<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Saveliy</title>
    <description>The latest articles on DEV Community by Saveliy (@trulysoulless).</description>
    <link>https://dev.to/trulysoulless</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3867772%2F08a5be5b-0bc6-4263-b2a2-b91aca7425e6.jpeg</url>
      <title>DEV Community: Saveliy</title>
      <link>https://dev.to/trulysoulless</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/trulysoulless"/>
    <language>en</language>
    <item>
      <title>How to Run a Full OSINT Recon on Any Domain in One Command</title>
      <dc:creator>Saveliy</dc:creator>
      <pubDate>Sat, 04 Jul 2026 07:15:21 +0000</pubDate>
      <link>https://dev.to/trulysoulless/how-to-run-a-full-osint-recon-on-any-domain-in-one-command-5hic</link>
      <guid>https://dev.to/trulysoulless/how-to-run-a-full-osint-recon-on-any-domain-in-one-command-5hic</guid>
      <description>&lt;p&gt;If you've ever needed to profile a domain — subdomains, open ports, breached emails, DNS hygiene, TLS posture — you know the pain: a dozen separate tools, a dozen output formats, and a lot of copy-paste.&lt;/p&gt;

&lt;p&gt;Here's how to do all of it in &lt;strong&gt;one command&lt;/strong&gt;, fully self-hosted, with no data leaving your machine.&lt;/p&gt;

&lt;h2&gt;
  
  
  The tool
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://github.com/NovaCode37/Prism-platform" rel="noopener noreferrer"&gt;PRISM&lt;/a&gt; is an open-source (MIT) OSINT platform. One target → 25+ modules run in parallel: WHOIS, DNS, certificate-transparency subdomains, Shodan, breach checks, dark-web mirrors, GeoIP, and more. It gives you an entity graph and an OPSEC exposure score at the end.&lt;/p&gt;

&lt;h2&gt;
  
  
  1. Get it running
&lt;/h2&gt;

&lt;p&gt;Clone the repo and install:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;git clone https://github.com/NovaCode37/Prism-platform
&lt;span class="nb"&gt;cd &lt;/span&gt;Prism-platform
pip &lt;span class="nb"&gt;install&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; requirements.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Use it straight from the CLI:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;python cli.py scan example.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Or run the web UI in Docker (built from the repo):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;docker build &lt;span class="nt"&gt;-t&lt;/span&gt; prism &lt;span class="nb"&gt;.&lt;/span&gt;
docker run &lt;span class="nt"&gt;-d&lt;/span&gt; &lt;span class="nt"&gt;-p&lt;/span&gt; 8080:8080 &lt;span class="nt"&gt;-e&lt;/span&gt; &lt;span class="nv"&gt;ALLOW_ANON_API&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nb"&gt;true &lt;/span&gt;prism
&lt;span class="c"&gt;# open http://localhost:8080&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  2. Scan a domain
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;python cli.py scan example.com &lt;span class="nt"&gt;--type&lt;/span&gt; domain
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In ~40 seconds you get, for &lt;code&gt;example.com&lt;/code&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Subdomains&lt;/strong&gt; from certificate transparency logs&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Open ports + CVEs&lt;/strong&gt; (via Shodan, if you add a key)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;DNS records&lt;/strong&gt; and whether SPF/DMARC are missing (spoofing risk)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;WHOIS&lt;/strong&gt; exposure (contact emails, org)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Archived sensitive URLs&lt;/strong&gt; from the Wayback Machine&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  3. Read the OPSEC score
&lt;/h2&gt;

&lt;p&gt;Every scan ends with a 0–100 exposure score across four categories — Data Exposure, Identity OPSEC, Infrastructure, Web Security. Lower = more exposed. It's a quick way to triage which targets need attention.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Tip: the score only reflects modules that actually ran — if you skip Shodan/VirusTotal, treat a high score as "less data," not "clean."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  4. Export for reporting
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;python cli.py scan example.com &lt;span class="nt"&gt;--html&lt;/span&gt; &lt;span class="nt"&gt;-o&lt;/span&gt; report.html
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;HTML/PDF reports, plus CSV/Markdown/JSON, and a graph export to &lt;strong&gt;GraphML/GEXF&lt;/strong&gt; for Gephi or Maltego.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why self-host it
&lt;/h2&gt;

