Open Source Intelligence (OSINT)- Testcases for Pentesters

Security Consultant at NotSoSecure
Jun. 23, 2016


  1. OSINT Testcases for Pentesters @upgoingstar | shubham@shubhammittal.net
  2. Who Am I? • Shubham Mittal • 4+ years of experience ~ Offensive & Defensive roles. • InfoSec Consultant. Trainer @ Nullcon. • Interests in PT, OSINT, Infrastructure Security. • Projects: Datasploit • Biker, Beat Boxer, Blogger. @upgoingstar | shubhammittal.net | shubham@shubhammittal.net
  3. The Internet gives you RAW data. Harvest it. OSINT – Open Source Intelligence: intelligence derived from publicly available information.
  4. WHOIS Records – First things first.
     • Reveals the registrant / admin / technical contact email addresses.
     • Reveals the contact person's name, organization, phone number and address.
     • Some other basic information: registrar, creation / expiry dates, name servers.
  5. DNS Records
     • CNAME records – reveal subdomains and the third-party services they point at.
     • MX records – identify the mail servers so they can be tested for mail-related attacks.
     • A records – IP addresses.
  6. Domain History
     • Abc.com uses Cloudflare / Incapsula / Sucuri.
     • All traffic is routed through the provider's edge, so the origin server is hidden.
     • Domain history (passive DNS) reveals the IP addresses the domain resolved to before it moved behind the CDN / WAF.
     • If one of those IPs still hosts the website, requesting it directly (with the Host header set to the domain) bypasses all the provider's rate limiting, firewall rules, etc.
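Worked example for slides 5–6, added here and not part of the original deck or of Datasploit: given the IP history of a domain, drop the addresses that belong to known CDN/WAF edge ranges, keep the rest as candidate origins, and compare a request made directly to a candidate (Host header set to the real domain) with the CDN-fronted response. The edge ranges, the sample history and the hostnames are constructed for the example; a real run would pull current ranges from each provider.

```python
import hashlib
import http.client
import ipaddress

# Constructed, partial list of CDN/WAF edge ranges (assumption: real lists are
# published by each provider and are far longer; refresh them before use).
EDGE_RANGES = {
    "cloudflare": ["103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13"],
    "incapsula": ["199.83.128.0/21", "45.64.64.0/22"],
}


def classify_ip(ip):
    """Name of the edge provider an IP belongs to, or None if it is not a known edge."""
    addr = ipaddress.ip_address(ip)
    for provider, ranges in EDGE_RANGES.items():
        if any(addr in ipaddress.ip_network(net) for net in ranges):
            return provider
    return None


def candidate_origins(history):
    """history: iterable of (date 'YYYY-MM-DD', ip) pairs from a domain-history /
    passive-DNS source. Returns the non-edge IPs, most recent first, de-duplicated.
    Those are the hosts that may still serve the site without the WAF in front."""
    out, seen = [], set()
    for _date, ip in sorted(history, reverse=True):
        if ip in seen or classify_ip(ip) is not None:
            continue
        seen.add(ip)
        out.append(ip)
    return out


def fingerprint(status, body):
    """Compare responses by status plus a body hash rather than by eye."""
    return status, hashlib.sha256(body).hexdigest()


def fetch(host, connect_to=None, path="/", timeout=5):
    """Plain-HTTP GET of http://host/path, optionally opening the TCP connection to
    `connect_to` (a suspected origin IP) while keeping the Host header set to the
    real domain. Network call: not exercised by the offline test."""
    conn = http.client.HTTPConnection(connect_to or host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "osint-origin-check"})
        resp = conn.getresponse()
        return fingerprint(resp.status, resp.read())
    finally:
        conn.close()


def confirm_origin(host, ip):
    """True when the suspected origin answers exactly like the CDN-fronted site."""
    return fetch(host) == fetch(host, connect_to=ip)


# Constructed sample history for an imaginary domain (documentation addresses).
SAMPLE_HISTORY = [
    ("2016-01-01", "104.16.1.1"),    # moved behind Cloudflare
    ("2015-06-01", "203.0.113.10"),  # previous hosting
    ("2014-01-01", "203.0.113.10"),
    ("2013-01-01", "198.51.100.7"),  # even older hosting
]
```

For HTTPS the same check is `curl --resolve example.com:443:203.0.113.10 https://example.com/`, which pins the TCP connection to the candidate origin while keeping SNI and the Host header correct.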
  7. Wappalyzer
     • Profiles the technologies a website is using (server, frameworks, CMS, JavaScript libraries, versions where exposed).
     • Known vulnerabilities for those technologies / versions can then be listed via CVEDetails.com.
     • Have fun. ;)
     • BuiltWith is also a good option, though automating Wappalyzer is easier.
     • Both are available as Firefox add-ons as well.
  8. PunkSpider, OpenVuln, SSL Labs, etc.
     • Pass the domain and check for vulnerabilities already found by scanners / other researchers.
     • SSL Labs tests the whole SSL / TLS configuration (protocols, ciphers, certificate issues).
     • You get niche testing done without any traffic originating from your own IP.
  9. Search Engines
     • Shodan | Censys | ZoomEye – computer search engines
     • NerdyData | Gitrob | MeanPath – code search engines (Gitrob scans an organization's public GitHub repositories for sensitive files)
     • Pipl | Yasni – people search engines
     • TrueCaller – phone number search engine
     • Google | Yandex | Bing – general search engines
     • DuckDuckGo – aggregates results from multiple search engines
     • WolframAlpha – computational search engine
  10. Using them
     • Computer search engines – locate exposed admin portals / legacy dashboards and open services.
     • Code search engines – look for vulnerable code and hard-coded secrets. Juicy targets. Wow.
     • People search engines – profile a specific user.
     • TrueCaller / ThatsThem – phone number lookup.
  11. Enumerate Subdomains
     • Trickiest part.
     • Knock.py-type scripts are available for brute-forcing subdomains.
     • Too much noise, not that effective; you can't brute-force longer subdomain names.
     • Pull them from passive sources as well: WolframAlpha (advanced data), DNSDumpster, Netcraft.
     • Automate! Hit it!
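Added example for slide 11 (not from the original deck or Datasploit): the passive sources each return hostnames in a different layout, so the useful helper is one that pulls every hostname out of raw tool output, normalizes it and keeps only names that are really under the target domain. The scope check is done at a label boundary, because a plain substring test would happily accept `example.com.evil.net`. The sample outputs below are constructed; `example.com` stands in for the target.

```python
import re

# Hostname grammar: optional leading wildcard, then dot-separated labels and a TLD.
HOST_RE = re.compile(r"(?i)(?:\*\.)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def in_scope(hostname, root):
    """True only when hostname equals root or sits under it at a label boundary,
    so 'example.com.evil.net' and 'notexample.com' are rejected."""
    h = hostname.lower().rstrip(".")
    r = root.lower().rstrip(".")
    return h == r or h.endswith("." + r)


def harvest_subdomains(raw_outputs, root):
    """Pull every in-scope hostname out of arbitrary tool output (certificate SANs,
    DNS dumps, search results, ...), normalized and de-duplicated."""
    found = set()
    for text in raw_outputs:
        for m in HOST_RE.finditer(text):
            host = m.group(0).lower()
            if host.startswith("*."):
                host = host[2:]  # a wildcard cert proves nothing about a real name
            if in_scope(host, root) and host != root.lower():
                found.add(host)
    return sorted(found)


# Constructed sample outputs from several sources for the imaginary target example.com.
SAMPLE_OUTPUTS = [
    "X509v3 Subject Alternative Name: DNS:*.example.com, DNS:mail.example.com",
    "ftp.example.com.\t3600\tIN\tA\t203.0.113.5",
    "https://dev.example.com.evil.net/login  https://DEV.example.com/  https://notexample.com/",
    "see knock.py for brute forcing",
]
```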
  12. Extract files, extract metadata from them.
     • Filetype search via Google / Yandex / Bing / etc. (e.g. site:example.com filetype:pdf).
     • Spider the site.
     • Download all documents, e.g. PDF, DOC, XLS, SWF, etc.
     • Extract metadata: run ExifTool – application name and version, author / username, creation dates, internal paths.
  13. Enumerate associated email addresses.
     • Email Hunter (now hunter.io) – also shows the organization's address pattern, e.g. first.last@.
     • SimplyEmail
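Two added examples, neither from the original deck or from Datasploit.

First, for slide 12: the metadata ExifTool reports for a PDF lives in the Info dictionary, and the fields a pentester cares about (Author, Creator, Producer, dates) can be pulled straight from the raw bytes. The parser below handles literal strings with escaped parentheses and hex-encoded UTF-16 strings, then aggregates usernames and software versions across a set of documents. The two PDFs are constructed minimal stubs; ExifTool remains the tool to use on real files (encrypted PDFs, object streams and XMP are out of scope here).

```python
import re

INFO_KEYS = b"Title|Author|Creator|Producer|CreationDate|ModDate"
# Literal string value: /Key (text) -- stop at the first ')' that is not escaped.
LITERAL_RE = re.compile(rb"/(" + INFO_KEYS + rb")\s*\((.*?)(?<!\\)\)", re.S)
# Hex string value: /Key <4A534D...>
HEX_RE = re.compile(rb"/(" + INFO_KEYS + rb")\s*<([0-9A-Fa-f\s]*)>")


def _decode(raw):
    """PDF text strings are UTF-16BE when they start with a BOM, otherwise
    PDFDocEncoding (treated as Latin-1 here, which covers the ASCII names we want)."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


def pdf_info(data):
    """Return the Info-dictionary fields found in a PDF's raw bytes."""
    info = {}
    for m in LITERAL_RE.finditer(data):
        value = re.sub(rb"\\([()\\])", rb"\1", m.group(2))  # unescape \( \) \\
        info[m.group(1).decode()] = _decode(value)
    for m in HEX_RE.finditer(data):
        hexdigits = re.sub(rb"\s", b"", m.group(2)).decode()
        info[m.group(1).decode()] = _decode(bytes.fromhex(hexdigits))
    return info


def harvest(documents):
    """documents: {filename: bytes}. Aggregate usernames and software/version strings."""
    users, software = set(), set()
    for data in documents.values():
        info = pdf_info(data)
        if info.get("Author"):
            users.add(info["Author"])
        for key in ("Creator", "Producer"):
            if info.get(key):
                software.add(info[key])
    return {"users": sorted(users), "software": sorted(software)}


# Constructed minimal PDFs; only the Info dictionary matters for this example.
SAMPLE_DOCS = {
    "network.pdf": (
        b"%PDF-1.4\n1 0 obj\n<< /Title (Q3 Network Diagram) /Author (jsmith) "
        b"/Creator (Microsoft Word 2010) /Producer (Acrobat Distiller 9.0.0 \\(Windows\\)) "
        b"/CreationDate (D:20160105093000+05'30') >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n"
    ),
    "policy.pdf": (
        b"%PDF-1.5\n2 0 obj\n<< /Author <FEFF006A0064006F0065> /Producer (LibreOffice 4.2) >>\n"
        b"endobj\ntrailer\n<< /Info 2 0 R >>\n%%EOF\n"
    ),
}
```

The Author values feed straight into the username and email work on the following slides: `jsmith` and `jdoe` already suggest the account naming convention, and the Producer strings date the software in use.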
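Second, for slide 13: a service like Email Hunter tells you the address pattern an organization uses; the same inference can be done by hand from a couple of addresses recovered via search engines, and the pattern then turns a list of employee names into a list of addresses. Added example, not part of the deck or of Datasploit; the pattern table and the two known addresses are constructed assumptions.

```python
import re

# Common corporate local-part conventions (assumption: extend with whatever the target uses).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first": lambda f, l: f,
}


def split_name(full_name):
    """'Jane Q. O'Brien' -> ('jane', 'obrien'): first and last token, letters only."""
    parts = full_name.lower().split()

    def clean(s):
        return re.sub(r"[^a-z]", "", s)

    return clean(parts[0]), clean(parts[-1])


def infer_pattern(known_pairs):
    """known_pairs: [(full name, email)] found via search engines / Email Hunter.
    Returns the pattern that explains the most pairs, or None if none fits."""
    votes = {}
    for name, email in known_pairs:
        first, last = split_name(name)
        local = email.split("@", 1)[0].lower()
        for pattern, build in PATTERNS.items():
            if build(first, last) == local:
                votes[pattern] = votes.get(pattern, 0) + 1
    return max(votes, key=votes.get) if votes else None


def generate_emails(names, domain, pattern):
    """Apply one inferred pattern to a list of employee names (e.g. from LinkedIn)."""
    return [f"{PATTERNS[pattern](*split_name(n))}@{domain}" for n in names]


def all_candidates(name, domain):
    """When no pattern is known yet, emit every convention for a single name."""
    first, last = split_name(name)
    return sorted({f"{build(first, last)}@{domain}" for build in PATTERNS.values()})


# Constructed sample: two addresses recovered from public sources for example.com.
KNOWN = [("Shubham Mittal", "shubham.mittal@example.com"), ("Jane Q. Doe", "Jane.Doe@example.com")]
```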
  14. Breach Status?
     • Have I Been Pwned? – is the address part of a known breach?
     • Breach or Clear?
     • If the email is part of a breach, is the breach data public?
     • Quite often people reuse the same password for more than one account, so a leaked password is worth trying (within scope) against the target's own services.
  15. OSINT on Email
     • Find the Gravatar (the avatar URL is keyed by the MD5 hash of the lowercase address).
     • TinEye / Google reverse image search / FindFace on the profile picture.
     • Information from Facebook / Google+ / blogs / LinkedIn.
     • Harvest usernames.
     • Clearbit.
  16. OSINT on Username
     • UserSherlock / NameChk / KnowEm – find the same handle on other sites.
     • Tweets. Woah! Woah! Woah!
     • Instagram check-ins / Facebook check-ins.
     • GitHub repos > employees don't give a shit about security.
     • API keys? Access tokens? Passwords? DB creds? What not?
     • A secret that has been committed stays in the repository history (and in every fork and clone) even after the file is deleted; purging it needs a history rewrite, and the credential must be treated as compromised and rotated regardless.
     • Gravatar / profile image > reverse image search.
  17. Create a list of targeted passwords from what you have harvested (username, company, DoB, pets, places).
  18. Search the domain on GitHub
     • https://github.com/search?q="example.com"&type=Code
     • Specifically check server-side code: .php, .py, .asp, .jsp, config files, etc.
     • No high-severity bug? Get creds from Git. w00t w00t. :D
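Added example for slide 17 (and the DoB enumeration on slide 22); it is not from the original deck or from Datasploit. The harvested tokens (username, company, pet, city) are expanded with case and leet variants, candidate years and common suffixes, and the day/month of birth is combined with each candidate year, since DD/MM is usually public while the year has to be guessed. Token list, years and suffix set are constructed assumptions; tune them to the target and to its password policy.

```python
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def case_and_leet_variants(word):
    w = word.lower()
    return {w, w.capitalize(), w.upper(), w.translate(LEET), w.capitalize().translate(LEET)}


def dob_tokens(day, month, years):
    """DD/MM is usually public; the year is guessed, so emit DDMM, DDMMYY and
    DDMMYYYY for every candidate year."""
    ddmm = f"{day:02d}{month:02d}"
    out = {ddmm}
    for y in years:
        out.update({f"{ddmm}{y % 100:02d}", f"{ddmm}{y}"})
    return out


def targeted_wordlist(tokens, years, suffixes=("", "!", "123", "@123"), min_len=8):
    """tokens: OSINT-derived words (username, company, pet, city, ...). years: candidate
    birth / graduation years. Builds word + year + suffix combinations, dropping anything
    shorter than min_len, which most password policies would reject anyway."""
    year_parts = [""] + [str(y) for y in years] + [f"{y % 100:02d}" for y in years]
    words = set()
    for tok in tokens:
        for base in case_and_leet_variants(tok.replace(" ", "")):
            for y in year_parts:
                for s in suffixes:
                    cand = f"{base}{y}{s}"
                    if len(cand) >= min_len:
                        words.add(cand)
    return sorted(words, key=lambda w: (len(w), w))


# Constructed sample profile: handle and employer from the username OSINT, birth year
# narrowed to two candidates from the LinkedIn graduation year.
SAMPLE_TOKENS = ["shubham", "acme corp"]
SAMPLE_YEARS = [1990, 1991]
```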
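Worked example for slides 16 and 18, added here and not taken from the original deck, from Datasploit or from Gitrob: once a domain search on GitHub (or a clone of an employee's repositories) has produced source files, the files need to be scanned for the kinds of secrets listed on slide 16. The scanner below uses a few patterns (AWS access key IDs and secret keys, private key headers, password assignments, generic API keys) and a Shannon entropy floor so that placeholder tokens such as `xxxxxxxx` are not reported. The sample files are constructed; the AWS values are the well-known documentation examples and the Stripe key is the one from Stripe's own docs.

```python
import math
import re
from collections import Counter

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(
        r"(?i)(?:aws[_-]?)?secret(?:[_-]?access)?(?:[_-]?key)?\W{0,5}['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|db_pass)\b\s*[:=]>?\s*['\"]([^'\"\s]{6,})['\"]"),
    "generic_token": re.compile(
        r"(?i)\b(?:api[_-]?key|access[_-]?token|auth[_-]?token)\b\s*[:=]>?\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
}
MIN_TOKEN_ENTROPY = 3.0  # bits per character; filters placeholders like "xxxxxxxxxxxxxxxx"


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, source):
    """Return one hit per (line, pattern) match; generic tokens must look random."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in SECRET_PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if kind == "generic_token" and shannon_entropy(value) < MIN_TOKEN_ENTROPY:
                    continue
                hits.append({"source": source, "line": lineno, "kind": kind, "value": value})
    return hits


def scan_files(files):
    """files: {path: text}, e.g. the output of walking a cloned repository."""
    hits = []
    for name, text in files.items():
        hits.extend(scan_text(text, name))
    return hits


def redact(value):
    """For the report: keep enough to identify the credential, never the whole thing."""
    return value[:4] + "..." + value[-2:] if len(value) > 10 else "***"


# Constructed sample repository contents.
SAMPLE_FILES = {
    "config.php": (
        '<?php\n$db_pass = "Summer2016!";\n'
        '$aws = array("key" => "AKIAIOSFODNN7EXAMPLE", '
        '"secret" => "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");\n'
    ),
    "settings.py": (
        'API_KEY = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"\n'
        'ACCESS_TOKEN = "xxxxxxxxxxxxxxxxxxxx"\n'   # placeholder, should not be reported
        'DEBUG = True\npassword = "changeme"\n'
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
}
```

Run it over the working tree and over `git log -p` output as well: the slide's point is that a secret deleted in HEAD is still in the history.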
  19. Trace check-ins from Instagram / Facebook
  20. Facebook Stuff.
     • http://graph.tips/
     • https://inteltechniques.com/intel/OSINT/facebook.html
  21. Check S3 buckets / Azure blob storage for access controls.
     • bucket_finder.rb – searches for S3 buckets based on keywords / wordlists.
     • Bucket name nomenclature:
       • https://bucketname.s3.amazonaws.com
       • https://s3.amazonaws.com/bucketname
     • Install aws-cli and configure it. Any AWS account (the free tier is enough) gives you an access key ID and secret key, and some buckets that refuse anonymous requests accept any authenticated AWS user ("Authenticated Users" grant).
     • By default AWS buckets are private. But devs are too smart sometimes ;)
     • Simple checks:
       • aws s3 ls s3://bucketname – listing works = read access.
       • aws s3 cp marker.txt s3://bucketname/ – upload a harmless marker file to prove write access (stay within scope and clean it up afterwards).
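Added example for slide 21, not from the original deck, from Datasploit or from bucket_finder.rb: generate candidate bucket names the way a keyword-based finder does, classify what an unauthenticated `GET https://<bucket>.s3.amazonaws.com/` tells you (404 vs 403 vs listing vs wrong-region redirect), and parse a `ListBucketResult` to flag the objects worth pulling first. The listing XML is a constructed sample; `probe()` is the only function that touches the network.

```python
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
NAME_OK = re.compile(r"[a-z0-9][a-z0-9.\-]{1,61}[a-z0-9]")  # simplified S3 naming rules


def bucket_candidates(keywords, extras=("dev", "prod", "staging", "backup", "assets", "uploads"),
                      seps=("", "-", ".")):
    """bucket_finder-style name generation: keyword alone plus keyword/extra joins both ways."""
    names = set()
    for kw in keywords:
        base = kw.lower()
        names.add(base)
        for extra in extras:
            for sep in seps:
                names.update({f"{base}{sep}{extra}", f"{extra}{sep}{base}"})
    return sorted(n for n in names if NAME_OK.fullmatch(n))


def classify_response(status, body=b""):
    """What an unauthenticated GET on https://<bucket>.s3.amazonaws.com/ tells you."""
    if status == 404:
        return "no-such-bucket"
    if status == 403:
        return "exists-private"  # retry with any AWS credentials: 'Authenticated Users' grants happen
    if status == 301:
        return "exists-other-region"
    if status == 200 and b"ListBucketResult" in body:
        return "public-listing"
    return f"unexpected-{status}"


def parse_listing(xml_bytes):
    """Bucket name and (key, size) pairs from a ListBucketResult document."""
    root = ET.fromstring(xml_bytes)
    name = root.findtext(S3_NS + "Name")
    objects = [(c.findtext(S3_NS + "Key"), int(c.findtext(S3_NS + "Size")))
               for c in root.iter(S3_NS + "Contents")]
    return name, objects


def interesting(objects, patterns=(r"\.sql", r"\.env$", r"\.bak$", r"\.pem$", r"backup", r"dump")):
    """Keys worth downloading first."""
    rx = re.compile("|".join(patterns), re.I)
    return [key for key, _size in objects if rx.search(key)]


def probe(bucket, timeout=5):
    """Live check (network; not exercised by the offline test)."""
    url = f"https://{bucket}.s3.amazonaws.com/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read())


# Constructed sample listing, as returned for a world-readable bucket.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>acme-backup</Name><Prefix></Prefix><IsTruncated>false</IsTruncated>
  <Contents><Key>db/prod-2016-06-01.sql.gz</Key><Size>52428800</Size></Contents>
  <Contents><Key>config/.env</Key><Size>1187</Size></Contents>
  <Contents><Key>img/logo.png</Key><Size>4096</Size></Contents>
</ListBucketResult>"""
```

An `exists-private` result is the one to re-test with the configured aws-cli (`aws s3 ls s3://bucket`), since the anonymous probe and the authenticated one can answer differently; `aws s3 ls s3://bucket --no-sign-request` reproduces the anonymous view from the CLI.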
  22. Obtain Government Data [PAN card / voter card information] (India)
     • Name + DoB = PAN card information.
     • Name + DoB + native place = voter card information.
     • http://electoralsearch.in/##resultArea
     • DoB: username OSINT / social media.
     • DD/MM is usually public (birthday posts); YYYY can be enumerated from the LinkedIn profile (graduation year etc.).
  23. Visualize Data
     • Maltego
     • Various Python libraries
     • Lumio
     • Elasticsearch / Kibana
  24. Monitoring and Alerting
     • Use streaming APIs where available.
     • Dump the data into Elasticsearch / MongoDB / a DB of your choice.
     • Hash each record so that new or changed items can be detected; alert on top of that.
     • For Elasticsearch, ElastAlert is cool (frequency / spike / flatline rules, etc.): http://nullcon.net/website/nullcon-2016/training/attack-monitoring-using-elasticsearch-logstash-kibana.php
     • Delivers alerts to Jira, HipChat, Slack, email, or a shell command ~ (perform an action).
  25. Null Humla on OSINT https://bitbucket.org/null0x00/null-blr-humla-osint-dec-2015/src/5fdef0599552b46d632e57a7c2dc00d65e27d613/HumlaSummary.txt?at=master&fileviewer=file-view-default
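Added example for slide 24, not from the original deck, from Datasploit or from ElastAlert: the "calculate hashes, alert on top" idea in the smallest form that works. Every record is hashed over its stable fields only (timestamps and ranks excluded, otherwise every poll looks new), a monitor returns just the records not seen before, and a per-kind count on each batch gives the spike signal ElastAlert's frequency/spike rules provide. The two polls are constructed sample data for example.com.

```python
import hashlib
import json

VOLATILE_FIELDS = {"seen_at", "source_rank"}  # fields that change without the finding changing


def record_hash(record):
    """Stable identity hash: canonical JSON of the non-volatile fields."""
    stable = {k: v for k, v in record.items() if k not in VOLATILE_FIELDS}
    canonical = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class Monitor:
    """Keeps the hashes of everything already reported; each ingest() returns only the
    records not seen before, plus the kinds for which this batch brought at least
    `spike_threshold` new items (the ElastAlert frequency/spike idea)."""

    def __init__(self, spike_threshold=5):
        self.seen = set()
        self.spike_threshold = spike_threshold

    def ingest(self, records):
        new, per_kind = [], {}
        for rec in records:
            h = record_hash(rec)
            if h in self.seen:
                continue
            self.seen.add(h)
            new.append(rec)
            per_kind[rec["kind"]] = per_kind.get(rec["kind"], 0) + 1
        spikes = sorted(k for k, n in per_kind.items() if n >= self.spike_threshold)
        return {"new": new, "spikes": spikes}


def build_alert(new_records):
    """Message body for Slack / HipChat / email; one line per finding."""
    return "\n".join(f"[{r['kind']}] {r['value']} (via {r['source']})" for r in new_records)


# Constructed feed: two successive polls of subdomain / bucket sources for example.com.
POLL_1 = [
    {"kind": "subdomain", "value": "mail.example.com", "source": "dnsdumpster", "seen_at": "2016-06-01T10:00"},
    {"kind": "subdomain", "value": "dev.example.com", "source": "netcraft", "seen_at": "2016-06-01T10:00"},
]
POLL_2 = [
    {"kind": "subdomain", "value": "mail.example.com", "source": "dnsdumpster", "seen_at": "2016-06-02T10:00"},
    {"kind": "subdomain", "value": "dev.example.com", "source": "netcraft", "seen_at": "2016-06-02T10:00"},
    {"kind": "bucket", "value": "example-backup", "source": "bucket_finder", "seen_at": "2016-06-02T10:00"},
]
```

In practice `seen` is persisted (a document per hash in Elasticsearch or MongoDB) so the state survives restarts; the in-memory set is enough to show the logic.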
  26. Quick Basic Demo? https://github.com/upgoingstar/datasploit