{"id":3511,"date":"2022-04-07T09:17:39","date_gmt":"2022-04-07T09:17:39","guid":{"rendered":"https:\/\/osintme.com\/?p=3511"},"modified":"2022-05-28T09:01:25","modified_gmt":"2022-05-28T09:01:25","slug":"how-to-investigate-phishing-campaigns-resources-for-the-sans-osint-summit-2022-talk","status":"publish","type":"post","link":"https:\/\/osintme.com\/index.php\/2022\/04\/07\/how-to-investigate-phishing-campaigns-resources-for-the-sans-osint-summit-2022-talk\/","title":{"rendered":"How to investigate phishing campaigns &#8211; resources for the SANS OSINT Summit 2022 talk"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"3511\" class=\"elementor elementor-3511\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e1779d5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e1779d5\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0139fe8\" data-id=\"0139fe8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-704d30f elementor-widget elementor-widget-text-editor\" data-id=\"704d30f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>I was delighted to be able to present at the SANS OSINT Summit 2022!<\/p><p>Here is the <a href=\"https:\/\/www.youtube.com\/watch?v=L1gVIFP5BdI\">YouTube video stream<\/a> of ALL the presentations that appeared at the Summit.<\/p><p>My one starts exactly at the 2 h 30m mark.<\/p><p>Or you can just watch it separately <a 
href=\"https:\/\/www.youtube.com\/watch?v=0mmsShIqMIk\">here<\/a>.<\/p><p>A big thank you to the organisers, fellow speakers, to all attendees and participants.<\/p><p>A separate thank you and a shout out to <a href=\"https:\/\/twitter.com\/thegumshoo\"><strong>John TerBush<\/strong><\/a> who provided great assistance and feedback during the creation of this presentation.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8ce1f38 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8ce1f38\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-65ec18b\" data-id=\"65ec18b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e34d9c1 elementor-widget elementor-widget-image\" data-id=\"e34d9c1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"300\" height=\"143\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2022\/03\/SANS-Osint-Summit.jpg?fit=300%2C143&amp;ssl=1\" class=\"attachment-medium size-medium wp-image-3459\" alt=\"SANS Osint Summit\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2022\/03\/SANS-Osint-Summit.jpg?w=460&amp;ssl=1 460w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2022\/03\/SANS-Osint-Summit.jpg?resize=300%2C143&amp;ssl=1 300w\" sizes=\"(max-width: 300px) 100vw, 300px\" 
\/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e62898a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e62898a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-752865b\" data-id=\"752865b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-0d4bdf3 elementor-widget elementor-widget-text-editor\" data-id=\"0d4bdf3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>List of helpful resources to use in support of various OSINT methods I described during the SANS OSINT Summit 2022 presentation:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e90fec8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e90fec8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1fc23d1\" data-id=\"1fc23d1\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9a2a085 
elementor-widget elementor-widget-heading\" data-id=\"9a2a085\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">IP reputation &amp; passive reconnaissance <\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-40a8a9b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"40a8a9b\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-07a4aec\" data-id=\"07a4aec\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-0f3f889 elementor-widget elementor-widget-text-editor\" data-id=\"0f3f889\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><a href=\"https:\/\/ipremoval.sms.symantec.com\/lookup\">Broadcom<\/a> &#8211; simple IP address reputation check.<\/li><li><a href=\"https:\/\/centralops.net\/co\/\">Centralops<\/a> &#8211; multi-purpose tool with the domain dossier lookup functionality. Has a free usage limit of 50 queries per day.<\/li><li><a href=\"https:\/\/talosintelligence.com\/\">Cisco Talos Intelligence<\/a> &#8211; allows checking for various data points and types of activity associated with an IP address. 
