Week in OSINT #2022-26

Hello and welcome to another short overview of some useful links, tips and tricks in the world of OSINT.

I am always looking for interesting new links, sites and techniques, so today I share a few such examples. The first is a collection of links, because I never know what hidden gems are possibly included. The second one is about small bookmarklets that are simple but very useful. The third one is some extra explanation about RegEx, so I'm kind of revisiting a previous episode featuring this. And of course I'm curious, so I had a little look at Michael Bazzell's little hint that he posted this weekend. And I finish off with an interesting video about geolocation. A small overview, but hopefully interesting enough nonetheless:

  • Commandergirl's Links
  • Google Analytics Bookmarklets
  • RegEx Tips
  • Bazzell's Teaser

Links: Commandergirl's Links

Twitter user commandergirl was mentioned by the Start.me account, where her link page was featured. This is again an awesome and huge list of OSINT resources, neatly categorized. I'm particularly interested in the several IP/domain related links. Thanks for curating these!

Another Start.me page with lots of links

Link: https://start.me/p/1kJKR9


Tool: Google Analytics Bookmarklets

Twitter user K2SOSINT shared two handy bookmarklets to search for Google Analytics codes on Censys. Even though it is not that hard to search on there, the bookmarklets make it even easier, especially if someone doesn't have experience with the query language of Censys. But do understand what it does: Censys is a service that indexes the internet, a bit like Google but then specifically for connected devices. It will be able to find a match if there are dedicated web servers (usually not shared hosting platforms!) that have the text you search for in the webpage that is shown when one browses to that IP address. So this ain't a magic tool, but it does come in handy for those extra checks. Thank you for sharing!

One to save, quickly search for matching servers on Censys

Link: https://github.com/K2SOsint/K2SOsint-Bookmarklets


Tip: RegEx Tips

Back in episode 2022-09 I talked about RegEx, and since I do like to investigate things manually as much as possible, today it's time to get back to regular expressions, and how they can help you get through information quickly.

There are special tools to dig into large amounts of data, and sometimes all you need is a simple command line tool. I'll give an example that can easily be expanded to a more versatile bash or Python script, that can search within multiple websites. The following is merely to demonstrate that by understanding the tool you have at hand, your own computer, you can use it to find that needle in a haystack. Something we do on a daily basis during our OSINT work.

I created a 'one-liner' to extract anything that might match some form of Google Analytics identifier, and below that, I will explain every part of the command:

curl -s https://www.searchenginejournal.com | \
grep -o -E "(UA-[0-9]{3,10}|G-[A-Z]{3,10}|GTM-[A-Z0-9]{3,10})"

curl followed by -s means it has to run in 'silent' mode, so no progress bar or other information. After that comes the URL of the website you want to check. Then there's the so-called 'piping' bar, that makes sure that the output will be forwarded to another command.

The backslash is placed here to break the long line, and the command can be copied and pasted into the command line exactly as shown.

Then we get to grep, a tool that is able to quickly search within data for specific content. The option -o means I only want to see the matching text itself instead of the whole line it was found on, and the -E tells grep that I want to search using extended RegEx.

Then there's a very long line of what seems to be gobbledygook, but that is the smarter part of this all. It checks for the existence of specific combinations of letters and numbers. There are three options, separated by another vertical bar. Within RegEx a vertical bar can be used to specify a logical 'OR', in combination with placing all the options between brackets. And yes, that is the same way you can search in Google for multiple items!

I want to search for any of the following three types of codes:

  • UA-123456 (old analytics code)
  • G-ACDEFGH (new style Google tag)
  • GTM-A1B2C (the new Google Tag Manager)

And each part of my RegEx searches for a different code:

UA-[0-9]{3,10}

  • Starts with UA-
  • Followed by the numbers 0 to 9
  • These numbers occur at least 3 and at most 10 times

G-[A-Z]{3,10}

  • Starts with G-
  • Followed by capital letters A to Z
  • These letters occur at least 3 and at most 10 times

GTM-[A-Z0-9]{3,10}

  • Starts with GTM-
  • Followed by A to Z, and/or 0 to 9
  • These alphanumeric characters occur 3 to 10 times

To be really honest, I had to guess the maximum amount of occurrences. But after some digging around and looking at a few examples, it seemed to be a pretty safe number. Maybe there are longer numbers, who knows.

When that one-liner is run, and both curl and grep are installed, the result of it is as follows:

UA-1465708
UA-1465708
UA-1465708
UA-1465708
G-TJPZMKSHES
UA-1465708
UA-1465708
GTM-M2HM2DB

All Google Analytics codes that are available in the page are neatly shown in a list on the screen.

This isn't the most useful example, but it was merely to show that having some knowledge of the command line can actually be useful when you want to dig within data, no matter where it comes from. In this instance, it is a website that we want to find information in, but it can also be a large collection of data.
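
The one-liner expanded into a small script, as an added example that is not part of the original post: it applies the same pattern to several saved pages and lists the identifiers that occur on more than one of them. The function names, file names and identifiers are constructed for illustration.

```shell
#!/bin/sh
# Added example: the one-liner's pattern applied to saved pages (no network needed).
GA_PATTERN='(UA-[0-9]{3,10}|G-[A-Z]{3,10}|GTM-[A-Z0-9]{3,10})'

# Read HTML on stdin, print every distinct identifier once.
# The UA part stops before a "-1" property suffix, so IDs compare per account.
extract_ids() {
    grep -o -E "$GA_PATTERN" | sort -u
}

# For the given HTML files, print "ID<TAB>file,file" for each identifier
# that appears in more than one file.
shared_ids() {
    for f in "$@"; do
        extract_ids < "$f" | while read -r id; do
            printf '%s\t%s\n' "$id" "$f"
        done
    done | sort | awk -F '\t' '
        { n[$1]++; files[$1] = (n[$1] > 1 ? files[$1] "," : "") $2 }
        END { for (id in n) if (n[id] > 1) print id "\t" files[id] }' | sort
}

# Constructed sample pages; all identifiers and file names are made up.
write_samples() {
    cat > "$1/site-a.html" <<'EOF'
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-TEST001"></script>
<script>ga('create', 'UA-0000001-1', 'auto');</script>
<script>ga('create', 'UA-0000001-1', 'auto');</script>
EOF
    cat > "$1/site-b.html" <<'EOF'
<script>gtag('config', 'UA-0000001-2'); gtag('config', 'G-EXAMPLEAA');</script>
EOF
    cat > "$1/site-c.html" <<'EOF'
<script>gtag('config', 'G-OTHERSITE');</script>
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
(cd "$tmp" && shared_ids site-a.html site-b.html site-c.html)
rm -rf "$tmp"
```

To use it on real pages, save each one first with curl -s URL -o name.html and pass the saved files to shared_ids.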


Tip: Bazzell's Teaser

This weekend Michael Bazzell sent out a tweet on Twitter, talking about some big announcements coming up this week. Curious me wanted to know what this could be, so I had a little look. And it turns out that he decided to host all of his search tools online again! Sorry to spoil your moment Michael, but it was too easy to find.

Bazzell's tools back online!

Link: https://inteltechniques.com/tools


FUNINT: Geolocating Bombal

Some time ago Nixintel and Technisette were invited back by David Bombal to see whether they were able to find where he took some photos. Join them on an hour-long lesson on geolocation!


Have a good week and have a good search!
