The growing numbrs of OSINT sources out there is mind-boggling, and most remain free or at least provide API keys free of charge for low query volumes. In this release, eight new modules have been introduced:
SecurityTrails (sfp_securitytrails): One of my favourite recent discoveries, SecurityTrails has truly a shedload of DNS and Whois data that any threat intelligence analyst, security analyst or investigator should look into. This module will query their API for IP addresses, domain names, e-mail addresses and owned netblocks to identify co-hosted sites, domains registered under the same e-mail address and more. An API key is required, however limited free usage is provided. Check out their blog post about the integration.
FullContact.com (sfp_fullcontact): FullContact.com has loads of data about people and companies. This module uses their API (API key required) to look up domain names, e-mail addresses and names in an attempt to identify further e-mail addresses and names, but also physical locations and phone numbers.
ARIN (sfp_arin): ARIN (American Registry for Internet Numbers) is similar to RIPE (for which SpiderFoot already has a module - sfp_ripe) in that they provide an API to query information about network ranges. But more interestingly from an OSINT perspective, you can query by first and last name, and likewise query by domain name to get affiliated names. This module will take any identified domain name and return a list of human names and ARIN registry data, which will then be scanned by other modules to idenify potential e-mail addresses and hostnames. It will also look up any names to identify potential relevant data.
Hacked-Emails.com (sfp_hackedemails): Similar to haveibeenpwned.com, hacked-emails.com provides a free service to identify e-mail addresses mentioned in data leaks. This module will query their API for any e-mail address identified during a scan.
Citadel.pw (sfp_citadel): As above, citadel.pw provides a way to search a large number of leaks for mention of an e-mail address, which is what this module will do. Thanks to citadel.pw - at - protonmail.com for this contribution and for providing a public API key free of charge!
CIRCL.LU (sfp_circllu): CIRCL.LU (Computer Incident Response Center, Luxembourg) provide a free, however upon-request API to query their rich database of historical SSL and DNS data. This module will take hostnames, owned netblocks, IP addresses and domain names and identify further IP addresses and hostnames, plus SSL certificates and co-hosts related to your target.
Quad9.net (sfp_quad9): Quad9.net aggregate a number of threat intelligence data sources and integrate them into their resolver, which anyone can point to (220.127.116.11). The resolver will not resolve anything malicious according to the data feeds they have integrated. This module will attempt to resolve identified hostnames, affiliates and co-hosts using 18.104.22.168, and if they fail to resolve there but do resolve using the configured resolver, will report them as malicious.
RiskIQ / PassiveTotal (sfp_riskiq): RiskIQ provide a threat intelligence platform with an API (API key required) to query their passive DNS and other data. This module will query their API for any hostname, IP address, domain name or e-mail address identified, and return owned netblocks, further IP addresses, co-hosted sites and domain names also registered by the provided e-mail address (reverse Whois).