综合开源情报调查方法学

v20260415

offensive-osint

一套全面的开源情报（OSINT）调查工作流，旨在用于红队演习、渗透测试和漏洞赏金项目。涵盖域名侦察、用户画像、社交媒体挖掘、代码泄露分析、基础设施映射、加密货币追踪等多个维度，帮助构建目标组织的完整攻击面图。

OSINT 开源情报红队安全测试渗透测试情报收集网络安全数据采集

获取技能

126 次下载

概览

Offensive OSINT Methodology

Workflow

Define target scope (domain, org, person, crypto address, or geo subject)
Select applicable categories below based on scope
Work top-down within each category; pivot on discovered artifacts
Archive every key artifact: URL + timestamp + screenshot (PNG) + hash (SHA-256)
Log findings in JSONL with a run_id and tool versions for reproducibility
Suggest next steps based on what each tool returns

General OSINT

Bookmarks — Comprehensive OSINT bookmarks
OSINT Framework — Tool/resource directory
IntelTechniques Tools — Suite of investigative tools
Bellingcat Toolkit — Investigative journalism tools
CyberSudo OSINT Toolkit — OSINT websites list
Google Dorks — Efficient Google searching
Distributed Denial of Secrets — Leaked data
Country-Specific Resources — Country-targeted OSINT

Search Engines

Tool	Notes
Carrot2	Clusters results by topic
etools	Metasearch engine
Kagi	Privacy-first, non-personalized results
Brave Search	Independent index; Goggles for custom ranking
PDF Search	Search PDF files and view table of contents
Google Fact Check Explorer	Cross-site fact-check search

Username & Email Investigation

Tool	Purpose
Sherlock	Username search across social networks
Maigret	Collect profiles by username from many sites
What's My Name	Username search across platforms
Holehe	Check if email is registered on platforms
Epieos	Email address pivots and metadata
OSINT Industries	Email/username/phone lookups
Hunter.io	Find email addresses for a domain
EmailRep	Email reputation and associated data
Emailable	Verify email existence
Mugetsu	X/Twitter username history
RocketReach / Apollo	Email enrichment and pattern guessing
PhoneInfoga	Phone number intelligence framework

Browser extensions: GetProspect, SignalHire

People Search

TruePeopleSearch — Free U.S. people search
WhitePages — Contact information
Spokeo — People search engine
Webmii — People search
Pipl — Deep web people search (paid)
Clearbit — Company/individual data enrichment
FaceCheck / FaceSeek — Reverse face search

Phone Number OSINT

TrueCaller — Caller ID and spam blocking
ThatsThem — Reverse phone search
Infobel — Phone search outside USA
FreeCarrierLookup — Carrier/type lookup (US)
NumlookupAPI [Freemium] — Programmatic carrier/line-type checks
CallerIDTest — Phone search
Advanced Background Checks — All people linked to a number

Social Media

Platform	Tool
Instagram	Picuki — view profiles without account
X/Twitter	snscrape — preferred CLI scraper; use Twint only as fallback
Facebook	Graph Search, sowsearch.info, lookup-id.com, whopostedwhat.com
Facebook (research)	Meta Content Library — CrowdTangle successor (researcher-gated)
YouTube/Twitch	Social Blade — analytics
TikTok	Tokboard — trend and profile analytics
Reddit	Reveddit — removed content; RedTrack.social — user history
Bluesky	Firesky — real-time firehose; SkyView — follower graphs
Mastodon	FediSearch — cross-instance search; Fedifinder — find Twitter users on Mastodon
Faces	Search4Faces

Public Records & Company Information

OpenCorporates — World's largest open company database
SEC EDGAR — U.S. company filings
OpenOwnership Register — Beneficial ownership datasets
MuckRock — FOIA repository and request tracking
EU Tenders (TED) — EU procurement notices
World Bank Projects — Project and procurement records

RU/CN Registries

Russia: Rusprofile, Kontur.Focus (freemium), zakupki.gov.ru (procurement), EGRUL/EGRIP (official, captcha-gated)

China: GSXT (National Enterprise Credit), Qichacha/Tianyancha (freemium), MIIT ICP/Beian (ICP filings)

Sanctions & Compliance

OFAC SDN List
EU Sanctions Map
OpenSanctions — Aggregated persons/entities datasets
OCCRP Aleph — Investigative documents, leaks, company records

Breach & Leak Data

Have I Been Pwned — Breach lookup; Pwned Passwords API (k-anonymity)
Dehashed — Credential search
IntelX — Data intelligence
LeakCheck — Breach lookups
Snusbase — Database breach lookups
BreachDirectory — Recent breach credentials
Scattered Secrets
Cavalier (Hudson Rock) — Infostealer lookups
Phonebook
LeakPeek

