In this blog, we’ll look at what OSINT – Open Source Intelligence is and tools we can use to gather information about the target.
Reconnaissance is the most important process during penetration testing and red teaming because the more information we have, the more chances we can get into the system.
I. What is OSINT
Simply put, it’s the process of gathering intelligence obtained from open-source databases without interacting with the target system such as:
- Company and personal websites
- Search engines (Google, Shodan, Netlas, Bing,…)
- Social Media Network (Facebook, Youtube, LinkedIn, Instagram,…)
- IP & Domain Registrar details
- Leaked & hacked data dumps
II. OSINT Tools
Although the manual process will yield more accurate results but we can leverage tools to speed up the process which can help us correlate data easier. We’ll go over some of the tools that can often be used as follows:
- Shodan
- Netlas
- Maltego
- theHarvester
- recon-ng
- metagoofil
- whois
- DNS utilities (dig, nslookup, dnsdumpser)
- Various public database such as HaveIBeenPwned, Dehased (paid but worth it)
- Google Dorks (https://exploit-db.com/google-hacking-database)
There is another tool which is can extract document Meta-Data named FOCA which can help reveal valuable information such as:
- Usernames
- Email Addresses
- Date Information
- EXIF data in images
- Camera details
- Image Thumbnails
- GPS coordinates
- Creator
- Application Name
Hence, please don’t forget to keep everything documented as you recon the target because we need to connect all the dots together in order to find the weakest point to attack.
Explore our topics: IDS & IPS, Firewalls, Data Security, Secure WordPress, Network Attack Vectors, Nmap