The purpose of OSINT is  collecting information as much as possible, without directly interacting to the target!

Note: The methods included here is not a complete OSINT methods

What Hackers Collect?

The information collected by them can be divided in two categories

Business Information

These information is all about the target company. For example

  • What kind business the company is running.
  • What is their activities.
  • Partners and Investors information.
  • Company Departments.
  • Full employee List.
  • Email List.
  • And other non-technical information.

When they have these all basic information, they will start collecting more personal information against every employees for the targeted company. For example below Personal Informations are valuable for a malicious hacker:

  • Nickname
  • Username for online accounts
  • Emails
  • Office/personal phone number
  • Date /place of birth
  • Schools
  • Jobs(Current and past)
  • Home address(past and current)
  • Favorite food, drink, music, color, sports team
  • SSN/Passport Number
  • Mother’s maiden name
  • Family Member names and relationships
  • Negative press about the target
  • Pet names 
  • Hobbies
  • Avatars and profiles photos
  • Place visited in last five years
  • etc

Technical Information

  • OS, and Software Information
  • Most used Software and Their versions
  • Sub-domains
  • IP Address List
  • Network Range
  • Services
  • Anti-Virus Information, etc.

How to find these information?

  • Search Engine
  • Job Posting.
  • Press.
  • Archive.
  • Social Media.
  • Harvesting.

How these info is useful for hackers?

These information can be used in lots of way! For example

  • Creating an effective attack plan.
  • Generating effective username and password.
  • Social Engineering.

Search Engine OSINT

Search engine like Google is a powerful tool to find most of the public information.

Most used Google Dork

Dork Example Description
site site:microsoft.com Show Result from specified site
cache cache:microsoft.com Display cached version
intitle intitle:“Admin Login” Display Result that has this keyword
inurl inurl:index.php Display result if the url has index.hp
intext intext:“CISO” Display those result if body hash CISO
filetype filetype:txt inurl:password Find the specified file type.
-(Operator) site:.microsoft.com -www Exclude keyword from the search result. Useful for subdomain

Some More dorks:

inurl:admin filetype:xls
intitle:"index of" "*.php"
inurl:"*admin | login" | inurl:.php | .asp
intitle:"index of" upload.asp "

Whatever files, information, images is found should be searched using below or similar search engine.

General Search Engines List

Privacy Oriented

These search engine usually does not store your search history, and does not track you.

Have an image? Don’t stop. It could be something. Search more about that image!

People OSINT

After finding company information, hackers, pentester, or red teamer usually will start gathering information for the peoples connected with the company. The best source is LinkedIn and Facebook. But other social media site also might be helpful! From these gathered information a hacker can identify the best target to exploit easily.

Social Media

Always use fake account to connect, and collect data. Social media is one of most important source for OSINT. A hacker can find all employee list, learn more about the victim, be friend and build trust, connect with mutual friend and look for more information. There are so many things can be in social media sites!

Facebook

Twitter

LinkedIn

Go To Company profile and get the list of all employees. There are automated tools can be used too which is mentioned below!

Username Check

Email OSINT

Found an email address? Search for more information against that email.

Password OSINT

Search if the company domain, email has been compromised.

Archive OSINT

Check for previous version of their website. They may have some old information which is useful for a hacker!

  • Wayback Machine
  • URLSCAN
  • Clone a Site: wget --mirror --adjust-extension --page-requisites --convert-links --no-parent

Job Posting

Why look at job posting?

  • May be company revealing too much information about their infrastructure.
  • Another open way make a social engineering attack by sending attachments.

Where to look?

  • Company website career pages.
  • Popular job posting site such as indeed, glassdor, linkedin, etc.
  • Search on country based job posting sites.

Meta Files

When a file is created, automatically some information is stored in the meta data, Such as, Creation date, Location, Username, Information about Software and it’s version used to create the file, etc. A hacker can download the files and use some tools to extract more information such as

exiftool -v -f hello.pdf/doc/png
strings hello.png

Supporting OSINT Tools

Automated tools speed up the OSINT process. There are some good open source tools built-in in Kali Linux and some tools needed to be downloaded from Github. But a hacker does not really lots of automated tools!

Recon-ng(OSINT Framework)

Recon-ng is a reconnaissance framework.

> recon-ng
[recon-ng][default] > workspaces create osint
[recon-ng][osint] > workspaces list

+----------------------------------+
| Workspaces |       Modified      |
+----------------------------------+
| default    | 2022-03-17 17:57:28 |
| osint      | 2022-03-19 05:24:22 |
+----------------------------------+
[recon-ng][default] > marketplace search recon

[recon-ng][default] > marketplace install recon/domains-hosts/netcraft
[*] Module installed: recon/domains-hosts/netcraft
[*] Reloading modules...
[recon-ng][default] > marketplace
Interfaces with the module marketplace

Usage: marketplace <info|install|refresh|remove|search> [...]

