Omnibus

General Information

https://github.com/InQuest/omnibus

# An Omnibus is defined as a volume containing several novels or other items previously published separately,
# and that is exactly what the InQuest Omnibus project intends to be for Open Source Intelligence collection, research, and artifact management.

# By providing an easy to use interactive command line application, users are able to create sessions to investigate various artifacts such as
# IP addresses, domain names, email addresses, usernames, file hashes, Bitcoin addresses, and more as we continue to expand.
# This project has taken motivation from the greats that came before it, such as SpiderFoot, Harpoon, and DataSploit.

# API keys
/projectfolder/etc/apikeys.json
# In CLI
> cat apikeys


Vocabulary

- Artifact:
   → An item to investigate
   → Artifacts can be created in two ways: using the "new" command, or by being discovered through module execution


- Session:
   → Cache of artifacts created after starting the Omnibus CLI
   → Each artifact in a session is given an ID to quickly identify and retrieve the artifact from the cache
   → Commands can be executed against an artifact either by providing its name or its corresponding session ID

- Module:
   → Python script that performs some arbitrary OSINT task against an artifact


Commands

# Main commands are
- session
- cat
- open
- new
- find


| Command | Description |
|---|---|
| session | Start a new session |
| new <artifact> | Create a new artifact for investigation |
| modules | Display a list of available modules |
| open <file path> | Load a text file list of artifacts into Omnibus as artifacts |
| ls | Show all active artifacts |
| rm | Remove an artifact from the database |
| wipe | Clear the current artifact session |
| cat <xx> | View beautified JSON database records |
| general | Overall commands such as help, history, quit, set, clear, banner, etc. |
| artifacts | Display commands specific to artifacts and their management |
| sessions | Display helpful commands around managing sessions |
| modules | Show a list of all available modules |


Artifacts

# After searching and analyzing, relationships begin to form and you can pivot through connected data points.
# These data points are called Artifacts within Omnibus and represent any item you wish to investigate.

# An artifact is one of the following types
- IPv4 address
- FQDN
- Email address
- Bitcoin Address
- File Hash (MD5, SHA1, SHA256, SHA512)
- User name

# Create a new artifact
new <artifact-name>

# Omnibus will auto-detect the artifact type and store a record of the artifact within MongoDB.
# This record holds the artifact name, type, subtype, module results, source, notes, tags,
# children information (as needed) and time of creation.
# Every time you run a module against a created or stored artifact, the database document will be
# updated to reflect the newly discovered information.


Sessions

# Sessions are temporary caches created via Redis each time you start a CLI session.
# Every time you create an artifact, that artifact's name is added to the Session along with
# a numeric key that makes for easy retrieval, searching, and action against the related artifact.

# Example
# If session ID 1 refers to the artifact haax.fr,
# you can run "virustotal 1" instead of "virustotal haax.fr"

# Sessions are here for easy access to artifacts and will be cleared each time you quit the command line session.
# If you wish to clear the session early, run the command "wipe" and you'll get a clean slate.
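The type auto-detection described under Artifacts and the ID-to-name mapping described under Sessions, modelled together as an added Python example. This is illustration written for these notes, not Omnibus's own code: the type/subtype labels, the regexes, and the in-memory Session stand-in for Redis are all assumptions.

```python
import ipaddress
import re

# Hex digest length -> hash subtype, for the hash types listed on this page.
HASH_SUBTYPES = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Legacy (1.../3...) base58 and bech32 (bc1...) address shapes; a format check only.
BTC_RE = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$|^bc1[a-z0-9]{25,59}$")
FQDN_RE = re.compile(r"^(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)

def detect_type(value):
    """Return an assumed (type, subtype) pair, checking the most specific shapes first."""
    v = value.strip()
    try:
        ipaddress.IPv4Address(v)
        return ("host", "ipv4")
    except ValueError:
        pass
    if EMAIL_RE.match(v):
        return ("email", None)
    # Hash before bitcoin: a zero-free 32-char hex string would also pass BTC_RE.
    if HEX_RE.match(v) and len(v) in HASH_SUBTYPES:
        return ("hash", HASH_SUBTYPES[len(v)])
    if BTC_RE.match(v):
        return ("btc", None)
    if FQDN_RE.match(v):
        return ("host", "fqdn")
    return ("user", None)  # anything else is treated as a username

class Session:
    """In-memory stand-in for the Redis session cache: numeric ID <-> artifact name."""
    def __init__(self):
        self.by_id, self.by_name = {}, {}
    def new(self, name):
        """Register an artifact (idempotent) and return its session ID."""
        if name not in self.by_name:
            sid = len(self.by_id) + 1
            self.by_id[sid], self.by_name[name] = name, sid
        return self.by_name[name]
    def resolve(self, ref):
        """Map a session ID such as '1' back to the artifact name; names pass through."""
        return self.by_id[int(ref)] if ref.isdigit() else ref
    def wipe(self):
        self.by_id.clear(); self.by_name.clear()

def parse_command(session, line):
    """Turn 'virustotal 1' into ('virustotal', 'haax.fr', ('host', 'fqdn'))."""
    module, ref = line.split(maxsplit=1)
    name = session.resolve(ref)
    return module, name, detect_type(name)
```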


Modules

# Typing the module name will show you the help information

# Supported modules
- Blockchain.info
- Censys, Clearbit, CSIRTG, Cymon
- DNS resolution, DShield (SANS ISC)
- Full Contact
- Geolocation, Github Username Search
- HackedEmails.com, HaveIBeenPwned.com, Hurricane Electric
- IPinfo, IPvoid
- Keybase username lookup
- Nmap Scanner
- OTX (AlienVault)
- PassiveTotal (RiskIQ), PGP Key Search
- RSS reader
- Shodan
- ThreatCrowd, ThreatExpert, Twitter
- URLVoid
- VirusTotal
- Whois, WhoisMind


Machines

# Machines are a simple way to run all available modules for an artifact type against a given artifact.
# This is a fast way to gather as much information on a target as possible using a single command.

# Run and wait (some minutes)
machine <artifact name | session id>

# Take care: it returns a large amount of data and many child artifacts