How To: Find Identifying Information from a Phone Number Using OSINT Tools

Find Identifying Information from a Phone Number Using OSINT Tools

Phone numbers often contain clues to the owner's identity and can bring up a lot of data during an OSINT investigation. Starting with a phone number, we can search through a large number of online databases with only a few clicks to discover information about a phone number. It can include the carrier, the owner's name and address, and even connected online accounts.

While a phone number may not seem like much information to give out, an OSINT researcher can quickly discover information that ties a phone number to a variety of other clues. The data can be used to detect whether a phone number is a throwaway VoIP number used to hide the owner's identity or a cell phone belonging to a real person. In the event of buying something online or replying to an apartment ad, this information is incredibly useful to know.

For a hacker, the ability to turn a phone number into multiple connected online accounts, email addresses, or screen names makes it a perfect starting point for bigger things to come. A quick scan to discover the carrier of a phone number can provide everything a hacker needs for a well-crafted phishing email pretending to be from the victim's carrier. Once a hacker can identify other details about the target that may be attached to the phone number, it's easy to identify the weakest link and attack the target using whatever information that's dug up.

Editor's note: The OSINT Tools by Mike Bazzel featured in this article was taken down from his website due to increased DDoS-style attacks, as well as DMCAs and cease-and-desists from some of the tools included. Phoneinfoga will still work in this guide, but for the others, you can try using each company's individual tool instead. You can see how it used to work, however, in the video and text below.

OSINT Tools for Phone Numbers

For quickly searching through phone numbers, we can use both command-line and browser-based tools. Command line tools give the advantage of simple operation and greater customization but require you to have Python installed and updated. Today, we'll be using a tool called Phoneinfoga to quickly determine if the number is associated with a disposable phone number.

___ _                       _____        __
   / _ \ |__   ___  _ __   ___  \_   \_ __  / _| ___   __ _  __ _
  / /_)/ '_ \ / _ \| '_ \ / _ \  / /\/ '_ \| |_ / _ \ / _` |/ _` |
 / ___/| | | | (_) | | | |  __/\/ /_ | | | |  _| (_) | (_| | (_| |
 \/    |_| |_|\___/|_| |_|\___\____/ |_| |_|_|  \___/ \__, |\__,_|
                                                      |___/
 PhoneInfoga Ver. v1.6.4
 Coded by Sundowndev

One of the best resources for OSINT is Mike Bazzel's IntelTechniques website, which we'll also be focusing on here. This website contains several custom tools that Bazzel had organized to be useful for researchers. Many of these tools are already in Buscador OS, a virtual machine that can be run to provide an operating system geared towards OSINT investigations.

The Scenario

As an example, we'll take a sample business listing from a classified ad. How would we verify this? If the ad claims to be from a licensed professional, could we track down a license attached to the phone number? A simple reverse phone number lookup may find something, but to see the real data, you have to dig deeper and utilize more than just one reverse number lookup tool.

Step 1: Install Phoneinfoga

To supplement the information you find online later, you can use a Python tool called Phoneinfoga, which allows you to search for details about phone numbers from the command line. To use Phoneinfoga, open a terminal window and enter the following four commands one by one or at the same time.

~$ git clone https://github.com/sundowndev/PhoneInfoga
~$ cd PhoneInfoga/
~/PhoneInfoga$ python3 -m pip install -r requirements.txt
~/PhoneInfoga$ cp config.example.py config.py

Cloning into 'PhoneInfoga'...
remote: Enumerating objects: 85, done.
remote: Counting objects: 100% (85/85), done.
remote: Compressing objects: 100% (79/79), done.
remote: Total 886 (delta 43), reused 12 (delta 6), pack-reused 801
Receiving objects: 100% (886/886), 247.47 KiB | 550.00 KiB/s, done.
Resolving deltas: 100% (461/461), done.

