osint

SecurityTrails Blog · Dec 13 2018 · SecurityTrails team

Top 10 Popular OSINT Facebook Tools

We hope you enjoyed the article we wrote about OSINT a while back, which explored the meaning of the term, the history behind the concept and the ease with which one can use it — even without knowing too much about it. We also explored the most popular OSINT Tools you can use on any information security investigation.

Social networks are indeed a big part of any OSINT investigation. They can reveal useful information about individuals, what they look for, how they do it, what they like and many other personal details.

But OSINT Facebook data-gathering doesn’t stop with tools that show you only information about Facebook profiles. Today we’ll show you the best OSINT utilities that not only gather information about Facebook public data but also dig a little bit deeper under the surface — so keep reading.

Let’s start with the best online tools to help you get the most out of Facebook intel gathering.

NetBootCamp

NetBootCamp is a great tool for searching different strings within Facebook.

It allows you to generate requests inside Facebook from a simple web-based interface. It will build the query URL for you so you can examine all the details.

In the following examples, we launched a couple of queries using their web interface, which is just a simple front end for common Facebook operations but simplified to help you choose your search without any complications.

NetBootCamp

This interface and its options will generate a request that looks like this:

  • https://www.facebook.com/search/str/John+M+Smith/users-named/
  • https://www.facebook.com/search/people?q=johnsmith%40gmail.com
  • https://www.facebook.com/search/str/London/pages-named/home-residents/

For most requests, you need to have a fully activated Facebook account. You can also choose to search for details about the profile, photos, videos and much more.

Maltego

Whether you’re performing an investigation on an organization or an individual, Maltego is an essential OSINT Facebook utility. This excellent software will show you how exposed you are on the Internet.

Maltego can easily help you correlate and find links between individuals, organizations, geolocations, addresses, emails and phone numbers.

In Facebook’s case, Maltego offers numerous modules (known as “transforms” within the Maltego community) to investigate social profiles. The most popular ones would be SocialLinks or SocialNet, which are commercial OSINT Facebook modules.

Maltego

This app is available for Windows, Linux, and Mac OS. Java 1.8 or greater is the only requirement.

Creepy

Creepy is a very powerful (and powerfully creepy, as its name implies) geo-location OSINT Facebook tool that will empower you to get the exact geolocation of any person in the world.

How does it work?

Creepy launches queries against different social networks like Facebook, Twitter, etc., to see if anyone has uploaded an image with the geolocation feature activated. If it finds one, then this software will geolocate that person.

It allows you to export the results in KML or CSV formats. See it live in action in this video:

FB People Directory

FB People Directory is a native tool built by Facebook so you can, as its name suggests, search their people directory. It’s super useful and one of the easiest tools to use when you’re looking for someone.

The directory will show you the full list of Facebook members worldwide, where you can filter the results by first or last name.

FB People Directory

Search is Back

Search is Back is a similar tool to NetBootCamp, as it allows you to search for people and events on Facebook — but it also lets you search by location, relationships, gender, job title, language spoken, and other details.

Search is Back

StalkScan (known as Facebook Scan)

StalkScan follows on the same line as the tools listed previously but has a nice, wide interface with a lot of options. The bad thing is, most of the queries use old Facebook URLs that no longer work.

But you can still get some details — for this test, we grabbed Kevin Mitnick’s profile URL: https://www.facebook.com/kmitnick007

Then we ran some tests, and some of the functions were working as expected. For example, getting photos of this user ID from the current year 2018 generated this URL:

  • https://www.facebook.com/search/818300009/photos-by/2018/date/photos/intersect

StalkScan

The same goes with his 2018 videos and stories:

  • https://www.facebook.com/search/818300009/videos-by/2018/date/videos/intersect
  • https://www.facebook.com/search/818300009/stories-by/2018/date/stories/intersect

Facebook Live Map

Facebook Live Map is an interactive global map function that comes with Facebook by default. Using the URL gives you the ability to watch live streaming videos from anywhere in the world.

In this case, we were able to grab some locations where live transmissions are being streamed right now.

Facebook Live Map

If you zoom in and click on one of the blue dots, you’ll be able to see who’s streaming the video, the transmitted content and its exact location.

