An Introduction To Doxing Methodology

Let us look at arguably the most well documented and most effective means of revenge and Social Engineering, Doxing.What Is Doxing?Doxing is a technique of tracing someone or gathering information about an individual using sources online and offline. The term is coined from several overlapping terms such as Docs, DocX, Info Dump, and Dropping Docs. Mashed together creates the term known today as Doxx or Doxing. Though more vocally common in the current decade with the rise of Hacktivist ideologies and the political unrest we see today, placed in the echo-champers of the Internet and Social Media, this is an old-school revenge tactic that emerged from hacker culture in 1990s. Used to pit the victims own habits and anonymity against themselves. Though other uses can be an engine for transparency for an injustice that can lead to legal repercussions. Consequently, doxing often comes with a negative connotation, because it can be used for revenge and is seen, for obvious reasons, as an invasion of privacy. Though this information is providing information to execute, it can be used also by readers to protect themselves from being victims. I highly recommend anyone to keep personal information secure and be aware of what data is available online and offline. I would also like to advise readers that peoples lives have been ruined by doxing. Both as victims and as attackers. The usage of doxing for revenge can lead to jail time or lead to a mass campaign of public shaming and embarrassment. Now since the disclaimer is all out of the way, let us move onward to find out more about doxing and potentially how to avoid it.Techniques And StrategyFor this portion of the post I shall be using the terminology typical for a Red Team/Blue Team game. Where Red Team is the attacker and Blue Team is the defender to make this portion easier to follow.Social MediaWith the advent of social media and the greater movement of convenience over security, anyone can harvest information from the Internet about individuals. There is no particular structure or proper procedure in place for doxing, meaning someone may seek out any kind of information related to the target and relay that information haphazardly. I also hope to alleviate that in this post. To start with the basics, a basic Web search can grant results. Social media platforms like Facebook, Twitter, Instagram, and Linkedin offer a wealth of private information, because many users have perceive these as a platform of self disclosure making social media as a One-Stop-Shop for their photos, place of employment, phone number, and email address. As Red Team you want to utilize this information generously. As Blue Team, You would want to ensure your privacy by locking accounts to private or using a web-sites maximum security settings to make positive your data is not public. Be sure both Teams keep a well detailed audit of these types of sites to keep a list of current and future changes to personal details.Branching OffOften Red Team does not collect information in one single place but from many sources. As a Red or Blue you need to ask the following as either Red Team or as Blue Team. I will be using (X) as an insert for either personal or target nouns.

Where does (X) spend time on online? Reddit or Image boards? Talking with loose family or friends?

Does (X) frequently like or re post statuses from Instagram or Twitter accounts?

Does (X) have images or personal information on job boards? What Jobs and Where?

This creates a profile. With the profile you start to see a more well rounded individual and this becomes a more well developed weapon. Now we must ask ourselves...

How separate are each of these accounts?

What is public? What is private?

What does public and private mean in the context of each site?

Take a moment to think about the ways all of these overlap in our profile. Feel free to also take a note of individual nuances of each site as of they were their own unique person. How does Blue Team act in each particular instance. This further fleshes out the profile and allows for easier following for later Red Team activities and also allow Blue Team to see how unique each profile is and what information can be highly compromising if their activities were to bleed into other sites.The Little DetailsEither Team can also take note in section of the following...

Relatives

How open is the relationship between (X) and blood/legal relatives? What could a stranger, having information on just one person in this network, discover about the others in the network, etc?

Politics

Does (X) discuss or post about political beliefs online? If so, on which platforms?

Friends and Community

If (X) has social media, make note of friends, followers. In what ways does (X) online communities reflect (X) offline communities?

Hobbies

What hobbies does (X) have? Does (X) have friends and community through them? Are (X) a part of any online communities dedicated to those hobbies?

Legal

Who is (X) on paper? What names, phone numbers, and addresses is (X) tied to? Do any of (X) accounts have this information? ( I will make a list of several in reference.)

Career

Does (X) job require an online activity, a website, or a social media account for business or otherwise? Would there be a problem if those sites overlapped with (X).

