Open Source Intelligence (OSINT) Techniques (en)
Open Source Intelligence (OSINT) techniques are methods of gathering information from open and public sources. They are typically used in the passive reconnaissance phase. OSINT involves using various tools, techniques, and platforms to search for public information that helps a pentester or attacker understand their target.
Here are some commonly used OSINT techniques:
Search Engine Dorking
- Using specific queries or keywords in search engines (Google, Bing, etc.) to find sensitive information, such as server misconfigurations, publicly exposed files, or internal documents.
- Examples of tools: Google Dorks, Bing Dorking
Social Media Scraping
- Collecting information from social media such as LinkedIn, Facebook, and Twitter to learn the organizational structure, employee details, email addresses, or other relevant information. Many tools for this are available on github.com.
- Examples of tools: Maltego, SpiderFoot
DNS and WHOIS Enumeration
- Searching WHOIS systems and DNS records to identify details related to domains, servers used, IP addresses, and domain owner information.
- Examples of tools: WHOIS Lookup, DNSDumpster
Email Harvesting
- Collecting email addresses associated with a specific domain or organization through websites, forums, social media, or even publicly available email leaks.
- Examples of tools: Hunter.io, theHarvester
Metadata Extraction
- Extracting metadata from documents or image files available on the internet, which can provide important information such as the software version used, the user, or the location where the file was created.
- Examples of tools: ExifTool, FOCA
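The fields this section refers to are easiest to see in an Office document, where they sit in a small XML part inside the zip container. The following is an added example (not code from the original page and not ExifTool or FOCA): it extracts author, last editor and timestamps from a .docx with only the Python standard library, and scrubs them before the file is published. The .docx is a constructed stand-in that contains only the `docProps/core.xml` part and a placeholder body; the user and company names in it are made up.

```python
import io, zipfile
import xml.etree.ElementTree as ET

# Namespaces of the Office Open XML core-properties part (docProps/core.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Fields that most help a reconnaissance effort: who wrote the file and when.
FIELDS = ("dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified")


def build_sample_docx() -> bytes:
    """Constructed stand-in for a .docx: a zip holding only the parts we need."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}"><dc:creator>j.doe</dc:creator>'
            "<cp:lastModifiedBy>EXAMPLE\\j.doe</cp:lastModifiedBy>"
            "<dcterms:created>2023-04-01T09:12:00Z</dcterms:created></cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<document/>")  # body placeholder
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return the identifying core-property fields present in the file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return found  # nothing to report: the part is absent
        root = ET.fromstring(zf.read("docProps/core.xml"))
    for field in FIELDS:
        el = root.find(field, NS)
        if el is not None and el.text:
            found[field] = el.text
    return found


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Rewrite the archive with the core-properties part emptied out."""
    empty_core = f'<cp:coreProperties xmlns:cp="{NS["cp"]}"/>'.encode()
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                data = empty_core  # drop author, editor and timestamps
            dst.writestr(item.filename, data)
    return out.getvalue()
```

Note that `lastModifiedBy` often carries a domain-qualified account name, which is exactly the kind of detail an email-harvesting or social-media step can pivot on; running the scrub over a publishing pipeline removes it without touching the document body.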
Public Code Repositories
- Searching public code repositories such as GitHub for application code, technical documentation, or API keys and other secrets that developers have failed to remove before publishing.
- Examples of tools: GitHub, GitLab, Bitbucket
Online Footprint Mapping
- Mapping the target's online footprint, including websites, subdomains, servers, and cloud services in use, as well as its change history and service architecture.
- Examples of tools: Shodan, Censys
Breached Database Search
- Searching for information that may have been leaked in previous data breach incidents to obtain login credentials or other sensitive data.
- Examples of tools: Have I Been Pwned, Dehashed
Website Scraping and Analysis
- Retrieving data from the target website, including page structure, comments, JavaScript, or other elements that can help understand the architecture of the system or application.
- Examples of tools: Wget, Scrapy, Burp Suite
Benefits and Risks of OSINT
Benefits
- OSINT allows attackers or pentesters to gather information without directly disrupting the target system.
- Information obtained from OSINT can be used to develop a more effective attack strategy.
- The technique is legal when it is confined to public information and used for ethical purposes.
Risks
- The same public information, if left exposed, can be used by attackers to prepare real attacks.
- Companies should know how much of their information is publicly accessible through OSINT, so they can reduce the risk by limiting their digital footprint.
OSINT is an important component in the process of penetration testing and cyber investigations, because it provides an initial picture of the target without leaving too obvious a digital footprint.