POCKINT (a.k.a. Pocket Intelligence) is the OSINT swiss army knife for DFIR/OSINT professionals. A lightweight and portable GUI program, it provides users with essential OSINT capabilities in a compact form factor: POCKINT's input box accepts typical indicators (URL, IP, MD5) and gives users the ability to perform basic OSINT data mining tasks in an iterable manner.
You can grab the latest version from the releases page. POCKINT is provided as a single executable that can be stored and run anywhere on computers. POCKINT is available for Windows only.
Why use it? POCKINT is designed to be simple, portable and powerful.
β Simple: There's plenty of awesome OSINT tools out there. Trouble is they either require analysts to be reasonably comfortable with the command line (think pOSINT) or give you way too many features (think Maltego). POCKINT focuses on simplicity: INPUT > RUN TRANSFORM > OUTPUT ... rinse and repeat. It's the ideal tool to get results quickly and easily through a simple interface.
π¦ Portable: Most tools either require installation, a license or configuration. POCKINT is ready to go whenever and wherever. Put it in your jump kit USB, investigation VM or laptop and it will just run.
π Powerful: POCKINT combines cheap OSINT sources (whois/DNS) with the power of specialised APIs. From the get go you can use a suite of in-built transforms. Add in a couple of API keys and you can unlock even more specialised data mining capabilities.
The latest version is capable of running the following data mining tasks:
Hostnames
| Source | Transform | API key needed? |
|---|---|---|
| DNS | IP lookup | β |
| DNS | MX lookup | β |
| DNS | NS lookup | β |
| DNS | TXT lookup | β |
| WHOIS | Domain dnssec status | β |
| WHOIS | Domain creation | β |
| WHOIS | Domain expiration | β |
| WHOIS | Domain emails | β |
| WHOIS | Domain registrar | β |
| WHOIS | Registrant location | β |
| WHOIS | Registrant org | β |
| WHOIS | Registrant name | β |
| WHOIS | Registrant address | β |
| WHOIS | Registrant zipcode | β |
| crt.sh | Subdomains | β |
| Virustotal | Downloaded samples | βοΈ |
| Virustotal | Detected URLs | βοΈ |
| Virustotal | Subdomains | βοΈ |
| OTX | Passive DNS | βοΈ |
| OTX | malicious check | βοΈ |
| OTX | Malware type | βοΈ |
| OTX | Malware hash | βοΈ |
| OTX | Observed urls | βοΈ |
| OTX | Geolocate | βοΈ |
IP Adresses
Note: Only IPv4 Addresses are supported
| Source | Transform | API key needed? |
|---|---|---|
| DNS | Reverse lookup | β |
| Shodan | Ports | βοΈ |
| Shodan | Geolocate | βοΈ |
| Shodan | Coordinates | βοΈ |
| Shodan | CVEs | βοΈ |
| Shodan | ISP | βοΈ |
| Shodan | City | βοΈ |
| Shodan | ASN | βοΈ |
| Virustotal | Network report | βοΈ |
| Virustotal | Communicating samples | βοΈ |
| Virustotal | Downloaded samples | βοΈ |
| Virustotal | Detected URLs | βοΈ |
| OTX | Passive DNS | βοΈ |
| OTX | Malicious check | βοΈ |
| OTX | Malware type | βοΈ |
| OTX | Malware hash | βοΈ |
| OTX | Observed urls | βοΈ |
| OTX | Geolocate | βοΈ |
Urls
| Source | Transform | API key needed? |
|---|---|---|
| DNS | Extract hostname | β |
| Virustotal | Malicious check | βοΈ |
| Virustotal | Reported detections | βοΈ |
| OTX | Geolocate | βοΈ |
| OTX | Parse url | βοΈ |
| OTX | malicious check | βοΈ |
| OTX | Http response analysis | βοΈ |
Hashes
Note: Both MD5 and SHA256 hashes are supported
| Source | Transform | API key needed? |
|---|---|---|
| Virustotal | Malicious check | βοΈ |
| Virustotal | Malware type | βοΈ |
| OTX | Malicious check | βοΈ |
Emails
| Source | Transform | API key needed? |
|---|---|---|
| N/A | Extract domain | β |
New APIs and input integrations are in the works, consult the issues page to check out what's brewing or feel free to propose your own.
If you like the tool please consider contributing.
The tool received a few "honourable" mentions, including:
Please note: There have been a small number of reports indicating that pockint triggers false positives on antivirus protected systems (to date Avast, AVG and Norton). The issue seems to be caused by pyinstaller, the python package used to freeze and distribute pockint. If pockint triggers your antivirus please submit an issue and the author will submit a false positive report to the concerned antivirus provider.