Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/c3n7ral051nt4g3ncy/masto
Masto is an OSINT tool written in python to gather intelligence on Mastodon users and instances.
- Host: GitHub
- URL: https://github.com/c3n7ral051nt4g3ncy/masto
- Owner: C3n7ral051nt4g3ncy
- License: other
- Created: 2022-11-07T01:39:43.000Z (about 2 years ago)
- Default Branch: master
- Last Pushed: 2023-10-05T18:26:56.000Z (over 1 year ago)
- Last Synced: 2024-05-23T04:54:13.139Z (8 months ago)
- Topics: mastodon, mastodon-api, mastodon-social-network, open-source, open-source-community, open-source-intelligence, osint, osint-tool, python, python-script, python3, social, social-media, social-network
- Language: Python
- Homepage: https://mastodon.social
- Size: 6.91 MB
- Stars: 230
- Watchers: 5
- Forks: 24
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Security: security_bandit.md
README
# **Masto OSINT Tool**
[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
[![security: bandit](https://img.shields.io/badge/security-bandit-green.svg)](https://github.com/PyCQA/bandit)
[![MIT License](https://img.shields.io/pypi/l/ansicolortags.svg)](https://github.com/C3n7ral051nt4g3ncy/Masto/blob/master/LICENSE)
[![HitCount](http://hits.dwyl.com/C3n7ral051nt4g3ncy/Masto.svg)](http://hits.dwyl.com/C3n7ral051nt4g3ncy/Masto)
[![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/dwyl/esta/issues)
[![PyPI version](https://badge.fury.io/py/masto.svg)](https://badge.fury.io/py/masto)
## 🐘 **About Masto**
**Masto provides information/intelligence on [Mastodon.social](https://mastodon.social) users and fediverse instances (servers).**
Masto OSINT Tool has been added as a Python package on PyPI --> https://pypi.org/project/masto/
- Latest version --> https://pypi.org/project/masto/2.0.5/
## 🚀 **Masto capabilities**
**Masto OSINT Tool** helps to:
- Find user ID
- Find exact username match across instances (the tool currently pulls many accounts with the username **```OSINT```**, whereas the mastodon.social browser search bar returns one result, as well as returning unreliable results, such as accounts that only start with ```osint```)
- Find all accounts belonging to a user without logging in to Mastodon (**Mastodon requires users to log in and after 5 results you get**: ```401 Search queries pagination is not supported without authentication```)
- Find username correlation (can't be found by browser)
- Check if the user is a bot
- Check if the account is a group
- Check if the account is locked
- Check if the user opted to be listed on the profile directory
- Get avatar link with an **additional choice** of opening the avatar within your browser
- Get profile creation date
- Get number of followers & following
- Get number of posts
- Get user last status date
- Get user's bio

### **Additional instance (server) feature**
**This is a nice feature**: if you type ```social.network.europa.eu``` on [Mastodon.social](https://mastodon.social/search), you won't get a result as the instance is set to ```not discoverable```.

**This function helps to**:
- Get information on an instance
- Get instance Admin ID
- Get instance email
- Get a short description
- Get server thumbnail link
- Get instance creation date
- Get instance language used
- Get instance admin count of followers and following
- Get instance admin last status date
- Get header image link and avatar link
- Get instance display name
- Get admin url
- Get admin avatar
- Check if instance admin account is locked
- Check if registration is required and if the admin needs to approve the request
- Check if the admin is a bot
## Masto Workflow
![](assets/workflow.png)
## 🛠️ **Installation**
### Using PyPI
https://pypi.org/project/masto/
```pip install masto==2.0.5```
### Using GitHub
```bash
git clone https://github.com/C3n7ral051nt4g3ncy/Masto.git
cd Masto
python3 setup.py install
```
## 👨💻 **Usage**
- Help:
```masto -h```
- Search for user
```masto -user {username}```
- Search for instance
```masto -instance {instance_name}```
## ⭐ **Tool use cases**
| **Use case 1** | **Searching for a user and bypassing the profile directory opt-out**|
| ---------------- |:------------------------------------------------------------------:|

- Tried searching via browser both terms `Webbreacher` and `@Webbreacher` **1 result** --> `@[email protected]`
- Searched `Webbreacher` on **Masto**: **3 results** --> ✅ 3 accounts found
- On the `counter.social` profile, `@Webbreacher's` settings are --> user opted to be on the profile directory = `False`, this is why the browser search didn't find the counter.social profile!

