Open-Source Intelligence (OSINT)
Publicly available information used to gather insights about targets in penetration testing.
- Purpose: Identify company structure, employee details, security weaknesses
- Key Role: Guides planning and prioritization of deeper tests
Social Media & Job Boards
- Platforms: LinkedIn, Facebook, X (Twitter), Instagram, Indeed, Glassdoor
- Insights Gained:
  - Organizational structure & key personnel (new hires, roles)
  - Technology stack & upcoming projects (from job descriptions)
  - Cultural/operational clues (budget cuts, rapid remote-work shifts)
  - Insider threats via disgruntled employees’ posts
- Examples:
  - LinkedIn posting for “Network Engineer” mentioning Fortinet & Azure → infer tools in use
  - Employee tweet about system upgrade → ideal testing window
Information Disclosures
Unintended exposure of sensitive data online.
- Vectors:
  - Misconfigured servers (directory listings, status pages)
  - Insecure data storage (public S3 buckets)
  - Faulty application code (verbose errors/logs)
- Sources: Web apps, APIs, server headers
- Real Examples:
  - AWS S3 misconfig → 540M records exposed
  - Error page revealing SQL queries & API keys
- Mitigations:
  - Use generic error messages; store logs securely
  - Disable directory listing; patch software
  - Harden APIs: enforce authentication, validate and sanitize inputs
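Added example (not part of the original notes): a small review script that checks HTTP responses for the disclosure vectors listed above, so a team can run it over its own staging responses before they go public. The indicator regexes and the three sample responses are constructed for illustration; no host is contacted, and the patterns are a starting point rather than an exhaustive signature set.

```python
import re

# Constructed indicator list for information-disclosure review (assumption: these
# patterns are illustrative, not an exhaustive signature set).
# Each entry is (finding name, where to look, compiled regex).
INDICATORS = [
    # Version strings in server-identifying headers
    ("server-version-in-header", "headers",
     re.compile(r"^(server|x-powered-by|x-aspnet-version):.*\b\d+\.\d+", re.I | re.M)),
    # Auto-generated directory index pages
    ("directory-listing", "body", re.compile(r"<title>\s*Index of /", re.I)),
    # Python and Java stack traces leaking into the response
    ("stack-trace", "body",
     re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\([\w]+\.java:\d+\)")),
    # Raw SQL text echoed in an error page
    ("sql-in-error", "body", re.compile(r"\bSELECT\b.+?\bFROM\b.+?\bWHERE\b", re.I | re.S)),
    # Credential-shaped tokens (AWS access key ID format) in the body
    ("aws-access-key-id", "body", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]


def scan_response(headers, body):
    """Return the list of indicator names that fire for one HTTP response."""
    header_blob = "\n".join(f"{name}: {value}" for name, value in headers.items())
    findings = []
    for name, where, pattern in INDICATORS:
        haystack = header_blob if where == "headers" else body
        if pattern.search(haystack):
            findings.append(name)
    return findings


def scan_all(responses):
    """Scan a mapping of label -> (headers, body); return only responses with findings."""
    report = {}
    for label, (headers, body) in responses.items():
        findings = scan_response(headers, body)
        if findings:
            report[label] = findings
    return report


# Constructed sample responses (no real host was contacted; the key is a dummy).
SAMPLE_RESPONSES = {
    "verbose-error": (
        {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"},
        "<h1>500 Internal Server Error</h1><pre>"
        "Traceback (most recent call last):\n"
        '  File "app.py", line 12, in handler\n'
        '    cursor.execute("SELECT * FROM users WHERE id = 7")\n'
        "aws_key = 'AKIAEXAMPLEKEY000000'</pre>",
    ),
    "dir-listing": (
        {"Server": "nginx", "Content-Type": "text/html"},
        "<html><head><title>Index of /backup/</title></head><body>...</body></html>",
    ),
    # Generic error page with an opaque reference ID: nothing should fire
    "hardened": (
        {"Server": "nginx", "Content-Type": "text/html"},
        "<h1>Something went wrong</h1><p>Reference ID: 4f2c</p>",
    ),
}

if __name__ == "__main__":
    for label, findings in scan_all(SAMPLE_RESPONSES).items():
        print(f"{label}: {', '.join(findings)}")
```

The "hardened" sample shows the mitigation shape the notes recommend: a generic message plus a reference ID that lets support correlate with server-side logs, with no trace, query or version string in the body.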
Cryptographic Flaws
Weaknesses in encryption identified via OSINT.
- Common Issues:
  - Expired certificates → MITM risk
  - Weak algorithms (e.g., SHA-1) → collision attacks
  - Improper issuance → rogue certificates
- Tools: OpenSSL, SSL checkers, Certificate Transparency (CT) logs
- Notable Cases:
  - Symantec misissuance (2013)
  - Egyptian gov’t rogue certs (2017)
  - Apple macOS intermediate CA misconfig (2019)
DNS Lookups
Use dig / nslookup to harvest DNS records (A, CNAME, NS, PTR).
- Purpose: Map domains ↔ IPs, discover subdomains and hidden hosts
- Reverse DNS: Verify the source of IP traffic (dig -x 8.8.8.8)
- Attacks:
  - DNS Flood/Amplification (Mirai 2016)
  - Cache Poisoning (Kaminsky 2008)
  - Unauthorized Zone Transfers
- Defenses: Randomize transaction IDs/ports; restrict AXFR
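Added example (not from the original notes): the reverse-DNS verification step above, done offline. The script builds the in-addr.arpa / ip6.arpa name that dig -x would query, then applies forward-confirmed reverse DNS (FCrDNS): the PTR name is only trusted if its own A record points back at the same IP. The resolver tables are constructed stand-ins for live lookups; 203.0.113.0/24 is a documentation range, and the dns.google mapping for 8.8.8.8 is the real one.

```python
import ipaddress

# Constructed resolver tables standing in for live "dig A" / "dig -x" answers.
PTR_RECORDS = {
    "8.8.8.8.in-addr.arpa": "dns.google",
    "10.113.0.203.in-addr.arpa": "mail.example.com",  # forward record agrees
    "20.113.0.203.in-addr.arpa": "www.example.com",   # forward record does not agree
}
A_RECORDS = {
    "dns.google": ["8.8.8.8", "8.8.4.4"],
    "mail.example.com": ["203.0.113.10"],
    "www.example.com": ["203.0.113.50"],
    "dev.example.com": ["203.0.113.60"],
}


def reverse_name(ip):
    """Name that `dig -x` queries for this address (in-addr.arpa or ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def lookup_ptr(ip):
    """PTR answer for an IP, or None when no reverse record exists."""
    return PTR_RECORDS.get(reverse_name(ip))


def lookup_a(name):
    """A answers for a hostname (empty list when unknown)."""
    return A_RECORDS.get(name, [])


def fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP.
    Returns (ptr_name, confirmed)."""
    name = lookup_ptr(ip)
    if name is None:
        return None, False
    return name, ip in lookup_a(name)


def ip_to_names(a_records):
    """Invert A records to map each IP to the hostnames that point at it
    (the 'map domains <-> IPs' step)."""
    mapping = {}
    for name, ips in a_records.items():
        for ip in ips:
            mapping.setdefault(ip, []).append(name)
    return {ip: sorted(names) for ip, names in mapping.items()}


if __name__ == "__main__":
    for ip in ("8.8.8.8", "203.0.113.10", "203.0.113.20", "203.0.113.60"):
        print(ip, "->", reverse_name(ip), fcrdns(ip))
    print(ip_to_names(A_RECORDS))
```

A PTR record is set by whoever controls the reverse zone for the address, so on its own it proves nothing about the forward domain; the forward confirmation is what makes it usable as evidence about where traffic came from. Swap the two dictionaries for real resolver calls to use this against live data.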
Certificate Transparency Logs
Public, auditable logs of SSL/TLS certificates (Google initiative).
- Components:
  - Monitors: detect suspicious certificates
  - Auditors: verify log integrity
- Benefits:
  - Reveal misissuance & rogue certs
  - Uncover hidden subdomains (e.g., dev.example.com)
- Revocation Mechanisms: OCSP, CRL, OCSP Stapling
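Added example (not from the original notes) covering both the Cryptographic Flaws section and the CT monitor role described here: a minimal monitor that audits a batch of CT-log entries for a domain the defender owns. It flags an issuer the organisation does not use, names absent from the asset inventory (the hidden-subdomain case, e.g. dev.example.com), expired certificates, and weak signature algorithms such as SHA-1. The entries, the issuer allowlist, the inventory and the fixed reference time are all constructed; the field names follow the rough shape of crt.sh JSON rows, which is an assumption a real monitor would adapt to its own feed.

```python
from datetime import datetime, timezone

# Constructed CT-log entries, shaped loosely like crt.sh JSON rows (an assumption
# about field names; a real monitor would map its feed's fields here).
CT_ENTRIES = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com",
     "not_after": "2026-01-10T00:00:00", "sig_alg": "sha256WithRSAEncryption"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "dev.example.com",              # subdomain missing from inventory
     "not_after": "2026-03-01T00:00:00", "sig_alg": "sha256WithRSAEncryption"},
    {"id": 3, "issuer_name": "C=XX, O=Untrusted CA Ltd, CN=Untrusted Root",
     "name_value": "login.example.com",            # issuer the organisation never uses
     "not_after": "2026-06-01T00:00:00", "sig_alg": "sha256WithRSAEncryption"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "api.example.com",              # expired, and SHA-1 signed
     "not_after": "2024-05-01T00:00:00", "sig_alg": "sha1WithRSAEncryption"},
]

# What the defender knows about their own estate (constructed).
KNOWN_ISSUER_ORGS = {"Let's Encrypt"}
INVENTORY = {"example.com", "www.example.com", "api.example.com", "login.example.com"}
WEAK_SIG_ALGS = ("md5", "sha1")
# Fixed reference time so the audit is reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def issuer_org(issuer_name):
    """Pull the O= attribute out of a comma-separated distinguished name."""
    for part in issuer_name.split(","):
        part = part.strip()
        if part.startswith("O="):
            return part[2:]
    return None


def audit_entry(entry, now=NOW):
    """Return the list of findings for one CT entry (empty when it looks normal)."""
    findings = []
    if issuer_org(entry["issuer_name"]) not in KNOWN_ISSUER_ORGS:
        findings.append("unexpected-issuer")
    # crt.sh-style name_value carries one SAN per line
    names = set(entry["name_value"].split("\n"))
    unknown = sorted(names - INVENTORY)
    if unknown:
        findings.append("unknown-name:" + ",".join(unknown))
    not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
    if not_after < now:
        findings.append("expired")
    if any(weak in entry["sig_alg"].lower() for weak in WEAK_SIG_ALGS):
        findings.append("weak-signature-algorithm")
    return findings


def audit(entries, now=NOW):
    """Map entry id -> findings, keeping only entries that raised something."""
    report = {}
    for entry in entries:
        findings = audit_entry(entry, now)
        if findings:
            report[entry["id"]] = findings
    return report


if __name__ == "__main__":
    for cert_id, findings in audit(CT_ENTRIES).items():
        print(f"cert {cert_id}: {', '.join(findings)}")
```

An "unexpected-issuer" hit on a name you own is the misissuance signal the notes describe and is the one to act on first (revocation request to the CA, then check CAA records); an "unknown-name" hit is usually an inventory gap to reconcile rather than an attack.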
Search Engine Analysis
Leverage advanced operators to pinpoint data.
- Operators: "" (exact phrase), - (exclude), AND / OR (Boolean), site:, intitle:, inurl:, filetype:
- Use Cases:
  - Locate sensitive PDFs: site:example.com filetype:pdf "confidential"
  - Exclude drafts: "security report" -draft
- Additional Tools:
  - Reverse image search (TinEye, Google Images)
  - Google Alerts: continuous monitoring of keywords
Summary: OSINT combines social platforms, web archives, DNS enumeration, certificate transparency, and search-engine techniques to build a stealthy, comprehensive target profile and inform a focused penetration testing strategy.