Open Source Intelligence (OSINT) is a critical phase in cybersecurity that involves the process of gathering information about an organization or a target, often to identify vulnerabilities that malicious actors could exploit. Footprinting and reconnaissance are integral components of OSINT, enabling security professionals to assess an organization’s digital footprint, discover potential entry points, and understand the structure and personnel within the organization.
OSINT Framework
The OSINT Framework is a comprehensive resource that plays a pivotal role in open source intelligence (OSINT) operations. OSINT encompasses the legal gathering of information from various public sources, such as text, images, videos, public speeches, and more, about individuals or organizations. The data collected can serve multiple purposes, from malicious activities to penetration testing and security analysis. The OSINT Framework simplifies the process of gathering intelligence by providing access to a wide array of tools and resources that cover tasks like email address harvesting, social media searching, dark web exploration, and much more.
The OSINT Framework acts as a valuable starting point for anyone looking to delve into the world of open source data and discover an array of powerful tools for gathering intelligence. For more detailed information, you can explore the OSINT Framework at https://osintframework.com/.
Footprinting & Reconnaissance
Identifying Entry Points
One of the primary objectives of the footprinting phase is to identify potential entry points into the target organization’s network. This involves collecting data on specific IP addresses, domains, subdomains, and other infrastructure elements. Attackers can leverage this information to identify weak spots that may be exploited to gain unauthorized access.
Understanding the Organizational Structure
A comprehensive understanding of the target organization’s structure is essential for conducting successful reconnaissance. Knowing how the organization is organized, including its departments, subsidiaries, and hierarchy, can be crucial in pinpointing potential targets or points of contact within the organization.
Employee Information
Another aspect of footprinting is the collection of information about the employees of the organization. Attackers may seek to identify key personnel, their roles, and contact details. This information can be used in social engineering attacks or to tailor phishing campaigns.
Organization Structure
The following services provide information about the organizational structure:
- Hunter.io
- Theorg.com: in addition to the organization’s information, it also reveals the e-mail services in use, such as Outlook.
- Clearbit Connect
- http://phonebook.cz/
- RocketReach
- Apollo.io
Breach Lookup
- Have I Been Pwned: A free service that checks if an email address has been part of a data breach.
- IntelX: A semi-free tool that archives breaches, pastes, and websites, showing leaked data.
- Breach Directory: A free tool that shows leaked data and supports multiple types of information.
Public Documents
- Data.occrp.org: Provides access to public documents that may be difficult to obtain through other means.
Public Records
- Xlek: Offers comprehensive records for free, particularly useful for records in the USA.
- Thatsthem: Supports multiple lookups (email, address, name, etc.) and provides financial information.
Social Media Hunting
- Sherlock: A free tool with no rate limits that searches for social media profiles.
- Blackbird: A free tool that quickly checks a large number of social media platforms.
- Knowem: Offers searches across over 500 social networks.
- Namecheckr: A fast and reliable tool for checking the availability of usernames on various platforms.
- Social-Searcher: A tool that searches for mentions instead of profiles, allowing you to filter results.
- Whatsmyname.app: A free tool that provides links to social media profiles, is fast, and allows result export.
Types of Scans
- Active Scanning: Active scanning involves making direct contact with the target systems to gather information. It can yield fast and accurate results, but it has a downside: it may alert the target organization to the scanning activity, and the attacker’s anonymity is compromised.
- Passive Testing: Passive testing, on the other hand, does not involve direct contact with the target. Instead, third-party resources are used to gather information without alerting the target. This approach can be more discreet but may yield less detailed results.
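The reason active scanning "may alert the target" is that a burst of connections to many different ports from one source stands out in firewall logs. The block below is an added example of that detection logic, not code from this page: it parses constructed firewall-style log lines (RFC 5737 documentation addresses) and flags any source that touches at least ten distinct destination ports inside a sliding 60-second window. The log format, thresholds and field names are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log lines. 203.0.113.5 probes twelve different
# ports within a few seconds, the kind of burst an active scan produces;
# 198.51.100.7 is ordinary client traffic; the last line is deliberately
# malformed to show that unparsable input is skipped rather than crashing.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d}Z src=203.0.113.5 dst=192.0.2.10 dport={p} action=DROP"
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080])
] + [
    "2024-05-01T10:00:05Z src=198.51.100.7 dst=192.0.2.10 dport=443 action=ACCEPT",
    "2024-05-01T10:00:09Z src=198.51.100.7 dst=192.0.2.10 dport=443 action=ACCEPT",
    "2024-05-01T10:00:20Z src=198.51.100.7 dst=192.0.2.10 dport=80 action=ACCEPT",
    "this line is deliberately malformed and must be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=10):
    """Flag every source that touched at least `min_ports` distinct destination
    ports inside any `window`-long span. Returns one alert dict per source,
    reporting the busiest window seen for that source."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        best, best_span, start = 0, None, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) > best:
                best, best_span = len(ports), (evs[start]["ts"], evs[end]["ts"])
        if best >= min_ports:
            alerts.append({"src": src, "distinct_ports": best,
                           "first_seen": best_span[0], "last_seen": best_span[1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(f"possible port scan from {alert['src']}: "
              f"{alert['distinct_ports']} ports between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
```

The same twelve ports spread over a couple of minutes per probe would not trip this rule, which is exactly the trade-off the passive approach exploits: slower or indirect collection produces less signal for the defender to key on, so window length and port threshold should be tuned against the organisation's own baseline traffic.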
Websites for Collecting Information
- Search Engines: Search engines like Google are valuable tools for collecting information. Advanced search techniques, often referred to as “Google Dorks,” allow for precise searches to extract specific information.
- Searchdns.netcraft: Netcraft’s search engine specializes in gathering information about an organization’s domain name system (DNS). It is a powerful resource that hackers may use to identify vulnerabilities in an organization’s DNS server, potentially redirecting traffic.
- Shodan: Shodan is known as the “search engine for hackers.” It scans the entire internet and reveals open ports in various organizations. In some cases, it may even provide passwords, making it a valuable resource for reconnaissance.
- GHDB (Google Hacking Database): GHDB is a repository of pre-made Google Dorks organized by topic. These dorks can be used to execute precise Google searches and uncover sensitive information.
- Black Widow: Black Widow is a crawler and spider tool that navigates websites, maps their content, and can download information. This tool is particularly useful for systematically exploring websites for potential vulnerabilities.
- Censys: Censys is another valuable resource that scans the internet and compiles data on hosts and their corresponding services. It can be used to identify potential weaknesses in target systems.
Whois & DNS
- Whois Engines: Whois engines provide extensive details about websites and their domain registrations. The “whois” command can be used to query the registration details of a domain name.
- Dmitry: Dmitry is a tool that offers comprehensive information about a specific website, including its IP address, hosting provider, and more.
- Traceroute: Traceroute is a network diagnostic tool that traces the path taken by packets from your location to a target server. It reveals the routers and hops in between, helping to map the network topology. It works by sending probes with increasing time-to-live (TTL) values, so each router on the path identifies itself when it discards an expired probe; adjusting the TTL options controls how many hops are examined and gives detailed information about each one.
- Maltego: Maltego is a graphical user interface (GUI) tool available on Linux systems. It is used to search the internet for information related to a specific target. It is particularly effective in visualizing and analyzing the collected data.
- Recon-ng: Recon-ng is a powerful tool for collecting information about a network. It is commonly found in Kali Linux, a popular penetration testing distribution.
- Foca: Foca is a GUI tool that performs tasks similar to Recon-ng, making it easier to extract valuable information about a target.
- Sublist3r: Sublist3r is a tool designed to search for subdomains associated with organizations. It employs Google searches and brute-force techniques to discover subdomains, making it a useful resource for identifying potential entry points.
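The "whois" entry above says the command returns extensive registration details; in practice that output is a loose "Key: Value" listing with repeated keys (one Name Server line per server) and free-text notices mixed in. The block below is an added example, not code from this page or from any whois tool: a small parser for that layout plus a summary that pulls out registrar, creation and expiry dates, name servers and DNSSEC status, and flags an expiry within 30 days. The whois text is constructed with placeholder values, and the 30-day threshold is an assumption.

```python
from datetime import datetime
from typing import Optional

# Constructed whois response in the common "Key: Value" layout that registry
# whois servers return. Registrar, dates, IDs and name servers are placeholders
# for this example, not the result of a real lookup.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.example-registrar.test
Registrar: Example Registrar, LLC
Updated Date: 2024-08-14T07:01:34Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
DNSSEC: signedDelegation
>>> Last update of whois database: 2024-09-01T12:00:00Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire.
"""

KEY_OK = r"^[A-Za-z][\w /.-]{0,40}$"


def parse_whois(text: str) -> dict[str, list[str]]:
    """Collect every 'Key: Value' line into key -> list of values. Keys may
    repeat (Name Server), so values are kept as lists. Blank lines, '>>>'
    markers and lines that do not look like a field are ignored."""
    import re
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value or not re.match(KEY_OK, key):
            continue
        fields.setdefault(key, []).append(value)
    return fields


def _parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse the ISO-8601 UTC timestamps used in the sample; None if absent."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ") if value else None


def domain_summary(text: str, today: str) -> dict:
    """Pick out the fields a defender usually cares about. `today` is an
    ISO date (YYYY-MM-DD) so the expiry check is deterministic."""
    f = parse_whois(text)

    def first(key: str) -> Optional[str]:
        return f.get(key, [None])[0]

    expires = _parse_ts(first("Registry Expiry Date"))
    now = datetime.strptime(today, "%Y-%m-%d")
    days_left = (expires - now).days if expires else None
    return {
        "domain": (first("Domain Name") or "").lower(),
        "registrar": first("Registrar"),
        "created": first("Creation Date"),
        "expires": first("Registry Expiry Date"),
        "name_servers": sorted(ns.lower() for ns in f.get("Name Server", [])),
        "dnssec": first("DNSSEC"),
        "days_to_expiry": days_left,
        "expiring_soon": days_left is not None and days_left <= 30,
    }


if __name__ == "__main__":
    for k, v in domain_summary(SAMPLE_WHOIS, "2025-07-20").items():
        print(f"{k:15} {v}")
```

Feeding the output of `whois <your-domain>` into `domain_summary` gives a quick check that your own registrations are not about to lapse and that the name servers are the ones you expect; the same summary run on a newly registered lookalike domain shows a creation date of days rather than years, a useful signal when triaging phishing reports.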
Practice:
- Use the Shodan search tool from the Kali terminal.
- Read about Shodan’s capabilities and search filters.
- Take a target for investigation and find out what information is available about it on the Internet.
- Create a Word document and record as much information as possible about a company: usernames, passwords, services in use, etc…