&lt;p&gt;No third party sees your targets. You bring your own API keys, set your own rate limits, and everything runs on your box. For anyone doing authorized recon, that's the whole point.&lt;/p&gt;

&lt;p&gt;Repo: &lt;a href="https://github.com/NovaCode37/Prism-platform" rel="noopener noreferrer"&gt;https://github.com/NovaCode37/Prism-platform&lt;/a&gt;&lt;br&gt;
Live demo (no signup): &lt;a href="https://getprism.su" rel="noopener noreferrer"&gt;https://getprism.su&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Built and maintained in the open — issues and PRs welcome.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>selfhosted</category>
      <category>python</category>
      <category>security</category>
    </item>
    <item>
      <title>Self-Hosted OSINT Tools in 2026 — an honest SpiderFoot/Maltego alternatives comparison</title>
      <dc:creator>Saveliy</dc:creator>
      <pubDate>Mon, 29 Jun 2026 07:54:41 +0000</pubDate>
      <link>https://dev.to/trulysoulless/self-hosted-osint-tools-in-2026-an-honest-spiderfootmaltego-alternatives-comparison-of4</link>
      <guid>https://dev.to/trulysoulless/self-hosted-osint-tools-in-2026-an-honest-spiderfootmaltego-alternatives-comparison-of4</guid>
      <description>&lt;h1&gt;
  
  
  Self-Hosted OSINT Tools in 2026: An Honest Comparison
&lt;/h1&gt;

&lt;p&gt;If you do reconnaissance, you've probably bounced between ten browser tabs and a dozen CLI tools. This is an honest look at the main &lt;strong&gt;self-hosted, open-source OSINT tools&lt;/strong&gt; in 2026 — what each is good at, where it falls short, and which fits which workflow.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Disclosure:&lt;/strong&gt; I built one of the tools below (PRISM), so I'm biased. I've tried to keep the comparison fair — every tool here is genuinely good at something.&lt;/p&gt;

&lt;h2&gt;
  
  
  What "good" means for an OSINT tool
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Coverage&lt;/strong&gt; - how many sources/targets it handles&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Self-hosted &amp;amp; private&lt;/strong&gt; - your investigation targets don't sit in someone else's logs&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Usable&lt;/strong&gt; - CLI power vs a dashboard you can actually read&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Zero-key friendly&lt;/strong&gt; - how much works before you start paying for API keys&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  theHarvester
&lt;/h2&gt;

&lt;p&gt;The classic. Pulls emails, subdomains, and hosts for a domain from many passive sources. Fast, scriptable, and a staple of any recon pipeline. CLI-only, single-purpose — it does domain footprinting and nothing else, but it does it well.&lt;br&gt;
&lt;strong&gt;Best for:&lt;/strong&gt; quick domain/email footprinting in a terminal.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sherlock / Maigret
&lt;/h2&gt;

&lt;p&gt;Username hunters. Sherlock checks a username across hundreds of sites; Maigret pushes that to thousands and scrapes profile data. Indispensable for people-focused OSINT. CLI-first; you'll parse the output yourself.&lt;br&gt;
&lt;strong&gt;Best for:&lt;/strong&gt; finding every account a username owns.&lt;/p&gt;

&lt;h2&gt;
  
  
  SpiderFoot
&lt;/h2&gt;

&lt;p&gt;The automation powerhouse. Point it at a target and it recursively pulls from a huge set of modules, with a web UI and an entity graph. Deep and powerful - also heavier to run and configure, and the UI feels dated.&lt;br&gt;
&lt;strong&gt;Best for:&lt;/strong&gt; deep, automated attack-surface mapping.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recon-ng
&lt;/h2&gt;

&lt;p&gt;A full, Metasploit-style recon framework in your terminal. Modular, scriptable, great for repeatable workflows — but it's CLI and has a learning curve.&lt;br&gt;
&lt;strong&gt;Best for:&lt;/strong&gt; power users who want a scriptable recon framework.&lt;/p&gt;

&lt;h2&gt;
  