These will overlap in ways making them redundant which is their purpose. There also are some these categories you do not have to take into account. However, given that many people are present online in different ventures, it can be useful to think about how you are represented in each.People Tracking SitesNumerous sites exists for tracking information of people and publish personal details without their consent via a purchase from public file or other means. Ironically Vices Motherboard has an Opt Out list which can be a nice list for Red Team or Blue Team found here

https://motherboard.vice.com/en_us/article/

privacyrights.org

https://www.privacyrights.org/data-brokers

Using these can have a cost but for the information of a valued target can be worth it. From the Blue Team perspective, a little work will get you removed. But also can be a huge pain; Finding all of these sites and working their policies can be the biggest tedious. Hopefully too if done correctly Red Team will not have a starting point.Hacks And MoreThough this post has mainly focused on the legal means Red/Blue Teams with time and energy can use to find information, but there are other ways of obtaining data. Any account could be hacked with those whom have the skills. Though its not likely someone will crack an email password, data breaches are fairly common on large platforms. Even if someone is not a hacker, they can buy or find hacked data.

Have I Been Pwned?

Proper FormattingWhen doxing or self doxing I would highly recommend using the following formats to make a profile.

Personal Info

Full Name

Age

Birth Date

Former Email

Phone Number(s)

Former Phone Number(s)

Criminal Record

Geographic Location

School

University

Country

State

City

Country Code

Zip Code

Address(s)

Technology Info

Router

DNS Servers

Operating System

Web Browser

Password(s)

Social Media

Financial Info

SSN

Credit Card Info

Bank

Account Balance

Transactions

Parents Personal Info

Full Name

Age

Birth Date

Former Email

Phone Number(s)

Former Phone Number(s)

Criminal Record

Name:

Username/s/:

E-mail:

Home Address:

City:

Zip/Postal:

State/Province:

Country:

Phone number:

Cell Phone number:

Birth-date:

Family Members:

IP address:

ISP:

Operating System:

Website:

These are my two recommended formats to make the whole process concise and easy to read. Doxing is the method of searching for and publishing private or identifying information about an individual on the Internet. This guide section of the guide will start with how to find a basic piece of information, how to use it to find more information and what to do from there. I will be publishing a Blue Team Defense Guide shortly after this goes public to allow a diverse range of information.AnonymityYou first have to ensure that you are not using any personal information. If you are social engineering (Which I will cover later) you will want to take measure to keep your information safe such as, fake email accounts and fake social media accounts. You must always take into consideration what information you are leaving behind.

10 Minute Mail

Is a free email you get for 10 minutes. You can also extended the time if you need to.

Yo Mail

An alternative to 10minutemail.

Text EM

For texting, however, you cannot receive texts back. I would also recommend using a burner phone.

Fake Name Generator

Creates everything from a fake name, to a fake social security number, to a fake blood type. Also great for characters if you are a writer.

Discard Credit Card Generator

Allows you to see if a credit card number is legitimate.

Resources

Facebook - You can look up their email in Facebook search and find the persons Facebook Page. May contain information such as Phone Numbers, Family Members, License plate Numbers.

Twitter - You can find other sites they are linked to. You can find stuff they like and record it down for future notice.

Google - Every YouTube account is linked to Google and unless the user changes the setting every YouTube comment is posted on their Google page.

Instagram - If you have their pictures you can run their pictures through a reverse image search and might be able to find their other Social Media.

Zaba Search

411

Advanced Background Checks

Lullar - If you have their email, then you can use this to find what else the targets email is attached to.

Robtex - Gives information about IP addresses and DNS.

IP Address - You can use this to find their Zip, Location and Operating System.

Who.Is

IPAddress.IP-adress - Gives the longitude and latitude of and IP address. If target is using a VPN or proxy these services will not be useful.

Tiny Eye - Picture recognition website. It can see if the picture you found was posted elsewhere.

Webstagram - If the person you are looking up has an Instagram.

Fone Finder

Spy Dialer Can supply the name from a phone number or give you their voice-mail.

