OSINT

Gathering open-source intelligence is the process of acquiring information on the target in a non-intrusive manner, usually from sources other than the target itself. The goal of OSINT is to uncover the attack surface of the target and to provide for target-specific resources (e.g., organization-specific wordlists, see also cewl).

Resources

• Accessing website itself, look for PII, especially names and emails
• Look up organization on social media (e.g., LinkedIn), or use online tools
• Identify email patterns
• MattKeeley/Spoofy: check if email is spoofable
• Hunter.io - look up emails by organization domain name
• OSINT Framework
• Maltego
• whois <domain> (registration info) and whois <IP> (hosting info)
• Google Hacking Database
• Netcraft
• Shodan
• Security Headers
• SSL Server Test
• Dehashed
• Pastebin (use google site: since its search engine is gone)
• theHarvester (subdomains, IPs, emails)
• Social Searcher
• Twofi scans Twitter posts and compile them into a wordlist
• vysecurity/LinkedInt (use burner account for this)
• linkedin2username uses an existing connection the target organization to generate possible usernames.
• recon-ng (modules for DNS enumeration, personal information, companies, social media search, vulnerabilities, etc)
• See client fingerprinting