Skip to main content

Find Identifying Information from a Phone Number Using OSINT Tools

Find Identifying Information from a Phone Number Using OSINT Tools

Phone numbers often contain clues to the owner's identity and can bring up a lot of data during an OSINT investigation. Starting with a phone number, we can search through a large number of online databases with only a few clicks to discover information about a phone number. It can include the carrier, the owner's name and address, and even connected online accounts.
While a phone number may not seem like much information to give out, an OSINT researcher can quickly discover information that ties a phone number to a variety of other clues. The data can be used to detect whether a phone number is a throwaway VoIP number used to hide the owner's identity or a cell phone belonging to a real person. In the event of buying something online or replying to an apartment ad, this information is incredibly useful to know.
For a hacker, the ability to turn a phone number into multiple connected online accounts, email addresses, or screen names makes it a perfect starting point for bigger things to come. A quick scan to discover the carrier of a phone number can provide everything a hacker needs for a well-crafted phishing email pretending to be from the victim's carrier. Once a hacker can identify other details about the target that may be attached to the phone number, it's easy to identify the weakest link and attack the target using whatever information that's dug up.
 
 
 
Editor's note: The OSINT Tools by Mike Bazzel featured in this article was taken down from his website due to increased DDoS-style attacks, as well as DMCAs and cease-and-desists from some of the tools included. Phoneinfoga will still work in this guide, but for the others, you can try using each company's individual tool instead. You can see how it used to work, however, in the video and text below. 

OSINT Tools for Phone Numbers

For quickly searching through phone numbers, we can use both command-line and browser-based tools. Command line tools give the advantage of simple operation and greater customization but require you to have Python installed and updated. Today, we'll be using a tool called Phoneinfoga to quickly determine if the number is associated with a disposable phone number.
___ _                       _____        __
   / _ \ |__   ___  _ __   ___  \_   \_ __  / _| ___   __ _  __ _
  / /_)/ '_ \ / _ \| '_ \ / _ \  / /\/ '_ \| |_ / _ \ / _` |/ _` |
 / ___/| | | | (_) | | | |  __/\/ /_ | | | |  _| (_) | (_| | (_| |
 \/    |_| |_|\___/|_| |_|\___\____/ |_| |_|_|  \___/ \__, |\__,_|
                                                      |___/
 PhoneInfoga Ver. v1.6.4
 Coded by Sundowndev
One of the best resources for OSINT is Mike Bazzel's IntelTechniques website, which we'll also be focusing on here. This website contains several custom tools that Bazzel had organized to be useful for researchers. Many of these tools are already in Buscador OS, a virtual machine that can be run to provide an operating system geared towards OSINT investigations.

The Scenario

As an example, we'll take a sample business listing from a classified ad. How would we verify this? If the ad claims to be from a licensed professional, could we track down a license attached to the phone number? A simple reverse phone number lookup may find something, but to see the real data, you have to dig deeper and utilize more than just one reverse number lookup tool.

Step 1Install Phoneinfoga

To supplement the information you find online later, you can use a Python tool called Phoneinfoga, which allows you to search for details about phone numbers from the command line. To use Phoneinfoga, open a terminal window and enter the following four commands one by one or at the same time.

~$ git clone https://github.com/sundowndev/PhoneInfoga
~$ cd PhoneInfoga/
~/PhoneInfoga$ python3 -m pip install -r requirements.txt
~/PhoneInfoga$ cp config.example.py config.py

Cloning into 'PhoneInfoga'...
remote: Enumerating objects: 85, done.
remote: Counting objects: 100% (85/85), done.
remote: Compressing objects: 100% (79/79), done.
remote: Total 886 (delta 43), reused 12 (delta 6), pack-reused 801
Receiving objects: 100% (886/886), 247.47 KiB | 550.00 KiB/s, done.
Resolving deltas: 100% (461/461), done.

