MONITORING YOUR DOMAINS, EMAIL AND BRAND.

An important function of any cyber security team is monitoring their company's external assets for any signs of breaches, attacks or suspicious activity. There are many paid tools to do this; however, they can be expensive. Instead, here I am going to show you free, open source tools you can use to monitor your domains, emails, keywords and much more.

Before I get into this, none of these tools are mine, and I have not contributed to any of them. Thanks go to the Author/s of these fantastic tools, names mentioned below.

WATCHER

I’m going to start this list with Watcher Threat Reporting, which was developed by the Thales Group CERT.

So, what are the main features of this tool?

It is a Django and React JS automated platform which can discover threats targeting your organisation, such as:

  • Detect keywords in Pastebin and other similar sites.
  • Detect suspicious domain names using dnstwist.
  • Monitor malicious domains using TLSH.
  • Export IOCs to create events on MISP and cases on TheHive.

It can be set up incredibly quickly using docker, see the guide here. This guide also has useful usage tips and tricks.
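The keyword detection Watcher performs against Pastebin-like sources comes down to running an organisation's watch-list over each new paste. The following is an added example of that check, not Watcher's own code; the domain, keywords and paste texts are constructed. It flags pastes that mention the company's addresses or keywords and counts "address:secret" lines so a credential dump scores higher, without retaining the secrets themselves.

```python
"""Scan paste text for an organisation's keywords, e-mail addresses and
credential-dump lines. Added example, not Watcher's own code; the domain,
keywords and pastes below are constructed."""
import re


def build_patterns(domains, keywords):
    """Compile case-insensitive patterns for the watched domains and keywords."""
    dom = "|".join(re.escape(d) for d in domains)
    email_re = re.compile(rf"\b[a-z0-9._%+-]+@(?:{dom})\b", re.I)
    # "address:secret" lines typical of credential dumps; only counted, never stored
    cred_re = re.compile(rf"^\s*[a-z0-9._%+-]+@(?:{dom})\s*[:;|]\s*\S+", re.I | re.M)
    kw_re = None
    if keywords:
        kw_re = re.compile(r"\b(?:" + "|".join(re.escape(k) for k in keywords) + r")\b", re.I)
    return email_re, cred_re, kw_re


def scan_pastes(pastes, domains, keywords):
    """Return one finding per paste that mentions a watched address or keyword."""
    email_re, cred_re, kw_re = build_patterns(domains, keywords)
    findings = []
    for paste_id, text in pastes.items():
        emails = sorted({m.lower() for m in email_re.findall(text)})
        cred_lines = len(cred_re.findall(text))
        kws = sorted({m.lower() for m in kw_re.findall(text)}) if kw_re else []
        if not (emails or kws):
            continue
        findings.append({
            "paste_id": paste_id,
            "emails": emails,
            "credential_lines": cred_lines,  # count only: the secrets are not retained
            "keywords": kws,
            "severity": "high" if cred_lines else ("medium" if emails else "low"),
        })
    return findings


# Constructed pastes standing in for a Pastebin scraping feed.
PASTES = {
    "p1": "dump from acme corp\nalice@acme.example:hunter2\nBob@acme.example|qwerty\n",
    "p2": "random pastebin content about python lists and dicts",
    "p3": "Acme internal VPN notes\nhost vpn.acme.example\nuser svc-monitor\n",
}

if __name__ == "__main__":
    for finding in scan_pastes(PASTES, ["acme.example"], ["acme corp", "acme internal"]):
        print(finding)
```

Keeping only the count of credential lines, rather than the matched lines, means the alert record can be forwarded to a ticketing system such as TheHive without copying leaked passwords into it.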

OPENSQUAT

Next up, openSquat – Domain Squatting and Phishing Watchdog created by Andre Tenreiro.

So, what are the main features of this tool? (There’s a 40 second demo here)

The tool focuses on identifying cyber squatting threats to specific companies or domains, such as:

  • Phishing campaigns
  • Domain squatting
  • Typo squatting
  • Bitsquatting
  • IDN homograph attacks
  • Doppelganger domains
  • Other brand/domain related scams

There is also a simple version of openSquat available at phishydomains.com. However, this is only a light version with a 24 hour search and is missing various features.

The Installation / Upgrade steps are as follows.

  • Make sure you have Python 3.6+ and pip3 in your environment
  • git clone https://github.com/atenreiro/opensquat
  • pip install -r requirements.txt
  • Then to upgrade your current version type git pull followed by pip install -r requirements.txt
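To make the squatting categories above concrete, here is an added example of how a lookalike generator of the kind openSquat and dnstwist use can be run against a feed of newly observed domains. It is not openSquat's own code; the brand domain, the confusable map and the feed are constructed. Each candidate is labelled with the technique (bitsquat, typo or homoglyph) that produced it so an analyst knows why a hit fired.

```python
"""Generate lookalike candidates for a brand domain and match them against a
feed of newly observed domains. Added example, not openSquat's own code; the
domain and feed are constructed."""

# Small ASCII confusable map; real tools also cover IDN/Unicode homoglyphs.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "g": ["q"], "m": ["rn"], "w": ["vv"],
}
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def valid_label(label):
    """DNS label rules: 1-63 allowed characters, no leading or trailing hyphen."""
    return (0 < len(label) <= 63 and not label.startswith("-")
            and not label.endswith("-") and set(label) <= ALLOWED)


def bitsquat(label):
    """Flip each single bit of each character (a single-bit error in a client's memory)."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in ALLOWED and flipped != ch:
                out.add(label[:i] + flipped + label[i + 1:])
    return out


def typos(label):
    """Omission, repetition and adjacent transposition of one character."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                       # omission
        out.add(label[:i] + label[i] + label[i:])                # repetition
        if i < len(label) - 1:                                   # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)
    return out


def homoglyphs(label):
    """Single-character confusable substitutions."""
    out = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + sub + label[i + 1:])
    return out


def candidates(domain, extra_tlds=("com", "net", "org", "co")):
    """Map each lookalike name to the technique that produced it, across a few TLDs."""
    label, _, tld = domain.lower().partition(".")
    generators = [("bitsquat", bitsquat), ("typo", typos), ("homoglyph", homoglyphs)]
    result = {}
    for reason, gen in generators:
        for lab in gen(label):
            if not valid_label(lab):
                continue
            for t in {tld, *extra_tlds}:
                result.setdefault(f"{lab}.{t}", reason)
    return result


def match_feed(domain, feed):
    """Return feed entries that are lookalikes of domain, with the generating technique."""
    cands = candidates(domain)
    return {d: cands[d.lower()] for d in feed if d.lower() in cands}


# Constructed feed standing in for a newly-registered-domains or CT-log stream.
FEED = ["examp1e.com", "exmaple.net", "eyample.com", "unrelated.org", "example.com"]

if __name__ == "__main__":
    for name, reason in match_feed("example.com", FEED).items():
        print(f"{name:20s} {reason}")
```

Matching against a feed rather than resolving every candidate keeps the check quiet and repeatable; resolution and WHOIS lookups can then be reserved for the handful of names that actually appear.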

URLWATCH

Something a bit different next, urlwatch from Thomas Perl.

So, what are the main features of this tool?

Well, it is used for one purpose: monitoring changes on web pages and receiving a notification of the changes via email or other services. This is extremely useful for keeping track of web pages which you believe may be targeting your company via typo squatting or phishing; for example, you can receive a notification if the page is taken down or if the phishing page is updated.

Installation is simple if you have Python 3 and pip: you can install the latest version and its dependencies using the command pip3 install --upgrade urlwatch. Otherwise, the current version can be found here, or all versions here.

All documentation for the tool can be found here.
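The core of a page-change monitor is deciding what counts as a change: a phishing kit that reshuffles whitespace or rotates a script tag should not page anyone, while new visible text (a takedown notice, a new login form) should. The following is an added example of that comparison, not urlwatch's own code; the page snapshots are constructed. It extracts visible text, collapses whitespace, fingerprints the result and reports a unified diff when the text actually changed.

```python
"""Detect meaningful changes between snapshots of a monitored web page.
Added example, not urlwatch's own code; the snapshots are constructed."""
import difflib
import hashlib
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping the contents of <script> and <style>."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def normalise(html):
    """Visible text with whitespace collapsed, one text node per line."""
    parser = _TextExtractor()
    parser.feed(html)
    lines = [re.sub(r"\s+", " ", t).strip() for t in parser.parts]
    return "\n".join(line for line in lines if line)


def fingerprint(html):
    """Stable hash of the normalised text; equal for markup-only edits."""
    return hashlib.sha256(normalise(html).encode()).hexdigest()


def compare(old_html, new_html):
    """Return (changed, diff_lines); whitespace or script-only edits do not count."""
    old, new = normalise(old_html), normalise(new_html)
    if old == new:
        return False, []
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(),
                                "previous", "current", lineterm="")
    return True, list(diff)


def observe(state, url, html):
    """One monitoring pass: compare with the stored snapshot for url, then store this one."""
    changed, diff = compare(state.get(url, ""), html)
    state[url] = html
    return changed, diff


# Constructed snapshots of a suspected phishing page.
SNAPSHOT_A = ("<html><head><script>var t=1;</script></head><body>"
              "<h1>Sign in</h1><p>Enter your password</p></body></html>")
SNAPSHOT_B = ("<html><head><script>var t=2;</script><style>p{color:red}</style></head>\n"
              "<body>\n  <h1>\n   Sign in\n  </h1>\n  <p>Enter   your password</p>\n</body></html>")
SNAPSHOT_C = ("<html><body><h1>Sign in</h1>"
              "<p>This site has been suspended</p></body></html>")

if __name__ == "__main__":
    state = {}
    url = "https://phish.example/login"  # constructed URL
    for snapshot in (SNAPSHOT_A, SNAPSHOT_B, SNAPSHOT_C):
        changed, diff = observe(state, url, snapshot)
        print("changed" if changed else "no change")
        print("\n".join(diff))
```

In a real deployment the state dictionary would be persisted between runs (urlwatch keeps its own cache for this), and the diff lines are what you would attach to the email or chat notification.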

AIL-FRAMEWORK

AIL-framework (Framework for Analysis of Information Leaks) was created by CIRCL (Computer Incident Response Center Luxembourg). I recommend checking out all their work here.

So, what are the main features of this tool?

There are a lot of features (see the GitHub page for the full list); put simply, it is a framework to collect and analyse information leaks from Pastebin, similar sites and various other data sources.

Training documentation can be found here and there is also a HOWTO here.

Installation is simple. Ensure you have Python 3.6+ and are running a Debian or Ubuntu based distro and then type the following commands:

  • git clone https://github.com/ail-project/ail-framework.git
  • cd ail-framework
  • ./installing_deps.sh
  • cd ~/ail-framework/
  • cd bin/
  • ./LAUNCH.sh -l

If you are not running an Ubuntu or Debian system, there is a Travis file here.

OBLIVION

Oblivion Data leak checker created by Gustavo is up next.

So, what are the main features of this tool?

  • Scrapes Pastebin to check for data leaks.
  • Uses Google dorks to search Google for past data leaks.
  • Searches word lists on GitHub for passwords.
  • Searches the APIs of IntelX, Scylla and HaveIBeenPwned to check for leaked credentials.
  • Tells you if user data has been leaked before.

Results from the above can be sent to S3 buckets, Google Drive or via SSH. Notifications can also be sent via Telegram and email.

For installation and usage instructions, I recommend following the in-depth PDF from the creators. The installation will differ slightly, depending on whether you want to use the Oblivion Client (graphical) or Oblivion Server (mode with API functions).

H8MAIL

Last but not least, h8mail from kh4st3x.

So, what are the main features of this tool?

h8mail is an email OSINT and breach hunting tool using different breach and reconnaissance services, or local breaches such as Troy Hunt’s “Collection1” and the infamous “Breach Compilation” torrent.

It uses the following APIs (some free, some paid):

  • HaveIBeenPwned
  • Hunter.io
  • Snusbase
  • Leak-Lookup
  • Emailrep.io
  • Scylla.sh
  • Dehashed.com
  • IntelX.io

There are a few methods of installation; a guide can be found here.

A full wiki (basics, searching etc.) can be found here and there are some incredibly useful demos of the tool here.

I hope you found this article helpful. If you know any other tools like this, please tell me at my Twitter. I also really appreciate feedback there.

If you enjoy the content on this site and want to support me, please see https://www.buymeacoffee.com/blueteamblog
