Week in OSINT #2018–38

Tools, threat intelligence, transparency and tips

Sector035
Week in OSINT


This week’s post is one of the longest I’ve created since I started this newsletter in May. A huge number of interesting links were thrown at me, were found on Twitter or simply popped up somewhere during the week. And luckily I had the time to include a large number of them in here. A lot also didn’t make it, but hey… Treat this newsletter as a gift horse ;-)

Off to this week’s overview:

  • Threat Intelligence Hunter
  • Amazon Cloud CSE
  • Bing Image Search
  • Searching for Hoaxes
  • Leaked? 2.0
  • Whoisology
  • Certificate Transparency
  • Cert Stream Monitor
  • TwiMap
  • Danger Zone
  • Agile Intel

Tool: Threat Intelligence Hunter

This tool is aimed at people who are investigating indicators of compromise. It provides a simple and fast way to check IP addresses or URLs via VirusTotal, URLVoid, Emerging Threats, the Talos blacklist and lots of other sites.

The tool hasn’t been updated for a few months, but I know that there are people that definitely have a need for a tool like this. So have a look yourself and play around with it.

Link: https://github.com/abhinavbom/Threat-Intelligence-Hunter

Search: Amazon Cloud CSE

Stefanie Proto shared another Google Custom Search Engine, this time to search for goodies in the Amazon cloud.

After you run a query, you can filter the results down to pages with the word “index” in the title, PDFs, TXT files or XML files. A simple and easy to use search engine!

Link: https://cse.google.com/cse?cx=005797772976587943970:g-6ohngosio

Website: Bing Image Search

Last week a simple tweet got my attention. It didn’t say a lot, but I still saved it to be included in here, but while writing this newsletter I didn’t know why.

A mysterious tweet about…?

But a few days later people like Christiaan Triebert started tweeting about Bing offering a new option to search for parts of images, a bit similar to what Yandex has been providing on the mobile site of their reverse image search.

So Bing just gave the OSINT enthusiasts a most wonderful tool to use! No more cropping pictures to search for clues, but a simple online and web-based tool to search for specific details within existing images! The only problem is that as far as I know there isn’t a way to upload a picture yourself. But when you do find interesting images, you can use those images to search further via the matched photos or go straight to the ‘search image in image’ option.

Link to Bing blog: https://blogs.bing.com/search-quality-insights/2017-06/beyond-text-queries-searching-with-bing-visual-search

Bing image search: https://www.bing.com/images

Webtool: Searching for Hoaxes

When searching for fake accounts or fake news, you can manually go over the vast amount of data that social media sites like Twitter spew out every day. But when it comes to Twitter, a better option would be to use the tool “Hoaxy” by the University of Indiana. You can search Twitter itself or the already aggregated data and visualise the timelines of certain news spreading. A very interesting tool, especially now that the war on fake news is still going on.

Link: https://hoaxy.iuni.iu.edu

Tool: Leaked? 2.0

Last week a tweet by St3C4nB5t25 notified me of an update of the tool called ‘Leaked?’ by SecureGF. It is a command line script that uses lea.kz to check for breached accounts and passwords. Just fill in a password and it calculates a hash and retrieves its status. In a similar way you can also check for possibly breached email addresses. I suspect the dataset of lea.kz isn’t as big as HIBP, but it won’t hurt running an extra tool like this while performing recon for a red team assignment.

Link: https://github.com/GitHackTools/Leaked

Webtool: Whoisology

The website Whoisology is one of those tools that everybody should know. One of the things that I am secretly happy about is the fact that they don’t censor the private data (yet) so it can be used for investigating domains via the Whois data. This information is extremely important when it comes to investigating malware, scams, phishing runs and whatever you can think of.

So save this one in a bookmark, but do remember that the free tier only allows you to run three searches in an hour. So use that time wisely!

Link: https://whoisology.com/

Certificate Transparency

I am not only interested in social media OSINT, or things like company data, but I also love to browse around and find security flaws on the internet. One of the biggest treasure troves, which a lot of people don’t realise exists, is the certificate transparency program. Simply said: when someone registers an SSL certificate, it will eventually show up somewhere in a register, and with it all the information that is inside that particular certificate.

While looking up all certificates that were requested for subdomains of medium.com, I for instance found https://jss.medium.com particularly interesting, since it shows a Cisco VPN login screen. No other details given and after a few little tests it seemed to me it was fairly well protected, but I always ask myself in such situations: What purpose does this login screen have?

Besides the usual subdomains you can sometimes find domains that are not maintained anymore, incorrectly configured certificates and even internal server names in the certificates themselves. These can be found in the ‘common names’ and ‘alternative names’ fields.

And that is information that a red team will use, but that is also what OSINT practitioners should consider using. Because a certificate is not only the secure connection between the outside and inside, it can also be used as a public ‘phone book’ with information about the infrastructure of a company.

Link to the blog: https://isc.sans.edu/diary/rss/24114

Certificate tool 1: https://crt.sh/

Certificate tool 2: https://www.entrust.com/ct-search/
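
Seen from the side of the organisation that owns the domain, the same lookup is a disclosure audit of what its own certificates reveal. The sketch below is an added example, not code from this newsletter or from the tools linked above: it takes records in the shape of crt.sh's JSON output and labels every name found in the common name and alternative names fields. The sample records, `example.com` and the list of internal suffixes are constructed assumptions.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output (?output=json);
# example.com and every value below are made up for this illustration.
SAMPLE = json.loads("""[
 {"common_name": "www.example.com",
  "name_value": "www.example.com\\nexample.com", "not_after": "2019-01-10T12:00:00"},
 {"common_name": "vpn.example.com",
  "name_value": "vpn.example.com\\nfs01.corp.local", "not_after": "2018-12-01T00:00:00"},
 {"common_name": "*.dev.example.com",
  "name_value": "*.dev.example.com\\nBUILD01", "not_after": "2018-03-05T00:00:00"}
]""")

INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp")  # assumed naming habits


def names_in(record):
    """Return every hostname from the common name and alternative names fields."""
    raw = [record.get("common_name", "")] + record.get("name_value", "").split("\n")
    return {n.strip().lower() for n in raw if n.strip()}


def classify(name, own_domain):
    """Label one certificate name from the point of view of the domain owner."""
    bare = name[2:] if name.startswith("*.") else name
    if "." not in bare or bare.endswith(INTERNAL_SUFFIXES):
        return "internal-name"      # server name that was never meant to be public
    if bare != own_domain and not bare.endswith("." + own_domain):
        return "foreign-domain"     # name pointing outside the audited domain
    return "wildcard" if name.startswith("*.") else "public"


def audit(records, own_domain, today):
    """Map each disclosed name to (label, True if any certificate for it is still valid)."""
    report = {}
    for rec in records:
        valid = rec["not_after"][:10] >= today   # ISO dates compare correctly as strings
        for name in names_in(rec):
            label, seen_valid = report.get(name, (classify(name, own_domain), False))
            report[name] = (label, seen_valid or valid)
    return report


if __name__ == "__main__":
    for name, (label, valid) in sorted(audit(SAMPLE, "example.com", "2018-09-24").items()):
        print(f"{name:22} {label:14} {'valid' if valid else 'expired'}")
```

Names labelled `internal-name` are the ones to remove from future certificate requests, since a certificate transparency log entry cannot be withdrawn once published.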

Tool: Cert Stream Monitor

While on the subject of certificate transparency, here is a great tool for you to look at! The tool uses keywords to search for certificates you would like to monitor, after which it will alert you when a site comes online. So once you are investigating a company and see a new and interesting domain popping up in a newly requested certificate, this tool will let you know straight away when you can start investigating that particular host.

Link: https://github.com/AssuranceMaladieSec/CertStreamMonitor

Webtool: TwiMap

Via Henk van Ess I was notified about a new tool that deals with the geolocation of tweets. It isn’t your ordinary tool where you can scrape someone’s account to find the location; this works the other way around. Via a Google Map interface you search for a location of interest and you can order TwiMap to retrieve the latest tweets that were posted within that area. A great tool when you don’t like to use Twitter’s advanced search, or when you aren’t that comfortable with writing your own queries for that.

Link: https://twimap.com/

Tool: Danger Zone

Wojciech published a new tool last weekend, called Danger Zone. This little command line tool written in Python is able to connect several pieces of information and present them in a visual way.

An example of connecting the dots during an investigation on a scammer

The tool scrapes Whois data, searches Google, checks usernames, gathers info on IP addresses, queries VirusTotal or ThreatCrowd and a lot more! It stores the data in Elasticsearch for easy storage and further manual analysis if needed.

Link: https://github.com/woj-ciech/Danger-zone

Blog: Agile Intel

And to close this week off, a little extra shameless plug of one of my own articles that was published this weekend. This time I didn’t just gather some interesting links, or write an article on geolocation, but I did a write-up on some of my own research. It deals with the information that is publicly available from Jira installations that are connected to the internet. So if you are looking into a company and you need to get that one particular piece of information for a security assessment, look no further. Because it might be out there and easy to find.

Retrieving dashboard names to find interesting projects or customers

Link: https://medium.com/@sector035/gathering-company-intel-the-agile-way-6db12ca031c9

And that was it! I still had loads of other things I found that I could have included, but it was simply too much to dive into this week… Let’s hope next week will bring us some more interesting and new tools, blogs or websites!

Have a good week and have a good search

Sector035
Week in OSINT

Just a shadowy nerd… Busy with InfoSec, geolocation and OSINT (archived articles only, Week in OSINT can be found on https://sector035.nl)