  
  Maltego CE
&lt;/h2&gt;

&lt;p&gt;The graph king. Unmatched for visual link analysis via transforms. But it's a commercial desktop app, the community edition is limited, and it's not really self-hosted-open-source in the same sense.&lt;br&gt;
&lt;strong&gt;Best for:&lt;/strong&gt; visual link analysis when you can live with the licensing.&lt;/p&gt;

&lt;h2&gt;
  
  
  PRISM
&lt;/h2&gt;

&lt;p&gt;The one I built. It takes the breadth of the tools above — domain, IP, email, phone, and username recon across 22+ modules - and puts it in a &lt;strong&gt;self-hosted web dashboard&lt;/strong&gt; with an entity graph, a GeoIP map, an OPSEC exposure score, and HTML/PDF reports. 14 of the 22 modules work with no API keys, and it runs with one &lt;code&gt;docker compose up&lt;/code&gt;. It's not as deep as SpiderFoot on pure attack-surface recursion, and it's newer/less battle-tested - but if you want all-target recon in one readable dashboard instead of ten tabs, that's the niche.&lt;br&gt;
&lt;strong&gt;Best for:&lt;/strong&gt; all-in-one recon in a self-hosted dashboard, no CLI required.&lt;/p&gt;

&lt;h2&gt;
  
  
  Quick comparison
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;Targets&lt;/th&gt;
&lt;th&gt;Interface&lt;/th&gt;
&lt;th&gt;Self-hosted&lt;/th&gt;
&lt;th&gt;Zero-key&lt;/th&gt;
&lt;th&gt;License&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;theHarvester&lt;/td&gt;
&lt;td&gt;domain&lt;/td&gt;
&lt;td&gt;CLI&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;partial&lt;/td&gt;
&lt;td&gt;open source&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Sherlock/Maigret&lt;/td&gt;
&lt;td&gt;username&lt;/td&gt;
&lt;td&gt;CLI&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;open source&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SpiderFoot&lt;/td&gt;
&lt;td&gt;many&lt;/td&gt;
&lt;td&gt;web (dated)&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;partial&lt;/td&gt;
&lt;td&gt;open source&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Recon-ng&lt;/td&gt;
&lt;td&gt;many&lt;/td&gt;
&lt;td&gt;CLI&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;partial&lt;/td&gt;
&lt;td&gt;open source&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Maltego CE&lt;/td&gt;
&lt;td&gt;many&lt;/td&gt;
&lt;td&gt;desktop&lt;/td&gt;
&lt;td&gt;no&lt;/td&gt;
&lt;td&gt;no&lt;/td&gt;
&lt;td&gt;commercial&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;PRISM&lt;/td&gt;
&lt;td&gt;domain/IP/email/phone/username&lt;/td&gt;
&lt;td&gt;web dashboard&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;14/22 modules&lt;/td&gt;
&lt;td&gt;MIT&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  How to pick
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Just a domain, fast?&lt;/strong&gt; theHarvester.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Chasing a username?&lt;/strong&gt; Maigret.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Deep automated recon?&lt;/strong&gt; SpiderFoot.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Scriptable framework?&lt;/strong&gt; Recon-ng.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Visual link analysis?&lt;/strong&gt; Maltego.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;One readable dashboard for everything, self-hosted?&lt;/strong&gt; PRISM.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;All of these are free to try (Maltego CE aside). Pick the one that matches how you actually work - and for the self-hosted ones, your targets never have to leave your machine.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;PRISM is open source (MIT): &lt;a href="https://github.com/NovaCode37/Prism-platform" rel="noopener noreferrer"&gt;github.com/NovaCode37/Prism-platform&lt;/a&gt; · &lt;a href="https://getprism.su" rel="noopener noreferrer"&gt;live demo&lt;/a&gt;. For lawful, authorized OSINT only.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>osint</category>
      <category>security</category>
      <category>selfhosted</category>
      <category>opensource</category>
    </item>
    <item>
      <title>I Built an Evil Twin Attack in 15 Minutes — Here's What I Learned About Public Wi-Fi</title>
      <dc:creator>Saveliy</dc:creator>
      <pubDate>Thu, 30 Apr 2026 15:29:36 +0000</pubDate>
      <link>https://dev.to/trulysoulless/i-built-an-evil-twin-attack-in-15-minutes-heres-what-i-learned-about-public-wi-fi-51c5</link>
      <guid>https://dev.to/trulysoulless/i-built-an-evil-twin-attack-in-15-minutes-heres-what-i-learned-about-public-wi-fi-51c5</guid>
      <description>&lt;p&gt;A full lab reproduction of the Evil Twin attack on isolated Kali Linux + airgeddon, plus a 6-rule defense framework for everyday users. Awarded 3rd place at the Lomonosov Readings 2026 research conference."&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;TL;DR&lt;/strong&gt; — I reproduced an end-to-end Evil Twin attack in an air-gapped VirtualBox lab using &lt;code&gt;airgeddon&lt;/code&gt; on Kali Linux. From "VM boot" to "captured credentials shown on the attacker's terminal" took about &lt;strong&gt;15 minutes&lt;/strong&gt;. The attacker doesn't break cryptography — they bypass it by exploiting &lt;em&gt;auto-connect&lt;/em&gt; and user trust. Below: the 5-stage attack chain, what actually happens at each layer, and a practical 6-rule defense framework.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;This is a write-up of an individual research project I conducted at MAOU Gymnasium №16 (Tyumen, Russia), which was awarded &lt;strong&gt;3rd Place at the Lomonosov Readings 2026&lt;/strong&gt; research conference (Informatics category). Full repository, paper, and slides are linked at the bottom.&lt;/p&gt;




