+======================================================================================================+
| THE ULTIMATE DOXXING & OSINT MANUAL (MADE BY SPYDIR) |
+======================================================================================================+
>> AUDIENCE:
Red Teamers, Threat Intelligence Analysts, Investigators, Doxxers, Bug Bounty Hunters.
>> PURPOSE:
Show how adversaries build FULL identity profiles (doxxing) using open source data, breach data,
and digital footprinting.
>> MESSAGE:
I hope this guide helps everyone take their research and data collection. – SpyDir
-- If you want to add go ahead and add - Help the community.
======================================================================================================
0x00. TABLE OF CONTENTS
======================================================================================================
1. Introduction
2. DOXXING ATTACK CHAINS – Step-by-Step Identity Profiling
- 2.1 Understanding the Doxxing Mindset
- 2.2 Full Attack Chain Framework
- 2.3 Deep Techniques (Every Data Angle)
- 2.4 Advanced Correlation
- 2.5 Examples: Real World Chain Builds
- 2.6 Defensive Countermeasures
3. BREACH DATA PIVOTING – Emails → Leaks → Passwords → Infrastructure
4. Data Brokers & People Search Engines (Full Index)
5. Social Media Doxxing & Digital Footprinting
6. Metadata & Device Fingerprinting
7. Image & Geo-Location OSINT
8. Family, Friends, & Relational Mapping
9. IP Hunting & Technical Infrastructure Mapping
10. OSINT Toolsets & Frameworks
11. Google Dorking – Advanced Search Exposures
12. Dark Web & Underground Intelligence
13. OPSEC & Anonymity
======================================================================================================
0x01. INTRODUCTION
======================================================================================================
Doxxing is not about “hacking into” anything; it’s about connecting **public crumbs of data** into a full profile.
Attackers systematically move from **seed data** (an email, username, phone number, or domain) to:
- Full legal name
- Address history
- Family members
- Employment details
- Hobbies, habits, weak points
======================================================================================================
0x02. DOXXING ATTACK CHAINS – STEP-BY-STEP PROFILE BUILD
======================================================================================================
-----------------------------------
2.1 UNDERSTANDING THE DOXXING MINDSET
-----------------------------------
Adversaries follow a pattern: **Collect → Correlate → Confirm → Expand**
They start with ONE piece of information and build outward:
- Email address → username → social media → workplace → family → financial
-----------------------------------
2.2 ATTACK CHAIN FRAMEWORK
-----------------------------------
**Stage 1: SEED DATA**
- Email addresses (from leaks, public sites, domains)
- Usernames (gaming, forums, social media)
- Phone numbers
- Real names (partial or full)
**Stage 2: DATA BROKER & PUBLIC RECORDS**
- People search engines (Infotracer, Whitepages, Spokeo, TruthFinder, Intelius, FastPeopleSearch)
- Property/tax databases
- Business registrations (OpenCorporates, state corp databases)
- Court filings (PACER, clerk of court portals)
**Stage 3: SOCIAL MEDIA & DIGITAL FOOTPRINTING**
- Username cross-check: WhatsMyName, Maigret, Sherlock
- Social platforms: LinkedIn, Facebook Graph, Instagram (geo-tagging), Reddit post history
- Friends, followers, relatives as indirect pivots
**Stage 4: BREACH DATA EXPLOITATION**
- HaveIBeenPwned, Dehashed, Scylla, Snusbase
- Leak parsing: passwords → reused credentials → new accounts
**Stage 5: METADATA & DEVICE FINGERPRINTING**
- ExifTool (image metadata)
- FOCA & metagoofil (document metadata)
- Browser/device fingerprint leaks (email headers, forum posts)
**Stage 6: INFRASTRUCTURE MAPPING**
- WhoisXML, ViewDNS, SecurityTrails (domains, IP history)
- SSL certificate transparency logs (crt.sh)
- Shodan/Censys (find owned devices)
**Stage 7: FAMILY, FRIENDS, RELATIONAL PIVOTS**
- Relatives from data brokers → their social media → confirm addresses/photos
- Friends tagged in posts revealing locations
-----------------------------------
2.3 DEEP DOXXING TECHNIQUES (EVERY ANGLE)
-----------------------------------
**Phone Number Doxxing**
- HLR lookups (HLRLookup.com)
- Reverse search: Truecaller, Sync.me, Infotracer
- Carrier lookups (who owns the number?)
**Email Address Doxxing**
- Check Google/Gravatar images for account photos
- Epieos: Reverse Google account search (public calendars, map reviews)
- Check associated usernames across breaches
**Username Doxxing**
- Sherlock, Maigret, WhatsMyName: find where username is used
- Forum cross-use (same username posts on tech/gaming forums → personal info leaks)
**Financial & Property Footprinting**
- County tax assessor databases
- Zillow/Realtor: property linked to names
- Business registrations: LLCs, DBAs, partnerships
**Workplace Doxxing**
- LinkedIn scraping: employee hierarchies
- Email pattern guessing (firstname.lastname@company.com)
- Zoominfo, RocketReach for org charts
**Travel & Location**
- Instagram/TikTok geo-tagged posts
- Public Strava fitness maps
- AirBnB host profiles
-----------------------------------
2.4 ADVANCED CORRELATION
-----------------------------------
- Connect addresses to relatives and past residents
- Build time-based address history
- Overlay breach data on current employer accounts
- Cross-pivot domains registered by same WHOIS email
**TOOLS:**
- SpiderFoot (automated chaining)
- Maltego (relationship graphs)
- IntelX (leaks + dark web)
- Scylla.so (breach aggregator)
-----------------------------------
2.5 REAL-WORLD CHAIN EXAMPLES
-----------------------------------
1. Username → forum posts → photo with EXIF → GPS coordinates → property record → family members
2. Work email → Dehashed → reused password → LinkedIn login → map company infrastructure
-----------------------------------
2.6 DEFENSIVE COUNTERMEASURES
-----------------------------------
- Remove info from data brokers (opt-out)
- Use alias emails/usernames
- Strip metadata from files/photos
- Train employees on oversharing risks
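The "strip metadata from files/photos" countermeasure, shown as an added example that is not part of the original guide: a dependency-free JPEG cleaner that drops the Exif/XMP (APP1), IPTC (APP13) and comment segments before a photo is published and leaves the image data untouched. The function names and the sample bytes are constructed for illustration.

```python
import struct
import sys

SOI = b"\xff\xd8"                        # start-of-image marker
SOS, EOI = 0xDA, 0xD9                    # start-of-scan / end-of-image
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-7 carry no length field
# Segments that hold metadata rather than image data.
DROP = {0xE1: "APP1", 0xED: "APP13 (IPTC/Photoshop)", 0xFE: "COM (comment)"}


def label(marker, payload):
    """Human-readable name for a dropped segment (APP1 is shared by Exif and XMP)."""
    if marker != 0xE1:
        return DROP[marker]
    if payload.startswith(b"Exif\x00\x00"):
        return "APP1 (Exif)"
    if payload.startswith(b"http://ns.adobe.com/xap/1.0/"):
        return "APP1 (XMP)"
    return "APP1 (other)"


def strip_jpeg_metadata(data):
    """Return (cleaned_bytes, removed_segment_names) for one JPEG file."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, pos = bytearray(SOI), [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte: legal padding before a marker
            pos += 1
            continue
        if marker in (SOS, EOI):         # compressed scan follows: copy the rest verbatim
            out += data[pos:]
            return bytes(out), removed
        if marker in STANDALONE:
            out += data[pos:pos + 2]
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length           # the length field counts itself, not the marker
        if length < 2 or end > len(data):
            raise ValueError(f"corrupt segment length at offset {pos}")
        if marker in DROP:
            removed.append(label(marker, data[pos + 4:end]))
        else:
            out += data[pos:end]         # JFIF, ICC profile, quantisation tables, ...
        pos = end
    raise ValueError("no scan data found")


def segment(marker, payload):
    """Encode one JPEG segment: marker, big-endian length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg():
    """Constructed input: structurally valid segments, not a viewable photo."""
    return (
        SOI
        + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
        + segment(0xE1, b"Exif\x00\x00II*\x00<constructed GPS/camera tags>")
        + segment(0xFE, b"constructed comment: device name")
        + segment(0xDB, bytes(65))
        + bytes([0xFF, SOS]) + b"\x00\x0c" + bytes(10) + b"\x12\xff\x00\x34"
        + bytes([0xFF, EOI])
    )


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        clean, gone = strip_jpeg_metadata(build_sample_jpeg())
        print("sample:", gone, "->", len(clean), "bytes")
    for path in paths:
        with open(path, "rb") as fh:
            clean, gone = strip_jpeg_metadata(fh.read())
        with open(path + ".clean.jpg", "wb") as fh:
            fh.write(clean)
        print(path, "removed:", gone or "nothing")
```

Removing the Exif block also removes the orientation tag and the embedded thumbnail, so rotate the image to its final orientation before cleaning it.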
======================================================================================================
0x03. BREACH DATA PIVOTING – EMAILS → LEAKS → PASSWORDS → INFRASTRUCTURE
======================================================================================================
**Sources:**
- HaveIBeenPwned (free)
- Dehashed, Snusbase, LeakCheck, Scylla (paid APIs)
- Breach-parse tools to parse large dumps
**Pivoting Steps:**
1. Start with email in breach DB → extract leaked password
2. Try password reuse across other accounts
3. From username reuse, find forums/social accounts
4. Cross-pivot to domains registered by same email
5. Link back to physical addresses, workplaces, devices
**Dark Web & Underground:**
- IntelX.io (dark web indexed)
- Kilos, DarkOwl
- Telegram leak channels & paste sites
======================================================================================================
0x04. DATA BROKERS & PEOPLE SEARCH – COMPLETE INDEX (EXPANDED, CATEGORIZED, ACTIONABLE)
======================================================================================================
USAGE NOTES
-----------
• Verify with at least 2–3 independent sources before treating any record as confirmed.
• Cross-pivot: NAME ⇄ EMAIL ⇄ PHONE ⇄ ADDRESS ⇄ DOB ⇄ RELATIVES ⇄ EMPLOYER.
• Always check each site’s OPT-OUT to remove your own data (or for clients, with written authorization).
LEGEND (Strengths)
[ID] Identity/relatives [PH] Phone/Caller ID [AD] Address history [PR] Property
[EM] Email finds [CR] Criminal/civil [CO] Corporate/LLC [SOC] Social links
[INT] International [API] Has API/Pro tier
------------------------------------------------------------------------------------------------------
A) CORE U.S. PEOPLE-SEARCH / DATA-BROKER AGGREGATORS
------------------------------------------------------------------------------------------------------
Infotracer.com [ID][PH][AD][CR][SOC] – Deep person profiles, includes relatives, aliases.
Whitepages.com [PH][AD] – Phone/Address; good for landline history & reverse lookups.
Spokeo.com [ID][SOC][EM][PH] – Social graphing, usernames, email enrich.
TruthFinder.com [ID][CR][AD] – Person reports with past addresses, possible records.
Intelius.com [ID][AD][PH][CR] – Longstanding aggregator; link analysis between addresses.
FastPeopleSearch.com [ID][AD][PH] – Quick basic profiles; often shows previous addresses.
PeopleFinders.com [ID][AD][PH] – Similar to Intelius; old address history often present.
Radaris.com [ID][AD][CO][SOC] – People + business affiliations; good for LLC associations.
BeenVerified.com [ID][AD][PH][CR][SOC] – Person reports + social links, usernames.
Pipl.com (Pro) [ID][EM][SOC][API] – Email/username identity resolution for investigators.
ZabaSearch.com [ID][AD] – Simple public records index; older address snapshots.
CocoFinder.com [ID][AD][PH] – Basic aggregator; use to corroborate others.
InstantCheckmate.com [ID][CR][AD] – Criminal/court mention surfacing; verify independently.
Nuwber.com [ID][AD][PH] – Aliases, household members/roommates.
Thatsthem.com [ID][AD][EM][PH] – Free lookups; good for email ⇄ address pivots.
TruePeopleSearch.com [ID][AD][PH] – Often returns phone + past addresses; quick corroboration.
PeekYou.com [SOC][ID] – Social user discovery across platforms; username pivots.
WebMii.com [SOC][ID][INT] – Social mentions internationally; public web presence.
IDTrue.com [ID][AD] – Lightweight corroboration on address/age ranges.
NeighborReport / Addresses.com [AD][PH] – Address and neighbor lists; local context.
USSearch.com [ID][AD][PH] – Legacy broker; sometimes surfaces older database refs.
------------------------------------------------------------------------------------------------------
B) PHONE / CALLER‑ID / EMAIL ENRICHMENT
------------------------------------------------------------------------------------------------------
Truecaller (app/web) [PH][ID] – Reverse caller ID at scale; often shows caller name.
Sync.me (app) [PH][SOC] – Phone → social hints; verify accuracy.
NumLookup.com [PH] – Simple reverse; carrier type (mobile/VOIP).
CallerSmart [PH] – Community reports + reverse phone.
Hunter.io [EM][CO][API] – Company email patterns; domain-based enrichment.
RocketReach / ZoomInfo [EM][CO][ID] – Work emails, titles; B2B enrichment (verify carefully).
Clearbit (Pro) [EM][CO][API] – Company/person enrichment via email/domain.
Epieos.com [EM][SOC] – Google account pivots (public Maps, photos, calendars).
------------------------------------------------------------------------------------------------------
C) PROPERTY / ASSESSOR / HOME & NEIGHBOR DATA
------------------------------------------------------------------------------------------------------
County Assessor Portals [PR][AD] – Owner name, parcel history, valuations (per county).
Zillow.com / Realtor.com [PR][AD] – Historical listing photos; neighborhood metadata.
Redfin.com [PR][AD] – MLS snapshots; price history; date correlations.
Trulia.com [PR][AD] – Complementary neighborhood insights; rental history.
BeenVerified (Property) [PR][AD] – Packaged property reports cross-linked to owners.
PropertyShark (select cities) [PR][AD] – Deep deeds, liens (paid in some regions).
------------------------------------------------------------------------------------------------------
D) COURTS / CRIMINAL / CIVIL / LICENSE
------------------------------------------------------------------------------------------------------
PACER (US Federal) [CR] – Federal docket search (paid by page).
State/County Court Portals [CR] – Civil/criminal filings; varies by jurisdiction.
VINELink [CR] – Custody status notifications in some states.
State Bar / License Boards [CO][ID] – Professional licenses, disciplinary actions.
Sex Offender Registries [CR][AD] – Official registry details; verify identities cautiously.
------------------------------------------------------------------------------------------------------
E) CORPORATE / LLC / NON‑PROFIT / OWNERSHIP
------------------------------------------------------------------------------------------------------
OpenCorporates.com [CO][INT] – Global corporate records + officer cross‑links.
State Secretary of State [CO] – U.S. entity filings; registered agent, officers.
CorporationWiki.com [CO] – Cross-link officers & entities; sanity-check with SOS.
Manta / D&B / BBB [CO] – Business directories; sometimes list principals.
IRS Exempt Orgs (990 search) [CO] – Non-profit officers, compensation (public filings).
SEC EDGAR [CO] – Filings, exec names/addresses for public companies.
------------------------------------------------------------------------------------------------------
F) SOCIAL GRAPH / USERNAME PIVOTS
------------------------------------------------------------------------------------------------------
WhatsMyName [SOC][ID] – Username → site presence (large coverage).
Maigret [SOC][ID] – CLI username sweeps across 300+ sites.
Sherlock [SOC][ID] – Similar to Maigret; cross-verify across both.
Namechk / KnowEm [SOC] – Handle availability + discovery.
PimEyes (face search) [SOC] – Face similarity search; confirm with sources.
Yandex Images / Google Lens [SOC] – Reverse images for avatars, tattoos, locations.
------------------------------------------------------------------------------------------------------
G) INTL & COUNTRY‑SPECIFIC DIRECTORIES
------------------------------------------------------------------------------------------------------
192.com (UK) [ID][AD][INT] – UK electoral roll (open register), director data.
Companies House (UK) [CO][INT] – UK company filings; officer addresses (historic).
UK Land Registry [PR][INT] – Title registers (paid); owner/price history.
Canada411.ca [PH][AD][INT] – Canadian phone/address directory.
White Pages AU (Australia) [PH][AD][INT] – Australian listings.
ABN Lookup (Australia) [CO][INT] – Australian business registry.
MCA (India) – mca.gov.in [CO][INT] – Indian company filings; directors.
Gov property portals (varies) [PR][INT] – Country/municipal land records.
------------------------------------------------------------------------------------------------------
H) LEAK / BREACH AWARENESS (LEGAL CHECKS / MONITORING)
------------------------------------------------------------------------------------------------------
HaveIBeenPwned.com [EM] – Email breach exposure alerts; domains monitoring.
Dehashed.com (paid) [EM][ID][API] – Emails, usernames, IPs; sometimes SSN fragments.
LeakCheck.io (paid/API) [EM][API] – Combos + partial SSN in some sets; verify legality.
Scylla.so (paid/API) [EM][API] – Aggregated breach indexes; programmatic checks.
IntelX.io [INT][SOC] – Index of paste/leak sites; dark-web aware search.
------------------------------------------------------------------------------------------------------
I) “DATA EXHAUST” / MISCELLANEOUS
------------------------------------------------------------------------------------------------------
Wayback Machine (archive.org) [SOC][AD] – Old versions of profiles, personal sites, dox artifacts.
Gravatar [EM][SOC] – Email → avatar; hash collisions reveal usernames.
Username → GitHub/GitLab [SOC][CO] – Emails in commits; company domains; personal sites.
Public WHOIS / SecurityTrails [CO][AD] – Domains, historical DNS/IP; infra mapping.
Crt.sh (CT logs) [CO] – SSL certificates; domains tied to same emails.
------------------------------------------------------------------------------------------------------
HOW TO WORKFLOWS
------------------------------------------------------------------------------------------------------
1) From PHONE → PERSON
• Run phone in Truecaller / NumLookup / Whitepages (reverse).
• Cross-check name & city in FastPeopleSearch + Intelius (confirm DOB range).
• Pivot to relatives list → verify via Facebook/LinkedIn.
• Confirm address against County Assessor + Zillow photos.
2) From EMAIL → FULL PROFILE
• Epieos (Google account traces) → grab avatar, Maps lists, possible name hints.
• Pipl/Spokeo/Thatsthem: email → addresses, phones, age ranges.
• Dehashed/LeakCheck: see breaches → new usernames → new emails.
• Use usernames in Sherlock/Maigret; pull social links and photos.
• Validate home address via property records; link household/roommates.
3) From NAME (COMMON) → CORRECT PERSON
• Add DOB/age range + last known city (broker filters).
• Compare relatives lists across 3+ brokers; keep only intersecting names.
• Use LinkedIn (company + city) to choose the correct identity.
• Sanity-check with court dockets for unique identifiers (middle initials, addresses).
4) From ADDRESS → OCCUPANTS / OWNER
• County Assessor: owner of parcel; mailing vs site address (landlord/tenant signal).
• Property portals: listing photos = confirm interiors (OSINT only).
• Brokers: show household members; cross-check with social “tagged at home”.
5) From COMPANY DOMAIN → EMPLOYEES
• Hunter.io: email pattern (e.g., {first}.{last}@).
• LinkedIn: search site:linkedin.com/in "CompanyName" + "City".
• ZoomInfo/RocketReach: confirm titles/emails; test patterns with public contact forms.
• Crt.sh/SecurityTrails: enumerate subdomains; infer internal systems from names.
------------------------------------------------------------------------------------------------------
OPT‑OUT / REMOVAL QUICK START
------------------------------------------------------------------------------------------------------
• Search “[sitename] opt out” or “privacy request” – most have forms; some require ID verification.
• Prioritize: Whitepages, Spokeo, Intelius, BeenVerified, Radaris, FastPeopleSearch, PeopleFinders, Nuwber.
• Set calendar reminders: reappearances are common—re-check quarterly.
• If an address is high-risk (stalking): ask brokers to suppress; consider a PO Box or CMRA address.
------------------------------------------------------------------------------------------------------
GOOD PRACTICE CHECKLIST
------------------------------------------------------------------------------------------------------
[ ] Always corroborate with 2–3 sources before accepting a data point.
[ ] Keep a simple graph (Maltego/Obsidian) linking Person ⇄ Phones ⇄ Emails ⇄ Addresses ⇄ Relatives.
[ ] Timestamp screenshots; note source + retrieval date (records change).
[ ] Separate “unverified lead” vs “confirmed” in your notes.
[ ] Provide takedown guidance with every report (ethical requirement).
------------------------------------------------------------------------------------------------------
TROUBLESHOOTING & TIPS
------------------------------------------------------------------------------------------------------
• Common name? Anchor on UNIQUE combos (middle name + city + employer).
• Moved recently? Check USPS forwarding clues (broker “previous address” fields).
• Missing age/DOB? Infer from property purchase year + school/alumni pages.
• Sparse social? Pivot through relatives’ posts and tagged photos.
• Discrepancies? Old data sticks—prefer sources with “last seen” recency.
======================================================================================================
0x05. SOCIAL MEDIA DOXXING & DIGITAL FOOTPRINTING
======================================================================================================
- Facebook Graph queries
- Instagram “location” + “tagged” filters
- TikTok username & sound search
- Reddit advanced search (Pushshift)
- LinkedIn company org charts
======================================================================================================
0x06. METADATA & DEVICE FINGERPRINTING
======================================================================================================
- ExifTool (images)
- FOCA (PDF/Office docs)
- metagoofil
- Email headers (IP/device info)
======================================================================================================
0x07. IMAGE & GEO-LOCATION OSINT
======================================================================================================
- PimEyes (face match)
- Yandex reverse image
- Google Lens
- GeoCreepy, MapChecking.com (geotag plots)
- SunCalc.org (verify shadows in photos)
======================================================================================================
0x08. FAMILY, FRIENDS & RELATIONAL MAPPING
======================================================================================================
- Relatives from data brokers
- Tagged photos of family/friends
- Use relatives’ social media to confirm home addresses & workplaces
======================================================================================================
0x09. IP HUNTING & TECH INFRASTRUCTURE (EXPANDED)
======================================================================================================
Adversaries use IP hunting and infrastructure mapping to track targets, deanonymize online identities, and
identify technical weaknesses in associated networks and devices. This is a critical phase because a single IP
pivot can unlock locations, employer information, or even connected systems.
------------------------------------------------------------------------------------------------------
9.1 GOALS OF IP HUNTING
------------------------------------------------------------------------------------------------------
1) Deanonymize a target by linking them to a real world location or device.
2) Uncover hidden infrastructure (servers, domains, IoT devices).
3) Map the attack surface: open ports, technologies, services, and certificates.
4) Build time-based patterns (when they’re online, VPN usage, mobility).
------------------------------------------------------------------------------------------------------
9.2 ACTIVE COLLECTION – BAIT & LOGGING
------------------------------------------------------------------------------------------------------
**IPLogger / Grabify / Blasze**
• Shorten links → capture IP, ASN, device fingerprint.
• Embed in images or redirects (e.g., send “funny meme” or survey link).
• OPSEC: rotate domains, remove identifiable branding.
**Custom Tracking Servers**
• Spin up a VPS with a logging script:
- Log headers, IP, user-agent, referrer.
- Use canary tokens (web beacons, email read receipts) to catch client IPs.
• Tools: CanaryTokens.org, Gophish, Modlishka.
**Email Tracking**
• Pixel tracking (1x1 transparent image) to log IPs on open.
• Be aware of modern mail clients auto-blocking images.
**Chat & P2P Platforms**
• Direct connection chats (older Skype, IRC, some game servers) leak IPs.
• Tools like Wireshark/tcpdump can capture peer IPs during direct sessions.
------------------------------------------------------------------------------------------------------
9.3 PASSIVE COLLECTION – HISTORICAL & PUBLIC DATA
------------------------------------------------------------------------------------------------------
**WHOIS History (WhoisXML, DomainTools, SecurityTrails)**
• Find historical owners of domains (emails, addresses, phone numbers).
• Check “reverse WHOIS”: same registrant email tied to multiple domains.
**Passive DNS**
• SecurityTrails / FarsightDNS: see what IPs domains resolved to in the past.
• Reverse lookup: find all domains that ever pointed to a specific IP.
**Certificate Transparency Logs (crt.sh, Censys)**
• Discover subdomains from SSL certificates issued.
• Pivot: Same cert used across multiple domains = common owner.
**GeoIP Databases**
• IPinfo, MaxMind GeoLite2: approximate geolocation & ISP.
• Cross-verify with other data; mobile IPs & VPNs will change frequently.
**Shodan / Censys**
• Enumerate open ports, services, software versions, exposed banners.
• Identify VPN endpoints, IoT cameras, RDP, databases left open.
------------------------------------------------------------------------------------------------------
9.4 DEVICE & USER FINGERPRINTING
------------------------------------------------------------------------------------------------------
**Headers & Metadata**
• User-agent, time zone, language can hint at OS, region, or corporate VPN.
**WebRTC & Browser Leaks**
• Force targets to load scripts that reveal local/private IPs (if browser allows).
**Email Headers**
• Original sending IP in “Received” header (unless using webmail).
• Compare against previous known logins.
------------------------------------------------------------------------------------------------------
9.5 INFRASTRUCTURE MAPPING
------------------------------------------------------------------------------------------------------
1) Start with a seed IP or domain:
• Passive DNS → all associated domains.
• Reverse WHOIS → other domains by same registrant.
• Reverse IP → websites hosted on same server.
2) Build a full asset map:
• Shodan/Censys → exposed services (SSH, RDP, MySQL, Elasticsearch).
• Identify cloud providers (AWS, Azure, GCP) vs residential ISPs.
3) SSL Certificate Pivots:
• Use crt.sh to list subdomains (e.g., dev.domain.com, vpn.domain.com).
• Same cert hash reused on other domains? → same infrastructure.
------------------------------------------------------------------------------------------------------
9.6 GEOLOCATION & TIME CORRELATION
------------------------------------------------------------------------------------------------------
• IP addresses from mobile carriers may change, but correlate **time of use**.
• Combine with social media timestamps or travel habits to narrow locations.
• Compare IP ASN (e.g., “Comcast Residential”) to city-level data from data brokers.
------------------------------------------------------------------------------------------------------
9.7 TOOLING & FRAMEWORKS
------------------------------------------------------------------------------------------------------
• SecurityTrails – WHOIS history + passive DNS + infrastructure graphing.
• RiskIQ PassiveTotal – combine domains, IPs, SSL certs.
• Maltego – visualize relationships (domains, IPs, emails).
• SpiderFoot – automated OSINT (DNS, IPs, leaks, brokers).
• Nmap – active probing (in authorized engagements only).
------------------------------------------------------------------------------------------------------
9.8 OPSEC REMINDERS (WHEN PERFORMING LEGAL TESTING)
------------------------------------------------------------------------------------------------------
• Never probe infrastructure you don’t own or have permission to test.
• Use throwaway domains/URLs for tracking; never tie to personal infra.
• Isolate tooling on VMs/VPS and scrub logs (per legal retention policy).
• Avoid accidental “dox” of innocent users sharing IP addresses (NAT, VPNs).
------------------------------------------------------------------------------------------------------
9.9 ATTACK CHAIN EXAMPLES (SIMULATED)
------------------------------------------------------------------------------------------------------
**Example 1: IP From Link Click**
• Target clicks on Grabify link → capture IP.
• IP belongs to corporate VPN gateway → reverse DNS reveals vpn.corp.com.
• crt.sh reveals dev.corp.com & git.corp.com on same cert → internal apps exposed.
**Example 2: Passive DNS + WHOIS**
• Start with blogsite.com → SecurityTrails shows it resolved to 192.0.2.50 last year.
• Reverse IP lookup → finds payrollportal.com → WHOIS has same registrant email.
• That email is found in breach data → password reuse risk.
**Example 3: Shodan Pivot**
• IP from email header shows port 3389 (RDP) open.
• Shodan reveals it’s Windows Server 2012 with expired SSL cert.
• Pivot to associated domains from passive DNS → identify 3 other servers in same ASN.
======================================================================================================
0x10. OSINT TOOLSETS & FRAMEWORKS
======================================================================================================
- SpiderFoot (OSINT automation)
- Maltego (graphs)
- Amass (subdomains)
- Holehe (email enumeration)
- Sherlock / Maigret (username sweeps)
- Epieos (Google account leaks)
======================================================================================================
0x11. GOOGLE DORKING – MASSIVE EXPOSURE
======================================================================================================
- site:target.com filetype:log
- inurl:/backup.zip
- ext:env DB_PASSWORD
- intitle:"index of" "private"
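Each of the four queries above only matches when such a file or listing sits under a served document root, so the same patterns can be audited locally before a crawler indexes them. This is an added example, not part of the original guide; the extension lists, index file names and sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

ARCHIVE_EXT = (".zip", ".tar", ".tar.gz", ".tgz", ".7z", ".bak", ".sql")  # assumed list
INDEX_FILES = {"index.html", "index.htm", "index.php"}                    # assumed list
SECRET_KEY_RE = re.compile(
    r"^\s*(?:export\s+)?([A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|KEY)[A-Z0-9_]*)\s*=",
    re.M | re.I,
)


def secret_keys(path, limit=65536):
    """Names (never values) of secret-looking variables defined in an env file."""
    try:
        with open(path, "r", errors="replace") as fh:
            return SECRET_KEY_RE.findall(fh.read(limit))
    except OSError:
        return []


def audit_webroot(root):
    """Return sorted (matching_dork, relative_path, detail) findings for one document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if not INDEX_FILES & {f.lower() for f in files}:
            findings.append(('intitle:"index of"', rel_dir,
                             "no index file: listed if the server has auto-indexing on"))
        for name in files:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            low = name.lower()
            if low.endswith(".log"):
                findings.append(("filetype:log", rel, "log file inside the web root"))
            elif low.endswith(ARCHIVE_EXT):
                findings.append(("inurl:/backup.zip", rel, "backup or dump inside the web root"))
            elif low == ".env" or low.endswith(".env") or low.startswith(".env."):
                keys = secret_keys(os.path.join(dirpath, name))
                detail = "defines " + ", ".join(keys) if keys else "env file, no secret-like keys"
                findings.append(("ext:env", rel, detail))
    return sorted(findings)


def build_sample_webroot(root):
    """Constructed tree with one instance of each exposure the queries look for."""
    samples = {
        "index.html": "<h1>ok</h1>",
        ".env": "APP_NAME=demo\nDB_PASSWORD=constructed-value\n",
        "backup.zip": "",
        "logs/access.log": "constructed log line\n",
        "private/notes.txt": "constructed\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        for dork, path, detail in audit_webroot(tmp):
            print(f"{dork:22} {path:20} {detail}")
```

Findings are fixed by moving the file out of the document root or denying it in the server configuration, and any secret that was reachable should be rotated.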
======================================================================================================
0x12. DARK WEB INTELLIGENCE
======================================================================================================
- Ahmia, OnionLand (Tor search)
- DarkOwl, Flashpoint (paid)
- Telegram groups for leaks
- Pastebin, Ghostbin, Anonfiles indexed dumps
======================================================================================================
0x13. OPSEC & ANONYMITY
======================================================================================================
- Multi-hop VPN + Tor + isolated VMs
- Burner devices & accounts
- Never use real identity when testing
======================================================================================================
END OF GUIDE
======================================================================================================