Gathering open-source intelligence (OSINT) is the process of acquiring information about the target in a non-intrusive manner, usually from sources other than the target itself. The goal of OSINT is to map the target's attack surface and to produce target-specific resources (e.g., organization-specific wordlists; see also cewl).
Resources
- Access the website itself and look for PII, especially names and emails
- Look up the organization on social media (e.g., LinkedIn), or use online tools
- Identify email patterns
- MattKeeley/Spoofy: check if email is spoofable
- Hunter.io - look up emails by organization domain name
- OSINT Framework
- Maltego
- `whois <domain>` (registration info) and `whois <IP>` (hosting info)
- Google Hacking Database
- Netcraft
- Shodan
- Security Headers
- SSL Server Test
- Dehashed
- Pastebin (use a Google `site:` search, since its own search engine is gone)
- theHarvester (subdomains, IPs, emails)
- Social Searcher
- Twofi scans Twitter posts and compiles them into a wordlist
- vysecurity/LinkedInt (use a burner account for this)
- linkedin2username uses an existing connection to the target organization to generate possible usernames.
- recon-ng (modules for DNS enumeration, personal information, companies, social media search, vulnerabilities, etc.)
- See client fingerprinting
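The "is this domain's mail spoofable" question behind tools like Spoofy comes down to the domain's own SPF and DMARC policy strength. The following is an added example (not Spoofy's code, nor part of the original notes) that classifies a domain's posture offline from its TXT record strings; the records below are constructed, and a real check would fetch them with a DNS library such as dnspython.

```python
"""Offline SPF/DMARC policy strength check (added example, constructed input)."""
import re
from typing import Optional


def parse_spf(record: str) -> dict:
    """Return whether an SPF record exists and the qualifier of its 'all' term."""
    if not record.lower().startswith("v=spf1"):
        return {"present": False, "all": None}
    qualifier = None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"  # bare 'all' means '+all'
            break
    return {"present": True, "all": qualifier}


def parse_dmarc(record: str) -> dict:
    """Extract the policy (p) and coverage (pct) tags from a DMARC record."""
    if not record.lower().startswith("v=dmarc1"):
        return {"present": False}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return {"present": True,
            "p": tags.get("p", "none").lower(),   # missing p: treat as none
            "pct": int(tags.get("pct", "100"))}


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> str:
    """Classify how well the domain's policy protects the visible From: header."""
    spf = parse_spf(spf_record or "")
    dmarc = parse_dmarc(dmarc_record or "")
    # SPF alone only covers the envelope sender; without an enforcing DMARC
    # policy a forged header From: is still accepted by most receivers.
    if not dmarc["present"] or dmarc["p"] == "none":
        return "weak: no enforcing DMARC policy (p=reject/quarantine)"
    if dmarc["pct"] < 100:
        return f"partial: DMARC p={dmarc['p']} applies to only {dmarc['pct']}% of mail"
    if not spf["present"]:
        return "weak: DMARC present but no SPF record; alignment relies on DKIM only"
    if spf["all"] in ("+", "?"):
        return "weak: SPF permits any sender (+all / ?all)"
    return f"enforcing: DMARC p={dmarc['p']}, SPF {spf['all']}all"


if __name__ == "__main__":  # constructed sample records
    print(assess("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject"))
    print(assess("v=spf1 mx -all", None))
```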