2. WHAT IS OSINT?
• Publicly available (valuable) information that is gathered through open source tools
• This information can be used for targeted attacks
3. END GOAL OF OSINT PHASE
• Collected information on usernames, passwords, emails, and subdomains
• Passive reconnaissance – target/victim should never see it coming
• Enough to move on to get an initial foothold for a targeted attack
4. SHODAN
• Searches for publicly connected devices
• Routers, servers, firewalls, SCADA
• Can be searched by IP
• Finds open ports
• Includes hostname, OS, geo-location
5. SHODAN FOR TARGETED ATTACKS
• A simple query will show everything seen by Shodan in the US
• Can identify their external infrastructure without ever sending a packet
• Use MS17-010 (EternalBlue) to exploit SMB on port 445
7. MALTEGO (DEVELOPED BY PATERVA)
• Used for OSINT/digital forensics
• Paid/licensed tool, but free community edition on Kali Linux
• Focuses on data discovery, visualization, link analysis, and data mining
• Also…really good for stalking people!
• (Disclaimer: Don’t do it though. Please. You didn’t hear it from me.)
9. PIPL
• “The world’s largest people search engine”
• Can be used to find emails, usernames, phone numbers, addresses, etc.
• Simplifies the whole process of googling a person
10. PIPL DEMO
• Let’s try to find out some “pipl’s” email addresses, phone numbers, usernames
11. GOOGLE DORKING
• Technique that uses Google Search filters to find specific information
• Filters reveal security holes: publicly facing domains that contain sensitive information
13. GOOGLE DORKING DEMO
• Let’s get hands on… (P.S. Sorry for all the “dork”y puns!)
• https://www.exploit-db.com/google-hacking-database/
• inurl:”/adfs/ls/” intitle:”Sign In”
• inurl:pastebin.com AND intext:@gmail.com AND intext:password
14. DATA DUMPS
• With Google Dorking, you can find lots of password dumps
• There are multiple other sources for data dumps at an attacker’s disposal:
  • Live dumps - https://twitter.com/dumpmon?lang=en
  • Pastebin dumps - https://psbdmp.ws/dumps
  • Data breach search engine - https://weleakinfo.com/
  • (Disclaimer: ONLY USE THIS FOR RESEARCH!)
• Passwords are hard to remember
• Many people use the same password for multiple accounts
15. LINKEDIN
• Not just a professional networking website
• We can utilize LinkedIn to research individuals, and specifically those who work at a specific company
• Can be used further for spear phishing attacks
16. EMAIL GATHERING
• Let’s say you found a target on LinkedIn
• We need to figure out the naming convention/structure of email addresses at the targeted company
• https://hunter.io/
17. WHAT’S NEXT?
• During our OSINT phase, we were able to gather information about users, passwords, emails, and subdomains without ever directly touching their network
• Now, we can move on to Active Reconnaissance
• Active Reconnaissance – subdomain/directory bruteforcing, nmap scans
• OR we can move on to the actual targeted attack – without ever making any “noise” on their network beforehand
18. TARGETED ATTACKS
• Spear phishing
  • Typosquatting a similar domain (Microsoft.com -> Mircosoft.com)
  • Social Engineering Toolkit
  • Credential harvesting
• Password spraying
  • Trying one password on multiple emails
  • Example: Fall2018!
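The password-spraying bullets above, seen from the defender’s side: an added example (not from the talk) that flags the spray shape, one source failing against many distinct accounts a time or two each, in constructed auth log lines, and keeps it apart from a plain brute force against a single account. The log format, hostnames and addresses are all made up for the example.

```python
"""Detect password spraying in auth logs: ONE password tried against MANY
accounts, so one source fails against many distinct users, once or twice
each, in a short window.  Brute force is the mirror image (one account,
many failures).  Log format and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(lines):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"].lower(), m["src"]

def detect_spray(lines, min_accounts=5, max_per_account=2,
                 window=timedelta(minutes=30)):
    """Return {src: sorted users} for each source that failed against at
    least min_accounts distinct accounts inside one window, with no more
    than max_per_account failures per account (the low-and-slow shape)."""
    fails = defaultdict(list)  # src -> [(ts, user), ...]
    for ts, result, user, src in parse(lines):
        if result == "FAIL":
            fails[src].append((ts, user))
    hits = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                hits[src] = sorted(per_user)
                break
    return hits

SAMPLE_LOG = ["2018-10-03T09:00:00Z auth OK user=carol@example.com src=192.0.2.10"] + [
    f"2018-10-03T09:0{i}:00Z auth FAIL user={u}@example.com src=203.0.113.5"  # spray
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [f"2018-10-03T09:1{i}:00Z auth FAIL user=alice@example.com src=198.51.100.7"  # brute force
    for i in range(10)]
```

Tune `min_accounts`, `max_per_account` and `window` to the tenant’s lockout policy; a spray sized to stay under the lockout threshold is exactly what the per-account cap is meant to catch.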
19. PUTTING IT ALL TOGETHER – TARGETING A PERSON
• Let’s hypothetically target Angelo Alviar
20. PUTTING IT ALL TOGETHER – TARGETING A COMPANY
• Let’s hypothetically target example.com