Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking
Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking
Maybe you are doing a pen-test and need information before you carry out a
social engineering attack. Maybe you just want to see if someone who contacted
you online is legit, or know what data of yours is out there for others to find.
Here are a collection of sites I and others have found useful for finding data
about a person or organization. I’m posting them mostly so I don’t lose them,
and so I have a place to point others to when they ask. If you have ideas for
There are tools for automating some of these tasks, but there is something to be
said for doing it “by hand”. Computers are great at math and automation, but
extracting context is a bit more difficult for my silicon friends (and also for
my silicone friends). The human mind can be far better at these tasks, at least
some minds. The way you have to think is in making connections. One bread crumb
of data leads to another, which leads to another and then another. For example:
Finding a user name leads to other profiles with more data, this leads to a
full name, then this could lead to a physical address.
A user name can lead to pics, which could lead to license plates or physical
For common names like John Doe adding interests from a profile or a location
can lead to narrowing down the results to a specific person.
It’s all about making connections. Keep in mind, you will normally find more
information on someone who is tech savy then someone who is not. My granny ain’t
on Facebook after all.
Please note there a quite a few common problems with these sorts of social
network aggregation sites:
1. Some sites start out free, then go paid. When this happens you get a lot of
info teases that lead to companies wanting your credit card. Sucky!
2. People like to create mashups, but then abandon them after the fun is over.
Then the back end API changes, and the site no longer works. What sites are good
for a task changes over time.
3. Some may ask for social network credentials. You may want to make some
throw-away accounts just for the purposes of using these tools.
This page will need t be updated over time, so please send me suggestions.
Duh. Make sure you
know your operators
to get he most out of it however.
Ok, Bing gets made fun of a lot as an “also ran” next to Google, but it has a
few awesome features. Many of the same operators from Google work here, but one
I really dig that only Bing has is IP: to find other websites on the same IP
(shared host cross referencing fun).
Networking, Domain and Routing Information
Most of this page will cover finding out information on people from social
networks, not network networks. However, sometimes knowing who owns a
network/domain/IP is a great place so start, and people leave things in their
Whois records that may reveal a lot of useful leads. There are so many sites
that offer these types of services, but I’ll only cover my favorites.
While the interface is a bit weird in my opinion, this is a great site for doing
reverse DNS look-ups on IPs, grabbing Whois contacts, and finding other general
information about an IP or domain name.
This one is sort of an odd ball. Lots of sites offer Whois info, this one goes
for more exotic tools. You really have to just play with it to find all of its
features. It’s sometimes hard to remember which option is where. Just some of
the tools are: ICMP & TCP traceroutes, SSL Info, DNS reports and Hostnames on a
shared IP. It’s nice to have them do some of the recon for you if you don’t want
to use a proxy and don’t wish for your IP to show up in the target’s logs.
Looking for profiles on a person
Advanced Background Checks
For finding street addresses and relatives this is the bomb. So far, it has not
failed me on finding street addresses if I have a vague idea where someone lives
The interface is clean, and while it links off to pay sites it at least gives
you real information first. I seem to recall it being better in the past.
Search for a person using Email|Name|user name. There are not as many results
returned as other sites, but what it gives you is nice an clean, with out all of
the paid sites in the way.
Ok, got to say I love this site. It may not have been meant as a site for
profiling, but it works well for that task. We all talk about password reuse
being a problem, but for profiling someone user name reuse is where it is at.
This site lets you search 160 social network sites to see if a screen name is
taken. From there, you can go see what is in a persons profile on those sites by
hand. Saves some time verses checking for an account on each site yourself, but
there is still lots of work for you to do afterwards.
Similar to Check Usernames above, but claims to check over 500 sites to see if a
given user name is taken.
This use to be Spock ("Single Point Of Contact (by) Keyword"). Not sure when it
changed, my guess is after Intelius bought them. You can search on
Name|Phone|Emai|lScreen Name. Good for finding relatives I suppose. Once you
find a name from a user name you should step back and search for it as well, as
the results vary a lot. Seems to mostly drive people to paying money to Intelius.
You can search for Name|Email|user name|Phone and find related results. The
results can be very noisy, with links to a bunch of paid sites (Spokeo, Intellus,
etc.), but if you are willing to sort though the crap it’s pretty nice. I like
what it shows from public records, Amazon profiles, and social networks.
Much like all of the above. Links off to a bunch of other resources, some paid
and some not.
Ok, Spokeo has some nice layout features but it’s an info tease. It reports “hey
I found something” a lot, but you have to pay for the results. Much like crime,
I don’t pay. Still, it can be nice as a starting point to lead you elsewhere.
For example, once you know someone has a Facebook profile, you can just go to
Lets you looks up people by name or keyword (try user name as a keyword).
Seems pretty good for finding where someone works. I wonder how much of the
information is just from LinkedIn, and how much from other sources? Looking at
them side by side, Zoom Info does seem to augment the details with other
If you have the MAC address of a router (it happens) Samy has a tool to try to
geolocate it base on what Google knows. Seems likely that Google is using
Android phone to do a distributed wardrive to supplement their street view car
Bing Map Apps
The map apps are a nice extra to have, but you will need SilverLight and they
don’t seem stable unless you are using Internet Explorer (go figure). Look at
the Twitter map app.
Also nice to see where people are tweeting from, but not as slick or as
comprehensive as the Bing app.
I've had good luck with using this to find addresses and neighbors.
I imagine most folks know about Google Images, but did you know who can
upload images (or drag and drop them) to find similar results? Good for finding
profiles under different names. Tin Eye is similar, but does not seem to cover
Ever found a picture of someone, and wondered if it existed elsewhere? Tin Eye,
and it’s browser plugin, let you choose a picture and find similar ones online,
even ones that have been seriously shopped. Unfortunately, the database seems
small. My hope would be to go to a social network profile, right click on an
image I only know the user name of, then find other profiles with a real name
and better information. So far, it’s mostly been useful for finding out “who is
this actor/model”, but perhaps in the future it will be better.
Got to love people that leave Facebook comments open to the world. Even if one
person is privacy aware, a friend of theirs may not be and could make comments
Open Status Search
Open Book seems to be gone, and Open Status Search seems to be the next best
May find something good, may find something that scars you for life.
White Pages Find Neighbors
Might be useful if you need to SE someone close by.
I've had some pretty
good luck using this to scrape info on people.
Archive.org Wayback Machine
Sometimes someone drops their docs, but removes them. The Wayback Machine may
help you find the deleted info.
Maybe the person posts on some forums with a given user name? Could lead to
Another board search, like the above.
Ok, these are not websites, but damn useful tools that pull from web resources.
Nifty tool, and I like the way it draws connections between entities like name,
domain, email addresses, etc., good for building a mind map of how things are
related. I still prefer to do things by hand to clear up false positives and
interpret data. You will likely have to register for API keys to get the most
use out of it.
This could someday be an open source replacement for Maltego, but right now it
seems next to impossible to get working.
I really dig this tools. It can do searches for common document formats using
Google and other search engines, then download them to extract metadata. Lovely.
Great tool for geolocating/tracking Twitter/Foursquare users. Not only pulls
coordinates from the posts directly, but can grab them from the EXIF data in
pictures they link to.
Sites I’ve found so useless...
... that I won’t even link to them, but I want to keep people from asking “why
isn’t X listed?” Mostly you get on this list for having little to no free
information, and only leading to questionable for pay information.
yoname (use to like it, now the results seem pretty bad)
Thanks to @davemarcus,
2/26/2013: Added "Advanced Background Checks", "Yasni", "411", "Google
Images" and "Open Status Search".