POCKINT (a.k.a. Pocket Intelligence) is the OSINT swiss army knife for DFIR/OSINT professionals. A lightweight and portable GUI program, it provides users with essential OSINT capabilities in a compact form factor: POCKINT's input box accepts typical indicators (URL, IP, MD5) and gives users the ability to perform basic OSINT data mining tasks in an iterable manner.

Installation

You can grab the latest version from the releases page. POCKINT is provided as a single executable that can be stored and run anywhere on computers. POCKINT is available for Windows only.

Features

Why use it? POCKINT is designed to be simple, portable and powerful.

⭐ Simple: There's plenty of awesome OSINT tools out there. Trouble is they either require analysts to be reasonably comfortable with the command line (think pOSINT) or give you way too many features (think Maltego). POCKINT focuses on simplicity: INPUT > RUN TRANSFORM > OUTPUT ... rinse and repeat. It's the ideal tool to get results quickly and easily through a simple interface.

📦 Portable: Most tools either require installation, a license or configuration. POCKINT is ready to go whenever and wherever. Put it in your jump kit USB, investigation VM or laptop and it will just run.

🚀 Powerful: POCKINT combines cheap OSINT sources (whois/DNS) with the power of specialised APIs. From the get go you can use a suite of in-built transforms. Add in a couple of API keys and you can unlock even more specialised data mining capabilities.

The latest version is capable of running the following data mining tasks:

Hostnames

Source	Transform	API key needed?
DNS	IP lookup	❌
DNS	MX lookup	❌
DNS	NS lookup	❌
DNS	TXT lookup	❌
WHOIS	Domain dnssec status	❌
WHOIS	Domain creation	❌
WHOIS	Domain expiration	❌
WHOIS	Domain emails	❌
WHOIS	Domain registrar	❌
WHOIS	Registrant location	❌
WHOIS	Registrant org	❌
WHOIS	Registrant name	❌
WHOIS	Registrant address	❌
WHOIS	Registrant zipcode	❌
crt.sh	Subdomains	❌
Virustotal	Downloaded samples	✔️
Virustotal	Detected URLs	✔️
Virustotal	Subdomains	✔️
OTX	Passive DNS	✔️
OTX	malicious check	✔️
OTX	Malware type	✔️
OTX	Malware hash	✔️
OTX	Observed urls	✔️
OTX	Geolocate	✔️

IP Adresses

Note: Only IPv4 Addresses are supported

Source	Transform	API key needed?
DNS	Reverse lookup	❌
Shodan	Ports	✔️
Shodan	Geolocate	✔️
Shodan	Coordinates	✔️
Shodan	CVEs	✔️
Shodan	ISP	✔️
Shodan	City	✔️
Shodan	ASN	✔️
Virustotal	Network report	✔️
Virustotal	Communicating samples	✔️
Virustotal	Downloaded samples	✔️
Virustotal	Detected URLs	✔️
OTX	Passive DNS	✔️
OTX	Malicious check	✔️
OTX	Malware type	✔️
OTX	Malware hash	✔️
OTX	Observed urls	✔️
OTX	Geolocate	✔️

Urls

Source	Transform	API key needed?
DNS	Extract hostname	❌
Virustotal	Malicious check	✔️
Virustotal	Reported detections	✔️
OTX	Geolocate	✔️
OTX	Parse url	✔️
OTX	malicious check	✔️
OTX	Http response analysis	✔️

Hashes

Note: Both MD5 and SHA256 hashes are supported

Source	Transform	API key needed?
Virustotal	Malicious check	✔️
Virustotal	Malware type	✔️
OTX	Malicious check	✔️

Emails

Source	Transform	API key needed?
N/A	Extract domain	❌

New APIs and input integrations are in the works, consult the issues page to check out what's brewing or feel free to propose your own.

Like it?

If you like the tool please consider contributing.

The tool received a few "honourable" mentions, including:

• KitPloit
• kalilinuxtutorials.com
• hacking.land
• awesomeopensource.com

Please note: There have been a small number of reports indicating that pockint triggers false positives on antivirus protected systems (to date Avast, AVG and Norton). The issue seems to be caused by pyinstaller, the python package used to freeze and distribute pockint. If pockint triggers your antivirus please submit an issue and the author will submit a false positive report to the concerned antivirus provider.