Course recordings on DaDesktop for Training platform
Outline: Open Source Intelligence (OSINT) Advanced (Course code: osint)
Categories: Open Source Intelligence (OSINT)
Summary
Overview
This course provides comprehensive training in Open-Source Intelligence (OSINT) techniques for digital investigations, focusing on methods to identify individuals, devices, organizations, and exposed data using publicly available tools and search operators. It covers advanced Google dorks, device enumeration via Shodan and Fofa, credential leak detection with HaveIBeenPwned and IntelX, facial recognition with PimEyes and FaceCheck, geolocation through metadata and reverse image search, phone number tracing, corporate data extraction, and social media analysis. The trainer emphasizes cross-tool correlation, lateral thinking, and ethical boundaries, with hands-on exercises using virtual machines and real-world case studies.
Topic (Timeline)
1. Google Hacking and OSINT Fundamentals [00:00:14 - 00:01:27]
- Google’s search operators allow precise filtering of results to exclude irrelevant pages and focus on useful data for investigations.
- Only ~30% of useful investigative data is indexed by Google; the rest resides in government sites, social media, and specialized databases.
- A resource file titled “Google Hacking” in the VM’s “Recursos Escritos” folder contains detailed operator examples and combinations (e.g., site: + intitle: + filetype:).
2. Device Enumeration with Shodan, Fofa, and Leakix [00:02:59 - 00:09:53]
- Tools like Shodan, Censys, Fofa, and Leakix identify internet-exposed devices, open ports, and vulnerabilities by querying IP addresses or domains.
- Shodan revealed a Chinese IP with open ports (22, 111, 9999), two critical vulnerabilities (CVSS 9.8 and 2008), and infrastructure details (Aliyun, Alibaba ISP).
- Fofa and Sumai require registration or CAPTCHA; Leakix returned no data for the tested IP, highlighting tool variability and the need for multiple sources.
3. Webcam and Public Camera Discovery [00:09:59 - 00:12:57]
- insecam.org was used to discover publicly accessible webcams in Mexico, including one linked to CENACITA in Planepantla and another in San Nicolás.
- Many cameras lack authentication and are accessible without credentials, posing significant privacy and security risks.
- The trainer emphasizes that exposed cameras are often overlooked by organizations and actively exploited by attackers.
4. Credential Leak Detection and Password Spray [00:17:58 - 00:25:12]
- HaveIBeenPwned was used to detect multiple breaches for a test email, including 00Webhost (2015), Collection One (2019), and Gravatar (2020).
- Reused passwords from leaked sources enable “password spray” attacks across services like Gmail, LinkedIn, and Facebook.
- LeakCheck.io was introduced as a complementary tool showing partial password fragments; users are advised to change exposed passwords and avoid reuse.
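The defensive counterpart to the password-spray scenario in this section is spotting it in authentication logs: a spray shows up as one source failing against many distinct accounts with only one or two attempts each, which is the opposite shape of a brute force against a single account. The following is an added example written for this summary, not material from the course or from any of the tools it names; the log format (timestamp, auth-fail/auth-ok, src=, user=) and the sample lines are constructed, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the course). Format is a simplified auth log, assumed here:
#   <ISO timestamp> auth-fail|auth-ok src=<ip> user=<account>
# 203.0.113.7: one password tried against five accounts, then a success -> spray pattern.
# 198.51.100.9: six failures against one account -> brute force, not spray.
# 192.0.2.44: two failures 25 minutes apart -> noise.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z auth-fail src=203.0.113.7 user=alice
2024-05-01T09:00:03Z auth-fail src=203.0.113.7 user=bob
2024-05-01T09:00:05Z auth-fail src=203.0.113.7 user=carol
2024-05-01T09:00:07Z auth-fail src=203.0.113.7 user=dave
2024-05-01T09:00:09Z auth-fail src=203.0.113.7 user=erin
2024-05-01T09:00:11Z auth-ok   src=203.0.113.7 user=frank
2024-05-01T09:00:12Z auth-fail src=198.51.100.9 user=alice
2024-05-01T09:00:14Z auth-fail src=198.51.100.9 user=alice
2024-05-01T09:00:16Z auth-fail src=198.51.100.9 user=alice
2024-05-01T09:00:18Z auth-fail src=198.51.100.9 user=alice
2024-05-01T09:00:20Z auth-fail src=198.51.100.9 user=alice
2024-05-01T09:00:22Z auth-fail src=198.51.100.9 user=alice
2024-05-01T09:05:00Z auth-fail src=192.0.2.44 user=grace
2024-05-01T09:30:00Z auth-fail src=192.0.2.44 user=heidi
"""

LINE_RE = re.compile(r"^(\S+)\s+(auth-fail|auth-ok)\s+src=(\S+)\s+user=(\S+)$")


def parse_events(text):
    """Parse log lines into (time, source_ip, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, outcome, src, user = m.groups()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((t, src, user, outcome == "auth-ok"))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that, within one window, fail against >= min_users distinct accounts
    with at most max_per_user failures per account (the spray signature). Any successful
    login from that source inside the same window is reported as a probable compromise."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _, _, _) in enumerate(evs):
            fails = defaultdict(int)
            successes = set()
            for t, _, user, ok in evs[i:]:
                if t - t0 > window:
                    break
                if ok:
                    successes.add(user)
                else:
                    fails[user] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                findings[src] = {
                    "distinct_users": len(fails),
                    "attempts": sum(fails.values()),
                    "successes": sorted(successes),
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

The per-account cap is what separates a spray from a brute force; dropping it would also flag the single-account attacker at 198.51.100.9, which is a different playbook and usually already covered by lockout policy. The success list is the field worth alerting on immediately, since a spray that lands one valid credential is the reuse scenario the course warns about.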
5. Advanced Credential Analysis with IntelX and BreachHawa [00:27:07 - 00:33:12]
- IntelX.io (paid) revealed full plaintext passwords from the Collection One breach, enabling confirmation of credential exposure.
- BreachHawa.com was used to scan the domain go.mx, uncovering 175 compromised accounts, 101 emails, and 842 leaked items, with a spike in 2022.
- These tools are critical for organizations to monitor employee credential exposure and proactively mitigate risks.
6. Real-Time Breach Monitoring with ScatteredSecrets and AmaiBridge [00:33:12 - 00:43:25]
- ScatteredSecrets.com and AmaiBridge.com offer free, real-time email monitoring for new breaches, sending automatic alerts when an email appears in leaks.
- These services are recommended for proactive personal and organizational security, requiring only email registration with no payment.
7. Facial Recognition and Identity Reconstruction [00:46:18 - 01:08:17]
- Tools PicTrip, PimEyes, and FaceCheck analyzed a suspect photo, identifying gender, age, and matching images across the web.
- PimEyes returned a name (Andrés Velázquez) linked to a public image; Google search with “Mática” (company name) confirmed identity and led to academic and professional profiles.
- The second surname (Solavarrita) was deduced using the Google dork "Andrés Velázquez" AND Mática, then confirmed via LinkedIn and university records.
8. Reverse Image Geolocation [01:08:17 - 01:22:38]
- Reverse image search via Google Images, Yandex, TinEye, and Bing was used to identify the origin of a photo as the Texas Capitol.
- Architectural details (columns, roof shape, entrance features) were cross-validated with Google Street View to confirm exact location and camera angle.
- The exercise demonstrated that even without metadata, visual context enables precise geolocation.
9. Metadata Analysis and Forensic Extraction [01:29:49 - 01:47:52]
- EXIF metadata from a diploma photo revealed an iPhone 7, GPS coordinates, and timestamps; initial coordinates were misinterpreted as U.S. but corrected to Mexico City campus.
- ExifTool (local, offline tool) confirmed exact coordinates: 19°46'21.50" N, 99°00'06.13" W — matching the Tecnológico Nacional de México campus.
- Social media platforms strip metadata by default, but original files are retained; users are advised to disable GPS on cameras to prevent location exposure.
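The mitigation this section ends on (do not let a shared original carry GPS data) can be enforced at the file level rather than relying on the platform to strip it. The following is an added example for this summary, not code from the course or from ExifTool: it walks the JPEG marker segments, reports whether an APP1 Exif segment is present, removes it, and converts the degree/minute/second form in which EXIF stores GPS (the page's 19°46'21.50" N, 99°00'06.13" W) to decimal degrees. The sample JPEG bytes are constructed to exercise the marker layout only; they are not a decodable picture.

```python
import struct

SOI, EOI, SOS, APP0, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE0, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"  # APP1 payloads carrying EXIF start with this


def _segment(marker, payload):
    """Build one JPEG marker segment: marker, big-endian length (counts the 2 length bytes), payload."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample: APP0 (JFIF), an APP1 Exif segment standing in for one that would hold the
# GPS IFD, then SOS, a few bytes of scan data and EOI. Real files also carry DQT/SOF/DHT segments.
FAKE_EXIF_PAYLOAD = EXIF_HEADER + b"II*\x00\x08\x00\x00\x00" + b"\x00" * 32
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, FAKE_EXIF_PAYLOAD)
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)


def iter_segments(data):
    """Yield (marker, payload, start, end) for each header segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF or length < 2:
            raise ValueError("corrupt segment at offset %d" % pos)
        end = pos + 2 + length
        yield marker, data[pos + 4:end], pos, end
        pos = end
        if marker == SOS:
            return  # entropy-coded scan data follows; no more header segments


def has_exif(data):
    """True if the file carries an APP1 Exif segment (where GPS, device and timestamps live)."""
    return any(m == APP1 and p.startswith(EXIF_HEADER) for m, p, _, _ in iter_segments(data))


def strip_exif(data):
    """Return a copy of the JPEG with every APP1 Exif segment removed; image data is untouched."""
    out = bytearray(data[:2])
    last_end = 2
    for marker, payload, start, end in iter_segments(data):
        if not (marker == APP1 and payload.startswith(EXIF_HEADER)):
            out += data[start:end]
        last_end = end
    out += data[last_end:]  # scan data and EOI copied verbatim
    return bytes(out)


def dms_to_decimal(degrees, minutes, seconds, ref):
    """EXIF GPSLatitude/GPSLongitude are three rationals plus an N/S/E/W reference letter."""
    value = degrees + minutes / 60.0 + seconds / 3600.0
    return -value if ref in ("S", "W") else value


if __name__ == "__main__":
    print("exif present:", has_exif(SAMPLE_JPEG))
    cleaned = strip_exif(SAMPLE_JPEG)
    print("exif after strip:", has_exif(cleaned), "bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
    print("page coordinates in decimal:",
          round(dms_to_decimal(19, 46, 21.50, "N"), 6), round(dms_to_decimal(99, 0, 6.13, "W"), 6))
```

Removing the whole APP1 segment is deliberate: EXIF also holds the device model and capture time the course recovered from the diploma photo, so stripping only the GPS IFD would leave the rest of the profile in place. Run `has_exif` over outgoing files as the check, and keep the stripped copy, not the original, as the one that leaves the organization.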
10. Email Reconnaissance and Validation [01:49:00 - 02:07:53]
- osint.rocks, epios.com, and leakpeak.com reconstructed a digital identity from a single email: linked to YouTube, Google Photos, Spotify, Twitter, and past breaches.
- epios.com revealed the person’s real name (Fernando Espinoza) and Google+ profile photo, enabling further image-based investigations.
- Email validation tools (Email Checker, VerifyEmailAdres.org) verify account existence without sending emails, using SMTP response analysis.
11. Automated Email Harvesting and Scripting [02:08:18 - 02:10:42]
- Email Harvester (CMD tool) extracts emails from company websites by crawling public pages; requires local execution and is blocked for U.S.-based IPs.
- Command example: emailharvester -d gov.mx retrieves all detected email addresses from a domain.
- EOLGG is recommended as a stable web-based alternative for automation tasks.
12. Vehicle and License Plate Investigation [02:16:59 - 02:31:55]
- Mexican license plates are not reliably searchable via REPUBE; instead, state-specific government portals (e.g., for tax or vehicle verification) are used.
- A security flaw in a state portal allowed downloading the vehicle registration document, revealing the owner’s name, address, and email.
- A single plate led to full identity reconstruction: name, email, home address, vehicle photos from Mercado Libre, and social media links.
13. Username and Online Identity Mapping [02:38:43 - 02:47:20]
- whatsmyname.app and username.social mapped the username “Cybercrime” across 20+ platforms (Twitter, Instagram, GitHub, Mastodon).
- False positives are common; validation requires cross-checking with known profile photos or real names.
- This technique enables mapping a person’s digital footprint across platforms for deeper OSINT investigations.
14. Phone Number OSINT and Privacy Risks [02:47:22 - 03:14:46]
- sns.ift.org.mx (official telecom authority) identifies region and carrier (e.g., Telcel in Veracruz).
- Tools like Sync.me, TrueColor, and Shall I Answer return names via crowdsourced contact data — raising privacy concerns as they harvest users’ address books.
- Users are advised to use dedicated devices or emulators to avoid exposing personal contacts.
- Number formats (with/without +52, spaces, groups) must be tested in Google to uncover public listings.
15. Bank Account Key Verification [03:21:23 - 03:24:51]
- A phishing campaign used a bank account key (137730104471919593); tools on the VM returned the account holder’s name.
- A low-risk method: make a 1-peso transfer at a Bancomer ATM — the receipt displays the account holder’s full name.
- This technique is critical in fraud investigations where only the account key is available.
16. Corporate and Shareholder Research [03:24:58 - 03:38:33]
- IMPI’s marca.acervomarcas.impi.gov.mx was used to find shareholders of IQSEC by reviewing trademark filings (2024 declaration), revealing two individuals: Kiros Plata Israel and David.
- Other tools: Apollo (employee data), IroLits (email pattern detection), Datanice, and Registro Público del Comercio (government business registry).
- Access to SIGER (government registry) requires formal authorization and corporate email.
17. Person Search and Lateral Thinking [03:38:33 - 03:55:38]
- Search strategies: combine names and surnames in different orders, use quotes, and cross-reference with phone, email, photo, or CURP.
- For a public official (Antonio Atolini Murra), salary was found via state transparency portal (temáticos.plataformadetransparencia.vrg.mx).
- To find a professional’s sister: searched academic thesis repositories; the acknowledgments section named “Sigrid” as the sister — demonstrating lateral thinking over tool reliance.
18. Telegram Bots for OSINT Aggregation [03:57:36 - 04:22:46]
- Truecaller and Universal Search bots on Telegram aggregate data from multiple sources: phone numbers return names, location, WhatsApp/Telegram status, and leak data.
- Universal Search returned email breach data (Nitro, Explog.in, 00Webhost), language (Spanish), and avatar links.
- Users are advised to use disposable phone numbers and old devices to avoid privacy contamination.
19. Social Media Analysis in Mexico [04:22:49 - 05:02:32]
- Top platforms: WhatsApp (92.6%), Facebook, Instagram, TikTok, X; focus investigations on these due to user density (86.6% of internet users).
- Age demographics: 18–34 years dominate; older users (55+) are less active on Instagram and Facebook.
- Facebook advanced search (using “A” or “Eva” filters) revealed public posts, employment (Cinemex), and relocation history without being a friend.
- For a target (Rocío), her partner was identified via a gym’s Facebook page: a photo with an Exxon ID matched LinkedIn and Google results.
20. Social Media Network Theory and Indirect Discovery [04:25:54 - 05:02:32]
- Stanley Milgram’s “six degrees of separation” applies: indirect connections (friends, family) can reveal hidden profiles.
- If a target’s profile is private, search their relatives’ or colleagues’ posts, comments, or tagged photos.
- Use public groups (neighborhood, workplace) to find common names; avatars or fake accounts may be used for research.
Appendix
Key Concepts
- OSINT: Gathering intelligence from publicly accessible sources without direct interaction.
- Lateral Thinking: Using indirect, contextual clues (e.g., thesis acknowledgments) to solve problems when direct data is unavailable.
- Password Spray: Using a small set of common passwords against many accounts, exploiting credential reuse.
- Reverse Image Search: Identifying origin, location, or identity of a person via image metadata and visual matching.
- Metadata: Hidden data in files (GPS, device, timestamp) that can reveal location and origin, often stripped by social media but retained in originals.
Tools & Commands
- Google Dorks: site:, intitle:, filetype:, "exact phrase" AND keyword
- Device Scanners: Shodan, Fofa, Censys, Leakix, FullHunt
- Credential Checkers: HaveIBeenPwned, LeakCheck.io, IntelX.io, BreachHawa.com
- Facial Recognition: PimEyes, FaceCheck, PicTrip
- Reverse Image Search: Google Images, Yandex, TinEye, Bing
- Metadata Tool: ExifTool (local, offline)
- Email Recon: osint.rocks, epios.com, leakpeak.com
- Email Validation: Email Checker, VerifyEmailAdres.org
- Email Harvester: emailharvester -d example.com (CMD)
- Phone OSINT: sns.ift.org.mx, Sync.me, TrueColor, Shall I Answer, QuienHabla.mx
- Account Key Lookup: Government payment portals, Bancomer ATM (1-peso test)
- Corporate Research: IMPI (marca.acervomarcas.impi.gov.mx), IroLits, Apollo
- Telegram Bots: Truecaller Bot, Universal Search Bot
- Social Media: Facebook Advanced Search, LinkedIn, TikTok, Instagram (via public profiles)