It has been some time since I have had time to update my website with new material, as my GitHub OSINT tools & resources take up quite a bit of my time. I thought it was time to have a change and write a new blog over the Christmas holidays.
The inspiration for this blog came from presenting at a conference in the summer of 2023 where I introduced the delegates to OSINT.industries. I said at the time that they should make use of it as it would inevitably go behind a pay-wall. Anyone who has been involved with OSINT over the years will have seen this model before; Epieos and Dehashed are two of the most recent ones that spring to mind. I have no issue with this model; after all, it takes a lot of time, effort and undoubtedly money to build such resources.
Michael Bazzell is unlikely, in the short term at least, to release an OSINT 11 edition, although there is always the hope that he will reconsider.
What can we do if we cannot afford a subscription to resources such as the aforementioned, or your organisation will not allow you to use such paid-for services? What if OSINT pioneers like Michael Bazzell take a break? In 2021, when I wrote a blog on investigating emails, I was using Epieos (it was free back then); however, the site went down and as a result I decided to install GHunt & Holehe.
We can build our own, after all, some of the resources used are available to use free of charge. In this blog I am going to take you through how I build my own VM for investigating identifiers, such as email addresses, usernames and telephone numbers.
There are other OSINT VMs that you can create; some are free, some you have to pay for. However, let's learn new skills by building our own and not being reliant on others. Unfortunately I am no Linux wiz and I will be building the VM the manual way.
I do not like having all my OSINT resources in one VM; as you know, I have a VM just for Telegram research. I like to separate the different aspects of my OSINT work and researching identifiers fits nicely into that ethos.
You will need to read my Telegram blogs in relation to creating the Ubuntu base. Don’t worry, for those of you who are new to Linux and VMs, below are the links you will need for those particular blogs.
It has only been about six months since I wrote my Telegram blogs and I have added extra tools and deleted others. That is the benefit of building and maintaining your own.
One thing that is worthy of note here is that I no longer use the ‘Normal Installation’; I now use the ‘Minimal installation’. I will also use DuckDuckGo as my default search engine on Firefox and not Yandex.
The reason for using the minimal installation is that, regardless of the OS I use, I remove software / bloatware that I will never use. It is easier adding what I need to my VMs than removing all the bloatware.
The links to my Telegram blogs are below; it will be beneficial to read these as it will aid you in following the subsequent instructions. Ensure you give your new VM a suitable name.
I am going to assume at this stage you have read my Telegram blogs or are happy with how to install your Ubuntu base. Let's begin.
You will need to add the GHunt companion app extension to Firefox:-
https://addons.mozilla.org/en-US/firefox/addon/ghunt-companion/
With this being an OSINT VM that works beyond just Telegram, I am going to add some extra search engines, which I have listed below. You can never have too many options, plus it enables you to obfuscate your searching if necessary. You can add whichever ones you like; you do not need to follow my choices.
Now, when you type in the search bar the below will populate and you can choose which search engine you would like to use.
Next I will bookmark the following sites:-
https://github.com/cqcore/Email-Username-OSINT
https://github.com/cqcore/Data-OSINT
https://github.com/cqcore/Telephone-OSINT
https://whatsmyname.app/
https://haveibeenzuckered.com/
https://haveibeenpwned.com/
https://www.digitalfootprintcheck.com/checks/free-checker.html
https://search.0t.rocks/
https://inteltechniques.com/tools/
https://intelx.io/
Let's talk about a couple of the bookmarks in more detail. Most of them you will have heard of; however, I also use a site called Digital Footprint Check, which works on both usernames and email addresses. It is a paid-for service but it also allows 3 free searches a day. Search 0t Rocks is a free Data OSINT site; use it responsibly as the owner has previously closed the site down because of misuse.
I will now install the following GitHub tools:-
https://github.com/sherlock-project/sherlock
https://github.com/soxoj/maigret/
https://github.com/mxrch/GHunt
https://github.com/megadose/holehe
I will walk you through how to install the above GitHub tools and then I will run through each and see what we can find out about a particular email or username.
Always remember to do, ‘sudo apt update’ and ‘sudo apt upgrade’ before installing any new software.
By now you should have configured your Firefox browser.
You will need a password manager to store any credentials you create for accounts and in any case for your sock puppet Gmail account that you will need for GHunt. I do not recommend you store any passwords in your browser; always use a reputable password manager. I like to use KeePassXC as it stores the passwords locally and not in the cloud, which removes one vulnerability.
Let's download KeePassXC.
In terminal use the following cmd:-
sudo snap install keepassxc
Let's look to install Chrome. As this is an OSINT VM I will use Chrome due to the extra OSINT extensions that are available when compared to Firefox. Also, if I am using Google as one of my main OSINT search engines, due to the advanced search operators, then I do not see an issue with using Chrome.
Navigate to:-
https://www.google.com/chrome/index.html
The way to install Chrome once it is downloaded is to right click on the zip and select ‘Open with Other Application’ and then select ‘Software Install’.
Give the Software Install time to kick in and then select ‘Install’.
Then navigate to ‘Show Applications’ and add Chrome to your favourites.
You can now delete the zip file that you downloaded.
We need to check that we have python3 installed and the version.
We also need to install Pip.
You will need to install Git next.
Next let's create some folders on our desktop for Sherlock, Maigret, Holehe, GHunt and WhatsMyName. That way we can use them to store our OSINT collections for each tool we use; you can also save instructions on how to use each tool.
The tools & resources I am going to use will follow the below order:-
Usernames
Emails
Phone Numbers
Sherlock
I will start with Sherlock. It seems like it has been around for a long time; it was one of the first username tools I used from GitHub many years ago. It is straightforward to install and use.
Complete the following steps using Git: –
git clone https://github.com/sherlock-project/sherlock.git
cd sherlock
python3 -m pip install -r requirements.txt
Let's run a scan on my username cqcore:-
python3 sherlock cqcore
You will find the results in the Sherlock Folder in your Home Folder.
I will move the text document to my Sherlock folder on my desktop as I like to have my results in an easily accessible place.
Maigret
Next we will install Maigret following the instructions here: –
https://github.com/soxoj/maigret/blob/main/README.md
Maigret is a fork of Sherlock and I like how the creator has given it the name of a French detective, keeping the theme of investigations going. Searching for emails, usernames etc. is not just about tools but also about having an investigative mindset.
As always I like to give a shout out to the awesome people in OSINT who create content and tools; check out @soxoj https://soxoj.com/, the creator of Maigret.
You have several ways to install it; however, I will stick with Git.
git clone https://github.com/soxoj/maigret
cd maigret
pip3 install -r requirements.txt
After installation we will run a scan on cqcore again.
./maigret.py cqcore --html
By selecting --html or --pdf, Maigret will also generate a report for you. You will find the results in the Maigret folder in the Home folder. It also shows tags of interest in the terminal results.
You may be asking why we need so many username resources when surely they all do the same thing. They do the same thing in relation to looking for usernames; however, they don’t always return the same results and in any case you should never rely on one source of information. You also need resilience as tools and resources come and go. The OSINT world is fluid and changes daily.
As an example I ran cqcore through Sherlock, Maigret and WhatsMyName and ended up with three different sets of results.
I was interested in the Telegram account.
I can tell you that is not me! What this does demonstrate though is the other use these resources have: you can use them to search for an entity of interest or to ensure from a reputational perspective you or your organisation is not negatively impacted by the rogue use of a username.
In theory, if you know the username URL structure for a site, you can do this work manually. If you are interested in this particular method, it is always good to have this type of knowledge in case your favourite tool or site disappears. I have some examples on my GitHub repos, which you can add to your cqcore bookmark folder if you wish:-
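To compare the three sets of results side by side, here is an added example (not part of the original blog or of any of the tools). It assumes you have saved each tool's output as text containing profile URLs; the sample text and the username exampleuser are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def site_key(url):
    """Reduce a profile URL to a comparable site name (host without 'www.')."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def extract_sites(report_text):
    """Set of sites named in one tool's saved text output."""
    urls = (u.rstrip(".,)") for u in URL_RE.findall(report_text))
    return {site_key(u) for u in urls} - {""}

def compare(reports):
    """reports: {tool_name: report_text}. Returns {site: sorted list of tools}."""
    seen = defaultdict(set)
    for tool, text in reports.items():
        for site in extract_sites(text):
            seen[site].add(tool)
    return {site: sorted(tools) for site, tools in sorted(seen.items())}

def triage(reports):
    """Split sites into those reported by 2+ tools and single-source hits.

    Agreement between tools only shows the username exists on a site,
    not who owns the account, so every hit still needs verifying.
    """
    table = compare(reports)
    corroborated = [s for s, t in table.items() if len(t) >= 2]
    single = {s: t[0] for s, t in table.items() if len(t) == 1}
    return corroborated, single

# Constructed sample output for a placeholder username; not real tool results.
SAMPLE = {
    "sherlock": "https://github.com/exampleuser\n"
                "https://www.reddit.com/user/exampleuser\n",
    "maigret": "[+] GitHub: https://github.com/exampleuser\n"
               "[+] Telegram: https://t.me/exampleuser\n",
    "whatsmyname": "http://www.github.com/exampleuser/\n"
                   "https://reddit.com/user/exampleuser\n",
}

if __name__ == "__main__":
    corroborated, single = triage(SAMPLE)
    print("Reported by 2+ tools:", corroborated)
    for site, tool in single.items():
        print(f"Only {tool} reported {site}: verify manually")
```
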
https://github.com/cqcore/URL-Manipulation
GHunt
We will now install GHunt. I can still remember the manual way that Sector035 discovered to obtain details of a Gmail account. This is a prime example of the OSINT community working together to develop tools, techniques, tradecraft & tactics for all.
https://github.com/mxrch/GHunt
You will need to install the following:-
sudo apt install python3.10-venv
pip3 install pipx
pipx ensurepath
pipx install ghunt
Once GHunt is installed, run the following cmd:-
ghunt login
You should be presented with the following:-
Choose either option 1 or 2.
Do you remember when we installed the GHunt companion extension? You will need to log in to your sock puppet Gmail account so that GHunt can store the session cookie; select the GHunt extension and synchronise it with GHunt. Please do not use a Gmail account that is for personal use.
You will be presented with the login page to your sock puppet Gmail account, which once you have logged in will synchronise with GHunt, and you will then be presented with the below image. Make the same selection as you chose when we logged into GHunt and follow the instructions.
Let's now run GHunt against a Gmail account: –
You will find the results in the Home folder.
Open the JSON file and you will see the results. It does not render like you will find on OSINT.Industries or Epieos however it is easy enough to navigate. If I wanted to look at the profile picture, copy and paste the URL into a browser.
Holehe
Next we will add Holehe, but we will use PyPI:-
pip3 install holehe
We can now run Holehe using the following cmd:-
holehe EMAIL@HERE.com
I will run it against the same email address as above that I know exists.
You will find a text document with the results in the Home folder, which you can move to your Holehe folder on the desktop. You may have to run it using a different IP if you have too many “Rate Limit” returns.
Let's have a look at phone numbers. There are a couple of GitHub repos that I am aware of which rely on the old password reset trick. There are a couple of issues with this: firstly, neither repo is maintained, and secondly, the major social media companies are aware of this trick and have taken measures to defeat it, and rightly so.
Ignorant
One GitHub tool that is used is Ignorant, however Snapchat always appears to return a rate limit result. The other two results returned are Amazon & Instagram.
We will install it using PyPI.
pip3 install ignorant
You can run it using the following cmd.
ignorant (countrycode) (number)
We can also use the data OSINT sites I have included as you can use these to search for phone numbers, as well as emails and usernames:-
https://search.0t.rocks/
https://intelx.io/
You have the use of Michael Bazzell’s tools over at Inteltechniques, however the telephone tool is US centric:-
https://inteltechniques.com/tools/Telephone.html
You can also use resources like HaveIBeenPwned or HaveIBeenZuckered. On my GitHub repo there are some resources that allow a free trial.
https://seon.io/, for example, allows you to have 5 lookups per day. The results are not 100% accurate, in that in the tests I did they did not pick up all the accounts my number was linked to. This goes back to my earlier statement, never rely on one source.
One important matter to remember with phone numbers is to try as many different formats of the number as you can; an example would be with and without the country code.
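To save typing the formats out by hand, here is an added example (not part of the original blog) that turns one number, however it was written down, into the list of strings worth searching. The function names, the default trunk prefix of "0" and the sample numbers (taken from ranges reserved for fictional use) are assumptions made for the illustration.

```python
import re

def national_digits(raw, country_code, trunk_prefix="0"):
    """Reduce a number written in any common style to its bare national digits."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+") and digits.startswith(country_code):
        digits = digits[len(country_code):]          # "+44..." form
    elif digits.startswith("00" + country_code):
        digits = digits[2 + len(country_code):]      # "0044..." form
    if trunk_prefix and digits.startswith(trunk_prefix):
        digits = digits[len(trunk_prefix):]          # "07700..." or "+44 (0)7700..."
    return digits

def phone_variants(raw, country_code, trunk_prefix="0"):
    """Return the distinct strings worth searching for one phone number.

    trunk_prefix is the national dialling prefix ("0" is an assumption that
    holds for many countries; pass "" where none is used).
    """
    n = national_digits(raw, country_code, trunk_prefix)
    candidates = [
        f"+{country_code}{n}",        # E.164
        f"{country_code}{n}",         # E.164 without the plus
        f"00{country_code}{n}",       # international access prefix 00
        f"+{country_code} {n}",       # spaced after the country code
        f"{trunk_prefix}{n}",         # national format
        n,                            # bare subscriber digits
    ]
    # Preserve order, drop duplicates (they appear when trunk_prefix is "").
    return list(dict.fromkeys(candidates))

# Constructed samples: one number from a range reserved for fictional use,
# written three different ways.
SAMPLES = ["07700 900123", "+44 (0)7700 900123", "0044-7700-900123"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", phone_variants(s, "44"))
```

All three ways of writing the sample number produce the same list, which is the point: whichever format a data set stored, one of the variants should match it.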
To give you an example of the value Data OSINT will have to your investigation, I have used search.0t.rocks to search for the email address that I have used previously in this blog:-
Don’t forget there are also Google CSE searches you can use; I have a list of some useful ones on my GitHub resources page but you can try this one out:-
https://cse.google.com/cse?key=AIzaSyB21wQuNzUsRTH-49FA7od4dB_Xvu5DCvg&cx=001794496531944888666:iyxger-cwug&q=
An extra bit.
SnapIntel
I woke up Christmas Day morning to a Tweet from @HolismVision and a Snapchat GitHub repo:-
https://github.com/Kr0wZ/SnapIntel
SnapIntel is a Python tool providing you information about Snapchat users. It is limited in what it can provide on private profiles. I had issues installing it using Git, so I downloaded the zip file, which I saved to my Home directory. Once unzipped, right click and select ‘Open in Terminal’, then use the following cmd:-
python3 -m pip install -r requirements.txt
Of note I had no issues with installing numpy.
The below cmd will search for a Snapchat username and provide you with the summary of the account.
python3 main.py -u Username -s
On public accounts it is very easy to find out additional information and to download videos. On the subject of videos, if you require VLC media player you can add this to your VM using the following cmd:-
sudo snap install vlc
I mentioned previously about knowing the URL structure of a username on a specific platform. You can obtain some basic Snapchat user information using the following URL:-
snapchat.com/add/USERNAME
My closing thoughts are, never rely on one source for your results, beware of false positives, verify your results and above all look at what they tell you about your entity or person of interest.