Phone numbers often contain clues to the owner's identity and can bring up a lot of data during an OSINT investigation. Starting with a phone number, we can search through a large number of online databases with only a few clicks to discover information about a phone number. It can include the carrier, the owner's name and address, and even connected online accounts.
While a phone number may not seem like much information to give out, an OSINT researcher can quickly discover information that ties a phone number to a variety of other clues. The data can be used to detect whether a phone number is a throwaway VoIP number used to hide the owner's identity or a cell phone belonging to a real person. In the event of buying something online or replying to an apartment ad, this information is incredibly useful to know.
For a hacker, the ability to turn a phone number into multiple connected online accounts, email addresses, or screen names makes it a perfect starting point for bigger things to come. A quick scan to discover the carrier of a phone number can provide everything a hacker needs for a well-crafted phishing email pretending to be from the victim's carrier. Once a hacker can identify other details about the target that may be attached to the phone number, it's easy to identify the weakest link and attack the target using whatever information that's dug up.
Editor's note: The OSINT Tools by Mike Bazzel featured in this article was taken down from his website due to increased DDoS-style attacks, as well as DMCAs and cease-and-desists from some of the tools included. Phoneinfoga will still work in this guide, but for the others, you can try using each company's individual tool instead. You can see how it used to work, however, in the video and text below.
For quickly searching through phone numbers, we can use both command-line and browser-based tools. Command line tools give the advantage of simple operation and greater customization but require you to have Python installed and updated. Today, we'll be using a tool called Phoneinfoga to quickly determine if the number is associated with a disposable phone number.
___ _ _____ __ / _ \ |__ ___ _ __ ___ \_ \_ __ / _| ___ __ _ __ _ / /_)/ '_ \ / _ \| '_ \ / _ \ / /\/ '_ \| |_ / _ \ / _` |/ _` | / ___/| | | | (_) | | | | __/\/ /_ | | | | _| (_) | (_| | (_| | \/ |_| |_|\___/|_| |_|\___\____/ |_| |_|_| \___/ \__, |\__,_| |___/ PhoneInfoga Ver. v1.6.4 Coded by Sundowndev
One of the best resources for OSINT is Mike Bazzel's IntelTechniques website, which we'll also be focusing on here. This website contains several custom tools that Bazzel had organized to be useful for researchers. Many of these tools are already in Buscador OS, a virtual machine that can be run to provide an operating system geared towards OSINT investigations.
As an example, we'll take a sample business listing from a classified ad. How would we verify this? If the ad claims to be from a licensed professional, could we track down a license attached to the phone number? A simple reverse phone number lookup may find something, but to see the real data, you have to dig deeper and utilize more than just one reverse number lookup tool.
To supplement the information you find online later, you can use a Python tool called Phoneinfoga, which allows you to search for details about phone numbers from the command line. To use Phoneinfoga, open a terminal window and enter the following four commands one by one or at the same time.
~$ git clone https://github.com/sundowndev/PhoneInfoga ~$ cd PhoneInfoga/ ~/PhoneInfoga$ python3 -m pip install -r requirements.txt ~/PhoneInfoga$ cp config.example.py config.py Cloning into 'PhoneInfoga'... remote: Enumerating objects: 85, done. remote: Counting objects: 100% (85/85), done. remote: Compressing objects: 100% (79/79), done. remote: Total 886 (delta 43), reused 12 (delta 6), pack-reused 801 Receiving objects: 100% (886/886), 247.47 KiB | 550.00 KiB/s, done. Resolving deltas: 100% (461/461), done. Requirement already satisfied: requests==2.21.0 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (2.21.0) Collecting bs4==0.0.1 (from -r requirements.txt (line 2)) Downloading https://files.pythonhosted.org/packages/10/ed/7e8b97591f6f456174139ec089c769f89a94a1a4025fe967691de971f314/bs4-0.0.1.tar.gz Requirement already satisfied: html5lib==1.0.