Requirement already satisfied: requests==2.21.0 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (2.21.0)
Collecting bs4==0.0.1 (from -r requirements.txt (line 2))
  Downloading https://files.pythonhosted.org/packages/10/ed/7e8b97591f6f456174139ec089c769f89a94a1a4025fe967691de971f314/bs4-0.0.1.tar.gz
Requirement already satisfied: html5lib==1.0.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 3)) (1.0.1)
Collecting phonenumbers==8.10.2 (from -r requirements.txt (line 4))
  Downloading https://files.pythonhosted.org/packages/d9/62/a176cfaf6edb90b68ae3426cf4fb8fd98189df550e2143cafc66bb2c1b82/phonenumbers-8.10.2-py2.py3-none-any.whl (3.2MB)
    100% |████████████████████████████████| 3.2MB 381kB/s
Collecting argparse==1.2.1 (from -r requirements.txt (line 5))
  Downloading https://files.pythonhosted.org/packages/6f/ad/86448942ad49c5fe05bfdf7ebc874807f521dfcca5ee543afaca2974ad5a/argparse-1.2.1.tar.gz (69kB)
    100% |████████████████████████████████| 71kB 5.8MB/s
Collecting urllib3==1.24.2 (from -r requirements.txt (line 6))
  Downloading https://files.pythonhosted.org/packages/df/1c/59cca3abf96f991f2ec3131a4ffe72ae3d9ea1f5894abe8a9c5e3c77cfee/urllib3-1.24.2-py2.py3-none-any.whl (131kB)
    100% |████████████████████████████████| 133kB 7.4MB/s
Collecting colorama==0.4.1 (from -r requirements.txt (line 7))
  Downloading https://files.pythonhosted.org/packages/4f/a6/728666f39bfff1719fc94c481890b2106837da9318031f71a8424b662e12/colorama-0.4.1-py2.py3-none-any.whl
Requirement already satisfied: beautifulsoup4 in /usr/lib/python3/dist-packages (from bs4==0.0.1->-r requirements.txt (line 2)) (4.7.1)
Building wheels for collected packages: bs4, argparse
  Running setup.py bdist_wheel for bs4 ... done
  Stored in directory: /root/.cache/pip/wheels/a0/b0/b2/4f80b9456b87abedbc0bf2d52235414c3467d8889be38dd472
  Running setup.py bdist_wheel for argparse ... done
  Stored in directory: /root/.cache/pip/wheels/30/35/38/aa7be52cca01ed539bd6f3789edb8489691cc7d9a010cbc982
Successfully built bs4 argparse
Installing collected packages: bs4, phonenumbers, argparse, urllib3, colorama
  Found existing installation: urllib3 1.24.1
    Not uninstalling urllib3 at /usr/lib/python3/dist-packages, outside environment /usr
    Can't uninstall 'urllib3'. No files were found to uninstall.
  Found existing installation: colorama 0.3.7
    Not uninstalling colorama at /usr/lib/python3/dist-packages, outside environment /usr
    Can't uninstall 'colorama'. No files were found to uninstall.
Successfully installed argparse-1.2.1 bs4-0.0.1 colorama-0.4.1 phonenumbers-8.10.2 urllib3-1.24.2
Next, you can run the program with the options displayed in the help file.

~/PhoneInfoga$ python3 phoneinfoga.py -h

usage: phoneinfoga.py -n <number> [options]

Advanced information gathering tool for phone numbers
(https://github.com/sundowndev/PhoneInfoga) version v1.6.4

optional arguments:
  -h, --help            show this help message and exit
  -n number, --number number
                        The phone number to scan (E164 or international
                        format)
  -i input_file, --input input_file
                        Phone number list to scan (one per line)
  -o output_file, --output output_file
                        Output to save scan results
  -s scanner, --scanner scanner
                        The scanner to use
  --recon               Launch custom format reconnaissance
  --no-ansi             Disable colored output
  -v, --version         Show tool version

Step 2Search a Phone Number with Phoneinfoga

To search for a phone number, we just need to add the -n flag and then whatever number we want to search for. If you use the --recon argument, it will perform an advanced search.

