Useful sites and tools for an Investigation


Lets say that we are investigating a company as a part of an assessment, during this recon process we must use anything available on internet (Surface Web, DeepWeb or DarkWeb). This includes free tools and sites, but also if you can/want use paid services, is up to you. Just remember, we are to good guys, so don’t cross the line.

But don’t worry, we are smart enough and we know how to perform and intelligence analysis ¿ok?

When I investigate a company with no previous information provided by them, I usually begin with the Domain and web services. You will probably know the organization’s name, domain and/or at least one email account. If not, you can start with Google/ DuckDuckGo 🙂

With this simple piece of information we can start scanning the domain, looking for anything useful like registered IP addresses, open ports, outdated protocols or vulnerable technologies :


We could also use tools like Nmap or Rustscan to validate around the same information, but FYI: this kind of tool might raise alerts on the IDS/Firewalls and/or perimeter security tools. Anyway…you can install them easily on Windows, Linux, etc systems:


If we go one step further, we can use vulnerability scanners like Nessus from Tenable or you can choose an open-source tool like Nikto, which is a web server scanner. Even if they’re oriented to Pentesting or Vulnerability Assessments, they can also be used during the Recon phase to obtain information on the target’s vulnerabilities. As a especial mention, you can add to your browser (Firefox) this amazing extension called Wappalyzer which basically can detect most of the technologies used on a website. Going back to the recon idea, what better tool to be mentioned than Recon-ng:


And let’s not forget those sites that could put some light on old incidents or linked/related threats to an organization, Virustotal and JoeSandbox:


Lets say we want to start digging into available email accounts for domain users, along with the names they belong to, also maybe even some aliases for different sites. Here I introduce TheHarvester and Sherlock, two open source tools that conducts search-and-gathering through all kind of social networks and search engines:


When we try to analyze the email accounts that we were able to gather, we would find quite a good list of sites that will provide us with very useful information. Simple Email Reputation website can analyze the records for the account’s domain, the blacklist state, along with possible password breaches. Talking about leaks, here we can use another very simple and useful site called ‘;–have i been pwned?, which basically tells you on which known leak shown up the account. On the same line, you can use a paid resource like DeHashed which will tell you not only if it was leaked or when, but also the extracted passwords and hashes. Another site where sometimes we can find information is the most known pasting site: Pastebin.


Lets put something stronger in your plate: Maltego is an intelligence tool used to conduct open source investigations and centralize the information gathering trough different sources (both free and paid versions are available). This tool is a little bit more complex than the ones we already mentioned, but it worthwhile the learning process. You need to create a free account at the Maltego website and once you have downloaded it, you must login to use it. You need to configure the “Transforms” that integrate different platforms. Some of them are paid, and others are free, but in any case, you will need to create an account to connect with your private API (E.g. SHODAN, AlienVault, VirusTotal, etc.):


Lets continue in the same line of thought, now, the next tool is a bless for the ones we like to analyze metadata. FOCA Pentest is a metadata gathering tool that allows you to search for around 20 different type of extensions (you can customize this). After you found them, you will be able to download them in a directory, extract the metadata and even analyze them for possible infection.


Now, let’s imagine that among the information that you recollected, you got with some PCI/USB device information. Here’s a very awesome site that will let you ‘hunt‘ any possible intel about the device: DeviceHunt. Now, if you find a different type of information like possible SSIDs, Wi-Fi names, and/or any network information, you should definitely check WIGLE:


A quick tip and trick, very useful when we need to find something, someplace or someone through a photograph is to reverse search through images with search engines. We can Use Google Images, Yandex or another great website Tineye:


The last ones for today, since we could continue for a while. If we collected personal information and around this we get Twitter accounts, we can use a geolocation website called BirdHunt to try to find the location of the account’s owner. Continuing with Twitter, we can monitor it’s activities and perform tag/hashtag searches using another great website: TweetDeck. As a last mention, another geolocation tool, but this time for YouTube accounts is the website YouTube Geofind:


That’s it for today, I will probably do a second part for this, especially because I left out all the DarkWeb stuff. The reason for that is that we need to take extra precautions around it, so you should not just go on your own visiting DarkWeb sites. Next time!

Threat Intel

The APT that hunts other APT’s: “APT49”, “BlueHornet”, “AgaintsTheWest”

This amazing picture is from the genius Valentin Tkach

Around October of the past year, a new group who self-procalimed BlueHornet aka AgainstTheWest shown up at forums like the already dead RAID Forums (This was a well-known site to share information about security breaches, leaks, but also to sell drugs, personal data, etc. The owner of the site was captured at the United Kingdom the 21st of January).

More recently, at the successor of the RAID forums, a website called Breached.co, this Actor shown up again with the following account:

He got banned from the site by the admins on March 18, but he created a new account the same day, which is the one we can see on the previous picture.

¿What’s the peculiarity about this group? ¿What makes them so different from the rest?

Their motivation is quite interesting if you allow me to be said. They act as Hacktivist pursuing mainly other Threat Actors’ information (but not exclusively). So far, their focus has been groups from China (Including China’s Banks), Russia, Iran and North Korea. Profs, so far, points them to be from North America or at least from the OTAN block. Though this doesn’t mean this is a state-sponsored group, quite contrary, since they submitted quizzes on their Twitter account asking people to vote for potential targets, and they are self-proclaimed hacktivists and journalists, among other things.

¿Which communication platforms they use?

So far, we have seen publications related to all their leaks on Twitter, Telegram, and the previously mentioned site Breached.io. They also have a Github repository called AgaintsTheWest.

¿What’s the information leaked about the other APTs and which ones?

The information published at Breached.io was related to some members of the Threat Actors Known as APT3, APT28, APT38 and APT40.

We have to clarify that part of this information was already known by the Feds, but wasn’t public.

APT3: Gothic Panda

Introduction from MITRE ATT&CK

APT3 is a China-based threat group that researchers have attributed to China’s Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.

In 2017, MITRE developed an APT3 Adversary Emulation Plan.

Member Information:

APT28: Fancy Bear

Introduction from MITRE ATT&CK

APT28 is a threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Member Information:

APT38: Lazarus Group

Introduction from MITRE ATT&CK

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Member Information:

APT40: Leviathan aka Kryptonite Panda

Introduction from MITRE ATT&CK

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security’s (MSS) Hainan State Security Department and an affiliated front company. Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.

Member Information:

Potential Allies

Intrusion Truth
-Belarusian Cyber Partisans
-Anonymous Taiwan

Giving closure to this

Recently, the group stated on its Telegram account that it would stop its activities, pursuing a “normal life” for all its members. Nonetheless, their account remains active and is being used at the Breached Forum.

Im, sure there’s probably a more complete inform our there. Still, I hope this information will be helpful for other Cybersec Researchers, Threat Intelligence Analysts, and SOC Analysts in the wild.

If you find this information useful or you liked it, feel free to add a comment 😉

See ya’ space cowboy…