What is OSINT: Basic Guide
Pentesting should absolutely never be done without first researching the target.
20:19 23 November 2019
To begin with, it is fundamental to collect data about the target within the project's scope. This lets the pentester track down blind spots in an organization's protective barrier that could be used to break into the system, whether by logical, physical or social-engineering means, or by a combination of the three. OSINT, and information in general, is among the most traded commodities on the market today, and a vast amount of information about almost anybody is openly accessible at the click of a mouse. But what is OSINT?
OSINT Definition And Process
Open-source intelligence (OSINT) is the use of openly accessible web sources to collect data about people or other entities on the Internet. This process is carried out during the reconnaissance phase and does not itself involve any intrusion. Important information is gathered in this phase and carried over into the enumeration stage.
Because so much data is openly accessible, hackers need a straightforward scheme and a broad range of source-scavenging tools to organize the information and make use of it; otherwise they could go astray in the information maze of the world wide web. Such reconnaissance can be broken down into 5 stages:
Stages of the OSINT information gathering process
- Source Identification: the first stage, in which the hacker identifies potential sources from which data can be gathered. Sources are recorded and well documented throughout this stage in case they are needed later.
- Information Collection: in this stage the hacker gathers information from the chosen sources, as well as from other sources that turn up during collection.
- Data Processing and Integration: in this stage the hacker processes the collected data into a usable database, looking for data that can support enumeration.
- Information Analysis: in this stage the hacker analyses the collected data using OSINT tools.
- Result Delivery: in the last stage the OSINT analysis is finished and the findings are presented and delivered to the members of the Red Team.
It should be mentioned that conducting OSINT is lawful; the OSINT process and the tools presented here are meant to be used as part of the Red Team's work, under an agreement authorized by the target. When pentesting, always protect yourself with a signed agreement from the target person, group or business that permits you to attempt to breach their systems for the purpose of vulnerability assessment and that defines the scope of the task. Stay alert, for you have been given due notice!
Many great OSINT tools exist, so it isn't realistic to go over all of them, but the most frequently used ones are, notably, handy for Red Team work. Conducting OSINT means gathering the nuts and bolts of the data that can be used to draw conclusions about somebody or something, then digging deeper by testing that data with OSINT tools. By doing this you can find out what else remains to be discovered. Some OSINT tools are free and cost nothing at all, while the best OSINT tools have a big price tag attached to them.
Google Searching & Dorks
As an example, imagine you have to pentest a company at https://sample.com. You go to the website and at the bottom find a couple more links titled "Alternative Web Assets". You click the first one, www.examplewebsite.com, and decide to look for more data about this website. The site is unsettling, to say the least, because of its dated design. If you choose to dig further into this long-lost corner of cyberspace, how can you reveal more about it?
One way is Google Dorking, otherwise known as Google Hacking: the use of the search engine's advanced operators. Generally it is the Google web crawler's index that is worked with; attackers use it too, turning the search engine into something that operates outside its original intention. Experiment with Google Dorks and you will see all the different kinds of results.
Google Dork commands can be typed straight into the browser's search bar and produce results such as:
site:www.example.com ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:"Bootleg 2019 version" | intext:"visitor statistics") inurl:confidential
This type of query returns only results that match every condition at once; if you build a looser version by switching to a Boolean operator such as OR, you can see a different set of results.
site:www.example.com OR ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:"confidential salary" | intext:"budget 2019") inurl:confidential
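The queries above only match what you intend when the operator syntax is exact: a value must follow the colon directly, and a multi-word phrase must be wrapped in straight double quotes, or only its first word binds to the operator. The Python below is an example added to this article, not a tool from it (the function names are its own). It builds queries of the shape shown above from structured parts so those rules hold, and lints a hand-written query for the two most common slips; a defender can use the same queries to audit their own domain for indexed documents.

```python
import re

# Operators whose value must directly follow the colon; a space after the
# colon detaches the value and silently changes what the query matches.
OPERATORS = ("site", "ext", "filetype", "intext", "inurl", "intitle")


def phrase(text):
    """Quote multi-word values so the whole phrase binds to its operator."""
    return f'"{text}"' if " " in text else text


def one_of(operator, values):
    """Render operator:(a | b | c): one operator, alternative bare values."""
    return f"{operator}:(" + " | ".join(values) + ")"


def any_of(operator, values):
    """Render (operator:a | operator:"b c"): each alternative gets its own operator."""
    return "(" + " | ".join(f"{operator}:{phrase(v)}" for v in values) + ")"


def build_dork(site, exts=(), intext=(), inurl=None, join=None):
    """Assemble a query from parts. Adjacent clauses are ANDed by default;
    join="OR" places an explicit OR between every clause instead."""
    clauses = [f"site:{site}"]
    if exts:
        clauses.append(one_of("ext", exts))
    if intext:
        clauses.append(any_of("intext", intext))
    if inurl:
        clauses.append(f"inurl:{phrase(inurl)}")
    separator = f" {join} " if join else " "
    return separator.join(clauses)


def lint_dork(query):
    """Return a list of problems that make a query match something other than intended."""
    problems = []
    for match in re.finditer(r"\b(" + "|".join(OPERATORS) + r"):\s", query):
        problems.append(f"space after '{match.group(1)}:' detaches its value")
    if re.search("[\u201c\u201d]", query):
        problems.append("curly quotes are not treated as phrase delimiters")
    return problems


# Document extensions used in the queries above.
DOC_EXTS = ["doc", "pdf", "xls", "txt", "ps", "rtf", "odt", "sxw", "psw", "ppt", "pps", "xml"]

if __name__ == "__main__":
    # Rebuild the second query from the article with correct phrase quoting.
    q = build_dork("www.example.com", DOC_EXTS, ["confidential salary", "budget 2019"], "confidential")
    print(q)
    for problem in lint_dork(q):
        print("problem:", problem)
```

The linter deliberately flags a space after an operator colon and curly quotes (the two slips that turn a targeted query into a broad one), so paste any dork you have typed by hand through it before trusting what it returns.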
With the sample above, you could work with a cybersecurity search engine such as Spyse to resolve the DNS of www.examplewebsite.com. You will also see WHOIS data, for example the registrar (godaddy.com), the creation date (year-month-day), and the two nameservers the ICANN lookup returned (NS1.EXAMPLE.NET & NS2.EXAMPLE.NET). Just a couple of years ago there were no services that allowed all-in-one reconnaissance; you had to use simple WHOIS tools to find such data, and those have quite limited functionality and leave some data out, for example about IPs.
Now there are services like Spyse where you can get information about almost anything at once. This saves a lot of the time that would otherwise go into deploying different scanning services, and a lot of time on the scanning itself. Spyse automatically scans the Internet once a day, and all I have to do is extract the data from their database.
For example, for a simple bug bounty I usually just need to gather and examine data about the target's external infrastructure:
- Their domains and subdomains
- Digital certificates (maybe some of them are expired)
- DNS and reverse DNS (to find key servers)
- AS numbers (because why not: you could find something interesting there and reach the server via its "neighbors")
- IPv4 hosts, of course
- And open ports, the most valuable part in some cases, because no one likes to properly maintain their infrastructure.
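The checklist above can be reviewed mechanically once the data is in hand. The Python below is an added example for this article, not Spyse's code and not its API format: the inventory is constructed, its field names are this example's own, and it uses RFC 5737 documentation IPs and a documentation-range ASN. It flags expired or soon-expiring certificates, open ports that belong to services which should not face the Internet, the domain's age and the time until its registration lapses, and groups hosts by AS number; the same port check applies to the per-IP port output mentioned further down.

```python
from datetime import date, timedelta

# CONSTRUCTED inventory mirroring the checklist: domain, WHOIS, certificates,
# IPv4 hosts with reverse DNS, AS number and open ports. Not a real API format.
INVENTORY = {
    "domain": "example.com",
    "whois": {
        "registrar": "godaddy.com",
        "created": "2015-03-10",
        "expires": "2026-03-10",
        "nameservers": ["NS1.EXAMPLE.NET", "NS2.EXAMPLE.NET"],
    },
    "certificates": [
        {"host": "www.example.com", "not_after": "2026-01-15"},
        {"host": "old.example.com", "not_after": "2019-06-30"},
        {"host": "api.example.com", "not_after": "2025-12-01"},
    ],
    "hosts": [
        {"ip": "203.0.113.10", "rdns": "www.example.com", "asn": 64496, "ports": [80, 443]},
        {"ip": "203.0.113.11", "rdns": "old.example.com", "asn": 64496, "ports": [22, 23, 80, 3389]},
        {"ip": "203.0.113.12", "rdns": "db.example.com", "asn": 64496, "ports": [3306, 6379]},
    ],
}

# Services that should not normally be reachable from the Internet at all.
EXPOSED_SERVICE_PORTS = {
    21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp",
    3306: "mysql", 5432: "postgresql", 6379: "redis", 27017: "mongodb", 9200: "elasticsearch",
}

# Fixed reference date so the checks are reproducible; pass date.today() in real use.
REVIEW_DATE = date(2025, 11, 20)


def certificate_findings(inventory, today=REVIEW_DATE, warn_days=30):
    """Return (host, status) for certificates that are expired or expire within warn_days."""
    findings = []
    for cert in inventory["certificates"]:
        not_after = date.fromisoformat(cert["not_after"])
        if not_after < today:
            findings.append((cert["host"], "expired"))
        elif not_after - today <= timedelta(days=warn_days):
            findings.append((cert["host"], "expires_soon"))
    return findings


def port_findings(inventory):
    """Return (ip, rdns, port, service) for every open port on the exposed-service list."""
    return [
        (host["ip"], host["rdns"], port, EXPOSED_SERVICE_PORTS[port])
        for host in inventory["hosts"]
        for port in host["ports"]
        if port in EXPOSED_SERVICE_PORTS
    ]


def domain_age_days(inventory, today=REVIEW_DATE):
    """Days since registration; very young domains deserve a closer look."""
    return (today - date.fromisoformat(inventory["whois"]["created"])).days


def registration_days_left(inventory, today=REVIEW_DATE):
    """Days until the registration lapses; a lapsed domain can be re-registered by anyone."""
    return (date.fromisoformat(inventory["whois"]["expires"]) - today).days


def asn_summary(inventory):
    """Map each AS number to the hosts announced from it (the "neighbors" view)."""
    by_asn = {}
    for host in inventory["hosts"]:
        by_asn.setdefault(host["asn"], []).append(host["ip"])
    return by_asn


if __name__ == "__main__":
    whois = INVENTORY["whois"]
    print("registrar:", whois["registrar"], "nameservers:", whois["nameservers"])
    print("domain age (days):", domain_age_days(INVENTORY),
          "registration days left:", registration_days_left(INVENTORY))
    for host, status in certificate_findings(INVENTORY):
        print(f"certificate {host}: {status}")
    for ip, rdns, port, service in port_findings(INVENTORY):
        print(f"{ip} ({rdns}) exposes {service} on port {port}")
    print("hosts per AS:", asn_summary(INVENTORY))
```

Feeding real data in means mapping whatever your source returns onto these fields first; the checks themselves stay the same, and the exposed-service table is the place to encode your own organization's policy on what may face the Internet.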
Spyse shows plenty of information that might be useful for identifying weaknesses in an infrastructure or choosing an attack vector.
The service is in beta, so it is not 100% stable, but the problems I reported were quickly solved. In any case, I recommend trying it.
If you are a hacker, you will probably prefer the CLI to GUI services. You can try Spyse.py, a Python wrapper created by zer0pwn.
A typical API output for the ports of one IP looks something like this. As you can see, the CLI is not always convenient.
And here's how the same data looks in the Spyse web version.
The type of scan depends on your purpose. For most people, the browser version of Spyse will definitely be enough.
You can see that Spyse presents a good deal of data that could be useful for pointing out defects in a system's structure or for selecting an attack vector.
These are the most fundamental resources used in reconnaissance. How to use this information together with other services to search for people, emails and IoT devices will be covered in the following articles.
Remember: OSINT's reach is limited only by one's own lack of imagination.