Facebook Email Search is a simple URL that lets search for any Facebook profile by using an email address. The resulting URL will be something like:

https://www.facebook.com/search/top/?q=email%40gmail.com

You can replace this with any email you know to confirm whether it belongs to the person you suspect.

For example, we searched for the email address morrison@pucc.princeton.edu, and we discovered that it belongs to the famous Pulitzer Prize winner Toni Morrison. A Facebook page associated with that email appears as the first result.

Facebook Email Search

Facebook Sleep Stats

Facebook Sleep Stats is an interesting app that was built not to fetch email, location or other common details, but to exploit a Facebook security flaw that lets you keep track of any online or offline profile status. Thanks to this utility, you’ll know when they connect and disconnect, information that can generate a pretty accurate image of their sleep pattern.

Watching how it works will give you a general idea about the potential privacy implications of modern social media, information that’s largely unfamiliar to the average non-technical person:

This application makes it possible to get a full list of Facebook users IDs, along with timestamps of their most recent online activity:

"lastActiveTimes": {  
"3443534": 1456065265,  
"675631492": 1456066386,  
"8657643": 1456062331,  
}

The above data can later be translated into human readable date and time information, such as “John Doe was last active on Dec 03 2018 12:50:22.”

The only requirements to get it running are Node.js and Git.

SecurityTrails

While all these tools can be helpful for gathering details about social profiles from individuals, there is much more to gathering OSINT Facebook data. We’re talking about investigating Facebook and all of its domains, servers, IPs and its SSL infrastructure from a single place.

Our passive DNS technology allows you to investigate everything you can imagine about any organization or company in the world, way beyond a simple citizen profile. Let’s see it in action for facebook.com

  • Move to https://securitytrails.com
  • Enter facebook.com in the first text bot
  • A full interface with all facebook.com-related details will appear, as shown below:

Facebook DNS

As you can see, you’ll be able to grab numerous details from the Facebook.com domain name, which includes current DNS records from A, AAA, TXT, MX, SOA, and CNAME.

By querying our passive DNS API you’ll also be able to grab the entire Facebook DNS History, ordered by date or value, as seen here:

Facebook DNS History

This DNS history is also available for the rest of the AAA, MX, NS, SOA and TXT records. But our intel information about Facebook.com doesn’t end there. SecurityTrails technology lets you explore the entire list of Facebook subdomains from the same web interface:

Facebook subdomains

In this example, we filtered the exact 2,056 results to match any subdomain that contains the word “edge.” There many more filters and options to explore in our DSL documentation. You can also order the results by hosting provider or by WHOIS historical records.

By using our passive DNS API, you can fetch those details along with:

  • WHOIS History
  • Associated Domains
  • IP Subnet
  • PTR Search
  • Open Ports

A tremendous advantage is the ability to integrate our API with your apps, using popular programming languages such as PHP, Node, Ruby, JavaScript, and Python.

You can even launch manual requests using curl command, as you see below:

curl –request GET –url https://api.securitytrails.com/v1/history/twilio.com/whois –header ‘apikey: >’

Furthermore, our recently launched SurfaceBrowser product enables you to integrate all these great tools into one single powerful interface, now one of the best sources available for your OSINT Facebook investigation.

Conclusion

No company is immune from getting spied on or analyzed, and the fact that Facebook is one of the most popular social networks in use makes it an easy target in the infosec market.

The good thing is there are ways to protect yourself. Now you know the right OSINT Facebook tools to analyze not only individuals but your own organization or company, helping you prevent exposing too many details about your online domains and internet infrastructure.


Have you tried SurfaceBrowser, our rock star product that offers WHOIS live data from all the popular domain names, as well as historical WHOIS records?

Schedule a SurfaceBrowser Demo

SecurityTrails strives to be the biggest cybersecurity treasure trove available, so you can easily use it as your #1 OSINT tool to audit your domain names, subdomains, IP addresses, SSL certificates and much more. Start testing our fabulous API by opening a free account today.

If you need anything you don’t see here yet, get in touch with us. We can build a wide range of custom solutions to match your needs!