[recon-ng][default] > modules
Interfaces with installed modules

Usage: modules <load|reload|search> [...]

[recon-ng][default] > marketplace install recon/domains-contacts/whois_pocs
[*] Module installed: recon/domains-contacts/whois_pocs
[*] Reloading modules...

[recon-ng][default] > modules load recon/domains-contacts/whois_pocs

[recon-ng][default][whois_pocs] > back

[recon-ng][default] > marketplace install ghdb
[*] Module installed: recon/domains-vulnerabilities/ghdb
[*] Reloading modules...

[recon-ng][default] > modules load recon/domains-vulnerabilities/ghdb
[recon-ng][default][ghdb] > info recon/domains-vulnerabilities/ghdb
[recon-ng][default][ghdb] > options set GHDB_WEB_SERVER_DETECTION true
GHDB_WEB_SERVER_DETECTION => true

[recon-ng][default][ghdb] > run

-------------
MICROSOFT.COM
-------------
[*] Searching Google for: site:microsoft.com intitle:"Apache HTTP Server" intitle:"documentation"
[*] Category: Google Dork
[*] Example: https://support.google.com/websearch?p=ws_settings_location&hl=bn
[*] Host: support.google.com
[*] Notes: None
[*] Publish_Date: None
[*] Reference: site:microsoft.com intitle:"Apache HTTP Server" intitle:"documentation"
[*] Status: None
[*] --------------------------------------------------
[*] Category: Google Dork
[*] Example: https://accounts.google.com/ServiceLogin?continue=https://www.google.com/search%3Fq%3Dsite:microsoft.com%2Bintitle:%2522Apache%2BHTTP%2BServer%2522%2Bintitle:%2522documentation%2522%26start%3D0%26num%3D100%26complete%3D0&hl=bn
[*] Host: accounts.google.com
[*] Notes: None
[*] Publish_Date: None
[*] Reference: site:microsoft.com intitle:"Apache HTTP Server" intitle:"documentation"
[*] Status: None
[*] --------------------------------------------------

[recon-ng][default][ghdb] > show hosts

theHarvester(Find Email, Names, etc)

Gathers emails, names,subdomain, ips, and urls from public sources.

theHarvester -d microsoft.com -b all

Some public source require API key. In kali linux the api-keys config file located at /etc/theHarvester/api-keys.yaml

Metagoofil(Find Meta File)

Search for meta files.

proxychains4 metagoofil -d https://github.com -f -t pdf,doc,xls

Exiftool

exiftool -r *.doc | egrep -i "Author|Creator|Email|Producer|Template" | sort -u

Spiderfoot(Automated OSINT)

Opensource OSINT automation tools

Start the web server:

spiderfoot -l 127.0.0.1:1337

Datasploit/Foca(OSINT Automation)

Datasploit

Datasploit is another OSINT automation tool

More details on HackerTarget

Foca

And Foca is a windows OSINT tool to analyze meta data

Download: From Github

Amass(DNS Enumeration)

An information gathering tool from owasp

amass enum -d microsoft.com -ip -dir microsoft -src
amass intel -d redtm.com,microsoft.com -ip -list

Email2phonenumber(Email to Phone Number)

If we have email address, we can try to find the phone number

git clone https://github.com/martinvigo/email2phonenumber.git

#Scrape websites for phone number digits

email2phonenumber scrape -e [email protected]

#Generate a dictionary of valid phone numbers based on a phone number mask

python3 email2phonenumber.py generate -m 555XXX1234 -o /tmp/dic.txt

#Find target's phone number by resetting passwords on websites that do not alert the target using a phone number mask and proxies to avoid captchas and other abuse protections

email2phonenumber bruteforce -m 555XXX1234 -e [email protected] -p /tmp/proxies.txt -q

Tutorial: Youtube

CrossLinked & InSpy(Find Employee from Linkedin)

Find employee names from linkedin and create possible email address.

CrossLinked

Installation:

git clone https://github.com/m8r0wn/crosslinked
cd crosslinked
pip3 install -r requirements.txt

Usage:

python3 crosslinked.py -f '{first}.{last}@domain.com' company_name
python3 crosslinked.py -f 'domain\{f}{last}' -t 45 -j 1 company_name

InSpy

Note: This tool coded in Python2

Installation:

git clone https://github.com/leapsecurity/InSpy.git
cd InSpy
pip install -r requirements.txt
python2 InSpy.py --domain microsoft.com --email [email protected]

Maltego(Commercial)

Maltego is a good OSINT tool but unfortunately, It is not free and the price also not for everyone. Look like they are targeting Enterprise customers. 

More details on their website!

Sherlock(Find social media username)

Sherlock is opensource tool to find one or multiple username from dozens of social media site.

> sherlock redtm
> sherlock redtm redtm1 redtm2

Another Wonderful OSINT Framework

There is a wonderful framework, that can be found at: https://osintframework.com/