Tips for an Information Security Analyst/Pentester career - Episode 14: OSINT (pt 1)

Intro

In this episode, we're going to cover open source intelligence (OSINT), aka passive reconnaissance.

I've dealt with active reconnaissance already, where the pentester/hacker interacts actively with the target. This is the case for tools like Nmap or HTTrack.

Active reconnaissance might not always be feasible or allowed, and it might not be your best first move.

Depending on the rules of engagement, and as a general consideration, you might want to start with OSINT first.

According to Wikipedia, "Open Source Intelligence (OSINT) is a term used to refer to the data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources). It is not related to open-source software or public intelligence".

OSINT is a type of recon performed by retrieving information about the target company/person/organization from public registries and public-domain sources, such as WHOIS records from domain registrars and regional Internet registries (ARIN for North America), social media, job postings and other tools, without any direct interaction with the target whatsoever.

The information collected this way allows you to perform a more targeted, spot-on pentest, reducing the "noise" level and keeping a lower profile with regard to the target.

If you then need or want to move on to active reconnaissance, you'll have more information on the target, increasing your chances of success.

Brief hands-on overview

a) OSINT ON A DOMAIN

I performed a passive recon on scanme.nmap.org.

Whois command (OS X)

It doesn't return any information.


Nslookup command

Returns the 45.33.32.156 IP address for scanme.nmap.org.

This IP is confirmed by other commands, too.

Whois service on network-tools.com

It returns a bunch of useful information, including the name, email and address of the administrator.
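As an added example (this is not the post's own code, and it is not a tool from the nmap.org project), the following script pulls the two artifacts above into one passive-recon summary: it parses WHOIS "Key: Value" records into fields, extracts contact e-mails, and picks the answer addresses out of nslookup output while skipping the resolver's own address line. The WHOIS record and nslookup transcript embedded in the script are constructed samples with placeholder names and e-mails (only the 45.33.32.156 answer matches the post), so the parsing runs offline; passing a domain on the command line runs the local `whois` and `nslookup` binaries instead.

```python
"""Passive recon on a domain: parse WHOIS and nslookup output into a short summary."""
import re
import shutil
import subprocess
import sys
from typing import Dict, List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample in the "Key: Value" layout most WHOIS servers use.
# Names, organizations and e-mails are placeholders, not real registration data.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrar WHOIS Server: whois.example-registrar.test
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
Registrant Name: Jane Doe
Registrant Organization: Example Corp
Registrant Email: jane.doe@example.com
Admin Email: hostmaster@example.com
>>> Last update of WHOIS database: 2020-01-01T00:00:00Z <<<
"""

# Constructed sample of `nslookup scanme.nmap.org`; the answer matches the post,
# the resolver address (192.0.2.53) is a documentation-range placeholder.
SAMPLE_NSLOOKUP = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\tscanme.nmap.org
Address: 45.33.32.156
"""


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Map lower-cased WHOIS keys to their values; repeated keys such as
    'Name Server' accumulate instead of overwriting each other."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks and the comment/notice lines servers wrap around the record.
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def extract_emails(text: str) -> List[str]:
    """All distinct e-mail addresses in the text, lower-cased and sorted."""
    return sorted({m.lower() for m in EMAIL_RE.findall(text)})


def parse_nslookup(text: str) -> List[str]:
    """IPv4 answers from nslookup output. The first 'Address:' line names the
    resolver and carries a '#port' suffix, so it is skipped."""
    addrs: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Address") and "#" not in line:
            addrs.extend(IPV4_RE.findall(line))
    return addrs


def summarize(whois_text: str, nslookup_text: str) -> Dict[str, List[str]]:
    """The fields a pentester wants first: registrar, name servers,
    contact e-mails and resolved addresses."""
    fields = parse_whois(whois_text)
    return {
        "registrar": fields.get("registrar", []),
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        "emails": extract_emails(whois_text),
        "addresses": parse_nslookup(nslookup_text),
    }


def run_tool(*cmd: str) -> str:
    """Run a local CLI tool and return its stdout, or '' if it is not installed."""
    if shutil.which(cmd[0]) is None:
        return ""
    return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live lookups against the domain given on the command line
        domain = sys.argv[1]
        result = summarize(run_tool("whois", domain), run_tool("nslookup", domain))
    else:                  # offline demo on the constructed samples
        result = summarize(SAMPLE_WHOIS, SAMPLE_NSLOOKUP)
    for key, values in result.items():
        print(f"{key:13} {', '.join(values) or '(none)'}")
```

One caveat when you run the live mode: a DNS query is answered by whichever resolver you use, and if that resolver has to walk to the target's authoritative name servers, the query does reach infrastructure the target controls. Likewise, a registrar may have delegated WHOIS to a server the target's hosting provider operates. On an engagement that must be strictly zero-touch, treat these lookups as borderline and prefer third-party archives (passive DNS, cached WHOIS) over live queries.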

b) OSINT ON SOCIAL MEDIA/SPECIALIZED SEARCH ENGINES

In this case, we can use both social media and specialized search engines to look up information about a company, or about a specific person in that organization.

In the video, I show how LinkedIn can be used for OSINT. Not only does it return valuable information about the target (education, interests, career history, network connections, etc.), it is also a great tool for finding other people in the same organization.

If I worked for a company, my LinkedIn profile would contain connections to other people in my organization, such as my supervisor or the CEO of that company.

Additionally, on a person's profile page there's an interesting section on the right called People Also Viewed, which can list other people with similar interests, members of the same LinkedIn group, or former and current coworkers and/or supervisors; this allows us to "pivot" to them as well.

It's worth stressing that passive recon conducted through search engines becomes active as soon as you click the links you find, such as corporate web pages: at that point your request hits the target's servers and shows up in their logs.

Passive recon means you never interact with the target in any way, shape or form.
