The skills and tools for collecting, verifying and correlating information from different types of systems are essential when tracking down hackers. This book explores Open Source Intelligence (OSINT) gathering inside out from multiple perspectives, including those of hackers and seasoned intelligence experts. OSINT refers to the techniques and tools required to harvest publicly available data concerning a person or an organization. Drawing on several years of experience tracking hackers with OSINT, the author weaves a classic plot-line around the hunt for a threat actor. While taking the audience through this investigative drama, the author conveys in-depth knowledge of state-of-the-art OSINT tools and techniques. Technical readers will want a basic understanding of the Linux command line in order to follow the examples, but a reader with no Linux or programming experience can still gain a lot from this book through the commentaries.
This book's unique digital investigation proposition is a combination of story-telling, tutorials, and case studies. The book explores digital investigation from multiple angles:
Through the eyes of the author, who has several years of experience in the subject.
Through the mind of the hacker, who collects massive amounts of data from multiple online sources to identify targets as well as ways to hit them.
Through the eyes of industry leaders.
This book is ideal for:
Investigation professionals, forensic analysts, and CISO/CIO and other executives wanting to understand the mindset of a hacker and how seemingly harmless information can be used to target their organization.
Security analysts, forensic investigators, and SOC teams looking for new approaches on digital investigations from the perspective of collecting and parsing publicly available information.
CISOs and defense teams will find this book useful because it takes the perspective of infiltrating an organization from the mindset of a hacker. The commentary provided by outside experts will also provide them with ideas to further protect their organization's data.
Last month, I reviewed Tribe of Hackers Security Leaders: Tribal Knowledge from the Best in Cybersecurity Leadership, and referenced the classic hacking series Hacking Exposed: Network Security Secrets & Solutions by Stuart McClure, Joel Scambray and George Kurtz.
Obviously, hacking tools and techniques have changed tremendously over the past 20 years. In Hunting Cyber Criminals: A Hacker's Guide to Online Intelligence Gathering Tools and Techniques, Vinny Troia has written a splendid guide to hacking, with a focus on its investigative techniques.
Troia is well-known in the security world and has a habit of finding massive sets of highly confidential data in highly unsecured locations. From All American Entertainment to Exactis and others, Troia has found large buckets of unsecured data in the cloud.
The book goes through not only a vast amount of hacking tools, but it also details how to use them to perform a thorough investigation. The goal is not to simply download the most tools and run them; instead, it is to use them in a structured manner to perform effective intelligence gathering and investigations.
Troia also details his mission to discover the real-life identity of The Dark Overlord (TDO). TDO was an international hacker group that targeted high-profile victims and threatened to release embarrassing data and pictures unless it was paid. If the victims didn't pay, TDO put the data up for sale and also shared it via numerous forums.
As I write this, there are tens of thousands of brilliant scientists working to find a cure for COVID-19. But there might be just as many attackers attempting to use COVID-19 as a means to launch attacks. From phishing emails, malicious COVID-19 information websites with malware and more, hackers are using the current crisis to further their goals.
For those who have been victims of such attacks, the book shows numerous ways, and details many tools, to uncover clues that identify who the attackers were.
From a more proactive perspective, the book shows the many ways in which to test systems, identify data flow, test web applications and more to ensure that vulnerabilities are fixed before they can be exploited.
Rather than rely on his own expertise alone, Troia includes many expert tips from industry luminaries such as Chris Roberts, Troy Hunt, Chris Hadnagy and others. With these tips, the experts show how to use the specific tools more effectively and avoid many of the pitfalls they first ran into.
I have always disliked webinars and articles with titles such as To Beat a Hacker, You Have to Think Like a Hacker and How to Think Like a Hacker. The truth is that most people simply do not know how to think like a hacker. That is not their fault; they also don’t know how to think like a neurosurgeon or civil engineer. With that, Hunting Cyber Criminals, in fact, does a great job of showing how it is possible to think like a hacker, except a white hat in this case. And you want to do that to make sure you do not become a victim of a black hat.
A useful guide to using OSINT tools and techniques to investigate threat actors, explaining how to collect data about files and people from networks and websites. The book is structured around the dramatic story of Troia's multi-year investigation into The Dark Overlord (TDO) threat actor group and includes chat excerpts and screenshots. The many tools covered are a mix of free and paid, and Troia says you generally get what you pay for. He's a big fan of Maltego, but doesn't cover it in this book because, he says, so many other books already do.
This isn't a book for beginners; Troia expects you to keep up without giving much explanation for novices.
Cryptocurrency data to research:
• Number of transactions
• Value received over time
• Current value
• Date of 1st transaction
• Date of last transaction
• Transaction patterns
Certificate Transparency and Internet Archives
Certificate Transparency makes TLS certs publicly viewable. You can use it to find subdomains and related domains.
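The note above is the whole of what the page says about Certificate Transparency, so here is an added example (not code from the book, and not crt.sh's own code) of what the data looks like once you pull it: records in the JSON shape crt.sh returns, one per certificate, with every name on the certificate in `name_value` separated by newlines. The parser de-duplicates renewals, normalises case, separates wildcard entries from concrete hostnames, and sets aside names from other domains that happen to share a SAN certificate. The second function is the defender's use of the same data: flag any name that has a certificate but is missing from your asset inventory. The records and the inventory are constructed sample data, not real log entries.

```python
"""Extract the hostnames a Certificate Transparency search reveals for a domain.

Added example, not code from the book or from crt.sh. The records below are
constructed sample data in the style of
https://crt.sh/?q=%25.example.com&output=json (fields trimmed).
"""
import json

SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\ndev.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "VPN.Example.com",                 # mixed case is normalised
     "name_value": "VPN.Example.com\nmail.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",     # renewal: same names again
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",     # shared-hosting SAN cert
     "common_name": "cdn.example.com",
     "name_value": "cdn.example.com\nshared-host.other.net\nstatic.other.net"},
])


def parse_ct_records(ct_json, domain):
    """Return de-duplicated, lower-cased names grouped by how they relate to `domain`."""
    domain = domain.lower()
    suffix = "." + domain
    hosts, wildcards, out_of_scope = set(), set(), set()
    for record in json.loads(ct_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if not name:
                continue
            if name != domain and not name.endswith(suffix):
                out_of_scope.add(name)       # other domains on the same certificate
            elif name.startswith("*."):
                wildcards.add(name)          # a wildcard hides the hosts beneath it
            else:
                hosts.add(name)
    return {"hosts": sorted(hosts),
            "wildcards": sorted(wildcards),
            "out_of_scope": sorted(out_of_scope)}


def unexpected_hosts(ct_json, domain, inventory):
    """Names with issued certificates that are absent from the asset inventory.

    This is the defender's reading of CT: a certificate issued for a name you
    do not recognise is worth investigating.
    """
    known = {name.lower() for name in inventory}
    found = parse_ct_records(ct_json, domain)
    return [n for n in found["hosts"] + found["wildcards"] if n not in known]


if __name__ == "__main__":
    summary = parse_ct_records(SAMPLE_CT_JSON, "example.com")
    for key, names in summary.items():
        print(f"{key}: {', '.join(names) or '-'}")
    inventory = ["example.com", "www.example.com", "mail.example.com"]  # constructed
    print("not in inventory:", unexpected_hosts(SAMPLE_CT_JSON, "example.com", inventory))
```

Two things the output makes visible that the raw search does not: a wildcard entry means CT cannot tell you which hosts exist under it, and names from unrelated domains on a shared certificate say something about the hosting provider, not about the organisation being researched.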
Iris by DomainTools
DomainTools Iris (paid): the most comprehensive historical domain registration search tool; a full threat intelligence and investigation platform focused on providing context on threats through domain registration and passive DNS data.
To more accurately geolocate IP addresses, do a traceroute on the IP address of the target, take the IP address of the last routing hop, and geolocate that IP address instead.
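The tip above is a one-liner in the notes, and the awkward part in practice is deciding which hop counts as "the last routing hop" when some hops time out or the destination never answers. This added example (not code from the book) parses the text that Linux `traceroute` prints, skips timed-out hops (`* * *`), and returns the last responding hop that is not the destination itself, then shows the naive and refined geolocation answers side by side. The traceroute output and the geolocation table are constructed sample data; real lookups would come from a geolocation database.

```python
"""Pick the last routing hop from traceroute output for IP geolocation.

Added example, not code from the book. SAMPLE_TRACEROUTE is constructed
output in the format of `traceroute 203.0.113.50` on Linux; SAMPLE_GEO is a
hypothetical stand-in for a geolocation database.
"""
import re

SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.50 (203.0.113.50), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.102 ms  0.987 ms  0.951 ms
 2  10.20.0.1 (10.20.0.1)  8.412 ms  8.377 ms  8.301 ms
 3  * * *
 4  198.51.100.9 (198.51.100.9)  24.120 ms  24.003 ms  23.911 ms
 5  198.51.100.77 (198.51.100.77)  31.552 ms  31.498 ms  31.420 ms
 6  * * *
 7  203.0.113.50 (203.0.113.50)  39.876 ms  39.801 ms  39.744 ms
"""

# Constructed, hypothetical lookup results keyed by IP address.
SAMPLE_GEO = {
    "203.0.113.50": "Country A (address block registered to the hosting company's HQ)",
    "198.51.100.77": "Country B, City X (transit router)",
    "198.51.100.9": "Country B, City Y",
}

HEADER_RE = re.compile(r"^traceroute to \S+ \((\d{1,3}(?:\.\d{1,3}){3})\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def target_ip(text):
    """Destination address from the traceroute header line, or None."""
    m = HEADER_RE.match(text.lstrip())
    return m.group(1) if m else None


def parse_hops(text):
    """[(hop_number, responder_ip or None), ...] in order; None means timeout."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                       # header or blank line
        ips = IP_RE.findall(m.group(2))    # first responder if several answered
        hops.append((int(m.group(1)), ips[0] if ips else None))
    return hops


def last_routing_hop(text):
    """Last hop that answered and is not the destination itself."""
    dest = target_ip(text)
    for _, ip in reversed(parse_hops(text)):
        if ip is not None and ip != dest:
            return ip
    return None


def refined_location(text, geo=SAMPLE_GEO):
    """Compare the naive (target) and refined (last hop) geolocation answers."""
    dest, hop = target_ip(text), last_routing_hop(text)
    return {"target": dest, "target_geo": geo.get(dest, "unknown"),
            "last_hop": hop, "last_hop_geo": geo.get(hop, "unknown")}


if __name__ == "__main__":
    for key, value in refined_location(SAMPLE_TRACEROUTE).items():
        print(f"{key}: {value}")
```

The same function also copes with a destination that never replies (a trace ending in `* * *`): it still returns the last router that did answer. Keep in mind that the result places the provider's transit router, not the target host's physical site, so treat it as a clue to correlate with other sources rather than a final answer.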
Profile Tracking and Password Reset Clues
To track a threat actor, create a spreadsheet with three sheets/tabs: accounts (website accounts), verifications (password reset and verification question information), and dumps (data from password dumps and other hacked data).
Passwords, Dumps, and Data Viper
https://snusbase.com: thousands of data dumps of major sites