The script performs extensive Open Source Intelligence (OSINT) on a given domain, utilizing a wide range of sources and tools to gather detailed information. The script covers various aspects of OSINT, including domain information, DNS records, social media profiles, internet-connected device details, breach data, email harvesting, and more.
- WHOIS Information
  - Fetches WHOIS data for the given domain using the whois package.
- DNS Records
  - Retrieves DNS records using the HackerTarget API.
- Social Media Profiles
  - Scrapes LinkedIn profiles related to the domain using Google search.
  - Searches for Twitter profiles related to the domain using the Twitter API.
- Shodan Information
  - Uses the Shodan API to find details about internet-connected devices associated with the domain.
- Reverse IP Lookup
  - Performs reverse IP lookup to find other domains hosted on the same server using the HackerTarget API.
- Breached Data
  - Checks for data breaches related to the domain using the Have I Been Pwned API.
- Email Harvesting
  - Uses the Hunter.io API to find email addresses associated with the domain.
- Pastebin Mentions
  - Scrapes Google search results to find mentions of the domain on Pastebin.
- SecurityTrails Information
  - Fetches detailed domain information using the SecurityTrails API.
- PublicWWW Results
  - Searches for websites using the same analytics or advertising code as the domain using PublicWWW.
- CertSpotter Information
  - Retrieves SSL certificate details for the domain using the CertSpotter API.
- GitHub Repositories
  - Finds public repositories or code snippets mentioning the domain using the GitHub Search API.
- Wayback Machine Snapshots
  - Gets historical snapshots of the website using the Wayback Machine API.
- ZoomEye Information
  - Fetches information on the domain, useful for bypassing WAFs, using the ZoomEye API.
- Criminal-IP Information
  - Provides domain intelligence and reputation information using the Criminal-IP API.
- Censys Information
  - Searches for IPv4 records related to the domain using the Censys API.
- crt.sh Information
  - Fetches SSL certificate information from crt.sh.
- AbuseIPDB Information
  - Checks if IPs are reported for abuse using the AbuseIPDB API.
- IP Validation
  - Validates if the IP is available by performing a DNS lookup.
- Initialization:
  - The script initializes various API clients using the provided API keys.
- Domain Information Gathering:
  - The script collects WHOIS data, DNS records, and social media profiles related to the domain.
- Infrastructure and Device Information:
  - Shodan and ZoomEye APIs are used to gather information on internet-connected devices.
  - Reverse IP lookup is performed to identify other domains hosted on the same server.
- Security and Breach Data:
  - Checks for data breaches using the Have I Been Pwned API.
  - Gathers email addresses using Hunter.io.
  - Searches for Pastebin mentions.
- Detailed Domain Analysis:
  - SecurityTrails, PublicWWW, CertSpotter, and Criminal-IP APIs are used for detailed domain analysis.
  - Historical snapshots are fetched using the Wayback Machine API.
- Certificate and Repository Information:
  - SSL certificates are retrieved using crt.sh and CertSpotter.
  - GitHub is searched for repositories mentioning the domain.
- Validation and Abuse Checking:
  - IP addresses are validated for availability.
  - AbuseIPDB is used to check if any IPs are reported for abuse.
- Compilation of OSINT Report:
  - All gathered data is compiled into a comprehensive OSINT report and saved to a JSON file.
- API Keys:
  - Users need to obtain API keys for the various services used in the script, including Shodan, Twitter, Hunter.io, SecurityTrails, CertSpotter, ZoomEye, Criminal-IP, Censys, and AbuseIPDB.
- Python Packages:
  - Required Python packages include requests, beautifulsoup4, python-whois, shodan, twython, and dnspython.
pip install requests beautifulsoup4 python-whois shodan twython dnspython
To run the script, the user needs to execute it and provide the target domain when prompted:
python osint_script.py
The user will be prompted to enter the target domain, and the script will then perform the OSINT activities, generating an OSINT report saved as a JSON file named osint_report_<domain>.json.
The final OSINT report is a JSON file that includes detailed information from all the sources and tools mentioned, providing a thorough overview of the target domain's online presence, security posture, and potential vulnerabilities.
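An added example (not the script's own code) of the final compile-and-save step: it validates the prompted domain before that string reaches the report filename, and records a failing source instead of aborting the run. The function names are hypothetical, and the two collectors are constructed stand-ins for the real API calls.

```python
import json
import re
import tempfile
from pathlib import Path

# One hostname label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalize_domain(raw):
    """Return the domain lowercased, or raise ValueError if it is not a plain hostname."""
    domain = raw.strip().lower().rstrip(".")
    labels = domain.split(".")
    if len(domain) > 253 or len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"not a valid domain: {raw!r}")
    return domain


def compile_report(domain, collectors):
    """Run every collector; a failing source is recorded under 'errors', not fatal."""
    report = {"domain": domain, "results": {}, "errors": {}}
    for name, collect in collectors.items():
        try:
            report["results"][name] = collect(domain)
        except Exception as exc:  # one API outage must not lose the other sources
            report["errors"][name] = f"{type(exc).__name__}: {exc}"
    return report


def save_report(report, out_dir="."):
    """Write osint_report_<domain>.json inside out_dir and return its path."""
    path = Path(out_dir) / f"osint_report_{report['domain']}.json"
    path.write_text(json.dumps(report, indent=2, default=str))
    return path


# Constructed stand-ins for the real API calls (hypothetical names, sample data).
def fake_dns(domain):
    return {"A": ["192.0.2.10"]}


def fake_shodan(domain):
    raise RuntimeError("API key missing")


if __name__ == "__main__":
    target = normalize_domain(input("Target domain: "))
    report = compile_report(target, {"dns": fake_dns, "shodan": fake_shodan})
    print(save_report(report, tempfile.mkdtemp()))
```

Because the domain is checked label by label, input containing path separators or control characters is rejected before it is used in a filename or an API request.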
This extensive OSINT script is a powerful tool for cybersecurity professionals conducting penetration testing, red teaming, or general reconnaissance on target domains. It leverages a wide range of public and semi-public information sources to build a comprehensive intelligence profile.