~/PhoneInfoga$ python3 phoneinfoga.py -n 1717███9539 --recon

    ___ _                       _____        __
   / _ \ |__   ___  _ __   ___  \_   \_ __  / _| ___   __ _  __ _
  / /_)/ '_ \ / _ \| '_ \ / _ \  / /\/ '_ \| |_ / _ \ / _` |/ _` |
 / ___/| | | | (_) | | | |  __/\/ /_ | | | |  _| (_) | (_| | (_| |
 \/    |_| |_|\___/|_| |_|\___\____/ |_| |_|_|  \___/ \__, |\__,_|
                                                      |___/
 PhoneInfoga Ver. v1.6.4
 Coded by Sundowndev

[!] ---- Fetching informations for 1717███9539 ---- [!]
[*] Running local scan...
[+] International format: +1 717-███-9539
[+] Local format: 717███9539
[+] Country found: United States (+1)
[+] City/Area: Pennsylvania
[+] Carrier:
[+] Timezone: America/New_York
[i] The number is valid and possible.
[*] Running Numverify.com scan...
[!] Numverify.com is not available
[*] Running OVH scan...
[*] Running custom format reconnaissance...
Footprint reconnaissance for 717███9539
[+] URL: https://www.reverse-lookup.co/717-███-9539
[+] URL: http://staging.thatsthem.com/phone/717-███-9539
[+] URL: https://www.revealname.com/717-███-9539
[+] URL: https://www.okcaller.com/717███9586
[+] URL: http://www.ncsusigmanu.com/g-i/717/ig/███/9
Footprint reconnaissance for 1 717███9539
Footprint reconnaissance for 1 717 ███9539
Footprint reconnaissance for 717 ███9539
[+] URL: http://phonelookupus.com/who-called-me/1/432███1704
Footprint reconnaissance for 717-███9539
[+] URL: http://phonelookupus.com/who-called-me/1/432███1704
Footprint reconnaissance for 717-███-9539
[+] URL: http://www.buzzfile.com/business/Rauch-█████████-███-██-██-████
[+] URL: https://www.whitepages.com/phone/1-717-███-9539
[+] URL: https://safer.fmcsa.dot.gov/query.asp?query_type=queryCarrierSnapshot&query_param=USDOT&query_string=1███367
[+] URL: https://www.manta.com/c/mtmr6yw/rauch-█████████-███
[+] URL: https://www.kw.com/kw/agent/██████rauch
Footprint reconnaissance for +1 717-███-9539
[+] URL: https://phonescheck.com/717-███
[+] URL: https://mobphonescheck.com/717-███
[+] URL: http://uk.popularphotolook.com/717-███-95
[+] URL: https://ownertelephone.com/1717███7777
[+] URL: http://opencallerlistings.com/listing/717-███-95
Footprint reconnaissance for (+1)717-███-9539
[+] URL: https://www.whitepages.com/phone/1-717-███-9539
[+] URL: https://www.whitepages.com/phone/1-717-███-9XXX
[+] URL: https://www.whitepages.ca/phone/1-717-███-9538
[+] URL: http://www.google.comhttp://mrnumber.com/1-717-███%3Fpage%3D4%26thousand%3D9
[+] URL: http://www.google.comhttp://uk.popularphotolook.com/717-███-95
Footprint reconnaissance for +1/717-███-9539
[+] URL: https://www.whitepages.com/phone/1-717-███-9539
[+] URL: https://www.whitepages.com/phone/1-717-███-95XX
[+] URL: https://www.whitepages.ca/phone/1-717-███-9538
[+] URL: http://mrnumber.com/1-717-███%3Fpage%3D4%26thousand%3D9
[+] URL: http://uk.popularphotolook.com/717-███-95
Footprint reconnaissance for (717) ███9539
[+] URL: http://phonelookupus.com/who-called-me/1/432███1704
Footprint reconnaissance for (717) ███-9539
[+] URL: http://www.buzzfile.com/business/Rauch-█████████-███-██-██-████
[+] URL: https://www.whitepages.com/phone/1-717-███-9539
[+] URL: https://safer.fmcsa.dot.gov/query.asp?query_type=queryCarrierSnapshot&query_param=USDOT&query_string=1███367
[+] URL: https://www.manta.com/c/mtmr6yw/rauch-█████████-███
[+] URL: https://www.kw.com/kw/agent/██████rauch
Footprint reconnaissance for (717) ███.9539
Footprint reconnaissance for (717)███9539
[+] URL: http://phonelookupus.com/who-called-me/1/432███1704
Footprint reconnaissance for (717)███-9539
[+] URL: http://www.buzzfile.com/business/Rauch-█████████-███-██-██-████
[+] URL: https://www.whitepages.com/phone/1-717-███-9539
[+] URL: https://safer.fmcsa.dot.gov/query.asp%3Fquery_type%3DqueryCarrierSnapshot%26query_param%3DUSDOT%26query_string%3D1███367
[+] URL: https://www.manta.com/c/mtmr6yw/rauch-█████████-███
[+] URL: https://www.kw.com/kw/agent/██████rauch
Footprint reconnaissance for (717)███.9539
[*] Running OSINT footprint reconnaissance...
[i] Generating scan URL on 411.com...
[+] Scan URL: https://www.411.com/phone/1-717-███-9539
Would you like to use an additional format for this number ? (y/N)  n