More Reading

https://en.wikipedia.org/wiki/Doxing

https://www.hackthissite.org/articles/read/1107

A Blue Team Defense GuideSo let us jump right in to defending yourself from doxing. The most effective defense is a good sense of self. Though you may not think that you are ever likely ever be doxed; start by controlling the amount of your personal information that ends up online. Keeping a personal audit of available information on you via the methods I go over in the Red Team Guide. This means that you should always be aware of the private information you are sharing.AntiTrustTo also be put simply, stop trusting online services with your data. Google, Facebook, and other such services have your data and out of convenience you give it. Though many of us know that we should not trust these platforms, we do. This is an easy way for you to get more data and in turn they can also get more data. But this opens up exploits into your personal being because others can also retrieve such data by also using those same services. Data cannot be forgotten.PatternsDue to human nature patterns are used by us to create stability and control in our lives. Perhaps a schedule or set of foods you like. This is also common online via user-names and passwords. We often use similar if not the exact same series of user-names. This allows an attacker to run those user-names through a search engine such as Google and compile all the results. This creates a fairly discernible pattern of websites that are shared from a target. From there it is just connecting dots and going further down the rabbit hole. Change up all user-names, this makes it difficult to correlate. Same can also be said about passwords. But I assume most are aware of their own password patterns. Change your passwords often using the methods previously listed in the Passwords section. Usually I recommend an encrypted hard-drive to store sensitive information but writing the password down and storing it in a safe is best.And now to the more technical...Your NetworkPrevent using public hot-spots or open WiFi without proper security precautions. You can be a victim of Network Sniffing. Though Public hot-spots this type of attack is more common, do not feel safe using your own network as this attack flow can also be used at home as well.A network based attack flow is as follows...

War-Driving

This involves a hacker driving around various locations, looking for vulnerable WiFi networks to attack at a later time.

Password Attack

These can be used by hackers to bypass a public WiFi password either by mass testing a huge amount of passwords or by using software and tools.

WiFi Sniffing

This involves intercepting network traffic and data using tools or software, This attacks the data sent between a router and a device. It is very easy to set up a WiFi sniffer since all you need is a laptop and some widely available software, Leading you to fall victim to an attack.

To secure yourself from such an attack you can do as follows...

Turn off public network sharing

Keep your firewall active

Use a VPN

Turn off WiFi when not in use

Update your software always

Avoid personal data transactions online such as banking

Use 2FA (2 Factor Authorization)

Your SystemI have made mention of using a GNU/Linux system before and I will make it a point now. Get away from Windows and MacOS. These system take a large portion of active users and thus are valuable targets for hackers, why use a sniper in a crowd when you can use a shotgun. Using GNU/Linux can create a smaller attack vector and make it far more difficult to become victim to malware and spyware attacks. Due to the GNU/Linux user-base, everyone can see and edit code. This creates a highly dense web of watchdogs keeping vulnerabilities out of yours and everyone's system https://www.gnu.org/distros/free-distros.htmlWe talked about exploitation of your network and your system so let us now move onto your personal browsing ethic. Not to jump to conclusions but I can assure you, you are browsing incorrectly. Now this is not a personal attack on your character as there are many, many people that do the same.Use the Tor Browser - Tor is the currently the leading anti-surveillance browser at the moment because it is built on an entire infrastructure of relay servers. It bounces your connection through a number of nodes, and should obscure the public IP address you are connecting to the internet with. This can be installed on a Windows, Mac, though once again I would use it on your GNU/Linux system. For added security and leaving your system clean, it can be used via USB stick. To add though I would recommend reading the manual for tor. The Tor Project offers a list of do and don't for using it securely, including being very careful about downloading and opening documents which require applications https://www.torproject.org/We Will Do It Live - To take the last 2 mentioned points and being them together in beautiful harmony, use a incognito Live USB System such as Tails or more preferable, Heads. I did a full breakdown of Heads in an earlier post. This is a Live system that pipes all network through Tor and keep all sensitive data on the USB Drive it is running on. Thus after your system shuts down, it takes all data along with it, without a trace.

https://heads.dyne.org/

https://tails.boum.org/

Not So Smart-Phon - A Stalin dream, a device in your pocket that is not only connected at all times but also comes with a camera. Your smart device is a huge security leak waiting to be tapped. Having your name connected to something like a phone number and having a device that screams at all connections HERE I AM can obviously create issues. Though I offer a simple solution. Use a Basic Prepaid phone or none at all. Smart devices have become many main source of communication and connectivity though these devices run into the same issues as the network attacks listed above as well as an introduction to a few others. Blue-Tooth attacks and Social-Engineering exploits using your personal cell number to name a couple. So best option to remain anonymous and secure is to dumb down or ditch it all together.Additional OSINT Tools

https://archive.org/details/DoxToolV2

Archive.org A running archive of over 390 billion sites.

EXIF Data is short for Exchangeable Image File, a format that is a standard for storing interchange information in digital photography image files using JPEG compression.

https://github.com/brut0s/DFW

theHarvester a tool designed to gather emails, names, subdomains, IPs, and URLs using multiple public data aggregates.

Have I Been Pwned? Check if you have an account that has been compromised in a data breach.

