Posted on February 4th, 2019
I have always maintained an Email Search Tool as part of my set of online investigation tools at https://inteltechniques.com/menu.html. This month, a series of reports about a huge new set of data breaches emerged and created unnecessary panic. While there truly was a new public database released containing hundreds of millions of email addresses and passwords, the vast majority was old data which had surfaced several years prior. Regardless, it was a good reminder that we should be diligent about checking our own email accounts against the various online repositories that possess most of the public leaks/breaches/data dumps being abused by amateur criminals. Investigators should also take advantage of this information as part of every email investigation. Recently, I made several changes to the Email Search Tool as seen below.
In this example, I entered a test email address and chose the “Populate All” option. The following details explain the first six options, which are the most lucrative.
Breaches/Leaks: This tool queries the HIBP API and presents the results in the window to the right. In this example, you can see that the test email is present within numerous data breaches. The OFFENSE of this is to identify the various online accounts in use by your target. The DEFENSE is to identify your own accounts with exposed passwords and change them anywhere they have been used.
Pastes: This queries the HIBP Pastebin API and identifies email addresses that have appeared on pastebin.com, which is often used to store user credentials.
PSBDMP: This queries the PSBDMP collection of pastebin scrapes, which identifies email addresses that have appeared on pastebin.com, even if they have been removed or were never indexed by Google. The results display in the window to the right, and I have added the complete URL of each entry for further investigation. (Thanks to Justin Seitz for fixing my pathetic PHP attempt on this). This has been a huge help with my investigations. A sample entry with the dates of original capture is below.
Verifier: This opens a new tab and queries the address through the Trumail API. This identifies whether the email address is valid, has a full inbox, is a catch-all, is from a disposable email provider, and other interesting details.
Dehashed: This opens a new tab and queries the free version of dehashed.com, which displays any additional breaches that may not have been captured by the previous attempts. Paid memberships can see the password details.
IntelX: This premium option (with a free trial) also identifies pastebin posts that reference the email address. The free version will tell you that the data exists, the premium (or free trial) will display the content.
I encourage everyone to check their own email addresses on occasion. If you appear within any of these data sets, you know that an account has likely been compromised to some extent. Be sure to change those passwords to something secure, unique, and preferably randomly generated by a password manager (I use KeepassXC).
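The DEFENSE step described above, as an added example (it is not the code behind the Email Search Tool): it triages a saved HIBP breach listing for your own address, showing which breaches exposed a password and which are old data listed long after the incident. The JSON is a constructed sample using HIBP's breach field names, and the one-year threshold is an assumed heuristic.

```python
import json
from datetime import date

# Constructed sample shaped like a HIBP breach listing for one address.
# Field names follow HIBP's breach model; the breaches themselves are invented.
SAMPLE_RESPONSE = """[
 {"Name": "ExampleForum", "Domain": "forum.example",
  "BreachDate": "2013-06-01", "AddedDate": "2013-07-15T08:00:00Z",
  "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
 {"Name": "ExampleComboList", "Domain": "",
  "BreachDate": "2015-03-10", "AddedDate": "2019-01-16T21:00:00Z",
  "DataClasses": ["Email addresses", "Passwords"]},
 {"Name": "ExampleMarketing", "Domain": "marketing.example",
  "BreachDate": "2018-09-01", "AddedDate": "2018-10-01T12:00:00Z",
  "DataClasses": ["Email addresses", "Names", "Phone numbers"]}
]"""


def triage(raw_json, stale_after_days=365):
    """Return one finding per breach, most recent breach first."""
    findings = []
    for breach in json.loads(raw_json):
        breached = date.fromisoformat(breach["BreachDate"])
        added = date.fromisoformat(breach["AddedDate"][:10])  # drop the time part
        lag = (added - breached).days
        findings.append({
            "name": breach["Name"],
            # Aggregated credential lists carry no single domain.
            "site": breach.get("Domain") or "(aggregated list, no single site)",
            "breached": breached,
            "passwords_exposed": "Passwords" in breach.get("DataClasses", []),
            "lag_days": lag,
            # Assumed heuristic: listed long after the incident means old data resurfacing.
            "old_data": lag > stale_after_days,
        })
    return sorted(findings, key=lambda f: f["breached"], reverse=True)


def rotation_list(findings):
    """Breaches that exposed a password: change it everywhere it was reused."""
    return [f["name"] for f in findings if f["passwords_exposed"]]


if __name__ == "__main__":
    results = triage(SAMPLE_RESPONSE)
    for f in results:
        age = "old data" if f["old_data"] else "recent"
        pw = "PASSWORD EXPOSED" if f["passwords_exposed"] else "no password"
        print(f'{f["breached"]}  {f["name"]:<18} {f["site"]:<34} {pw:<17} {age}')
    print("Change passwords tied to:", ", ".join(rotation_list(results)))
```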
Posted on October 29th, 2018
The following new-ish resources have been beneficial to my online investigations this month, and have been added to the new IntelTechniques Online Search Portal:
World Imagery Wayback – https://livingatlas.arcgis.com/wayback/
This satellite mapping tool, powered by ESRI, offers multiple historic views of practically any position on earth. I highly recommend checking the “Only updates with local changes” box, as it will remove useless options without any visual changes. Last week, I used this to identify a unique vehicle in a driveway of a suspect residence. I could not find this evidence on any other mapping options.
Social Searcher – https://www.social-searcher.com
This tool is not new, but there have been some updates that are worth mentioning. The search option allows query of any data including names, usernames, or keywords. The export option on the right is useful to create a csv of results. Recently, this located a social network profile that had been deleted, but was still being picked up. There was enough data to extract details for another search through archives.
Profilr – https://www.profilr.social
Another service that has been around a while, but only recently have I found it to be useful. It only searches six main networks, and queries can be made from the search field or through a direct URL as follows:
Findera – https://findera.com/
This site is obviously scraping LinkedIn data, which is nothing new. The difference here is that you can search for keywords within fields that are not searchable by LinkedIn. In one example, I searched my own name to make sure there were no undesired profiles. One of the results was a LinkedIn profile that mentioned my training at one time. This could be a great tool to search deleted profiles or accounts that have since removed specific details.
Intelligence X – https://intelx.io
This is another service scanning and collecting paste dumps, which often include email lists and password breaches. A search will display a few results and redact the rest unless you are logged into a free registered account. I have found many relevant details here. This is a mandatory stop for an email search.
Grey Hat Warfare – https://buckets.grayhatwarfare.com
I have yet to experience a benefit to my investigations with this tool, but I can see where it could be valid. This tool scrapes public Amazon buckets, even those that should be made private. I currently only visit this tool when searching businesses. Many of the links do not provide any actual content, but some reveal data unavailable anywhere else, such as test web pages and documents.
This Google CSE searches for information relevant to Telegram/Telegraph data. Results can be filtered by Private, Stickers, Contacts, Public, and other general areas of the popular online service.
Google Storage API – https://www.google.com/search?q=site:storage.googleapis.com
This Google Dork provides some surprising results. If your target uses the Google Storage API (similar to Google Drive), you may find exposed content. These often include PDF files not publicly linked on official websites.
DeepL Translator – https://www.deepl.com/translator
Whether you are frustrated with garbled translations from Google or simply want a second opinion, DeepL is a fantastic language translator. It also allows translation of uploaded foreign documents. This feature recently helped me quickly translate a large Word document that would have otherwise taken many hours to break apart.
YouTube Channel Crawler – http://channelcrawler.com
Searching videos and users on YouTube is fairly straightforward. Searching YouTube channels using wildcard queries has always been frustrating. Channel Crawler attempts to fix this by scraping channels and providing a search option for the collected data. I find that providing the most minimal search query possible works best.
Whoodle – https://www.whoodle.com
This is another U.S. people search engine with a freemium model. The free results are usually enough to give me direction for additional searches on more reliable sites. Clicking View Report will only present you with payment options.
Yellow Pages Goes Green – https://www.yellowpagesgoesgreen.org
The overall design and function of this website is awful. The data behind it is mediocre. Why is it here? Many people are removing their white pages listings from the main people finder sites, but miss smaller options such as this one. Searching on the main page will fail almost every time. Instead, I suggest using Google as follows:
site:yellowpagesgoesgreen.org “debbie bazzell”
Posted on October 26th, 2018
EPISODE 096: Lessons Learned From My Latest Doxxing Attack
This week, Jason and I discuss lessons to be learned after an online group tried to dox me because of a forum post. Also, I provide a full review of Skopenow.com and we take listener questions.
Listen to all episodes at https://inteltechniques.com/podcast.html
OFFENSE & DEFENSE:
Q: I am a Protonmail user but few of my contacts use it. Are there still benefits of using Protonmail even though most don’t use it?
Q: I am an online investigator, jumping into the world of alias accounts. Are there any good getting started tips for creating a list of aliases?
Please submit your listener questions at https://inteltechniques.com/podcast.html
Posted on October 17th, 2018
I have always provided a collection of online search tools and links on my website. This landing area has changed drastically since 2010, and was due for another makeover. I have completely re-worked the entire collection of online search resources, which is available at https://inteltechniques.com/menu.html (you may need to refresh the page). The following explains a bit about the function, changes, and reasons for modification.
Function: This new collection of tools focuses on TARGET DATA. Choose the type of information you have about your investigation (email address, Facebook profile, name, IP address, etc), and click the corresponding category to the left. This will present a drop-down menu with two options. The first will launch the custom automated search tools for that type of data. This should be the first attack. If you are still seeking more information after the searches, the second option in the menu will take you to numerous online resources related to the search type.
Changes: Overall, almost all of the automated tools were updated to reflect new technique changes. I removed over 60 dead links, and added over 35 new resources.
Reasoning: I decided to change to the format of TARGET DATA searching for several reasons. First, most users of the tool do not want to poke around hundreds of links in order to identify which work best for their investigation. This new format allows you to only display resources that apply to the data you have and want to search. Second, I am seeing a ton of OSINT link collections that pop up, many of which seem to be competing for the “Most OSINT Links” award. It is great to see so many people sharing their OSINT resources, but the pages get overwhelming. I saw one today that had over 4,000 links, without any clear guide to where a person should start. Two that I found recently possessed a handful of useful resources that I was not aware of. I believe these serve a GREAT purpose for dedicated OSINT practitioners. OSINT instructors should stay aware of these huge collections and scrutinize them for the next big resource. I will continue to scour these for tools that are not already covered within another service. For most users, they present too many mediocre search options that are already covered within better services. Additionally, most of these collections are hosted on Start.Me sites, which include mandatory tracking scripts from Google, NewRelic, and others. I believe that investigators should avoid tracking behavior when searching sensitive information.
I chose the “Most Bang for Your Buck” scenario. I believe that less is more. Thousands of resources do no good if you do not have the time to devote toward learning all of them. With my new collection, I present only the most beneficial tools and links that seem to assist with my own investigations. I also do this without any tracking or third-party scripts. I hope that more online investigators will embrace the idea of avoiding web-monitoring and tracking behaviors from commercial sites, and will consider self-hosting without trackers.
There was a lot of discussion within the OSINT community about creating a standard for online link collections. I don’t think it ever progressed into anything official, but I offer this new format for consideration. I think OSINT resources should be categorized by what data is being SEARCHED (email, telephone number, domain, etc) versus the alphabetical NAME of each site or the TYPES of services (marketing, political, social media, etc.). I think this tool provides a faster, more direct approach to online investigations. For those that hate the new design, the previous version can be accessed by the “Classic Version” link in the upper right. There will be much more frequent updates with the new set.
Posted on September 3rd, 2018
Only a few years ago, paid access to a premium database was required in order to search vehicle information such as a VIN or owner details. We are slowly starting to see this type of data leak into free public resources. One such tool is Cars Owners (carsowners.net). This site does not have much search functionality; you must navigate through make, model, year, state, and finally personal details. Instead, consider a custom Google search. If I were looking for any vehicles owned by John Smith, I would type the following into Google.
site:carsowners.net “john smith”
This produces numerous results. I may want to filter by state and make, such as the following search on Google:
site:carsowners.net “john smith” “mazda” “tx”
This leads us to a direct URL of https://carsowners.net/mazda/mazda3/2007/tx/page8. On this page, the following is an example of the type of details one should expect:
We can also search personal details such as a telephone number, address, or VIN. The following search examples have been productive.
site:carsowners.net “(618) 463-4164”
site:carsowners.net “4900 Ridgewood Ln”
Posted on June 22nd, 2018
Facebook constantly tweaks its search structure, which occasionally breaks some of my custom search tools (https://inteltechniques.com/osint/facebook.html). Recently, locating a person’s profile by their school, likes, employer, and location started displaying errors or blank pages. I updated several search options within the right-side portion of the Facebook Tools page in order to correct these issues, and added some new functionality. The Multiple Variables option is also working again. However, there are some caveats.
You must be logged into a Facebook profile
You should refresh the tools page to get the latest updates
Some countries are blocked from these types of searches (Change to US)
Some profiles are blocked from these searches (Flagged accounts)
Some tools require a User ID instead of keyword (These are marked)
Some can accept either a user number or user name
I anticipate several additions to this tool in the coming weeks as new search techniques become stable. If you have any questions or experience issues, please post them to the OSINT forum.
Posted on May 30th, 2018
If you use the free Buscador OSINT Linux Virtual Machine, you have likely noticed that the Instagram tool stopped working. If you use the included custom Firefox browser, you may have noticed a delay in loading pages and annoying ads creep in after the latest update. This is due to a Firefox extension (add-on) that started injecting ads, and was removed by the Firefox repository. I HIGHLY recommend executing the following instructions within every copy of Buscador that you use.
REMOVE “COPY ALL LINKS” FIREFOX EXTENSION:
Please remove Copy All Links from Firefox; the extension has started injecting ads within web traffic. Click Tools > Add-Ons, and “Remove” next to Copy All Links.
Open Terminal and execute:
rm update_scripts.sh   # removes the old script
wget https://raw.githubusercontent.com/beast-fighter/saves_the_day/master/update_scripts.sh   # downloads the new script
sudo chmod +x /home/osint/update_scripts.sh   # makes the new script executable
update_scripts   # runs the new script updater
Open Terminal and execute:
sudo -H pip uninstall instalooter
sudo apt remove python-enum34 --purge
sudo pip install pyopenssl
sudo -H pip install instalooter
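A follow-up check for the extension removal above, as an added example that is not part of Buscador or its update script: it reads a Firefox profile's extensions.json and reports any add-on named in the removal advice, plus any active add-on outside your approved list that can read or change every page. The file layout (addons, defaultLocale.name, active, userPermissions.origins) is assumed from current Firefox profiles, and every id in the sample is constructed.

```python
import json

ADVISED_REMOVAL = {"copy all links"}   # add-on named in the post, lower-cased
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample in the assumed layout of a profile's extensions.json.
# Every id, and every name other than "Copy All Links", is invented.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "copy-links@constructed.example", "type": "extension", "active": True,
     "defaultLocale": {"name": "Copy All Links"},
     "userPermissions": {"permissions": ["clipboardWrite", "tabs"],
                         "origins": ["<all_urls>"]}},
    {"id": "archiver@constructed.example", "type": "extension", "active": True,
     "defaultLocale": {"name": "Page Archiver"},
     "userPermissions": {"permissions": ["downloads"], "origins": ["*://*/*"]}},
    {"id": "notes@constructed.example", "type": "extension", "active": True,
     "defaultLocale": {"name": "Case Notes"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "oldtool@constructed.example", "type": "extension", "active": False,
     "defaultLocale": {"name": "Old Downloader"},
     "userPermissions": {"permissions": [], "origins": ["<all_urls>"]}},
    {"id": "dark@constructed.example", "type": "theme", "active": True,
     "defaultLocale": {"name": "Dark Theme"}},
]})


def audit(extensions_json, approved_ids):
    """Return (id, name, reasons) for every add-on that needs attention."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and so on cannot touch page content
        name = (addon.get("defaultLocale") or {}).get("name", "")
        origins = set((addon.get("userPermissions") or {}).get("origins", []))
        reasons = []
        if name.strip().lower() in ADVISED_REMOVAL:
            reasons.append("removal advised, still installed")
        # Host access to all sites is what lets an add-on inject content into pages.
        if (addon.get("active") and origins & BROAD_ORIGINS
                and addon.get("id") not in approved_ids):
            reasons.append("unapproved and able to read or change every page")
        if reasons:
            findings.append((addon.get("id"), name, reasons))
    return findings


if __name__ == "__main__":
    approved = {"archiver@constructed.example"}  # assumption: your own allowlist
    for addon_id, name, reasons in audit(SAMPLE_EXTENSIONS_JSON, approved):
        print(f"{name} ({addon_id}): " + "; ".join(reasons))
```

To audit a real installation, pass the contents of the extensions.json file from the Firefox profile directory instead of the sample.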
Posted on May 27th, 2018
Blog removed due to complaints about displaying public information found through a Google search. New techniques will be shared through the online training going forward.
Posted on May 13th, 2018
In my previous career, I relied heavily on the ability to filter a friends list only to those in common with at least two suspects. I could provide two Facebook user names, and receive a list of all friends that they each had in common. If I had a burglary spree and I knew two of the three thieves, Facebook would help me identify the third. If I was investigating a homicide, I could input the suspect and the victim, and quickly identify a short list of priority interviews. This was my shortcut to the subjects that may provide actual information versus a lengthy list of people that may not know the victim well. The ability to compare common friends of two individuals on Facebook can be accomplished with a URL. In the following example, I will filter the list of common friends between Christopher Hadnagy (christopher.hadnagy.92) and Jayson Street (jayson.e.street). First, I must use my Facebook Search Tool to translate christopher.hadnagy.92 to 100019852604792 and jayson.e.street to 734444097. The following URL displays the results, which include ONLY people that are friends with BOTH of my targets.
This technique has been around for a long time, and is not likely new to many readers. In the past, filtering only two people was sufficient. Today, many online targets have thousands of friends, and filtering common results with another target is not enough. The result is still more profiles than can be easily investigated. Additionally, I cheated a bit in this example because both of those subjects have a completely public friends list. There is really no reason I should not be able to isolate common friends. Consider the following example which brings in a person with a “private” friends list and more than two targets.
Assume (theoretically) that I have just finished the first draft of a book titled “The Invisible Life: My Successes and Failures at Making People Disappear”, which includes extremely detailed examples of every advanced privacy strategy that I use with wealthy clients that want to fall off radar, story-driven to help explain my process. I know that Chris Hadnagy has written several successful books on the topic of social engineering, and I see that he is friends with Bill Pollock, the founder of the publishing company No Starch Press. Assume that I want to infiltrate this connection and achieve an unfair advantage toward promoting this title to Bill. We can already see all friends on Hadnagy’s profile, but notice that Bill is a bit more private and chooses not to display his friends:
The official Facebook URL to see common friends is the following:
This result discloses two of eighteen mutual friends between our two targets. If I translate Bill’s profile ID and recreate the previous link, I receive the entire list of common friends between the two, regardless of Bill’s privacy settings:
The results identify eighteen people that may influence Bill’s book submission process. That is a lot of people if I wanted to send unsolicited review copies of my book in order to generate buzz in Bill’s circles. Instead, I might want to filter this list only to those that are friends with Chris (public), Jayson (public), and Bill (private). I previously had a working Facebook URL that made this process simple, but it stopped functioning in the past month. Instead, we can make quick use of a spreadsheet to replicate the filter. I copied and pasted all results from the following two URLs into Excel:
This resulted in a list of several names. In Excel, I highlighted the column, then chose Home > Conditional Formatting > Highlight Cell Rules > Duplicate Values. The result in this scenario was red highlighting around only those cells that are friends with all three targets. After sorting by cell color and removing duplicates, I am left with fourteen people that know all three of my subjects. This can be very beneficial considering that Chris and Jayson have hundreds of Facebook friends and Bill keeps his friends list private. There are many investigative scenarios where this can expose immediate people of interest. Below is my actual result, including hyperlinks to each Facebook profile:
My apologies to Chris, Jayson and Bill. Hopefully this does not ruin any potential with No Starch Press for a future book!
Posted on April 26th, 2018
During my live Cyber Keynotes, I discuss the ways that I would steal your online accounts, identify your recycled passwords, and craft and spoof unique phishing emails to infect your company’s network. Many of my audiences assume that all “hacking” occurs through large servers and hidden firewalls. In reality, I would prefer to attack you the easiest way possible. One abundant option is to use the public information you share on social networks against you. Consider the following selection of “security questions” required in order to create an Apple account.
The idea is that you choose a question, provide the answer to Apple, and then confirm the answer to them if you ever get locked out of your account. The reality is that anyone who can identify these answers online is one step closer to accessing your account. If you chose one of these options and provided a correct answer, and also happen to be one of 4 million people that take online quizzes at the Good Old Days Facebook page, I might be able to identify your answers quickly. Below are a handful of recent quizzes where people can share some fairly personal details.
If those did not help me, I would look on other Facebook pages to find the following posts where people respond with their personal answers.
The lesson here, which will be obvious to many, is to never provide real information within online security question challenges. When a service forces you to provide your first car, give them an answer completely unrelated to vehicles. Be sure to document this within your password manager.
On the OSINT side, we can get a bit creepy with the following searches on Facebook. The first identifies every user that has “liked” the Good Old Days Facebook page:
Next, we can isolate our query to display comments where a person replied “German shepherd” on a post from this same Facebook page:
The results include the following redacted post in response to “What was your first pet’s name?”
On the defense side, please revisit your security questions within your important online accounts. If the answers match the questions, and the details could be found online, change them immediately. On the offense side of the house, these online posts can provide valuable data for your investigations.
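The defensive review described above, as an added example that is not from the original post: it compares the security answers you have on file against text you have posted publicly, then replaces any exposed answer with a random, pronounceable string to record in your password manager. The questions, answers and posts are constructed samples, and the syllable scheme is an assumption of this example.

```python
import math
import re
import secrets

CONSONANTS = "bdfghjklmnprstvz"
VOWELS = "aeiou"


def normalize(text):
    """Lower-case and collapse punctuation so 'Rex!' and 'rex' compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def exposed_answers(on_file, public_posts):
    """Questions whose stored answer appears as whole words in your own public posts."""
    posts = [f" {normalize(p)} " for p in public_posts]
    exposed = []
    for question, answer in on_file.items():
        needle = normalize(answer)
        if needle and any(f" {needle} " in post for post in posts):
            exposed.append(question)
    return exposed


def decoy_answer(syllables=10):
    """Random pronounceable string: unrelated to the question, readable over the phone."""
    return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))


def entropy_bits(syllables=10):
    """Guessing entropy of a decoy: each syllable is one of 16 * 5 combinations."""
    return syllables * math.log2(len(CONSONANTS) * len(VOWELS))


def remediate(on_file, public_posts):
    """Replace exposed answers first; the result is what goes into the password manager."""
    exposed = set(exposed_answers(on_file, public_posts))
    return {q: (decoy_answer() if q in exposed else a) for q, a in on_file.items()}


# Constructed sample data: answers on file and text the account owner posted publicly.
ON_FILE = {
    "What was your first pet's name?": "Rex",
    "What was the model of your first car?": "Ford Escort",
    "In what city did your parents meet?": "Springfield",
}
PUBLIC_POSTS = [
    "My first dog was a German shepherd named Rex!",
    "Learned to drive in a beat-up ford escort.",
]

if __name__ == "__main__":
    for question, answer in remediate(ON_FILE, PUBLIC_POSTS).items():
        print(f"{question}  ->  {answer}")
    print(f"decoy strength: about {entropy_bits():.0f} bits")
```

Answers that were not found in public posts are left untouched here; replacing those with decoys as well follows the advice to never provide real information.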