&lt;h2&gt;
  
  
  1. Why Evil Twin still matters in 2026
&lt;/h2&gt;

&lt;p&gt;You walk into a cafe. Your phone shows two networks named &lt;code&gt;CoffeeHouse_Guest&lt;/code&gt;. You connect to the one with the stronger signal — because that's what your OS does by default. Within seconds you might be:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Connected to a rogue laptop, not the real router&lt;/li&gt;
&lt;li&gt;Browsing through an attacker-controlled DNS and HTTP gateway&lt;/li&gt;
&lt;li&gt;One redirect away from a captive portal asking for your "Wi-Fi password" or Google credentials&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The attack does &lt;strong&gt;not&lt;/strong&gt; require breaking WPA2. It does not require advanced skills. The barrier is so low that the most useful contribution a researcher can make today isn't a new exploit — it's a clear, reproducible explanation of how trivial the attack already is, and what users can actually do about it.&lt;/p&gt;




&lt;h2&gt;
  
  
  2. Lab architecture (fully air-gapped)
&lt;/h2&gt;

&lt;p&gt;Ethics first: the entire experiment ran in a &lt;strong&gt;VirtualBox Internal Network&lt;/strong&gt;, with zero connectivity to any physical network. All credentials were synthetic. All hardware was mine.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;[Windows host]
    └─ VirtualBox Internal Network  ──►  no external connectivity
          ├── Kali Linux 2024.1   (attacker)
          └── Android VM/device   (victim — manually connected)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Stack:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Kali Linux 2024.1&lt;/strong&gt; + USB Wi-Fi adapter capable of monitor/AP mode&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;airgeddon v11.22&lt;/strong&gt; as the orchestration layer&lt;/li&gt;
&lt;li&gt;Underneath airgeddon: &lt;code&gt;airodump-ng&lt;/code&gt;, &lt;code&gt;aireplay-ng&lt;/code&gt;, &lt;code&gt;hostapd&lt;/code&gt;, &lt;code&gt;dnsmasq&lt;/code&gt;, &lt;code&gt;lighttpd&lt;/code&gt;, &lt;code&gt;iptables&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you want to replicate: do it &lt;strong&gt;only&lt;/strong&gt; on hardware you own, in an isolated network. Unauthorized deployment is a criminal offense in most jurisdictions (in Russia, Articles 272–273 of the Criminal Code).&lt;/p&gt;




&lt;h2&gt;
  
  
  3. The 5-stage attack chain
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Recon → Rogue AP → Deauth → Interception → Phishing Portal
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Stage 1 — Reconnaissance
&lt;/h3&gt;