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 3)) (1.0.1) Collecting phonenumbers==8.10.2 (from -r requirements.txt (line 4)) Downloading https://files.pythonhosted.org/packages/d9/62/a176cfaf6edb90b68ae3426cf4fb8fd98189df550e2143cafc66bb2c1b82/phonenumbers-8.10.2-py2.py3-none-any.whl (3.2MB) 100% |████████████████████████████████| 3.2MB 381kB/s Collecting argparse==1.2.1 (from -r requirements.txt (line 5)) Downloading https://files.pythonhosted.org/packages/6f/ad/86448942ad49c5fe05bfdf7ebc874807f521dfcca5ee543afaca2974ad5a/argparse-1.2.1.tar.gz (69kB) 100% |████████████████████████████████| 71kB 5.8MB/s Collecting urllib3==1.24.2 (from -r requirements.txt (line 6)) Downloading https://files.pythonhosted.org/packages/df/1c/59cca3abf96f991f2ec3131a4ffe72ae3d9ea1f5894abe8a9c5e3c77cfee/urllib3-1.24.2-py2.py3-none-any.whl (131kB) 100% |████████████████████████████████| 133kB 7.4MB/s Collecting colorama==0.4.1 (from -r requirements.txt (line 7)) Downloading https://files.pythonhosted.org/packages/4f/a6/728666f39bfff1719fc94c481890b2106837da9318031f71a8424b662e12/colorama-0.4.1-py2.py3-none-any.whl Requirement already satisfied: beautifulsoup4 in /usr/lib/python3/dist-packages (from bs4==0.0.1->-r requirements.txt (line 2)) (4.7.1) Building wheels for collected packages: bs4, argparse Running setup.py bdist_wheel for bs4 ... done Stored in directory: /root/.cache/pip/wheels/a0/b0/b2/4f80b9456b87abedbc0bf2d52235414c3467d8889be38dd472 Running setup.py bdist_wheel for argparse ... done Stored in directory: /root/.cache/pip/wheels/30/35/38/aa7be52cca01ed539bd6f3789edb8489691cc7d9a010cbc982 Successfully built bs4 argparse Installing collected packages: bs4, phonenumbers, argparse, urllib3, colorama Found existing installation: urllib3 1.24.1 Not uninstalling urllib3 at /usr/lib/python3/dist-packages, outside environment /usr Can't uninstall 'urllib3'. No files were found to uninstall. Found existing installation: colorama 0.3.7 Not uninstalling colorama at /usr/lib/python3/dist-packages, outside environment /usr Can't uninstall 'colorama'. No files were found to uninstall. Successfully installed argparse-1.2.1 bs4-0.0.1 colorama-0.4.1 phonenumbers-8.10.2 urllib3-1.24.2
Next, you can run the program with the options displayed in the help file.
~/PhoneInfoga$ python3 phoneinfoga.py -h usage: phoneinfoga.py -n <number> [options] Advanced information gathering tool for phone numbers (https://github.com/sundowndev/PhoneInfoga) version v1.6.4 optional arguments: -h, --help show this help message and exit -n number, --number number The phone number to scan (E164 or international format) -i input_file, --input input_file Phone number list to scan (one per line) -o output_file, --output output_file Output to save scan results -s scanner, --scanner scanner The scanner to use --recon Launch custom format reconnaissance --no-ansi Disable colored output -v, --version Show tool version
To search for a phone number, we just need to add the -n flag and then whatever number we want to search for. If you use the --recon argument, it will perform an advanced search.
~/PhoneInfoga$ python3 phoneinfoga.py -n 1717███9539 --recon ___ _ _____ __ / _ \ |__ ___ _ __ ___ \_ \_ __ / _| ___ __ _ __ _ / /_)/ '_ \ / _ \| '_ \ / _ \ / /\/ '_ \| |_ / _ \ / _` |/ _` | / ___/| | | | (_) | | | | __/\/ /_ | | | | _| (_) | (_| | (_| | \/ |_| |_|\___/|_| |_|\___\____/ |_| |_|_| \___/ \__, |\__,_| |___/ PhoneInfoga Ver. v1.6.4 Coded by Sundowndev [!] ---- Fetching informations for 1717███9539 ---- [!] [*] Running local scan... [+] International format: +1 717-███-9539 [+] Local format: 717███9539 [+] Country found: United States (+1) [+] City/Area: Pennsylvania [+] Carrier: [+] Timezone: America/New_York [i] The number is valid and possible. [*] Running Numverify.com scan... [!] Numverify.com is not available [*] Running OVH scan... [*] Running custom format reconnaissance... Footprint reconnaissance for 717███9539 [+] URL: https://www.reverse-lookup.co/717-███-9539 [+] URL: http://staging.thatsthem.com/phone/717-███-9539 [+] URL: https://www.revealname.com/717-███-9539 [+] URL: https://www.okcaller.com/717███9586 [+] URL: http://www.ncsusigmanu.com/g-i/717/ig/███/9 Footprint reconnaissance for 1 717███9539 Footprint reconnaissance for 1 717 ███9539 Footprint reconnaissance for 717 ███9539 [+] URL: http://phonelookupus.com/who-called-me/1/432███1704 Footprint reconnaissance for 717-███9539 [+] URL: http://phonelookupus.com/who-called-me/1/432███1704 Footprint reconnaissance for 717-███-9539 [+] URL: http://www.buzzfile.com/business/Rauch-█████████-███-██-██-████ [+] URL: https://www.whitepages.com/phone/1-717-███-9539 [+] URL: