0xnull-sec/osint-toolkit
GitHub: 0xnull-sec/osint-toolkit
A systematic collection of open-source intelligence (OSINT) scripts and techniques covering the username enumeration, email investigation, domain reconnaissance and data-leak detection workflows used in security intelligence gathering.
# OSINT Toolkit
## Contents
- [Username Enumeration](#username-enumeration)
- [Email Investigation](#email-investigation)
- [Domain Recon](#domain-recon)
- [IP & Infrastructure](#ip--infrastructure)
- [Leak Detection](#leak-detection)
- [Google Dorks](#google-dorks)
- [Scripts](#scripts)
## Username Enumeration
```
# Sherlock — check a username across 400+ platforms
pip install sherlock-project
sherlock username
# Maigret — advanced (phone numbers, emails, social links)
pip install maigret
maigret username --all-sites
# WhatsMyName (web)
# https://whatsmyname.app/
```
## Email Investigation
```
# holehe — check whether an email address is registered on various services
pip install holehe
holehe target@email.com
# h8mail — check an email address against breach data
pip install h8mail
h8mail -t target@email.com
# theHarvester — find email addresses for a domain
theHarvester -d target.com -b google,bing,linkedin
# GHunt — Google account OSINT
pip install ghunt
ghunt email target@gmail.com
```
## Domain Recon
```
# Passive subdomain enumeration
subfinder -d target.com -o subs.txt
amass enum -passive -d target.com -o subs.txt
# Certificate transparency (one name_value per certificate; it may hold several newline-separated names)
curl -s "https://crt.sh/?q=%.target.com&output=json" | \
python3 -c "import sys,json; [print(x['name_value']) for x in json.load(sys.stdin)]" | \
sort -u
# DNS records
dig target.com ANY    # many resolvers answer ANY with a minimal response (RFC 8482); query record types individually
dig target.com MX
dig target.com TXT    # SPF, DKIM, DMARC
# Zone transfer attempt (a correctly configured name server refuses this)
dig axfr @ns1.target.com target.com
# WHOIS history
whois target.com
# https://whoishistory.com/
# Web archive
curl "http://web.archive.org/cdx/search/cdx?url=*.target.com&output=text&fl=original&collapse=urlkey"
```
## IP & Infrastructure
```
# Reverse IP — find all domains hosted on the same IP
# https://viewdns.info/reverseip/
# Shodan CLI (run `shodan init <API_KEY>` once before use)
pip install shodan
shodan host <IP>
shodan search 'org:"Target Company" port:22'
shodan search 'ssl.cert.subject.cn:"target.com"'
# Censys (web)
# https://search.censys.io/
# ASN lookup (the "org" field carries the AS number and owner)
curl https://ipinfo.io/<IP>/json
# Finding the origin IP behind a CDN/Cloudflare
# 1. Check historical DNS: securitytrails.com
# 2. Check MX records (usually not behind the CDN)
# 3. Check subdomains: mail., ftp., dev., staging.
```
## Leak Detection
```
# HaveIBeenPwned API
curl -H "hibp-api-key: YOUR_KEY" \
"https://haveibeenpwned.com/api/v3/breachedaccount/target@email.com"
# h8mail with a local breach-file corpus
h8mail -t target@email.com -bc /path/to/breach/files/
# Dehashed (account required)
# https://dehashed.com/
# Paste-site monitoring
# https://psbdmp.ws/
# https://pastebin.com/search
```
## Google Dorks
```
# Find login pages
site:target.com inurl:login
site:target.com inurl:admin
site:target.com intitle:"Login"
# Find sensitive files
site:target.com filetype:pdf "confidential"
site:target.com filetype:xlsx
site:target.com filetype:sql
# Find exposed credentials
site:target.com "password" filetype:txt
site:github.com "target.com" password
site:pastebin.com "target.com"
# Find subdomains
site:*.target.com -www
# Cameras / IoT
inurl:"/view/index.shtml"
intitle:"webcamXP 5"
# Exposed panels
intitle:"phpMyAdmin" site:target.com
inurl:":8080/manager/html"
```
## Scripts
### batch_email_check.py
```
#!/usr/bin/env python3
"""Check multiple emails against the HaveIBeenPwned API.
Usage: python3 batch_email_check.py email1 email2 ..."""
import sys
import time
from urllib.parse import quote

import requests

API_KEY = "YOUR_HIBP_API_KEY"
HEADERS = {"hibp-api-key": API_KEY, "User-Agent": "osint-toolkit"}


def check_email(email, retry=True):
    """Return a list of breach names, [] if the address is clean, or None on API error."""
    # URL-encode the address so '+' and other special characters survive in the path
    url = f"https://haveibeenpwned.com/api/v3/breachedaccount/{quote(email)}"
    r = requests.get(url, headers=HEADERS, timeout=15)
    if r.status_code == 200:
        return [b["Name"] for b in r.json()]
    if r.status_code == 404:
        return []  # HIBP answers 404 when the address appears in no known breach
    if r.status_code == 429 and retry:
        # Rate limited: honour Retry-After and try exactly once more
        time.sleep(int(r.headers.get("Retry-After", "2")))
        return check_email(email, retry=False)
    return None


emails = sys.argv[1:]
for email in emails:
    result = check_email(email)
    if result:
        print(f"[PWNED] {email}: {', '.join(result)}")
    elif result == []:
        print(f"[CLEAN] {email}")
    else:
        print(f"[ERROR] {email}: API error")
    time.sleep(1.5)  # stay under the API rate limit
```
### subdomain_recon.sh
```
#!/bin/bash
# Full passive subdomain reconnaissance
set -u
if [ $# -ne 1 ]; then
    echo "Usage: $0 <domain>" >&2
    exit 1
fi
DOMAIN="$1"
OUTPUT="recon_${DOMAIN}"
mkdir -p "$OUTPUT"
echo "[*] Subfinder..."
subfinder -d "$DOMAIN" -silent -o "$OUTPUT/subfinder.txt"
echo "[*] Amass passive..."
amass enum -passive -d "$DOMAIN" -o "$OUTPUT/amass.txt" 2>/dev/null
echo "[*] crt.sh..."
# A single name_value may hold several newline-separated names; sort -u dedups them
curl -s "https://crt.sh/?q=%.${DOMAIN}&output=json" | \
python3 -c "import sys,json; [print(x['name_value']) for x in json.load(sys.stdin)]" \
2>/dev/null | sort -u > "$OUTPUT/crtsh.txt"
echo "[*] Merging results..."
# Merge only the per-tool files so an earlier all_subs.txt is not fed back in on re-runs
cat "$OUTPUT/subfinder.txt" "$OUTPUT/amass.txt" "$OUTPUT/crtsh.txt" 2>/dev/null \
    | sort -u > "$OUTPUT/all_subs.txt"
echo "[+] Total unique subdomains: $(wc -l < "$OUTPUT/all_subs.txt")"
echo "[+] Results saved to: $OUTPUT/all_subs.txt"
```
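The crt.sh one-liner in the Domain Recon section and in subdomain_recon.sh prints `name_value` verbatim, so wildcard entries, trailing dots, mixed case and certificates covering unrelated names all end up in `all_subs.txt`. The following helper, added here as an example and not part of the original toolkit, normalises certificate-transparency output and per-tool lists into one in-scope hostname set; the JSON sample is constructed, and the `normalize_name`, `names_from_crtsh` and `merge_sources` names are this example's own.

```python
#!/usr/bin/env python3
"""Normalise subdomain findings before merging them into an asset inventory.
crt.sh returns one JSON object per certificate; a single name_value can hold
several SANs separated by newlines, wildcard labels and mixed case."""
import json
import re

# Constructed sample of what crt.sh returns for q=%.target.com (not real data)
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.target.com\ntarget.com", "issuer_name": "O=Example CA"},
    {"name_value": "*.dev.target.com", "issuer_name": "O=Example CA"},
    {"name_value": "Mail.Target.COM.", "issuer_name": "O=Example CA"},
    {"name_value": "target.com.evil.example", "issuer_name": "O=Example CA"},
    {"name_value": "www.target.com", "issuer_name": "O=Other CA"},
])

# Conservative hostname syntax (letters, digits, hyphens; underscore labels are rejected)
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")


def normalize_name(raw, domain):
    """Lower-case, strip the trailing dot and a leading wildcard label, and keep
    only the target domain itself or its subdomains. Returns None when out of scope."""
    name = raw.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not HOSTNAME_RE.match(name):
        return None
    if name == domain or name.endswith("." + domain):
        return name
    return None


def names_from_crtsh(json_text, domain):
    """Parse crt.sh JSON into a sorted list of unique in-scope hostnames."""
    found = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").splitlines():
            name = normalize_name(raw, domain)
            if name:
                found.add(name)
    return sorted(found)


def merge_sources(domain, *texts):
    """Merge one-hostname-per-line outputs from several tools with the same filter,
    so one tool's out-of-scope noise does not end up in the merged list."""
    merged = {n for text in texts for n in map(lambda l: normalize_name(l, domain), text.splitlines()) if n}
    return sorted(merged)


if __name__ == "__main__":
    import sys
    print("\n".join(names_from_crtsh(sys.stdin.read(), sys.argv[1])))
```

Pipe the raw crt.sh response into the script with the target domain as its argument to get the cleaned list (`curl -s "https://crt.sh/?q=%.target.com&output=json" | python3 normalize_subs.py target.com`).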
### username_recon.sh
```
#!/bin/bash
# Run several OSINT tools against one username
if [ $# -ne 1 ]; then
    echo "Usage: $0 <username>" >&2
    exit 1
fi
USERNAME="$1"
echo "[*] Sherlock..."
sherlock "$USERNAME" --output "sherlock_${USERNAME}.txt"
echo "[*] Maigret..."
# maigret has no --report flag; --html writes its HTML report into the --folderoutput directory
maigret "$USERNAME" --all-sites --html --folderoutput "maigret_${USERNAME}" 2>/dev/null
echo "[+] Done. Check sherlock_${USERNAME}.txt and the maigret_${USERNAME}/ directory"
```
## Useful Resources
- [OSINT Framework](https://osintframework.com/) — visual map of OSINT tools
- [Shodan](https://shodan.io/) — search engine for internet-connected devices
- [Censys](https://search.censys.io/) — infrastructure search
- [SecurityTrails](https://securitytrails.com/) — DNS history
- [BuiltWith](https://builtwith.com/) — website technology stack
- [Wayback Machine](https://web.archive.org/) — website history
- [IntelX](https://intelx.io/) — dark web + paste search
*More → [t.me/oxnull_security](https://t.me/oxnull_security) · [dev.to/0xnull](https://dev.to/0xnull)*