&lt;p&gt;Put the wireless interface in monitor mode and dump nearby APs and clients:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;airmon-ng start wlan0
airodump-ng wlan0mon
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Output gives you BSSID, channel, encryption, and connected client MACs for every AP in range. This is the targeting data for everything that follows.&lt;/p&gt;

&lt;h3&gt;
  
  
  Stage 2 — Rogue Access Point
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;hostapd&lt;/code&gt; is told to broadcast an SSID identical to the legitimate target — same name, attacker's BSSID, encryption deliberately disabled to look like a "guest" variant:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight conf"&gt;&lt;code&gt;&lt;span class="n"&gt;ssid&lt;/span&gt;=&lt;span class="n"&gt;Free_Public_Lab&lt;/span&gt;
&lt;span class="n"&gt;channel&lt;/span&gt;=&lt;span class="m"&gt;6&lt;/span&gt;
&lt;span class="n"&gt;hw_mode&lt;/span&gt;=&lt;span class="n"&gt;g&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is the entire trick. There is no protocol violation. 802.11 simply has no built-in mechanism for a client to tell two APs with the same SSID apart.&lt;/p&gt;

&lt;h3&gt;
  
  
  Stage 3 — Deauthentication
&lt;/h3&gt;

&lt;p&gt;To force migration from the real AP to the twin, send forged 802.11 deauth frames:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;aireplay-ng &lt;span class="nt"&gt;--deauth&lt;/span&gt; 0 &lt;span class="nt"&gt;-a&lt;/span&gt; &amp;lt;real_BSSID&amp;gt; wlan0mon
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Most clients will silently reconnect — and because the rogue AP is open and stronger, that's where they land. &lt;strong&gt;Auto-connect&lt;/strong&gt; is what makes this stage devastating.&lt;/p&gt;

&lt;h3&gt;
  
  
  Stage 4 — Traffic interception
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;dnsmasq&lt;/code&gt; provides DHCP + DNS to the victim, and &lt;code&gt;iptables&lt;/code&gt; redirects all HTTP traffic to a local web server:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;iptables &lt;span class="nt"&gt;-t&lt;/span&gt; nat &lt;span class="nt"&gt;-A&lt;/span&gt; PREROUTING &lt;span class="nt"&gt;-p&lt;/span&gt; tcp &lt;span class="nt"&gt;--dport&lt;/span&gt; 80 &lt;span class="nt"&gt;-j&lt;/span&gt; REDIRECT &lt;span class="nt"&gt;--to-port&lt;/span&gt; 80
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now the victim has "internet" — except every DNS query and every cleartext request flows through the attacker.&lt;/p&gt;

&lt;h3&gt;
  
  
  Stage 5 — Captive portal
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;lighttpd&lt;/code&gt; serves a clone of a familiar login page (router admin, ISP portal, or a generic "Confirm your connection" form). The user submits credentials. They appear immediately in the attacker's terminal.&lt;/p&gt;

&lt;p&gt;In my run, the test victim entered &lt;code&gt;test_user&lt;/code&gt; / &lt;code&gt;Sup3rSecret!&lt;/code&gt; — captured in plaintext within seconds.&lt;/p&gt;

&lt;p&gt;I also validated the &lt;strong&gt;WPA2 variant&lt;/strong&gt;: even when the legitimate network has a shared password (&lt;code&gt;PublicPassword123&lt;/code&gt;), the attack still works, because the password is shared and any client (including the attacker) can use it to host a convincing twin.&lt;/p&gt;




&lt;h2&gt;
  
  
  4. Why the usual advice fails
&lt;/h2&gt;

&lt;p&gt;A few lessons that actually mattered after running this end-to-end:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;"Just check for HTTPS"&lt;/strong&gt; is not enough. Captive portals can serve valid Let's Encrypt certs for attacker-controlled domains. Your browser's padlock confirms the connection is encrypted to the &lt;em&gt;attacker&lt;/em&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;"Use the password-protected network"&lt;/strong&gt; is not enough. WPA2-PSK protects only against outsiders who don't know the key. In a public cafe, the key is on a chalkboard.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;"I'll just notice"&lt;/strong&gt; is not enough. Modern OSes hide BSSIDs and silently roam between APs with the same SSID. The attack is invisible at the UI layer.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The attack doesn't break cryptography. It bypasses it by exploiting an architectural assumption baked into 802.11 itself: that SSIDs are trustworthy identifiers.&lt;/p&gt;