https://safer.fmcsa.dot.gov/query.asp?query_type=queryCarrierSnapshot&query_param=USDOT&query_string=1███367 [+] URL: https://www.manta.com/c/mtmr6yw/rauch-█████████-███ [+] URL: https://www.kw.com/kw/agent/██████rauch Footprint reconnaissance for +1 717-███-9539 [+] URL: https://phonescheck.com/717-███ [+] URL: https://mobphonescheck.com/717-███ [+] URL: http://uk.popularphotolook.com/717-███-95 [+] URL: https://ownertelephone.com/1717███7777 [+] URL: http://opencallerlistings.com/listing/717-███-95 Footprint reconnaissance for (+1)717-███-9539 [+] URL: https://www.whitepages.com/phone/1-717-███-9539 [+] URL: https://www.whitepages.com/phone/1-717-███-9XXX [+] URL: https://www.whitepages.ca/phone/1-717-███-9538 [+] URL: http://www.google.comhttp://mrnumber.com/1-717-███%3Fpage%3D4%26thousand%3D9 [+] URL: http://www.google.comhttp://uk.popularphotolook.com/717-███-95 Footprint reconnaissance for +1/717-███-9539 [+] URL: https://www.whitepages.com/phone/1-717-███-9539 [+] URL: https://www.whitepages.com/phone/1-717-███-95XX [+] URL: https://www.whitepages.ca/phone/1-717-███-9538 [+] URL: http://mrnumber.com/1-717-███%3Fpage%3D4%26thousand%3D9 [+] URL: http://uk.popularphotolook.com/717-███-95 Footprint reconnaissance for (717) ███9539 [+] URL: http://phonelookupus.com/who-called-me/1/432███1704 Footprint reconnaissance for (717) ███-9539 [+] URL: http://www.buzzfile.com/business/Rauch-█████████-███-██-██-████ [+] URL: https://www.whitepages.com/phone/1-717-███-9539 [+] URL: https://safer.fmcsa.dot.gov/query.asp?query_type=queryCarrierSnapshot&query_param=USDOT&query_string=1███367 [+] URL: https://www.manta.com/c/mtmr6yw/rauch-█████████-███ [+] URL: https://www.kw.com/kw/agent/██████rauch Footprint reconnaissance for (717) ███.9539 Footprint reconnaissance for (717)███9539 [+] URL: http://phonelookupus.com/who-called-me/1/432███1704 Footprint reconnaissance for (717)███-9539 [+] URL: http://www.buzzfile.com/business/Rauch-█████████-███-██-██-████ [+] URL: https://www.whitepages.com/phone/1-717-███-9539 [+] URL: https://safer.fmcsa.dot.gov/query.asp%3Fquery_type%3DqueryCarrierSnapshot%26query_param%3DUSDOT%26query_string%3D1███367 [+] URL: https://www.manta.com/c/mtmr6yw/rauch-█████████-███ [+] URL: https://www.kw.com/kw/agent/██████rauch Footprint reconnaissance for (717)███.9539 [*] Running OSINT footprint reconnaissance... [i] Generating scan URL on 411.com... [+] Scan URL: https://www.411.com/phone/1-717-███-9539
Would you like to use an additional format for this number ? (y/N) n [i] ---- Web pages footprints ---- [i] Searching for footprints on web pages... (limit=10) [+] Result found: https://www.reverse-lookup.co/717-███-9539 [+] Result found: https://www.revealname.com/717-███-9539 [+] Result found: https://who-called.biz/state/pennsylvania/phones/1717███0000 [+] Result found: http://v-postal-cn.com/phones/note_17172780000_1717███9999_all2.htm [+] Result found: http://www.jihaoba.com/haoduan/xiaogan/1717███.htm [+] Result found: http://sm.cidu.net/gujialogall.asp?hm=1717███ [+] Result found: https://review-call.com/1717███0000 [+] Result found: https://number-review.com/1717███0000 [+] Result found: https://fast-scan.com/1717███0000 [i] Searching for documents... (limit=10) [i] ---- Reputation footprints ---- [i] Searching for reputation report on whosenumber.info... [i] Searching for phone fraud footprints... [i] Searching for reputation report on findwhocallsme.com... [i] Searching for reputation report on yellowpages.ca... [i] Searching for reputation report on phonenumbers.ie... [i] Searching for reputation report on who-calledme.com... [i] Searching for reputation report on usphonesearch.net... [i] Searching for reputation report on whocalled.us... [i] Searching for reputation report on quinumero.info... [i] Searching for reputation report on uk.popularphotolook.com... [i] Generating URL on scamcallfighters.com... [+] http://www.scamcallfighters.com/search-phone-1717███9539.html
Would you like to search for temporary number providers footprints ? (Y/n) n [i] ---- Social media footprints ---- [i] Searching for footprints on facebook.com... [i] Searching for footprints on twitter.com... [i] Searching for footprints on linkedin.com... [i] Searching for footprints on instagram.com... [i] ---- Phone books footprints ---- [i] Generating URL on True People... [+] https://www.truepeoplesearch.com/results?phoneno=+1717-███-9539 [i] Searching for footprints on numinfo.net... [i] Searching for footprints on sync.me... [i] Searching for footprints on whocallsyou.de... [i] Searching for footprints on pastebin.com... [i] Searching for footprints on whycall.me... [i] Searching for footprints on locatefamily.com... [i] Searching for footprints on spytox.com... Would you like to rerun OSINT scan ? (e.g to use a different format) (y/N) n [i] Scan finished.
