Email spoofing
https://medium.com/iron-bastion/setting-up-email-server-for-direct-email-spooling-attack-c34a4beb7ff
https://medium.com/iron-bastion/discovering-hidden-email-servers-with-osint-2dbf07559626
Other tools
BuiltWith
With BuiltWith, it’s possible to uncover the different tech stacks and platforms that power certain websites. It also generates a list of JavaScript/CSS libraries, plugins and other utilities used by the website in question. Personnel can then use that to perform vital functions, such as patching WordPress weaknesses and updating a plugin with a new version.
Creepy
An OSINT tool written in Python, Creepy collects geolocation data from social networking sites as well as image hosting services. It enables users to present that data on a map. Not only that, but users can also download those results in .CSV or .KML to show in Google Maps.
theHarvester
theHarvester is an OSINT tool through which users can gather emails, subdomains, IPs, URLs and other pieces of data using numerous public data sources. On the passive side, theHarvester is capable of using search engines such as DuckDuckGo and Google. But it also comes with active search capabilities such as conducting DNS brute forcing and taking screenshots of whatever subdomains it finds.
Maltego
A Java tool that runs on Windows-, Linux- and macOS-powered machines, Maltego is a graphical link analysis tool that helps users to gather and connect OSINT as part of an ongoing investigation. Maltego comes with 58 data integrations from over 35 data partners, and it allows users to choose four different layouts to recognize patterns in the data they’ve uncovered.
Metagoofil
The value of Metagoofil lies in its ability to extract metadata from public documents, including PDFs and Microsoft Office files. It does this by using a Google search to find and download the documents to a local disk. At that point, the tool uses Hachoir, PdfMiner and other libraries to lift the metadata from those documents.
Recon-ng
Recon-ng is a framework that stands apart from others due to its focus on web-based open source reconnaissance. It helps users to pursue their reconnaissance work by way of modules. Towards that end, Recon-ng comes with several built-in modules, such as those that help users to uncover further domains related to a target domain.
Shodan
With Shodan, users can search the web for internet-connected devices. Websites provide some insight into those assets, but Shodan takes its scans a step further by revealing assets like Internet of Things (IoT) products. Shodan helps achieve comprehensive visibility over all a group’s devices and to keep those assets up to date.
SpiderFoot
Those running Linux- and Windows-based machines can use SpiderFoot to automate their collection of OSINT. This open source reconnaissance tool comes with over 200 modules for data collection and analysis. This can help gain a broad view of their attack surfaces, including low-hanging fruit like unmanaged assets and exposed credentials.
Spyse
With more than 25 billion records stored about online assets, Spyse helps users to collect public data relating to websites, servers and devices connected on the web. Security teams can use that knowledge to check on risks and suspicious connections between those points in an effort to minimize their employer’s attack surface.
TinEye
Unlike the other OSINT tools discussed thus far, TinEye focuses on reverse image searches. It can help moderate content that’s posted on the web and to detect instances of fraud involving a brand. What’s more, teams can use TinEye to track where those images are appearing online.
GreyNoise Search for devices connected to the internet (GreyNoise Website Link).
Netlas Search and monitor internet connected assets (Netlas Website Link).
ONYPHE Collects cyber-threat intelligence data (ONYPHE Website Link).
FullHunt Search and discovery attack surfaces (FullHunt Website Link).
GrepApp Search across a half million git repos (GrepApp Website Link).
CRT sh Search for certs that have been logged by CT (CRT sh Website Link).
GreyHatWarfare Search public S3 buckets (GreyHatWarfare Website Link).
AlienVault Open Threat Intelligence Community (AlienVault Website Link).
BinaryEdge Scans the internet for threat intelliegence (BinaryEdge Website Link)
Hunter.io Search for email addresses belonging to a website (Hunter.io Website Link).
LeakIX Search publicly indexed information (LeakIX Website Link).
Mitaka
Intelligence X
DarkSearch.io
Grep.app
Searchcode
Babel X
URLscan.io URLscan.io is a service that provides the end user with analysis of the IP address information and HTTP connections made during the site’s retrieval. The result panels include a top-level survey of what country the site is hosted in, what links are included on the main page and the IP location details. Details about how many subdomains it contains and what external links it contains can be found as well.
Through WHOIS analysis, hosting details can also be discovered. This can help lead investigators to find servers that host multiple sites or share webmasters, as well as valuable owner information.
DomainIQ DomainIQ operates similarly to URLscan.io and can provide identifying details about the site owner, host and what other pages they may be operating.
Carbon Date
Carbon Date uses the advanced search engine technique of “carbon dating” that analyzes a website and gives the earliest known creation date of the page. You can also view previous versions of the page, including the first known scrape through archive.org.
https://carbondate.cs.odu.edu/#http://www.cs.odu.edu/
Torch,or TorSearch, is a search engine designed to explore the hidden parts of the internet. Torch claims to have over a billion darknet pages indexed and allows users to browse the dark web uncensored and untracked.
Dark.fail has been crowned the new hidden wiki. It indexes every major darknet site and keeps track of all domains linked to a particular hidden service.
https://ahmia.fi/ another TOR Search