Open Source Intelligence
OSINT Web Resources
- exif.regex.info — Metadata viewer
- Google Reverse Image Search — Reverse image search
- Github — Code repository (lol)
- Shodan — Search engine for web services
- Censys — Online scanner for websites and certificates.
- Greynoise — IP reputation search
- Maxmind — GeoIP lookup
- web.archive.org — The Internet archive
- Latitude and Longitude converter — Degrees Minutes Seconds to/from Decimal Degrees
- Cert Logik — CSR decoder and certificate decoder
- Geocode 3 Word System — Geocode system labeling every 3 meter square of the world with a unique 3-word combination.
- Online Exiftool — online file metadata extraction
Command Line OSINT Tools
- ExifTool — Meta information reader/writer
- File types and meta information formats supported by ExifTool
Print all metadata in a file (add -n to get raw, unconverted values, e.g. GPS coordinates as signed decimal degrees instead of degrees/minutes/seconds):
exiftool <filename>
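The latitude/longitude converter listed above and the GPS tags exiftool prints describe the same conversion, so here it is worked through in code. This is an added example, not code from this page or from ExifTool: it parses the `41 deg 24' 12.20" N` form that exiftool prints by default, converts EXIF's raw degree/minute/second rationals plus hemisphere tag, and goes back to DMS with the rounding carry handled. The sample output lines are constructed, not from a real file.

```python
import re
from typing import Iterable, List, Optional, Sequence, Tuple

# The form exiftool prints GPS coordinates in by default, e.g. 41 deg 24' 12.20" N
# (with -n it prints a signed decimal instead, and no conversion is needed).
_DMS_RE = re.compile(
    r"""^\s*(?P<deg>\d+)\s*deg\s+(?P<min>\d+)'\s*(?P<sec>\d+(?:\.\d+)?)"\s*(?P<ref>[NSEW])\s*$"""
)


def dms_to_decimal(degrees: float, minutes: float, seconds: float, ref: str) -> float:
    """Degrees/minutes/seconds plus hemisphere letter -> signed decimal degrees.
    N and E are positive, S and W negative (the convention mapping tools and exiftool -n use)."""
    ref = ref.upper()
    if ref not in "NSEW":
        raise ValueError(f"bad hemisphere reference {ref!r}")
    if not (0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError("minutes and seconds must be in [0, 60)")
    value = degrees + minutes / 60 + seconds / 3600
    return -value if ref in "SW" else value


def decimal_to_dms(value: float, is_latitude: bool) -> Tuple[int, int, float, str]:
    """Signed decimal degrees -> (deg, min, sec, ref), seconds rounded to 0.01."""
    limit = 90 if is_latitude else 180
    if not -limit <= value <= limit:
        raise ValueError(f"{value} out of range for {'latitude' if is_latitude else 'longitude'}")
    if is_latitude:
        ref = "N" if value >= 0 else "S"
    else:
        ref = "E" if value >= 0 else "W"
    value = abs(value)
    degrees = int(value)
    rest = (value - degrees) * 60
    minutes = int(rest)
    seconds = round((rest - minutes) * 60, 2)
    # Rounding can push seconds to 60.00; carry into minutes and degrees.
    if seconds >= 60:
        seconds -= 60
        minutes += 1
    if minutes >= 60:
        minutes -= 60
        degrees += 1
    return degrees, minutes, seconds, ref


def parse_exiftool_coordinate(text: str) -> float:
    """Parse one coordinate in exiftool's default DMS text form."""
    m = _DMS_RE.match(text)
    if not m:
        raise ValueError(f"not an exiftool DMS coordinate: {text!r}")
    return dms_to_decimal(int(m["deg"]), int(m["min"]), float(m["sec"]), m["ref"])


def exif_rationals_to_decimal(rationals: Sequence[Tuple[int, int]], ref: str) -> float:
    """Convert the raw EXIF encoding: GPSLatitude/GPSLongitude are three unsigned
    rationals (numerator, denominator) for degrees, minutes and seconds, and the
    hemisphere lives in the separate GPSLatitudeRef/GPSLongitudeRef tag.  Some
    cameras store fractional minutes with 0 seconds, which this handles too."""
    (dn, dd), (mn, md), (sn, sd) = rationals
    return dms_to_decimal(dn / dd, mn / md, sn / sd, ref)


def gps_from_exiftool_output(lines: Iterable[str]) -> Optional[Tuple[float, float]]:
    """Pull (lat, lon) out of exiftool's default 'Tag Name : value' text output.
    Returns None when either coordinate is missing (no GPS tags, or stripped)."""
    found = {}
    for line in lines:
        key, sep, val = line.partition(":")
        key = key.strip()
        if sep and key in ("GPS Latitude", "GPS Longitude"):
            found[key] = parse_exiftool_coordinate(val)
    if "GPS Latitude" in found and "GPS Longitude" in found:
        return found["GPS Latitude"], found["GPS Longitude"]
    return None


# Constructed lines in the shape of `exiftool photo.jpg` output; not from a real file.
SAMPLE_EXIFTOOL_OUTPUT: List[str] = [
    "File Name                       : photo.jpg",
    "Date/Time Original              : 2021:06:01 12:34:56",
    "GPS Latitude Ref                : North",
    "GPS Longitude Ref               : East",
    "GPS Latitude                    : 41 deg 24' 12.20\" N",
    "GPS Longitude                   : 2 deg 10' 26.50\" E",
]

if __name__ == "__main__":
    print(gps_from_exiftool_output(SAMPLE_EXIFTOOL_OUTPUT))
```

The sign lives in the Ref tag, not in the numbers, so a converter that ignores GPSLatitudeRef/GPSLongitudeRef silently places southern and western positions in the wrong hemisphere; that is the usual bug in home-grown EXIF scripts.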
OSINT Misc. Information and Resources
- 50 Common Ports You Should Know
- Service Name and Transport Protocol Port Number Registry — IANA
- Google Dork Cheatsheet
- List of DNS Record Types
- Google Hacking Database
Scan Wi-Fi Network
arp-scan
arp-scan is a network scanning tool that uses ARP to discover and fingerprint IPv4 hosts on the local network. Because ARP is not routed it only reaches hosts on the same layer-2 segment, but hosts answer it even when they firewall ICMP and TCP probes; it needs root (raw sockets), and the vendor column comes from the OUI of the replying MAC address.
Send ARP requests to target hosts and display the responses:
arp-scan [options] [hosts...]
Scan a subnet, specifying interface to use and a custom source MAC address:
arp-scan -I eth0 --srcaddr=DE:AD:BE:EF:CA:FE 192.168.86.0/24
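What to do with the scan once it is on screen: the same responses can reveal an address conflict or an ARP spoofer, because one IP answering from two MACs, or one MAC answering for several IPs, is exactly what poisoning looks like. The parser below is an added example (not code from this page or from the arp-scan project) over output constructed in arp-scan's tab-separated layout; the addresses and vendors are made up. It depends on one detail of arp-scan's format, the "(DUP: n)" marker appended when an IP answers more than once.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed output in the shape arp-scan prints: a header, one tab-separated
# "IP<TAB>MAC<TAB>vendor" line per reply, and "(DUP: n)" appended when an IP
# answers more than once.  Addresses and vendors are made up.
SAMPLE_ARP_SCAN = """\
Interface: eth0, type: EN10MB, MAC: 00:11:22:33:44:55, IPv4: 192.168.86.20
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.86.1\tdc:a6:32:00:11:22\tRaspberry Pi Trading Ltd
192.168.86.35\t3c:22:fb:aa:bb:cc\tApple, Inc.
192.168.86.35\t00:0c:29:dd:ee:ff\tVMware, Inc. (DUP: 2)
192.168.86.1\t00:0c:29:dd:ee:ff\tVMware, Inc. (DUP: 2)
192.168.86.70\t00:0c:29:12:34:56\tVMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.011 seconds (127.30 hosts/sec). 3 responded
"""

_REPLY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\t"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\t"
    r"(?P<vendor>.*?)(?:\s*\(DUP: (?P<dup>\d+)\))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpReply:
    ip: str
    mac: str
    vendor: str
    dup: int  # 1 for the first reply seen for an IP, n for the n-th


def parse_arp_scan(output: str) -> List[ArpReply]:
    """Keep only the reply lines; header, blank and summary lines do not match."""
    replies = []
    for line in output.splitlines():
        m = _REPLY_RE.match(line)
        if m:
            replies.append(ArpReply(m["ip"], m["mac"].lower(), m["vendor"].strip(), int(m["dup"] or 1)))
    return replies


def _ip_key(ip: str):
    # Sort IPs numerically, not as strings.
    return tuple(int(part) for part in ip.split("."))


def ips_with_multiple_macs(replies: List[ArpReply]) -> Dict[str, List[str]]:
    """One IP answered from more than one MAC: an address conflict, or an attacker
    answering for a host (ARP spoofing); the gateway is the usual target."""
    seen = defaultdict(set)
    for r in replies:
        seen[r.ip].add(r.mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def macs_with_multiple_ips(replies: List[ArpReply]) -> Dict[str, List[str]]:
    """One MAC answered for several IPs: legitimate for a router doing proxy ARP or a
    host with aliases, but also what a spoofer claiming other hosts' addresses looks like."""
    seen = defaultdict(set)
    for r in replies:
        seen[r.mac].add(r.ip)
    return {mac: sorted(ips, key=_ip_key) for mac, ips in seen.items() if len(ips) > 1}


def vendor_counts(replies: List[ArpReply]) -> Dict[str, int]:
    """Replies per OUI vendor; a cluster of VMs or an unexpected vendor on a segment is worth a look."""
    return dict(Counter(r.vendor for r in replies))


def findings(replies: List[ArpReply]) -> List[str]:
    """Human-readable list of the anomalies above."""
    out = []
    for ip, macs in ips_with_multiple_macs(replies).items():
        out.append(f"{ip} answered from {len(macs)} MACs: {', '.join(macs)}")
    for mac, ips in macs_with_multiple_ips(replies).items():
        out.append(f"{mac} answered for {len(ips)} IPs: {', '.join(ips)}")
    return out


if __name__ == "__main__":
    for line in findings(parse_arp_scan(SAMPLE_ARP_SCAN)):
        print(line)
```

In the constructed sample the VMware MAC 00:0c:29:dd:ee:ff answers for both the gateway (.1) and a workstation (.35); on a real segment that pattern is a strong enough indicator to go and find the host behind that MAC.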
iwlist
Look up the ESSID of the access point with a given BSSID (the dots in the pattern are single-character wildcards, so the separator style does not matter). Triggering a fresh scan needs root; an unprivileged user may only get cached results:
iwlist <if> scanning | grep -A5 -B5 -E "AA.BB.CC.DD.EE.FF" | grep -i ESSID
Misc
- Kali - Hidden WiFi Network Name
- mdk3
- Airodump-ng
- Wigle.net User Reported Wireless Network Data
- Article on wireless networking, wardriving, SSIDs, MAC addresses, and hotspots; includes basic walkthrough of wigle.net.
Wi-Fi Terms and Definitions
A Wireless LAN (WLAN) is a network in which devices communicate wirelessly with each other within a defined area. It is normally bridged to a wired network through one or more access points.
A Wireless Access Point (WAP, usually just AP) accepts wireless traffic from multiple devices and retransmits (bridges) it to the rest of the network.
The Service Set Identifier (SSID), also called the "network name", is the fundamental identifier of an 802.11 Wireless Local Area Network (WLAN), which includes both home networks and public hotspots. The SSID is a case-sensitive string of 0 to 32 bytes; in practice it is usually letters and digits, but the standard allows any byte values, so tooling should not assume it is printable text. Routers ship preprogrammed with a manufacturer default SSID (examples: TP LINK, D LINK, JIO FI, or DEFAULT), and an unchanged default is itself an OSINT clue to the hardware vendor.
The Basic Service Set Identifier (BSSID) is not the same as the SSID. A Basic Service Set (BSS) is the group of wireless devices associated with one Access Point (AP), and the BSSID is the MAC address of that AP's radio (an AP serving several SSIDs from one radio uses a different BSSID for each). The BSSID is carried in every 802.11 frame, including beacons and probe responses, so it is visible to anyone in radio range even when the SSID is hidden.
One service set can be extended by adding more APs that share the same SSID; this is called an Extended Service Set (ESS), and the shared network name is referred to as the Extended Service Set Identifier (ESSID). Every AP in the ESS broadcasts the same SSID while keeping its own BSSID, which is what lets clients roam between APs without reconnecting.
- WEP: Wired Equivalent Privacy, the original 802.11 encryption (RC4 with a 24-bit IV). Broken since the early 2000s; the key is recoverable from captured traffic in minutes, so treat a WEP network as open.
- WPA/WPA2: Wi-Fi Protected Access. WPA (TKIP) was the stop-gap replacement for WEP; WPA2 (802.11i, AES-CCMP) is the current baseline. In Personal mode both use a pre-shared key, and the four-way handshake can be captured and the PSK guessed offline if it is weak.
- WPS: Wi-Fi Protected Setup, a push-button or 8-digit PIN method for joining a network. The PIN is verified in two halves and its last digit is a checksum, so an online brute force needs at most about 11,000 attempts; disable it.
- WAP: Wireless Access Point (defined above).
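The iwlist grep pipeline under Scan Wi-Fi Network answers one question (which ESSID belongs to this BSSID); a small parser over the same `iwlist scanning` output also answers the ones the definitions above raise: which BSSIDs share one ESSID (an ESS), which cells hide their SSID, and whether each cell is open, WEP, WPA or WPA2. This is an added example, not code from this page or from wireless-tools. The scan text is constructed in iwlist's layout with made-up addresses, and the security classification reads the IE lines iwlist prints; it does not try to tell WPA3 apart from WPA2, since both advertise the 802.11i/RSN IE and wireless-tools predates WPA3.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout `iwlist <if> scanning` prints (abridged); no real networks.
SAMPLE_IWLIST = """\
wlan0     Scan completed :
          Cell 01 - Address: AA:BB:CC:DD:EE:FF
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=60/70  Signal level=-50 dBm
                    Encryption key:on
                    ESSID:"HomeNet"
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
          Cell 02 - Address: AA:BB:CC:DD:EE:00
                    Channel:11
                    Encryption key:on
                    ESSID:"HomeNet"
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 03 - Address: 11:22:33:44:55:66
                    Channel:1
                    Encryption key:on
                    ESSID:""
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 04 - Address: 22:33:44:55:66:77
                    Channel:3
                    Encryption key:on
                    ESSID:"OldRouter"
          Cell 05 - Address: 33:44:55:66:77:88
                    Channel:6
                    Encryption key:off
                    ESSID:"CoffeeShop"
          Cell 06 - Address: 44:55:66:77:88:99
                    Channel:9
                    Encryption key:on
                    ESSID:"\\x00\\x00\\x00\\x00"
                    IE: WPA Version 1
"""

_CELL_RE = re.compile(r"Cell \d+ - Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
_ESSID_RE = re.compile(r'ESSID:"(?P<essid>.*)"$')


@dataclass
class Cell:
    bssid: str
    essid: Optional[str] = None
    channel: Optional[int] = None
    encryption: bool = False
    ies: List[str] = field(default_factory=list)

    @property
    def hidden(self) -> bool:
        # A non-broadcast SSID shows up as ESSID:"" or as a run of \x00 escapes
        # (the beacon carries a zero-length or null-filled SSID element).
        return not self.essid or re.fullmatch(r"(\\x00)+", self.essid) is not None

    @property
    def security(self) -> str:
        # Encryption on with no WPA/RSN information element means WEP.
        if not self.encryption:
            return "OPEN"
        if any("WPA2" in ie for ie in self.ies):
            return "WPA2"
        if any("WPA" in ie for ie in self.ies):
            return "WPA"
        return "WEP"


def parse_iwlist(text: str) -> List[Cell]:
    """Split iwlist output into cells; each 'Cell NN - Address:' line starts a new one."""
    cells: List[Cell] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _CELL_RE.search(line)
        if m:
            cells.append(Cell(bssid=m["mac"].upper()))
            continue
        if not cells:
            continue  # interface banner before the first cell
        cell = cells[-1]
        if line.startswith("Channel:"):
            cell.channel = int(line.split(":", 1)[1])
        elif line.startswith("Encryption key:"):
            cell.encryption = line.endswith("on")
        elif line.startswith("ESSID:"):
            m = _ESSID_RE.match(line)
            cell.essid = m["essid"] if m else line[len("ESSID:"):]
        elif line.startswith("IE:"):
            cell.ies.append(line[len("IE:"):].strip())
    return cells


def essid_for_bssid(cells: List[Cell], bssid: str) -> Optional[str]:
    """What the grep pipeline does: the network name behind one MAC address."""
    for c in cells:
        if c.bssid == bssid.upper():
            return c.essid
    return None


def extended_service_sets(cells: List[Cell]) -> Dict[str, List[str]]:
    """ESSID -> BSSIDs for names served by more than one AP (an ESS)."""
    by_name: Dict[str, List[str]] = {}
    for c in cells:
        if not c.hidden:
            by_name.setdefault(c.essid, []).append(c.bssid)
    return {name: sorted(b) for name, b in by_name.items() if len(b) > 1}


def hidden_networks(cells: List[Cell]) -> List[str]:
    """BSSIDs that do not broadcast a name; the BSSID itself is never hidden."""
    return [c.bssid for c in cells if c.hidden]


def security_table(cells: List[Cell]) -> Dict[str, str]:
    return {c.bssid: c.security for c in cells}
```

A hidden SSID only removes the name from beacons; the BSSID, channel and security IEs are still there, and the name itself is recoverable from probe requests and association frames (the wigle.net and airodump-ng entries under Misc cover that).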