Requirement already satisfied: requests==2.21.0 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (2.21.0)
Collecting bs4==0.0.1 (from -r requirements.txt (line 2))
  Downloading https://files.pythonhosted.org/packages/10/ed/7e8b97591f6f456174139ec089c769f89a94a1a4025fe967691de971f314/bs4-0.0.1.tar.gz
Requirement already satisfied: html5lib==1.0.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 3)) (1.0.1)
Collecting phonenumbers==8.10.2 (from -r requirements.txt (line 4))
  Downloading https://files.pythonhosted.org/packages/d9/62/a176cfaf6edb90b68ae3426cf4fb8fd98189df550e2143cafc66bb2c1b82/phonenumbers-8.10.2-py2.py3-none-any.whl (3.2MB)
    100% |████████████████████████████████| 3.2MB 381kB/s
Collecting argparse==1.2.1 (from -r requirements.txt (line 5))
  Downloading https://files.pythonhosted.org/packages/6f/ad/86448942ad49c5fe05bfdf7ebc874807f521dfcca5ee543afaca2974ad5a/argparse-1.2.1.tar.gz (69kB)
    100% |████████████████████████████████| 71kB 5.8MB/s
Collecting urllib3==1.24.2 (from -r requirements.txt (line 6))
  Downloading https://files.pythonhosted.org/packages/df/1c/59cca3abf96f991f2ec3131a4ffe72ae3d9ea1f5894abe8a9c5e3c77cfee/urllib3-1.24.2-py2.py3-none-any.whl (131kB)
    100% |████████████████████████████████| 133kB 7.4MB/s
Collecting colorama==0.4.1 (from -r requirements.txt (line 7))
  Downloading https://files.pythonhosted.org/packages/4f/a6/728666f39bfff1719fc94c481890b2106837da9318031f71a8424b662e12/colorama-0.4.1-py2.py3-none-any.whl
Requirement already satisfied: beautifulsoup4 in /usr/lib/python3/dist-packages (from bs4==0.0.1->-r requirements.txt (line 2)) (4.7.1)
Building wheels for collected packages: bs4, argparse
  Running setup.py bdist_wheel for bs4 ... done
  Stored in directory: /root/.cache/pip/wheels/a0/b0/b2/4f80b9456b87abedbc0bf2d52235414c3467d8889be38dd472
  Running setup.py bdist_wheel for argparse ... done
  Stored in directory: /root/.cache/pip/wheels/30/35/38/aa7be52cca01ed539bd6f3789edb8489691cc7d9a010cbc982
Successfully built bs4 argparse
Installing collected packages: bs4, phonenumbers, argparse, urllib3, colorama
  Found existing installation: urllib3 1.24.1
    Not uninstalling urllib3 at /usr/lib/python3/dist-packages, outside environment /usr
    Can't uninstall 'urllib3'. No files were found to uninstall.
  Found existing installation: colorama 0.3.7
    Not uninstalling colorama at /usr/lib/python3/dist-packages, outside environment /usr
    Can't uninstall 'colorama'. No files were found to uninstall.
Successfully installed argparse-1.2.1 bs4-0.0.1 colorama-0.4.1 phonenumbers-8.10.2 urllib3-1.24.2

Next, you can run the program with the options displayed in the help file.

~/PhoneInfoga$ python3 phoneinfoga.py -h

usage: phoneinfoga.py -n <number> [options]

Advanced information gathering tool for phone numbers
(https://github.com/sundowndev/PhoneInfoga) version v1.6.4

optional arguments:
  -h, --help            show this help message and exit
  -n number, --number number
                        The phone number to scan (E164 or international
                        format)
  -i input_file, --input input_file
                        Phone number list to scan (one per line)
  -o output_file, --output output_file
                        Output to save scan results
  -s scanner, --scanner scanner
                        The scanner to use
  --recon               Launch custom format reconnaissance
  --no-ansi             Disable colored output
  -v, --version         Show tool version

Step 2: Search a Phone Number with Phoneinfoga

To search for a phone number, we just need to add the -n flag and then whatever number we want to search for. If you use the --recon argument, it will perform an advanced search.

