The purpose of OSINT is collecting information as much as possible, without directly interacting to the target!
Note: The methods included here is not a complete OSINT methods
What Hackers Collect?
The information collected by them can be divided in two categories
Business Information
These information is all about the target company. For example
- What kind business the company is running.
- What is their activities.
- Partners and Investors information.
- Company Departments.
- Full employee List.
- Email List.
- And other non-technical information.
When they have these all basic information, they will start collecting more personal information against every employees for the targeted company. For example below Personal Informations are valuable for a malicious hacker:
- Nickname
- Username for online accounts
- Emails
- Office/personal phone number
- Date /place of birth
- Schools
- Jobs(Current and past)
- Home address(past and current)
- Favorite food, drink, music, color, sports team
- SSN/Passport Number
- Mother’s maiden name
- Family Member names and relationships
- Negative press about the target
- Pet names
- Hobbies
- Avatars and profiles photos
- Place visited in last five years
- etc
Technical Information
- OS, and Software Information
- Most used Software and Their versions
- Sub-domains
- IP Address List
- Network Range
- Services
- Anti-Virus Information, etc.
How to find these information?
- Search Engine
- Job Posting.
- Press.
- Archive.
- Social Media.
- Harvesting.
How these info is useful for hackers?
These information can be used in lots of way! For example
- Creating an effective attack plan.
- Generating effective username and password.
- Social Engineering.
Search Engine OSINT
Search engine like Google is a powerful tool to find most of the public information.
Most used Google Dork
| Dork | Example | Description |
|---|---|---|
| site | site:microsoft.com | Show Result from specified site |
| cache | cache:microsoft.com | Display cached version |
| intitle | intitle:“Admin Login” | Display Result that has this keyword |
| inurl | inurl:index.php | Display result if the url has index.hp |
| intext | intext:“CISO” | Display those result if body hash CISO |
| filetype | filetype:txt inurl:password | Find the specified file type. |
| -(Operator) | site:.microsoft.com -www | Exclude keyword from the search result. Useful for subdomain |
Some More dorks:
inurl:admin filetype:xls
intitle:"index of" "*.php"
inurl:"*admin | login" | inurl:.php | .asp
intitle:"index of" upload.asp "
Whatever files, information, images is found should be searched using below or similar search engine.
General Search Engines List
- Google,
- Bing
- Yahoo
- AOL
- Yandex(Russian)
- Baidu(China)
- Search.ch(Switzerland)
- Pipilika(Bangladesh)
- Goo(Japan)
Privacy Oriented
These search engine usually does not store your search history, and does not track you.
Image Search
Have an image? Don’t stop. It could be something. Search more about that image!
- Google Image Search
- Yahoo Image Search
- Bing Image Search
- IMGUR
- Google Reverse Search
- Bing Reverse Search
Video Search
People OSINT
After finding company information, hackers, pentester, or red teamer usually will start gathering information for the peoples connected with the company. The best source is LinkedIn and Facebook. But other social media site also might be helpful! From these gathered information a hacker can identify the best target to exploit easily.
General People Search
Social Media
Always use fake account to connect, and collect data. Social media is one of most important source for OSINT. A hacker can find all employee list, learn more about the victim, be friend and build trust, connect with mutual friend and look for more information. There are so many things can be in social media sites!
- https://lookup-id.com/
- https://findmyfbid.com/
- https://www.facelive.org/
- Dorks:
site:facebook.com inurl:first name inurl:last name
- https://twitter.com/search-home
- https://twitter.com/search-advanced
- https://tweetdeck.twitter.com/
- https://www.allmytweets.net/
Go To Company profile and get the list of all employees. There are automated tools can be used too which is mentioned below!
Username Check
Email OSINT
Found an email address? Search for more information against that email.
- https://hunter.io/email-verifier
- https://centralops.net/co/emaildossier.aspx
- https://www.email-format.com/
Password OSINT
Search if the company domain, email has been compromised.
Archive OSINT
Check for previous version of their website. They may have some old information which is useful for a hacker!
- Wayback Machine
- URLSCAN
- Clone a Site:
wget --mirror --adjust-extension --page-requisites --convert-links --no-parent
Job Posting
Why look at job posting?
- May be company revealing too much information about their infrastructure.
- Another open way make a social engineering attack by sending attachments.
Where to look?
- Company website career pages.
- Popular job posting site such as indeed, glassdor, linkedin, etc.
- Search on country based job posting sites.
Meta Files
When a file is created, automatically some information is stored in the meta data, Such as, Creation date, Location, Username, Information about Software and it’s version used to create the file, etc. A hacker can download the files and use some tools to extract more information such as
exiftool -v -f hello.pdf/doc/png
strings hello.png
Supporting OSINT Tools
Automated tools speed up the OSINT process. There are some good open source tools built-in in Kali Linux and some tools needed to be downloaded from Github. But a hacker does not really lots of automated tools!
Recon-ng(OSINT Framework)
Recon-ng is a reconnaissance framework.
> recon-ng
[recon-ng][default] > workspaces create osint
[recon-ng][osint] > workspaces list
+----------------------------------+
| Workspaces | Modified |
+----------------------------------+
| default | 2022-03-17 17:57:28 |
| osint | 2022-03-19 05:24:22 |
+----------------------------------+
[recon-ng][default] > marketplace search recon
[recon-ng][default] > marketplace install recon/domains-hosts/netcraft
[*] Module installed: recon/domains-hosts/netcraft
[*] Reloading modules...
