How to Chain OSINT Tools for Maximum Impact in Investigations
OSINT (Open-Source Intelligence) is a critical part of cybersecurity investigations. The sheer volume of publicly accessible information makes it possible to uncover assets, vulnerabilities, and potential attack vectors without needing direct access to a system. However, using OSINT tools in isolation often leads to incomplete results. The real power of OSINT is unlocked when multiple tools are "chained" together, creating a layered approach that builds on data from one source to fuel the next tool.
This post will explain how to create an effective OSINT toolchain using Maltego, theHarvester, Shodan, and other tools to maximize the impact of your investigations. By chaining these tools, you can expand the breadth and depth of your investigation, uncovering hidden assets and vulnerabilities that may not be apparent with a single tool.
Step 1: Starting with theHarvester
Objective: Gather baseline information (email addresses, subdomains, IPs) about your target.
theHarvester is an excellent starting point because it scrapes various search engines and public databases to collect initial intelligence on a target. It will provide you with details like associated email addresses, subdomains, IP addresses, and domains.
Tools Used:
- theHarvester: This tool is excellent for scraping emails, IP addresses, and domains. It supports multiple search engines, including Bing, Google, PGP key servers, and more.
Step 2: Investigating Domains with Shodan
Objective: Gain visibility into the exposed infrastructure of your target.
Once you have a list of IP addresses or domains from theHarvester, Shodan becomes your next tool in the chain. Shodan is known as the “search engine for the internet,” but instead of searching for web pages, it indexes devices and systems connected to the internet. It can reveal open ports, running services, and even system vulnerabilities. Keep in mind that Shodan shows what its crawlers saw at index time, so confirm that a reported service is still exposed before treating it as a finding.
Tools Used:
- Shodan: A search engine for internet-connected devices that allows you to find vulnerable services, misconfigurations, or exposed systems within an organization’s network.
Step 3: Visualizing Relationships with Maltego
Objective: Map the relationships between entities (emails, domains, IPs) to reveal patterns.
Once you have collected data from theHarvester and Shodan, it’s time to visualize it with Maltego. Maltego is powerful for OSINT investigations because it allows you to create a graph showing how different entities relate to each other. For example, you might link email addresses to specific domains or find connections between subdomains and their parent organizations.
- Use Maltego to visualize the chain of connections:
After importing the data gathered from theHarvester and Shodan into Maltego, run transforms to explore deeper connections between the entities. For example, you can:
- Retrieve WHOIS information for domains
- Map IP ranges to hosting providers
- Uncover social media profiles linked to the email addresses found
Example Scenario:
Imagine you used theHarvester to find multiple subdomains for a target company. Then, Shodan revealed that one of the subdomains is running an outdated FTP service. In Maltego, you could visualize the connections between the subdomain, its related IP addresses, and potentially discover other vulnerable services linked to the same server.
Tools Used:
- Maltego: A graph-based data visualization tool used to map relationships between entities (people, organizations, websites) and discover hidden links between them. Maltego allows you to run “transforms” to automatically enrich data.
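To make the chaining concrete, here is an added example (not code from theHarvester, Shodan or Maltego) that normalizes stage-1 output, joins it with per-IP service data, and builds the domain -> subdomain -> IP -> service graph the scenario above describes, so you can answer "which of our named hosts expose FTP?" without a GUI. The shapes of the theHarvester JSON (-f output) and the Shodan host record are assumptions mimicked with constructed samples, and example.com / 203.0.113.x are documentation values.

```python
import json
from collections import defaultdict

# Constructed sample in the shape theHarvester's -f JSON output takes (assumed:
# "hosts" entries may carry a resolved IP after a colon).
HARVESTER_JSON = json.dumps({
    "emails": ["alice@example.com", "bob@example.com"],
    "hosts": ["ftp.example.com:203.0.113.10", "www.example.com:203.0.113.20",
              "mail.example.com"],
    "ips": ["203.0.113.10", "203.0.113.20"],
})

# Constructed sample keyed by IP, mimicking the per-host data Shodan returns.
SHODAN_HOSTS = {
    "203.0.113.10": {"data": [{"port": 21, "product": "ftpd", "version": "1.2"},
                              {"port": 22, "product": "OpenSSH", "version": "9.6"}]},
    "203.0.113.20": {"data": [{"port": 443, "product": "nginx", "version": "1.24.0"}]},
}

def parse_harvester(text):
    """Stage 1: normalise theHarvester output into emails, host->ip, and bare ips."""
    raw = json.loads(text)
    host_ip = {}
    for entry in raw.get("hosts", []):
        host, _, ip = entry.partition(":")
        host_ip[host.lower()] = ip or None          # None = not resolved by stage 1
    return {"emails": sorted(set(raw.get("emails", []))),
            "host_ip": host_ip,
            "ips": sorted(set(raw.get("ips", [])) | {ip for ip in host_ip.values() if ip})}

def build_graph(harvest, shodan):
    """Stages 2-3: link domain -> subdomain -> ip -> service, Maltego-style."""
    edges = defaultdict(set)
    for host, ip in harvest["host_ip"].items():
        edges[".".join(host.split(".")[-2:])].add(host)  # parent domain -> subdomain
        if ip:
            edges[host].add(ip)                          # subdomain -> ip
    for email in harvest["emails"]:
        edges[email.split("@")[1]].add(email)            # domain -> email
    for ip in harvest["ips"]:
        for svc in shodan.get(ip, {}).get("data", []):   # ip -> "port/product version"
            edges[ip].add(f"{svc['port']}/{svc['product']} {svc['version']}")
    return {node: sorted(nbrs) for node, nbrs in edges.items()}

def exposed_services(graph, port):
    """Walk host -> ip -> service and return every named host exposing `port`."""
    hits = []
    for host, neighbours in graph.items():
        for ip in neighbours:
            for svc in graph.get(ip, []):
                if svc.startswith(f"{port}/"):
                    hits.append((host, ip, svc))
    return sorted(hits)
```

Swap the constructed dictionaries for the real files you export from each tool and the same two functions give you the inventory to review, host by host.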
Step 4: Cross-Referencing Leaked Data with Dehashed
Objective: Find leaked credentials or personal information linked to your target.
Once you have the emails and usernames collected from theHarvester and visualized in Maltego, use Dehashed to check whether those addresses or usernames appear in publicly known data breaches. Dehashed is a platform for finding leaked credentials in publicly available breach datasets.
Tools Used:
- Dehashed: A tool for searching through leaked databases for compromised credentials or personal information related to your target.
Step 5: Enriching Data with Spyse
Objective: Perform deep data enrichment on domains and IPs.
Once you've gathered a list of domains or IPs, it’s useful to run further queries on Spyse, a search engine specifically designed for cybersecurity research. Spyse provides detailed information on domains, subdomains, IP addresses, and SSL certificates, allowing for advanced data enrichment.
- Example Command:
spyse domain example.com
You can use Spyse to verify your earlier findings and uncover more technical data, such as SSL issues, DNS records, or web vulnerabilities.
Tools Used:
- Spyse: A cybersecurity search engine that provides data on domains, IP addresses, SSL certificates, and more. It's useful for identifying technical vulnerabilities.
Step 6: Uncovering Digital Footprints with Social-Analyzer
Objective: Investigate the target’s digital footprint across social media platforms.
Now that you have some personal identifiers (emails, names) from the earlier steps, use Social-Analyzer to dig deeper into the target’s presence on social media. This tool can analyze social profiles across multiple platforms and gather relevant data about the target’s digital activity.
Tools Used:
- Social-Analyzer: A tool for identifying and analyzing social media profiles across various platforms using publicly available data.
Step 7: Correlating Data with WhoisXML
Objective: Identify who owns the domains and IPs.
To finalize your investigation, use WhoisXML to find domain ownership information. You might want to verify whether the domains found through theHarvester, Shodan, or Spyse belong to the target or are affiliated with it. This step also helps confirm the accuracy of your findings.
- Example Query:
whoisxml -d example.com
WhoisXML will provide registration information, helping you track down domain owners and affiliated organizations.
Tools Used:
- WhoisXML: A service that provides detailed Whois information, including domain registration data, ownership details, and contact information.
Conclusion:
Chaining OSINT tools is like building a puzzle, with each tool providing a piece of the overall picture. By starting with baseline data collection using theHarvester, enriching that data with Shodan, and visualizing relationships in Maltego, you can uncover a wealth of hidden assets and vulnerabilities that would remain obscured using a single tool. Tools like Dehashed, Spyse, Social-Analyzer, and WhoisXML further enrich this data, providing an even deeper understanding of your target’s infrastructure and exposure.
Summary of Tools for OSINT Tool Chaining:
- theHarvester – Baseline data collection (emails, subdomains, IPs)
- Shodan – Exposed services and infrastructure
- Maltego – Visualizing entity relationships
- Dehashed – Finding leaked credentials
- Spyse – Technical data enrichment (SSL, DNS, etc.)
- Social-Analyzer – Social media investigation
- WhoisXML – Domain and IP ownership identification
Using these tools in a chained fashion increases the depth and effectiveness of your OSINT investigations, allowing you to gather actionable intelligence with a comprehensive understanding of your target.