All about OSINT

Navaneeth S
3 min read · Oct 19, 2020

In the world of hacking, when you’ve chosen a target to attack, there’s a crucial step you must perform before moving in with all guns blazing — Information Gathering, or Reconnaissance. It is necessary to gather as much knowledge about your target as possible before you start your attack. For example, if you’re targeting a software company, knowledge of the number of employees, scale of the company and strength of their security team could prove to be useful to carry out a more focused attack, and OSINT is the primary step you can take to start collecting this information.

Open Source Intelligence, also known as OSINT, is defined as the process of collecting information about your target from openly available sources. Some may think that OSINT is just a fancy word for “googling”, but there’s much more to OSINT than a simple Google search. You can get details about your target’s network, the IP addresses they’re using, and even their entire infrastructure when OSINT is done properly and extensively. Don’t limit yourself to Google while performing OSINT; check out anything and everything you can think of about your target. Don’t leave any stone unturned. You never know when something might be useful to you.

OSINT can be carried out in two ways: active or passive. Active OSINT is the information you gather when you have direct contact with your target. Taking the example of the software company, going on an office tour to check out their infrastructure, noticing any security measures in place and meeting their employees can all be classified as active OSINT. Passive OSINT, on the other hand, is when you gather information about your target with no direct contact. Collecting contact information such as phone numbers and email addresses from their website, or triggering error messages in their products to check for data leaks, can be classified as passive OSINT.

OSINT has three main objectives: to learn your target’s security posture, so that you have a fair understanding of how they will respond to an attack; to identify vulnerabilities that give you a pathway to compromise them; and to draw a network map from all the information you have collected, so that you get a broad picture of their infrastructure. If you are lucky enough to find information such as IP addresses or network blocks, you can use it to carry out a more focused attack, saving you the time of attacking everything to see what clicks.

Security is just an illusion and privacy is a myth.

There are many tools available to help with OSINT. One of the most popular is archive.org, also known as the Wayback Machine, which serves older versions of websites; these can be checked for sensitive information that was exposed in a previous version and has since been removed. Another popular tool is Maltego, available for both Linux and Windows. It is an advanced OSINT tool with a wide array of features for collecting many kinds of information. Netcraft is another popular website you can use to get a list of subdomains of a particular domain.
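As an added example (not from the original post), the following Python lists the archived snapshots the Wayback Machine holds for a site, which is also how an organization can check which old versions of its own pages are still retrievable. It uses the public CDX API at web.archive.org; the sample response embedded below is constructed so the parser runs offline.

```python
"""List Wayback Machine snapshots of a host via the public CDX API."""
import json
import urllib.parse
import urllib.request

CDX_ENDPOINT = "http://web.archive.org/cdx/search/cdx"


def build_cdx_url(host, from_year, to_year):
    """Build a CDX query for successful captures of `host` and its paths."""
    params = {
        "url": f"{host}/*",            # trailing /* = prefix match on the host
        "from": str(from_year),
        "to": str(to_year),
        "output": "json",
        "fl": "timestamp,original,statuscode,digest",
        "filter": "statuscode:200",
        "collapse": "digest",          # one row per distinct content hash
    }
    return CDX_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_cdx_json(body):
    """Turn CDX JSON output (header row, then data rows) into dicts with a replay URL."""
    rows = json.loads(body)
    if not rows:
        return []
    header, data = rows[0], rows[1:]
    snapshots = []
    for row in data:
        rec = dict(zip(header, row))
        rec["replay_url"] = f"https://web.archive.org/web/{rec['timestamp']}/{rec['original']}"
        snapshots.append(rec)
    return snapshots


def fetch_snapshots(host, from_year, to_year, timeout=30):
    """Live query against archive.org (needs network access)."""
    with urllib.request.urlopen(build_cdx_url(host, from_year, to_year), timeout=timeout) as resp:
        return parse_cdx_json(resp.read().decode())


# Constructed sample response in the CDX JSON layout, used for offline runs.
SAMPLE_CDX_BODY = json.dumps([
    ["timestamp", "original", "statuscode", "digest"],
    ["20190105120000", "http://example.com/", "200", "AAAA"],
    ["20190812093000", "http://example.com/staff.html", "200", "BBBB"],
    ["20200301000000", "http://example.com/", "200", "CCCC"],
])

if __name__ == "__main__":
    for snap in parse_cdx_json(SAMPLE_CDX_BODY):
        print(snap["timestamp"], snap["replay_url"])
```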

Now that you know how OSINT works, and how much information about a target can be gathered from various sources, how do you stop someone from doing the same to you? The simplest way is to limit the information you reveal about yourself on the internet. This applies to individuals as well as organizations. If you do need to store sensitive information somewhere online, make sure it is encrypted and password protected. Use pseudonyms on public forums and chat rooms, so that nobody can trace the username back to you. Make sure security awareness sessions are held in your organization periodically, so that employees know how to identify and protect sensitive information.

For more details on OSINT, and a demo of some interesting OSINT tools, you can check out my session on OSINT presented at EvilWeek by EvilHoursX here: https://bit.ly/3o7ywZq
