>OSINT_
- Open Source Intelligence (OSINT) -
Open Source Intelligence (OSINT) is the act of gathering any sort of publicly
available information about an entity. As many of us know (or may not know), there
are multiple phases when it comes to attacking a target:
- Reconnaissance / Information Gathering -
- Scanning / Enumeration -
- Gaining Access -
- Maintaining Access -
- Covering Tracks -
Within the reconnaissance phase (the one OSINT belongs to, and the one that comes before any scanning or enumeration touches the target), there are two different types of recon.
The first type is known as Active recon. Active recon gathers information by
interacting directly with the target or its people: attempting social engineering,
sending spoofed emails to the target's colleagues to coax information out of them,
or dumpster diving (I wouldn't call this active, but for some reason many
certifications such as the CEH label it as active). Because it touches the target, it can
be noticed, logged, and traced back to you. Getting caught performing active recon against
a target that has not authorized you could lead to a huge fine, or possibly jail time
(unless done legally via a scoped pentest/assessment).
The second type is Passive recon. Passive recon gathers all of its information from
publicly available sources, without sending anything to the target itself. For example,
let's say that we have a target "EvilCorp.com". Where are some places to look and gain
information about the victim?
If you are familiar with web application testing then it'll be good to check "Whois"
information and DNS / record information, and to use tools like theHarvester, Maltego,
Sublist3r, OWASP's Amass, knockpy (this one falls a bit into the active recon category,
since it brute-forces subdomains by resolving them), Google, people lookups, and email
lookups. There is an awesome site named "DeHashed" that indexes records from leaked
databases: enter an email and it returns the passwords (or password hashes) associated
with it, but ONLY IF that email was signed up to a site that suffered a really bad
previous data breach.
Whois - records can give you names, emails, phone numbers, the registrar, the nameservers,
and sometimes the location of the server(s). Note that many registrants now sit behind a
privacy service, so the contact fields may be redacted.
Information gathered from DNS servers and records can disclose the network infrastructure
of a company without alerting its IDS/IPS. Ordinary lookups are answered from caches or by
a recursive resolver acting on your behalf, so the target's authoritative servers never see
your address, and most organizations are not monitoring their DNS server traffic anyway.
Those that do usually only watch for zone transfer (AXFR) attempts, i.e. trying to grab all
DNS records at once, which a correctly configured nameserver refuses to unauthorized clients.
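To make the DNS point concrete, here is an added example (not part of the original notes) that takes a handful of public records for a target and turns them into the facts an attacker actually wants: which hosts and IP ranges exist, which third-party providers handle mail and hosting, and whether the domain can be spoofed (SPF/DMARC posture). The records are constructed for the fictional domain evilcorp.example; in practice you would pull them with something like `dig @1.1.1.1 evilcorp.example TXT +short` and `dig @1.1.1.1 _dmarc.evilcorp.example TXT +short` and feed the answers in as (name, type, value) tuples.

```python
"""What public DNS records reveal about a target's infrastructure.

Added example; not part of the original notes. All records below are
constructed for the fictional domain evilcorp.example.
"""

TARGET = "evilcorp.example"

# Constructed sample answers for the fictional target: (name, rrtype, value).
SAMPLE_RECORDS = [
    ("evilcorp.example", "A", "203.0.113.10"),
    ("evilcorp.example", "NS", "ns1.evilcorp.example."),
    ("evilcorp.example", "NS", "ns2.evilcorp.example."),
    ("evilcorp.example", "MX", "10 aspmx.l.google.com."),
    ("evilcorp.example", "MX", "20 alt1.aspmx.l.google.com."),
    ("evilcorp.example", "TXT",
     "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:servers.mcsv.net -all"),
    ("_dmarc.evilcorp.example", "TXT",
     "v=DMARC1; p=none; rua=mailto:dmarc-reports@evilcorp.example, mailto:abc@ag.dmarcian.com"),
    ("evilcorp.example", "TXT", "MS=ms12345678"),
    ("evilcorp.example", "TXT", "google-site-verification=abcdefg"),
    ("vpn.evilcorp.example", "A", "203.0.113.20"),
    ("test.evilcorp.example", "CNAME", "evilcorp-test.azurewebsites.net."),
]


def _host(value):
    """Normalize a DNS name: strip surrounding space and the trailing dot, lowercase it."""
    return value.strip().rstrip(".").lower()


def _in_scope(host, target):
    return host == target or host.endswith("." + target)


def parse_spf(txt):
    """Pull IP ranges, third-party includes and the 'all' qualifier out of an SPF record."""
    spf = {"ip4": [], "ip6": [], "include": [], "all": None}
    for term in txt.split()[1:]:            # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            spf["all"] = qualifier          # "-" hard fail, "~" soft fail, "?" neutral
            continue
        mech, _, arg = term.partition(":")
        if mech in spf:                     # ip4 / ip6 / include; other mechanisms ignored here
            spf[mech].append(arg)
    return spf


def parse_dmarc(txt):
    """Return the DMARC policy and the mailboxes that receive aggregate reports."""
    tags = {}
    for part in txt.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip()] = val.strip()
    rua = [u.strip()[len("mailto:"):] for u in tags.get("rua", "").split(",")
           if u.strip().startswith("mailto:")]
    return {"policy": tags.get("p"), "rua": rua}


def map_infrastructure(records, target=TARGET):
    """Turn raw records into hosts, IP space, mail/SaaS providers and spoofing posture."""
    s = {"ip_space": set(), "nameservers": set(), "mail_hosts": set(),
         "subdomains": set(), "cnames": {}, "spf": None, "dmarc": None,
         "verification_tokens": [], "third_parties": set()}

    def note_external(host):
        if not _in_scope(host, target):
            s["third_parties"].add(host)

    for name, rtype, value in records:
        name = _host(name)
        # Names under the target are subdomains; "_dmarc"-style policy labels are not hosts.
        if name != target and _in_scope(name, target) and not name.startswith("_"):
            s["subdomains"].add(name)
        if rtype == "A":
            s["ip_space"].add(value)
        elif rtype == "NS":
            s["nameservers"].add(_host(value))
        elif rtype == "MX":
            mx = _host(value.split()[-1])   # drop the priority, keep the host
            s["mail_hosts"].add(mx)
            note_external(mx)
        elif rtype == "CNAME":
            cname = _host(value)
            s["cnames"][name] = cname       # external CNAME targets expose SaaS hosting
            note_external(cname)
        elif rtype == "TXT":
            if value.startswith("v=spf1"):
                s["spf"] = parse_spf(value)
                s["ip_space"].update(s["spf"]["ip4"] + s["spf"]["ip6"])
                for inc in s["spf"]["include"]:
                    note_external(_host(inc))
            elif value.startswith("v=DMARC1"):
                s["dmarc"] = parse_dmarc(value)
                for addr in s["dmarc"]["rua"]:
                    note_external(_host(addr.split("@")[-1]))
            elif "=" in value:
                # Domain-verification tokens name the SaaS products in use.
                s["verification_tokens"].append(value.split("=", 1)[0])
    return s


if __name__ == "__main__":
    for key, val in map_infrastructure(SAMPLE_RECORDS).items():
        print(f"{key:20} {sorted(val) if isinstance(val, set) else val}")
```

Reading the output for the constructed target: mail is hosted at Google, a newsletter service (the mcsv.net include) is allowed to send as the domain, DMARC is p=none so spoofed mail is only reported rather than rejected, aggregate reports go to a third-party vendor, and a test site is parked on Azure. None of that required a single packet to the target's own systems.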
theHarvester - searches public sources (search engines, certificate transparency logs and
similar) for hosts and subdomains of the specified domain, and also collects email
addresses tied to it.
Maltego - can help search for, and link together, emails, names, and phone numbers.
Sublist3r - searches for subdomains. Perhaps EvilCorp.com has a subdomain test.EvilCorp.com
that contains vulnerabilities not found in the main domain.
There are tons of ways to gather information; I'm not going to describe them all.
The goal isn't to..
Pick a few that'll help you accomplish what you're trying to do. Some may work better
than others on certain occasions.
Learn how they work, and go from there.
Here are a few useful tips from my experience:
- Have a plan/starting point -
How do you know what information to collect if you don't know what you're looking for? Deciding this up front will keep you from gathering information that you don't need.
- Link data together -
Found a username? Good. People usually reuse the same username everywhere. Try searching that name in a browser and see what accounts are linked to it. Use sites that can identify which other social media accounts the target has, such as namechk.
Also check out: SpiderFoot
- Social Media is your Best Friend -
A lot of people today post much of their information on their social media: names, age,
and so on. Snapchat even has a feature (Snap Map) that lets you share your location with
friends, and it's accurate enough that you can find a person's exact location with it.
Need to find out when someone's birthday is? Search their feed for anything saying
"birthday" or "hbd".
LinkedIn is also a really good source, especially for employee names and job titles.
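The "link data together" tip and the LinkedIn tip combine naturally: harvested email addresses tell you the company's naming convention, and names scraped from LinkedIn become candidate addresses for phishing or password spraying. Here is an added example (not part of the original notes) that does both: it matches each harvested email to a known person under a set of common local-part formats, votes on the convention, and then renders new names in the winning format. The addresses and names are constructed for the fictional domain evilcorp.example; the format table and the accent/hyphen handling are my own assumptions about what a typical mail admin would have chosen.

```python
"""Link harvested emails to real names and infer the target's address format.

Added example; not part of the original notes. HARVESTED_EMAILS and
KNOWN_PEOPLE are constructed for the fictional domain evilcorp.example.
"""
import re
import unicodedata
from collections import Counter

# Local-part conventions mail admins commonly choose (assumed list).
# {first}/{last} are the full name tokens, {f}/{l} the initials.
FORMATS = {
    "first.last": "{first}.{last}",
    "firstlast":  "{first}{last}",
    "flast":      "{f}{last}",
    "first_last": "{first}_{last}",
    "firstl":     "{first}{l}",
    "last.first": "{last}.{first}",
    "first":      "{first}",
}

# Constructed sample data for the fictional target.
HARVESTED_EMAILS = [
    "jane.doe@evilcorp.example",
    "sam.okafor@evilcorp.example",
    "bchen@evilcorp.example",      # legacy account on an older convention
    "press@evilcorp.example",      # role mailbox, matches nobody
]
KNOWN_PEOPLE = ["Jane Doe", "Sam Okafor", "Bao Chen", "Priya S. Raman"]


def name_parts(full_name):
    """Reduce a display name to ASCII first/last tokens: accents stripped,
    middle names and punctuation dropped, hyphenated surnames joined."""
    ascii_name = unicodedata.normalize("NFKD", full_name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z\s-]", "", ascii_name.lower()).split()
    if not tokens:
        raise ValueError(f"no usable name tokens in {full_name!r}")
    first, last = tokens[0], tokens[-1].replace("-", "")
    return {"first": first, "last": last, "f": first[0], "l": last[0]}


def render(fmt, full_name):
    """Render one person's local part under a named format."""
    return FORMATS[fmt].format(**name_parts(full_name))


def infer_format(emails, people):
    """For every harvested email, find a (person, format) pair that reproduces its
    local part. Returns (format votes, email -> (person, format) links, unmatched emails)."""
    votes, links, unmatched = Counter(), {}, []
    for email in emails:
        local = email.split("@")[0].lower()
        match = next(((p, f) for p in people for f in FORMATS if render(f, p) == local), None)
        if match:
            links[email] = match
            votes[match[1]] += 1
        else:
            unmatched.append(email)     # role accounts, or people not yet on your list
    return votes, links, unmatched


def generate_candidates(names, domain, fmt=None, votes=None):
    """Build candidate addresses for people you only have names for, using the
    winning format, or every format when nothing has been inferred yet."""
    if fmt is None and votes:
        fmt = votes.most_common(1)[0][0]
    fmts = [fmt] if fmt else list(FORMATS)
    return [f"{render(f, n)}@{domain}" for n in names for f in fmts]


if __name__ == "__main__":
    votes, links, unmatched = infer_format(HARVESTED_EMAILS, KNOWN_PEOPLE)
    print("format votes:", dict(votes))
    print("linked:", links)
    print("unmatched (role accounts?):", unmatched)
    print(generate_candidates(["Priya S. Raman", "Luis García-Martínez"],
                              "evilcorp.example", votes=votes))
```

The point of keeping the unmatched list is that it is signal too: an address that fits no person on your list is either a role mailbox or an employee you have not found yet, so it goes back into the LinkedIn search rather than the bin.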
We've covered different ways of going about information gathering..
but what now? What do we do with all of the information that we've collected?
Take the time to look over your findings and begin to map out an attack vector. Look for a
weak point. Then, finally, execute.