
APIs and Services

Chris Maddalena edited this page Aug 30, 2018 · 1 revision

The APIs and Services

ODIN uses several APIs to gather information. Some of these require an API key, but most of the APIs are free to start: you can get a free key and then pay only if you need more requests per day. Shodan is a good example of this. You may prefer not to use APIs at all for one reason or another. You can still use ODIN, but a few of the APIs are just really fantastic and you should consider using them, specifically Censys and Shodan.

Whois and RDAP

Both of these services are used to collect data on domains and IP addresses. This includes attaching domains to IP addresses, identifying the network CIDRs for these addresses, and pulling information about the owners.

No API key is needed.

Robtex

The Robtex free REST API is used to collect domain names tied to IP addresses. This information is displayed alongside the RDAP information for IP addresses, so you can see what else is hosted at that IP address.

No API key is needed.

Shodan

Shodan is used to search for domains and look up hosts (IP addresses). This pulls in information like open ports, banners, hostnames, and location data. Shodan also flags hosts for well-known vulnerabilities like Heartbleed. This data is recorded as well, if it exists, but it tends to be outdated (or just wrong) a lot of the time.

Sign up for an account to get your API key: shodan.io

Censys

Censys is very much like Shodan, except less information about open ports/services is available. However, Censys provides a way to search for certificates tied to a domain. This can be a lot of data, but you may find new hosts, like those tied to an employee's email address and used for a VPS in the cloud.

Sign up for an account to get your API key: censys.io

Twitter

If you set up a Twitter app for ODIN, the tokens can be used with Tweepy to collect account data (e.g. real name, location, follower count, and user description) from Twitter profiles ODIN has linked to the target organization.

In the future, this may be used to collect analytics from Twitter to help you find very active users or get a profile of them.

Become a Twitter developer by going to dev.twitter.com and then create an app on apps.twitter.com.

Cymon

eSentire's Cymon is used to check domains and IP addresses to see if the target appears in any of Cymon's collected threat intelligence feeds. This is used for reputation checks, and also in combination with urlcrazy to check whether similar, registered domains, or their A-record IP addresses, have been reported.

Note that appearing in a threat feed doesn't necessarily mean something is wrong, or that Cymon has bad data. A domain may have been used for phishing, been detected and seized, and now sit dormant with its old malicious A records. Then there are things like cloud service IPs that change hands often. Events like that can lead to a domain or IP being used for malicious activity one day and being safe the next. Always investigate these findings before crying wolf to your client.

Sign up for an account to get your API key: cymon.io

URLVoid

URLVoid offers reputation data for domains, including Alexa and Google rankings, domain age, and location data. It also keeps track of domains that have been flagged for malicious activity by various entities (e.g. Fortinet, Avira).

Like Cymon, this may help you identify typosquatted domains (identified via urlcrazy) that are or have been linked to malicious activity.

Sign up for an account to get your API key: urlvoid.com/api

HaveIBeenPwned

Email addresses are checked against HIBP to determine whether any of the organization's email addresses have appeared in pastes or been involved in security breaches.

No API key is needed.

DNS Dumpster

DNS Dumpster is a cool project you can find at dnsdumpster.com. Subdomain information is collected from DNS Dumpster, including a neat domain map image!

No API key is needed.

Netcraft

ODIN will check Netcraft for domain history and known subdomains. This requires a web driver for Selenium. If you download a driver and provide the path to it in your keys.config file (yes, this isn't really a key, but so be it), Netcraft searches will be kicked off automatically when you perform domain OSINT.

The Chrome browser must be installed and the Chrome WebDriver for the host OS is also required:

Chrome Web Driver

EmailHunter

Meant for marketing folks to find leads and contacts at a company, this service offers free API keys for harvesting its contact information organized by company/domain. Hunter will return names, email addresses, phone numbers, Twitter handles, LinkedIn profile links, and job titles.

Sign up for an account to get your API key: hunter.io

Full Contact

Full Contact support is implemented only for their Company API at the moment, but support for the People API may come in the future. For now, this is used to build a company profile based on a target domain, such as the client's primary domain used for email and their website. Full Contact catalogues everything from website info and company logo(s) to website blurbs and social media profiles.

It's likely Full Contact will get some things wrong, such as number of employees. In my experience, the data is usually not too far off the mark, but the profile is only meant to act as a snapshot to get you started.

Sign up for an account to get your API key: app.fullcontact.com

AWS

Yes, Amazon Web Services. ODIN will perform recon against AWS to find things like S3 buckets and account names and aliases. Account names are strings of numbers, so you will need some idea of what you're looking for there. Aliases, however, can be anything, like a company name, and those can be validated as existing or not.

By default, ODIN uses the client (-c) name and domain (-d) for searches. ODIN will search for the name with spaces stripped out, the domain with the TLD, and the domain without the TLD. Then ODIN will add some common suffixes and prefixes, like "downloads-" or "-apps", to these keywords.

Optional wordlists can be provided for additional keywords and prefixes/suffixes. Keywords can be anything, really. Consider assembling a list of related words, alternate client names, etc.

An Amazon account and awscli are required.
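The keyword expansion described above, as an added example (not ODIN's own code): it builds the seed keywords from the client name and domain, applies prefixes and suffixes, and then drops anything that could never be a valid S3 bucket or Digital Ocean Space name, so no requests are spent on impossible candidates. The affix lists beyond "downloads-" and "-apps" are assumed stand-ins, and the client name and domain used in the usage call are constructed.

```python
import re

# Affix lists: the page names only "downloads-" and "-apps"; the rest are
# assumed stand-ins for ODIN's built-in list (or a user-supplied wordlist).
PREFIXES = ["downloads-", "dev-", "backup-"]
SUFFIXES = ["-apps", "-dev", "-backups"]

# S3 bucket names (and Digital Ocean Spaces, which follow the same rules):
# 3-63 characters, lowercase letters, digits, dots and hyphens, starting
# and ending with a letter or digit, and no consecutive dots.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def valid_bucket_name(name):
    """True if S3/Spaces would accept this name at all."""
    return bool(_BUCKET_RE.match(name)) and ".." not in name


def base_keywords(client, domain):
    """Seed keywords as the page describes: client name with spaces
    stripped, the domain with its TLD, and the domain without its TLD."""
    name = client.replace(" ", "").lower()
    domain = domain.lower().strip(".")
    label = domain.rsplit(".", 1)[0]  # "example.com" -> "example"
    return list(dict.fromkeys([name, domain, label]))  # dedupe, keep order


def candidate_names(client, domain, extra=()):
    """Expand seeds (plus optional extra keywords) with every prefix and
    suffix, deduplicate, and keep only names that pass the naming rules."""
    seeds = base_keywords(client, domain)
    seeds += [k.replace(" ", "").lower() for k in extra]
    candidates = []
    for seed in seeds:
        candidates.append(seed)
        candidates.extend(p + seed for p in PREFIXES)
        candidates.extend(seed + s for s in SUFFIXES)
    seen, out = set(), []
    for cand in candidates:
        if cand not in seen and valid_bucket_name(cand):
            seen.add(cand)
            out.append(cand)
    return out


if __name__ == "__main__":
    # Constructed sample input; prints 21 candidate names.
    for n in candidate_names("Example Corp", "example.com"):
        print(n)
```

Checking whether each candidate actually exists is the part that needs an AWS account and awscli, so it is deliberately left out here.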

Digital Ocean

ODIN will search for Digital Ocean Spaces just like it searches for S3 buckets. Spaces follow the same naming standards as S3, so it is simple to verify whether a Space exists.

No API key is needed.

WhoXY

WhoXY offers a nice fallback for a regular whois lookup. When whois fails to return any contact information, that can mean domain privacy is enabled or that the registrar is keeping that information behind its own whois tool. Querying individual registrars is not feasible (there are too many, and not all of them make automated queries remotely possible), but WhoXY assists by cataloguing a lot of the available whois data out there. The WhoXY whois API is used only as a fallback, when whois fails to return anything, to keep API calls and credit usage down when they aren't necessary.

Also, WhoXY's database can be searched with a company name, email address, or a keyword to find related domains. ODIN will take the provided organization name and any organization names returned from whois lookups and perform the reverse lookups through WhoXY for domains tied to the organization.

A WhoXY API key is required. Sign up for an account to get one: whoxy.com

Note: A WhoXY account is free and comes with a good number of API credits, but it does eventually cost some money. It's inexpensive, and they do offer a program for free API access. Once you run out, whois credits are $2 for 1,000 credits and reverse whois credits are $2 for 250 credits. Just $4 will reload your account and set you up for a good long time.