Google Dorks Learning how to use this collections of shortcuts and keyword tool can make you a master of Google-Fu.

OSINT Framework is focused on gathering information from free tools or resources.

OSINT Links Provides a list of Keyword research tools, Search Engines, Meta Engines, FTP, Image Search, Video Search, IOT, Exploits, etc.

Recon-ng is a full-featured Web Reconnaissance framework.

Search Code searches code from public projects using Github, Bitbucket, Google Code, Codeplex, Sourceforge, Fedora Project, GitLab and more.

Tiny Eye Basic reverse image search, great for finding alternate profiles or accounts.

FOCA is a tool used mainly to find meta-data and hidden information in the documents its scans.

Geo Creepy A Geo-location OSINT Tool. Offers Geo-location information gathering through social networking platforms.

Maltego is a fantastic mapping tool and easy to pick up. Maltego is a widely used tool for open source intelligence and graphical link analyses.

Sec.gov Edgar All companies, foreign and domestic, are required to file registration statements, periodic reports, and other forms electronically through EDGAR.

Shodan is a large and in depth Internet of Things discovery tool. Discover which devices are connected to the Internet where they are located and who is using them.

You Get Signal A collection of network tools ranging from Geo-location to ID open ports on a network.

Metagoofil is an information gathering tool designed for extracting metadata of public documents belonging to a target.

Check User Names or Know Em To check the availability of a username on over 500 social networks.

