CASS Expt 5

The document describes using various network reconnaissance tools like ping, hostname, ifconfig/ipconfig, netstat, nslookup, traceroute, and dig to gather information about networks and domain registrars. These tools are used to test connectivity, view network configuration details, view active network connections, lookup domain names and IP addresses, trace network routes, and query DNS records. Key outputs and usage are provided as examples for each tool.

EXPERIMENT NO.

Aim - Study the use of network reconnaissance tools like WHOIS, dig, traceroute, nslookup
to gather information about networks and domain registrars.

1) Ping : Ping is a computer network administration software utility used to test the reachability of
a host on an Internet Protocol (IP) network.

Output:
• a) ping (Ping the host to see if it's alive)
administrator@admin-pc:~$ ping google.com
PING google.com (172.217.166.78) 56(84) bytes of data.
64 bytes from bom05s15-in-f14.1e100.net (172.217.166.78): icmp_req=1 ttl=248 time=3.36 ms
64 bytes from bom05s15-in-f14.1e100.net (172.217.166.78): icmp_req=2 ttl=248 time=3.84 ms
64 bytes from bom05s15-in-f14.1e100.net (172.217.166.78): icmp_req=3 ttl=248 time=3.44 ms
64 bytes from bom05s15-in-f14.1e100.net (172.217.166.78): icmp_req=4 ttl=248 time=3.30 ms
64 bytes from bom05s15-in-f14.1e100.net (172.217.166.78): icmp_req=5 ttl=248 time=5.30 ms

• b) ping -c N (Send N packets and stop)

administrator@admin-pc:~$ ping -c 5 amazon.com
PING amazon.com (205.251.242.103) 56(84) bytes of data.
64 bytes from s3-console-us-standard.console.aws.amazon.com (205.251.242.103): icmp_req=1 ttl=248 time=190 ms
64 bytes from s3-console-us-standard.console.aws.amazon.com (205.251.242.103): icmp_req=2 ttl=248 time=190 ms
64 bytes from s3-console-us-standard.console.aws.amazon.com (205.251.242.103): icmp_req=3 ttl=248 time=190 ms
64 bytes from s3-console-us-standard.console.aws.amazon.com (205.251.242.103): icmp_req=4 ttl=248 time=190 ms
64 bytes from s3-console-us-standard.console.aws.amazon.com (205.251.242.103): icmp_req=5 ttl=248 time=190 ms

• c) ping -i N (Increase or decrease the time interval between packets)

administrator@admin-pc:~$ sudo ping -i 10 google.com
[sudo] password for administrator:
Sorry, try again.
[sudo] password for administrator:
PING google.com (172.217.166.78) 56(84) bytes of data.
64 bytes from bom05s15-in-f14.1e100.net (172.217.166.78): icmp_req=1 ttl=248 time=3.54 ms
^C

2) Hostname: The hostname command is used to show or set a computer's host name and domain
name. It is one of the most basic of the network administrative utilities.

Output:
administrator@admin-pc:~$ hostname
admin-pc

3) ifconfig (Linux) / ipconfig (Windows): In computing, ipconfig (internet protocol configuration) is
a console application of some operating systems that displays all current TCP/IP network
configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name
System (DNS) settings. On Linux the equivalent tool for viewing interface configuration is ifconfig.
Output:
administrator@admin-pc:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 74:27:ea:cf:da:a8
inet addr:192.168.2.150 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::7627:eaff:fecf:daa8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:60362 errors:0 dropped:0 overruns:0 frame:0
TX packets:137 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3906192 (3.9 MB) TX bytes:16271 (16.2 KB)
Interrupt:40 Base address:0x4000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:40 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6203 (6.2 KB) TX bytes:6203 (6.2 KB)

4) Netstat: In computing, netstat (network statistics) is a command-line network utility that displays
network connections for Transmission Control Protocol (both incoming and outgoing), routing tables,
and a number of network interface (network interface controller or software-defined network
interface) and network protocol statistics.

a) netstat
Output:
administrator@admin-pc:~$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 admin-pc.local:33185 74.125.24.154:https ESTABLISHED
tcp 0 0 localhost:domain localhost:46162 ESTABLISHED
tcp 0 0 admin-pc.local:51366 privet.canonical.c:http ESTABLISHED
tcp 0 0 admin-pc.local:50732 ec2-18-136-65-112:https ESTABLISHED
tcp 0 0 admin-pc.local:37191 bom05s10-in-f136.:https ESTABLISHED
tcp 0 0 admin-pc.local:45637 gcm4.host.hit.gem:https ESTABLISHED
tcp 0 0 admin-pc.local:57242 bom05s15-in-f14.1:https ESTABLISHED
^C

b) netstat -al | more

Output:
administrator@admin-pc:~$ netstat -al | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 admin-pc-5.local:50675 bom07s20-in-f6.1e:https ESTABLISHED
tcp 0 0 admin-pc-5.local:41249 21.72.190.35.bc.g:https TIME_WAIT
tcp 0 0 admin-pc-5.local:50306 ec2-34-239-2-85.c:https ESTABLISHED
tcp 0 0 localhost:47516 localhost:domain TIME_WAIT
tcp 0 0 admin-pc-5.local:40147 104.16.38.14:https ESTABLISHED
tcp 0 0 admin-pc-5.local:49233 132.124.95.34.bc.:https ESTABLISHED
tcp 0 0 admin-pc-5.local:43094 bom12s01-in-f4.1e:https ESTABLISHED
tcp 0 0 admin-pc-5.local:35826 104.16.88.26:https ESTABLISHED
tcp 0 0 admin-pc-5.local:34274 static.117.106.20:https ESTABLISHED
tcp 0 0 admin-pc-5.local:60283 ec2-54-229-0-131.:https TIME_WAIT
tcp 0 0 admin-pc-5.local:37166 599.bm-nginx-load:https TIME_WAIT
tcp 0 0 admin-pc-5.local:52226 209.191.163.152:https TIME_WAIT
tcp 0 0 admin-pc-5.local:46632 bom07s01-in-f129.:https ESTABLISHED
tcp 0 0 admin-pc-5.local:54407 ec2-18-195-61-72.:https TIME_WAIT
tcp 0 0 admin-pc-5.local:41476 ec2-34-253-246-15:https TIME_WAIT
tcp 0 0 admin-pc-5.local:47575 a104-104-60-192.d:https ESTABLISHED
tcp 0 0 admin-pc-5.local:38009 ec2-18-209-124-77:https TIME_WAIT
tcp 0 0 admin-pc-5.local:48280 bom07s15-in-f2.1e:https ESTABLISHED
tcp 0 0 admin-pc-5.local:39055 bom05s15-in-f2.1e:https ESTABLISHED
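The netstat listings above are most useful when they are reduced to three questions: which sockets are listening, which of those are bound to something other than loopback (and so reachable from the network), and which remote hosts the machine is currently talking to. The following script is an added example and not part of the lab report; it assumes the classic net-tools column order shown above (Proto Recv-Q Send-Q Local Address Foreign Address State). The sample reuses a few of the report's own `netstat -al` lines plus one constructed `*:ssh` listener so the exposure check has something to flag.

```python
"""Triage a `netstat -al`-style listing: listening sockets, network-reachable
listeners (not bound to loopback), and the remote hosts in ESTABLISHED state.
Added example; assumes the net-tools column layout shown in the report."""
from collections import Counter

# Sample listing: the tcp rows except the last are copied from the report's
# `netstat -al | more` output; the `*:ssh` row is constructed for this example.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 admin-pc-5.local:50675 bom07s20-in-f6.1e:https ESTABLISHED
tcp 0 0 admin-pc-5.local:41249 21.72.190.35.bc.g:https TIME_WAIT
tcp 0 0 admin-pc-5.local:40147 104.16.38.14:https ESTABLISHED
tcp 0 0 *:ssh *:* LISTEN
"""

# Names net-tools prints for loopback-bound sockets.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "ip6-localhost", "localhost6"}


def parse_netstat(text):
    """Return one dict per socket row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, _recvq, _sendq, local, foreign = parts[:5]
        state = parts[5] if len(parts) > 5 else ""  # UDP rows carry no state column
        rows.append({"proto": proto, "local": local, "foreign": foreign, "state": state})
    return rows


def split_endpoint(endpoint):
    """'host:port' -> (host, port); rpartition keeps the colons of an IPv6 host intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def listeners(rows):
    """(host, port, proto) for every socket in LISTEN state."""
    return [split_endpoint(r["local"]) + (r["proto"],) for r in rows if r["state"] == "LISTEN"]


def exposed_listeners(rows):
    """Listeners not bound to loopback: these accept connections from the network."""
    return [l for l in listeners(rows) if l[0] not in LOOPBACK]


def remote_peers(rows):
    """Number of ESTABLISHED connections per remote host (port dropped)."""
    peers = Counter()
    for r in rows:
        if r["state"] == "ESTABLISHED":
            peers[split_endpoint(r["foreign"])[0]] += 1
    return peers


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("listening:", listeners(rows))
    print("exposed  :", exposed_listeners(rows))
    print("peers    :", dict(remote_peers(rows)))
```

Feed it real output with `netstat -al | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`; the `exposed_listeners` list is the one to compare against what the host is supposed to serve.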

5) Nslookup: nslookup is a network administration command-line tool available in many
computer operating systems for querying the Domain Name System (DNS) to obtain domain
name or IP address mapping, or other DNS records. The name "nslookup" means "name server
lookup".

Output:
administrator@admin-pc:~$ nslookup amazon.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: amazon.com
Address: 205.251.242.103
Name: amazon.com
Address: 176.32.98.166
Name: amazon.com
Address: 176.32.103.205

6) Traceroute: In computing, traceroute and tracert are computer network diagnostic commands for
displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP)
network.

Output:
administrator@admin-pc:~$ traceroute google.com
traceroute to google.com (172.217.166.78), 30 hops max, 60 byte packets
1 192.168.2.1 (192.168.2.1) 0.791 ms 0.786 ms 0.778 ms
2 136.232.240.21 (136.232.240.21) 2.414 ms 2.831 ms 2.830 ms
3 172.16.177.102 (172.16.177.102) 4.300 ms 4.858 ms 5.059 ms
4 172.16.176.60 (172.16.176.60) 5.056 ms 5.169 ms 5.168 ms
5 * * 172.16.177.100 (172.16.177.100) 7.127 ms
6 172.16.178.177 (172.16.178.177) 6.062 ms 2.769 ms 3.100 ms
7 * 172.16.180.129 (172.16.180.129) 3.251 ms 3.780 ms
8 bom05s15-in-f14.1e100.net (172.217.166.78) 4.284 ms 5.177 ms 5.426 ms

7) Dig: dig (domain information groper) is a network administration command-line tool for querying
the Domain Name System (DNS).
dig is useful for network troubleshooting and for educational purposes. It can operate based on command
line option and flag arguments, or in batch mode by reading requests from an operating system file.

Output:
administrator@admin-pc:~$ dig instagram.com

; <<>> DiG 9.8.1-P1 <<>> instagram.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4968
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 8

;; QUESTION SECTION:
;instagram.com. IN A

;; ANSWER SECTION:
instagram.com. 60 IN A 52.4.88.119
instagram.com. 60 IN A 52.72.225.212
instagram.com. 60 IN A 52.6.187.201
instagram.com. 60 IN A 35.171.35.181
instagram.com. 60 IN A 54.174.125.210
instagram.com. 60 IN A 52.72.100.145
instagram.com. 60 IN A 54.144.193.133
instagram.com. 60 IN A 52.54.9.168

;; AUTHORITY SECTION:
instagram.com. 79992 IN NS ns-868.awsdns-44.net.
instagram.com. 79992 IN NS ns-384.awsdns-48.com.
instagram.com. 79992 IN NS ns-2016.awsdns-60.co.uk.
instagram.com. 79992 IN NS ns-1349.awsdns-40.org.

;; ADDITIONAL SECTION:
ns-384.awsdns-48.com. 79992 IN A 205.251.193.128
ns-868.awsdns-44.net. 79992 IN A 205.251.195.100
ns-1349.awsdns-40.org. 79992 IN A 205.251.197.69
ns-2016.awsdns-60.co.uk. 79992 IN A 205.251.199.224
ns-384.awsdns-48.com. 80345 IN AAAA 2600:9000:5301:8000::1
ns-868.awsdns-44.net. 79992 IN AAAA 2600:9000:5303:6400::1
ns-1349.awsdns-40.org. 79992 IN AAAA 2600:9000:5305:4500::1
ns-2016.awsdns-60.co.uk. 79992 IN AAAA 2600:9000:5307:e000::1

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 17 12:54:43 2020
;; MSG SIZE rcvd: 472
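Both nslookup and dig return the same kind of data, but dig's sectioned output is the one worth parsing: the ANSWER section gives the addresses, AUTHORITY the delegated name servers, ADDITIONAL their glue, and the `flags:` line tells you whether the resolver validated the answer with DNSSEC (the `ad` flag, absent in the output above, which shows only `qr rd ra`). The script below is an added example covering the nslookup and dig sections and is not part of the report. Its sample is the report's `dig instagram.com` output trimmed to three answers, with the glue record for ns-1349 deliberately left out so the glue check has a gap to report.

```python
"""Parse dig's default output into resource records and run the checks a
defender does on it: resolved addresses, NS glue coverage, minimum TTL,
response status and DNSSEC validation (`ad` flag).
Added example; the sample is the report's dig output, trimmed (see lead-in)."""
import re
from collections import namedtuple

SAMPLE_DIG = """\
; <<>> DiG 9.8.1-P1 <<>> instagram.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4968
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 3

;; QUESTION SECTION:
;instagram.com. IN A

;; ANSWER SECTION:
instagram.com. 60 IN A 52.4.88.119
instagram.com. 60 IN A 52.72.225.212
instagram.com. 60 IN A 52.6.187.201

;; AUTHORITY SECTION:
instagram.com. 79992 IN NS ns-868.awsdns-44.net.
instagram.com. 79992 IN NS ns-384.awsdns-48.com.
instagram.com. 79992 IN NS ns-2016.awsdns-60.co.uk.
instagram.com. 79992 IN NS ns-1349.awsdns-40.org.

;; ADDITIONAL SECTION:
ns-384.awsdns-48.com. 79992 IN A 205.251.193.128
ns-868.awsdns-44.net. 79992 IN A 205.251.195.100
ns-2016.awsdns-60.co.uk. 79992 IN A 205.251.199.224

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

RR = namedtuple("RR", "name ttl rclass rtype rdata")


def parse_dig(text):
    """{section: [RR, ...]}. QUESTION lines start with ';' and are skipped like
    every other comment line, so only ANSWER/AUTHORITY/ADDITIONAL carry records."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        if not line or line.startswith(";") or current is None:
            continue
        parts = line.split(None, 4)  # rdata may contain spaces (MX, SOA, TXT)
        if len(parts) == 5:
            name, ttl, rclass, rtype, rdata = parts
            sections[current].append(RR(name, int(ttl), rclass, rtype, rdata))
    return sections


def records(sections, section, rtype):
    """rdata of every record of the given type in the given section, in order."""
    return [rr.rdata for rr in sections.get(section, []) if rr.rtype == rtype]


def glue_check(sections):
    """NS name -> True if ADDITIONAL carried an A/AAAA record for that server."""
    glue = {rr.name for rr in sections.get("ADDITIONAL", []) if rr.rtype in ("A", "AAAA")}
    return {ns: ns in glue for ns in records(sections, "AUTHORITY", "NS")}


def min_ttl(sections, section):
    """Smallest TTL in a section (60 s on the answers above: the mapping can change quickly)."""
    ttls = [rr.ttl for rr in sections.get(section, [])]
    return min(ttls) if ttls else None


def status(text):
    m = re.search(r"status: (\w+)", text)
    return m.group(1) if m else None


def flags(text):
    m = re.search(r";; flags: ([^;]*);", text)
    return set(m.group(1).split()) if m else set()


def dnssec_validated(text):
    """dig sets `ad` only when the resolver validated the answer with DNSSEC."""
    return "ad" in flags(text)
```

Run the same functions on `dig +dnssec example.com` output from a validating resolver and `dnssec_validated` flips to True; a missing `ad` on a zone that is signed usually means the local resolver (127.0.0.1 above) is not validating.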

8) Nmap: Nmap (Network Mapper) is an open-source network scanner used for host discovery, port
scanning, and service and OS detection. Run with no arguments, it prints its option summary.

Output:
kali:~# nmap
Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
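The OUTPUT section above lists `-oG` (grepable format), which is the form most easily turned into an inventory. The script below is an added example, not part of the report or of Nmap itself: it reads grepable output, keeps only ports observed `open` (`open|filtered` is a guess, not an observation), and flags services that move credentials in cleartext so they can be prioritised for removal or isolation. The sample is constructed (TEST-NET addresses, invented banners); the layout assumed is tab-separated `Host:` / `Ports:` fields with each port written as port/state/protocol/owner/service/rpcinfo/version/.

```python
"""Open-port inventory from Nmap grepable (-oG) output, plus a cleartext-service
check. Added example; sample data constructed, format assumptions in the lead-in."""

# Constructed -oG excerpt (two hosts on documentation addresses).
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -sV -oG scan.gnmap 192.0.2.0/29\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, "
    "80/open/tcp//http//nginx 1.14.2/, 443/closed/tcp//https///\t"
    "Ignored State: filtered (997)\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "23/open/tcp//telnet///, 161/open|filtered/udp//snmp///\t"
    "Ignored State: closed (997)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)

# Services whose default protocol sends passwords unencrypted.
CLEARTEXT_SERVICES = {"telnet", "ftp", "pop3", "imap", "rlogin", "rsh"}


def parse_gnmap(text):
    """{ip: [(port, state, proto, service, version), ...]} from every Ports: line."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        # Each tab-separated field is "Name: value"; Status-only lines have no Ports field.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue
        ip = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            hosts.setdefault(ip, []).append((int(port), state, proto, service, version))
    return hosts


def open_ports(hosts):
    """{ip: [(port, proto, service, version)]} restricted to state 'open'."""
    return {ip: [(p, proto, svc, ver) for p, st, proto, svc, ver in ports if st == "open"]
            for ip, ports in hosts.items()}


def cleartext_exposures(hosts):
    """{ip: [(port, service)]} for open services in CLEARTEXT_SERVICES."""
    found = {}
    for ip, ports in open_ports(hosts).items():
        hits = [(p, svc) for p, _proto, svc, _ver in ports if svc in CLEARTEXT_SERVICES]
        if hits:
            found[ip] = hits
    return found


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in open_ports(inventory).items():
        print(ip, ports)
    print("cleartext:", cleartext_exposures(inventory))
```

Point it at a real file with `parse_gnmap(open("scan.gnmap").read())`; the `version` column is only populated when the scan was run with `-sV`.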

9) W: w prints a summary of the current activity on the system, including what each user is doing
and their processes. It also lists the logged-in users and the system load average for the past
1, 5, and 15 minutes.

Output: root@kali:~# w
22:36:43 up 1:06, 1 user, load average: 0.02, 0.27, 0.30
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty7 :0 21:30 1:06m 1:11 1:11 /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
scp: scp allows you to securely copy files to and from another host on the network.

Output: root@kali:~# scp
usage: scp [-346BCpqrTv] [-c cipher] [-F ssh_config] [-i identity_file]
[-J destination] [-l limit] [-o ssh_option] [-P port]
[-S program] source ... target

10) Telnet: telnet connects to a destination host:port using the Telnet protocol; if the connection is
established, connectivity between the two hosts is working.

Output: root@kali:~# telnet google.com
Trying 172.217.166.46...

11) Route: The route command shows and manipulates the IP routing table. To see the default routing
table in Linux, type the following command.
Output: root@kali:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.2.2 0.0.0.0 UG 100 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0

12) ARP: arp is used to view or add entries in the kernel's ARP (Address Resolution Protocol) table.
To see the current table, use the command as shown.
Output: root@kali:~# arp
Address HWtype HWaddress Flags Mask Iface
10.0.2.2 ether 52:54:00:12:35:02 C eth0

TOOLS

1) WHOIS: WHOIS (pronounced as the phrase "who is") is a query and response protocol that is
widely used for querying databases that store the registered users or assignees of
an Internet resource, such as a domain name, an IP address block or an autonomous system, but is
also used for a wider range of other information.

Output:
Domain Name: SNAPCHAT.COM
Registry Domain ID: 1704543145_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2018-03-28T20:34:03Z
Creation Date: 2012-02-28T19:29:26Z
Registry Expiry Date: 2026-02-28T19:29:26Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS-1468.AWSDNS-55.ORG
Name Server: NS-1892.AWSDNS-44.CO.UK
Name Server: NS-220.AWSDNS-27.COM
Name Server: NS-530.AWSDNS-02.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2020-01-07T19:13:42Z <<<
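A WHOIS record like the one above answers several hygiene questions about a domain you defend: whether the registrar locks (clientTransferProhibited and friends) are set, whether the zone is DNSSEC-signed (here: unsigned), how long until the registration lapses, and which name servers are delegated. The script below is an added example and not part of the report; its sample is the report's SNAPCHAT.COM record with the registrar contact lines omitted, and the reference date used for the expiry arithmetic is the record's own "Last update" timestamp so the result is reproducible offline. The `EXPECTED_LOCKS` set is this example's own choice of baseline, not something the record states.

```python
"""Registry WHOIS reply -> short hygiene report (locks, DNSSEC, expiry, NS).
Added example; sample is the report's record minus contact lines."""
from datetime import datetime, timezone

SAMPLE_WHOIS = """\
Domain Name: SNAPCHAT.COM
Registry Domain ID: 1704543145_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2018-03-28T20:34:03Z
Creation Date: 2012-02-28T19:29:26Z
Registry Expiry Date: 2026-02-28T19:29:26Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS-1468.AWSDNS-55.ORG
Name Server: NS-1892.AWSDNS-44.CO.UK
Name Server: NS-220.AWSDNS-27.COM
Name Server: NS-530.AWSDNS-02.NET
DNSSEC: unsigned
>>> Last update of whois database: 2020-01-07T19:13:42Z <<<
"""

# Baseline chosen for this example: registrar-level locks a production domain
# should carry; without clientTransferProhibited a compromised registrar login
# can move the domain to another registrar.
EXPECTED_LOCKS = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}
WHOIS_TS = "%Y-%m-%dT%H:%M:%SZ"
# Reference "now": the record's own last-update timestamp, for reproducible arithmetic.
REFERENCE_NOW = datetime(2020, 1, 7, 19, 13, 42, tzinfo=timezone.utc)


def parse_whois(text):
    """{field: [values...]}; repeated fields (Domain Status, Name Server) keep every value."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only: URLs keep theirs
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def status_codes(fields):
    """'clientDeleteProhibited https://icann.org/epp#...' -> just the EPP status code."""
    return {v.split()[0] for v in fields.get("Domain Status", [])}


def missing_locks(fields):
    return sorted(EXPECTED_LOCKS - status_codes(fields))


def dnssec_signed(fields):
    values = fields.get("DNSSEC", [])
    return bool(values) and values[0].lower() != "unsigned"


def days_to_expiry(fields, now):
    expiry = datetime.strptime(fields["Registry Expiry Date"][0], WHOIS_TS).replace(tzinfo=timezone.utc)
    return (expiry - now).days


def hygiene_report(fields, now, warn_days=90):
    days = days_to_expiry(fields, now)
    return {
        "domain": fields["Domain Name"][0].lower(),
        "missing_locks": missing_locks(fields),
        "dnssec_signed": dnssec_signed(fields),
        "days_to_expiry": days,
        "expiry_warning": days < warn_days,
        "name_servers": [ns.lower() for ns in fields.get("Name Server", [])],
    }


if __name__ == "__main__":
    for key, value in hygiene_report(parse_whois(SAMPLE_WHOIS), REFERENCE_NOW).items():
        print(f"{key:15} {value}")
```

For a live check, replace `SAMPLE_WHOIS` with the output of `whois <domain>` and `REFERENCE_NOW` with `datetime.now(timezone.utc)`; registrar WHOIS servers vary their field names, so the parser keys on the registry-style `Field: value` lines shown above.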

2) Google Dorks: A Google Dork, also known as Google Dorking or Google hacking, is a valuable
resource for security researchers. For the average person, Google is just a search engine used to
find text, images, videos, and news. However, in the infosec world, Google is a useful hacking tool.

• cache: shows the cached version of any website, e.g. cache:securitytrails.com
• allintext: searches for specific text contained on any web page, e.g. allintext: hacking tools
• allintitle: the same as allintext, but returns pages whose titles contain the given characters,
e.g. allintitle:"Security Companies"
• allinurl: fetches results whose URL contains all the specified characters, e.g. allinurl: client area
• filetype: searches for a given file extension; for example, to search for jpg files use filetype: jpg
• inurl: the same as allinurl, but only useful for one single keyword, e.g. inurl: admin

3) Recon-ng: Recon-ng comes built into the Kali Linux distribution and is another great tool for
performing quick and thorough reconnaissance on remote targets.

This web reconnaissance framework is written in Python and includes many modules, convenience
functions and interactive help to guide you on how to use it properly.

root@kali:~# recon-ng

[*] Version check disabled.

(recon-ng ASCII-art banner)

www.practisec.com
[recon-ng v5.0.1, Tim Tomes (@lanmaster53)]

[*] No modules enabled/installed.

[recon-ng][default] >

4) Shodan:

Shodan is a network security monitor and search engine focused on the deep web and the Internet of Things. It
was created by John Matherly in 2009 to keep track of publicly accessible computers inside any network.

It is often called the 'search engine for hackers', as it lets you find and explore different kinds of devices
connected to a network, such as servers, routers, webcams, and more.

Shodan is much like Google, but instead of showing you images and rich content or informative
websites, it shows things of more interest to IT security researchers, such as SSH,
FTP, SNMP, Telnet, RTSP, IMAP and HTTP server banners and public information. Results are shown
ordered by country, operating system, network, and ports.

Shodan users are not limited to servers, webcams, and routers. It can be used to find almost anything
that is connected to the internet, including but not limited to traffic light systems, home heating
systems, water park control panels, water plants, nuclear power plants, and much more.

5) SpiderFoot:

SpiderFoot is one of the best reconnaissance tools out there if you want to automate OSINT and get fast
results for reconnaissance, threat intelligence, and perimeter monitoring.

It was written by Steve Micallef, who did a great job building this app and also wrote the SecurityTrails
Addon for Splunk.

This recon tool can launch queries over more than 100 public data sources to gather intelligence on generic
names, domain names, email addresses, and IP addresses.

Using SpiderFoot is easy: specify the target, choose which modules you want to run, and
SpiderFoot does the hard work of collecting all the intelligence from those modules.

6) Creepy

Creepy is a geolocation OSINT tool for infosec professionals. It offers the ability to get full geolocation data
on individuals by querying social networking platforms such as Twitter, Flickr, Facebook, etc.

If anyone uploads an image to any of these social networks with the geolocation feature activated, you will
be able to see a full map of where this person has been.

You can filter based on exact locations, or even by date. After that, you can export the results in
CSV or KML format.