Infrastructure & Attack-Surface OSINT

Shodan — Internet-connected device/service search
Censys — Host and certificate enumeration
GreyNoise — Distinguish background noise from targeted scans
SecurityTrails — Passive DNS and asset discovery
SpiderFoot — Automated recon and correlation
theHarvester — Subdomain, email, metadata harvesting
Recon-ng — Web recon framework
Amass / Subfinder — Passive subdomain discovery
BuiltWith — Tech stack enumeration
Netlas — Large-scale HTTP/DNS/certificate pivots
BinaryEdge / FOFA / ZoomEye — Infra pivots complementing Shodan/Censys
RiskIQ PassiveTotal — Passive DNS/cert/host pivots
Spur — IP lookups and tracking
Robtex — Passive DNS and infrastructure pivots

ASN/BGP & Internet Measurement

Hurricane Electric BGP Toolkit — ASN, prefix, peers, IRR data
RIPEstat — IP/ASN history, routing, geolocation, abuse contacts
BGPView — ASN and prefix explorer
bgp.tools — Clean ASN/IX views, routing details
PeeringDB — Facility and peering info

Certificates & CT Monitoring

crt.sh — Search Certificate Transparency logs
Censys Certificates — CT and x509 attribute pivots
CertStream — Real-time CT feed via WebSocket
Rapid7 Open Data — Sonar DNS/HTTP/SSL datasets
Cert Spotter [Freemium] — CT monitoring and alerts
Favicon hash (mmh3): cluster infrastructure; pair with Shodan/Censys favicon search

Threat Intel & IOCs

Vendor/CERT advisories: CISA/NSA/CSA joint advisories, CERT-EU, NCSC-UK, JPCERT/CC, CERT-UA
MISP Project and public MISP feeds
OpenCTI — CTI knowledge graph
Malpedia — Malware families, YARA, references
ThreatFox / URLHaus / SSLBL
MalwareBazaar — Hash-based sample sharing
PhishTank / OpenPhish

Malware Analysis & Sandboxes

Static analysis: pefile, FLOSS, capa
Similarity: SSDEEP, TLSH
Sandboxes: ANY.RUN, Hybrid Analysis, CAPE, Tria.ge
Intelligence: Intezer (code reuse), VirusTotal (caution: uploads become public)
TLS fingerprints: JA3, JA4

Cryptocurrency OSINT

Blockchain Explorers

Chain	Explorer
Bitcoin	Blockchain.com, Blockchair
Ethereum	Etherscan
BNB Chain	BSCScan
Polygon PoS	PolygonScan
Solana	Solscan
Multi-chain	OKLink [Freemium], Cielo

L2 Explorers: Arbiscan, Optimistic Etherscan, BaseScan, zkSync Era, L2Beat (risk/TVL comparison)

Transaction Tracking & Analytics

Arkham — Multichain explorer, entity labels, graphs, alerts
TRM — Address/transaction graphs
MetaSleuth — Visual crypto flow analysis
Breadcrumbs [Freemium] — Visual graphing and labeling
Bubblemaps — Holder concentration visualization
Whale Alert — Large transaction monitoring
Chainalysis / Crystal Blockchain — Professional analytics
GraphSense — Cryptocurrency analytics platform
Nansen — Smart Money labels (paid)
Dune — Custom blockchain data queries
Token Sniffer — Honeypot and scam token detection

NFT & Exchange Intelligence

OpenSea / NFTScan — NFT marketplace/explorer
DappRadar — NFT sales and marketplace activity
CoinGecko / CoinMarketCap — Market data
Glassnode — On-chain market intelligence

Bridge Monitoring

Socketscan — EVM bridge explorer
L2Beat Bridges — Bridge risk analysis
Pulsy — Bridge explorer aggregator

Media Intelligence

Reverse Image & Facial Search

Google Images — General reverse image search
TinEye — Reverse image search
Yandex Images — Effective for Russian/Eastern European content
PimEyes — Face-based image search
FaceCheck — Find people by photo

Image Forensics

Forensically — Digital image forensics toolkit
ExifTool — Read/write/edit metadata
Jimpl — Online EXIF viewer
Jeffrey's EXIF viewer — Online metadata viewer
FOCA — Metadata in documents
Metagoofil — Extract metadata from public documents
C2PA Verify — Verify content credentials and AI provenance

