OSINT
Open Source INTelligence: Abusing public information
Last updated
Open Source INTelligence: Abusing public information
Last updated
When you have a username of someone and want to find more information about that username, you can try to search for that username on different social media platforms. There are also a few tools that do this for you on a lot of websites quickly.
A popular CLI tool is sherlock, where you can simply provide a username and see all the accounts that were found:
Another tool I have found to be very useful is the following site:
The above web tool also shows some Google search results, as a bonus. These can be useful in finding more details about a username, and what it is associated with.
Certificate Transparency (CT) can be a useful tool as it provides a publicly accessible log of all issued SSL certificates for websites, including information about the domain names associated with the certificate. Some databases collect these logs and make them able to be queried, like crt.sh or Censys:
Very often when setting up a new subdomain the owner will have to register a new certificate for it. This action is logged by the CT and can be looked up on websites such as crt.sh. Simply put in a query with a % like in SQL as follows to get all the subdomains of a certain root domain:
Note that these queries can take some time, as there is a lot of data to query through. Just be a little patient with these services.
The Censys search tool linked above is really powerful. You only need to create a free account and then you can use Elasticsearch syntax to query all kinds of information about the certificates. Most often you're querying the domain name, and want to use the parsed.names keyword. After the colon, you can specify a string, maybe including wildcards, or even a regular expression:
With these Regular Expressions (RegEx), you can query pretty much anything you want. You can also try to search for multiple strings with anything in between, and make sure "very" is the start of a word:
