OSINT CTF Beginner roadmap

OSINT CTF Beginner Roadmap

By Ahmed Elessaway

👋 Hello, It’s Ahmed Elessaway!

I’m totally hooked on Open-Source Intelligence (OSINT). It’s like being a digital detective, and I can’t get enough of it! It’s like puzzles that keep my brain buzzing. Recently, I’ve fallen head over heels for OSINT, and now I’m on a mission to share this awesome skill with you. Why? Because OSINT is not just cool, it’s super useful in today’s world. Whether you’re into cybersecurity, journalism, or just love solving mysteries, OSINT can be your secret weapon. So, buckle up! I’m here to guide you through the wild and wonderful world of OSINT. Let’s learn, explore, and have a blast together! Now, let’s kick things off.

Table of Contents

• Introduction to OSINT
• Basic OSINT Tools and Techniques
• Intermediate OSINT Skills
• OSINT for Specific Domains
• Cloud Storage OSINT
• Blockchain & Cryptocurrency OSINT
• Dark Web & Threat Intelligence
• Malware Research Resources
• Practicing
• Resources and Further Learning

Introduction to OSINT

OSINT stands for Open-Source Intelligence. Sounds fancy, right? But it’s actually pretty simple. OSINT is all about gathering and analyzing information that’s out there for everyone to see. We’re talking about stuff you can find on the internet, in newspapers, or even by watching TV. Imagine you’re a detective trying to solve a case. But instead of dusting for fingerprints, you’re combing through social media posts, public records, and online forums. That’s OSINT in action!

Why OSINT Matters

• It’s a Superpower: OSINT can help you find out all sorts of things. From tracking down an old friend to understanding a company’s reputation, the possibilities are endless.
• It’s Used Everywhere: Businesses use it to check out competitors. Journalists use it to dig up stories. Even law enforcement uses OSINT to solve crimes!
• It’s a Valuable Skill: In today’s digital world, knowing how to find and make sense of information is super important. It’s like having X-ray vision for the internet!

The OSINT Mindset

To rock at OSINT, you need to think like a curious cat. Always ask:

• Where else can I look for info?
• How can I connect these different pieces of data?
• What’s the story behind this information?

Remember, OSINT is like a treasure hunt. The clues are out there , you just need to know where to look and how to piece them together!

A Word on Ethics [IMPORTANT]

Before we dive deeper, let’s talk about playing nice. OSINT is powerful, but with great power comes great responsibility. Always:

• Respect people’s privacy
• Use information ethically
• Follow the law

OSINT should be about learning and helping, not snooping or causing harm. Keep it cool, and we’ll all have a great time exploring this amazing field!

Basic OSINT Tools and Techniques

Search Engines

• Google: Your main OSINT tool. Use it to find almost anything.
  Example: Google Dorking (Google Hacking)
• DuckDuckGo: Great for private searches without tracking.

Try this search: "xElessaway" OR "0xL4ugh" site:x.com

This will find mentions of either “xElessaway” or “0xL4ugh” on X (Twitter).

Social Media Investigation

• Tweetbinder: Analyze Twitter easily. Great for seeing popular tweets and user info.

• Sherlock: Find usernames across many platforms quickly.

• Snoop (AnkhCorp/Snoop): Powerful OSINT tool for researching social media accounts by username across multiple platforms.
• Maigret (krishpranav/maigret): A simple yet effective username OSINT tool built in Go for finding accounts across various platforms.
• WhatsMyName (whatsmynameapp.net): Comprehensive username search across hundreds of sites.

Image Analysis

• TinEye: Upload an image to find where else it appears online.

• Google Images: Reverse image search to find similar pictures or sources.

Geolocation Techniques

• Google Earth: Explore the world from your computer. Great for verifying locations.

• GeoGuessr: Fun game to practice identifying places from images.

Intermediate OSINT Skills

Domain and IP Investigation

• Whois.domaintools.com: Find out who owns a website.

IoT

• Shodan.io: Search for devices connected to the internet.

• Netlas.io (netlas.io): Advanced internet search engine similar to Shodan, great for discovering exposed services and devices.

• FOFA (en.fofa.info): Cyberspace search engine for finding network assets and security vulnerabilities.

Email Investigation

• Hunter.io: Find email addresses associated with a domain.
• Epieos: A good tool to find information about emails, especially gmails.

• Have I Been Pwned: Check if an email was part of a data breach.

Phone Number Lookup

• Truecaller: Identify unknown callers and find info about phone numbers.
• GetContact: Identify unknown callers and discover information about phone numbers.

Dark Web OSINT [TAKE CARE]

• Tor Browser: Safely access .onion sites. Remember, be careful and legal!

OSINT for Specific Domains

Cybersecurity OSINT

• AlienVault OTX: Find and share info about cyber threats.

Business Intelligence

• Crunchbase: Learn about companies, investments, and industry news.

Threat Intelligence

• ThreatConnect: Track and analyze potential security threats.

Cloud Storage OSINT

Cloud storage buckets are often misconfigured, exposing sensitive data to the public internet. These tools help security researchers and penetration testers identify exposed cloud storage.

• GreyHat Warfare (buckets.grayhatwarfare.com): Search for publicly exposed AWS S3 buckets, Azure Blobs, and Google Cloud Storage buckets. Excellent for finding exposed data and testing cloud security configurations.

Note: Always ensure you have proper authorization before accessing cloud storage buckets, even if they’re publicly exposed.

Blockchain & Cryptocurrency OSINT

Blockchain technology provides a transparent, immutable ledger that’s perfect for OSINT investigations. These tools help trace cryptocurrency transactions and analyze blockchain data.

Blockchain Explorers

• Etherscan (etherscan.io): The most popular Ethereum blockchain explorer. Track transactions, wallet addresses, smart contracts, and token movements.

• Blockchain.com Explorer: Bitcoin and Ethereum blockchain explorer with detailed transaction history and address tracking.

• BscScan: Binance Smart Chain explorer for tracking BSC transactions and tokens.

• Blockchair: Multi-blockchain search engine supporting Bitcoin, Ethereum, and 17+ other blockchains.

DeFi Analytics

DeFi (Decentralized Finance) refers to a blockchain-based financial system that allows people to access financial services without banks or intermediaries.

It uses smart contracts on blockchains (like Ethereum) to enable services such as lending, borrowing, trading, and earning interest in a transparent, permissionless, and automated way.

• DeBank: Track DeFi portfolios, monitor wallet balances, analyze yield positions, and explore DeFi protocols.

• DeFi Llama: Track Total Value Locked (TVL) across DeFi protocols, monitor yield farming opportunities, and analyze DeFi trends.

• Dune Analytics: Create and share custom blockchain analytics dashboards. Great for deep-dive investigations.

• CoinGecko / CoinMarketCap: Track cryptocurrency prices, market caps, and project information.

Use Case: Blockchain OSINT is invaluable for tracking ransomware payments, investigating crypto scams, following money trails, and understanding DeFi protocol vulnerabilities.

Dark Web & Threat Intelligence

The dark web is where many cyber threats originate. These resources help track ransomware groups, leaked data, and emerging threats. Always exercise extreme caution and follow legal guidelines.

Ransomware Tracking

• RansomWatch: Track ransomware attacks, monitor victim disclosures, and analyze global ransomware activity.

• Ransomlook.io: Monitors ransomware group leak sites and tracks victims. Provides real-time alerts about new ransomware attacks and data leaks.

• Ransomware.live: Real-time ransomware tracking platform that aggregates data from multiple ransomware groups and their leak sites.

Dark Web Monitoring

• Onion.live (onion.live): Directory and search engine for .onion sites with status monitoring.

• DeepDarkCTI (fastfire/deepdarkCTI on GitHub): Curated collection of Cyber Threat Intelligence (CTI) sources from the deep and dark web. Includes feeds for threat hunting and incident response.
• Ahmia.fi: Search engine for Tor hidden services with content filtering.
• DarkSearch.io: Another dark web search engine with a cleaner interface.

⚠️ Security Warning: Never access the dark web without proper security measures (Tor Browser, VPN, isolated environment). Never engage with illegal content. Use these tools for legitimate security research only.

Malware Research Resources

Understanding malware is crucial for cybersecurity professionals. These resources provide comprehensive databases of malware samples, analysis, and threat intelligence.

• Malpedia (malpedia.caad.fkie.fraunhofer.de): A resource providing rapid identification and actionable context for malware investigations. Maintained by Fraunhofer FKIE, it’s an excellent reference for malware families, actors, and campaigns.

• Open Source Malware (opensourcemalware.com): Community-driven repository of malware samples for research and analysis. Great for threat hunting and understanding attack patterns.

• VirusTotal: Upload files and URLs to scan them with 70+ antivirus engines. Also provides detailed analysis reports and community feedback.
• Hybrid Analysis: Free malware analysis service using advanced sandboxing technology.
• ANY.RUN: Interactive malware analysis sandbox where you can observe malware behavior in real-time.

Important: Handle malware samples in isolated environments only. Never execute malware on production systems. Follow responsible disclosure practices.

Practicing

CTF OSINT Challenges

• TryHackMe: Fun, gamified platform to learn OSINT skills.
• HackTheBox: More advanced challenges for when you level up.
• OSINT Dojo: Practice with real-world scenarios.
• GeoGuessr: Good for GEOINT and finding geospatial locations.
• TraceLabs: Good place to join others in their OSINT tasks and challenges.
• sourcing.games: Good for multiple disciplines in OSINT.
• 0xL4ugh OSINT CTF on THM: https://tryhackme.com/jr/0xl4ughosintctf

Resources and Further Learning

Books

1. “Open Source Intelligence Techniques”
2. “The OSINT Handbook”
3. “OSINT: How to Find Information on Anyone”
4. “Hiding from the Internet”
5. “Google Hacking for Penetration Testers”
6. “Intelligence-Driven Incident Response”
7. “Operator Handbook”
8. “Digital Witness”
9. “Kase Scenarios”

Websites and Communities

1. IntelTechniques.com
2. OSINT Framework (osintframework.com)
3. Reddit r/OSINT
4. OSINT Curious Project (osintcurio.us)
5. Bellingcat (bellingcat.com)
6. OSINT Techniques (osinttechniques.com)
7. OSINT Dojo (osintdojo.com)
8. Toddington International (tilearning.com)

Comprehensive OSINT Tools List

Full List of Tools: https://github.com/jivoi/awesome-osint

Search Engines and Aggregators

1. Google (with advanced operators)
2. DuckDuckGo
3. Bing
4. Yandex
5. Baidu
6. Wayback Machine
7. Archive.today

Social Media Tools

1. Tweetdeck
2. Followerwonk
3. IntelX
4. Twint (Twitter scraping tool)
5. Sherlock (username search)
6. Maigret (username search in Go)
7. Snoop (social media account research)
8. Namechk
9. Social-Searcher
10. WhatsMyName (whatsmynameapp.net)

Image Analysis

1. TinEye
2. Google Images
3. Yandex Images
4. ExifTool
5. FotoForensics

Geolocation Tools

1. Google Earth Pro
2. SunCalc
3. Wikimapia
4. What3Words
5. GeoGuessr (for practice)
6. ShadowCalculator

Domain and IP Investigation

1. Whois.domaintools.com
2. Shodan.io
3. Netlas.io
4. FOFA (en.fofa.info)
5. Censys.io
6. VirusTotal
7. DNSDumpster
8. Domaintools
9. SecurityTrails

Email Investigation

1. Hunter.io
2. Epieos
3. Email Hippo
4. HaveIBeenPwned
5. Emailrep.io

Phone Number Lookup

1. Truecaller
2. Phoneinfoga
3. Numverify
4. Sync.me
5. GetContact

Cloud Storage OSINT

1. GreyHat Warfare (buckets.grayhatwarfare.com)
2. S3Scanner
3. CloudScraper

Blockchain & Cryptocurrency

1. Etherscan
2. Blockchain.com Explorer
3. BscScan
4. Blockchair
5. DeFi Llama
6. Dune Analytics

OSINT Frameworks and Automation

1. Recon-ng
2. SpiderFoot
3. theHarvester
4. OSINT Framework
5. Metagoofil
6. Spyse.com
7. Amass

Cybersecurity OSINT

1. AlienVault OTX
2. ThreatCrowd
3. Recorded Future
4. CrowdStrike Falcon Intelligence

Business Intelligence

1. Crunchbase
2. LinkedIn Sales Navigator
3. Google Trends
4. SimilarWeb

Threat Intelligence

1. ThreatConnect
2. IBM X-Force Exchange
3. MISP (Malware Information Sharing Platform)
4. VirusTotal

Dark Web OSINT [TAKE CARE]

1. Tor Browser
2. OnionSearch
3. Ahmia.fi
4. DarkSearch.io
5. Onion.live
6. Ransomlook.io
7. Ransomware.live
8. DeepDarkCTI (GitHub)

Malware Research

1. Malpedia (malpedia.caad.fkie.fraunhofer.de)
2. Open Source Malware (opensourcemalware.com)
3. Hybrid Analysis
4. ANY.RUN
5. Joe Sandbox

Miscellaneous Tools

1. CyberChef (data encoding/decoding)
2. FOCA (metadata analysis)
3. Wigle.net (wireless network mapping)
4. Hunchly (web capture and organization)

Conclusion

As we wrap up this OSINT roadmap, remember that Open-Source Intelligence is all about curiosity and ethical information gathering. The tools and techniques you’ve learned are just the beginning , OSINT is a skill that grows with practice and continuous learning. Always use these skills responsibly and legally. Whether you’re interested in cybersecurity, research, or problem-solving, OSINT can be incredibly valuable. Keep exploring, stay curious, and don’t forget to follow me and the 0xL4ugh Team on social media for more cybersecurity insights. Thanks for joining me on this journey into the world of OSINT. Happy investigating!

My Social Media

• X (Twitter) 🇵🇸
• LinkedIn
• Facebook
• GitHub

0xL4ugh’s Social Media

• Website
• Facebook Page
• X (Twitter) 0xL4ugh