Start with what you know (email, username, etc.)
Define requirements (what you want to get)
Gather the data
Analyze collected data
Pivot as-needed using new gathered data
Validate assumptions
Generate report
Real name
Governmental resources
There are dozens of websites where you can find information about people or organizations, and depending on the country, the openness of that information differs. I’m not going to write about it in detail, as the governmental resources I would list might not be relevant to you as a resident of a different country. Just remember that such resources exist and Google them when needed; they are not that hard to find, especially using the advanced search queries I describe below.
Google Dorks
In 2002, Johnny Long began collecting Google search queries that uncovered vulnerable systems or sensitive information disclosures. He labeled them Google Dorks. Since this article is about legally obtained information, I’m not going to show how to get unauthorized access; however, you can explore the Google Hacking Database, which holds thousands of different queries. The queries below can return information that is difficult to locate through a simple search.
“john doe” site:instagram.com — the quotation marks force Google to return an exact match, while site: restricts the search to Instagram.
“john doe” -“site:instagram.com/johndoe” site:instagram.com — hide postings from the target’s own account, but show posted comments on the Instagram posts of others.
“john” “doe” -site:instagram.com — show results that exactly match the given name and surname but in different combinations. Also, exclude Instagram from results.
“CV” OR “Curriculum Vitae” filetype:PDF “john” “doe” — search for the target’s resumes that contain “CV” or “Curriculum Vitae” in the name and have a PDF extension.
Wrap single words in quotes if you are 100% sure about the spelling, because by default Google will reshape your keyword into whatever the masses search for. By the way, what’s interesting about Instagram is that with the right Google Dork you can see comments and likes of private accounts.
Repeat the search using advanced search queries on Bing, Yandex, and DuckDuckGo, as other search engines might return results that Google couldn’t.
People search
There are websites that specialize in people search, which can be done using a real name, username, email or phone number.
https://www.fastpeoplesearch.com
https://www.truepeoplesearch.com
People search websites allow you to opt out, but after people remove themselves from listings, new search services appear with their records in them. The reason is that the same dataset is bought and used by different services. Some companies own those datasets, and even if a person removes the listing on one of their websites, the old data is repopulated on a new domain, so the previously removed profile reappears in search. Consequently, if people did a pretty good job of cleaning their stuff up, you just have to wait for a new database to appear. One method to find people who opted out is to go to the people search service, find a unique paragraph, do a quoted Google search on it, and find all of the domains that the company owns. There is a chance that information your target removed from site A is now on site B.
User name
Username search
There are a lot of websites with a username search; I find these two to be among the best: instantusername.com and namechk.com. Usually, one service finds accounts that the other doesn’t, so it’s better to use both. Apart from online services you can use WhatsMyName, a GitHub project that is also included in more advanced tools such as SpiderFoot and Recon-ng. You can, however, run it as a standalone checker by executing the Python script.
While searching, you might get false positives, since someone else may be using the same username; be prepared for that.
Note: Running WhatsMyName, as well as any locally installed tool, could be a problem when certain websites are blocked by your ISP. In that case, going through a proxy or VPN will solve the issue. Moreover, to avoid exposure you should use anonymizers anyway.
Email Address
Google Dorks
“@example.com” site:example.com — search for all emails on a given domain.
HR “email” site:example.com filetype:csv | filetype:xls | filetype:xlsx — find HR contact lists on a given domain.
site:example.com intext:@gmail.com filetype:xls — find Gmail addresses inside XLS files hosted on a given domain.
Email tools
Hunter — performs a fast scan of a domain for email addresses and reveals the domain’s common address pattern.
Email permutator — generates likely email addresses for the target at up to three domains. Supports multiple input variables to generate custom results.
Proofy — allows bulk email validation, which is useful when you have generated a list of emails with a permutation tool and want to check all of them at once.
Verifalia — validates single email addresses for free without registration. To use bulk validation you have to sign up.
Browser plugins
Prophet — reveals more information about people. It uses an advanced engine to predict the most likely email combination for a given person based on name, company and other social data. Prophet then verifies the generated email to make sure it is correct and deliverable.
OSINT browser extension — contains a lot of useful links, including ones for email search and verification. Compatible with Firefox and Chrome.
LinkedIn Sales Navigator — a Chrome plugin that shows the associated Twitter account and rich LinkedIn profile data directly in Gmail.
Compromised databases
Data breaches have become a big issue, and recently we are seeing more and more data dumps. Security researcher Troy Hunt collected released data, stripped out the passwords, assigned each email to the breaches it was involved in, and uploaded it to haveibeenpwned.com. While the fact of the breach itself might not be that important, what matters is that from the email you might get a list of services that the person uses, or at least used.
Another option is dehashed.com. With a free account it works similarly to Troy Hunt’s website, but with an active subscription it shows passwords in clear text or as password hashes. From an OSINT perspective, we need that to search whether the same password was used on other websites, which is one more way to find out which services the person uses or at least used. Searching by password or its hash shows not only the websites where it was used, but also the email addresses tied to it. Thus, we can get the target’s emails that we wouldn’t obtain otherwise. It’s important to note that if the password is not unique we might get false positives, as other people might use it as well.
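The haveibeenpwned lookup described above, turned around for the defender: an added example (not from the original article or from haveibeenpwned.com) that triages breach data for your own organization's addresses, listing the services each address was registered on and flagging addresses whose password was exposed. The input mimics the shape of the HIBP v3 breachedaccount response, but the breach names, domains and dates are constructed for this example.

```python
import json
from collections import Counter

# Constructed sample modelled on the shape of the haveibeenpwned.com v3
# breachedaccount response (a JSON list of breach objects per address).
# Breach names, domains and dates below are invented for this example.
SAMPLE_RESPONSES = {
    "alice@example.com": json.dumps([
        {"Name": "ForumA", "Domain": "forum-a.example", "BreachDate": "2019-03-02",
         "DataClasses": ["Email addresses", "Passwords", "Usernames"], "IsVerified": True},
        {"Name": "ShopB", "Domain": "shop-b.example", "BreachDate": "2021-07-15",
         "DataClasses": ["Email addresses", "Names"], "IsVerified": True},
    ]),
    "bob@example.com": json.dumps([
        {"Name": "ForumA", "Domain": "forum-a.example", "BreachDate": "2019-03-02",
         "DataClasses": ["Email addresses", "Passwords", "Usernames"], "IsVerified": True},
    ]),
    # HIBP answers 404 when an address has no breaches; modelled here as an empty list.
    "carol@example.com": "[]",
}

def parse_breaches(raw_json):
    """Turn one raw response into (service domain, password leaked?, breach name) tuples."""
    out = []
    for b in json.loads(raw_json):
        # HIBP may leave Domain empty; fall back to the breach name in that case
        out.append((b["Domain"] or b["Name"], "Passwords" in b.get("DataClasses", []), b["Name"]))
    return out

def triage(responses):
    """Per address: the services it was registered on (the OSINT angle in the text)
    and whether any breach exposed its password (the defender's action item)."""
    report = {}
    for address, raw in responses.items():
        breaches = parse_breaches(raw)
        report[address] = {
            "services": sorted({domain for domain, _, _ in breaches}),
            "reset_password": any(leaked for _, leaked, _ in breaches),
        }
    return report

def shared_breaches(responses):
    """Count how many of our addresses each breach hit; a breach touching several
    staff addresses usually points to a company-wide service, not a personal signup."""
    counts = Counter(name for raw in responses.values() for _, _, name in parse_breaches(raw))
    return {name: n for name, n in counts.items() if n > 1}

if __name__ == "__main__":
    for addr, info in triage(SAMPLE_RESPONSES).items():
        print(addr, info)
    print("breaches hitting more than one address:", shared_breaches(SAMPLE_RESPONSES))
```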
Phone number
Sometimes people link a phone number and email to their Facebook profile, so typing either into the Facebook search might show you the profile. Another option is to look up user-supplied databases of phone numbers, like whocalledme.com. The database is not limited to America; numbers from Europe can be checked as well. For those who want something similar on a mobile device, there are several apps: privacystar.com, getcontact.com, and everycaller.com. There are many reverse phone lookup services, and they are usually country-specific, so find the one that fits your needs.
PhoneInfoga
PhoneInfoga is one of the most advanced tools for scanning phone numbers using only free resources. It first gathers basic information such as country, area, carrier, and line type for any international phone number with very good accuracy, then tries to determine the VoIP provider or searches for footprints on search engines to identify the owner.
Features:
Check if phone number exists and is possible
Gather standard information such as country, line type, and carrier
Check several numbers at once
OSINT reconnaissance using external APIs, Google Hacking, phone books, & search engines
Use custom formatting for more effective OSINT reconnaissance
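The first two features above, "is the number possible" and "which country is it from", rely on number-plan rules rather than any external API. The following is an added example (not PhoneInfoga's code) that normalizes a number to E.164 and applies those rules offline: a constructed subset of calling codes (real values, not a complete table) and the NANP rule that area code and exchange are NXX with N in 2-9 and not an N11 service code. Whether a possible number is actually assigned, or its carrier and line type, needs a data source this code does not have.

```python
import re

# Constructed subset of ITU country calling codes (real codes, deliberately incomplete).
CALLING_CODES = {"1": "North America (NANP)", "44": "United Kingdom", "49": "Germany",
                 "33": "France", "380": "Ukraine"}

def normalize(number, default_code="1"):
    """Strip formatting and return the E.164 digits without the '+', or None if the
    input cannot be an E.164 number (non-digit junk, or more than 15 digits)."""
    cleaned = re.sub(r"[\s().-]", "", number)
    if cleaned.startswith("00"):            # international dialling prefix used in Europe
        cleaned = "+" + cleaned[2:]
    elif not cleaned.startswith("+"):       # assume a national number in the default plan
        cleaned = "+" + default_code + cleaned
    if not re.fullmatch(r"\+\d{7,15}", cleaned):
        return None
    return cleaned[1:]

def country_of(digits):
    """Longest-prefix match against the calling-code table (codes are 1 to 3 digits)."""
    for length in (3, 2, 1):
        if digits[:length] in CALLING_CODES:
            return digits[:length], CALLING_CODES[digits[:length]]
    return None, None

def nanp_possible(national):
    """NANP: 10 digits NXX-NXX-XXXX; area code and exchange cannot start with 0 or 1,
    and N11 (211, 911, ...) are service codes, never area codes or exchanges."""
    if len(national) != 10:
        return False
    for part in (national[:3], national[3:6]):
        if part[0] in "01" or part[1:] == "11":
            return False
    return True

def check(number, default_code="1"):
    """Return (e164, country, possible). 'possible' means the format fits the plan;
    for non-NANP codes only the E.164 length is checked, so it is True once normalized."""
    digits = normalize(number, default_code)
    if digits is None:
        return None, None, False
    code, country = country_of(digits)
    if code is None:
        return "+" + digits, None, False
    possible = nanp_possible(digits[len(code):]) if code == "1" else True
    return "+" + digits, country, possible

if __name__ == "__main__":
    for n in ["(212) 555-0123", "+1 911 555 1234", "+44 20 7946 0958", "0049 30 123456"]:
        print(n, "->", check(n))
```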