Decent reputation lookup tool.<\/li><li><a href=\"https:\/\/domainbigdata.com\/\">Domain Big Data<\/a> &#8211; allows searches by IP, domain, email, even phone number. Returns information on what else is being hosted on the same IP address.<\/li><li><a href=\"https:\/\/gofindwhois.com\/\">Go Find Whois<\/a> &#8211; advanced tool with multiple functionalities. It aggregates several other search engines and tools that can be used to perform lookups.<\/li><li><a href=\"https:\/\/ipinfo.io\/\">IP Info<\/a> &#8211; detailed IP lookup, including IP address type (VPN, proxy, hosting, etc.).<\/li><li><a href=\"https:\/\/www.ip-neighbors.com\/\">IP Neighbors<\/a> &#8211; for checking hosting neighbours of a site \/ host of interest.<\/li><li><a href=\"https:\/\/www.ipvoid.com\/\">IP Void<\/a> &#8211; multi-tool IP search tool, allows lookups against several basic and advanced criteria.<\/li><li><a href=\"https:\/\/mxtoolbox.com\/SuperTool.aspx\">MX Toolbox<\/a> &#8211; another multi-tool that allows searching by domain name, IP address or host name. Also allows conducting IP reputation checks.<\/li><li><a href=\"https:\/\/www.showmyip.com\/bulk-ip-lookup\/\">ShowMyIP<\/a> &#8211; bulk IP address lookup, allows looking up as many as 100 IPs at the same time, but can be plagued by captchas. IP search results can be downloaded as .csv files.<\/li><li><a href=\"https:\/\/www.threatminer.org\/\">Threatminer<\/a> &#8211; a threat intelligence portal that combines the information from several well-respected infosec industry platforms.<\/li><li><a href=\"https:\/\/www.virustotal.com\/gui\/home\/upload\">Virus Total<\/a> &#8211; handy for checking IPs and URLs. 
Predominantly a static analysis sandbox for suspicious files, with solid capabilities for screening websites and IPs.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b89a8a7 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b89a8a7\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7a458e0\" data-id=\"7a458e0\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9d46eeb elementor-widget elementor-widget-heading\" data-id=\"9d46eeb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">DNS analysis<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6e9385e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6e9385e\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a2804ab\" data-id=\"a2804ab\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div 
class=\"elementor-element elementor-element-fdca8c6 elementor-widget elementor-widget-text-editor\" data-id=\"fdca8c6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><a href=\"https:\/\/otx.alienvault.com\/\">Alien Vault<\/a> &#8211; for DNS records but also a myriad of other indicators, like URLs, file scans and other telemetry.<\/li><li><a href=\"https:\/\/completedns.com\/dns-history\/\">Complete DNS<\/a> &#8211; for checking the DNS history, domain history and archive records.<\/li><li><a href=\"https:\/\/dnsdumpster.com\/\">DNS Dumpster<\/a> &#8211; very useful for subdomain enumeration. Includes the option to create a map displaying all the results.<\/li><li><a href=\"https:\/\/dnslytics.com\/reverse-ip\">DNSlytics<\/a> &#8211; reverse IP lookup tool for identifying domains that share the same IP address or subnet.<\/li><li><a href=\"https:\/\/dnstwister.report\/\">DNS Twister<\/a> &#8211; for searching domains by name and monitoring DNS records. 
Useful when investigating typo-squatting and domains with very similar names \/ special characters.<\/li><li><a href=\"https:\/\/passivedns.mnemonic.no\/\">Passive DNS<\/a> &#8211; for basic DNS lookups.<\/li><li><a href=\"https:\/\/sitecheck.sucuri.net\/\">Sucuri Site Check<\/a> &#8211; quick website scanner, useful for running DNS name checks.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ddd269c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ddd269c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f0194c9\" data-id=\"f0194c9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-0bb4b84 elementor-widget elementor-widget-heading\" data-id=\"0bb4b84\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Shortened URLs<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-696ad3e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"696ad3e\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column 
elementor-element elementor-element-6c2fbb0\" data-id=\"6c2fbb0\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-212c2e4 elementor-widget elementor-widget-text-editor\" data-id=\"212c2e4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Many shortened links can be explored by simply adding a\u00a0<strong>\u2018+\u2019<\/strong>\u00a0symbol at the end of the shortened URL in your browser\u2019s URL bar. This will work the majority of the time, but it depends on the compatibility of the URL shortening service.<\/p><p>Note that, instead of the \u2018+\u2019 symbol, some of these services require a different symbol to unshorten your link, such as:<\/p><ul><li>a hyphen \u2018-\u2019;<\/li><li>a question mark \u2018?\u2019;<\/li><li>a tilde \u2018~\u2019.