December 4, 2017 · pentesting OSINT Kali tools

OSINT Tools

Kali recently released their third update for 2017 and I thought I might highlight some of the new tools that were added.

InSpy searches LinkedIn for individuals who work at a specific company. Supplying a wordlist of job titles lets you target the search, for example to those who may only work in customer service, or to find who the security team members are.

InSpy can be installed in Kali by: apt update && apt -y install inspy

root@kali:~# inspy --empspy /usr/share/inspy/wordlists/title-list-large.txt coinbase

InSpy 2.0.3

2017-12-20 10:23:25 128 Employees identified
2017-12-20 10:23:25 Michael de Hoog Engineer at Coinbase
2017-12-20 10:23:25 Richard Gates Operations Recruiting Lead at Coinbase
2017-12-20 10:23:25 Amy Yin Engineer at Coinbase
2017-12-20 10:23:25 Lauren Lee Recruiting Coordinator at Coinbase
2017-12-20 10:23:25 Tom Boice Software Engineer @ Coinbase
2017-12-20 10:23:25 David Lester Staff Accountant at Coinbase
2017-12-20 10:23:25 Tim Laehy CFO (Interim) at Coinbase
2017-12-20 10:23:25 Charlene Delapena University Relations & Recruitment at Coinbase
2017-12-20 10:23:25 Eunice Panganiban Recruiter at Coinbase
2017-12-20 10:23:25 Jesse Posner Software Engineer at Coinbase
2017-12-20 10:23:25 Marti K. Recruiting Coordinator at Coinbase
2017-12-20 10:23:25 Natalie Stratton Executive Assistant at Coinbase
2017-12-20 10:23:25 Burkay Gur Software Engineer at Coinbase
2017-12-20 10:23:25 Melissa Zhang Software Engineer at Coinbase
2017-12-20 10:23:25 Courtney Chin Business Operations Associate at Coinbase
2017-12-20 10:23:25 Reuben Bramanathan Product Counsel at Coinbase
2017-12-20 10:23:25 Tony Wang Coinbase
2017-12-20 10:23:25 Harrison Dimon Customer Service Representative at Coinbase
2017-12-20 10:23:25 Jesse Pollak Engineering Manager at Coinbase
2017-12-20 10:23:25 Chase Evans Engineer at Coinbase
2017-12-20 10:23:25 Zeeshan F. CEO (UK) at Coinbase
2017-12-20 10:23:25 Emily Hassard Recruiting Coordinator at Coinbase
2017-12-20 10:23:25 Michael Probber Software Engineer at Coinbase
2017-12-20 10:23:25 Michael Yenny Investor at Coinbase
2017-12-20 10:23:25 Rees Atlas Risk Operations Manager at Coinbase
2017-12-20 10:23:25 Jason Alvillar System & Network Administrator (IT Contractor) at 
2017-12-20 10:23:25 Rachel Price Head of Payment Operations at Coinbase
2017-12-20 10:23:25 John Yi Growth Product Management at Coinbase
2017-12-20 10:23:25 Lareine Sison Recruiting Coordinator at Coinbase
2017-12-20 10:23:25 Daniel Romero GM of Coinbase
2017-12-20 10:23:25 Shahab Asghar Corporate Counsel at Coinbase
2017-12-20 10:23:25 Graham Jenson DevOps at Coinbase
2017-12-20 10:23:25 John Kothanek Coinbase
2017-12-20 10:23:25 Sarah Richmond Business Development & Partnerships at Coinbase
2017-12-20 10:23:25 Maribeth Ann Bushey Customer Disputes and Regulatory Counsel at Coinba
2017-12-20 10:23:25 Eduardo Fernandez Customer Success Manager at Coinbase
2017-12-20 10:23:25 Dillon McCoy Software Engineer at Coinbase
2017-12-20 10:23:25 David Caseria Software Engineer at Coinbase
2017-12-20 10:23:25 Raymond Lam Analyst at Coinbase
2017-12-20 10:23:25 Mitchell Glazier Regulatory Compliance Analyst at Coinbase
2017-12-20 10:23:25 Anne Wu Risk Analyst at Coinbase
2017-12-20 10:23:25 Ashley Martens Software Engineer at Coinbase
2017-12-20 10:23:25 Jim F. Ward Sr. Recruiter at Coinbase
...

Sublist3r works by searching Google, Bing and other search engines for subdomains, then prints them out with the associated ports. You can also use a wordlist to enumerate subdomains.

(DNSdumpster is an alternative for this and gives much more data)

Sublist3r can be installed in Kali by: apt update && apt -y install sublist3r

root@kali:~# sublist3r -d coinbase.com -p 80,443 -e google,bing

                 ____        _     _ _     _   _____
                / ___| _   _| |__ | (_)___| |_|___ / _ __
                \___ \| | | | '_ \| | / __| __| |_ \| '__|
                 ___) | |_| | |_) | | \__ \ |_ ___) | |
                |____/ \__,_|_.__/|_|_|___/\__|____/|_|

                # Coded By Ahmed Aboul-Ela - @aboul3la
    
[-] Enumerating subdomains now for coinbase.com
[-] Searching now in Google..
[-] Searching now in Bing..
[-] Total Unique Subdomains Found: 11
[-] Start port scan now for the following ports: 80,443
blog.coinbase.com - Found open ports: 80, 443
api.coinbase.com - Found open ports: 80, 443
buy.coinbase.com - Found open ports: 80, 443
developers.coinbase.com - Found open ports: 80, 443
community.coinbase.com - Found open ports: 80, 443
beta.coinbase.com - Found open ports: 80, 443
custody.coinbase.com - Found open ports: 80, 443
exchange.coinbase.com - Found open ports: 80, 443
status.coinbase.com - Found open ports: 80, 443
engineering.coinbase.com - Found open ports: 80, 443
support.coinbase.com - Found open ports: 80, 443
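
For a team running this against its own domain, the useful step is comparing what the search engines expose with what the asset inventory says should exist. The following is an added example, not part of the original post or of Sublist3r: it parses the result-line format shown above and flags hosts missing from the inventory. The sample output, the `example.com` hostnames, the inventory and the allowed-port policy are all constructed assumptions.

```python
import re

# Result-line format as printed above: "<host> - Found open ports: 80, 443"
LINE_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)\s+-\s+Found open ports:\s*(?P<ports>[\d,\s]+)$")
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")  # strip colour codes if the capture kept them

def parse_sublist3r(text):
    """Return {hostname: sorted open ports} from captured Sublist3r output."""
    found = {}
    for raw in text.splitlines():
        line = ANSI_RE.sub("", raw).strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, "[-]" status lines, blank lines
        ports = {int(p) for p in m.group("ports").split(",") if p.strip()}
        host = m.group("host").lower().rstrip(".")
        found.setdefault(host, set()).update(ports)
    return {h: sorted(p) for h, p in found.items()}

def audit(found, inventory, allowed_ports=(443,)):
    """Compare discovered hosts and ports with the approved asset inventory."""
    inv = {h.lower() for h in inventory}
    extra = {h: [p for p in ps if p not in allowed_ports]
             for h, ps in found.items() if h in inv}
    return {
        "unknown_hosts": sorted(h for h in found if h not in inv),
        "unexpected_ports": {h: ps for h, ps in extra.items() if ps},
        "not_discovered": sorted(inv - set(found)),
    }

# Constructed sample output (not from a real scan); one line keeps its colour codes.
SAMPLE = """\
[-] Total Unique Subdomains Found: 3
[-] Start port scan now for the following ports: 80,443
www.example.com - Found open ports: 80, 443
\x1b[92mstaging.example.com\x1b[0m - \x1b[91mFound open ports:\x1b[0m \x1b[93m443\x1b[0m
api.example.com - Found open ports: 443
"""
# Constructed inventory of hosts the organisation has approved as public.
INVENTORY = {"www.example.com", "api.example.com", "vpn.example.com"}

if __name__ == "__main__":
    print(audit(parse_sublist3r(SAMPLE), INVENTORY))
```

Hosts under `unknown_hosts` are the ones to chase down first: they are indexed publicly but nobody has recorded owning them.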

OSRFramework is another great tool, used to hunt down usernames and more across multiple services. Its functions are split across a couple of tools, in case you only want to find usernames or emails. However, searchfy.py below will search for everything.

OSRFramework can be installed in Kali by: apt update && apt -y install osrframework

root@kali:~# searchfy.py -q "crash2oo"

  ___  ____  ____  _____                                            _
 / _ \/ ___||  _ \|  ___| __ __ _ _ __ ___   _____      _____  _ __| | __
| | | \___ \| |_) | |_ | '__/ _` | '_ ` _ \ / _ \ \ /\ / / _ \| '__| |/ /
| |_| |___) |  _ <|  _|| | | (_| | | | | | |  __/\ V  V / (_) | |  |   <
 \___/|____/|_| \_\_|  |_|  \__,_|_| |_| |_|\___| \_/\_/ \___/|_|  |_|\_

                Version:      OSRFramework 0.17.2
                Created by:   Felix Brezo and Yaiza Rubio, (i3visio)



searchfy.py Copyright (C) F. Brezo and Y. Rubio (i3visio) 2014-2017

This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you
are welcome to redistribute it under certain conditions. For additional info,
visit https://www.gnu.org/licenses/agpl-3.0.txt

2017-12-20 10:05:55.081567	Starting search in different platform(s)... Relax!

	Press <Ctrl + C> to stop...


2017-12-20 10:06:05.101873	A summary of the results obtained are listed in the following table:

Sheet Name: Profiles recovered (2017-12-20_10h6m).
+-----------------------------+---------------+------------------+
|         i3visio_uri         | i3visio_alias | i3visio_platform |
+=============================+===============+==================+
| http://twitter.com/crash2oo | crash2oo      | Twitter          |
+-----------------------------+---------------+------------------+

2017-12-20 10:06:05.109628	You can find all the information collected in the following files:
	./profiles.csv

2017-12-20 10:06:05.109672	Finishing execution...

Total time used:	0:00:10.028105
Average seconds/query:	10.028105 seconds

Did something go wrong? Is a platform reporting false positives? Do you need to
integrate a new one and you don't know how to start? Then, you can always place
an issue in the Github project:
    https://github.com/i3visio/osrframework/issues
Note that otherwise, we won't know about it!