Video Analysis

YouTube Data Viewer — Extract YouTube metadata
InVID & WeVerify — Video verification browser extension
YouTube Geo Tag — Video geolocation via geo tags
MediaInfo — Technical/tag info for video/audio
Snap Map (public stories) — Area/event context

Browser Extensions for Media

Geospatial Intelligence

Satellite Imagery & Mapping

Google Maps / Bing Maps — General mapping
Sentinel Hub EO Browser — Sentinel/Landsat satellite imagery
NASA Worldview — NASA satellite imagery
Zoom Earth — Live satellite images and weather
Wayback Imagery — Historical satellite images
NASA FIRMS — Fire/hotspot data
Open Infrastructure Map — Global infrastructure networks
Windy — Live weather map

Geolocation Tools

Mapillary — Crowdsourced street-level imagery
KartaView — Open-source street-level imagery
Overpass Turbo — Advanced OpenStreetMap queries
SunCalc — Sun position for chronolocation
GeoNames — Geographical database
PeakVisor — Identify mountain peaks
GeoGuesser tips — Geolocation methodology

Street View: Google Street View, Apple Maps, Yandex Maps, Baidu Maps

Flight OSINT

FlightRadar24 / FlightAware / RadarBox
ADSBExchange — Unfiltered community ADS-B feed
Planespotters — Fleet/airframe history by tail number
AirFrames / JetPhotos — Visual confirmation

Maritime OSINT

MarineTraffic — Live AIS vessel tracking
VesselFinder — Global ship movements and port calls
FleetMon — Historical AIS data and analytics
Global Fishing Watch — Fishing vessel behavior and AIS gap analysis

AI-Assisted OSINT

Warning: Never paste PII, sensitive IOCs, or unique pivots into cloud LLMs. They log inputs and may use them for training. Use local models (Ollama, LM Studio) for sensitive analysis.

Tool	Strength
ChatGPT (paid)	Log parsing, dataset analysis, Code Interpreter for CSVs/JSON, GPT-4 Vision for image OCR
Claude (paid)	200K token context for large document dumps and report synthesis
Gemini 1.5 Pro	2M token context; Deep Research mode with citations
Perplexity Pro (paid)	Real-time web search + reasoning; multi-query synthesis

Local/privacy-preserving: Ollama (Llama 3, Mistral), LM Studio, GPT4All

Commercial AI OSINT Platforms

Cylect — AI entity extraction and link-analysis
Fivecast Matrix — Generative-AI triage for social-media datasets
Recorded Future — AI-driven threat intelligence
DarkOwl Vision — AI-powered darknet data analysis

Deepfake & Synthetic Media Detection

Sensity AI — Deepfake detection
Reality Defender — AI-generated content detection
Adobe Content Credentials Verify — C2PA verifier
CarNet — AI car model identification (useful for geolocation)

Archiving & Evidence Preservation

archive.today — One-page content archiver with screenshot
URLScan.io — On-demand webpage scan with resource map
ArchiveBox — Self-hosted archiving (HTML, PDF, screenshots, media)
Hunchly — Evidence capture for investigators (paid)
Wayback SavePageNow API v3 — On-demand archiving with job IDs
SingleFileZ — Browser extension for offline HTML archives
Kasm Workspaces — Containerized OSINT workspace/browser isolation

Evidence handling:

Capture: URL + timestamp + PNG screenshot + WARC/SingleFileZ archive
Hash all downloaded files (SHA-256) and record in case notes
Separate work profiles/containers per case; store evidence read-only
Use JSONL (NDJSON) logs with run_id and tool versions for reproducibility

Automation & Workflows

n8n — Self-hosted workflow automation (e.g., RSS → scrape → alert pipelines)
Huginn — Agent-based monitoring, scraping, alerting
Playwright — Headless browser automation with stealth plugins
Browsertrix Crawler — Archival crawling with WARC export
Prefect / Apache Airflow — Workflow orchestration for data pipelines

Regional Search Engines

Russia/CIS: Yandex, Mail.ru Search
China: Baidu, Sogou, 360 Search
Russia social: VK, OK.ru
China social: Weibo, Bilibili, Zhihu, Douyin

Telegram & Messaging Intelligence

TGStat — Channel analytics and search
Telemetr — Channel growth, overlaps, forwards
Combot — Group analytics (partially paid)
TelegramDB Search Bot — Basic Telegram OSINT
Discord ID — Basic Discord account information
Sogou Weixin search — WeChat Official Accounts content search
View public Telegram channels: https://t.me/s/<channel>

信息

Category 编程开发

Name offensive-osint

版本 v20260415

大小 22.06KB

Source SnailSploit/Claude-Red

更新时间 2026-04-28