OSINT, or open source intelligence, is the practice of gathering information about a target from “open sources”: data that is freely available on the Internet through search engines, public records, social media and the like. Open source reconnaissance is a key part of any good penetration test, because what it turns up feeds directly into later stages of the assessment and into the attacks built on them. Today, we’ll introduce OSINT and target reconnaissance in more depth to give you a better idea of what this process entails and what its benefits are.
OSINT generally occurs at the very beginning of a penetration test or an actual attack, because it is not an attack on the target at all; it is just information gathering. OSINT is often described as passive, semi-passive, or active, but in practice these phases blend together, and you collect anything that may be useful in the later phases of the attack. It isn’t a scan conducted against the target either, although you may browse their websites as an actual user would. It is closer to asking other websites for the information they already hold about a target network or organization. Through this process, an attacker can collect a variety of information, such as:
- IP Addresses/IP Ranges
- Hosting Providers
- Company Background Information
- Types of Technology Employed
- Partner Organizations/Vendors
- Employee Names and Email Addresses
- Documents with Potentially Sensitive Information
- Document Metadata
- And a lot more!
So What? Why Do OSINT?
For penetration testers, this is one of the most often overlooked parts of a penetration test, probably because it can be time-consuming and it doesn’t involve any sexy exploits. But it is incredibly important for conducting a good test and you can bet that attackers specifically targeting an organization aren’t going to overlook it. Through OSINT, you can accomplish so many things, including:
- Confirm scope – Are the targets this org gave me systems that they actually own?
- Find hosts the organization might not know about that weren’t included in scope – Do you know this system exists? Did you purposefully exclude it?
- Identify what types of exploits are more likely to work – e.g. I know they are a primarily Windows shop
- Identify potential security controls that are in place – firewall types, IDS/IPS, WAF, etc.
- Create username lists to conduct password attacks (thanks, LinkedIn)
- Locate the physical addresses of offices
- Recover organization charts and employee lists
- Determine the email address format – this usually matches the internal username format, so it feeds straight into the username lists above
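As an added example (not code from the original post), here is a small Python script showing how the last two points fit together: infer an organization's address format from a handful of (name, email) pairs found in the open, then apply that format to a list of scraped employee names. The names, addresses and the example.com domain below are constructed for illustration, and the set of naming conventions is an assumption; extend it with whatever patterns you see in the wild.

```python
"""Infer an organization's e-mail/username convention from a few known
addresses, then apply it to scraped employee names to build a username list.
Sample data below is constructed for illustration (assumption: example.com).
"""
import re
import unicodedata

# Candidate naming conventions (assumed list, extend as needed). Each maps
# (first, last) to the local part of an address / a username.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first.l":    lambda f, l: f"{f}.{l[0]}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}

# Honorifics and suffixes that scraped names often carry but usernames never do.
SKIP = {"mr", "ms", "mrs", "dr", "jr", "sr", "ii", "iii", "iv"}


def normalize(token: str) -> str:
    """Lower-case, strip accents (Müller -> muller) and drop anything not a-z."""
    ascii_only = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_only.lower())


def split_name(full_name: str):
    """Return (first, last) from a display name, handling 'Last, First',
    middle names, honorifics and suffixes. None if no usable pair exists."""
    if "," in full_name:                       # "Smith, Bob" -> "Bob Smith"
        last, first = full_name.split(",", 1)
        full_name = f"{first} {last}"
    parts = [normalize(p) for p in full_name.split()]
    parts = [p for p in parts if p and p not in SKIP]
    if len(parts) < 2:
        return None
    return parts[0], parts[-1]


def infer_format(known_addresses):
    """Score each convention against (name, email) pairs seen in the open
    (press releases, PDF metadata, breach dumps). Returns (label, hits)."""
    scores = {label: 0 for label in FORMATS}
    for full_name, email in known_addresses:
        pair = split_name(full_name)
        if pair is None:
            continue
        local = email.split("@", 1)[0].lower()
        for label, fn in FORMATS.items():
            if fn(*pair) == local:
                scores[label] += 1
    best = max(scores, key=scores.get)
    return best, scores[best]


def generate_usernames(names, fmt_label, domain=None):
    """Apply the inferred convention to scraped names; de-duplicated, order kept.
    With a domain, returns full addresses instead of bare usernames."""
    fn = FORMATS[fmt_label]
    seen, out = set(), []
    for full_name in names:
        pair = split_name(full_name)
        if pair is None:
            continue
        user = fn(*pair)
        if domain:
            user = f"{user}@{domain}"
        if user not in seen:
            seen.add(user)
            out.append(user)
    return out


# Constructed sample data: two addresses found in the open, five scraped names.
KNOWN = [("Jane Doe", "jdoe@example.com"), ("Robert O'Neil", "roneil@example.com")]
SCRAPED = ["Jane Doe", "Alice Marie Smith", "Smith, Bob", "Zoë Müller", "Cher"]

if __name__ == "__main__":
    fmt, hits = infer_format(KNOWN)
    print(f"inferred format: {fmt} ({hits}/{len(KNOWN)} known addresses match)")
    for user in generate_usernames(SCRAPED, fmt, "example.com"):
        print(user)
```

A single-word name such as "Cher" is dropped rather than guessed, and two people who collapse to the same username are emitted once; when you actually run a password spray, both cases are worth a second look, since a collision usually means the organization appends a digit and your list is missing it.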
Everything listed above is just organization-level information that is often freely available on the web. In the eyes of an attacker, though, it is a great resource for building better attack chains and crafting more successful exploits. We didn’t even get into the massive data sets that can be scraped about individual employees from things like social media, which are wonderful material for social engineering or physical attacks.
At this point, it should be easy to see why OSINT is valuable to a penetration tester and why organizations should be aware of what data is out there for attackers to piece together. The information about a company that turns up in a quick Google search can be eye-opening, and an absolute gold mine for attackers. We’ll cover some of the most common OSINT techniques in a follow-up post so you can either expand your skill-set as a penetration tester or keep your eyes open as a network defender.