[recon-ng][default] > marketplace
Interfaces with the module marketplace
Usage: marketplace <info|install|refresh|remove|search> [...]
[recon-ng][default] > modules
Interfaces with installed modules
Usage: modules <load|reload|search> [...]
[recon-ng][default] > marketplace install recon/domains-contacts/whois_pocs
[*] Module installed: recon/domains-contacts/whois_pocs
[*] Reloading modules...
[recon-ng][default] > modules load recon/domains-contacts/whois_pocs
[recon-ng][default][whois_pocs] > back
[recon-ng][default] > marketplace install ghdb
[*] Module installed: recon/domains-vulnerabilities/ghdb
[*] Reloading modules...
[recon-ng][default] > modules load recon/domains-vulnerabilities/ghdb
[recon-ng][default][ghdb] > info recon/domains-vulnerabilities/ghdb
[recon-ng][default][ghdb] > options set GHDB_WEB_SERVER_DETECTION true
GHDB_WEB_SERVER_DETECTION => true
[recon-ng][default][ghdb] > run
-------------
MICROSOFT.COM
-------------
[*] Searching Google for: site:microsoft.com intitle:"Apache HTTP Server" intitle:"documentation"
[*] Category: Google Dork
[*] Example: https://support.google.com/websearch?p=ws_settings_location&hl=bn
[*] Host: support.google.com
[*] Notes: None
[*] Publish_Date: None
[*] Reference: site:microsoft.com intitle:"Apache HTTP Server" intitle:"documentation"
[*] Status: None
[*] --------------------------------------------------
[*] Category: Google Dork
[*] Example: https://accounts.google.com/ServiceLogin?continue=https://www.google.com/search%3Fq%3Dsite:microsoft.com%2Bintitle:%2522Apache%2BHTTP%2BServer%2522%2Bintitle:%2522documentation%2522%26start%3D0%26num%3D100%26complete%3D0&hl=bn
[*] Host: accounts.google.com
[*] Notes: None
[*] Publish_Date: None
[*] Reference: site:microsoft.com intitle:"Apache HTTP Server" intitle:"documentation"
[*] Status: None
[*] --------------------------------------------------
[recon-ng][default][ghdb] > show hosts
theHarvester(Find Email, Names, etc)
Gathers emails, names,subdomain, ips, and urls from public sources.
theHarvester -d microsoft.com -b all
Some public source require API key. In kali linux the api-keys config file located at /etc/theHarvester/api-keys.yaml
Metagoofil(Find Meta File)
Search for meta files.
proxychains4 metagoofil -d https://github.com -f -t pdf,doc,xls
Exiftool
exiftool -r *.doc | egrep -i "Author|Creator|Email|Producer|Template" | sort -u
Spiderfoot(Automated OSINT)
Opensource OSINT automation tools
Start the web server:
spiderfoot -l 127.0.0.1:1337
Datasploit/Foca(OSINT Automation)
Datasploit
Datasploit is another OSINT automation tool
More details on HackerTarget
Foca
And Foca is a windows OSINT tool to analyze meta data
Download: From Github
Amass(DNS Enumeration)
An information gathering tool from owasp
amass enum -d microsoft.com -ip -dir microsoft -src
amass intel -d redtm.com,microsoft.com -ip -list
Email2phonenumber(Email to Phone Number)
If we have email address, we can try to find the phone number
git clone https://github.com/martinvigo/email2phonenumber.git
#Scrape websites for phone number digits
email2phonenumber scrape -e [email protected]
#Generate a dictionary of valid phone numbers based on a phone number mask
python3 email2phonenumber.py generate -m 555XXX1234 -o /tmp/dic.txt
#Find target's phone number by resetting passwords on websites that do not alert the target using a phone number mask and proxies to avoid captchas and other abuse protections
email2phonenumber bruteforce -m 555XXX1234 -e [email protected] -p /tmp/proxies.txt -q
Tutorial: Youtube
CrossLinked & InSpy(Find Employee from Linkedin)
Find employee names from linkedin and create possible email address.
CrossLinked
Installation:
git clone https://github.com/m8r0wn/crosslinked
cd crosslinked
pip3 install -r requirements.txt
Usage:
python3 crosslinked.py -f '{first}.{last}@domain.com' company_name
python3 crosslinked.py -f 'domain\{f}{last}' -t 45 -j 1 company_name
InSpy
Note: This tool coded in Python2
Installation:
git clone https://github.com/leapsecurity/InSpy.git
cd InSpy
pip install -r requirements.txt
python2 InSpy.py --domain microsoft.com --email [email protected]
Maltego(Commercial)
Maltego is a good OSINT tool but unfortunately, It is not free and the price also not for everyone. Look like they are targeting Enterprise customers.
More details on their website!
Sherlock(Find social media username)
Sherlock is opensource tool to find one or multiple username from dozens of social media site.
> sherlock redtm
> sherlock redtm redtm1 redtm2
Another Wonderful OSINT Framework
There is a wonderful framework, that can be found at: https://osintframework.com/