09/05/2018 COPYRIGHT: NET SQUARE SOLUTIONS PVT. LTD.
OSINT: Open Source Intelligence
By Rohan Braganza, Pradnya Karad and Zubair Khan
Overview
- Introduction
- What is OSINT
- What can be gained from OSINT
- How are OSINT activities carried out
- What you need to know before starting out
- Introduction to IP addressing and networking
- DNS and whois
- Some tools we will look at:
  - Kali Linux
  - OSINT Framework
  - theHarvester
  - Fierce
  - dnsenum
  - Censys
  - Shodan
  - BuiltWith
  - Maltego
  - Vortimo
The Internet today

Well known services on the Internet
Knowledge is power
So much information is out there for the taking:
• About people (names, contact info, addresses, etc.)
• About companies
• About computers (the list is endless)
• About networks
• About mobile phones (phone numbers, device information…)
• And many more
What is OSINT
§ The term OSINT stands for Open Source Intelligence.
§ It originated from within the US military agencies in the late 1980s.
§ OSINT is all intelligence that is gathered from publicly available sources such as the Internet, but it is not limited to digital sources: print media, public records and broadcasts count too.
§ It is intelligence that can be gathered without privileged access, usually for free.
§ Everyday examples of OSINT include:
- Asking questions on a search engine
- Researching on public forums how to fix your computer
- Using YouTube to look up recipes
What you can learn
- Collect employee full names, job roles and the software they use.
- Review and monitor search engine results from Google (especially using Google dorks), Bing, Yahoo and others.
- Monitor personal and corporate blogs, and review user activity on digital forums.
- Identify all social networks used by the target user or company.
- Review content available on social media such as Facebook, Twitter, Google Plus or LinkedIn.
- Use people-search tools such as Pipl, which aggregate a lot of information about a person in one place.
- Access Google's cached copies of pages, which often reveal information that has since been removed.
- Explore old versions of websites using the Wayback Machine (web.archive.org, run by the Internet Archive) to recover information that has since been taken down.
- Identify mobile phone numbers and email addresses from social networks or Google results.
- Search for photos and videos on common photo-sharing sites.
- Use Google Maps and other open satellite imagery sources to retrieve images of a user's geographic location.
- Use tools such as GeoCreepy to pull geolocation information from a user's public posts and geotagged photos and build a clear picture of their locations.
Questions to ask yourself before you begin
• What are you looking for?
• What is your main research goal?
• What or who is your target?
• How are you going to conduct your research?
IP addressing, DNS and WhoIs.

Introduction to…

Kali Linux
• Kali is a Debian-based Linux distribution that is designed for digital forensics and penetration testing.
• It is maintained and funded by Offensive Security.
• The benefit is that the tools come installed and configured, so you can start testing without building a toolchain yourself.
• It contains over 600 preinstalled penetration testing programs.
OSINT Framework
• OSINT Framework is a collection of OSINT tools and sources, organised to simplify intel and data collection tasks.
• It is mostly used by security researchers and penetration testers for digital footprinting, OSINT research, intelligence gathering and reconnaissance.
• It provides a simple web-based interface that allows you to browse different OSINT tools filtered by category.
• It also provides a useful classification of intel sources, making it a good resource for spotting which areas you are neglecting to explore, or what the next suggested OSINT steps for your investigation might be.
• OSINT Framework is classified by topic and goal. This can be seen easily by looking at the OSINT tree available through the web interface.
Gathering Email Addresses: theHarvester
[Tool banner: theHarvester 3.1.0, coded by Christian Martorella, Edge-Security Research, cmartorella@edge-security.com]
• theHarvester is a program designed to retrieve information such as email addresses, subdomains, hosts, employee names, open ports and banners from public sources such as search engines and the Shodan database.
• It is intended to help penetration testers during the early stages of a test to understand the customer's footprint on the Internet.
• It is also helpful to anyone who wants to know what an attacker can see about their organization.
• In its default mode theHarvester queries third-party sources rather than the target itself; its optional DNS brute-force and reverse-lookup features do send queries that the target's name servers can log, so decide up front whether the engagement allows active steps.
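What you actually do with a pile of harvested addresses is the part the slide leaves out: dedupe them, throw away the ones at other domains, and use the ones that match known employee names to infer the company's naming convention, so that employees found on LinkedIn but not in any search result get a predicted address. The example below is added here to show that step; it is not theHarvester's code and the domain, the "search result" snippets and the employee names are all constructed for the demo.

```python
import re
from collections import Counter

TARGET_DOMAIN = "example.com"  # assumed, fictional target domain

# Constructed "search result" snippets standing in for the pages theHarvester
# would pull from search engines. None of these addresses are real.
SAMPLE_PAGES = [
    "Contact our sales lead Alice Smith at alice.smith@example.com for quotes.",
    "Bob Jones (bob.jones@example.com) presented at the 2018 meetup.",
    "Press: press@example.com | Careers: jobs@example.com",
    "Forum post by cdavis: mail me at carol.davis@example.com or carol@gmail.com",
    "mailto:Dave.Wilson@Example.com",
]

# Names gathered separately (LinkedIn, press releases, ...). Also constructed.
KNOWN_PEOPLE = [("Alice", "Smith"), ("Bob", "Jones"), ("Erin", "Brown")]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Candidate corporate naming conventions, keyed by a label.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first": lambda f, l: f,
}


def harvest_emails(pages, domain=TARGET_DOMAIN):
    """Return the unique, lower-cased addresses at `domain` found in `pages`.

    Addresses at other domains (personal webmail, partners) are dropped so
    that the pattern inference below is not skewed by them.
    """
    found = set()
    for page in pages:
        for addr in EMAIL_RE.findall(page):
            addr = addr.lower()
            if addr.endswith("@" + domain):
                found.add(addr)
    return sorted(found)


def infer_pattern(emails, people):
    """Vote for the convention whose output matches the most harvested
    local-parts of known employees. Returns the label, or None when nothing
    matched (e.g. only role accounts such as press@ were harvested)."""
    local_parts = {e.split("@", 1)[0] for e in emails}
    votes = Counter()
    for first, last in people:
        f, l = first.lower(), last.lower()
        for label, fn in PATTERNS.items():
            if fn(f, l) in local_parts:
                votes[label] += 1
    if not votes:
        return None
    return votes.most_common(1)[0][0]


def predict_emails(label, people, domain=TARGET_DOMAIN):
    """Apply an inferred convention to a list of (first, last) names."""
    fn = PATTERNS[label]
    return [f"{fn(first.lower(), last.lower())}@{domain}" for first, last in people]


def run_demo():
    emails = harvest_emails(SAMPLE_PAGES)
    label = infer_pattern(emails, KNOWN_PEOPLE)
    predicted = predict_emails(label, KNOWN_PEOPLE) if label else []
    # Only predictions that were not harvested are new (unverified) leads.
    new_leads = [e for e in predicted if e not in emails]
    return emails, label, new_leads


if __name__ == "__main__":
    emails, label, leads = run_demo()
    print("harvested:", emails)
    print("naming convention:", label)
    print("predicted, unverified:", leads)
```

Predicted addresses are guesses until verified (for instance through a bounce-free SMTP RCPT check, which is an active step), and role accounts such as press@ never vote for a pattern, which is why the inference returns None when only those were found.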
Fierce
• Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames belonging to a specified domain.
• It is meant specifically to locate likely targets both inside and outside a corporate network.
• Because it works primarily through DNS (zone-transfer attempts followed by wordlist brute forcing of hostnames), you will often find misconfigured networks that leak internal address space. That is especially useful in targeted attacks.
• Unlike search-engine based tools, Fierce sends its queries to the target's own name servers, so it is active reconnaissance and will show up in their logs.
Getting DNS information: dnsenum
• dnsenum is a multithreaded Perl script to enumerate the DNS information of a domain (address, name server and MX records, zone-transfer attempts, subdomain brute forcing, reverse lookups and whois on the netranges it finds) and to discover non-contiguous IP blocks.
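Both Fierce and dnsenum end with a list of hostnames and the addresses they resolve to; the two findings a tester wants out of that list are which distinct public blocks the organisation uses (the "non-contiguous IP space" both tools mention, each block being a candidate for a reverse-lookup sweep and a whois query) and which names point into RFC 1918 or other internal space, the "leaked internal address space" Fierce warns about. The example below is added here to show that post-processing; it is not code from either tool, and the hostname-to-address map is constructed, with the public addresses drawn from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed hostname -> address map standing in for the output of a Fierce
# or dnsenum run against a fictional domain. Nothing here is a real host.
RESOLVED = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "vpn.example.com": "198.51.100.7",
    "api.example.com": "198.51.100.9",
    "cdn.example.com": "192.0.2.77",
    "intranet.example.com": "10.20.30.40",  # RFC 1918 leaked into public DNS
    "build.example.com": "192.168.1.15",    # RFC 1918 leaked into public DNS
    "dev.example.com": "fd00:1234::5",      # IPv6 ULA, the v6 equivalent
}

# Address space that should never appear in answers from a public name server.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "::1/128",                             # IPv6 ULA, loopback
)]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    # `in` is False across IP versions, so one mixed list serves v4 and v6.
    return any(ip in net for net in INTERNAL_NETS)


def internal_leaks(resolved):
    """Hostnames whose public DNS answer points into internal address space."""
    return sorted(h for h, a in resolved.items() if is_internal(a))


def group_by_block(resolved):
    """Group hosts by the /24 (IPv4) or /64 (IPv6) block their address is in.
    Keys are network strings so the result is easy to print and compare."""
    blocks = defaultdict(list)
    for host, addr in resolved.items():
        ip = ipaddress.ip_address(addr)
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[str(net)].append(host)
    return dict(blocks)


def public_blocks(resolved):
    """Distinct externally routable blocks in use: the non-contiguous IP space
    to sweep with reverse lookups and look up in whois."""
    public = {h: a for h, a in resolved.items() if not is_internal(a)}
    return sorted(group_by_block(public))


def report(resolved):
    return {
        "blocks": group_by_block(resolved),
        "public_blocks": public_blocks(resolved),
        "internal_leaks": internal_leaks(resolved),
    }


if __name__ == "__main__":
    r = report(RESOLVED)
    for net, hosts in r["blocks"].items():
        print(f"{net:20} {', '.join(hosts)}")
    print("public blocks to sweep:", r["public_blocks"])
    print("internal addresses leaked via public DNS:", r["internal_leaks"])
```

The /24 grouping is a heuristic; the real allocation boundaries come from the whois netrange, which is why dnsenum queries whois for each block it finds. Note that Python's `is_private` flag also covers the documentation ranges used here, which is why the example checks an explicit list of internal networks instead.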
Censys
• Censys is a search engine that allows researchers to quickly get answers to questions about the hosts that make up the Internet.
• Censys was created by a team of academic security researchers, the same group behind the ZMap scanner.
• The goal of the project is to be able to measure whether Internet security is improving.
• The project aims to track every reachable host on the Internet and collect as much information as possible about each host, by regularly scanning the address space and recording the services, banners and certificates it finds. Because Censys does the scanning, querying it is passive from the target's point of view.
Shodan
• Shodan is the world's first search engine for Internet-connected devices.
• Shodan can be used to discover
What is BuiltWith
• BuiltWith is a database that provides a way to detect the technologies a site is built on.
• It includes detailed information about CMSs such as WordPress, Joomla and Drupal, JavaScript and CSS libraries such as jQuery, Bootstrap/Foundation and external fonts, server types such as Nginx, Apache and IIS, the SSL certificate provider, and the web hosting provider used.
• From a security perspective the technology list tells you which product versions and known vulnerabilities to check next, so it is a natural hand-off point from reconnaissance to vulnerability research. Version strings in headers can be stripped or faked, so treat them as hints to confirm, not facts.
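BuiltWith's database is built from exactly the signals a tester can read in one HTTP response: the Server and X-Powered-By headers, cookie names, generator meta tags, and the paths and file names of included scripts and stylesheets. The example below is added here to show that fingerprinting logic on a constructed response; it is not BuiltWith's code or signature set, and the headers, HTML and version numbers are made up.

```python
import re

# Constructed HTTP response headers and HTML body standing in for a page
# fetched from a fictional site. Versions and paths are made up.
SAMPLE_HEADERS = {
    "Server": "nginx/1.14.0",
    "X-Powered-By": "PHP/7.2.10",
    "Set-Cookie": "PHPSESSID=abc123; path=/; HttpOnly",
}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 4.9.8" />
<link rel="stylesheet" href="/wp-content/themes/twentyseventeen/style.css">
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script src="/wp-includes/js/wp-embed.min.js"></script>
<link rel="stylesheet" href="/assets/bootstrap.min.css">
</head><body></body></html>"""

# Detection rules: (category, product, where to look, regex). A capture
# group, when present, yields the version. This is a hand-written subset of
# the kind of signatures a BuiltWith-style database holds.
RULES = [
    ("server", "nginx", "header:Server", r"\bnginx(?:/([\d.]+))?"),
    ("server", "Apache", "header:Server", r"\bApache(?:/([\d.]+))?"),
    ("server", "IIS", "header:Server", r"Microsoft-IIS(?:/([\d.]+))?"),
    ("language", "PHP", "header:X-Powered-By", r"\bPHP(?:/([\d.]+))?"),
    ("language", "PHP", "header:Set-Cookie", r"\bPHPSESSID="),
    ("cms", "WordPress", "body", r'<meta name="generator" content="WordPress ?([\d.]*)"'),
    ("cms", "WordPress", "body", r"/wp-(?:content|includes)/"),
    ("cms", "Joomla", "body", r'<meta name="generator" content="Joomla!'),
    ("cms", "Drupal", "body", r'<meta name="generator" content="Drupal ?([\d.]*)"'),
    ("js", "jQuery", "body", r"jquery-([\d.]+)\.min\.js"),
    ("css", "Bootstrap", "body", r"bootstrap(?:\.min)?\.css"),
]


def fingerprint(headers, body):
    """Return {(category, product): version-or-None} for every rule that hits."""
    found = {}
    for category, product, where, pattern in RULES:
        if where == "body":
            haystack = body
        else:
            haystack = headers.get(where.split(":", 1)[1], "")
        m = re.search(pattern, haystack, re.IGNORECASE)
        if not m:
            continue
        version = m.group(1) if m.groups() and m.group(1) else None
        key = (category, product)
        # Several rules may hit one product; keep a version if any rule found one.
        if key not in found or (found[key] is None and version):
            found[key] = version
    return found


def summarize(found):
    """Flat, sorted report lines; versions are hints, not proof."""
    lines = []
    for (category, product), version in sorted(found.items()):
        lines.append(f"{category}: {product}" + (f" {version}" if version else ""))
    return lines


if __name__ == "__main__":
    for line in summarize(fingerprint(SAMPLE_HEADERS, SAMPLE_BODY)):
        print(line)
```

A hardened server that sends a bare `Server: Apache` still gets identified as Apache, just without a version, which is why each rule makes the version group optional. Fetching the page yourself is one request to the target; using BuiltWith's stored data instead keeps the step passive.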
Maltego
• Maltego is a link-analysis tool used to map the footprint of a target by collecting related entities and drawing the relationships between them as a graph.
• Maltego allows you to launch reconnaissance queries against specific targets.
• One of the best features of the product is transforms: small pieces of code that take one entity (say, a domain) and query an external data source to return related entities (its name servers, MX records, registrant email and so on). Transforms are what integrate Maltego with external applications and services.
• Finally, Maltego shows you the results for specific targets, such as IP addresses, domains, AS numbers and much more, on the graph.
Vortimo
• Vortimo is software that records information on the web pages you visit.
• It records pages as you browse, extracts data (such as email addresses and names) from them and enriches the extracted data.
• It allows you to tag objects of interest, and it decorates objects that it deems important.
• The data is then arranged in a UI for easy review.