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-326c30d elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"326c30d\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b72d01f\" data-id=\"b72d01f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-60fb1dc elementor-widget elementor-widget-text-editor\" data-id=\"60fb1dc\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Other ways to investigate shortened URLs include installing a dedicated browser extension or going directly to online resources that will do the job for you, with varying degrees of detail. Examples:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4142e6a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4142e6a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a9d0b4c\" data-id=\"a9d0b4c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-bf7b7aa elementor-widget elementor-widget-text-editor\" data-id=\"bf7b7aa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><a href=\"http:\/\/www.checkshorturl.com\/\">http:\/\/www.checkshorturl.com\/<\/a><\/li><li><a href=\"https:\/\/unshorten.it\/\">https:\/\/unshorten.it\/<\/a><\/li><li><a href=\"https:\/\/wheregoes.com\/\">https:\/\/wheregoes.com\/<\/a><\/li><li><a href=\"http:\/\/urlxray.com\/\">http:\/\/urlxray.com\/<\/a><\/li><li><a href=\"https:\/\/redirectdetective.com\/\">https:\/\/redirectdetective.com\/<\/a><\/li><li><a href=\"https:\/\/www.spyoffers.com\/\">https:\/\/www.spyoffers.com\/<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section 
class=\"elementor-section elementor-top-section elementor-element elementor-element-6a918e2 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6a918e2\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-543f23d\" data-id=\"543f23d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f185db9 elementor-widget elementor-widget-heading\" data-id=\"f185db9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Open directory websites<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e45fd9c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e45fd9c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5670a26\" data-id=\"5670a26\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4e2749f elementor-widget elementor-widget-text-editor\" data-id=\"4e2749f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Opendir websites can be found using the following search methods:<\/p><p><em><strong>Google searches:<\/strong><\/em><\/p><p><strong>intitle:&#8221;index.of&#8221; .exe<\/strong> (or whatever file extension you&#8217;re searching for; could be a name keyword of interest too).<\/p><p><strong>intext:&#8221;keyword&#8221; intitle:&#8221;index.of&#8221; -inurl: file extension<\/strong> &#8211; example:<\/p><p><em>intext:&#8221;osint&#8221; intitle:&#8221;index.of&#8221; -inurl: jpg<\/em><\/p><p>Multiple piped search criteria combinations are also possible, for instance:<\/p><p><strong>intext:&#8221;osint&#8221; intitle:&#8221;index.of&#8221; (rar|tar|7z|zip)<\/strong><\/p><p><strong>index of parent directory<\/strong> <strong>&#8220;keyword&#8221; &#8220;file extension&#8221;<\/strong> &#8211; example:<\/p><p><strong>index of parent directory osint\u00a0 (.txt|.doc|.docx)<\/strong><\/p><ul><li>Twitter search &#8211; hashtag <strong>#opendir<\/strong> &#8211; or this link <a href=\"https:\/\/twitter.com\/hashtag\/opendir?src=hashtag_click\">here<\/a> (great for finding malware \/ phishing sites).<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-198e694 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"198e694\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f29f0a8\" data-id=\"f29f0a8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-779e2b3 
elementor-widget elementor-widget-text-editor\" data-id=\"779e2b3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><a href=\"https:\/\/odcrawler.xyz\/\">ODCrawler<\/a> &#8211; useful for searching by keyword and file type. However, it focuses on finding specific files as opposed to opendir websites.<\/li><\/ul><p>\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-778c140 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"778c140\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0bc9531\" data-id=\"0bc9531\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-cf205f6 elementor-widget elementor-widget-heading\" data-id=\"cf205f6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Website technology stack &amp; content examination<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-641fea0 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"641fea0\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div 
class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d0daa8d\" data-id=\"d0daa8d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8cb89c7 elementor-widget elementor-widget-text-editor\" data-id=\"8cb89c7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><a href=\"https:\/\/awesometechstack.com\/\">Awesome Tech Stack<\/a> &#8211; currently in beta, this site allows for scanning websites and generating performance reports for their tech stacks.<\/li><li><a href=\"https:\/\/builtwith.com\/\">Built With<\/a> &#8211; online scan of the technologies and components used on a particular website.<\/li><li><a href=\"https:\/\/www.httrack.com\/\">HTTrack<\/a> &#8211; for downloading websites offline. 