🪄 **Masto successful outcome**: **Masto found all 3 accounts**.

|**Use case 2** | **Searching without getting a 401 error**|
| ---------------- |:----------------------------------------:|

- Many people don't want an account on Mastodon, and if you don't have an account, you can search on Mastodon, but you will only get 5 results.
- Clicking on `load more` will give you a 401 error and request for the user to log in.

🪄 **Masto successful outcome**: **You can use Masto without logging in to Mastodon**, you won't get a 401 error.

|**Use case 3** | **Getting information on locked instances**:|
| ---------------- |:-------------------------------------------:|

- Tried searching for the instance [0sint.social](https://0sint.social/about), there isn't much information via a browser search because it's locked.

🪄 **Masto successful outcome**: **Masto found more information on the instance and on the admin, including email address.**

|**Use case 4** | **Conducted a username search for Defcon**:|
| ---------------- |:-------------------------------------------:|

- Conducted a search with Masto for the username ```defcon```, the Mastodon API returned 2 user accounts.

🪄 **Masto successful outcome**: **Masto OSINT Tool picked up after the initial API search by doing a full scan and found 4 accounts.**

## 🐘 **Mastodon.social understanding**
The **same username** can be found across different instances (servers):
- example: ```@[email protected]``` | ```@[email protected]``` | ```@[email protected]```
- Finding the same username on different instances does not prove it's the same person behind each account.
- Each instance can only have **one unique username** in the server. Tip: verify your account with the `

## 👤 **Testing on known users and instances**
- For a username test, try: ```python3 masto.py -u Gargron```, the founder of [Mastodon.social](https://mastodon.social), this pulls a whopping 11 accounts!!! (keep in mind that the same username doesn't prove the 11 accounts belong to @Gargron {Gargron is the Mastodon Dev}).
- For an instance test, try: ```python3 masto.py -i social.network.europa.eu```
## :white_circle: **Mastodon API reliability issues**
- You may know of a valid user and have the link to the user's profile, yet when you input the username on Masto you get no result.
- I asked the Mastodon Team about this API issue, they replied:

> There is no global search, the server will reply with what it knows about. If it has not encountered the account, it will not return it in search results.

- 🟢 **Masto v2.0 fixes this**, the scan of Masto's own json instances list comes in support of Mastodon's API and picks up on things the API missed.
- **v2.0 is 100% reliable** if the server is listed in the Masto ```fediverse_instances.json``` file.
- This fix is thanks to [@Webbreacher](https://github.com/WebBreacher) who suggested this feature.
## Community mentions about Masto
- Featured on the [UK OSINT](https://www.uk-osint.net/mastodon.html) website. UK OSINT is headed by [Neil Smith](https://twitter.com/UKOSINT), a true OSINT legend who has been using the internet as an investigative tool for well over 20 years.
- Featured in [Week in OSINT](https://sector035.nl/articles/2022-45) `#2022-45` by [@Sector035](https://github.com/Sector035)
- Featured in the [OSINT Stuff Tool Collection](https://cipher387.github.io/osint_stuff_tool_collection/) by [@cipher387](https://github.com/cipher387)
- Mentioned by [@DailyOsint](https://twitter.com/DailyOsint/status/1604827757426475008?s=20&t=W0v5uwWLaXgtQ1Ncn3G0Qg)
- Mentioned by [@Treadstone71](https://twitter.com/Treadstone71LLC)
- Mentioned in this [Secjuice investigation](https://www.secjuice.com/mastodon-child-porn-pedophiles)
- Mentioned in [MAG'OSINT March 2023 Issue](https://www.aege.fr/global/gene/link.php?news_link=2023113354_mag-osint-13-aege.pdf&fg=1)
## 🙏 **Thanks**!
Huge thanks to [@EduardSchwarzkopf](https://github.com/EduardSchwarzkopf) for all his contributions to **Masto OSINT Tool**.
Thanks to [@Webbreacher](https://github.com/WebBreacher) for his input, help and ideas. I learn a great deal from him, and he is a great instructor & inspiring person.
Thanks to [sthierolf](https://github.com/sthierolf) for contributing.
Thanks to [@Roman-Kasianenko](https://github.com/Roman-Kasianenko) for his help.
## 📝 **License**
[MIT License](https://opensource.org/licenses/MIT)
*Tool made for the OSINT and Cyber community, feel free to contribute **```code```** .*