OSINT & Recon Tool: Odin
Reading Time: 2 Minutes
Reading Time: 2 Minutes
OSINT & Recon Tool: Odin
ODIN
Observe, Detect, and Investigate Networks
Open Source Intelligence Gathering and Reconnaissance are the most important steps when it comes to Pentesting or Bug Bounty Hunting. Relying on an automated controlled technique is crucial to speed up the process of gathering, and focusing on the outcome.
ODIN by Chris Maddalena is Python tool for automating intelligence gathering, asset discovery, and reporting.
See Also: Complete Offensive Security and Ethical Hacking Course
What Can ODIN Do?
ODIN aims to automate the basic recon tasks used by red teams to discover and collect data on network assets, including domains, IP addresses, and internet-facing systems. The key feature of ODIN is the data management and reporting. The data is organized in a database and then, optionally, that database can be converted into an HTML report or a Neo4j graph database for visualizing the data.
ODIN performs this in multiple phases:
Phase 1 – Asset Discovery
- Collect basic organization information from sources like the Full Contact marketing database.
- Check DNS Dumpster, Netcraft, and TLS certificates to discover subdomains for the provided domains.
- Resolve domain and subdomains to IP addresses via socket connections and DNS records.
- Collect information for all IP addresses, such as ownership and organization data, from RDAP, whois, and other data sources.
- Lookup domains and search for IP addresses on Shodan to collect additional data, such as operating systems, service banners, and open ports.
- Check for the possibility of takeovers and domain fronting with the domains and subdomains.
Phase 2 – Employee Discovery
- Harvest email addresses and employee names for the target organization.
- Link employees to social media profiles via search engines and the Twitter API.
- Cross check discovered email addresses with Troy Hunt’s Have I Been Pwned.
See Also: New tool can uncover redacted, pixelated text to reveal sensitive data
Phase 3 – Cloud and Web Services
- Hunt for Office files and PDFs under the target domain, download them, and extract metadata.
- Search for AWS S3 buckets and Digital Ocean Spaces using keywords related to the organization.
- Take screenshots of discovered web services for a quick, early review of services.
Phase 4 – Reporting
- Save all data to a SQLite3 database to allow the data to be easily queried.
- Generate an HTML report using default SQL queries to make it simple to peruse the data in a web browser.
- Create a Neo4j graph database that ties all of the discovered entities (IP addresses, domains, subdomains, ports, and certificates) together with relationships (e.g. RESOLVES_TO, HAS_PORT).
At the end of all of this you will have multiple ways to browse and visualize the data. Even a simple Neo4j query like MATCH (n) RETURN n (display everything) can create a fascinating graph of the organization’s external perimeter and make it simple to see how assets are linked. The Neo4j wiki pages contain better query examples.
See Also: How ILOVEYOU worm became the first global computer virus pandemic