Useful for phishing \/ scam websites as they are typically not very cumbersome or rich in video file \/ multimedia content.<\/li><li><a href=\"https:\/\/publicwww.com\/\">Public WWW<\/a>\u00a0&#8211; source code inspection engine, good for finding and identifying complete or incomplete elements of website source code.<\/li><li><a href=\"https:\/\/themarkup.org\/blacklight\">The Markup Blacklight<\/a> &#8211; a privacy-enabling tool that allows a quick website scan in search of trackers, third-party cookies, keyloggers and Facebook \/ Google ad monitoring.<\/li><li><a href=\"https:\/\/webtechsurvey.com\/\">Web Tech Survey<\/a> &#8211; another online scanner, useful for tracking changes to the website&#8217;s technology stack.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-394cec8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"394cec8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7919be1\" data-id=\"7919be1\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ff4a0b7 elementor-widget elementor-widget-heading\" data-id=\"ff4a0b7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Security certificates<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section 
class=\"elementor-section elementor-top-section elementor-element elementor-element-bb4b552 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"bb4b552\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c009643\" data-id=\"c009643\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-215f2e4 elementor-widget elementor-widget-text-editor\" data-id=\"215f2e4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li>Binary Edge:&nbsp;<a href=\"https:\/\/app.binaryedge.io\/\">https:\/\/app.binaryedge.io\/<\/a><\/li><li>Cert SH:&nbsp;<a href=\"https:\/\/crt.sh\/\">https:\/\/crt.sh\/<\/a><\/li><li>Censys:&nbsp;<a href=\"https:\/\/search.censys.io\/\">https:\/\/search.censys.io\/<\/a><\/li><li>Shodan:&nbsp;<a href=\"https:\/\/www.shodan.io\/\">https:\/\/www.shodan.io\/<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-114f429 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"114f429\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f306a48\" data-id=\"f306a48\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap 
elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e97c6e1 elementor-widget elementor-widget-heading\" data-id=\"e97c6e1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Captcha abuse OSINT<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d45bf98 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d45bf98\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-8e9b81b\" data-id=\"8e9b81b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7369805 elementor-widget elementor-widget-text-editor\" data-id=\"7369805\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Captcha sites contain a reCAPTCHA API key used in the URL parameters<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Repetitive values within a URL string<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">These identifiers can be drilled into and searched for on other pages, which gives us the ability to find other phishing websites or campaigns using the same MO.<\/span><\/li><li 
style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">CAPTCHA keys can be extracted from the HTML source code.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">View page source code \/ F12 &#8211; examine the code searching for<\/span><span style=\"font-weight: 400;\"> values that follow \u201crecaptcha\u201d, \u201crecaptcha-response\u201d or \u201crecaptcha callback\u201d.<\/span><\/li><li aria-level=\"1\">Run simple Google searches as a follow-up to see if these values can be found elsewhere.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-70010ac elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"70010ac\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-9538fca\" data-id=\"9538fca\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fe1b8e3 elementor-widget elementor-widget-image\" data-id=\"fe1b8e3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"648\" height=\"419\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2022\/04\/captcha-OSINT-phishing-site.png?fit=648%2C419&amp;ssl=1\" class=\"attachment-large size-large wp-image-3549\" alt=\"captcha OSINT phishing site\" 
srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2022\/04\/captcha-OSINT-phishing-site.png?w=648&amp;ssl=1 648w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2022\/04\/captcha-OSINT-phishing-site.png?resize=300%2C194&amp;ssl=1 300w\" sizes=\"(max-width: 648px) 100vw, 648px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5de07cb elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5de07cb\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e337a3e\" data-id=\"e337a3e\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4f274be elementor-widget elementor-widget-image\" data-id=\"4f274be\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"911\" height=\"164\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2022\/04\/captcha-OSINT-phishing-2.png?fit=911%2C164&amp;ssl=1\" class=\"attachment-large size-large wp-image-3550\" alt=\"captcha OSINT phishing 2\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2022\/04\/captcha-OSINT-phishing-2.png?w=911&amp;ssl=1 911w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2022\/04\/captcha-OSINT-phishing-2.png?resize=300%2C54&amp;ssl=1 300w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2022\/04\/captcha-OSINT-phishing-2.png?resize=768%2C138&amp;ssl=1 768w\" 
sizes=\"(max-width: 911px) 100vw, 911px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>List of helpful resources to use in support of various OSINT methods I described during the SANS OSINT Summit 2022 presentation.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6],"tags":[157,80,82,155,87,79],"class_list":["post-3511","post","type-post","status-publish","format-standard","hentry","category-open-source-intelligence","tag-conference","tag-domain","tag-phishing","tag-sans","tag-training","tag-website"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/3511","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/comments?post=3511"}],"version-history":[{"count":61,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/3511\/revisions"}],"predecessor-version":[{"id":3670,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/3511\/revisions\/3670"}],"wp:attachment":[{"href":"https:\/\/osintme.com\/in
dex.php\/wp-json\/wp\/v2\/media?parent=3511"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/categories?post=3511"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/tags?post=3511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}