Hey everybody! In this post, I would like to share how I do Open-Source Intel assessments and guide you through one step by step. I think using the tools I mention you can’t harm anyone but just in case I say that do everything on your own responsibility. Also, here I would like to say that keeping good notes is the most important thing during an assessment. Make sure you note every finding down, so you make yourself work less in the phase of report writing. Ready? Let’s get into it!^^
Step 0
So you have been contacted by a company to research them using information which is openly available on the Internet, cool, now what? I don’t usually go into the legal stuff, during an OSINT assessment we never interact with the target directly. I truly believe that business still can be sealed with a handshake only.
So, this step is super easy. You need a target and permission. A target can be a domain, IP address, email, name, phone number…etc and permission, well you will have permission when you explain to the client what you are going to do and ask them if it’s okay. If it is, then you are good to go.
Staying at step 0, I tend to know little to nothing about my target so I do quick research on them. If it is a company, then I have to know where it’s located, what services they offer or what products they sell. You don’t need to go full into the details, you just enough to have some idea about your target.
Step 1
Let’s start the work! As in every engagement, we are going to widen the attack surface. Let’s say we have a domain name. The first thing is getting the whois records to know who owns that domain (https://who.is/), and checking if the owner has multiple domains or just one. Enumerate the subdomains, using google search or another search engine (https://github.com/darklotuskdb/sd-goo). Use wappalyzer to check what technologies have been used to build the website (mostly they are WordPress or drupal), and check if the additional plugins are actualized or if they have any vulnerabilities.
One of my favourite tools is FOCA, this is a crawler which can be used to download every file from a website and extract metadata from them. Sometimes you can get very interesting stuff like passwords, usernames or the firmware of the printer used by the company.
I love using shodan and Cenys if I have to retrieve information about IPs or domains. They can be very useful and while using them you are still not interacting with the resources of the client.
Amass is another great tool I use daily to automate the enumeration phase a little bit.
At this point you should have a general understanding of the company, you should have a geolocation (at least the HQ of the company), and a fully footprinted website. And right now you should take a deep breath and forget about Nmap this time. If you are using it against unauthorized targets you could get yourself into a lot of trouble.
DURING AN OSINT SCAN WE ARE NEVER INTERACTING DIRECTLY WITH THE CLIENT RESOURCES.
So far our checklist looks something like this:
- Research the company using Google, Yandex, Duckduckgo…etc to get context.
- Check the company’s website for info (whois, dnsdumpster, amass, spyse,)
- Check the company’s website for possible easy wins/low-hanging fruits (shodan/cenys, wappalyzer)
- Using FOCA to download files and extracting metadata from them.
Step 2
After footprinting the website I hunt information about people using social media, I try to collect usernames, and email addresses, map out the chain of command in the company and last but not least I look out for breached passwords.
Start with LinkedIn, you can see who works for that company, who are the C-type executives, the size of the company..etc. LinkedIn is a goldmine, I highly recommend you master it. One time I found somebody who put his promotion there and could see the company’s internal template. If I wanted to mount a phishing campaign that would come in a handful.
Use Google search operators such as:
- site:http://linkedin.com/in “<person name>”
- site:http://linkedin.com/in “<company name>”
- site:http://linkedin.com/in “<job title>”
- site:http://linkedin.com/in “<keyword of interest>”
After this, I’ll go with Twitter, the username used on Twitter is almost always the same as anywhere else. Check for posts, interests, follows…etc. I tend to use the advanced search feature on Twitter and this amazing tool.
I’ll do a quick check on Insta and Facebook as well, but these platforms don’t have as much valuable info as the others. You can download photos for extracting metadata, or see 40 photos of cars or nails in your target’s story. imginn is a great tool for downloading all the photos you found.
And my favourite part: checking for the breached passwords! I use dehashed and haveibeenpawned to see if a specific username has been part of a data breach. I also have a torrent file which contains more than one million entries of breached usernames and passwords. Furthermore, you can check for breached passwords on the forums of the dark web. This part of the investigation holds the most value if somebody’s password and username are out there and you give this information to your client I am 100% that they gonna call you back for more work.
Make sure you are making good notes and feel free to make graphics as well. People like graphics and statistics. I use Maltego for visualizing the found information and Joplin for taking good notes.
So in the end, our checklist looks something like this:
- Research the company using Google, Yandex, Duckduckgo…etc to get context.
- Check the company’s website for info (whois, dnsdumpster, amass, spyse,)
- Check the company’s website for possible easy wins/low-hanging fruits (shodan/cenys, wappalyzer)
- Using FOCA to download files and extracting metadata from them.
- Check the company’s LinkedIn for info about the company, chain of command…etc
- Check Twitter for possible usernames, hashtags related to the company…etc
- Check Facebook and Insta for personal info about the employees, extract metadata from the uploaded fotos.
- Using the collected usernames and email addresses, look for breached passwords.
We can insert things in this list like checking the MX record of the target’s domain for getting email addresses, there are a lot of tricks and tips, OSINT is an art itself so feel free to modify this list as it works best for you.
Step 3
Report writing, is the part which is hated by everyone, but you all know how this goes: “We are hacking assets for fun and write reports for money”.
Your report needs to following structure:
- Cover page
- Table of contents
- Summary (x was tasked by y to research z, this includes…etc)
- Target, info about the target (domain-list, chain of command, phone number, list of usernames..etc)
- Technical evidence (Here you put the technique you used, a link to the tool you used, additional notes and a screenshot about the findings.)
Doing this type of investigation we rarely sign NDA-s or put a confidelity statement in our report. In the end, every intel we find is publicly available.
Before saying goodbye, I would like to mention an amazing project called Tracelab-VM. Tracelab is a Linux-based image containing every OSINT tool you need for an assessment.
So this was all, thanks for reading, I hope you found something interesting in my post or a new tool which you can use. Have a great week!^^
Join to our Discord server:
https://discord.gg/DX2ycpP8
Follow me on LinkedIn for more:
https://www.linkedin.com/in/gergo-valentin-krkos/
Support my work at: