sn0int
Overview
sn0int is a semi-automatic OSINT (Open Source Intelligence) framework that combines reconnaissance automation with a package manager for OSINT modules. It is designed for security researchers, penetration testers, and investigators to gather and correlate publicly available information systematically.
Installation
Linux (Debian/Ubuntu)
# Add repository
echo "deb https://apt.sn0int.com/ stable main" | \
sudo tee /etc/apt/sources.list.d/sn0int.list
# Add GPG key (apt-key is deprecated on current Debian/Ubuntu releases and trusts the key for every repository)
curl -fsSL https://apt.sn0int.com/key.gpg | sudo apt-key add -
# Install
sudo apt update
sudo apt install sn0int
# Verify
sn0int --version
Linux (Arch)
sudo pacman -S sn0int
macOS
# Homebrew
brew tap kpcyrd/sn0int https://github.com/kpcyrd/sn0int
brew install sn0int
# Manual installation
curl -L https://github.com/kpcyrd/sn0int/releases/download/v0.13.0/sn0int-0.13.0-x86_64-apple-darwin.tar.gz | tar -xz
sudo mv sn0int /usr/local/bin/
Docker
# Run sn0int in container
docker run -it -v "$HOME/.sn0int:/root/.sn0int" kpcyrd/sn0int
# Create alias
alias sn0int='docker run -it -v "$HOME/.sn0int:/root/.sn0int" kpcyrd/sn0int sn0int'
Build from Source
git clone https://github.com/kpcyrd/sn0int.git
cd sn0int
cargo build --release
./target/release/sn0int --version
Core Concepts
Projects
# Create new project
sn0int new target-company
# List projects
sn0int list
# Switch project
sn0int set-target target-company
# Export project
sn0int export-json target-company > export.json
Modules and Packages
# Search available modules
sn0int search email
# Install module
sn0int pkg install sn0int/ipaddress
# List installed modules
sn0int pkg list
# Update modules
sn0int pkg update
# Remove module
sn0int pkg uninstall sn0int/module-name
Common Modules
| Module | Purpose | Usage |
|---|---|---|
| ipaddress | IP and ASN lookup | Collect IP infrastructure info |
| domaininfo | Domain enumeration | Find subdomains and NS records |
| emailhunt | Email discovery | Locate email addresses |
| phonebook | Phone number lookup | Gather contact information |
| geoip | Geolocation lookup | Map IP locations |
| whois | WHOIS queries | Domain registration info |
Working with Domains
Domain Enumeration
# Add domain to project
sn0int domain add example.com
# Run domain enumeration modules
sn0int run sn0int/dns-enum example.com
# Search DNS records
sn0int run sn0int/domaininfo example.com
# Gather WHOIS info
sn0int run sn0int/whois example.com
# Find subdomains
sn0int run sn0int/subdomain-enum example.com
DNS and Name Server Enumeration
# Query DNS records
sn0int dns example.com A
sn0int dns example.com MX
sn0int dns example.com NS
# Reverse DNS lookup
sn0int dns 8.8.8.8
# Zone transfer attempt
sn0int run sn0int/zone-transfer example.com
# Subdomain brute force
sn0int run sn0int/subdomains-list common-subdomains.txt example.com
Email and Contact Discovery
Email Finding
# Hunt for emails on domain
sn0int run sn0int/emailhunt example.com
# Search by name pattern
sn0int email add firstname.lastname@example.com
sn0int email add f.lastname@example.com
sn0int email add firstnamel@example.com
# Validate email addresses
sn0int run sn0int/email-validation email@example.com
# Find associated accounts
sn0int run sn0int/email-lookup email@example.com
Phone and Contact Information
# Phone number lookup
sn0int phonebook add "+1-555-0100"
# Reverse phone lookup
sn0int run sn0int/phonebook-reverse +15550100
# Person search
sn0int run sn0int/person-search "John Doe"
# Find social media profiles
sn0int run sn0int/social-enum email@example.com
IP Address and Network Reconnaissance
IP and ASN Lookup
# Query IP information
sn0int ipaddress add 8.8.8.8
# Run IP modules
sn0int run sn0int/ipaddress 8.8.8.8
# ASN lookup
sn0int run sn0int/asn AS15169
# Find organization networks
sn0int run sn0int/org-asn-lookup "Google"
# Reverse IP lookup
sn0int run sn0int/reverse-ip 8.8.8.8
Network Range Enumeration
# Add network range
sn0int network add 8.8.8.0/24
# Enumerate IPs in network
sn0int run sn0int/network-enum 8.8.8.0/24
# GeoIP mapping
sn0int run sn0int/geoip 8.8.8.8
# Check for services
sn0int run sn0int/port-check 8.8.8.8 443
Website and Hosting Analysis
SSL/TLS Enumeration
# Query SSL certificate
sn0int run sn0int/ssl-cert example.com
# Find domain from certificate
sn0int run sn0int/ssl-reverse example.com
# Certificate transparency logs
sn0int run sn0int/ct-logs example.com
# Check certificate validity
sn0int run sn0int/ssl-validate example.com:443
Web Reconnaissance
# Grab HTTP headers
sn0int run sn0int/http-headers example.com
# Check web technologies
sn0int run sn0int/web-tech-detect example.com
# Crawl website structure
sn0int run sn0int/web-crawl example.com
# Find subdomains via HTTP
sn0int run sn0int/web-enum example.com
Credential and Breach Data
Breach Database Queries
# Search for email in breach databases
sn0int run sn0int/breach-check email@example.com
# Query Have I Been Pwned
sn0int run sn0int/hibp-search email@example.com
# Check for leaked passwords
sn0int run sn0int/password-breach search-term
# Get breach statistics
sn0int run sn0int/breach-stats email@example.com
Data Leaks and Dumps
# Search data dumps
sn0int run sn0int/dataleaks email@example.com
# Query underground forums
sn0int run sn0int/forum-search email@example.com
# Track leaked databases
sn0int run sn0int/leakdb-query domain.com
Social Media and Account Enumeration
Username Discovery
# Hunt username across platforms
sn0int run sn0int/username-enum "johnsmith"
# Search on specific platforms
sn0int run sn0int/github-user johnsmith
sn0int run sn0int/twitter-user johnsmith
sn0int run sn0int/linkedin-user johnsmith
# LinkedIn profile enumeration
sn0int run sn0int/linkedin-enum "company-name"
# GitHub organization enumeration
sn0int run sn0int/github-org organization
Social Profile Analysis
# Extract profile information
sn0int run sn0int/profile-extract github.com/user
# Analyze social connections
sn0int run sn0int/social-graph username
# Track profile changes
sn0int run sn0int/profile-monitor username
# Find related accounts
sn0int run sn0int/account-linking email@example.com
Project Management and Reporting
Data Management
# List all stored data
sn0int ls
# Search within project
sn0int search "search term"
# Filter by type
sn0int ls domains
sn0int ls ipaddresses
sn0int ls emails
# Remove data
sn0int rm domain example.com
sn0int rm email email@example.com
# Clear project
sn0int clear
Export and Reporting
# Export full project
sn0int export-json > project_export.json
# Export specific data
sn0int export-json --domains > domains.json
sn0int export-json --emails > emails.json
# Import data
sn0int import < previous_export.json
# Generate report
sn0int export-json | jq . > formatted_report.json
Workflow Examples
Complete Company Reconnaissance
#!/bin/bash
TARGET="example.com"
# Create project
sn0int new "$TARGET"
sn0int set-target "$TARGET"
# Domain enumeration
sn0int domain add "$TARGET"
sn0int run sn0int/domaininfo "$TARGET"
sn0int run sn0int/dns-enum "$TARGET"
# Subdomain discovery
sn0int run sn0int/subdomain-enum "$TARGET"
# Find organization emails
sn0int run sn0int/emailhunt "$TARGET"
# SSL/TLS analysis
sn0int run sn0int/ssl-cert "$TARGET"
# Generate report
sn0int export-json > "${TARGET}-osint-report.json"
Social Media Footprint Mapping
#!/bin/bash
TARGET="target-company"
sn0int new "$TARGET"
sn0int set-target "$TARGET"
# LinkedIn enumeration
sn0int run sn0int/linkedin-enum "$TARGET"
# Find employee emails
sn0int run sn0int/emailhunt company.com
# Username enumeration
for user in $(sn0int export-json | jq -r '.emails[] | .username'); do
    sn0int run sn0int/username-enum "$user"
done
# Track social profiles
sn0int export-json | jq . > social-footprint.json
Threat Intelligence Gathering
#!/bin/bash
TARGET_IP="1.2.3.4"
sn0int new threat-intel
sn0int set-target threat-intel
# IP analysis
sn0int ipaddress add "$TARGET_IP"
sn0int run sn0int/ipaddress "$TARGET_IP"
# ASN enumeration
ASN=$(sn0int export-json | jq -r '.ipaddresses[0].asn')
sn0int run sn0int/asn "$ASN"
# Reverse IP lookups
sn0int run sn0int/reverse-ip "$TARGET_IP"
# Domain correlation
sn0int export-json > threat-analysis.json
Advanced Usage
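Creating Custom Modules
# Module structure
cat > my-module.lua << 'EOF'
-- Description: Custom sn0int module
-- Version: 0.1.0
-- License: GPL-3.0
-- Source: domains

function run(arg)
    -- Module logic here: arg['value'] is the entity sn0int passes in
    local session = http_mksession()
    local req = http_request(session, 'GET', 'https://api.example.com/' .. arg['value'], {})
    local result = http_send(req)
    if last_err() then return end
    if result['status'] ~= 200 then
        -- A string returned from run() is reported as the module's error
        return 'http status error: ' .. result['status']
    end
    -- result['text'] holds the response body
    info(result['text'])
end
EOF
# Install custom module
sn0int pkg install ./my-module.lua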
Scripting and Automation
# Batch processing domains
while IFS= read -r domain; do
    sn0int domain add "$domain"
    sn0int run sn0int/domaininfo "$domain"
done < domains.txt
# Automated reporting
sn0int export-json | jq . > report.json
# Scheduled OSINT collection
# Add to cron for regular updates
0 */6 * * * sn0int set-target target && sn0int run sn0int/emailhunt target.com
Best Practices
- Authorization: Only conduct OSINT on targets with proper authorization
- Documentation: Log all reconnaissance activities and findings
- Accuracy Verification: Cross-reference findings with multiple sources
- Rate Limiting: Space out API-dependent modules to avoid detection
- Data Protection: Secure project exports containing sensitive information
- Regular Updates: Keep modules updated for latest intelligence sources
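One way to enforce the Authorization and Documentation points in the batch loop, as an added example that is not part of sn0int or the original page. `SCOPE_FILE`, `AUDIT_LOG`, `SN0INT`, `in_scope` and `gated_run` are hypothetical names, and the scope file is assumed to list one authorized domain per line.

```shell
#!/usr/bin/env bash
# Added example, not part of sn0int: scope gate and audit log for batch runs.
# SCOPE_FILE, AUDIT_LOG, SN0INT, in_scope and gated_run are hypothetical names.
SCOPE_FILE="${SCOPE_FILE:-scope.txt}"        # one authorized domain per line, '#' comments
AUDIT_LOG="${AUDIT_LOG:-recon-audit.log}"
SN0INT="${SN0INT:-sn0int}"                   # overridable so the gate can be tested offline

# Succeed only if $1 is an authorized domain or a subdomain of one.
# The suffix match requires a dot boundary, so "notexample.com" does not
# match "example.com". A missing scope file denies everything.
in_scope() {
    local target allowed
    target=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    target=${target%.}                       # drop a trailing root dot
    [ -n "$target" ] || return 1
    [ -r "$SCOPE_FILE" ] || return 1
    while IFS= read -r allowed || [ -n "$allowed" ]; do
        allowed=$(printf '%s' "${allowed%%#*}" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
        [ -n "$allowed" ] || continue
        case "$target" in
            "$allowed" | *."$allowed") return 0 ;;
        esac
    done < "$SCOPE_FILE"
    return 1
}

# Run one module against one target; log the decision whether or not it runs.
gated_run() {
    local module="$1" target="$2" ts
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if ! in_scope "$target"; then
        printf '%s DENY %s %s\n' "$ts" "$module" "$target" >> "$AUDIT_LOG"
        return 1
    fi
    printf '%s RUN %s %s\n' "$ts" "$module" "$target" >> "$AUDIT_LOG"
    "$SN0INT" run "$module" "$target"
}

# The page's batch loop with the gate and the 5-second spacing applied:
#   while IFS= read -r d; do
#       gated_run sn0int/domaininfo "$d" || echo "skipped: $d" >&2
#       sleep 5
#   done < domains.txt
```

Keep the audit log alongside the project export so each finding can be traced to an authorized, timestamped run.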
Module Installation Examples
# Popular OSINT modules
sn0int pkg install sn0int/domaininfo
sn0int pkg install sn0int/geoip
sn0int pkg install sn0int/whois
sn0int pkg install sn0int/ipinfo
sn0int pkg install sn0int/tlspect
# Update all modules
sn0int pkg update
# List installed
sn0int pkg list
Troubleshooting
Module Failures
# Check module compatibility
sn0int pkg info sn0int/module-name
# Reinstall module
sn0int pkg uninstall sn0int/module-name
sn0int pkg install sn0int/module-name
# View module logs
sn0int run -v sn0int/module-name argument
API Rate Limiting
# Space out module runs
for domain in $(cat domains.txt); do
    sn0int run sn0int/domaininfo "$domain"
    sleep 5
done
Data Export Issues
# Fix JSON export
sn0int export-json | jq . > fixed_export.json
# Export specific records
sn0int export-json | jq '.domains[]' > domains_only.json
Related Tools
- Recon-ng: Reconnaissance framework for web-based OSINT
- Shodan: Internet-connected device search engine
- OSINT Framework: Web-based collection of OSINT tools
- Maltego: Visual link analysis and OSINT platform
- Censys: Search engine for internet-connected devices
References
- sn0int GitHub: https://github.com/kpcyrd/sn0int
- sn0int Documentation: https://docs.sn0int.com/
- OSINT Framework: https://osintframework.com/
- SANS OSINT Cheat Sheet: https://www.sans.org/white-papers/
- Intelligence-Driven Incident Response: Industry best practices