Masto is an OSINT tool written in Python to gather intelligence on Mastodon users and instances.
Masto provides information/intelligence on Mastodon.social users and fediverse instances (servers). Masto OSINT Tool has been added as a Python package on PyPI --> https://pypi.org/project/masto/
Masto OSINT Tool helps to:
OSINT, whereas the mastodon.social (browser search bar) returns one result, as well as returning unreliable results, such as accounts that only start with osint
401 Search queries pagination is not supported without authentication
This is a nice feature: if you type social.network.europa.eu on Mastodon.social, you won't get a result, as the instance is set to not discoverable.
This function helps to:
https://pypi.org/project/masto/
pip install masto==2.0.5
git clone https://github.com/C3n7ral051nt4g3ncy/Masto.git
cd Masto
python3 setup.py install
Help:
masto -h
Search for user
masto -user {username}
Search for instance
masto -instance {instance_name}
| Use case 1 | Searching for a user and bypassing the profile directory opt-out |
|---|---|
Webbreacher
and @Webbreacher
1 result --> @[email protected]
Webbreacher
on Masto: 3 results --> ✅ 3 accounts found
counter.social profile, @Webbreacher's settings are --> user opted to be on the profile directory = False, this is why the browser search didn't find the counter.social profile!
🪄 Masto successful outcome: Masto found all 3 accounts.
| Use case 2 | Searching without getting a 401 error |
|---|---|
load more will give you a 401 error and request for the user to log in.
🪄 Masto successful outcome: You can use Masto without logging in to Mastodon, you won't get a 401 error.
| Use case 3 | Getting information on locked instances: |
|---|---|
🪄 Masto successful outcome: Masto found more information on the instance and on the admin, including email address.
| Use case 4 | Conducted a username search for Defcon: |
|---|---|
defcon, the Mastodon API returned 2 user accounts.
🪄 Masto successful outcome: Masto OSINT Tool picked up after the initial API search by doing a full scan and found 4 accounts.
The same username can be found across different instances (servers):
@[email protected]
| @[email protected]
| @[email protected]
<a rel="me" attribute which confirms you are behind the account, and will help avoid or detect impersonators.
python3 masto.py -u Gargron, the founder of Mastodon.social, this pulls a whopping 11 accounts!!! (keep in mind that the same username doesn't prove the 11 accounts belong to @Gargron {Gargron is the Mastodon Dev}).
python3 masto.py -i social.network.europa.eu
There is no global search, the server will reply with what it knows about. If it has not encountered the account, it will not return it in search results.
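As an added illustration of the rel="me" back-link mentioned above (this is not part of Masto or its author's code), the Python example below checks whether a website vouches for a given profile, which is how the genuine account can be told apart from a same-named account on another instance. The HTML, the hosts social.example and other.example, and the helper names are constructed for the example; requiring https and an exact profile match are assumptions made here.

```python
# Added example (not Masto code): check whether a website links back to a
# Mastodon profile with rel="me". HTML and URLs below are constructed samples.
from html.parser import HTMLParser
from urllib.parse import urlsplit


def normalize(url):
    """Lower-case scheme/host, drop query/fragment and trailing slash."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), (p.hostname or "").lower(), p.path.rstrip("/"))


class RelMeParser(HTMLParser):
    """Collects href values of <a> and <link> tags whose rel contains 'me'."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        # rel is a space-separated token list; match the token, not a substring
        rel_tokens = (a.get("rel") or "").lower().split()
        if "me" in rel_tokens and a.get("href"):
            self.links.append(a["href"])


def links_back(page_html, profile_url):
    """True only if the page has an https rel="me" link to this exact profile."""
    parser = RelMeParser()
    parser.feed(page_html)
    want = normalize(profile_url)
    return want[0] == "https" and any(normalize(h) == want for h in parser.links)


# Constructed sample: a personal site that vouches for one profile only.
SAMPLE_SITE = """
<html><head><link rel="me" href="https://social.example/@alice"></head>
<body>
  <a rel="noopener me" href="https://Social.Example/@alice/">Mastodon</a>
  <a href="https://other.example/@alice">no rel attribute, proves nothing</a>
  <a rel="menu" href="https://other.example/@alice">rel token is not 'me'</a>
</body></html>
"""

if __name__ == "__main__":
    for profile in ("https://social.example/@alice", "https://other.example/@alice"):
        print(profile, "->", "verified" if links_back(SAMPLE_SITE, profile) else "unverified")
```

An account that shares the username but has no back-link from a site the person controls stays "unverified", which matches the caution above that an identical username proves nothing about ownership.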
fediverse_instances.json file.
Featured on the UK OSINT website. UK OSINT is headed by Neil Smith, a true OSINT legend who has been using the internet as an investigative tool for well over 20 years.
Featured in Week in OSINT #2022-45
by @Sector035
Featured in the OSINT Stuff Tool Collection by @cipher387
Mentioned by @DailyOsint
Mentioned by @Treadstone71
Mentioned in this Secjuice investigation
Mentioned in MAG'OSINT March 2023 Issue
Huge thanks to @EduardSchwarzkopf for all his contributions to Masto OSINT Tool.
Thanks to @Webbreacher for his input, help and ideas. I learn a great deal from him, and he is a great instructor & inspiring person.
Thanks to sthierolf for contributing
Thanks to @Roman-Kasianenko for his help.
MIT License
Tool made for the OSINT and Cyber community, feel free to contribute code.