&lt;h2&gt;
  
  
  5. The 6-Rule Defense Framework
&lt;/h2&gt;

&lt;p&gt;This is the practical output of the project — a checklist designed for non-technical users.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;#&lt;/th&gt;
&lt;th&gt;Rule&lt;/th&gt;
&lt;th&gt;Why it works&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;
&lt;strong&gt;Use a VPN&lt;/strong&gt; (WireGuard / OpenVPN, no-logs provider)&lt;/td&gt;
&lt;td&gt;Encrypts the entire tunnel before it touches the rogue AP. The attacker sees opaque traffic to the VPN server.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;
&lt;strong&gt;Disable auto-connect&lt;/strong&gt;, delete saved public networks&lt;/td&gt;
&lt;td&gt;Removes the silent reconnection that makes deauth effective.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;No sensitive actions on public Wi-Fi without VPN&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Use 4G/5G for banking, email, work logins. Cellular has built-in link-layer encryption.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Enable 2FA everywhere&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Captured passwords become useless without the second factor.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;
&lt;strong&gt;Technical verification&lt;/strong&gt; — confirm SSID with staff, watch for duplicate BSSIDs (Wi-Fi Analyzer)&lt;/td&gt;
&lt;td&gt;Catches the most obvious twin deployments.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;6&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Keep OS and browser updated&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Closes vulnerabilities a MitM can exploit even inside a session.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Comparative effectiveness (from the paper):&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Method&lt;/th&gt;
&lt;th&gt;Protection&lt;/th&gt;
&lt;th&gt;Speed&lt;/th&gt;
&lt;th&gt;Accessibility&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;VPN (WireGuard / OpenVPN)&lt;/td&gt;
&lt;td&gt;★★★★★&lt;/td&gt;
&lt;td&gt;★★★★☆&lt;/td&gt;
&lt;td&gt;★★★★☆&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Personal hotspot (4G/5G)&lt;/td&gt;
&lt;td&gt;★★★★★&lt;/td&gt;
&lt;td&gt;★★★★★&lt;/td&gt;
&lt;td&gt;★★★☆☆&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Tor Browser&lt;/td&gt;
&lt;td&gt;★★★★☆&lt;/td&gt;
&lt;td&gt;★★☆☆☆&lt;/td&gt;
&lt;td&gt;★★★☆☆&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;HTTPS only&lt;/td&gt;
&lt;td&gt;★★☆☆☆&lt;/td&gt;
&lt;td&gt;★★★★★&lt;/td&gt;
&lt;td&gt;★★★★★&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Auto-connect disabled&lt;/td&gt;
&lt;td&gt;★★★☆☆&lt;/td&gt;
&lt;td&gt;★★★★★&lt;/td&gt;
&lt;td&gt;★★★★★&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;h2&gt;
  
  
  6. What I took away from the project
&lt;/h2&gt;

&lt;p&gt;Three things stuck with me after the lab work:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;The interesting layer is human, not technical.&lt;/strong&gt; Every interesting failure mode I observed was a UX decision (auto-connect, hidden BSSID, identical SSID rendering) rather than a cryptographic weakness.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Live demonstrations change behavior more than warnings.&lt;/strong&gt; Showing classmates their own captured test credentials on a screen produced a sharper reaction than any infographic. That's why the deliverable is education, not tooling.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Reproducibility is half the value.&lt;/strong&gt; A one-off attack proves nothing. A documented, isolated, repeatable lab — with the exact tool versions and a step-by-step chain — is what makes the result useful to someone else.&lt;/li&gt;
&lt;/ol&gt;




&lt;h2&gt;
  
