What is OSINT and How Pentesters Can Benefit From It?

OSINT is an acronym for open source intelligence. Think of it as a process of collecting data or information on people, organizations, or countries. The term open-source means that the sources from which data is collected are available to the public, meaning anybody could obtain this data if they wanted to.

Nowadays, most open-sourced data is on the internet, which means it can be easily utilized or exploited. That is why companies and businesses invest more and more resources into cybersecurity. They want to know what kind of data about them exists online, and what data they can harvest about their competitors.

OSINT may have a bad reputation because we associate it with hacking and data leaks. But at a simpler level, we all use OSINT in everyday life when we need to find specific information or validate facts. For example, students can use OSINT when writing their course papers.

Here are five basic examples of what they can do using OSINT:

  • Check what else a site or social media page posts, especially on political topics; advanced search and graph-search operators make this more efficient.
  • Check a course paper for plagiarism using free tools.
  • Check photos or images with reverse image search tools to see who posted them first.
  • Find credible resources.

As open-source intelligence became more accessible on the internet, companies began finding different ways of utilizing it. Below, we list the kinds of information that can be found in open sources and suggest several apps that can ease the pain of having to find it manually.


What Can Be Done Using OSINT

Here are a few things your company can do using OSINT technology:

  • Collect information on employees such as full names, job titles, emails, activity on different internet sites and forums, social networks used by the user (or company), and so on;
  • Reveal lots of information about a single person with data collection tools like Pipl;
  • Browse through old versions of websites using services like Wayback Machine;
  • Bulk search through photo and video content from popular sites like Flickr, Pinterest, Google Photos, etc.;
  • Use an automated version of OSINT like Spiderfoot or Spyse to gather data in bulk;
  • Use a specially designed OSINT browser, with services like (you guessed it) OSINT Browser;
  • Explore DNS services, domains, subdomains, IP addresses, open ports, etc., to gain enriched data on a company's infrastructure and its network vulnerabilities.

Best OSINT Tools Pentesters Can Use

  1. Spyse

Spyse is an online search engine that gathers data from open sources. The best part is that it collects data in bulk and sorts it, making it easier to use and more accessible. You can use Spyse to browse server info and the technologies running on a server, analyze networks, check connections between entities, browse the subdomains of a domain, and more. This is an excellent tool for pentesters and security experts, as it helps you support your company's network security and research competitors.

  2. Maltego

Maltego is another useful app for gathering lots of open-source data and letting you see connections between the data. You can use Maltego to easily make connections between organizations, domains, documents, email structures, etc. Maltego parses loads of information from the upper layers of the internet (in OSI-model terms) and presents it in clever graphs that are fantastic to work with.

  3. theHarvester

When it comes to collecting emails and domains for a specific target, theHarvester gets the prize. The tool ships with the Kali Linux operating system, and pentesters use it during the early stages of a penetration test. With it you can gather email addresses, usernames, subdomains, IPs, and URLs from various public data sources. The authors refer to their data gathering as 'harvesting', which is pretty cool, and they will soon implement Spyse's API to broaden the tool's functionality.

  4. Recon-ng

Another powerful tool for collecting intelligence on targets is Recon-ng, which is also part of the Kali Linux family tree. Like Metasploit, Recon-ng takes a modular approach: you run different modules against a single target to extract the information you need. Just add the domains to a workspace and work through the modules.

  5. Google Dorks

Although Google is a search engine most of us use to get cooking tips or define a strange word, it is also the largest and most powerful search engine in the world. Google crawls and indexes billions of pages every day and, in doing so, gathers all kinds of useful intelligence. A technique often used in the security world is Google Dorking, or Google hacking: using Google's advanced search operators to refine search results and surface specific information.

Here are some examples of Google Dorks:

  1. site:example.com filetype:pdf

This query shows all PDF files indexed on example.com. The filetype operator takes one extension per query, so repeat the query with xml, docx, or other extensions to cover other document types.

  2. site:example.com intext:"@example.com"

This query shows pages on example.com that contain email addresses ending with "@example.com".

  3. inurl:/wp-includes/certificates/

Finds certificate files exposed under the WordPress includes directory on websites.

  4. inurl:q=user/password

Finds Drupal sites by their password-reset URL pattern.
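The email and subdomain harvesting that theHarvester performs, and the dork queries above, are easy to turn into an exposure audit of your own domain. The following script is an added example, not code from the original article or from any of the tools it names: it builds the dork queries from templates for a domain you control, then runs a scope-aware harvester over search-result snippets. The domain, the templates, and the result snippets are all constructed for the example, so it runs offline; in real use you would feed `harvest()` the hits a search engine actually returned for your queries.

```python
"""Audit what an organisation exposes through search-indexed pages.

Added example (not part of the original article). ORG_DOMAIN, DORK_TEMPLATES
and SAMPLE_RESULTS are constructed stand-ins; no network access is made.
"""
import re

ORG_DOMAIN = "example.com"  # constructed: the domain whose exposure we audit

# Query templates in the dork syntax shown above; {d} is replaced by the domain.
# Google's filetype operator takes a single extension, hence one query per type.
DORK_TEMPLATES = [
    "site:{d} filetype:pdf",
    "site:{d} filetype:xml",
    'site:{d} intext:"@{d}"',
    "site:{d} inurl:/wp-includes/certificates/",
]

# Constructed (url, snippet) pairs standing in for search-engine results.
SAMPLE_RESULTS = [
    ("https://www.example.com/about", "Contact alice@example.com or bob@example.com"),
    ("https://files.example.com/report.pdf", "Annual report. Press: press@example.com"),
    ("https://dev.example.com/wp-includes/certificates/ca-bundle.crt", "-----BEGIN CERTIFICATE-----"),
    ("https://partner.example.org/page", "Mail carol@example.org"),      # other org: must be ignored
    ("https://www.example.com/staff", "alice@example.com leads the team"),  # duplicate email
]

# Email regex captures the domain part so results can be scope-checked.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
HOST_RE = re.compile(r"^https?://([^/:?#]+)")
DOC_EXTENSIONS = (".pdf", ".xml", ".docx", ".crt", ".pem")


def build_dorks(domain):
    """Expand every template for one domain."""
    return [t.format(d=domain) for t in DORK_TEMPLATES]


def in_scope(host, domain):
    """True for the domain itself and its subdomains, not for look-alikes."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def harvest(results, domain):
    """Collect in-scope emails, subdomains and exposed document URLs.

    Out-of-scope hosts are skipped entirely so a partner's or look-alike
    domain never pollutes the picture of your own exposure.
    """
    emails, subdomains, files = set(), set(), set()
    for url, snippet in results:
        m = HOST_RE.match(url)
        if not m or not in_scope(m.group(1), domain):
            continue
        subdomains.add(m.group(1).lower())
        if url.lower().endswith(DOC_EXTENSIONS):
            files.add(url)
        for em in EMAIL_RE.finditer(snippet):
            if in_scope(em.group(1), domain):
                emails.add(em.group(0).lower())
    return {
        "emails": sorted(emails),
        "subdomains": sorted(subdomains),
        "files": sorted(files),
    }


if __name__ == "__main__":
    for q in build_dorks(ORG_DOMAIN):
        print("query:", q)
    report = harvest(SAMPLE_RESULTS, ORG_DOMAIN)
    for kind, items in report.items():
        print(f"{kind} ({len(items)}):")
        for item in items:
            print("   ", item)
```

The scope check is the part worth keeping: `in_scope()` accepts `dev.example.com` but rejects `notexample.com` and `example.org`, so the report only ever lists what belongs to the domain being audited. Each address, host, and document URL in the output is something an outsider could find with the same queries, which is exactly the list a defender wants to review and shrink.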
