FAQ
Please make sure you are using Python 3, not Python 2.7 or earlier. I recommend using pipenv.
Like above, please make sure you are using Python 3. ODIN must be run in Python 3 and the requirements must be installed using pip or pip3 for Python 3. To make sure all required libraries are installed for Python 3, use pipenv and the provided Pipfile. The Pipfile enforces Python 3, so you should be good to go.
See the installation instructions at the top.
Absolutely. If an API key is missing from the keys.config file, any checks using those keys will be skipped. You are strongly encouraged to go get the free API keys to get the most out of ODIN, but you can skip any you don't want.
API access for Shodan, Censys, and EmailHunter is definitely worth it if you want to use only the bare minimum.
If you ask "why not use X API" or "why not do Y like this," that's not very helpful. Presumably, the question is meant to convey the idea that X would be a good addition or Y is a bad way to accomplish a task and you want to know the reason it is not currently supported. The answer is most likely "I wasn't aware of this." That also means I don't know anything about it. :)
If you have a suggestion for a change, service, or API, please explain what it does and provide some details explaining why you think it would be a good addition.
Clearbit looks useful for OSINT, but the free tier is restricted to 20 API calls in a month. That may even be 20 API calls for the life of the account. The details are unclear. Either way, that's very restrictive and I want ODIN to be as simple and free to use as possible. The paid tiers are quite expensive.
Wappalyzer is useful, but it's very difficult to automate fetching the results from Wappalyzer. Some tools can do this, but they use an unmaintained package called wappalyzer-python (https://github.com/scrapinghub/wappalyzer-python). This package still works, as far as I know, but there are several problems with it. The package has not been updated in three years, the developers have stated they have no plans to change that or support wappalyzer-python, and the package is Python 2. It could be used until it breaks one day, but the Python 2 bit is the real sticking point because ODIN is written in Python 3 and the two just are not compatible.
Like Clearbit, BuiltWith is a neat resource and some interesting details can be reviewed on the website. The API, however, is not free. The free version of the API won't give you any details, so at best it can be used to highlight a domain you may want to then review on the BuiltWith website. Scraping the website search results is certainly possible, but that could easily break and/or be unreliable.
Adding support for BuiltWith hasn't been ruled out, but the goal is to make ODIN entirely free to use.
Currently only the Company API is used. There are plans to incorporate the People API in the future.
No. Brute forcing can take a long time and there are many tools that take care of this quite well. Those tools are not so easy to incorporate into ODIN without just running the commands for those tools. For subdomain discovery via guessing, it's hard to beat Aquatone (Ruby gem) and Amass (OWASP project) right now and there's always Fierce and DNSRecon.
For now, ODIN leverages DNS Dumpster, Netcraft, and SSL/TLS certificate data to collect subdomains. That should get you a good number of subdomains to get started.
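To illustrate how SSL/TLS certificate data yields subdomains, here is an added example (not ODIN's own code) that pulls in-scope hostnames from the subjectAltName field of certificates you have already collected for your own domain. The function names and the sample certificates are assumptions made for this example; the dict layout is the one Python's ssl.SSLSocket.getpeercert() returns.

```python
# Added example: constructed data and hypothetical helper names, not ODIN's code.

def subdomains_from_cert(cert, domain):
    """Return sorted in-scope hostnames from a getpeercert()-style dict."""
    domain = domain.lower().rstrip(".")
    found = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue  # skip IP Address, email and URI entries
        name = value.lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]  # a wildcard names no host; keep its parent zone
        # Compare on a label boundary so "notexample.com" is not in scope.
        if name == domain or name.endswith("." + domain):
            found.add(name)
    return sorted(found)


def collect(certs, domain):
    """Merge and de-duplicate the names found across several certificates."""
    names = set()
    for cert in certs:
        names.update(subdomains_from_cert(cert, domain))
    return sorted(names)


# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERTS = [
    {"subjectAltName": (("DNS", "example.com"),
                        ("DNS", "www.example.com"),
                        ("DNS", "*.dev.example.com"))},
    {"subjectAltName": (("DNS", "VPN.Example.com"),
                        ("DNS", "notexample.com"),
                        ("IP Address", "192.0.2.10"))},
    # No SAN extension: the commonName is deliberately not used as a fallback.
    {"subject": ((("commonName", "legacy.example.com"),),)},
]

if __name__ == "__main__":
    for name in collect(SAMPLE_CERTS, "example.com"):
        print(name)
```

Names recovered this way are only those that appear on certificates, so hosts that never had a certificate issued will not show up.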