"No exceptional circumstances whatsoever, whether a state of war or a threat of war, internal political instability, or any other public emergency, may be invoked as a justification of torture." -- U.N. Convention Against Torture
Doxing is a technique used to track, trace, and collect information on individuals or organizations online anonymously. The effectiveness of the dox is entirely based on the individual performing the dox and is directly proportionate to the doxer’s understanding of how information can be connected and shared. To perform a successful dox you must be able to analyze small bits of data and see where they fit in the big picture of your target. Having a large list and access to search tools will not make you a doxer. Googling someone does not make you a doxer. Doxing in my opinion is an art form and when performed correctly can yield utterly devastating results, often in as little as a couple of minutes.
Social Engineering will not be covered in this article and I will explain why. SEing and doxing are two separate techniques. One can be good at one and fail at the other. Effectively used together they can significantly affect the quality of your results, and they often are. But again, they are two separate topics. Doxing does not require any direct interaction between you and your target, which is why I describe it in the definition as anonymous. I will however mention a couple of SEing opportunities throughout this article to assist in explaining the technique.
The Goal and the Target:
When you begin a dox you are likely to not know the target in person and to have very few details to start out with. You may only have a name, or a username, or an email, or a phone number, and that is all. The goal of every dox is to acquire as much information as possible on the target. A “successful” dox does not fall into a preset list of variables that must be discovered in order to be successful. You may simply be looking for a connection or a specific piece of information. A “full” dox however is often listed as being able to achieve the following, in no particular order:
- Full Name
- Age / Birthday
- Usernames / Web Accounts
- Email Accounts
- IP Address
- Social Network Profiles
- Home Address
- Phone Number(s)
- Work / School Locations and Title
- Likes / Interests
- Family List
- Good Friend List
- Organization Affiliations
- Any other useful / interesting information
This list is more a guideline on information usually collected than a strict requirement. But if you hear someone say they want a full dox on someone this is generally what they want. Now, not all of this information may be found without the use of SE or some illegal techniques. IP addresses can be very difficult to come by whilst staying 100% anonymous. But I will discuss IP addresses further in a moment.
Let’s take a look at the information above. If a doxer were to successfully pull off a full dox on the target, just imagine what might play out if this information fell into the hands of an identity thief, stalker, rapist, someone with a grudge, or a hacker with their own motives.
Doxing isn’t all that bad however and has many legitimate uses. This is the reason why I refer to the person performing the dox as a “doxer” and not a “hacker,” as you will find in nearly every single other tutorial on the web. Though it will come in handy if you are building a custom dictionary *hint*. Legitimate uses can range from simple curiosity to safety precautions to law enforcement. I’ll give some examples. Say you need a babysitter and you want to ensure they aren’t someone who might leave your child in an unsafe situation. You perform a dox and determine that they like to throw parties while babysitting, with picture proof. This information won’t be included in a paid background check. Another example would be if you are conducting business online and you want to determine if the individual is a known scammer or appears to be trustworthy. Let’s take a look at law enforcement. A teen vanishes into thin air and there isn’t a single clue on their whereabouts. In some cases doxing can lead to suspects and potentially even a location. Or suppose your website is defaced and the skiddies left a big logo of their group on your front page claiming credit. I have personally mapped out more than a couple hacker groups and scamming organizations to a full, or near full dox of every single one of their members, just because the information was there to be found and by simply following the breadcrumbs.
How it’s possible:
If you are brand new to this technique or this is the first time you are hearing about it, this may appear scary. You should be thinking about whether you are vulnerable to being doxed. Prevention will be discussed last as it would be amateur to explain how an attack works and not how to defend against it. Now, in order for this information to be collected it must first be posted. That means that the information that can be found on the target will 99% of the time be posted by the target themselves! We live in an age where social media sites have exploded; Facebook, Twitter, many others. Not only is it all the rage but you can access these sites from anywhere. I couldn’t believe it when I first heard about Facebook allowing the tagging of yourself and friends at a location / “checking in”. At first this sounds harmless and fun. People know where the party is at let’s do this! Or this gem; “Hey lost all my contacts. My new number is (#) text me!” Although social media is not the only place where people will freely give out their personal information, it is a treasure trove that should be sought after by any doxer. Forums, Craigslist, Instagram, etc. all seem to come with a free spirit of posting personal details.
Performing a Dox:
In this portion we will cover some of the ways this is all done. Remember, having the tools or even knowing the common techniques won’t make you a doxer. You must pay attention to the details and follow the leads specific to your target. Your own ability to do this will determine the outcome of your results and if you are new to this, it takes practice.
What I’m going to say next will shatter some of your minds.
Google won’t tell you everything! Google won’t give you all the results. Google will miss, not be able to find, and straight up deny showing what it is you are looking for. But, Google is the best tool at your disposal. That means you need to know how to use it effectively. If all you know how to do is simply type in what you seek and hit search you need to get on this right away: http://www.googleguide.com/
Knowing how to Google can mean the difference between a failed dox and a successful dox. It will also make your task easier. I’ll give one example;
You have a phone number and you want to see any other listings for it. You type in the number and it shows some results, but then the results aren’t the exact number and are out of order. Throw quotations around it. Awesome, now you don’t want to see all the reverse phone number lookups and such. So you change your search to look like this:
Bam, there is a post on craigslist that would have normally been on page 70 of a regular search. That is only the tip of the iceberg of what you can do. Go check that guide.
A lot of this information applies across the board so I will start to narrow down to what you might need to know when searching for and using a given piece of information. Keep that in mind.
Emails are a meal ticket. If you are performing a dox, you want them. Sometimes you start with just an email address and sometimes you don’t. Let’s start by saying this is your starting point. If you have an email address one of the first things you should check is the security measures on the email address (after googling it of course and pulling those results). This tips the scales between being legal and illegal. Only doing this is still technically legal; if you take it further then not so much. Go to the client and without attempting to login to the email select the ‘Forgot Password’ option. This should ALWAYS be done using a proxy or VPN. Some clients will log IPs of those clicking on this link. Same goes for attempting to login. You will normally see 1 of 3 things: security questions, a backup email account, or a phone number with only the last 2 digits in plain text. Take note of whatever you see. Let’s break this down. Security questions are very vulnerable and are most commonly questions that are geared for the user to remember. This information also happens to be a common discussion topic among friends. “What is your pet’s name?”, “What was your high school mascot?”, “Where were you born?” You know these questions. I don’t need to list them all. A backup email usually has a couple of asterisks to prevent you from seeing the full email. But through your dox you are likely to piece it together, so copy it down. Finally the phone number will only show you the last 2 digits. What you probably don’t know is that using various people searches you can sometimes find the first 6 digits in plain text and the last 4 blanked out. That means you only need to decipher 2 digits to have the complete number. It is also a good reference if you already have the target’s number to make sure they line up. This is good to check before attempting to break into the email if you know it’s an old number so they don’t get texted by the client about the break-in. Oh right, that’s illegal.
Moving on then.
Emails can also give you direct links to social media profiles. There used to be a separate unlisted search page to search Facebook by email but it has since been integrated into the normal search bar. This makes it easier for you. Try it.
Emails flow right into this area of focus and vice versa. A lot of times the username is the same as the email address without the @ and what follows. Plug and play with these. You will get lucky a lot of times and find the target’s email address this way. Usernames can also be one of two things: very unique or very common. The unique ones make it easier to find when googling and should be a focus point for you if they are. If they are common don’t become discouraged, it just means more data to sift through. But you will eventually make your connections.
4. IP Addresses
Just to get this out of the way. As previously mentioned it will be tough to pull IP addresses without some basic SE. But if you do have one, make sure you cross reference a couple of IP lookups to correctly determine a location if you don’t already have a trusted one that you already use, as this information is very often incorrect.
5. Phone Numbers:
Numbers can be a hassle and can prove very difficult to find as most people often feel a bit uncomfortable posting their numbers out in public. This is where SE will help, especially if you know their work email address. A lot of times, for work emails, people will have their signature set up to show their title, work location, and contact information to make communication between other employees easier. Refer to my example of Google searching above when searching out number connections. Did I mention you can also find Facebook accounts by putting a phone number in the search bar? Yep. If they have it listed in their profile or in the account, you bet. Not a 100% guarantee but it does work enough to take a second to check.
6. Language Comparisons:
If you are running dry and having difficulty making connections you might want to try this. Language comparisons are something you should watch out for anyway though. I once doxed a guy who liked to Capitalize The First Letter Of Every Word Just Like This. It made tracking him pretty easy. But something else to try is taking information already posted and searching for just that. Suppose we have an individual come into the forums asking for someone to hack a website. No emails listed on their profiles and the username is yielding nothing. But do a quoted search of part of one of his sentences and now we find he has posted the exact same question in 5 different locations. From which we then find his email address, then his Facebook, his phone number, and it turns out the website belongs to a guy he goes to school with who stole his girlfriend away from him.
That being said, that is how I found out that my first two articles were straight copypasta to other sites and the “author” claimed credit for writing them. Now I personally don’t mind this too much if you want to do it, albeit annoying. Just at the very least say you got it from HTS.
Profiles can contain a little or a lot. We already know social media profiles provide a plethora of information. But any site your target has an account on you need to check the profile to see what is listed. You may find another piece of information that you didn’t already have.
8. People Searches
This is big and is exactly where Google will fail you. There are sites that are by design made to search specifically for profiles and public records. Google won’t do this because as an admin of a site you can prevent Google Bots from doing their thing. You need to already know the profile URL location of the sites for people searches to work (if by username or email). I will say this, a lot of them suck, and a lot of them want money. But there are some out there that can prove invaluable in your doxing endeavors.
This is huge. Image trails can and will often be your yellow brick road. Pinterest, Instagram, Imgur, Reddit, 4chan, pictures everywhere all day every day. Often posted with complete disregard for what pictures can yield. In some cases with some work you can pull original file names (i.e. names of who the picture is of, id codes of social media profiles and camera information), dates of creation (taken), and sometimes even GPS location if taken with a phone. But even if you don’t know how to do that you can still find solid connections to various accounts in question if you find the same pictures. I’ll explain this with an example. You find a picture of a girl flashing her breasts. It’s hosted on Imgur. You look to the right and see her Imgur account name and click on it. Now you see her other files and some pictures of her and her family. Now search by image and find her Facebook, she is only 16. Imgur and Instagram are vulnerable to the careful observer finding your other pictures. Imgur will not however show images not in a file and not in files listed as hidden. Instagram tries to prevent you from seeing the account on the main site but with webstagram you can see it all.
Now I just mentioned searching by image. There are two ways to do this. You can use a website designed to do so, but like before most of them suck. Or you can use Google. An image search site will give you the option to upload or use a link. With Google you can only use a link. So if you have a downloaded image, upload it somewhere first then use that link. To use Google’s image search simply throw in the image link and it will say no results found (most likely) due to it searching for the link and not the image. It will then give you the option to search by image; doing this will show other locations for the same image and like images. This can be extremely handy. Now, if you search for an image link and it actually gives you normal search results, you can instead throw this up in your URL to search by the image if Google doesn’t give you the option:
Prevention should be pretty apparent by now. This has been said before and now you can see why.
- Use different email accounts.
- Create common usernames and don’t reuse them.
- Do not allow profiles to list your email address and other personal details.
- Ensure all profiles that can be private are.
- Don’t post all of your information all over the place!
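An added example (not part of the original article) for the defensive side of the image section above: since posted photos can carry Exif GPS coordinates, camera details and timestamps, this strips the metadata segments from a JPEG before it is uploaded. The function names and the sample bytes are constructed for illustration, and only the JPEG format is handled.

```python
import struct

# Header segments that routinely carry identifying data (this example's choice):
# APP1 = Exif (GPS, camera, timestamps) and XMP, APP13 = IPTC, COM = comments.
METADATA_MARKERS = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}
SOS = 0xDA  # start of scan: compressed image data follows

def _segments(data: bytes):
    """Yield (marker, start, end) for each segment after the SOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:  # keep the scan and everything after it verbatim
            yield marker, pos, len(data)
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, end
        pos = end

def find_metadata(data: bytes) -> list[str]:
    """Names of metadata segments present, in file order."""
    return [METADATA_MARKERS[m] for m, _, _ in _segments(data)
            if m in METADATA_MARKERS]

def strip_metadata(data: bytes) -> bytes:
    """Return the JPEG with Exif/XMP, IPTC and comment segments removed."""
    kept = [data[s:e] for m, s, e in _segments(data)
            if m not in METADATA_MARKERS]
    return b"\xff\xd8" + b"".join(kept)

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: structurally valid JPEG segments, not a real photo.
SAMPLE = (b"\xff\xd8"
          + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"Exif\x00\x00" + b"constructed-gps-and-camera-block")
          + _seg(0xFE, b"constructed comment")
          + _seg(0xDB, b"\x00" + bytes(64))
          + b"\xff\xda\x00\x01\x02\xff\xd9")
```

Run `find_metadata` on the output of `strip_metadata` to confirm nothing is left. The file name is not stored inside the image, so rename the file separately before posting.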
In conclusion, I hope this provides you a decent head start into the world of doxing. There are more advanced techniques and some that I did not mention. I like to encourage some work on the reader to seek out and learn on their own. You will remember more that way. Now if you are interested, in the forums I have hosted a doxing challenge that I have personally created and manage if you want to give doxing a test run. It can be found here:
If anyone has any questions or wishes to discuss or add some of their techniques and tools please do so. Thanks for reading.
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.