Pockint Save
A portable OSINT Swiss Army Knife for DFIR/OSINT professionals 🕵️ 🕵️ 🕵️
POCKINT (a.k.a. Pocket Intelligence) is the OSINT swiss army knife for DFIR/OSINT professionals. A lightweight and portable GUI program, it provides users with essential OSINT capabilities in a compact form factor: POCKINT's input box accepts typical indicators (URL, IP, MD5) and gives users the ability to perform basic OSINT data mining tasks in an iterable manner.
Installation
You can grab the latest version from the releases page. POCKINT is provided as a single executable that can be stored and run anywhere on computers. POCKINT is available for Windows only.
Features
Why use it? POCKINT is designed to be simple, portable and powerful.
:star: Simple: There's plenty of awesome OSINT tools out there. Trouble is they either require analysts to be reasonably comfortable with the command line (think pOSINT) or give you way too many features (think Maltego). POCKINT focuses on simplicity: INPUT > RUN TRANSFORM > OUTPUT ... rinse and repeat. It's the ideal tool to get results quickly and easily through a simple interface.
:package: Portable: Most tools either require installation, a license or configuration. POCKINT is ready to go whenever and wherever. Put it in your jump kit USB, investigation VM or laptop and it will just run.
:rocket: Powerful: POCKINT combines cheap OSINT sources (whois/DNS) with the power of specialised APIs. From the get go you can use a suite of in-built transforms. Add in a couple of API keys and you can unlock even more specialised data mining capabilities.
The latest version is capable of running the following data mining tasks:
Hostnames
| Source | Transform | API key needed? |
|---|---|---|
| DNS | IP lookup | :x: |
| DNS | MX lookup | :x: |
| DNS | NS lookup | :x: |
| DNS | TXT lookup | :x: |
| WHOIS | Domain dnssec status | :x: |
| WHOIS | Domain creation | :x: |
| WHOIS | Domain expiration | :x: |
| WHOIS | Domain emails | :x: |
| WHOIS | Domain registrar | :x: |
| WHOIS | Registrant location | :x: |
| WHOIS | Registrant org | :x: |
| WHOIS | Registrant name | :x: |
| WHOIS | Registrant address | :x: |
| WHOIS | Registrant zipcode | :x: |
| crt.sh | Subdomains | :x: |
| Virustotal | Downloaded samples | :heavy_check_mark: |
| Virustotal | Detected URLs | :heavy_check_mark: |
| Virustotal | Subdomains | :heavy_check_mark: |
| OTX | Passive DNS | :heavy_check_mark: |
| OTX | malicious check | :heavy_check_mark: |
| OTX | Malware type | :heavy_check_mark: |
| OTX | Malware hash | :heavy_check_mark: |
| OTX | Observed urls | :heavy_check_mark: |
| OTX | Geolocate | :heavy_check_mark: |
IP Adresses
Note: Only IPv4 Addresses are supported
| Source | Transform | API key needed? |
|---|---|---|
| DNS | Reverse lookup | :x: |
| Shodan | Ports | :heavy_check_mark: |
| Shodan | Geolocate | :heavy_check_mark: |
| Shodan | Coordinates | :heavy_check_mark: |
| Shodan | CVEs | :heavy_check_mark: |
| Shodan | ISP | :heavy_check_mark: |
| Shodan | City | :heavy_check_mark: |
| Shodan | ASN | :heavy_check_mark: |
| Virustotal | Network report | :heavy_check_mark: |
| Virustotal | Communicating samples | :heavy_check_mark: |
| Virustotal | Downloaded samples | :heavy_check_mark: |
| Virustotal | Detected URLs | :heavy_check_mark: |
| OTX | Passive DNS | :heavy_check_mark: |
| OTX | Malicious check | :heavy_check_mark: |
| OTX | Malware type | :heavy_check_mark: |
| OTX | Malware hash | :heavy_check_mark: |
| OTX | Observed urls | :heavy_check_mark: |
| OTX | Geolocate | :heavy_check_mark: |
Urls
| Source | Transform | API key needed? |
|---|---|---|
| DNS | Extract hostname | :x: |
| Virustotal | Malicious check | :heavy_check_mark: |
| Virustotal | Reported detections | :heavy_check_mark: |
| OTX | Geolocate | :heavy_check_mark: |
| OTX | Parse url | :heavy_check_mark: |
| OTX | malicious check | :heavy_check_mark: |
| OTX | Http response analysis | :heavy_check_mark: |
Hashes
Note: Both MD5 and SHA256 hashes are supported
| Source | Transform | API key needed? |
|---|---|---|
| Virustotal | Malicious check | :heavy_check_mark: |
| Virustotal | Malware type | :heavy_check_mark: |
| OTX | Malicious check | :heavy_check_mark: |
Emails
| Source | Transform | API key needed? |
|---|---|---|
| N/A | Extract domain | :x: |
New APIs and input integrations are in the works, consult the issues page to check out what's brewing or feel free to propose your own.
Like it?
If you like the tool please consider contributing.
The tool received a few "honourable" mentions, including:
Please note: There have been a small number of reports indicating that pockint triggers false positives on antivirus protected systems (to date Avast, AVG and Norton). The issue seems to be caused by pyinstaller, the python package used to freeze and distribute pockint. If pockint triggers your antivirus please submit an issue and the author will submit a false positive report to the concerned antivirus provider.
Open Source Agenda Badge
