Automate OSINT techniques

The Harvester

• This tool gathers subdomain names, IP addresses, email addresses and employee names while only needing an initial domain name to start.

• In order to use this tool you will need the following API Keys: Bing, Github, Hunter.io, Intelx, SecurityTrails, Shodan, Spyse.

• theHarvester will work fine without these API keys but the search results may be limited.

Running theHarvester

python3 theHarvester.py -d <target_domain> -b all

Amass

• Amass does not perform OSINT on employee names or email, it makes up for it in the large amount of subdomain OSINT sources.

• Amass is set up as a suite of tools that can search for subdomains, ASNs, and IP addresses as well as perform brute force subdomain discovery.

Amass different scan one-liners.

 # Search for domain names associated with target domain through reverse whois:
 amass intel -d <target_domain> -whois
 
 # Search for company name is ASN names:
 amass intel -org <target_organization>
 
 # Search for domain names, associated IP addresses in an ASN, and prints where Amass found them:
 amass intel -asn <target_asn> -ip -src
 
 # Search for subdomains found strictly in open-source intelligence resources:
 amass enum -d <target_domain> -passive
 
 # Search for subdomains and verify info about the host through direct connections:
 amass enum -d <target_domain> -active
 
 # Brute force subdomains using a mask of aaa-[a-z][a-z][a-z]:
 amass enum -d <target_domain> -active -brute -wm "aaa-?l?l?l" 

Recon-ng

• Recon-NG is more of a framework of tools rather than just one tool.

• What makes it great is the extensibility through the Recon-NG Marketplace.

• You can choose which addons you want to install as well as create your own for others to use.