Passive

OSINT (Open-Source Intelligence gathering) is a way of learning about a target without any direct contact with it, and therefore without leaving any evidence of the reconnaissance.

The OSINT Process

OSINT reconnaissance can be broken down into the following five phases:

Source Identification: As the starting point, in this initial phase the attacker identifies the potential sources from which information may be gathered. Sources are documented throughout the process in detailed notes, so they can be revisited later if necessary.

Data Harvesting: In this phase the attacker collects information from the selected sources, and from further sources discovered along the way.

Data Processing and Integration: During this phase the attacker processes the harvested information into actionable intelligence, looking for anything that may assist in enumeration.

Data Analysis: In this phase the attacker analyses the processed information using OSINT analysis tools.

Results Delivery: In the final phase the OSINT analysis is complete and the findings are presented and reported to the other members of the Red Team.

Workflow of OSINT Cheatsheet

DNS Harvesting

  • dnsdumpster.com

  • DNS Checker (DNS Lookup - Check DNS All Records)

Email Harvesting

  • Hunter (Email Hunter): find email addresses in seconds

  • Nymeria: how to find almost any GitHub user's email address

GitHub Dorks

We can use GitHub advanced search keywords and dorks to find sensitive data in repositories.

GitHub dorks work with filenames, extensions and languages:

filename:bashrc
extension:pem
language:bash

Some examples of GitHub search keywords:

extension:pem private # Private SSH keys
extension:sql mysql dump # MySQL dumps
extension:sql mysql dump password # MySQL dumps with passwords
filename:wp-config.php # WordPress config file
filename:.htpasswd # .htpasswd
filename:.git-credentials # Git stored credentials
filename:.bashrc password # .bashrc files containing passwords
filename:.bash_profile aws # AWS keys in .bash_profile files
extension:json mongolab.com # Keys/credentials for mongolab
HEROKU_API_KEY language:json # Heroku API keys
filename:filezilla.xml Pass # FTP credentials
filename:recentservers.xml Pass # FTP credentials
filename:config.php dbpasswd # PHP application database credentials
shodan_api_key language:python # Shodan API keys (try other languages too)
filename:logins.json # Firefox saved password collection (key3.db is usually in the same repo)
filename:settings.py SECRET_KEY # Django secret keys (usually allows session hijacking, RCE, etc.)
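The same patterns work in the other direction: a maintainer can run a local check over a checkout before pushing, flagging files that would match the dorks listed above so they never reach a public repository. The script below is an added example, not code from the original page or from any project it mentions. Its rule table is derived from the dork list in this section (filename or extension, plus the content keyword where the dork has one), and the sample repository it builds is constructed for the demonstration.

```python
"""Local pre-push check for the file patterns the GitHub dorks above target.

Added example (not from the original page): walks a checkout and flags
files that would match the dork patterns listed in this section, so a
maintainer can catch them before they are pushed. The rule table and the
sample tree are constructed for this example.
"""
import os
import re
import tempfile

# Each rule: (label, filename matcher, optional content regex).
# A content regex of None means the filename alone is enough to flag the file.
RULES = [
    ("Private key (extension:pem private)", lambda n: n.endswith(".pem"),
     re.compile(r"PRIVATE KEY")),
    ("SQL dump with password (extension:sql ... password)", lambda n: n.endswith(".sql"),
     re.compile(r"password", re.I)),
    ("WordPress config (filename:wp-config.php)", lambda n: n == "wp-config.php", None),
    ("htpasswd file (filename:.htpasswd)", lambda n: n == ".htpasswd", None),
    ("Git stored credentials (filename:.git-credentials)", lambda n: n == ".git-credentials", None),
    ("Shell rc with secrets (filename:.bashrc password / .bash_profile aws)",
     lambda n: n in (".bashrc", ".bash_profile"), re.compile(r"password|aws", re.I)),
    ("FileZilla credentials (filename:filezilla.xml Pass)",
     lambda n: n in ("filezilla.xml", "recentservers.xml"), re.compile(r"<Pass")),
    ("Firefox logins (filename:logins.json)", lambda n: n == "logins.json", None),
    ("Django SECRET_KEY (filename:settings.py SECRET_KEY)", lambda n: n == "settings.py",
     re.compile(r"^\s*SECRET_KEY\s*=", re.M)),
    ("Heroku API key (HEROKU_API_KEY language:json)", lambda n: n.endswith(".json"),
     re.compile(r"HEROKU_API_KEY")),
    ("Shodan API key (shodan_api_key language:python)", lambda n: n.endswith(".py"),
     re.compile(r"shodan_api_key", re.I)),
]


def scan_tree(root):
    """Return sorted (relative_path, label) pairs for files matching any rule."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            content = None  # read lazily, only when a rule needs the body
            for label, name_matches, pattern in RULES:
                if not name_matches(name):
                    continue
                if pattern is not None:
                    if content is None:
                        with open(path, "r", encoding="utf-8", errors="replace") as fh:
                            content = fh.read()
                    if not pattern.search(content):
                        continue
                findings.append((rel, label))
    return sorted(findings)


def build_sample_repo():
    """Create a constructed checkout mixing harmless files with ones that should be flagged."""
    root = tempfile.mkdtemp(prefix="dorkcheck-")
    files = {
        "README.md": "# demo\n",
        "deploy/server.pem": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n",
        "config/settings.py": "DEBUG = False\nSECRET_KEY = 'change-me'\n",
        "config/.git-credentials": "https://user:token@example.com\n",
        "db/schema.sql": "CREATE TABLE users (id INT);\n",  # no password: not flagged
        "ops/.bashrc": "export PATH=$PATH:/opt/bin\n",        # no secret keyword: not flagged
    }
    for rel, text in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel, label in scan_tree(repo):
        print(f"{rel}: {label}")
```

Run it against a real checkout by calling `scan_tree(".")` from the repository root; the content regexes keep the noise down (a `schema.sql` without a password or a `.bashrc` without credentials is not reported), which is the same filtering the keyword part of each dork does on GitHub's side.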

Open Job Requisitions

Job requisitions can reveal which information technology products a target organization uses, such as:

  • Web Server Type

  • Web Application Development Environment

  • Firewall Type

  • Routers

Google searches to find job requisitions

  • site:[companydomain] careers <keyword or job title>

  • site:[companydomain] jobs

  • site:[companydomain] openings

  • Also search job-related sites such as LinkedIn

PGP Public Key Servers

Organizations maintain servers that provide public PGP keys to clients. You can query these to reveal user email addresses and details, for example:

  • OpenPGP Keyserver

  • MIT PGP Key Server

Cloudflare / Tor IP Detection

Some tips for finding the real IP addresses of origin servers hiding behind Cloudflare or Tor are collected in the Secjuice article "Finding real IPs of origin servers behind CloudFlare or Tor".

Identify Host Sharing

Check whether a single server or IP address is hosting multiple websites or domains:

# Bing dorks to identify host sharing
ip:xxx.xxx.xxx.xxx

Shodan

Search engine for the Internet of everything.

Shodan is the world's first search engine for Internet-connected devices, including computers, servers, CCTV cameras, SCADA systems and anything else that is connected to the internet, whether or not its owner intended it to be.

Shodan can be used both as a source for gathering information about random targets for mass attacks and as a tool for finding weak spots in a large network of systems, taking the low-hanging fruit.

The search syntax of the engine is somewhat particular and is documented in the help section of the website.

With Shodan you can search for specific systems, ports, services, regions and countries, or even for specific vulnerable versions of software or OS services running on systems, such as SMB v1, and much more.

The keywords most commonly used in Shodan search queries are collected, with examples, in the osintme.com article "Ultimate OSINT with Shodan: 100+ great Shodan queries".

Other OSINT Websites

I have put together a list of the most used OSINT sources, which will usually cover about 90% of your needs in a regular pentest.

Remember that there are endless ways to find intel about your target.

The OSINT process is limited only by your own imagination.

Top sources ( most used )

  • Skip Tracing Framework (kind of an all-in-one directory for recon)

  • Robtex (search for IPs, domain names, etc.)

  • Netcraft (very useful for website and domain recon)

  • SSL Labs (test the SSL cert security of websites and domains)

  • Security Headers (test website headers; a browser plugin is available)

  • Archive.org (the largest Internet archive)

  • iseek (not as deep as the others but still useful)

  • Global file search (search for any file; used for passive metadata search)

  • NSLookup (query DNS records; both web and CLI tool)

  • DNSdumpster (great for DNS recon)

  • Whois (both web and CLI tool)

  • ONYPHE (an "internet SIEM" website, as they call themselves)

Image search

  • TinEye (reverse image search)

  • Photobucket (image search)

Username and people search

  • User search (search for usernames, mostly on social media networks)

  • pipl (investigation and research; you should sign up for it)

  • Social Mention (social media search)

  • Social Searcher (social media search)

  • Spokeo (name, phone number, address, etc.)

  • Find People Search (people search)

IOT and device search

  • Shodan (search engine for internet-connected devices; also available as a command-line tool)

  • open stream cam (open stream cameras)

  • insecam (live video camera search)

Dark web engines

  • pubpeer.com

  • scholar.google.com

  • arxiv.org

  • guides.library.harvard.edu

  • deepdotweb.com

  • Core.onion

  • OnionScan

  • Tor Scan

  • ahmia.fi

  • not evil

Monitoring and alerting

  • Google Alerts

  • HaveIBeenPwned.com

  • Dehashed.com

  • Spycloud.com

  • Ghostproject.fr

  • weleakinfo.com

social-analyzer

For analyzing and finding a person's profiles across 800+ social media websites:

python3 -m pip install social-analyzer

social-analyzer --username "johndoe" --metadata --extract --mode fast

TWINT

An advanced Twitter scraping tool written in Python that scrapes Tweets from Twitter profiles without using Twitter's API (GitHub: twintproject/twint).

Note: In OSINT you should always ask questions like how, who, when, where and why. Also try to collect and sort everything you find, and build a structured map of the intel you have gathered using a mind mapping tool like XMind or Mind Master.

Shodan has free and commercial memberships and is accessible at shodan.io.