  
  7. Repository
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Repo:&lt;/strong&gt; &lt;a href="https://github.com/NovaCode37/eviltwin" rel="noopener noreferrer"&gt;https://github.com/NovaCode37/eviltwin&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Full paper (RU, ~21 pages):&lt;/strong&gt; &lt;code&gt;materials/ru/&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;English executive summary:&lt;/strong&gt; &lt;code&gt;docs/executive-summary.md&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Diagrams (Mermaid):&lt;/strong&gt; &lt;code&gt;diagrams/&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Award:&lt;/strong&gt; 3rd Place — Lomonosov Readings 2026, MAOU Gymnasium №16, Tyumen&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you build a similar lab or want to discuss any stage of the chain in more depth, I'd be glad to compare notes in the comments.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Disclaimer: All experiments were conducted on the researcher's own equipment, in a fully isolated virtual environment, using synthetic test credentials. This article is for educational and defensive purposes only.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>networking</category>
      <category>wifi</category>
      <category>beginners</category>
    </item>
    <item>
      <title>How I built a self-hosted alternative to Maltego and SpiderFoot (with AI analysis)</title>
      <dc:creator>Saveliy</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:31:24 +0000</pubDate>
      <link>https://dev.to/trulysoulless/i-built-an-open-source-osint-platform-with-20-recon-modules-and-ai-analysis-51f7</link>
      <guid>https://dev.to/trulysoulless/i-built-an-open-source-osint-platform-with-20-recon-modules-and-ai-analysis-51f7</guid>
      <description>&lt;p&gt;A few months ago, I started building PRISM — a self-hosted OSINT platform designed to replace the patchwork of CLI tools I was using for passive reconnaissance. What started as a weekend project grew into a full-stack application featuring 22+ modules, an AI analysis layer, and a real-time dashboard.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Problem
&lt;/h2&gt;

&lt;p&gt;If you have ever tried to investigate a domain or check what is publicly exposed about an email address, you know the friction: run &lt;code&gt;whois&lt;/code&gt;, then &lt;code&gt;dig&lt;/code&gt;, then check Shodan, then VirusTotal, then search usernames manually across sites, and finally paste everything into a document. It takes too much time, and it is easy to miss critical data.&lt;/p&gt;

&lt;p&gt;I wanted a single tool that handles all of these checks in parallel and presents the results in a unified dashboard.&lt;/p&gt;

&lt;h2&gt;
  
  
  What PRISM Does
&lt;/h2&gt;

&lt;p&gt;You enter a target — domain, IP, email, phone number, or username — and PRISM runs 22+ passive recon modules simultaneously:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Infrastructure &amp;amp; Threat Intel&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;WHOIS, DNS (A/MX/NS/TXT/CNAME/SOA), certificate transparency via crt.sh&lt;/li&gt;
&lt;li&gt;Shodan (open ports, services, CVEs), VirusTotal, AbuseIPDB&lt;/li&gt;
&lt;li&gt;Censys, and Wayback Machine&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Leaks &amp;amp; Dark Web&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Breach/credential leak lookup&lt;/li&gt;
&lt;li&gt;Email reputation (MX, SPF, DKIM, DMARC, disposable checks)&lt;/li&gt;
&lt;li&gt;SMTP mailbox verification&lt;/li&gt;
&lt;li&gt;Dark web .onion mirror checks via Ahmia and DarkSearch&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;People &amp;amp; Usernames&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Blackbird (async username search across 50+ platforms)&lt;/li&gt;
&lt;li&gt;Maigret (deep search across 3,000+ sites)&lt;/li&gt;
&lt;li&gt;Telegram user lookup&lt;/li&gt;
&lt;li&gt;Phone HLR validation&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;File Analysis&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;EXIF, GPS coordinates, and PDF/DOCX metadata extraction&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; 14 out of 22 modules work with zero API keys. The remaining modules utilize free-tier keys (Shodan, VirusTotal, Censys, etc.).&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Architecture &amp;amp; Stack
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;User → Next.js 14 Dashboard → FastAPI Backend → 22+ OSINT Modules → External APIs
                                    ↓
                              Scan Orchestrator (asyncio)
                                    ↓
                    WebSocket events → real-time progress in UI
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Backend:&lt;/strong&gt; Python 3.10+, FastAPI, asyncio, WebSockets, Pydantic, slowapi&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Frontend:&lt;/strong&gt; Next.js 14 (App Router), React, TypeScript, Tailwind CSS, Leaflet&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The backend runs each module as an async task. As modules complete, WebSocket events stream directly to the frontend, updating the per-module status and progress bar in real time. Results are cached per module with a 24-hour TTL.&lt;/p&gt;

