If we’ve said it once, we’ve said it a thousand times: OSINT is an attacker’s best friend. There are a plethora of tools out there that we use everyday as pentesters to accomplish our tasks. For those of you starting out in the field, or are hobbyists, you probably have virtual machine with Kali Linux installed. Kali is a great pentesting tool, the best part about it is it comes with all of the tools we need pre-installed. This is fantastic, the worse part about building a new attack VM is installing every tool and configuring them correctly. Wouldn’t it be great if there was a prebuilt VM that was tailored specifically for OSINT? Well we are in luck! OSINT expert, Michael Bazzell, David Westcott have released Buscador which will satisfy all your OSINT needs.
Buscador is built on Ubuntu GNOME and is available for download in both iso and ova formats. Out of the box it comes preloaded with:
- Maltego CE
- FireFox – with add-ons
- Incognito Chrome – with extensions
Those are just a few of the tools available. This VM is really geared towards online investigation and passive information gathering, as opposed to penetration testing. A majority of the tools are meant for gathering as much information on a specified target as possible. Most of these tools we are familiar with, like Recon-NG and theHarvester. These two in particular help us find users and footprint an organizations’ web presence. However there are a couple of tools/features I would like to highlight that are useful for individual targets and passive web recon.
The first tools I’ve had some fun with are Tinfoleak and Twitter Export. It’s no secret that we as a society overshare on social media. With both of these Twitter focused tools, you can provide a username and they will pull down all the Twitter information related to the target. What would be good to have from a users Twitter account? How about any images they’ve tweeted or uploaded?
Awesome, we can go through all of the images and get an idea of the targets personality and their interests. But what else can we find?
Even better, the applications they use to actually tweet. This is a great insight into what products they use and even their hobbies.
Another great strength of Buscador are the custom Firefox and Chrome extensions.
To lead things off there are some extensions that allow you to manipulate how you are browsing. First there is Disconnect which acts as a web browsing proxy, allowing you to keep any searches you make private. Not only great for maintaining stealth when touching client websites, but useful for protecting your browsing data from other websites and ISPs. Next we have User-Agent Switcher which does exactly what it says. This extension provides will a list of different user agents, allowing you to switch between them; obfuscating what device/browser you are actually using.
One thing as pentesters we need are screenshots to highlight and annotate our findings. There are couple of extensions that do just that in browser, but my favorite is Lightshot. Lightshot allows you screenshot the area of your choosing within the browser, but also allows you the draw and add text prior to saving it.
Finally to round out the extensions we have shodan and ipinfo.io. These two extension offer some great information on the specific webpage you are currently viewing. Shodan is great for viewing what ports and services are available. Ipinfo.io will get the site’s public IP address and the geolocation associated with it.
Now some of you may be reading this and thinking: “All of this is cool, but I already have a Kali Linux VM. What’s the difference? And is there value in having both?”. And this is a valid question, so let us take a look at both.
There are a few tools that Kali has that Buscador lacks, such as:
- John the Ripper
These tools are missing from Buscador but the commonality they all share is that they are tools generally used after OSINT, the actual penetration test. Kali’s strength is being an out of the box pentesting machine, so anyone can essential plug in and begin hacking away. It has some OSINT tools like theHarvester, Recon-NG, and Maltego, but it only scratches the surfact of the OSINT world.
Buscador’s main focus is gathering information on individuals and domains. Where Kali may fall short with intelligence gathering, Buscador would pick up the slack. Of course the inverse of that is where Buscador falls behind in penetration and exploitation, Kali excels.
So, is there value in having both of these VMs? My answer to this is: If you starting out in this field, yes. For those of us who know what tools do what and which we prefer to have on an engagement, probably not. .
For those of you that may be new to security or OSINT, Buscador is a great way to get your feet wet. With all of the necessary tools preinstalled, you can download and go. However, where it lacks is actually having exploitation tools like Metasploit. Exploitation is not one of the things this VM is meant to do though. Both Kali and Buscador have their strengths and serve their purpose. Use both of these VMs to get a feel of what you like to use, and then odds are you will build your own machine to have exactly what you like and need.