Open-source Intelligence(OSINT) is the first step when it comes to red teaming. In this post, I will provide some reference and technique that is commonly used by penetration tester and red teamer for passive information gathering.

Search Engine OSINT

Search engines like Google is a powerful tool to find most of the publicly available information.

Dork	Example	Description
site	site:microsoft.com	Display those results if the body has `CISO`
cache	cache:microsoft.com	Display cached version
intitle	intitle:”Admin Login”	Display Result that has this keyword
inurl	inurl:index.php	Display the result if the URL has index.hp
intext	intext:”CISO”	Exclude the keyword from the search result. Useful for subdomain
filetype	filetype:txt inurl:password	Find the specified file type.
-(Operator)	site:.microsoft.com -www	Exclude keyword from the search result. Useful for subdomain

General Search Engines List

Google,
Google Advanced Search
Google Hacking Database
Bing
Yahoo
AOL
Yandex(Russian)
Baidu(China)
Search.ch(Switzerland)
Pipilika(Bangladesh)
Goo(Japan)

Privacy Oriented

These search engine usually does not store your search history and does not track you.

Image Search

Have an image? It could be something. Search more about that image!

Video Search

People OSINT

Here peoples mean, employees, and relative peoples of the target. To gather information about peoples the best source is LinkedIn and Facebook. You should try Other social media sites too!

General People Search

Social Media

Facebook

https://lookup-id.com/
https://findmyfbid.com/
https://www.facelive.org/
Dorks: site:facebook.com inurl:first name inurl:last name

Twitter

Go To the Company profile and get the list of all employees. There are automated tools that can be used too which are mentioned below!

Find ID

Username Check

Email OSINT

Found an email address? Search for more information against that email.

Password OSINT

Search if the company domain and email have been compromised.

Archive OSINT

Check for the previous version of their website. They may have some old information that is useful for a hacker!

Wayback Machine
URLSCAN
Clone a Site: wget --mirror --adjust-extension --page-requisites --convert-links --no-parent

Job Posting

Why look at job postings?

May be company revealing too much information about its infrastructure.
Another open way makes a social engineering attack by sending attachments.

Where to look?

Company website career pages.
Popular job posting sites such as indeed, Glassdoor, LinkedIn, etc.
Search on country-based job posting sites.

Meta Files

When a file is created, automatically some information is stored as metadata, Such as Creation date, Location, Username, Information about Software, and its version.

exiftool -v -f hello.pdf/doc/png
strings hello.png

Supporting OSINT Tools

Automated tools speed up the OSINT process. There is some good open-source tools built-in in Kali Linux and some tools needed to be downloaded from Github. But a hacker does not really have lots of automated tools!

Recon-ng(OSINT Framework)

Recon-ng is a reconnaissance framework.

> recon-ng
[recon-ng][default] > workspaces create osint
[recon-ng][osint] > workspaces list

+----------------------------------+
| Workspaces |       Modified      |
+----------------------------------+
| default    | 2022-03-17 17:57:28 |
| osint      | 2022-03-19 05:24:22 |
+----------------------------------+
[recon-ng][default] > marketplace search recon

[recon-ng][default] > marketplace install recon/domains-hosts/netcraft
[*] Module installed: recon/domains-hosts/netcraft
[*] Reloading modules...
[recon-ng][default] > marketplace
Interfaces with the module marketplace

Usage: marketplace <info|install|refresh|remove|search> [...]

[recon-ng][default] > modules
Interfaces with installed modules

Usage: modules <load|reload|search> [...]

[recon-ng][default] > marketplace install recon/domains-contacts/whois_pocs
[*] Module installed: recon/domains-contacts/whois_pocs
[*] Reloading modules...

[recon-ng][default] > modules load recon/domains-contacts/whois_pocs

[recon-ng][default][whois_pocs] > back

[recon-ng][default] > marketplace install ghdb
[*] Module installed: recon/domains-vulnerabilities/ghdb
[*] Reloading modules...

[recon-ng][default] > modules load recon/domains-vulnerabilities/ghdb
[recon-ng][default][ghdb] > info recon/domains-vulnerabilities/ghdb
[recon-ng][default][ghdb] > options set GHDB_WEB_SERVER_DETECTION true
GHDB_WEB_SERVER_DETECTION => true

[recon-ng][default][ghdb] > run

-------------
MICROSOFT.COM
-------------
[*] Searching Google for: site:microsoft.com intitle:"Apache HTTP Server" intitle:"documentation"
[*] Category: Google Dork
[*] Example: https://support.google.com/websearch?p=ws_settings_location&hl=bn
[*] Host: support.google.com
[*] Notes: None
[*] Publish_Date: None
[*] Reference: site:microsoft.com intitle:"Apache HTTP Server" intitle:"documentation"
[*] Status: None
[*] --------------------------------------------------
[*] Category: Google Dork
[*] Example: https://accounts.google.com/ServiceLogin?continue=https://www.google.com/search%3Fq%3Dsite:microsoft.com%2Bintitle:%2522Apache%2BHTTP%2BServer%2522%2Bintitle:%2522documentation%2522%26start%3D0%26num%3D100%26complete%3D0&hl=bn
[*] Host: accounts.google.com
[*] Notes: None
[*] Publish_Date: None
[*] Reference: site:microsoft.com intitle:"Apache HTTP Server" intitle:"documentation"
[*] Status: None
[*] --------------------------------------------------

[recon-ng][default][ghdb] > show hosts

theHarvester(Find Email, Names, etc)

Gathers emails, names, subdomains, IPs, and URLs from public sources.

theHarvester -d microsoft.com -b all

Some public sources require an API key. In kali Linux the api-keys config file is located at /etc/theHarvester/api-keys.yaml

Metagoofil(Find Meta File)

Search for meta files.

proxychains4 metagoofil -d https://github.com -f -t pdf,doc,xls

Exiftool

exiftool -r *.doc | egrep -i "Author|Creator|Email|Producer|Template" | sort -u

Spiderfoot(Automated OSINT)

Opensource OSINT automation tools

Start the web server:

spiderfoot -l 127.0.0.1:1337

Datasploit/Foca(OSINT Automation)

Datasploit

Datasploit is another OSINT automation tool

More details on HackerTarget

Foca

And Foca is a windows OSINT tool to analyze metadata

Download: From Github

Amass(DNS Enumeration)

An information-gathering tool from owasp

amass enum -d microsoft.com -ip -dir microsoft -src
amass intel -d rednode.com,microsoft.com -ip -list

Email2phonenumber(Email to Phone Number)

If we have an email address, we can try to find the phone number

git clone https://github.com/martinvigo/email2phonenumber.git

#Scrape websites for phone number digits

email2phonenumber scrape -e [email protected]

#Generate a dictionary of valid phone numbers based on a phone number mask

python3 email2phonenumber.py generate -m 555XXX1234 -o /tmp/dic.txt

#Find target's phone number by resetting passwords on websites that do not alert the target using a phone number mask and proxies to avoid captchas and other abuse protections

email2phonenumber bruteforce -m 555XXX1234 -e [email protected] -p /tmp/proxies.txt -q

Tutorial: Youtube

CrossLinked & InSpy(Find Employee from Linkedin)

Find employees on LinkedIn and create a possible email addresses.

CrossLinked

Installation:

git clone https://github.com/m8r0wn/crosslinked
cd crosslinked
pip3 install -r requirements.txt

Usage:

python3 crosslinked.py -f '{first}.{last}@domain.com' company_name
python3 crosslinked.py -f 'domain\{f}{last}' -t 45 -j 1 company_name

InSpy

Note: This tool coded in Python2