OSINT (Internet Intelligence) Skills in Cybersecurity

Mutt

Often you do not need to break anything to find sensitive information. OSINT training does not take much time, but it will make your information security work noticeably more efficient.

OSINT (Open Source Intelligence) is the collection and analysis of information from publicly available sources. In practice today this mostly means Internet sources. Russian-speaking specialists also use the term "Internet intelligence", which means the same thing as OSINT.

As part of cybersecurity, OSINT is used for penetration testing, forensics, reverse engineering and social engineering. Information security training often includes a section on OSINT techniques and tools.

Pentesters use OSINT to streamline the first stage of an engagement: reconnaissance and gathering information about a specific online object or subject. Here OSINT serves either to outline the targets that need to be attacked, or to discover that nothing needs to be broken at all, because the information is already available to everyone.

OSINT is convenient because:
  1. it carries far less risk: passive collection does not touch the target's systems, so you are much less likely to violate someone's privacy or the law (see the caveat on legality below);
  2. it is cheaper: no additional equipment or expensive software is needed;
  3. the information is easy to access (it is on the Internet) and is usually current.

There are two main methods of collecting information:
1. Passive. You do not reveal yourself or what you are looking for. The search is limited to content on the target's own sites, archived or cached copies, and unprotected files.
2. Active. This method is used much less often in Internet reconnaissance. You interact directly with the company's IT infrastructure: probing open ports, scanning for vulnerabilities and for web-server applications. Such reconnaissance is easy for the target to detect. Social engineering also belongs here.

Which method you choose depends on the conditions under which you collect the information and on the kind of data you need. Are you assessing the company's security, have signed an NDA, and may probe wherever you want? Or have you only been asked to gather information about competitors?

It is important to understand that what you can easily access is not always legal to use.

For example, Shodan (a search engine for Internet-connected devices) makes it easy to find exposed management interfaces of personal and corporate systems in a few clicks. However, as soon as you start interacting with such a system, for instance by trying different passwords, this can already be treated as an attempted intrusion: it becomes active information gathering, which requires the permission of the system owner.

You can read more about the legal framework and legislation of Russia and foreign countries here.

The main sources of OSINT used in information security
Any publicly available information can be dangerous: social media, photos, data from third-party profiles and sites, public records, etc. Combined with other data, it can give attackers exactly what they are looking for.

Let us dwell on the main areas that information security specialists study on a regular basis.

1. File metadata.
Metadata contain the creation date, usernames, printer models, the software installed on the author's computer and sometimes geolocation. Information about installed programs and their versions lets an attacker pick the most vulnerable ones and select exploits for them; usernames, in turn, become candidate logins for personal or corporate systems. For the same reason, metadata should be stripped from documents before they are published.
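As an added example (not code from the original post), the script below pulls the fields just described out of two common document formats using only the Python standard library: the author, last editor, timestamps, application and version from an OOXML file (DOCX/XLSX/PPTX are ZIP containers with a docProps/core.xml and docProps/app.xml inside), and the Author/Creator/Producer entries of a PDF Info dictionary. It then derives the login formats a pentester would try from the author's name. The sample DOCX and PDF are constructed inline for the demonstration; the names "Jane Doe", "jdoe", "John Smith" and "Example Corp" are made up, and the PDF parser handles only the plain, uncompressed Info dictionary case.

```python
"""Extract OSINT-relevant metadata from Office (OOXML) and PDF files, standard library only."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the two metadata parts that every DOCX/XLSX/PPTX carries.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = (("author", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy"),
               ("created", "dcterms:created"), ("modified", "dcterms:modified"))
APP_FIELDS = (("application", "ep:Application"), ("app_version", "ep:AppVersion"),
              ("company", "ep:Company"))
PDF_INFO_KEYS = ("Author", "Creator", "Producer", "CreationDate")


def _xml_fields(xml_bytes: bytes, fields) -> dict:
    root = ET.fromstring(xml_bytes)
    found = {}
    for key, path in fields:
        el = root.find(path, NS)
        if el is not None and el.text:
            found[key] = el.text.strip()
    return found


def docx_metadata(data: bytes) -> dict:
    """Author, last editor, timestamps and producing application from an OOXML file."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            meta.update(_xml_fields(z.read("docProps/core.xml"), CORE_FIELDS))
        if "docProps/app.xml" in names:
            meta.update(_xml_fields(z.read("docProps/app.xml"), APP_FIELDS))
    return meta


def pdf_metadata(data: bytes) -> dict:
    """Literal-string entries of the PDF Info dictionary. Plain uncompressed case only:
    an Info dictionary inside an object stream or hex-encoded strings are not handled."""
    meta = {}
    for key in PDF_INFO_KEYS:
        # A PDF literal string is (...) and may contain escaped parentheses: \( and \)
        m = re.search(rb"/" + key.encode() + rb"\s*\(((?:\\.|[^\\)])*)\)", data)
        if m:
            raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
            meta[key.lower()] = raw.decode("latin-1")
    return meta


def username_candidates(full_name: str) -> list:
    """Common corporate login formats derived from a 'First Last' author string."""
    parts = re.findall(r"[a-z]+", full_name.lower())
    if len(parts) < 2:
        return parts
    first, last = parts[0], parts[-1]
    return [f"{first}.{last}", f"{first[0]}{last}", f"{first}{last[0]}",
            f"{first}_{last}", f"{last}{first[0]}"]


def analyze(data: bytes) -> dict:
    """Dispatch on the file signature and attach login guesses for any author found."""
    if data.startswith(b"PK"):
        meta = docx_metadata(data)
    elif data.startswith(b"%PDF"):
        meta = pdf_metadata(data)
    else:
        return {}
    if "author" in meta:
        meta["login_guesses"] = username_candidates(meta["author"])
    return meta


def build_sample_docx() -> bytes:
    """Constructed sample: a ZIP holding only the two metadata parts (not a real document)."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:creator>Jane Doe</dc:creator><cp:lastModifiedBy>jdoe</cp:lastModifiedBy>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2021-03-04T10:00:00Z</dcterms:created>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"], NS["dcterms"]))
    app = ('<?xml version="1.0" encoding="UTF-8"?><Properties xmlns="%s">'
           '<Application>Microsoft Office Word</Application><AppVersion>16.0000</AppVersion>'
           '<Company>Example Corp</Company></Properties>' % NS["ep"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


# Constructed sample PDF fragment with an Info dictionary (escaped parentheses in Producer).
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Author (John Smith) /Creator (Microsoft Word) "
              b"/Producer (Acrobat Distiller 9.0.0 \\(Windows\\)) /CreationDate (D:20210304100000Z) >>\n"
              b"endobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print(analyze(build_sample_docx()))
    print(analyze(SAMPLE_PDF))
```

On a real engagement you would feed `analyze()` every document harvested from the target domain and collate the application/version and login-guess fields across files; a consistent "lastModifiedBy" value such as "jdoe" is stronger evidence of the naming convention than any single guess.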

2. Confidential Documentation.
Even in the most advanced companies and serious government agencies, a classified document may accidentally end up in the public domain. Examples of how to search for such documents can be found in the lectures of Andrey Masalovich. Such documents may reveal, among other things, the password policy and the software and services in use.

3. Domain information.
There are many tools that collect all the data about a site (including data not visible to ordinary users), for example:
  • e-mails,
  • telephones,
  • faxes,
  • technologies on which the site is built,
  • cryptographic certificates that are used on a specific domain.
After researching the main domain, look at how the company organizes the rest of its Internet resources. Among the subdomains there are usually poorly protected sites used for testing new technologies, and such hosts may still hold important documents left on the server.
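One passive way to enumerate subdomains is to read the certificates a company has obtained from public Certificate Transparency logs. As an added example (not code from the original post), the script below takes a saved JSON export in the shape returned by crt.sh (the field names `name_value`, `common_name` and `not_before` are an assumption about that service's output), normalizes the names, drops wildcards and lookalike domains that merely contain the target name, and flags hosts whose labels suggest test or staging systems. The input records are constructed for the demonstration and use the reserved domain example.com.

```python
"""Enumerate subdomains from a saved crt.sh-style JSON export and flag likely non-production hosts."""
import json
import re

# Constructed sample in the shape crt.sh returns (assumed field names); not real certificate data.
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_before": "2023-01-10T00:00:00"},
    {"common_name": "*.example.com", "name_value": "*.example.com",
     "not_before": "2022-05-01T00:00:00"},
    {"common_name": "dev-api.example.com", "name_value": "dev-api.example.com\nstaging.example.com",
     "not_before": "2021-11-30T00:00:00"},
    {"common_name": "test.example.com", "name_value": "TEST.example.com",
     "not_before": "2019-02-02T00:00:00"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com\nautodiscover.example.com",
     "not_before": "2020-07-07T00:00:00"},
    # Lookalike: contains the target name but is not under the target domain.
    {"common_name": "evil.example.com.attacker.net", "name_value": "evil.example.com.attacker.net",
     "not_before": "2022-01-01T00:00:00"},
])

# Labels that typically mark test, staging or leftover infrastructure.
RISKY_KEYWORDS = ("dev", "test", "staging", "stage", "uat", "qa", "beta", "old", "backup", "tmp")


def extract_hostnames(ct_json: str, domain: str) -> set:
    """Unique lower-cased hostnames under `domain`; wildcards are reduced to the name they cover."""
    domain = domain.lower()
    suffix = "." + domain
    hosts = set()
    for entry in json.loads(ct_json):
        # name_value holds every SAN of the certificate, one per line
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith(suffix):
                hosts.add(name)
    return hosts


def _label_is_risky(label: str) -> bool:
    # keyword must stand alone or be separated by - or _ (so "autodiscover" does not trip "uat")
    return any(re.fullmatch(rf"(.*[-_])?{kw}([-_].*)?\d*", label) for kw in RISKY_KEYWORDS)


def flag_non_production(hosts, domain: str):
    """Split hosts into (likely test/staging, other), each sorted, by inspecting the subdomain labels."""
    domain = domain.lower()
    risky, other = [], []
    for host in sorted(hosts):
        labels = [] if host == domain else host[: -len(domain) - 1].split(".")
        (risky if any(_label_is_risky(l) for l in labels) else other).append(host)
    return risky, other


if __name__ == "__main__":
    found = extract_hostnames(SAMPLE_CT_JSON, "example.com")
    flagged, rest = flag_non_production(found, "example.com")
    print("likely non-production:", flagged)
    print("other:", rest)
```

The flagged hosts are the ones to examine first for exposed directories, forgotten documents and default credentials; the lookalike-domain check matters because CT searches by substring also return certificates for unrelated domains that embed the target's name.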

4. Server web applications, Internet of Things. Servers, routers, CCTV cameras, webcams, network storage, etc. get indexed. Besides the fact that some of them can be reached simply by clicking a link, these devices expose technical information: geolocation, open ports, running services, the domain name associated with the device, the Internet service provider, and web technologies.

OSINT training for use in information security
To learn OSINT at a basic level and start doing small research, a couple of days will be enough for you.

To immerse yourself in the topic and study individual aspects, it is worth reading the following books:

Development in OSINT goes through approximately the following stages:
1. Mastering basic techniques such as Google dorks (advanced Google search operators). To do this, read the blogs of specialists or specialized companies. For example:
  • Hrazvedka - in the "Explore" section you can find a selection of different tools. In addition, the blog collects videos, articles, books, films on the topic in Russian;
  • Sector035 - weekly selections with new techniques and tools;
  • OSINT Curious - in addition to a blog, they have a webcast where they invite guests and discuss news;
  • Aware Online;
  • a sizeable community on Twitter: i-intelligence, Dutch OSINT Guy, Henk van Ess. In this collection, you can find other accounts worth following.

2. Begin to apply knowledge in practice. Look for interesting approaches to using tools and techniques and try writing small reports about it with visualization of the results. Share your insights on Twitter by adding relevant hashtags or in the community on Reddit.

The tools necessary for exploration are in the collections:

3. Become as anonymous as possible. A significant part of OSINT training is devoted to the security of your own searches, so that the company or person cannot tell that you are collecting information about them. Some practices:
  • creating fake (sock-puppet) profiles;
  • using Android emulators (you run mobile applications through a special program on your computer instead of on a personal device);
  • VPN;
  • Tor Browser;
  • operational rules such as not doing reconnaissance at the same time of day: a regular pattern can betray even the most skilled hackers.
How far you go with anonymity depends on your goal. You do not need to set up many social media accounts if you are not going to research there, or install security software just to look up geographic data on a map.

A lot of materials on this subject can be found in the blogs and books described above. Here is one of them.

4. Explore more advanced tools that require additional knowledge:
  • Kali Linux. Many OSINT tools come preinstalled on this distribution (most of them also run on other Linux systems, but Kali saves setup time).
  • Python - working with some tools requires knowledge of the language's syntax.
5. Try to write automated tools for collecting and analyzing information on your own in Python.

OSINT tools in information security
1. Shodan is a search engine for devices connected to the Internet (including Internet of Things devices and web applications). The "Explore" section will help you start your searches, as it collects popular user queries. To access the advanced search operators, you need to register. In the paid plans, you get access to more results, as well as an unlimited number of searches per day.
2. Maltego - software that collects all data together, helps to see relationships and draw conclusions. The result is visualized as a tree that collects IP addresses, e-mails, phones, domains, etc. into a single system. There are three versions of the client, but for most specialists, the free one will be enough. Maltego tutorials: in Russian and English (they are different).

3. Google Dorks are queries to Google using special operators. You've probably heard that to search for the exact phrase, you need to put words in quotation marks, and to exclude a word from the search results, you need to put "-" in front of it. This is just about Google Dorking. Here you will find the basic operators, and here you will find a huge number of dorks for finding vulnerabilities.

4. FOCA is a program that finds, downloads, classifies and analyzes documents published on a target's web servers and extracts their metadata. To find them, it crawls a specific domain through the Google, Bing and DuckDuckGo search engines. The software is free and quick to install. In this material you can find a short guide on how to use the program.

5. Spyse is a search engine for technical information about websites. With it, you can find a variety of data such as known vulnerabilities, IP addresses, subdomains and SSL/TLS certificate details.

Conclusion
OSINT will help you save time and money when searching for information, and the tools and techniques learned will be useful outside of professional activities.