Becoming a Twitter OSINT Ninja
Twitter analytics – socialbearing.com
For basic twitter account analysis I start here. Social bearing will give us several account statistics including when the account was created, what types of different devices the tweets come from (desktop, tweet deck, iPhone, android). The analysis can include up to 3200 tweets and loads 200 at a time. Recently @FBIRecordsVault became active and since it only has 131 tweets in the lifetime of its account it makes a good punching bag… I mean example:
Down the left side of the page are many useful statistics, keywords and geotags (if enabled). The main panel if you scroll down shows the tweets that you have queried for the stats above.
There are times when a Twitter account may be run by multiple account “managers”. The ‘tweets by source’ would be a good way to analyze this as we may see several different types of devices contributing to the account. This is an example of an account allegedly run by multiple people:
There are some API limitations (3200 tweets) so an account that’s been around for a while may have limited or partial results but there is good data on SocialBearing.com
URL manipulation with tinfoleak.com
Tinfoleak is another analytic site.
This example is to show how you can sometime manipulate the URL of a webpage to get past registrations or email captures.
To use Tinfoleak you are supposed to enter a twitter username for research and an email address that a link will be sent to that allows you access to the data. This is a work around compliments Mike Bazzell of Inteltechniques. Enter this in a web browser:
www.tinfoleak.com/reports/<TwitterUserName>.html
changing out <TwitterUserName> with a target twitter account.
The results seem to be varied, but when it works the readout gives you very streamlined recap of hashtags, mentions, media posts and geotags. Try it on a few accounts and see what works.
Protected Accounts?
With protected accounts we can’t see tweets unless were are confirmed by the account owner. Try entering to:TwitterUserName in the search field of twitter at the top right of your browser.
This will show you tweets to the protected account which is like seeing half of a conversation. Not ideal, but you can glean information sometimes.
This One Crazy Trick to Hack Protected Accounts
There is a theory online that if you create a brand new account and follow a protected account. Log out, log back in and check the ‘who to follow’ section of your new account you will see suggestions that your protected target account has associations with.
This may have been a successful tactic a few years ago but twitter has updated the secret sauce to prevent this from working today.
So What Else Can We Do?
Analytics of a protected account just shows account creation date and what the user has in their profile.
PIPL Search
Head to Mike Bazzell’s search tools click on Twitter on the left and enter the profile name into the PIPL search:
After you hit search take a look at your web URL:
https://api.pipl.com/search/v5/?username=realdonaldtrump&key=sample_key
Realdonaldtrump is where the twitter account goes you can just type in a new Twitter handle and try again.
sample_key shows that we are using a sample API key. You will run into limitations on the sample key at some point if you do repeated searches.
I recommend registering on Pipl.com and they will give you free API keys to use. If you hit the sample key limit, just copy and paste your key into the URL where it says sample_key.
The results vary just like any OSINT target will, but I have found real names, addresses, phone numbers, job history, and known associations just by searching a protected twitter account handle.
When Does Your Target Sleep? - Sleepingtime.org
This site has a simple enough interface, but you have to sign in with Twitter to use the service. Make a fake account if you don’t trust this. You can also log into your Twitter account settings later and revoke access to your account here:
https://twitter.com/settings/applications
Ok, so when do I sleep?
That is fairly accurate but note some caveats. If the user is in a different time zone or has their time zone set incorrectly you will get some variance in this report. Protected accounts do not report on sleeping time at all.
Let’s say our target works a 2nd or 3rd shift job the sleeping patterns will be shifted. If you are trying to locate somebody in real life (like say a private investigator might need to) this could be a great way to find your windows of opportunity to catch a target on the way to work.
The Jester’s Internet AWACS http://internetawacs.jesterscourt.cc/
The Jester’s site has a few settings with impressive readouts. The Jester has different alert monitoring nodes that are driven from the Twitter fire hose. Check those out for fun and then run the Deep Dive Search on your target account.
Psyche – Activity – Geolocation are analyzed. If you ever need somebody to test geolocation on, Steve Wozniak’s account is good for target practice @SteveWoz :
Geo maps
Ever since the free portion of Echosec became defunct, I’ve been looking for a good geo-mapping replacement for twitter. MapD and Tweetpaths are the sites I end up on the most now.
MapD from MIT - Mapd.csail.mit.edu/tweetmap
MIT’s MapD allows some map based research on hashtags. If you have a target that uses geo tagging you can find tweets by hashtag within the last 30 days.
As you might expect #grrcon, a security conference, only had about 5 geotag enabled tweets with the conference name tagged.
However a hashtag #iphone7 nets about 1400 geotag enabled tweets in the last 30 days.
Tweetpaths.com
Once you find an account with geotags enabled Tweetpaths.com is a great way to see where they’ve been. This is another site that requires a sign-in with your twitter account so, once again, use a fake account or know how to revoke the permissions afterwards.
We will pick on Woz again: Enter his user name in the top left, click on advanced options and check the show path option:
We can see that Steve likes to tweet when travelling and at dinner time.
Further Down the Rabbit Hole – Osintframework.com
Once you’ve gathered some data with your Twitter ninja skills head over to Justin’s (@jnordine) www.osintframework.com and see what other data you can pivot your way into. The framework has a few twitter tools up its sleeve:
I hope you enjoyed this peak into OSINT tactics on Twitter. If you have any techniques to share or comments please drop me a line on Twitter @baywolf88
Happy OSINTing!