~/PhoneInfoga$ python3 phoneinfoga.py -n 1717███9539 --recon

    ___ _                       _____        __
   / _ \ |__   ___  _ __   ___  \_   \_ __  / _| ___   __ _  __ _
  / /_)/ '_ \ / _ \| '_ \ / _ \  / /\/ '_ \| |_ / _ \ / _` |/ _` |
 / ___/| | | | (_) | | | |  __/\/ /_ | | | |  _| (_) | (_| | (_| |
 \/    |_| |_|\___/|_| |_|\___\____/ |_| |_|_|  \___/ \__, |\__,_|
                                                      |___/
 PhoneInfoga Ver. v1.6.4
 Coded by Sundowndev

[!] ---- Fetching informations for 1717███9539 ---- [!]
[*] Running local scan...
[+] International format: +1 717-███-9539
[+] Local format: 717███9539
[+] Country found: United States (+1)
[+] City/Area: Pennsylvania
[+] Carrier:
[+] Timezone: America/New_York
[i] The number is valid and possible.
[*] Running Numverify.com scan...
[!] Numverify.com is not available
[*] Running OVH scan...
[*] Running custom format reconnaissance...
Footprint reconnaissance for 717███9539
[+] URL: https://www.reverse-lookup.co/717-███-9539
[+] URL: http://staging.thatsthem.com/phone/717-███-9539
[+] URL: https://www.revealname.com/717-███-9539
[+] URL: https://www.okcaller.com/717███9586
[+] URL: http://www.ncsusigmanu.com/g-i/717/ig/███/9
Footprint reconnaissance for 1 717███9539
Footprint reconnaissance for 1 717 ███9539
Footprint reconnaissance for 717 ███9539
[+] URL: http://phonelookupus.com/who-called-me/1/432███1704
Footprint reconnaissance for 717-███9539
[+] URL: http://phonelookupus.com/who-called-me/1/432███1704
Footprint reconnaissance for 717-███-9539
[+] URL: http://www.buzzfile.com/business/Rauch-█████████-███-██-██-████
[+] URL: https://www.whitepages.com/phone/1-717-███-9539
[+] URL: https://safer.fmcsa.dot.gov/query.asp?query_type=queryCarrierSnapshot&query_param=USDOT&query_string=1███367
[+] URL: https://www.manta.com/c/mtmr6yw/rauch-█████████-███
[+] URL: https://www.kw.com/kw/agent/██████rauch
Footprint reconnaissance for +1 717-███-9539
[+] URL: https://phonescheck.com/717-███
[+] URL: https://mobphonescheck.com/717-███
[+] URL: http://uk.popularphotolook.com/717-███-95
[+] URL: https://ownertelephone.com/1717███7777
[+] URL: http://opencallerlistings.com/listing/717-███-95
Footprint reconnaissance for (+1)717-███-9539
[+] URL: https://www.whitepages.com/phone/1-717-███-9539
[+] URL: https://www.whitepages.com/phone/1-717-███-9XXX
[+] URL: https://www.whitepages.ca/phone/1-717-███-9538
[+] URL: http://www.google.comhttp://mrnumber.com/1-717-███%3Fpage%3D4%26thousand%3D9
[+] URL: http://www.google.comhttp://uk.popularphotolook.com/717-███-95
Footprint reconnaissance for +1/717-███-9539
[+] URL: https://www.whitepages.com/phone/1-717-███-9539
[+] URL: https://www.whitepages.com/phone/1-717-███-95XX
[+] URL: https://www.whitepages.ca/phone/1-717-███-9538
[+] URL: http://mrnumber.com/1-717-███%3Fpage%3D4%26thousand%3D9
[+] URL: http://uk.popularphotolook.com/717-███-95
Footprint reconnaissance for (717) ███9539
[+] URL: http://phonelookupus.com/who-called-me/1/432███1704
Footprint reconnaissance for (717) ███-9539
[+] URL: http://www.buzzfile.com/business/Rauch-█████████-███-██-██-████
[+] URL: https://www.whitepages.com/phone/1-717-███-9539
[+] URL: https://safer.fmcsa.dot.gov/query.asp?query_type=queryCarrierSnapshot&query_param=USDOT&query_string=1███367
[+] URL: https://www.manta.com/c/mtmr6yw/rauch-█████████-███
[+] URL: https://www.kw.com/kw/agent/██████rauch
Footprint reconnaissance for (717) ███.9539
Footprint reconnaissance for (717)███9539
[+] URL: http://phonelookupus.com/who-called-me/1/432███1704
Footprint reconnaissance for (717)███-9539
[+] URL: http://www.buzzfile.com/business/Rauch-█████████-███-██-██-████
[+] URL: https://www.whitepages.com/phone/1-717-███-9539
[+] URL: https://safer.fmcsa.dot.gov/query.asp%3Fquery_type%3DqueryCarrierSnapshot%26query_param%3DUSDOT%26query_string%3D1███367
[+] URL: https://www.manta.com/c/mtmr6yw/rauch-█████████-███
[+] URL: https://www.kw.com/kw/agent/██████rauch
Footprint reconnaissance for (717)███.9539
[*] Running OSINT footprint reconnaissance...
[i] Generating scan URL on 411.com...
[+] Scan URL: https://www.411.com/phone/1-717-███-9539
Would you like to use an additional format for this number ? (y/N)  n

