
sn0int

sn0int is a semi-automatic OSINT (Open Source Intelligence) framework combining reconnaissance automation with a package manager for OSINT modules. It is designed for security researchers, penetration testers, and investigators who need to gather and correlate publicly available information systematically.

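# Debian/Ubuntu: install sn0int from the project's APT repository.
# NOTE(review): confirm the repository URL and the signing-key fingerprint
# against the project's own install documentation before trusting them.

# Add GPG key
# Store the key in its own keyring rather than using `apt-key add`: apt-key is
# deprecated, and a key added through it is trusted for every configured
# repository instead of only this one.
sudo install -d -m 0755 /etc/apt/keyrings
# `gpg --dearmor` expects an ASCII-armored key; if key.gpg is already binary,
# save the download to the keyring path unchanged instead.
curl -fsSL https://apt.sn0int.com/key.gpg | \
  sudo gpg --dearmor -o /etc/apt/keyrings/sn0int.gpg
sudo chmod 0644 /etc/apt/keyrings/sn0int.gpg

# Print the fingerprint so it can be compared with the published one
gpg --show-keys /etc/apt/keyrings/sn0int.gpg

# Add repository, restricted to packages signed by that key
echo "deb [signed-by=/etc/apt/keyrings/sn0int.gpg] https://apt.sn0int.com/ stable main" | \
  sudo tee /etc/apt/sources.list.d/sn0int.list

# Install
sudo apt update
sudo apt install sn0int

# Verify
sn0int --version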
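# Arch Linux
sudo pacman -S sn0int

# Homebrew
brew tap kpcyrd/sn0int https://github.com/kpcyrd/sn0int
brew install sn0int

# Manual installation
# Download to a file first so the archive can be checked before anything is
# unpacked; piping curl straight into tar extracts whatever the server sent.
# -f makes curl fail on an HTTP error instead of saving the error page.
curl -fL -o sn0int-0.13.0-x86_64-apple-darwin.tar.gz \
  https://github.com/kpcyrd/sn0int/releases/download/v0.13.0/sn0int-0.13.0-x86_64-apple-darwin.tar.gz
# Replace the placeholder with a checksum obtained from the project
# (TODO confirm where the project publishes checksums or signatures).
echo "<EXPECTED_SHA256>  sn0int-0.13.0-x86_64-apple-darwin.tar.gz" | shasum -a 256 -c - &&
  tar -xzf sn0int-0.13.0-x86_64-apple-darwin.tar.gz &&
  sudo mv sn0int /usr/local/bin/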
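# Run sn0int in container
# The bind mount maps ~/.sn0int on the host into the container; quoting the
# path keeps it a single argument when $HOME contains spaces.
# NOTE(review): the image reference has no tag or digest, so it follows
# whatever the registry currently serves; pin one that has been reviewed.
docker run -it -v "$HOME/.sn0int:/root/.sn0int" kpcyrd/sn0int

# Create alias
# Single quotes defer $HOME expansion until the alias is used; the inner
# double quotes protect the expanded path.
alias sn0int='docker run -it -v "$HOME/.sn0int:/root/.sn0int" kpcyrd/sn0int sn0int'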
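# Build from source
# The steps are chained so a failed clone does not run cargo in the wrong
# directory. --locked builds with the dependency versions recorded in
# Cargo.lock instead of re-resolving them (assumes the repository commits a
# Cargo.lock; TODO confirm).
git clone https://github.com/kpcyrd/sn0int.git &&
  cd sn0int &&
  cargo build --release --locked &&
  ./target/release/sn0int --version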
# Project management.
# NOTE(review): subcommand names are reproduced as this page gives them;
# check them against `sn0int --help` for the installed version.

# Create new project
sn0int new target-company

# List projects
sn0int list

# Switch project
sn0int set-target target-company

# Export project
# The export holds everything collected for the project; keep the file out of
# shared or world-readable locations.
sn0int export-json target-company > export.json
# Module management.
# Modules are code fetched through the package manager and run locally, so
# the author and source of a module are worth checking before installing it.

# Search available modules
# NOTE(review): this page also uses `sn0int search` for searching project
# data further down; confirm which of the two the subcommand does.
sn0int search email

# Install module
sn0int pkg install sn0int/ipaddress

# List installed modules
sn0int pkg list

# Update modules
# Presumably replaces installed modules with the versions currently published;
# re-check modules that matter after an update.
sn0int pkg update

# Remove module
sn0int pkg uninstall sn0int/module-name
| Module | Purpose | Usage |
|---|---|---|
| ipaddress | IP and ASN lookup | Collect IP infrastructure info |
| domaininfo | Domain enumeration | Find subdomains and NS records |
| emailhunt | Email discovery | Locate email addresses |
| phonebook | Phone number lookup | Gather contact information |
| geoip | Geolocation lookup | Map IP locations |
| whois | WHOIS queries | Domain registration info |
# Domain and DNS collection.
# NOTE(review): module names are reproduced as this page gives them; confirm
# each one exists in the module registry before relying on it.

# Add domain to project
sn0int domain add example.com

# Run domain enumeration modules
sn0int run sn0int/dns-enum example.com

# Search DNS records
sn0int run sn0int/domaininfo example.com

# Gather WHOIS info
sn0int run sn0int/whois example.com

# Find subdomains
sn0int run sn0int/subdomain-enum example.com
# Query DNS records
sn0int dns example.com A
sn0int dns example.com MX
sn0int dns example.com NS

# Reverse DNS lookup
sn0int dns 8.8.8.8

# Zone transfer attempt
# Presumably sends AXFR requests to the domain's authoritative name servers.
# On the defending side, transfers should be limited to secondary servers,
# and refused attempts can be logged by the name server.
sn0int run sn0int/zone-transfer example.com

# Subdomain brute force
# Presumably issues one DNS query per wordlist entry, which appears to the
# zone's operators as a burst of lookups for names that do not exist.
sn0int run sn0int/subdomains-list common-subdomains.txt example.com
# E-mail, phone and person lookups.
# Results here are personal data; the project database and any export of it
# need access controls to match.
# NOTE(review): module names are reproduced as this page gives them; confirm
# each one exists in the module registry.

# Hunt for emails on domain
sn0int run sn0int/emailhunt example.com

# Search by name pattern
# These three lines store guessed address formats, not confirmed addresses.
sn0int email add firstname.lastname@example.com
sn0int email add f.lastname@example.com
sn0int email add firstnamel@example.com

# Validate email addresses
# NOTE(review): the page does not say how validation is done; confirm what
# the module sends, and to which server, before treating results as reliable.
sn0int run sn0int/email-validation email@example.com

# Find associated accounts
sn0int run sn0int/email-lookup email@example.com
# Phone number lookup
sn0int phonebook add "+1-555-0100"

# Reverse phone lookup
sn0int run sn0int/phonebook-reverse +15550100

# Person search
# A name match alone does not establish identity; cross-check with other data.
sn0int run sn0int/person-search "John Doe"

# Find social media profiles
sn0int run sn0int/social-enum email@example.com
# IP address and network collection (8.8.8.8 is used as a sample address).
# NOTE(review): module names are reproduced as this page gives them; confirm
# each one exists in the module registry.

# Query IP information
sn0int ipaddress add 8.8.8.8

# Run IP modules
sn0int run sn0int/ipaddress 8.8.8.8

# ASN lookup
sn0int run sn0int/asn AS15169

# Find organization networks
sn0int run sn0int/org-asn-lookup "Google"

# Reverse IP lookup
sn0int run sn0int/reverse-ip 8.8.8.8
# Add network range
sn0int network add 8.8.8.0/24

# Enumerate IPs in network
sn0int run sn0int/network-enum 8.8.8.0/24

# GeoIP mapping
# GeoIP data locates the registered network, not necessarily the host itself.
sn0int run sn0int/geoip 8.8.8.8

# Check for services
# Presumably opens a connection to the given address and port, so unlike the
# lookups above it is visible in the target's own connection logs.
sn0int run sn0int/port-check 8.8.8.8 443
# TLS certificate and web collection.
# NOTE(review): module names are reproduced as this page gives them; confirm
# each one exists in the module registry.

# Query SSL certificate
sn0int run sn0int/ssl-cert example.com

# Find domain from certificate
sn0int run sn0int/ssl-reverse example.com

# Certificate transparency logs
# CT logs are public, so every hostname placed in a publicly trusted
# certificate is discoverable this way; defenders can watch the same logs
# for certificates issued for their own domains.
sn0int run sn0int/ct-logs example.com

# Check certificate validity
sn0int run sn0int/ssl-validate example.com:443
# Grab HTTP headers
sn0int run sn0int/http-headers example.com

# Check web technologies
sn0int run sn0int/web-tech-detect example.com

# Crawl website structure
# Presumably requests pages from the site itself, so it shows up in the web
# server's access logs.
sn0int run sn0int/web-crawl example.com

# Find subdomains via HTTP
sn0int run sn0int/web-enum example.com
# Breach and leak lookups.
# Command-line arguments are stored in shell history and are visible in the
# process list while the command runs; keep real secrets out of them.
# NOTE(review): module names are reproduced as this page gives them; confirm
# each one exists in the module registry and which service it queries.

# Search for email in breach databases
sn0int run sn0int/breach-check email@example.com

# Query Have I Been Pwned
sn0int run sn0int/hibp-search email@example.com

# Check for leaked passwords
# NOTE(review): confirm what `search-term` is sent to and in what form before
# using a live credential here.
sn0int run sn0int/password-breach search-term

# Get breach statistics
sn0int run sn0int/breach-stats email@example.com
# Search data dumps
sn0int run sn0int/dataleaks email@example.com

# Query underground forums
sn0int run sn0int/forum-search email@example.com

# Track leaked databases
sn0int run sn0int/leakdb-query domain.com
# Username and social-profile lookups.
# The same username on two platforms does not establish the same owner;
# treat matches as leads to cross-check.
# NOTE(review): module names are reproduced as this page gives them; confirm
# each one exists in the module registry.

# Hunt username across platforms
sn0int run sn0int/username-enum "johnsmith"

# Search on specific platforms
sn0int run sn0int/github-user johnsmith
sn0int run sn0int/twitter-user johnsmith
sn0int run sn0int/linkedin-user johnsmith

# LinkedIn profile enumeration
sn0int run sn0int/linkedin-enum "company-name"

# GitHub organization enumeration
sn0int run sn0int/github-org organization
# Extract profile information
sn0int run sn0int/profile-extract github.com/user

# Analyze social connections
sn0int run sn0int/social-graph username

# Track profile changes
sn0int run sn0int/profile-monitor username

# Find related accounts
sn0int run sn0int/account-linking email@example.com
# Working with data stored in the current project.

# List all stored data
sn0int ls

# Search within project
# NOTE(review): `sn0int search` is used earlier on this page to search for
# modules; confirm which of the two the subcommand does.
sn0int search "search term"

# Filter by type
sn0int ls domains
sn0int ls ipaddresses
sn0int ls emails

# Remove data
sn0int rm domain example.com
sn0int rm email email@example.com

# Clear project
# NOTE(review): no confirmation step or undo is shown on this page; export
# the project first if the data may be needed again.
sn0int clear
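# Export and import of project data.
# Exports contain the collected records, so create them readable by the
# current user only. The umask stays in effect for the rest of this shell
# session.
umask 077

# Export full project
sn0int export-json > project_export.json

# Export specific data
sn0int export-json --domains > domains.json
sn0int export-json --emails > emails.json

# Import data
# An export received from someone else is untrusted input; inspect it before
# importing it into a project.
sn0int import < previous_export.json

# Generate report
sn0int export-json | jq . > formatted_report.json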
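#!/bin/bash
# Collects domain-level OSINT for one target and writes a JSON report.
# Set TARGET below before running.
# NOTE(review): module names are reproduced as this page gives them; confirm
# each one exists in the module registry.

# Stop at the first failed step so the report is not silently incomplete.
set -euo pipefail
# The report holds collected data; create it readable by this user only.
umask 077

readonly TARGET="example.com"

# Create project
sn0int new "$TARGET"
sn0int set-target "$TARGET"

# Domain enumeration
sn0int domain add "$TARGET"
sn0int run sn0int/domaininfo "$TARGET"
sn0int run sn0int/dns-enum "$TARGET"

# Subdomain discovery
sn0int run sn0int/subdomain-enum "$TARGET"

# Find organization emails
sn0int run sn0int/emailhunt "$TARGET"

# SSL/TLS analysis
sn0int run sn0int/ssl-cert "$TARGET"

# Generate report
sn0int export-json > "${TARGET}-osint-report.json"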
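#!/bin/bash
# Builds a social-media footprint for one organization from collected
# e-mail records and writes it to social-footprint.json.
# NOTE(review): module names and the `.emails[].username` export field are
# reproduced as this page gives them; confirm both against the installed version.

# Stop at the first failed step so the output is not silently incomplete.
set -euo pipefail
# The output holds personal data; create it readable by this user only.
umask 077

readonly TARGET="target-company"

sn0int new "$TARGET"
sn0int set-target "$TARGET"

# LinkedIn enumeration
sn0int run sn0int/linkedin-enum "$TARGET"

# Find employee emails
sn0int run sn0int/emailhunt company.com

# Username enumeration
# Usernames come from collected, untrusted data. Reading them line by line
# keeps whitespace and glob characters from being re-interpreted by the
# shell, and `// empty` drops records with no username instead of passing the
# literal string "null". File descriptor 3 keeps the list off sn0int's stdin.
while IFS= read -r user <&3; do
  [[ -n "$user" ]] || continue
  sn0int run sn0int/username-enum "$user"
done 3< <(sn0int export-json | jq -r '.emails[] | .username // empty')

# Track social profiles
sn0int export-json | jq . > social-footprint.json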
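#!/bin/bash
# Profiles a single IP address (IP data, owning ASN, reverse-IP results) and
# writes the project export to threat-analysis.json.
# NOTE(review): module names and the `.ipaddresses[0].asn` export field are
# reproduced as this page gives them; confirm both against the installed version.

# Stop at the first failed step so the output is not silently incomplete.
set -euo pipefail
# Create the output readable by this user only.
umask 077

readonly TARGET_IP="1.2.3.4"

sn0int new threat-intel
sn0int set-target threat-intel

# IP analysis
sn0int ipaddress add "$TARGET_IP"
sn0int run sn0int/ipaddress "$TARGET_IP"

# ASN enumeration
# `// empty` yields an empty string when no ASN was recorded, instead of the
# literal "null" being handed to the ASN module.
ASN=$(sn0int export-json | jq -r '.ipaddresses[0].asn // empty')
if [[ -n "$ASN" ]]; then
  sn0int run sn0int/asn "$ASN"
else
  printf 'no ASN recorded for %s; skipping ASN lookup\n' "$TARGET_IP" >&2
fi

# Reverse IP lookups
sn0int run sn0int/reverse-ip "$TARGET_IP"

# Domain correlation
sn0int export-json > threat-analysis.json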
# Module structure
# The quoted 'EOF' delimiter writes the Lua text literally, with no shell
# expansion inside it.
# NOTE(review): the module appends `arg` to the URL without encoding it and
# returns nothing when the status is not 200; confirm both are intended.
# NOTE(review): `req:get` is the API as this page shows it; check it against
# the module API of the installed sn0int version.
cat > my-module.lua << 'EOF'
-- Custom sn0int module
function run(arg)
  -- Module logic here
  local result = req:get('https://api.example.com/' .. arg)
  if result.status == 200 then
    return result.body
  end
end
EOF

# Install custom module
# NOTE(review): confirm that `pkg install` accepts a local file path.
sn0int pkg install ./my-module.lua
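# Batch processing domains
# read -r keeps backslashes literal and IFS= keeps surrounding whitespace, so
# each line of domains.txt reaches sn0int unchanged as one argument.
# File descriptor 3 stops sn0int from consuming the rest of the list on stdin.
while IFS= read -r domain <&3 || [[ -n "$domain" ]]; do
  [[ -n "$domain" ]] || continue   # skip blank lines
  sn0int domain add "$domain"
  sn0int run sn0int/domaininfo "$domain"
done 3< domains.txt

# Automated reporting
# Explicit `.` filter, matching the other jq examples on this page.
sn0int export-json | jq . > report.json

# Scheduled OSINT collection
# The line below is a crontab entry (add it with `crontab -e`), not a shell
# command. cron runs jobs with a minimal environment, so sn0int may need to
# be given by its full path.
#   0 */6 * * * sn0int set-target target && sn0int run sn0int/emailhunt target.com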
  1. Authorization: Only conduct OSINT on targets with proper authorization
  2. Documentation: Log all reconnaissance activities and findings
  3. Accuracy Verification: Cross-reference findings with multiple sources
  4. Rate Limiting: Space out API-dependent modules to avoid detection and to stay within the rate limits of the services they query
  5. Data Protection: Secure project exports containing sensitive information
  6. Regular Updates: Keep modules updated for latest intelligence sources
# Popular OSINT modules
# Each install fetches module code that is later run locally; check the
# module's author and source before installing it.
# NOTE(review): module names are reproduced as this page gives them; confirm
# each one exists in the module registry.
sn0int pkg install sn0int/domaininfo
sn0int pkg install sn0int/geoip
sn0int pkg install sn0int/whois
sn0int pkg install sn0int/ipinfo
sn0int pkg install sn0int/tlspect

# Update all modules
sn0int pkg update

# List installed
sn0int pkg list
# Troubleshooting a module (`sn0int/module-name` is a placeholder).

# Check module compatibility
sn0int pkg info sn0int/module-name

# Reinstall module
sn0int pkg uninstall sn0int/module-name
sn0int pkg install sn0int/module-name

# View module logs
# Verbose output may include the targets and data being queried; review it
# before pasting it into a bug report or shared channel.
sn0int run -v sn0int/module-name argument
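# Space out module runs
# Read the list line by line: `$(cat domains.txt)` would word-split and
# glob-expand every entry. File descriptor 3 keeps the list off sn0int's stdin.
while IFS= read -r domain <&3 || [[ -n "$domain" ]]; do
  [[ -n "$domain" ]] || continue   # skip blank lines
  sn0int run sn0int/domaininfo "$domain"
  sleep 5
done 3< domains.txt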
# Fix JSON export
# `jq .` re-serializes valid JSON in pretty-printed form; it does not repair
# invalid input. On a parse error jq exits non-zero, and the redirection has
# already truncated the output file by then.
sn0int export-json | jq . > fixed_export.json

# Export specific records
# `.domains[]` writes each record as a separate JSON value, so the output is
# a stream of objects rather than a single JSON array.
sn0int export-json | jq '.domains[]' > domains_only.json
  • Recon-ng: Reconnaissance framework for web-based OSINT
  • Shodan: Internet-connected device search engine
  • OSINT Framework: Web-based collection of OSINT tools
  • Maltego: Visual link analysis and OSINT platform
  • Censys: Search engine for internet-connected devices