Chris Maddalena edited this page Aug 30, 2018 · 3 revisions

ODIN

Observe, Detect, and Investigate Networks



Current version: v2.0.0 "Huginn"

A Python tool for automating intelligence gathering, asset discovery, and reporting. ODIN is still in active development, so check the dev branch for the bleeding edge. Feedback is welcome!

Note: ODIN is designed to be run on Linux and is tested on macOS. 99% of it will absolutely work on Windows or macOS with Python 3.7, but the extract tool, used for pulling metadata from non-PDF files (e.g. Office documents), is exclusive to Linux. You'll be fine using an OS without access to extract, but you'll see some warnings and get less information. You can always extract the metadata yourself later from the downloaded files! Office document metadata extraction will hopefully be implemented in Python in a future release.

You may also want a SQLite3 database viewer/browser (to run your own custom queries against the OSINT database) and Neo4j installed (to view graphs of the external perimeter). Neo4j is strongly recommended! The graphs and tables you can create are powerful tools for analysis and presentations. See the NEO4J.md documentation in the docs folder for examples and additional information.

What Can ODIN Do?

ODIN aims to automate the basic recon tasks used by red teams to discover and collect data on network assets, including domains, IP addresses, and internet-facing systems. The key feature of ODIN is the data management and reporting. The data is organized in a database and then, optionally, that database can be converted into an HTML report or a Neo4j graph database for visualizing the data.

ODIN performs this in multiple phases:

Phase 1 - Asset Discovery

  • Collect basic organization information from sources like the Full Contact marketing database.
  • Check DNS Dumpster, Netcraft, and TLS certificates to discover subdomains for the provided domains.
  • Resolve domain and subdomains to IP addresses via socket connections and DNS records.
  • Collect information for all IP addresses, such as ownership and organization data, from RDAP, whois, and other data sources.
  • Look up domains and search for IP addresses on Shodan to collect additional data, such as operating systems, service banners, and open ports.
  • Check for the possibility of takeovers and domain fronting with the domains and subdomains.

Phase 2 - Employee Discovery

  • Harvest email addresses and employee names for the target organization.
  • Link employees to social media profiles via search engines and the Twitter API.
  • Cross-check discovered email addresses against Troy Hunt's Have I Been Pwned.

Phase 3 - Cloud and Web Services

  • Hunt for Office files and PDFs under the target domain, download them, and extract metadata.
  • Search for AWS S3 buckets and Digital Ocean Spaces using keywords related to the organization.
  • Take screenshots of discovered web services for a quick, early review of services.

Phase 4 - Reporting

  • Save all data to a SQLite3 database to allow the data to be easily queried.
  • Generate an HTML report using default SQL queries to make it simple to peruse the data in a web browser.
  • Create a Neo4j graph database that ties all of the discovered entities (IP addresses, domains, subdomains, ports, and certificates) together with relationships (e.g. RESOLVES_TO, HAS_PORT).

At the end of all of this you will have multiple ways to browse and visualize the data. Even a simple Neo4j query like MATCH (n) RETURN n (display everything) can create a fascinating graph of the organization's external perimeter and make it simple to see how assets are linked. The wiki pages on Neo4j contain better query examples.
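To make the Phase 4 data flow concrete (SQLite storage, a default-style report query, and conversion to a Neo4j graph with RESOLVES_TO and HAS_PORT relationships), here is an added Python example. It is not ODIN's own code: the single-table schema, the node labels (Domain, Subdomain, IP, Port) and the SUBDOMAIN_OF relationship are assumptions, only the RESOLVES_TO and HAS_PORT names come from the page, and the asset rows are constructed sample data rather than real findings. It emits Cypher text you could paste into the Neo4j browser, and quotes every value because DNS and OSINT data is attacker-influenced and must not be spliced raw into a query.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample findings (not real ODIN output) of the kind Phase 1 collects:
# (domain, subdomain, resolved IP, open port).
SAMPLE_ASSETS: List[Tuple[str, str, str, int]] = [
    ("example.com", "www.example.com", "203.0.113.10", 443),
    ("example.com", "www.example.com", "203.0.113.10", 80),
    ("example.com", "mail.example.com", "203.0.113.25", 25),
    ("example.com", "example.com", "203.0.113.10", 443),
    # A name containing a quote, as hostile DNS data might.
    ("example.com", "o'neil.example.com", "203.0.113.25", 443),
]


def build_db(assets=SAMPLE_ASSETS) -> sqlite3.Connection:
    """Load findings into an in-memory SQLite database.
    The one-table schema is an assumption for this example, not ODIN's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (domain TEXT, subdomain TEXT, ip TEXT, port INTEGER)")
    # Parameterised insert: values come from external sources, never format them into SQL.
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?, ?)", assets)
    conn.commit()
    return conn


def ports_per_ip(conn: sqlite3.Connection) -> Dict[str, List[int]]:
    """A default-style report query: distinct open ports grouped by IP address."""
    result: Dict[str, List[int]] = {}
    for ip, port in conn.execute("SELECT DISTINCT ip, port FROM hosts ORDER BY ip, port"):
        result.setdefault(ip, []).append(port)
    return result


def cypher_str(value: str) -> str:
    """Quote a value as a Cypher string literal, escaping backslashes and single quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def to_cypher(conn: sqlite3.Connection) -> List[str]:
    """Emit idempotent MERGE statements modelling the findings as a graph.
    RESOLVES_TO and HAS_PORT are ODIN's relationship names; the node labels and
    SUBDOMAIN_OF are assumptions made for this example."""
    statements: List[str] = []
    seen = set()

    def emit(stmt: str) -> None:
        if stmt not in seen:  # each node and edge once, in first-seen order
            seen.add(stmt)
            statements.append(stmt)

    for domain, sub, ip, port in conn.execute("SELECT domain, subdomain, ip, port FROM hosts"):
        d, s, i, p = cypher_str(domain), cypher_str(sub), cypher_str(ip), int(port)
        # A row whose host equals the domain is the apex domain, not a subdomain.
        label = "Domain" if sub == domain else "Subdomain"
        emit(f"MERGE (:Domain {{name: {d}}})")
        emit(f"MERGE (:{label} {{name: {s}}})")
        emit(f"MERGE (:IP {{address: {i}}})")
        emit(f"MERGE (:Port {{number: {p}}})")
        if label == "Subdomain":
            emit(f"MATCH (s:Subdomain {{name: {s}}}), (d:Domain {{name: {d}}}) "
                 f"MERGE (s)-[:SUBDOMAIN_OF]->(d)")
        emit(f"MATCH (h:{label} {{name: {s}}}), (i:IP {{address: {i}}}) "
             f"MERGE (h)-[:RESOLVES_TO]->(i)")
        emit(f"MATCH (i:IP {{address: {i}}}), (p:Port {{number: {p}}}) "
             f"MERGE (i)-[:HAS_PORT]->(p)")
    return statements


if __name__ == "__main__":
    db = build_db()
    print(ports_per_ip(db))
    print("\n".join(to_cypher(db)))
```

Once the statements have been run, MATCH (n) RETURN n shows the whole perimeter, and a query such as MATCH (:Subdomain)-[:RESOLVES_TO]->(i:IP)-[:HAS_PORT]->(p:Port) RETURN i, p answers "which ports are exposed on hosts we only found through subdomain discovery" directly from the graph.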