Microsoft Subnet An independent Microsoft community View more

Famous Patriot Hacktivist The Jester Shares Battle Chest of OSINT Tools

Love him or hate him, the famous American patriot hacker th3j35t3r started a series about his battle chest of Open Source Intelligence (OSINT) tools. These are not the type of intel-gathering surveillance tools that require being an intelligence agency to track people. Used by pen testers, hackers and social engineers, you may find it unnerving how easily your illusionary veil of privacy can be shredded by just these six OSINT tools.

The famous and often-controversial American patriot hacktivist that goes by the alias th3j35t3r was compared to acting "as David slaying a few giants" in the SANS Institute published whitepaper, Jester Dynamic Lesson Asymmetric Unmanaged Cyber Warfare. "The Jester has proved that a single individual is very capable of waging cyber war at a level we previously attributed only to intelligence agencies or crime syndicates," the paper concluded.

The Jester describes himself as a "Hacktivist for good. Obstructing the lines of communication for terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys." Known for warring online with Anonymous, jihadists, 4chan, WikiLeaks, and for taking down websites through DDoS attacks, the Jester has also been the target of countless DOX attempts. Sadly, some of the causes he (or she) supports have also been targeted, such as when the UGNazis attacked the Wounded Warrior Project website allegedly for "no reason but to spite The Jester." Love him or hate him, the Jester started a series about his battle chest of tools. The first post includes a list of six Open Source Intelligence (OSINT) tools that are openly available to everyone: Maltego, Creepy, Spokeo, CaseFile, Recorded Future and The Jester's own FoxOne Scanner.

Don't confuse freely available with a price tag of all for free, but you may find it unnerving how easily your illusionary veil of privacy can be shredded. While there is nothing particularly new about The Jester's list of OSINT tools, especially for pen testers or social engineers, it's a good reminder how simple it is for you to be tracked online by anyone at all.

Let's start with the geolocation information aggregator Creepy since it can be downloaded for the low, low price of absolutely nothing. The Jester wrote that it "hooks into social networks like Twitter and Flickr to glean information about a targeted user's location. It's surprisingly effective, even in its early stages. After Creepy has finished its analysis, it reveals a map that pinpoints the location where the targeted user posted every geo-tagged tweet and every shared image. Clusters would logically indicate a person's residence or workplace."

Developer Ioannis Kakavas wrote that "creating Creepy was not to help stalkers or promote/endorse stalking. It was to show exactly how easy it is to aggregate geolocation information and make you think twice next time you opt-in for geolocation features in twitter, or hitting 'allow' in the 'this application wants to use your current location' dialog on your iPhone." It "can be a valuable tool for information gathering when social engineering is allowed during a penetration test."

Next let's look at th3j35t3r's "Non- Invasive and Non-Detectable WebServer Reconnaissance Scanner." FoxOne Scanner was described as "Bypassing API limitations and currently detecting 6500+ vulnerable server paths/files - without ever touching the target server. Very good for getting hold of intel on a given domain (example.com). The intel gained serves both as actionable in the sense that it could be directly used to help root a box, while at the same time giving a good overview of stuff that's present on the box and where it is within the directory structure."

 The Jester called CaseFile the less expensive little brother to Maltego. CaseFile "targets a unique market of 'offline' analysts whose primary sources of information are not gained from the open-source intelligence side or can be programmatically queried." The Jester wrote, "We see these people as investigators and analysts who are working 'on the ground', getting intelligence from other people in the team and building up an information map of their investigation."

According to th3j35t3r, the basic focus of the open-source intelligence and forensics application Maltego "is analyzing real-world relationships between people, groups, websites, domains, networks, internet infrastructure, and affiliations with online services such as Twitter and Facebook." He (or she) provided this example image of Maltego.

The company Paterva shows several screenshots and provides further explanations of what Maltego and CaseFile can do; both applications can be downloaded here.

We've looked at spooky data broker Spokeo when an abuse of privacy complaint was filed with the FTC, claiming that Spokeo sold inaccurate information and violated consumer protection laws. Spokeo aggregates data from online and offline sources, shows the searcher a few possible teasers and then charges to reveal the full digital probe into a person's real life including topics like "wealth."

We've also looked at the predictive analytics engine Recorded Future which trawls over half a million websites, Twitter feeds, YouTube, and blog posts, looking for 'future, past, or present' connections between people, groups, and events. Since the "basic" plan is free, I've played around with Recorded Future to see what potential future privacy-related topics the no cost option allows you to track. The Jester wrote, "The software analyzes sources and forms 'invisible links' between documents to find links that tie them together and may possibly indicate the entities and events involved."

That's the basic overview, the first in The Jester's battle chest tools series. These were all openly available OSINT tools that anyone, not just someone from an intelligence agency, can use to dig into your life. The Jester added, "Obviously there are 'other' proprietary tools I use and I won't be discussing those, so with respect to you all, please don't ask me."

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies