What is OSINT (Passive recon phase)?
Open Source Intelligence, or "OSINT," was defined by the Department of Defense (DoD) as “produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement.” This process is also commonly referred to as “Digital Footprinting.”
OSINT sources can be divided up into six different categories of information flow:
- Internet: blogs, online publications, discussion groups, YouTube (videos) & Instagram, and other social media websites (e.g. Facebook, Twitter, LinkedIn). This source outpaces most others because of its timeliness and ease of access.
- Public: governmental data, public government reports, previous government data leaks, hearings, telephone directories, press conferences and websites. Although these come from official sources, they are publicly accessible and can be openly used.
- Professional: academic publications and information acquired from journals, conferences, symposia, academic papers and dissertations.
Helpful online services for information gathering
Go.ScanForSecurity – This service integrates many other solutions through their APIs. It helps to identify subdomains and domains hosted on the same IP, shows a domain's IP history, checks for findings on OpenBugBounty, and performs other useful checks.
DNSdumpster is a domain research tool for finding host-related information; it is a HackerTarget.com project. Beyond subdomains, it gives you information about the DNS servers, MX and TXT records, and a nice map of your domain.
The OpenBugBounty platform can easily be used to see whether there were any previous findings on the tested target without sending any requests to it directly. It can help you identify issues such as XSS, Open Redirect and CSRF. The platform is also accessible through an API, but I didn’t find much useful documentation for it publicly available.
VirusTotal can help with the subdomain enumeration process. It can show a domain's history with IP changes, whether or not the domain was used for spreading malware, and other useful information, including reverse DNS lookups. VirusTotal also has its own API which you can use, but the free version limits the number of requests you can send.
Shodan will give you all the useful information about the target domain or IP address you could want, such as open ports, the technology stack in use and possible vulnerabilities (you can combine this data with the Vulners platform). The Shodan platform also operates through an API, so all actions can be easily automated.
With the help of the Hunter.io service, you can find many email addresses for a specific domain name. Furthermore, it will show you the sources where this information was published. An API is available as well.
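The services above each return a different shape of data, and the practical work of passive recon (or, on the defending side, of inventorying an organisation's own externally visible hosts) is merging them into one picture. The script below is an added example written for this post, not code from the original or from any of the services named. It parses constructed sample responses modelled on the documented shapes of the VirusTotal v3 `domains/{domain}/subdomains` endpoint, the HackerTarget `hostsearch` CSV feed and a Shodan host record (the sample values are invented; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), normalises hostnames, drops out-of-scope hosts that merely contain the domain string, and links Shodan port data to the hosts that resolve to the same IP. The `fetch` helper, API keys, `Asset` type and function names are all this example's own assumptions.

```python
"""Consolidate passive-recon results from several OSINT sources into one inventory.

Added example, not from the original post. Sample responses are constructed
stand-ins (not captured from the real services); field names follow the
shapes those services document at the time of writing.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.request import Request, urlopen

# --- constructed sample responses -------------------------------------------
SAMPLE_VT_SUBDOMAINS = json.dumps({
    "data": [{"type": "domain", "id": "www.example.com"},
             {"type": "domain", "id": "dev.example.com"}]
})
# HackerTarget hostsearch returns "host,ip" lines; note the mixed case, the
# trailing dot, and a host that only *contains* the query string.
SAMPLE_HOSTSEARCH = (
    "WWW.Example.com.,203.0.113.10\n"
    "mail.example.com,203.0.113.20\n"
    "vpn.example.com,203.0.113.30\n"
    "notexample.com,198.51.100.5\n"
)
SAMPLE_SHODAN_HOST = json.dumps({
    "ip_str": "203.0.113.30", "ports": [443, 1194], "hostnames": ["vpn.example.com"]
})


@dataclass
class Asset:
    hostname: str
    ips: Set[str] = field(default_factory=set)
    ports: Set[int] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)


def fetch(url: str, headers: Optional[Dict[str, str]] = None, timeout: int = 15) -> str:
    """Plain GET for live runs (pass e.g. {'x-apikey': KEY}); not used offline."""
    with urlopen(Request(url, headers=headers or {}), timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def normalize(hostname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return hostname.strip().rstrip(".").lower()


def in_scope(hostname: str, domain: str) -> bool:
    """Keep the apex and true subdomains only; 'notexample.com' contains
    'example.com' as a substring but belongs to someone else."""
    h, d = normalize(hostname), normalize(domain)
    return h == d or h.endswith("." + d)


def parse_vt_subdomains(raw: str) -> Set[str]:
    return {normalize(i["id"]) for i in json.loads(raw).get("data", []) if "id" in i}


def parse_hostsearch(raw: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for line in raw.splitlines():
        if "," in line:
            host, ip = line.split(",", 1)
            out[normalize(host)] = ip.strip()
    return out


def parse_shodan_host(raw: str) -> Tuple[str, Set[int], Set[str]]:
    doc = json.loads(raw)
    return doc["ip_str"], set(doc.get("ports", [])), {normalize(h) for h in doc.get("hostnames", [])}


def build_inventory(domain: str, vt_raw: str, hostsearch_raw: str,
                    shodan_raws: List[str]) -> Dict[str, Asset]:
    inv: Dict[str, Asset] = {}

    def asset(h: str) -> Asset:
        return inv.setdefault(h, Asset(hostname=h))

    for h in parse_vt_subdomains(vt_raw):
        if in_scope(h, domain):
            asset(h).sources.add("virustotal")
    for h, ip in parse_hostsearch(hostsearch_raw).items():
        if in_scope(h, domain):
            a = asset(h)
            a.ips.add(ip)
            a.sources.add("hostsearch")
    for raw in shodan_raws:
        ip, ports, hostnames = parse_shodan_host(raw)
        # attach port data to every inventoried host that maps to this IP
        for a in inv.values():
            if ip in a.ips or a.hostname in hostnames:
                a.ips.add(ip)
                a.ports |= ports
                a.sources.add("shodan")
    return inv


def report(inv: Dict[str, Asset]) -> List[str]:
    """One line per host, sorted, so two runs can be diffed for new exposure."""
    return [f"{a.hostname} ips={sorted(a.ips)} ports={sorted(a.ports)} "
            f"sources={sorted(a.sources)}" for a in sorted(inv.values(), key=lambda x: x.hostname)]


if __name__ == "__main__":
    print("\n".join(report(build_inventory(
        "example.com", SAMPLE_VT_SUBDOMAINS, SAMPLE_HOSTSEARCH, [SAMPLE_SHODAN_HOST]))))
```

Running it twice against live data and diffing the `report` output is the defender's use of the same technique: a host that appears with a new open port between runs is exactly the exposure you want to learn about before someone else does.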
There are a good number of tools and methods available to find information about the targets in scope. The main thing is to determine the goal correctly so that information is collected efficiently and no time is wasted. Given the popularity of social networks and the emergence of resources that perform mass scans or checks, gathering information is only a matter of time and of knowing such sources.
In the next part I'll add some useful tools which you'll be able to launch from your PC, though some of them will still require integration with online services (including those mentioned above).