Sometimes, this tool can get you temporarily blacklisted from Google searches because of the way it's programmed. It's annoying but easily resolved with a Google abuse exemption, detailed at the end of the video above.
As you can see above, there are lots of links to dive into, and right away the name and business associated with the phone number are available in the output.
Now, let's concentrate on the web tools that are free on Bazzel's website since they're a little bit easier to work with than with the command line tool above. To follow along, you can go to inteltechniques.com/menu.html, then click on the "Telephone Number" tab.
A submenu appears when you click on "Telephone Number," and you'll need to select the "Telephone Search Tool" to bring up the page that will allow us to search many tools at once.
As you can see, it's a healthy mix of people-searching tools, phonebook directories, scam reporting websites, and social media connections. These are free, public resources combined into one easy-to-use search tool, allowing anyone with a browser and internet connection to begin researching who is on the other end of a phone number.
We can input a number into each tool one by one, but the easiest way is to enter the number into the field at the top, and click "Populate All."
- Don't Miss: Use SpiderFoot for OSINT Gathering
In the search tool, enter the number into the field next to the "Populate All" button, then click the button to auto-populate the number into the rest of the fields. Next, select "Submit All" under the list of services to run all searches on the phone number. All of the services will open up in different tabs or pop-ups with the search already submitted (you may need to allow pop-ups in your browser).
Now, check out some of the resources loaded from the search. Here, some of the people searching services have turned our phone number into a name.
Along with the person's name is a startling amount of information, the most important of which is a location and address for us to tie together further details. We found a lot of results with the name, making a pretty strong likelihood that this is the person behind our ad. So how would we prove they are a licensed professional?
On another search site result, we can see the name of a business associated with the phone number, which is what we're looking for! If we can tie the name of a company and the name we've found associated with the number, we can look up a source we trust, like a state listing of active businesses, to determine whether this is a real business. Here, we have a name, address, and business name; everything we need to verify whether a business exists.
To check out the information we found, we should look for some primary source information that backs up our discovery. In our case, the best database to search is the Department of State business database for the state we discovered the business in. Here, we were able to pull a valid business listing, one which matches the address we previously found. It appears the person behind the online advertisement is honest — they are a licensed professional after all.
As a starting point, a phone number can provide everything you need to locate information about a target. With tools like Phoneinfoga, you can quickly discover whether a phone number is a throwaway or a legitimate number. If the number is real, the IntelTecniques website tools can piece together clues to build a picture of the person behind the phone number, sometimes quite literally.
With the right tools, a single phone number can lead you from clue to clue, piecing together everything you need to learn about a target.
I hope you enjoyed this guide to using phone numbers in an OSINT investigation! If you have any questions about this tutorial on phone number recon, or if you have a comment, ask below or feel free to reach me on Twitter @KodyKinzie.
It’s Black Friday week in the Null Byte shop! If you’ve been wanting to improve your skill set in hacker- and cybersecurity-geared topics such as Python, Raspberry Pi, and Linux, now’s the time. We’ve got huge sales on online courses, and we’ve outlined 13 favorites you won’t want to miss. Check them out!