[i] ---- Web pages footprints ----
[i] Searching for footprints on web pages... (limit=10)
[+] Result found: https://www.reverse-lookup.co/717-███-9539
[+] Result found: https://www.revealname.com/717-███-9539
[+] Result found: https://who-called.biz/state/pennsylvania/phones/1717███0000
[+] Result found: http://v-postal-cn.com/phones/note_17172780000_1717███9999_all2.htm
[+] Result found: http://www.jihaoba.com/haoduan/xiaogan/1717███.htm
[+] Result found: http://sm.cidu.net/gujialogall.asp?hm=1717███
[+] Result found: https://review-call.com/1717███0000
[+] Result found: https://number-review.com/1717███0000
[+] Result found: https://fast-scan.com/1717███0000
[i] Searching for documents... (limit=10)
[i] ---- Reputation footprints ----
[i] Searching for reputation report on whosenumber.info...
[i] Searching for phone fraud footprints...
[i] Searching for reputation report on findwhocallsme.com...
[i] Searching for reputation report on yellowpages.ca...
[i] Searching for reputation report on phonenumbers.ie...
[i] Searching for reputation report on who-calledme.com...
[i] Searching for reputation report on usphonesearch.net...
[i] Searching for reputation report on whocalled.us...
[i] Searching for reputation report on quinumero.info...
[i] Searching for reputation report on uk.popularphotolook.com...
[i] Generating URL on scamcallfighters.com...
[+] http://www.scamcallfighters.com/search-phone-1717███9539.html
Would you like to search for temporary number providers footprints ? (Y/n) n

[i] ---- Social media footprints ----
[i] Searching for footprints on facebook.com...
[i] Searching for footprints on twitter.com...
[i] Searching for footprints on linkedin.com...
[i] Searching for footprints on instagram.com...
[i] ---- Phone books footprints ----
[i] Generating URL on True People...
[+] https://www.truepeoplesearch.com/results?phoneno=+1717-███-9539
[i] Searching for footprints on numinfo.net...
[i] Searching for footprints on sync.me...
[i] Searching for footprints on whocallsyou.de...
[i] Searching for footprints on pastebin.com...
[i] Searching for footprints on whycall.me...
[i] Searching for footprints on locatefamily.com...
[i] Searching for footprints on spytox.com...

Would you like to rerun OSINT scan ? (e.g to use a different format) (y/N) n

[i] Scan finished.
Sometimes, this tool can get you temporarily blacklisted from Google searches because of the way it's programmed. It's annoying but easily resolved with a Google abuse exemption, detailed at the end of the video above.

As you can see above, there are lots of links to dive into, and right away the name and business associated with the phone number are available in the output.

