Passive

OSINT (short for Open-Source Intelligence Gathering) is a way of knowing your target without any sorts of direct contact or leaving any evidence of the recon.

The OSINT Process

OSINT reconnaissance can be further broken down into the following 5 Phases:

Source Identification: As the starting point, in this initial phase the attacker identifies potential sources from which information may be gathered from. Sources are internally documented throughout the process in detailed notes to come back to later if necessary.

Data Harvesting: In this phase, the attacker collects and harvests information from the selected sources and other sources that are discovered throughout this phase.

Data Processing and Integration: During this phase, the attacker processes the harvested information for actionable intelligence by searching for information that may assist in enumeration.

Data Analysis: In this phase, the attacker performs data analysis of the processed information using OSINT analysis tools.

Results Delivery: In the final phase, OSINT analysis is complete and the findings are presented/reported to other members of the Red Team.

Note: In OSINT you should always ask questions like: how, who, when, where and why. Also try to collect and sort everything you find and make a structured map of the intel you have gathered using a mind mapping tool like XMind or Mind Master.

Workflow of OSINT Cheatsheet

DNS Harvesting

DNSDumpster - Find & lookup dns records for recon & researchDNSDumpster.com

DNS Lookup - Check All DNS Records for Any DomainDNS Checker

Email Harvesting

https://www.twilio.com/docs/glossary/email-harvestingwww.twilio.com

Find email addresses and send cold emails • HunterHunter

How to find email addresses for most GitHub userswww.nymeria.io

GitHub Dorks

We can use GitHub advanced search keywords and dorks to find sensitive data in repositories.

GitHub dorks work with filenames and extensions

filename:bashrc
extension:pem
langage:bash

Some examples of GitHub search keywords:

extension:pem private # Private SSH Keys
extension:sql mysql dump # MySQL dumps
extension:sql mysql dump password # MySQL dumps with passwords
filename:wp-config.php # Wordpress config file
filename:.htpasswd # .htpasswd
filename:.git-credentials # Git stored credentials
filename:.bashrc password # .bashrc files containing passwords
filename:.bash_profile aws # AWS keys in .bash_profiles
extension:json mongolab.com # Keys/Credentials for mongolab
HEROKU_API_KEY language:json # Heroku API Keys
filename:filezilla.xml Pass # FTP credentials
filename:recentservers.xml Pass # FTP credentials
filename:config.php dbpasswd # PHP Applications databases credentials
shodan_api_key language:python # Shodan API Keys (try others languages)
filename:logins.json # Firefox saved password collection (key3.db usually in same repo)
filename:settings.py SECRET_KEY # Django secret keys (usually allows for session hijacking, RCE, etc)

Open Job Requisitions

Job requisitions can help us get information about the information technology products used in a target organization, such as:

• Web Server Type

• Web Application Development Environment

• Firewall Type

• Routers

Google searches to find job requisitions

• site: [ companydomain ] careers Q , Keyword or Title 9

• site: [ companydomain ] jobs .

• site: [ companydomain ] openings

• Also, searches of job-related sites such as LinkedIn

PGP Public Key Servers

Organizations maintain servers that provide public PGP keys to clients. You can query these to reveal user email addresses and details.

OpenPGP Keyserverkeyserver.ubuntu.com

MIT PGP Key Serverpgp.mit.edu

Cloudflare / Tor IP Detection

Some tips to find real IP addresses hiding behind Cloudflare and Tor

https://www.secjuice.com/finding-real-ips-of-origin-servers-behind-cloudflare-or-tor/www.secjuice.com

Identify Host Sharing

See if a single server or ip is hosting multiple websites/domains:

# Bing dorks to identify host sharing
ip:xxx.xxx.xxx.xxx

Shodan

Search engine for the Internet of everything.

Shodan is the world's first search engine for Internet-connected devices including computers, servers, CCTV cameras, SCADA systems and everything that is connected to the internet with or without attention.

Shodan can be used both as a source for gathering info about random targets for mass attacks and a tool for finding weak spots in a large network of systems to attack and take the low-hanging fruit.

Shodan has a free and commercial membership and is accessible at shodan.io.

The search syntax in the search engine is somehow special and can be found in the help section of the website.

With Shodan you can search for specific systems, ports, services, regions and countries or even specific vulnerable versions of a software or OS service running on systems like SMB v1 and much more.

Here the keywords that are mostly used in Shodan search queries:

Ultimate OSINT with Shodan: 100+ great Shodan queriesosintme.com

Other OSINT Websites

I have put together a list of the most used OSINT sources that will usually cover about 90% of your needs in a regular pentest.

Remember there are endless ways to find Intel about your target.

The OSINT process is limited to your own imagination.

Top sources ( most used )

• Skip Tracing Framework (kind of all-in-one directory for recon)

• Robtex (search for IPs, domain names, etc )

• Netcraft (very useful for website and domain recon)

• SSL labs (test websites and domains SSL cert security)

• Security Headers (test website headers (browser plugin is available)

• Archive.org (the largest Internet archive)

• iseek (not as deep as others but still useful)

• Global file search (search for any file, used for passive metadata search )

• NSLookup (query DNS records, both web and CLI tool )

• DNSdumpster (great for DNS recon)

• Whois (both web and CLI tool )

• ONYPHE (internet SIEM website, that's what they call themselves )

Image search

• TinEye ( reverse image search )

• photo bucket ( image search )

Username and people search

• User search ( search for usernames, mostly social media networks )

• pipi ( investigation and research, you should sign up for it )

• Social mention ( social media search )

• Social searcher ( social media search )

• SPOKEO ( name, phone number, address, etc. )

• Find people search ( people search )

IOT and device search

• shodan ( search engine for internet connected devices, command line )

• open stream cam ( open stream camera )

• insecam ( live video camera search )

Dark web engines

pubpeer.com

scholar.google.com

arxiv.org

guides.library.harvard.edu

deepdotweb.com

Core.onion

OnionScan

Tor Scan

ahmia.fi

not evil

Monitoring and alerting

Google Alerts

HaveIBeenPwned.com

Dehashed.com

Spycloud.com

Ghostproject.fr

weleakinfo.com/

social-analyzer

For analyzing and finding a person's profile across 800+ social media websites

python3 -m pip install social-analyzer

social-analyzer --username "johndoe" --metadata --extract --mode fast

TWINT

Advanced Twitter scraping tool written in Python that allows for scraping Tweets from Twitter profiles without using Twitter's API.

GitHub - twintproject/twint: An advanced Twitter scraping & OSINT tool written in Python that doesn't use Twitter's API, allowing you to scrape a user's followers, following, Tweets and more while evading most API limitations.GitHub