The Hunter’s Book of OSINT
HTTP Tools
Unfurl: break down URLs to their components
OSINT Tools | GitHub Curated Reference
awesome-osint
Yelp Threat Intel
CertStream
r3con1z3r
Gotanda OSINT
List of supported engines
Hawk
OSINT Online Services
RiskIQ

The Hunter’s Book of OSINT

URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.

urlhaus.abuse.ch

Reverse Engineer's Toolkit

This is a collection of tools you may like if you are interested on reverse engineering and/or malware analysis on x86 and x64 Windows systems.

github.com

Arsenal-Image-Mounter

Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows.

github.com

HTTP Tools

Unfurl: break down URLs to their components

2D version: https://dfir.blog/unfurl/
3D version: https://dfir.blog/unfurl-3d/

OSINT Tools | GitHub Curated Reference

awesome-osint

URL: https://github.com/jivoi/awesome-osint

9f8bb33d44ae4550bfcc863430453da8

4d57eb337670421badc9454452f63b63

We need to start with awesome-osint because it contains a great list of public threat intel resources. {.is-success}

Yelp Threat Intel

URL: https://github.com/Yelp/threat_intel

6c55aac2f13f46ea97dfd80fd5dc8396

472c6f06e4654ab9a73c273cefbfb423

Amazing python tool that acts as a wrapper for useful APIs: Umbrella Investigate, VirusTotal API v2.0 and ShadowServer API

CertStream

URL: https://github.com/huydhn/certstream-analytics

89d5cf81402f4cbda11bf90777e01c39

1ef1bcddff3f4c27aa0423e7380749a7

A great tool to perform analysis on domain strings: IDNA decoder, homoglyphs decoder, word segmentation, etc.

r3con1z3r

URL: https://github.com/abdulgaphy/r3con1z3r

d9ba6c0324174266bfbda0239f1952b3

d0519dd580b441f793fb1a82aab2c030

This tool allows for quick an easy to read reports on specific domains. By default, it outputs a HTML file with plain text information on the domain.

Gotanda OSINT

URL: https://github.com/HASH1da1/Gotanda

d91e4db95fba491d954d7fa65ae4cbe2

ccaedf9241eb47cb87f70d7e42f77ce7

Gotanda is OSINT(Open Source Intelligence) Web Extension for Firefox/Chrome. This Web Extension could search OSINT information from some IOC in web page (IP, Domain, URL, SNS, etc.).

List of supported engines

Name	URL	Category
Domain Tools	https://whois.domaintools.com/	whois Lookup
Security Trails	https://securitytrails.com/	whois lookup
whoisds	https://whoisds.com/	whois lookup
ThreatCrowd	https://www.threatcrowd.org/	Domain, IPv4
AbuseIPDB	https://www.abuseipdb.com/	IPv4
HackerTarget	https://hackertarget.com/	IPv4
Censys	https://censys.io/	IP, Domain
Shodan	https://shodan.io/	IP, Domain
FOFA	https://fofa.so/	IP, Domain
VirusTotal	https://virustotal.com/	IP, Domain, URL,Hash
GreyNoise	https://viz.greynoise.io/	IPv4
IPAlyzer	https://ipalyzer.com/	IPv4
Tor Relay Search	https://metrics.torproject.org/	IP,Domain
Domain Watch	https://domainwat.ch/	Domain, Email,whois lookup
crt.sh	https://crt.sh/	SSL-certificate
SecurityHeaders	https://securityheaders.com/	URL, Domain
DNSlytics	https://dnslytics.com/	IPv4,IPv6,ASN
URLscan	https://urlscan.io/	URL
Ultratools	https://www.ultratools.com/	IPv6
Wayback Machine	https://web.archive.org	URL
aguse	https://www.aguse.jp/	URL
check-host	https://check-host.net/	URL
CIRCL	https://cve.circl.lu/	CVE
FortiGuard	https://fortiguard.com/	CVE
Sploitus	https://sploitus.com/	CVE
Vulmon	https://vulmon.com/	CVE
CXSecurity	https://cxsecurity.com/	CVE
Vulncode-DB	https://www.vulncode-db.com/	CVE
Malshare	https://malshare.com/	MD5 Hash
ThreatCrowd	https://www.threatcrowd.org/	IP,Domain
Hybrid Analysis	https://www.hybrid-analysis.com/	hash
Twitter	https://twitter.com/	SNS, w/TimeLine
Qiita	https://qiita.com	SNS
GitHub	https://github.com	SNS
Facebook	https://www.facebook.com/	SNS, w/TimeLine
Instagram	https://www.instagram.com/	SNS
LinkedIn	https://linkedin.com/	SNS
Pinterest	https://www.pinterest.jp	SNS
reddit	https://www.reddit.com/	SNS

Hawk

URL: https://github.com/T0pCyber/hawk

19c4579315a444008d3b9b3c18656587

4f000177045c4f49a4da92a1e4a78ff7

Powershell Based tool for gathering information related to O365 intrusions and potential Breaches.

The Hawk module has been designed to ease the burden on O365 administrators who are performing a forensic analysis in their organization.

It does NOT take the place of a human reviewing the data generated and is simply here to make data gathering easier.

OSINT Online Services

RiskIQ

Threat Intelligence Platform that allows you to connect multiple third party services and brings petabytes of internet intelligence directly to your fingertips. RiskIQ does offer a community edition which is free and allows you to gather information on different IOC either via the GUI or API. You can investigate threats by pivoting through attacker infrastructure data, understand your digital assets that are internet-exposed, and map and monitor your external attack surface.

API Reference and Testing: https://api.riskiq.net.

Note: The API has two sections, the full RiskIQ platform section which uses an api_key and api_secret and the RiskIQ Community API section (aka PassiveTotal) where you can use your community account API base on user_name and api_key. The latter won’t work with the former.

OSINT Tools