Leveraging OSINT in Penetration Testing


   By: Ashish Mistry
#whoami
●   Ashish Mistry
●   Individual infosec researcher & trainer
●   www.Hcon.in
●   HconSTF open source security framework
●   Hcon Library initiative
●   Contact :
        –   Fb : Root.hcon
        –   Tw : @hconmedia
OSINT – Open Source INTelligence

●   It is NOT related to open source software
●   It is NOT related to open source licenses
●   It is NOT related to artificial intelligence
What is OSINT?
Wikipedia :
“Open-source intelligence (OSINT) is a
form of intelligence collection management
that involves finding, selecting, and
acquiring information from publicly
available sources and analyzing it to
produce actionable intelligence”
What is OSINT?
Publicly available information
    ↓
Select / collect and store it
    ↓
Analyse, relate and filter it
    ↓
More target-specific information
    ↓
ATTACKS
Why does OSINT work?
Humans are social beings;
we love to share information.
We share information that we are
     not supposed to share.
Sometimes it is necessary to give out
      that much information.
So what is the problem?
The internet
Why OSINT for pentesting?
Some things to consider
●   Passive (most of it)
●   Legally provides a much larger and wider
    view of the target company / person
●   Uncovers more attack surface
●   Narrows down many attack vectors
●   Helps when you don't have 0days
●   A more specific social engineering attack
    vector can be crafted
●   Helps in other steps in a pentest
Leveraging OSINT
●   Reconnaissance
●   Vulnerability analysis
●   Privilege escalation
●   Social engineering / profiling people
Reconnaissance
●   We can obtain information such as
       –   OS
       –   IP
       –   Software / Versions
       –   Geo location
From:
●   Metadata:
        –   FOCA, metagoofil, Maltego, exiftool
●   Online sites:
        –   Shodanhq, Serversniff, netcraft, centralops
●   DNS / whois info
●   FF extensions:
        –   wappalyzer
        –   Passive recon
Vulnerability analysis
●   Path disclosure
●   Footholds
●   Web Server Detection
●   Vulnerable Files
●   Vulnerable Servers
●   Error Messages
●   Network or vulnerability data
●   Various Online Devices
●   Advisories and Vulnerabilities
●   XSS / LFI / RFI
From:
●   Dorks: sitedigger, search diggity, seat
        –   GHDB
        –   BHDB
        –   FSHDB
        –   Web = sqli / Lfi / Rfi / Wordpress
●   FF extension:
        –   Meta generator version check
●   Metadata
●   http://www.1337day.com/webapps
Privilege escalation
We can obtain potential
●   User names
●   Passwords
●   Login panels
for more useful and accurate wordlist
generation.
From?
●   Metadata:
        –   FOCA, metagoofil, Maltego
●   Emails:
        –   theharvester, esearchy
●   Public profiling information
        –   Social media
                ●   Phone numbers
                ●   Family member names
                ●   Birth dates
From (cont.)
●   Dorks:
        –   Files containing usernames
        –   Files containing passwords
        –   Files containing juicy info
        –   Pages containing login portals
●   Wordlist generation:
        –   wyd, cupp, crunch
Social engineering / profiling people
●   All kinds of personal and professional info
        –   Names, DOB
        –   Residence address
        –   Phone no.
        –   Emails
        –   Close associates / friends
        –   Interests / hobbies
        –   Pictures
From?
●   People lookup databases
●   Social networks
●   Local yellow pages
●   MTNL / BSNL telephone directories
●   Public mobile info services
What can we get from OSINT?
●   Email addresses
●   Phone numbers
●   User names / passwords
●   OS info
●   IP info
●   Software / versions
●   Geo location
●   Personal details
●   Vulnerabilities
Tools
●   FOCA, metagoofil, exiftool, wyd
●   theharvester, esearchy
●   FF extensions
        –   Passive recon, meta generator,
             wappalyzer, exiftool
●   Sitedigger, seat, search diggity
●   Creepy, fbpwn
●   Maltego, netglub
Online resources
●   Netcraft, centralops, shodanhq, serversniff
●   GHDB
●   FOCA online, regex.info/exif.cgi
●   http://tineye.com , http://picfog.com
●   https://twitpic.com/search , http://www.pixsy.com/
●   Flickr Photo Search
    http://www.flickr.com/search/?s=rec&w=all&q=company name&m=text
Online resources cont...
●   Document search:
        –   Docstoc http://www.docstoc.com/
        –   Scribd http://www.scribd.com/
        –   SlideShare http://www.slideshare.net/
        –   PDF Search Engine http://www.pdf-search-engine.com/
        –   Toodoc http://www.toodoc.com/
        –   Google filetype: operator
Online resources cont...
●   Check Usernames:
        –   http://www.checkusernames.com/
        –   http://knowem.com/ , www.namechk.com
        –   http://webmii.com/
●   People search
        –   123people
        –   Pipl
        –   openbook
Online resources cont...
●   Geo location
       –   Infosnipper
       –   http://twittermap.appspot.com
       –   http://www.geobytes.com/iplocator.htm
Prevention / countermeasures
●   Policies for social networks
        –   HR, PR, marketing
●   Sanitize documents
        –   Remove metadata
                ●   Metadata Anonymisation Toolkit (MAT)
                ●   OOMetaExtractor, Doc Scrubber
                ●   exiftool
                ●   OpenDLP, MyDLP
●   Websites
        –   Block tool user agents (UA), disable directory listing, use custom error messages
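As an added example (not from the slides), the following Python script shows what the "remove metadata" countermeasure has to catch: it inspects the document properties the reconnaissance and privilege-escalation slides rely on (author, last-modified-by, company, generating application and its version) inside a .docx and writes a sanitized copy, using only the standard library. It handles .docx only; the sample document and all values in it are constructed.

```python
import io
import re
import zipfile

# Fields that leak user names, company and software versions; a .docx stores
# them in two XML parts inside its zip container.
SENSITIVE = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy"],
    "docProps/app.xml": ["Application", "AppVersion", "Company"],
}

def extract_metadata(docx_bytes: bytes) -> dict:
    """Return {field: value} for every non-empty sensitive field found."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part, tags in SENSITIVE.items():
            if part not in zf.namelist():
                continue
            xml = zf.read(part).decode("utf-8")
            for tag in tags:  # element may carry attributes, hence [^>]*
                m = re.search(rf"<{tag}[^>]*>([^<]*)</{tag}>", xml)
                if m and m.group(1):
                    found[tag] = m.group(1)
    return found

def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Return a copy of the document with every sensitive field emptied."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            for tag in SENSITIVE.get(name, []):
                data = re.sub(rf"<{tag}[^>]*>[^<]*</{tag}>".encode(),
                              f"<{tag}></{tag}>".encode(), data)
            dst.writestr(name, data)  # all other parts are copied untouched
    return out.getvalue()

def build_sample_docx() -> bytes:
    """Constructed minimal .docx-style archive with leaky properties."""
    core = ("<cp:coreProperties><dc:creator>jsmith</dc:creator>"
            "<cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy></cp:coreProperties>")
    app = ("<Properties><Application>Microsoft Office Word</Application>"
           "<AppVersion>14.0000</AppVersion><Company>Example Corp</Company></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

Running `extract_metadata` on a real document before and after `scrub_metadata` shows exactly the fields a tool like FOCA or metagoofil would otherwise harvest from files published on the company website.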
Thank you

Questions?
