Offensive OSINT Techniques and Tools (slide deck, 52 pages)

«Offensive OSINT»

Aleksandr Goncharov
WHOAMI?
• OSINT specialist at Innostage
• PHDays, OffZone, Codeby, OSINT Mindset speaker
• sOSINT specialist
Notes
OSINT is dead?
Yet Another OSINT report?

o Let's take a look at what the other sources offer:
  OSINT Framework / awesome-osint / top sheets…
Red Team understanding of OSINT

o Creating significant traffic != OSINT
o Simulating regular user traffic = OSINT
What we are looking for

Network assets: IP, domain, subdomains, services, versions
Employee information: full name, email, logins, creds/secrets, phone numbers, personal data
Company info: addresses, internal docs, internal information
Network assets

Wildcard scope: [Link]/24, *.[Link]
Just a name: Horns & Hooves
Where subdomains are born?

o DNS
o Certificates
o Web Scraping/Dorks
o Public repositories
Most useful subdomain search tools

o Sudomy
o amass
o BBOT
o SpiderFoot/theHarvester

o Running them without API keys = waste of time: most of the passive sources these tools query require a key, so a keyless run returns only a fraction of the results

Most useful TI systems for searching subdomains

o [Link] (ex RiskIQ)


o [Link]
o [Link]
o [Link]
o [Link]
Difference
Think, Mark!
In/De-crementing: step the numeric part of a known name up and down
o [Link] -> atm41
o [Link] -> s6
o [Link] -> 2021s
o [Link] -> vpn1
Software domains: product-specific prefixes that appear wherever the product is deployed
o Skype | meet.* dialin.* schedule.*
o Outlook | owa.* autodiscover.*
o Kaspersky Secure Mail Gateway | ksmg.*
o etc…

o GitHub Dorks
Permutations

o alterx
o dnsgen
o altdns
o goaltdns
o gotator

* Approximately 3-10% of the alterx-generated domains turn out to exist when retested
AI comes to help
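The three slides above (In/De-crementing, Software domains, Permutations) describe one generation step. Below is an added Python example that implements it; it is not code from the talk or from any of the tools listed. It steps every numeric run in each known hostname up and down, appends the product prefixes from the Software domains slide to the apex, and drops names that are already known. The seed list and example.com are constructed placeholders, and the prefix set is exactly what the slide lists. The output is a candidate list only: names still have to be resolved (with the passive or active checks discussed later in the deck) before they count as assets.

```python
import re

# Prefixes from the "Software domains" slide (Skype, Outlook, Kaspersky SMG).
SOFTWARE_PREFIXES = ("meet", "dialin", "schedule", "owa", "autodiscover", "ksmg")

DIGIT_RUN = re.compile(r"\d+")


def step_numbers(label, radius=1):
    """Return variants of one hostname label with each numeric run
    incremented and decremented by 1..radius (atm42 -> atm41, atm43;
    2022s -> 2021s, 2023s).  Zero padding is kept (s05 -> s04, s06);
    negative numbers are never produced."""
    variants = set()
    for m in DIGIT_RUN.finditer(label):
        width = len(m.group())
        n = int(m.group())
        for delta in range(-radius, radius + 1):
            if delta == 0 or n + delta < 0:
                continue
            new_num = str(n + delta).zfill(width)
            variants.add(label[:m.start()] + new_num + label[m.end():])
    return variants


def candidates(known_hosts, apex, radius=1):
    """Build a candidate list for resolution: number-stepped neighbours of
    every known host under the apex, plus the software prefixes on the
    apex itself.  Hosts already known or outside the apex are left out."""
    known = {h.lower().rstrip(".") for h in known_hosts}
    out = set()
    for host in known:
        if host == apex or not host.endswith("." + apex):
            continue
        first, rest = host.split(".", 1)  # only the leftmost label is stepped
        for variant in step_numbers(first, radius):
            out.add(f"{variant}.{rest}")
    for prefix in SOFTWARE_PREFIXES:
        out.add(f"{prefix}.{apex}")
    return sorted(out - known)


if __name__ == "__main__":
    # Constructed seed list; example.com is a placeholder target.
    seeds = ["atm42.example.com", "s6.example.com", "2022s.example.com", "vpn1.example.com"]
    for name in candidates(seeds, "example.com"):
        print(name)
```

Feed the printed list to a resolver (or to the passive APIs from the verification slide) and keep the 3-10% that answer; raise `radius` when the naming scheme suggests larger gaps, at the cost of a proportionally longer list.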
No IP/domain?

o RIPE DB
o [Link]
o Resolution checks
o Host certificates
How to verify?

Passive
o VirusTotal API
o SecurityTrails API
o ViewDNS API

Active
o Anything: proxy, API, etc…
  BUT only if the NS records point to the DNS server of the hosting/DNS provider
Search engines

o Censys
o Shodan
o ZoomEye
o [Link]
o Onyphe
o Fofa
o Binaryedge
o FullHunt
o Netlas
o Quake360
o Criminalip
o Synapsint
o Natlas
o Leakix
Search engines – Scanned ports

• Censys - ~3,592 (official)
• Shodan - ~1,400 (Shodan Twitter)
• ZoomEye - no info
• Binaryedge - no info
• Netlas - no info
• [Link] - no info
Search engines

o Has the most up-to-date data available: Censys


o Has the largest amount of data:
BinaryEdge / ZoomEye
o Best for finding vulnerabilities: Netlas
Old But Gold
Any parameter can be a source of info
URLs

o Potentially vulnerable parameters


o Sensitive information
o Directory information
o Subdomains
o And a lot of other things.
URLs - Tools

o Gau
o Xurlfind3r
o Unja
o Waymore
o Spiderfoot/theHarvester
o GooFuzz
o [Link]/
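Gau, Waymore and the other tools above return a flat list of archived URLs; the four bullets on the URLs slide are what gets extracted from that list. The Python triage below is an added example, not code from the talk or from any of those tools: it keeps only in-scope hosts, collects subdomains, directory prefixes and parameter names (with the paths they appear on), and flags URLs whose parameter names or file extensions deserve a manual look. The watch-lists of parameter names and extensions are my assumptions, the URL list is a constructed sample in one-URL-per-line format, and example.com is a placeholder target.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumed watch-lists (not from the talk): parameter names that often mark
# open redirects, file reads or IDOR, and extensions that should not be public.
SUSPICIOUS_PARAMS = {"url", "redirect", "next", "return", "dest",
                     "file", "path", "page", "template", "id", "cmd"}
SENSITIVE_EXT = (".bak", ".old", ".sql", ".env", ".zip", ".tar.gz",
                 ".log", ".config", ".xml", ".json")

# Constructed sample in gau/waymore output format; example.com is a placeholder.
SAMPLE_URLS = """\
https://www.example.com/
https://www.example.com/login?next=/account
https://dev.example.com/api/v1/users?id=42
http://old.example.com/backup/site.bak
https://www.example.com/docs/report.pdf?download=1
https://cdn.other-site.net/lib.js
https://www.example.com/img?file=../etc/passwd
"""


def in_scope(host, apex):
    return host == apex or host.endswith("." + apex)


def triage_urls(lines, apex):
    """Reduce a flat URL list to what the URLs slide asks for: subdomains,
    parameter names (and where they appear), directory paths, URLs with
    suspicious parameters and URLs pointing at sensitive file types.
    Hosts outside the apex are ignored."""
    subdomains, dirs, suspicious, sensitive = set(), set(), set(), set()
    params = defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            parts = urlsplit(raw)
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed URL, e.g. a bad IPv6 literal
            continue
        if not host or not in_scope(host, apex):
            continue
        subdomains.add(host)
        segments = [s for s in parts.path.split("/") if s]
        for i in range(1, len(segments)):  # every directory prefix of the path
            dirs.add(host + "/" + "/".join(segments[:i]))
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            params[name.lower()].add(host + parts.path)
            if name.lower() in SUSPICIOUS_PARAMS:
                suspicious.add(raw)
        if parts.path.lower().endswith(SENSITIVE_EXT):
            sensitive.add(raw)
    return {
        "subdomains": sorted(subdomains),
        "params": {k: sorted(v) for k, v in sorted(params.items())},
        "dirs": sorted(dirs),
        "suspicious": sorted(suspicious),
        "sensitive": sorted(sensitive),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_urls(SAMPLE_URLS.splitlines(), "example.com"), indent=2))
```

The `subdomains` list goes back into the subdomain pipeline, `dirs` seeds a wordlist for directory brute-forcing, and `suspicious` and `sensitive` are the manual-review queue; none of this touches the target, which is the point of the "regular user traffic" definition earlier in the deck.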
Intelligence systems

▪ Helpful for:
o detailed analysis of the infrastructure;
o collecting subdomains;
o searching domain-to-IP resolutions;
o collecting trackers and components.
Intelligence systems
HackTricks
NO NMAP!
HackTricks or luck?

One of the largest stock exchanges in the world:
o 3 internal domains/subdomains
o internal information
o 4 external subdomains of the development department
o an account for logging in to the administrative panel of the site development
Looking for

o Full name
o Emails / Logins
o Passwords
o Phone number
o Personal data (everything else)
Main sources of info
[Pie chart: Leaks, Social Media, Google Dorks, Metadata, Other things; the shares shown are 40%, 30%, 20%, 10% and 5%]
Leaks

o Rostelecom
o Tele2
o Avito
o Yandex Eda (Яндекс Еда)
o Twitter
o Gemotest (Гемотест)
o 2 Berega
o Facebook
o CDEK v2.0
o Delivery Club
o Onlinetrade (Онлайн Трейд)
o Russian Post (Почта России)
o Umny Dom (Умный дом)
o CDEK
o Kari
o Yandex Praktikum (Яндекс Практикум)
o Wildberries
o DNS
o Pikabu
o Oriflame
o VkusVill (ВкусВилл)
o Tutu.ru (Туту.ру)
Public(?) Leaks

• 2+2 = 5,000,000+ GitHub user emails
• Company emails, names
Company's social networks

o Posts mentioning employees/positions/events
o Analyzing how messages are drafted
o Collecting employee social media accounts
o Partner analysis
Employee's social networks

o Workplace
o #Hashtags / photo mentions
o Geolocation on photos
o Geolocation spoofing
Geolocation spoofing

o Spoof your own geolocation
o Detects "People Nearby"
o Works in Telegram and VK
o Verification can be done through common groups
Job aggregators

o VK, FB, etc…
o [Link], Habr page
o LinkedIn page ([Link], [Link])
Positions in company
GitHub Dorks

o Looking for additional emails
o <company> login/user/pass/password
o <company> ldap
o <company> wiki
o <company> connectionstrings
o Subdomains
o Emails
o Juicy files/hosts
o GitHub/GitLab/Pastebin/etc mentions
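Added example for the GitHub Dorks slide, not code from the talk: the first function builds the search strings the slide lists for one company name, plus two domain-scoped queries that are my addition; the second is the triage you run on a file the search turns up, pulling out company emails, subdomains under the apex and connection strings that carry an inline password. The settings file is a constructed sample and example.com is a placeholder target.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
# ADO.NET/JDBC-style connection string with an inline password:
# Server=...;...;Password=... (Data Source / Host and Pwd are accepted too).
CONN_RE = re.compile(
    r"(?i)(?:server|data source|host)=[^;\s]+;[^\n]*?(?:password|pwd)=[^;\s\"']+"
)

# Constructed sample of a committed settings file; example.com is a placeholder.
SAMPLE_FILE = """\
# settings.py (constructed sample, not a real repository)
ADMIN_EMAIL = "j.doe@corp.example.com"
SUPPORT = "help@example.com"
LDAP_URL = "ldap://ldap.example.com:389"
DB = "Server=db01.internal.example.com;Database=crm;User Id=sa;Password=Winter2023!;"
MAIL = "someone@gmail.com"
"""


def github_dorks(company, apex):
    """Search strings from the GitHub Dorks slide for one company name,
    plus two domain-scoped queries (the last two) that are an addition."""
    terms = ["login", "user", "pass", "password", "ldap", "wiki", "connectionstrings"]
    queries = [f'"{company}" {t}' for t in terms]
    queries += [f'"@{apex}"', f'"{apex}" password']
    return queries


def in_scope(host, apex):
    return host == apex or host.endswith("." + apex)


def scan_text(text, apex):
    """Pull the slide's findings out of one file's text: company emails,
    subdomains under the apex, and connection strings with a password."""
    host_re = re.compile(rf"\b(?:[a-z0-9-]+\.)+{re.escape(apex)}\b", re.I)
    emails = {m.group(0).lower() for m in EMAIL_RE.finditer(text)
              if in_scope(m.group(1).lower(), apex)}
    subdomains = {m.group(0).lower() for m in host_re.finditer(text)}
    conn = [m.group(0) for m in CONN_RE.finditer(text)]
    return {"emails": sorted(emails), "subdomains": sorted(subdomains),
            "connection_strings": conn}


if __name__ == "__main__":
    for q in github_dorks("Horns & Hooves", "example.com"):
        print(q)
    print(scan_text(SAMPLE_FILE, "example.com"))
```

Emails from other domains (the gmail address in the sample) are dropped on purpose; they belong in the personal-data track, not in the company asset list. The subdomains found here (ldap., db01.internal.) feed straight back into the subdomain pipeline from the first part of the deck.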
Practice time

o TryHackMe rooms: googledorking, searchlightosint, shodan, geolocatingimages, somesint, Sakura, redteamrecon
o CTF
o Just pick a company and start recon
Questions?