[i] ---- Web pages footprints ----
[i] Searching for footprints on web pages... (limit=10)
[+] Result found: https://www.reverse-lookup.co/717-███-9539
[+] Result found: https://www.revealname.com/717-███-9539
[+] Result found: https://who-called.biz/state/pennsylvania/phones/1717███0000
[+] Result found: http://v-postal-cn.com/phones/note_17172780000_1717███9999_all2.htm
[+] Result found: http://www.jihaoba.com/haoduan/xiaogan/1717███.htm
[+] Result found: http://sm.cidu.net/gujialogall.asp?hm=1717███
[+] Result found: https://review-call.com/1717███0000
[+] Result found: https://number-review.com/1717███0000
[+] Result found: https://fast-scan.com/1717███0000
[i] Searching for documents... (limit=10)
[i] ---- Reputation footprints ----
[i] Searching for reputation report on whosenumber.info...
[i] Searching for phone fraud footprints...
[i] Searching for reputation report on findwhocallsme.com...
[i] Searching for reputation report on yellowpages.ca...
[i] Searching for reputation report on phonenumbers.ie...
[i] Searching for reputation report on who-calledme.com...
[i] Searching for reputation report on usphonesearch.net...
[i] Searching for reputation report on whocalled.us...
[i] Searching for reputation report on quinumero.info...
[i] Searching for reputation report on uk.popularphotolook.com...
[i] Generating URL on scamcallfighters.com...
[+] http://www.scamcallfighters.com/search-phone-1717███9539.html
Would you like to search for temporary number providers footprints ? (Y/n) n

[i] ---- Social media footprints ----
[i] Searching for footprints on facebook.com...
[i] Searching for footprints on twitter.com...
[i] Searching for footprints on linkedin.com...
[i] Searching for footprints on instagram.com...
[i] ---- Phone books footprints ----
[i] Generating URL on True People...
[+] https://www.truepeoplesearch.com/results?phoneno=+1717-███-9539
[i] Searching for footprints on numinfo.net...
[i] Searching for footprints on sync.me...
[i] Searching for footprints on whocallsyou.de...
[i] Searching for footprints on pastebin.com...
[i] Searching for footprints on whycall.me...
[i] Searching for footprints on locatefamily.com...
[i] Searching for footprints on spytox.com...

Would you like to rerun OSINT scan ? (e.g to use a different format) (y/N) n

[i] Scan finished.

Sometimes, this tool can get you temporarily blacklisted from Google searches because of the way it's programmed. It's annoying but easily resolved with a Google abuse exemption, detailed at the end of the video above.

As you can see above, there are lots of links to dive into, and right away the name and business associated with the phone number are available in the output.

