Open Source Intelligence (OSINT) is a set of skills used for reconnaissance and data gathering from publicly available information (e.g., search engines, public repositories, social media) to gain in-depth knowledge of a topic or target. When conducting an OSINT exercise in preparation for a penetration test, the testers may want to operate in a clandestine manner so as not to disclose their presence.
OSINT Process Steps:
- Source identification
- Harvesting (Active or Passive Reconnaissance)
- Data Analysis
- Results Delivery
Types of Reconnaissance:
- Passive reconnaissance – attempt to gain information about targeted computers and networks, using publicly available resources, without actively engaging with the systems.
- Active reconnaissance – type of computer attack in which an intruder engages with the targeted system to gather information about vulnerabilities.
Types of Data:
- Technology infrastructure:
  - IP, Hostnames, Services, Networks
  - Software / hardware versions, OS information
  - Network diagram
- Papers, articles, blogs, presentations, spreadsheets and configuration files
- Metadata –
- Personnel Info:
  - Employee data (Email and other personal information)
  - Social Media
- Browser Tools:
- Network Domain Info:
- Social Media Lookups:
  - Who.Unfollowedme – Twitter follower information
- Web Site Archives:
- Image Files:
- Wifi & IOT Devices:
- OSINT Framework – queries free search engines, resources, and tools for publicly available info.
- Maltego – Included in Kali Linux; collects footprints of any target
- Google Dorks – ways to query Google for specific information using search operators that may be useful.
- Nmap – open source utility utilized for security auditing and network exploration across local and remote hosts.
- Recon-ng – built in the Kali Linux distribution; used to perform reconnaissance on remote targets.
- Shodan – network security monitor and search engine focused on the deep web & the internet of things.
- OpenVAS (Open Vulnerability Assessment System) – open source version of Nessus used as a vulnerability scanner and security manager
- Fierce – IP and DNS recon tool written in Perl for finding target IPs associated with domain names.
- FOCA (Fingerprinting Organizations with Collected Archives) – analyze web servers and their hidden info. Collects data from MS Office, OpenOffice, PDF, as well as Adobe InDesign, SVG and GIF files. Works with Google, Bing and DuckDuckGo.
- YouTube: 'Solving CTF Challenges: Reconnaissance' (57:25)
- YouTube: 'Open Source Intelligence 101' (46:49)
- YouTube: 'HackMiami ' – OSINT 101 with Buscador and Maltegock'
- YouTube: 'Information Gathering with Kali Linux: Use Maltego to Gather & Visualize Information' (packtpub.com)
- How Can You Build Your Cyber Skills By Open Source Intelligence (Medium)
- OSINT Treasure Trove