&lt;h2&gt;
  
  
  AI Analysis &amp;amp; OPSEC Scoring
&lt;/h2&gt;

&lt;p&gt;After all modules finish, PRISM aggregates the results and sends them to an LLM via the free tiers of OpenRouter (Nvidia Nemotron) or Groq (Llama-3). The AI generates:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;An &lt;strong&gt;executive summary&lt;/strong&gt; highlighting the most critical findings&lt;/li&gt;
&lt;li&gt;A &lt;strong&gt;risk assessment&lt;/strong&gt; with prioritized action items&lt;/li&gt;
&lt;li&gt;An &lt;strong&gt;interactive chat&lt;/strong&gt; interface for follow-up questions about the scan data&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The AI consistently catches cross-module patterns that are hard to spot manually — such as correlating a leaked credential from one database with an exposed admin panel found in Wayback URLs.&lt;/p&gt;

&lt;p&gt;Additionally, the system computes a &lt;strong&gt;0–100 OPSEC Score&lt;/strong&gt; across four categories: data exposure, identity footprint, infrastructure vulnerabilities, and web security hygiene.&lt;/p&gt;

&lt;h2&gt;
  
  
  Security &amp;amp; What's New in v2.2
&lt;/h2&gt;

&lt;p&gt;The platform has been hardened with a strong focus on security and production readiness:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Hardened Auth&lt;/strong&gt; — API keys are accepted strictly via headers (&lt;code&gt;X-API-Key&lt;/code&gt; / &lt;code&gt;Bearer&lt;/code&gt;). Query-string tokens are rejected, and strict CORS is enabled by default&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Webhook Callbacks&lt;/strong&gt; — Complete scans trigger HMAC-signed payloads (&lt;code&gt;X-Prism-Secret&lt;/code&gt;). SSRF protection blocks private, loopback, and link-local IP addresses&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Mapping UI&lt;/strong&gt; — The legacy single-iframe GeoIP embed has been replaced with a native, multi-marker Leaflet map&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Localization&lt;/strong&gt; — HTML and PDF report exports now fully render in English, Russian, and German&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Quick Start
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;git clone https://github.com/NovaCode37/Prism-platform.git
&lt;span class="nb"&gt;cd &lt;/span&gt;Prism-platform
&lt;span class="nb"&gt;cp&lt;/span&gt; .env.example .env
docker compose up &lt;span class="nt"&gt;--build&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Open &lt;a href="http://localhost:3000" rel="noopener noreferrer"&gt;http://localhost:3000&lt;/a&gt; in your browser to run your first scan.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;GitHub:&lt;/strong&gt; &lt;a href="https://github.com/NovaCode37/Prism-platform" rel="noopener noreferrer"&gt;https://github.com/NovaCode37/Prism-platform&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;License:&lt;/strong&gt; MIT&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Looking for Contributors
&lt;/h2&gt;

&lt;p&gt;PRISM is fully open source. If you are looking to build up your resume or practice Python, TypeScript, or Docker, we have several open issues tagged as &lt;code&gt;good first issue&lt;/code&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Add French or Spanish locale support (translating a single JSON file)&lt;/li&gt;
&lt;li&gt;Add a Docker &lt;code&gt;HEALTHCHECK&lt;/code&gt; instruction&lt;/li&gt;
&lt;li&gt;Implement keyboard shortcuts for navigating result tabs&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Check out the &lt;a href="https://github.com/NovaCode37/Prism-platform/issues" rel="noopener noreferrer"&gt;GitHub issues&lt;/a&gt; if you want to contribute! I would love to hear your feedback: what modules or open data sources should we add next?&lt;/p&gt;

</description>
      <category>opensource</category>
      <category>security</category>
      <category>python</category>
      <category>webdev</category>
    </item>
  </channel>
</rss>
