Browsing GitHub I found a very interesting OSINT tool called GoSearch. Like many others, this tool lets us find someone on the Internet by their username. So far, more of the same. However, GoSearch also finds email leaks and machines compromised by infostealers.
Installing GoSearch.
To install GoSearch you need to have Go (the programming language) installed beforehand. If you don't have it yet, you can download it here for your Linux, Mac or Windows operating system. I installed it on a Kali Linux system with the following steps in the terminal:
wget https://dl.google.com/go/go1.23.6.linux-386.tar.gz # Downloads the package (linux-386 is the 32-bit x86 build; pick the archive that matches your architecture).
tar -xvf go1.23.6.linux-386.tar.gz # Extracts it.
sudo mv go /usr/local # Moves the directory that contains the package to /usr/local/
export PATH=$PATH:/usr/local/go/bin # Adds the binary to the PATH environment variable.
To check that Go is installed we type the command go version and, in my case, the output is: go version go1.23.6 linux/amd64. You will see the version you installed, obviously. With Go installed we can now download and run GoSearch. This is also very simple. In the same terminal we type:
go install github.com/ibnaleem/gosearch@latest
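That will install the latest version of GoSearch on our system. The binary is placed in Go's bin directory ($HOME/go/bin by default), which must be in PATH for the gosearch command to be found.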
Usage.
GoSearch is one of the simplest tools of its kind. Just give it a username and it does the rest. Let's try it with a bodeguero (paid online troll) of Petrismo who calls himself FisicoImpuro. The command is as simple as gosearch FisicoImpuro. The response was:
GoSearch returned quite a lot of information about that bodeguero. However, all these tools also return false positives. We must confirm that the profiles found really belong to the target we are investigating.
There is no doubt. It is the same repulsive, pitiful and insignificant individual who is paid out of our taxes to defend the indefensible comrade Aureliano. Let's leave that clown alone so that he doesn't go playing the victim later, and move on.
Now we are going to search for another user, but asking GoSearch to find, in addition to their public profiles, leaks of both their possible email addresses and infostealer infections.
💡 Infostealers are a type of malware whose goal, once they have infected their victims' machines, is to steal their confidential information, especially usernames and passwords saved in browsers. The most recent versions of infostealers also steal cryptocurrency wallet information.
For this we will need the BreachDirectory API (Application Programming Interface), which is free (although with usage limits). To get it we go to the site, click where it says API, obviously, create an account, which takes us to RapidAPI, and that's it.
I'm going to search for a hypothetical user named Castor. The command used was: gosearch Castor [your-api-key-here]. And the output was:
[!] A yellow link indicates that I was unable to verify whether the username exists on the platform.
Fucking madness. If I were really investigating that individual I would check every single result, but that is not the case. What I want to show is what the GoSearch tool found regarding infostealers and email leaks. Let's see:
[*] Searching HudsonRock's Cybercrime Intelligence Database...
:: This username is associated with a computer that was infected by an info-stealer, all the credentials saved on this computer are at risk of being accessed by cybercriminals.
[-] Stealer #1
:: Stealer Family: Lumma
:: Date Compromised: 2025-01-30T15:42:20.000Z
:: Computer Name: TOSHIBA
:: Operating System: Windows 11 Pro (10.0.22000) x64
:: Malware Path: C:\Users\TOSHIBA\AppData\Local\Temp\745469\AutoIt3.exe
:: IP: 124.107.***.***
[-] Top Passwords:
:: c**********y
:: a*********4
:: A*********4
:: [*********]
:: A**********4
[-] Top Logins:
:: a********l
:: m*********@gmail.com
:: d***x
:: a***********@gmail.com
:: d*******3
[-] Stealer #2
:: Stealer Family: Lumma
:: Date Compromised: 2025-01-29T17:39:39.000Z
:: Computer Name: sisca
:: Operating System: Windows 10 Pro (10.0.19041) x64
:: Malware Path: C:\WINDOWS\SysWOW64\explorer.exe
:: IP: 103.105.**.**
[-] Top Passwords:
:: 0*******a
:: i*****9
:: s*******6
:: 5*********h
:: S*******6
[-] Top Logins:
:: s**************@gmail.com
:: 0**********5
:: s************@gmail.com
:: 0********4
:: j******e
[-] Stealer #3
:: Stealer Family: Lumma
:: Date Compromised: 2024-12-27T11:46:42.000Z
:: Computer Name: casto
:: Operating System: Windows 10 Pro (10.0.19045) x64
:: Malware Path: C:\Windows\SysWOW64\explorer.exe
:: IP: 181.233.**.***
[-] Top Passwords:
:: D*******
:: D*******
:: 0******2
:: c******0
:: D*******
[-] Top Logins:
:: c**********@gmail.com
:: c*********@gmail.com
:: c********a
:: 1******0
:: c*******m
[-] Stealer #4
:: Stealer Family: Lumma
:: Date Compromised: 2024-12-18T09:30:52.000Z
:: Computer Name: IT-SPECIALIST (SAM)
:: Operating System: Windows 10 Pro (10.0.19045) x64
:: Malware Path: C:\Users\IT-SPE~1\AppData\Local\Temp\ensuer.com
:: IP: 119.94.***.***
[-] Top Passwords:
:: p***************************************************************************=
:: @*********!
:: @********4
:: v*******1
:: s******9
[-] Top Logins:
:: e************@gmail.com
:: s**************@vynexsigns.com
:: 0*********9
:: s***********************@gmail.com
:: k*********@vynexsigns.com
[-] Stealer #5
:: Stealer Family: Lumma
:: Date Compromised: 2024-12-14T23:42:33.000Z
:: Computer Name: User
:: Operating System: Windows 10 Pro (10.0.19045) x64
:: Malware Path: C:\Users\User\Desktop\Wondershare Filmora\Set-up.exe
:: IP: 95.92.***.***
[-] Top Passwords:
:: [*********]
:: 1**********o
:: 1**********o
:: S********e
:: 1****************2
[-] Top Logins:
:: v****************@gmail.com
:: 1****@aepinhalfrades.edu.pt
:: c*********o
:: 1***7
:: c****o
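To act on a report like the one above for accounts you are responsible for, the records can be parsed and bucketed by where the stealer ran, which tells the responder which machine to reimage and from what date saved credentials must be rotated. This Go program is an added example, not GoSearch code; it assumes the output arrives with one field per line, and ParseReport, PathClass and the sample values are made up here.

```go
package main

import (
	"fmt"
	"strings"
)

// sample is constructed for this example: the report's layout, one field per line, made-up values.
const sample = `[-] Stealer #1
:: Date Compromised: 2025-01-30T15:42:20.000Z
:: Computer Name: LAB-PC-01
:: Malware Path: C:\Users\demo\AppData\Local\Temp\123456\sample.exe
[-] Top Logins:
:: d***@example.com
[-] Stealer #2
:: Date Compromised: 2024-12-27T11:46:42.000Z
:: Computer Name: LAB-PC-02
:: Malware Path: C:\Windows\SysWOW64\explorer.exe`

// ParseReport returns one field map per "[-] Stealer #N" block; other sections are skipped.
func ParseReport(out string) []map[string]string {
	var recs []map[string]string
	inRecord := false
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[-]") { // section header
			if inRecord = strings.HasPrefix(line, "[-] Stealer #"); inRecord {
				recs = append(recs, map[string]string{})
			}
			continue
		}
		if key, val, ok := strings.Cut(strings.TrimPrefix(line, ":: "), ": "); ok && inRecord {
			recs[len(recs)-1][key] = val
		}
	}
	return recs
}

// PathClass buckets the path; the buckets are a triage heuristic chosen for this example.
func PathClass(path string) string {
	p := strings.ToLower(path)
	switch {
	case strings.Contains(p, `\appdata\`), strings.Contains(p, `\desktop\`):
		return "user-writable" // dropped file in the user's profile
	case strings.HasPrefix(p, `c:\windows\`):
		return "windows-dir" // ran as, or inside, a system binary
	}
	return "other"
}

func main() {
	for _, r := range ParseReport(sample) {
		fmt.Println(r["Computer Name"], r["Date Compromised"], PathClass(r["Malware Path"]))
	}
}
```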
Great. If what we are looking for is of great interest, we can pay for the Hudson Rock service and unlock the full information. Now let's see what GoSearch found regarding email leaks for the username Castor:
[*] Searching Castor on ProxyNova for any compromised passwords...
[+] Found 2726 compromised passwords for Castor:
It found more than 2,000 compromised passwords! The best part is that it gives us the passwords in plain text. Those passwords, even if they no longer give access to the services, are very useful because we know that most Internet users change their passwords to variations of their previous ones, for example, castor16 to castor61 🙁 That being so, what we can do is create custom dictionaries based on the information we already know.
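The defender's side of that observation is a password-change check that rejects a new password when it is only a variation of one already known to be leaked. This is an added example in Go, not code from GoSearch or from the original post; the function names and both thresholds (a quarter of the old length, one edit on the trimmed word) are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

func least(x, y int) int {
	if y < x {
		return y
	}
	return x
}

// osa is the optimal string alignment distance: the number of inserts, deletes,
// substitutions and swaps of two adjacent characters that turn a into b.
func osa(a, b []rune) int {
	d := make([][]int, len(a)+1)
	for i := range d {
		d[i] = make([]int, len(b)+1)
		d[i][0] = i
	}
	for j := range d[0] {
		d[0][j] = j
	}
	for i := 1; i <= len(a); i++ {
		for j := 1; j <= len(b); j++ {
			d[i][j] = d[i-1][j-1] // same character, no edit
			if a[i-1] != b[j-1] {
				d[i][j] = least(d[i-1][j-1], least(d[i-1][j], d[i][j-1])) + 1
				if i > 1 && j > 1 && a[i-1] == b[j-2] && a[i-2] == b[j-1] {
					d[i][j] = least(d[i][j], d[i-2][j-2]+1)
				}
			}
		}
	}
	return d[len(a)][len(b)]
}

// IsVariation reports whether candidate is a near copy of a breached password: within
// len/4 edits of it, or the same word (one edit of slack) with other digits and symbols around it.
func IsVariation(candidate, breached string) bool {
	c, b := strings.ToLower(candidate), strings.ToLower(breached)
	if osa([]rune(c), []rune(b)) <= len([]rune(b))/4 {
		return true
	}
	notLetter := func(r rune) bool { return !unicode.IsLetter(r) }
	cw, bw := []rune(strings.TrimFunc(c, notLetter)), []rune(strings.TrimFunc(b, notLetter))
	return len(bw) >= 4 && osa(cw, bw) <= 1
}

func main() {
	fmt.Println(IsVariation("castor61", "castor16"), IsVariation("violet-Harbor-73", "castor16"))
}
```

In a real password-change flow the comparison would run against the user's own previous and known-leaked passwords at the moment the new one is submitted, since only then is the new password available in clear text.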
Finally, GoSearch looks for domains registered with the username we gave it. In Castor's case it found the following:
[*] Searching 26 domains with the username Castor ...
[+] 200 OK: Castor.com
[+] 200 OK: Castor.net
[+] 200 OK: Castor.pro
[+] 200 OK: Castor.cat
[+] 200 OK: Castor.me
[+] 200 OK: Castor.io
[+] 200 OK: Castor.xyz
[+] 200 OK: Castor.store
[+] Found 8 domains with the username Castor
We verified the information and there are indeed some domains registered with the name Castor. As a sample:
GoSearch works very well because Internet users are very foolish. Most people use the same nickname on several services, and others, the most serious and possibly unrecoverable cases, use their first and last names as usernames. That is extremely bad for their privacy and, perhaps, for their wallet. I hope you find it useful. Until next time.