The Operative Framework is a powerful Python-based open-source intelligence (OSINT) tool that can be used to find domains registered by the same email address, as well as many other investigative functions. This reconnaissance tool provides insight about your target through examining relationships in the domains they own.
Today, I'll show you how to run a web domain through both a WHOIS query and through an email-to-domain query. This will let us build a profile on a target, and ultimately, link the results to entries in primary-source data (like business filings and government databases) that contain a wealth of information.
The internet is a rich source of data about people, organizations, and the various records and registrations they leave behind through their journey on the web. The Operative Framework tags, collects, and correlates this information. Taken together, it becomes simple to create a complete picture of a person or business from within a familiar framework interface.
The amount of information that can be accessed with a few keystrokes often surprises people who submitted the information into the public domain in the first place, without knowing how easy it would be to find. Tools like theHarvester can turn up the personal and work email addresses of a target, which can be run through the Operative Framework to fingerprint and expand our knowledge of a person by mining the data for relationships.
Tools like Maltego are robust frameworks to conduct investigations, but lighter OSINT modules and scripts exist to accomplish more specific OSINT investigations.
A favorite of mine is the Operative Framework (obviously), which provides a uniquely well-equipped suite to conduct reconnaissance on individuals or organizations from online databases. The Operative Framework allows you to conduct reverse WHOIS queries to email addresses and other information to correlate information. This creates a detailed overall picture by stitching together many details about a person or business from WHOIS and social directories.
This tutorial will focus on installing the Operative Framework and running the email-to-domain tool to use found emails and discover other domains owned by an individual. While many people register their domains privately, domain registrars can leak the information anyway. Using research or scraping tools, or even just a person's business card, we will discover if they own any domains related to that email account.
This tool is most useful to run against businesses, business owners, and anyone likely to own online domains. It is possible to determine what kind of business a person is in, what assets they own, and other information by examining the web domains they have purchased to support such projects.
We will need Python to use the Operative Framework, but the benefit is that this allows the tool to run on macOS (aka Mac OS X), Windows, or Kali Linux. You can set it up by cloning the Git directory by typing the following into terminal.
git clone https://github.com/graniet/operative-framework.git
pip install -r requirements.txt
If you don't have pip, you can get it by running the following and installing via the python setup.py.
git clone https://github.com/pypa/pip.git
The Operative Framework is more similar to Metasploit than it to theHarvester. You can run modules which require you to set variables to then execute the module. You can examine the list of modules by typing modules.
To select a module, you'll type use (the path of the module to use).
In this case, we will be running an email-to-domain search. First, let's generate a sample to run through our list. We will run a domain through the WHOIS module to pull an email address and see if the registrar owns any other domains. To load the WHOIS module, type this into the terminal:
Once we are in a module, we can see the available options by typing the following.
It is fussy about the underscore, and doesn't understand any other way of asking about options. In this case, we're trying to learn some info about technology, so let's use the random example technology.info.
Here we see that "website" is the only unset option. Let's set this as the example with the following.
Bam! We get an email address for us to feed into the reverse domain tool. Type Control C to go back to the main menu, and then load the email to domain module by entering the text below.
We will set our sample email the same way we set the website in the last module. Run the following.
Run show_options to confirm the variable is set and then type run to begin the search. Here, we can see the results of the module. If the target does not own any domains, you can expect to see no results.
In our example, our search brings us back to an umbrella of domains owned by a single entity. When the website for the active entity on the domain is visited, it seems the business is a domain management portfolio specializing in technology-related domains.
This is the point at which we can make some decisions about where further information can be found to definitively correlate a person behind an email or domain. The Operative Framework contains a fingerprinting framework database to help collect and organize details about a target, which I will teach in future tutorials.
To expand our search, we should combine our domain pull with a query to a city, state, or local government agency database to provide primary source information.
In our example domain, I narrowed the search to target the director of the business. Via the main domain, I see they have a California subsidiary, which means it's worth running a check with the California Secretary of State database.
No luck there for corporations or LLCs, but the UK equivalent for their home office has a bounty of information including corporate filings and other information about the current staff and directors. In those documents, I was able to find the executive director's personal details including date of birth and individual email address for contacting.
The Operative Framework is a tool to help you pull clues together to fill in pieces of an investigation. By running queries on who owns a domain, and an email-to-domain query to assess what other domains they own, you can quickly assess a target.
A target business's operations, locations, and other information is easy to infer from this data. Here, we were able to go from a randomly selected domain to the ability to contact the director of the company who owns it through a series of database pulls.
An important note about OSINT tools — you must have a goal with your investigation, and the question you are answering must make sense. If it doesn't, your answer will not make sense either.