Step 3Access the IntelTechniques OSINT Portal

Now, let's concentrate on the web tools that are free on Bazzel's website since they're a little bit easier to work with than with the command line tool above. To follow along, you can go to inteltechniques.com/menu.html, then click on the "Telephone Number" tab.
A submenu appears when you click on "Telephone Number," and you'll need to select the "Telephone Search Tool" to bring up the page that will allow us to search many tools at once.
As you can see, it's a healthy mix of people-searching tools, phonebook directories, scam reporting websites, and social media connections. These are free, public resources combined into one easy-to-use search tool, allowing anyone with a browser and internet connection to begin researching who is on the other end of a phone number.
We can input a number into each tool one by one, but the easiest way is to enter the number into the field at the top, and click "Populate All."

Step 4Search a Phone Number on IntelTechniques

In the search tool, enter the number into the field next to the "Populate All" button, then click the button to auto-populate the number into the rest of the fields. Next, select "Submit All" under the list of services to run all searches on the phone number. All of the services will open up in different tabs or pop-ups with the search already submitted (you may need to allow pop-ups in your browser).

Step 5Search Results for Clues & Patterns

Now, check out some of the resources loaded from the search. Here, some of the people searching services have turned our phone number into a name.
Along with the person's name is a startling amount of information, the most important of which is a location and address for us to tie together further details. We found a lot of results with the name, making a pretty strong likelihood that this is the person behind our ad. So how would we prove they are a licensed professional?

Step 6Locate Information That Can Be Verified

On another search site result, we can see the name of a business associated with the phone number, which is what we're looking for! If we can tie the name of a company and the name we've found associated with the number, we can look up a source we trust, like a state listing of active businesses, to determine whether this is a real business. Here, we have a name, address, and business name; everything we need to verify whether a business exists.

Step 7Verify with Primary Source Data

To check out the information we found, we should look for some primary source information that backs up our discovery. In our case, the best database to search is the Department of State business database for the state we discovered the business in. Here, we were able to pull a valid business listing, one which matches the address we previously found. It appears the person behind the online advertisement is honest — they are a licensed professional after all.

Phone Numbers Can Tie Everything Together

As a starting point, a phone number can provide everything you need to locate information about a target. With tools like Phoneinfoga, you can quickly discover whether a phone number is a throwaway or a legitimate number. If the number is real, the IntelTecniques website tools can piece together clues to build a picture of the person behind the phone number, sometimes quite literally.
With the right tools, a single phone number can lead you from clue to clue, piecing together everything you need to learn about a target.
I hope you enjoyed this guide to using phone numbers in an OSINT investigation! If you have any questions about this tutorial on phone number recon, or if you have a comment, ask below or feel free to reach me on Twitter @KodyKinzie.

Comments

Popular posts from this blog

Difference Between POP3 and IMAP

Difference Between POP3 and IMAP POP3 and IMAP are the protocols that are used to retrieve mail from the mailbox at the mail server to the recipient’s computer. Both are message accessing agents (MAA). The two protocols POP3 and IMAP are used when both the sender and recipient of mail are connected to the mail server by WAN or LAN .  SMTP protocol transfers the mail from client’s computer to the mail server and from one mail server to another mail server.POP3 has a limited functionality whereas, the IMAP has extra features over POP3. The basic difference between POP3 and IMAP is that using POP3 ; the user has to download the email before checking its content whereas, the user can partially check the content of mail before downloading it, using IMAP . Let us check out some more differences between POP and IMAP with the help of comparison chart. Content: POP3 Vs IMAP Comparison Chart Definition Key Differences Conclusion Comparison Chart Basis for Comparison POP...

How to use hping3 in kali Linux(Performing dos attack)

How to use hping3 in kali Linux (Performing dos attack) What is hping3 hping3 is a network tool able to send custom TCP/IP packets and to dis‐ play target replies like ping program does with ICMP replies. hping3 handle fragmentation, arbitrary packets body and size and can be used in order to transfer files encapsulated under supported protocols. Hping3 is extremely powerful you can do following things with hping3 Test firewall rules Advanced port scanning Test net performance using different protocols, packet size, TOS (type of service) and fragmentation. Path MTU discovery Transferring files between even really fascist firewall rules. Traceroute-like under different protocols. Firewalk-like usage. What is dos Attack Dos stands for denial of service. Dos attack shuts down Webservers/systems and completely makes them inaccessible to users. Dos attack floods target network with excess ...