Step 3: Access the IntelTechniques OSINT Portal

Now, let's concentrate on the web tools that are free on Bazzel's website since they're a little bit easier to work with than with the command line tool above. To follow along, you can go to inteltechniques.com/menu.html, then click on the "Telephone Number" tab.

A submenu appears when you click on "Telephone Number," and you'll need to select the "Telephone Search Tool" to bring up the page that will allow us to search many tools at once.

As you can see, it's a healthy mix of people-searching tools, phonebook directories, scam reporting websites, and social media connections. These are free, public resources combined into one easy-to-use search tool, allowing anyone with a browser and internet connection to begin researching who is on the other end of a phone number.

We can input a number into each tool one by one, but the easiest way is to enter the number into the field at the top, and click "Populate All."

Step 4: Search a Phone Number on IntelTechniques

In the search tool, enter the number into the field next to the "Populate All" button, then click the button to auto-populate the number into the rest of the fields. Next, select "Submit All" under the list of services to run all searches on the phone number. All of the services will open up in different tabs or pop-ups with the search already submitted (you may need to allow pop-ups in your browser).

Step 5: Search Results for Clues & Patterns

Now, check out some of the resources loaded from the search. Here, some of the people searching services have turned our phone number into a name.

Along with the person's name is a startling amount of information, the most important of which is a location and address for us to tie together further details. We found a lot of results with the name, making a pretty strong likelihood that this is the person behind our ad. So how would we prove they are a licensed professional?

Step 6: Locate Information That Can Be Verified

On another search site result, we can see the name of a business associated with the phone number, which is what we're looking for! If we can tie the name of a company and the name we've found associated with the number, we can look up a source we trust, like a state listing of active businesses, to determine whether this is a real business. Here, we have a name, address, and business name; everything we need to verify whether a business exists.

Step 7: Verify with Primary Source Data

To check out the information we found, we should look for some primary source information that backs up our discovery. In our case, the best database to search is the Department of State business database for the state we discovered the business in. Here, we were able to pull a valid business listing, one which matches the address we previously found. It appears the person behind the online advertisement is honest — they are a licensed professional after all.

Phone Numbers Can Tie Everything Together

As a starting point, a phone number can provide everything you need to locate information about a target. With tools like Phoneinfoga, you can quickly discover whether a phone number is a throwaway or a legitimate number. If the number is real, the IntelTecniques website tools can piece together clues to build a picture of the person behind the phone number, sometimes quite literally.

With the right tools, a single phone number can lead you from clue to clue, piecing together everything you need to learn about a target.

I hope you enjoyed this guide to using phone numbers in an OSINT investigation! If you have any questions about this tutorial on phone number recon, or if you have a comment, ask below or feel free to reach me on Twitter @KodyKinzie.

Cover photo by Justin Meyers/Null Byte; Screenshots by Kody/Null Byte

Get The Null Byte Newsletter

Never miss a new hacking or security guide

11 Comments

i am getting these erros both kali and windows

C:\x>phoneinfoga.py -v
Traceback (most recent call last):
File "C:\x\phoneinfoga.py", line 21, in <module>
from scanners.footprints import osintScan
File "C:\x\scanners\footprints.py", line 12, in <module>
from lib.googlesearch import search
File "C:\x\lib\googlesearch.py", line 14, in <module>
from config import *
ModuleNotFoundError: No module named 'config'

cp config.example.py config.py

thanks for the solution for this error

Same problem occuring in my machine. please help if you get solution.

Thank you for the post . works well.

but all above methods are not able to find information of indian number. so plz anyone help me.....

india is a backward country.....go to that recharge wale bhaiya and ask info about victim...lol

Check out PhoneSearch.us if you still need to look up phone numbers, and linking to Social Media accounts, etc.

Best $5 search on the web.

the tools whiuch u r ginven website is not working

Yes, I also tried, That tool is not working.

IntelTechniques OSINT Portal this website is not working and not accepting registration of new users,,,,,,,plz help

Share Your Thoughts

  • Hot
  • Latest