Author Britton White
Open Source Intelligence (OSINT) reconnaissance involves using publicly available resources to passively gather information on a target (a person or organization).
To best protect your organization, take the mindset of a threat actor. Ask yourself these questions and perform some OSINT reconnaissance to get the answers.
What information is available on the web which can be used to target your organization?
How could a threat actor break in, or otherwise gather enough information for a Phishing/Vishing (Social Engineering) attack?
Think about how your current policies and procedures may help protect against these types of attacks, or if your policies and procedures are weak and need revising. From there, ask yourself, do employees know/understand what our security policies and procedures are? Understanding is the key word here.
Don’t forget about your third-party vendors, business associates, etc. You can perform this same reconnaissance on them. Just don’t try to log in anywhere unless you’re authorized to do so.
OSINT Reconnaissance Tools
I use the following sites extensively for OSINT reconnaissance. There are automated tools that many use for a quick snapshot of information that I choose to look for manually.
VirusTotal - Analyzes suspicious files, URLs and hashes. Reports on possible malicious reputation.
Sub Domain Finder - Locates subdomains tied to a domain.
Censys.io - Reports on devices that are accessible from the Internet.
Shodan.io - Reports on devices that are accessible from the Internet.
For sites like censys.io and shodan.io, you can enter specific search strings using each site's query syntax to refine your recon. As an example for Shodan, you can enter “ip:x.x.x.0/24” to find all externally facing IPs in that range. Another is “country:us state:NY org:medical”. Be creative and search for vendors like vmware. Another Shodan search example is “country:us vmware”.
Zenmap - This is the Nmap security scanner's graphical user interface. If I find open ports in Censys or Shodan (for a specific IP address), I then run a scan in Zenmap to confirm that the information is correct.
Dnsdumpster.com - A DNS lookup which enables researchers to find hosts related to a domain.
Reversewhois.io - Locates all domains owned by individuals and companies. Uses names or email addresses for the lookup.
Security Trails - Reports on current and historical information for IP addresses, domain names and DNS.
Cisco Talos - Offers reputation reporting on domains and IP addresses. Also includes blogs and IOCs.
Wikipedia.com defines Google Dorking as “A hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using.”
Google Dorking can also provide valuable insight into various areas, documents, etc. that are publicly available but difficult to find. Search strings can be as simple as “site:yourdomainhere.com filetype:pdf” or “site:yourdomainhere.com files”.
Complete Google Dorks List in 2020 For Ethical Hacking and Penetration Testing has some great examples and lists that can be utilized in your reconnaissance.
Information Gathering and Documentation
By gathering this information about your organization and documenting the data in a spreadsheet, you’ll have a much better handle on your overall external footprint. These tools, while similar, may very well yield different results based on their algorithms and search functionality. If you take an investigative mindset you’ll likely have better results.
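The confirm-and-document step above (Shodan/Censys findings checked against a Zenmap scan, then recorded in a spreadsheet) as an added Python example; it is not code from the original article. The IP addresses, the OSINT results and the trimmed Nmap XML are constructed sample data, and "reported" ports come from the sources' own data, not from the example scanning anything.

```python
"""Reconcile externally reported open ports (Shodan/Censys) with a confirming
Nmap/Zenmap scan and emit spreadsheet-ready rows for the footprint inventory."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed: ports each OSINT source claimed to see per host (TEST-NET-3 range).
REPORTED = {
    "203.0.113.10": {"shodan": {22, 443, 8443}, "censys": {443, 8443}},
    "203.0.113.11": {"shodan": {3389}, "censys": set()},
}

# Constructed: a trimmed Nmap XML report (the format Zenmap saves) for the same hosts.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  <port protocol="tcp" portid="8443"><state state="filtered"/></port></ports></host>
 <host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
 </ports></host>
</nmaprun>"""

def parse_nmap_open_ports(xml_text):
    """Return {ip: {port: service_name}} for ports Nmap reports as open."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = {}
        for p in host.iter("port"):
            if p.find("state").get("state") == "open":  # filtered/closed are not confirmed
                svc = p.find("service")
                ports[int(p.get("portid"))] = svc.get("name") if svc is not None else ""
        result[addr.get("addr")] = ports
    return result

def reconcile(reported, confirmed):
    """One row per (ip, port): which OSINT sources reported it and whether the scan confirmed it."""
    rows = []
    for ip, sources in reported.items():
        seen = set().union(*sources.values()) | set(confirmed.get(ip, {}))
        for port in sorted(seen):
            srcs = [name for name, ports in sources.items() if port in ports]
            rows.append({"ip": ip, "port": port, "sources": "+".join(srcs) or "scan-only",
                         "service": confirmed.get(ip, {}).get(port, ""),
                         "status": "confirmed" if port in confirmed.get(ip, {}) else "unconfirmed"})
    return rows

def to_csv(rows):
    """Serialize the reconciled rows as CSV text ready to paste into the inventory spreadsheet."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["ip", "port", "sources", "service", "status"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()
```

An "unconfirmed" row (here 8443, reported by both sources but filtered in the scan) is exactly the kind of discrepancy between tools that deserves a second look rather than a blanket assumption either way.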
Using the findings to correct any holes in your external footprint will help to strengthen the security of your organization.
About the Author: Britton White is a Cybersecurity & HIPAA Compliance Advisor who works diligently to assure his clients and associates are informed of security risks and vulnerabilities. He is continuously working to find better ways to assure security controls are in place.