Tips for an Information Security Analyst/Pentester career - Episode 15: OSINT (pt 2)

In this episode, we are going to delve deeper into open source intelligence by using two advanced tools that automate reconnaissance by sifting through websites, search engines, domains, social media and many more sources.



A) recon-ng

This tool, developed by Black Hills Cyber Security, is very advanced and allows you to automate reconnaissance by using the many bundled modules that ship with it. The software comes preinstalled with Kali Linux, but is available for download for all platforms.

For the purposes of this tutorial, I only analyzed domains and companies.

You first need to manually enter the domain or company you want to perform a search about.

For domains, you need to enter the command add domains, followed by the name of the domain you want to add, as shown below.


Similarly, in order to add a company, you need to use add companies, followed by the name of the company you want to add.

Entering search domains- at the recon-ng prompt lists all modules available for domains.

Here I'm going to look at a couple of specific domain modules.

To use a module, as in Metasploit, you enter use, followed by the module name.

As a general rule, if we enter show info, we can see more information about the specific module we're using. If we enter show options, we can set up additional options to customize the way that specific module works.


Brief modules overview

1) recon/domains-contacts/pgp_search: 

According to the description given by the show info command, the module "searches the MIT public PGP key server for email addresses of the given domain. Updates the 'contacts' table with the results".

By using it, I was able to retrieve several contacts.


2) recon/domains-hosts/bing_domain_web

According to the description given by the show info command, the module "harvests hosts from Bing.com by using the 'site' search operator. Updates the 'hosts' table with the results". I found eight new hosts.


Create and export a report

In order to export the results of our research, we can look for reporting modules in the recon-ng command line. The tool allows you to choose among several formats and writes a report file to your local system.
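As an added example (not code from this post or from recon-ng itself), here is a short Python script that reads the 'contacts' and 'hosts' tables the two modules above populate and compares the hosts against an inventory of assets you already know about, which is how a defender turns this reconnaissance into a finding about unknown exposure. It assumes the column names noted in the comments (check them against your own workspace, typically ~/.recon-ng/workspaces/<name>/data.db, with .schema) and uses a constructed in-memory database in place of the real file.

```python
# Added example, not from the post or from recon-ng. Column names below are an
# assumption about recon-ng's workspace schema (a subset of the real tables).
import sqlite3

# Constructed sample rows standing in for a real recon-ng workspace.
SAMPLE_HOSTS = [
    ("www.example.edu", "203.0.113.10", "recon/domains-hosts/bing_domain_web"),
    ("mail.example.edu", "203.0.113.25", "recon/domains-hosts/bing_domain_web"),
    ("old-test.example.edu", None, "recon/domains-hosts/bing_domain_web"),
]
SAMPLE_CONTACTS = [
    ("alice@example.edu", "recon/domains-contacts/pgp_search"),
    ("bob@example.edu", "recon/domains-contacts/pgp_search"),
    ("alice@example.edu", "recon/domains-contacts/pgp_search"),  # duplicate hit
]


def build_sample_workspace():
    """Create an in-memory database shaped like a recon-ng workspace (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT)")
    conn.execute("CREATE TABLE contacts (email TEXT, module TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?)", SAMPLE_HOSTS)
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", SAMPLE_CONTACTS)
    return conn


def unknown_hosts(conn, inventory):
    """Hosts the modules found that are absent from your asset inventory.

    Anything returned here is publicly discoverable but not tracked by you,
    e.g. a forgotten test system, and deserves a closer look.
    """
    found = {row[0].lower() for row in conn.execute("SELECT host FROM hosts") if row[0]}
    return sorted(found - {h.lower() for h in inventory})


def exposed_contacts(conn):
    """Distinct e-mail addresses discovered, with the module that surfaced each one."""
    rows = conn.execute("SELECT DISTINCT email, module FROM contacts WHERE email IS NOT NULL")
    return sorted(rows)


if __name__ == "__main__":
    db = build_sample_workspace()
    print("hosts not in inventory:", unknown_hosts(db, ["www.example.edu", "mail.example.edu"]))
    print("exposed contacts:", exposed_contacts(db))
```

To run it against a real workspace, replace build_sample_workspace() with sqlite3.connect() on your data.db path and feed unknown_hosts() the host list from your inventory.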


B) The Harvester

According to its official description, theharvester (now theHarvester) is a "tool for gathering e-mail accounts and subdomain names from public sources", already included with Kali Linux but also available here.

It's a simple command line tool but very powerful, as it can search through a bunch of different search engines and public sources.

In the example below, I performed a search with a maximum of 500 results over my school's domain (starkstate.edu).


Wrap-up

Open source intelligence can be taken to the next level by using advanced tools that provide automation and enhanced search.

I barely scratched the surface with this post, but there's a lot more to it out there.

Another tool worth mentioning is Lee Baird's Discover scripts kit, available here.


Stick around for more posts and feel free to leave a comment for feedback or for proposing additional topics.

Thank you for your support!
