Open-source Intelligence (OSINT) is the first step in red teaming. In this post, I will provide some references and techniques commonly used by penetration testers and red teamers for passive information gathering.
Search Engine OSINT
Search engines like Google are powerful tools for finding most publicly available information.
Dork | Example | Description |
---|---|---|
site | site:microsoft.com | Display only results from the given domain |
cache | cache:microsoft.com | Display the cached version of the page |
intitle | intitle:"Admin Login" | Display results whose title contains the keyword |
inurl | inurl:index.php | Display results whose URL contains index.php |
intext | intext:"CISO" | Display results whose body contains the keyword |
filetype | filetype:txt inurl:password | Find the specified file type |
-(Operator) | site:.microsoft.com -www | Exclude a keyword from the search results. Useful for subdomains |
General Search Engines List
- Google
- Google Advanced Search
- Google Hacking Database
- Bing
- Yahoo
- AOL
- Yandex (Russia)
- Baidu (China)
- Search.ch (Switzerland)
- Pipilika (Bangladesh)
- Goo (Japan)
Privacy Oriented
These search engines usually do not store your search history and do not track you.
Image Search
Have an image? It may hold a lead. Search for more about that image, including a reverse image search!
- Google Image Search
- Yahoo Image Search
- Bing Image Search
- IMGUR
- Google Reverse Search
- Bing Reverse Search
Video Search
People OSINT
Here, people means the target's employees and the people related to them. The best sources for gathering information about people are LinkedIn and Facebook, but you should try other social media sites too!
General People Search
Social Media
- https://lookup-id.com/
- https://findmyfbid.com/
- https://www.facelive.org/
- Dorks:
site:facebook.com inurl:<first name> inurl:<last name>
- https://twitter.com/search-home
- https://twitter.com/search-advanced
- https://tweetdeck.twitter.com/
- https://www.allmytweets.net/
Go to the company profile and get the list of all employees. Automated tools that can do this are mentioned below!
Username Check
Email OSINT
Found an email address? Search for more information against that email.
- https://hunter.io/email-verifier
- https://centralops.net/co/emaildossier.aspx
- https://www.email-format.com/
Password OSINT
Search whether the company domain and its email addresses have been compromised.
Archive OSINT
Check previous versions of the website. They may contain old information that is useful to a hacker!
- Wayback Machine
- URLSCAN
- Clone a site (the URL is a placeholder):
wget --mirror --adjust-extension --page-requisites --convert-links --no-parent https://example.com/
Job Posting
Why look at job postings?
- The company may be revealing too much information about its infrastructure.
- It also opens another way to carry out a social engineering attack by sending attachments.
Where to look?
- Company website career pages.
- Popular job posting sites such as Indeed, Glassdoor, LinkedIn, etc.
- Search on country-based job posting sites.
Meta Files
When a file is created, some information is automatically stored as metadata, such as the creation date, location, username, and the software used and its version.
exiftool -v -f hello.pdf    # works the same on .doc and .png files
strings hello.png
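As an added example (not from the original post), a stdlib-only Python script that does for PNG what the exiftool and strings commands above show: it walks the chunk structure, lists the textual metadata (tEXt, zTXt, iTXt) an analyst would find, and writes a scrubbed copy with those chunks removed, which is the check to run over images before publishing them. The sample image at the bottom is constructed inline.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}  # the chunks that carry free-text metadata

def pack_chunk(ctype, payload):  # length, type, payload, CRC over type+payload
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def iter_chunks(data):  # yield (type, payload); reject a file whose CRCs do not match
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        if pack_chunk(ctype, payload) != data[pos:pos + 12 + length]:
            raise ValueError("bad length or CRC in %r chunk" % ctype)
        yield ctype, payload
        pos += 12 + length

def list_metadata(data):
    """Return {keyword: text} for every tEXt, zTXt and iTXt chunk in the PNG."""
    found = {}
    for ctype, payload in iter_chunks(data):
        if ctype in TEXT_CHUNKS:
            key, _, rest = payload.partition(b"\x00")
            if ctype == b"tEXt":
                text = rest
            elif ctype == b"zTXt":  # one byte compression method, then a zlib stream
                text = zlib.decompress(rest[1:])
            else:  # iTXt: flag, method, language tag\0, translated keyword\0, text
                body = rest[2:].split(b"\x00", 2)[2]
                text = zlib.decompress(body) if rest[0] == 1 else body
            found[key.decode("latin-1")] = text.decode("utf-8" if ctype == b"iTXt" else "latin-1", "replace")
    return found

def strip_metadata(data):
    """Return a copy of the PNG with every textual chunk dropped; pixel data is untouched."""
    out = bytearray(PNG_SIG)
    for ctype, payload in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            out += pack_chunk(ctype, payload)
    return bytes(out)

# Constructed sample: a 1x1 greyscale PNG carrying the kind of fields exiftool would report
SAMPLE_PNG = PNG_SIG + b"".join(pack_chunk(t, p) for t, p in [
    (b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)),
    (b"tEXt", b"Author\x00jdoe"), (b"zTXt", b"Software\x00\x00" + zlib.compress(b"GIMP 2.10")),
    (b"IDAT", zlib.compress(b"\x00\x80")), (b"IEND", b"")])
```

Call list_metadata(open(path, "rb").read()) on an image before it goes public and write strip_metadata(...) back out; the CRC check makes the walker refuse a truncated or tampered file instead of guessing.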
Supporting OSINT Tools
Automated tools speed up the OSINT process. There are some good open-source tools built into Kali Linux, and some need to be downloaded from GitHub. But a hacker does not really have to rely on lots of automated tools!
Recon-ng (OSINT Framework)
Recon-ng is a reconnaissance framework.
> recon-ng
[recon-ng][default] > workspaces create osint
[recon-ng][osint] > workspaces list
+------------+---------------------+
| Workspaces | Modified            |
+------------+---------------------+
| default    | 2022-03-17 17:57:28 |
| osint      | 2022-03-19 05:24:22 |
+------------+---------------------+
[recon-ng][default] > marketplace search recon
[recon-ng][default] > marketplace install recon/domains-hosts/netcraft
[*] Module installed: recon/domains-hosts/netcraft
[*] Reloading modules...
[recon-ng][default] > marketplace
Interfaces with the module marketplace
Usage: marketplace <info|install|refresh|remove|search> [...]
[recon-ng][default] > modules
Interfaces with installed modules
Usage: modules <load|reload|search> [...]
[recon-ng][default] > marketplace install recon/domains-contacts/whois_pocs
[*] Module installed: recon/domains-contacts/whois_pocs
[*] Reloading modules...
[recon-ng][default] > modules load recon/domains-contacts/whois_pocs
[recon-ng][default][whois_pocs] > back
[recon-ng][default] > marketplace install ghdb
[*] Module installed: recon/domains-vulnerabilities/ghdb
[*] Reloading modules...
[recon-ng][default] > modules load recon/domains-vulnerabilities/ghdb
[recon-ng][default][ghdb] > info recon/domains-vulnerabilities/ghdb
[recon-ng][default][ghdb] > options set GHDB_WEB_SERVER_DETECTION true
GHDB_WEB_SERVER_DETECTION => true
[recon-ng][default][ghdb] > run
-------------
MICROSOFT.COM
-------------
[*] Searching Google for: site:microsoft.com intitle:"Apache HTTP Server" intitle:"documentation"
[*] Category: Google Dork
[*] Example: https://support.google.com/websearch?p=ws_settings_location&hl=bn
[*] Host: support.google.com
[*] Notes: None
[*] Publish_Date: None
[*] Reference: site:microsoft.com intitle:"Apache HTTP Server" intitle:"documentation"
[*] Status: None
[*] --------------------------------------------------
[*] Category: Google Dork
[*] Example: https://accounts.google.com/ServiceLogin?continue=https://www.google.com/search%3Fq%3Dsite:microsoft.com%2Bintitle:%2522Apache%2BHTTP%2BServer%2522%2Bintitle:%2522documentation%2522%26start%3D0%26num%3D100%26complete%3D0&hl=bn
[*] Host: accounts.google.com
[*] Notes: None
[*] Publish_Date: None
[*] Reference: site:microsoft.com intitle:"Apache HTTP Server" intitle:"documentation"
[*] Status: None
[*] --------------------------------------------------
[recon-ng][default][ghdb] > show hosts
theHarvester (Find Emails, Names, etc.)
Gathers emails, names, subdomains, IPs, and URLs from public sources.
theHarvester -d microsoft.com -b all
Some public sources require an API key. In Kali Linux, the API keys config file is located at /etc/theHarvester/api-keys.yaml
Metagoofil (Find Meta Files)
Search for files with metadata on a domain (-d takes a bare domain, not a URL).
proxychains4 metagoofil -d github.com -f -t pdf,doc,xls
Exiftool
exiftool -r *.doc | egrep -i "Author|Creator|Email|Producer|Template" | sort -u
Spiderfoot (Automated OSINT)
Open-source OSINT automation tool.
Start the web server:
spiderfoot -l 127.0.0.1:1337
Datasploit/Foca (OSINT Automation)
Datasploit
Datasploit is another OSINT automation tool.
More details on HackerTarget
Foca
Foca is a Windows OSINT tool for analyzing metadata.
Download: From Github
Amass (DNS Enumeration)
An information-gathering tool from OWASP.
amass enum -d microsoft.com -ip -dir microsoft -src
amass intel -d rednode.com,microsoft.com -ip -list
Email2phonenumber (Email to Phone Number)
If we have an email address, we can try to find the phone number.
git clone https://github.com/martinvigo/email2phonenumber.git
cd email2phonenumber
# Scrape websites for phone number digits (target@email.com is a placeholder address)
python3 email2phonenumber.py scrape -e target@email.com
# Generate a dictionary of valid phone numbers based on a phone number mask
python3 email2phonenumber.py generate -m 555XXX1234 -o /tmp/dic.txt
# Find the target's phone number by resetting passwords on websites that do not alert the target, using a phone number mask and proxies to avoid captchas and other abuse protections
python3 email2phonenumber.py bruteforce -m 555XXX1234 -e target@email.com -p /tmp/proxies.txt -q
Tutorial: YouTube
CrossLinked & InSpy (Find Employees on LinkedIn)
Find employees on LinkedIn and generate possible email addresses from their names.
CrossLinked
Installation:
git clone https://github.com/m8r0wn/crosslinked
cd crosslinked
pip3 install -r requirements.txt
Usage:
python3 crosslinked.py -f '{first}.{last}@domain.com' company_name
python3 crosslinked.py -f 'domain\{f}{last}' -t 45 -j 1 company_name
InSpy
Note: This tool is written in Python 2.
Installation:
git clone https://github.com/leapsecurity/InSpy.git
cd InSpy
pip install -r requirements.txt
# --email takes the address pattern to build from names, e.g. first.last@domain
python2 InSpy.py --domain microsoft.com --email first.last@microsoft.com
Maltego (Commercial)
Maltego is a good OSINT tool, but unfortunately it is not free, and the price is not for everyone.
More details on their website!
Sherlock (Find Social Media Usernames)
Sherlock is an open-source tool to find one or multiple usernames from dozens of social media sites.
> sherlock redtm
> sherlock redtm redtm1 redtm2