What To Do If DoxedPrefaceMany of us fear having the light of curiosity shown on us, be it through being doxed or someone becoming a bit too interested in us and what we are about. Sadly, many people do not take the needed precautions of lessening their digital footprint and removing their information from the internet. A lot of people just let it sit and fester until someone comes along and picks at the infected blister that was a forgotten account or teenage edginess, however not all is lost. You have already started your adventure in privacy.Stay Calm And Do Not ReactThe majority of people who have been doxed had had their information found through simple search engine queries or because they, themselves, provided this information without knowing that they have done so. This is because we have been conditioned by social media and sites like Reddit to crave the instant gratification of arbitrary numbers that come with exposing ourselves online; baring everything we can to the perverse, voyeuristic masses that give us a +1 click on our profiles. Because of this, you have most likely have fell for the meme that the current state of doxing is something akin to CSI's take on hacking. Do not fret, though, most people who threaten to dox someone have not found the information or are not willing to use it, ergo relax and do not panic of a threat. Yes, take it seriously, however not all states will grant you the legal power to sue or track someone down in a digital witch-hunt. What you can do, though, is quite simple: Remove your information. Before you remove your information, you must first monitor yourself and the threat at hand. Do not react, for if you do then they get a bigger rise out of you and a reason to actually dox you, or if they already have done so... provoke you more and continue this assault. Simply remember: Stay calm, breathe and do not react. You do not need to defend yourself or get into a digital slap fight on the internet. Just ignore it and learn that by not reacting to any threats or accusations, you deny them one of the things they want the most: You acting out. Now move onto the next chapter.Realize It Is Not Always YouOne thing most people need to realize is that it is not always them but what they are perceived as representing. Due to the political climate being so explosive, people on both sides of the spectrum are targeting each other simply because they can. This means that a Republican, Democrat, Socialist, Communist, Capitalist or Fascist or whatever will be picked out from a series of people on social media and made into an example of what happens to someone’s political or ideology’s opponent. This means you, at any given moment, could be targeted simply because you fit a preconceived image or notion of what someone believes their enemies to look like. It is a small consolation to realize you were not chosen, possibly, because of what you said or did, however it still means someone was upset enough to target you. Take precautions and start lessening what you say or do online when it comes to specific topics. Choose your battles carefully and wisely. Not every comment or person needs a response.Identify The SourceOne of the things you need to do before looking toward cleaning your digital footprint is to identify the source of your dox or the leak of your information. If you have been doxed or received a threat of being doxed, then you need to ensure your information has not been posted by someone within your community or on another website. If someone has posted your information, then you must identify what information they have found.If it is public information, there is not much you can do about it. This information includes your home address, phone number, place of work, place of education, birth date, full name and even your car's license plate, however while public it is personal information and some websites might actually remove it upon simple request. You must first ensure the website is not encouraging this or a part of the act taking place. If they are not, and it is a site like Reddit, then go ahead and ask the administrators and/or website owner to remove your information. If it is an image board or a forum, then do not ask anyone and ignore it further. However do identify what information they have found, as you can work on lessening the damage by removing information that they have yet to found.If the information is private, like passwords, credit card numbers, social security numbers or anything similar, then yes, you might actually have a case for a potential lawsuit. But Remember: It must not be information that was made public by your own actions or a data breach or leak. If this information can be found VIA Google or Bing, then a lawsuit can not take place against the people posting your information but one could be placed against the owners of the database that got breached and/or leaked. Personal information, while both public and private, does not matter much because either way it matches one of the above descriptions. So do not fret so much over whether or not it is personal information but whether if it is private or public. Once you have gotten that mindset in place, you will see how doxing, while quite alarming, is not really up for any legal actions most of the time due to the information being found readily on your own accounts or a search engine.Act AccordinglyOnce you have identified the source, and learned of what information has been posted, you can act accordingly to the level of threat that is being presented to you. While everything that is classed as a potential threat may seem dangerous, not everything must be met with a call to arms or requests of a personal army or attorney at law. If it is just an account or e-mail address, then continue ignoring it and working toward removing your data and lessening the information that is out there on you. If they are obsessed with an old account that you can not or have forgotten to remove, then they are distracted and have not worked toward finding more information. This means you can work toward lessening the potential harm and continue toward a safer experience online.If they have found your home address, regardless of how they did it, then you must look toward what you can do to lessen the potential harm that can stem from this, like, for instance, replacing your mailbox with one that can lock to prevent theft of mail. You can ensure your windows are locked and covered by blackout curtains to prevent spying, and you can even remove your phone’s custom voicemail message to the default robotic one. Remember, just because they have your address or phone number does not mean they will do anything. Most people are satisfied with going “I doxed you! You live at 123 Road Avenue, New York, New York!” and hoping someone else will say or do something. You have to fear at most, usually, getting the sophomoric junkmail spam that consists of boxes, pizzas and possibly even prostitutes. While nothing more than a prank, it does cause panic for your younger targets/victims, like the teenagers that Tumblr has inexplicably targeted.If you are under the age of 18 or live with someone else, you must let them know what’s happening if it has progressed as far as your phone number and/or address being posted online. The reason for this is so the other residents within the home know what is coming off and for you, the target/victim to tell the home owner and/or adults living with you what is happening. If it advances enough to a possible lawsuit and court date, then they will know about it anyways. It is better to come clean now and deal with the brunt of the lecturing now than later as, like it or not, parents and guardians do know how to handle things better than most minors.Ultimately, the worst they can do is tattle to your parents or contact your place of work, or go as far as to contact your landlord. This has a 50/50 chance of working against you or not, ergo another reason for you to lessen your digital footprint online. Less you do online, the less they have that they can use against you. This means less accounts, little to no social media use and learning to not tell the internet everything you've seen, said or done on any given day.Steps To TakeLearn to not react, to anything said or done to your or your accounts, and once this is over do not mention it, ever. If you let people know it is bothering you, they will continue their assault on you and your privacy. They will push forward, looking for even greater ways to provoke you into doing something potentially harmful to yourself and others. Even if the information is incorrect, do not react. Just ignore them and take things slowly.

Blur out your house/property view on online maps.

Change your phone number if needed.

Change your phone's voice messages to the default robotic one.

Get off the blogs and stop saying things online. It is better to lurk and learn instead of interacting and putting yourself into danger.

Get your mail ASAP. The longer you leave your mail in the mailbox, the sooner someone may snap it up for nefarious means.

Never answer the phone for anyone you do not recognize. If it is important, they will leave a voicemail.

If things turn violent, please follow the below...

Cut contact with anyone you suspect.

Do not delete any voice mail left on your phone, this can be used in potential legal actions.

Do not delete asks/PMs/fan mail/chat requests that contain threats or anything of a similar violent nature. These can used in potential legal actions.

Do not destroy any documents sent your home or business, this can be used in potential legal actions.

Do notify the police of any incidents that happen, like property theft or damage...etc

Do not open letters or packages you do not recognize.

Look into purchasing cameras for your property.

AfterwardThis is the end result of social networks and the forced "inter-connectivity" meme of smart gadgets. The more we move forward to web 3.0, the smaller our pool of privacy shall become. While we can scream and whine about lawsuits and calling our uncle in the FBI, none of it matters because you have put yourself in harm's way in the first place by not remembering the simple golden rule: Do not post your real world information on the internet. Do not post your name or address online. Do not talk to strangers and do not post images of yourself, where you live, or go to school on the internet.