OSINT or how to look at your network through the eyes of a hacker

Good day! Today I will tell you what information about an organization can be found in open sources and how a potential attacker can use it. Many of you have probably heard of OSINT (Open Source INTelligence, a list of activities aimed at collecting information from open sources), which is most often used to collect information about a specific person. But OSINT can also be used to find information about specific organizations to assess security. You must admit that it is useful to see what is publicly available about you and how you look from the side of a potential attacker.

Popular resources where information is collected

To conduct an active scan, it is necessary to sign an NDA and coordinate the work, which naturally takes time. In this regard, it is necessary to use only data that is in open sources, not to scan the IT infrastructure and, accordingly, not to spend man-hours on bureaucracy.

So what can be found in the public domain?

The most detailed answer to this question is osintframework.com, I recommend reading it to get a generalized answer to the question posed.

I will try to highlight the most interesting information for information security specialists from the vast amount of information. We will search:

  • Corporate mailing addresses
  • The facts of compromising postal addresses
  • Subdomains registered with the company
  • Company IP addresses and autonomous systems
  • Open ports and services located on them, as well as selection of vulnerabilities and exploits for discovered services
  • Hidden site directories
  • Confidential documents

What can you use to find this information?

There are a huge number of tools on the Internet for search for postal addresses companies by domain, for example:

hunter.io – until recently, the tool was completely free, but unfortunately times are changing.

Browser extension Email Finder from Snov.io – at the moment it has huge functionality in the free version and finds a huge number of domain accounts, but for how long? ..

theHarvester – collects both postal addresses and subdomains, open ports as well as data on virtual hosts. Preinstalled on Kali Linux.

There are both paid and free tools, the choice of use depends on the willingness / ability to pay for the improved functionality. It makes sense to use several tools at the same time as they produce different results. Ultimately, we have a large list of company mailing addresses that must be checked for compromised accounts.

To inspect can be on many well-known service haveibeenpwned.com.

At the output, the tool gives us information in which databases contain account mentions, whether these databases contain data on passwords, physical addresses, phone numbers, etc.

We will not get the passwords themselves here, but we will be able to divide email addresses into “clean” and potentially compromised ones.

It should be noted here that the tool has a paid API. Without it, of course, you can check all mailing addresses, but you will have to submit them to the entrance one by one, which will take a lot of time. When purchasing an API ($ 3.5 per month, purely symbolic fee), we will be able to use it in various scripts and, accordingly, significantly speed up and automate the analysis process.

In the future, you can use the bot in telegram @mailsearchbot

At the entrance we give him potentially compromised postal addresses, at the exit we get the passwords used in conjunction with this postal address. It is worth noting that it is not possible to find passwords for all accounts, but the detection rate is large. And again, if there is a desire / opportunity to financially support the developer, you can receive complete data, without symbols hidden by asterisks, but unfortunately here the price already bites.

The next step is to collect information about subdomains… There are a lot of tools to do this, for example:


dnsdumpster.com – knows how to draw beautiful graphs of relationships and export the results to Excel, but has a limitation on issuing only 100 subdomains.

pentest-tools.com – I advise you to familiarize yourself with the site in more detail, since here you can search not only for subdomains. In the lite version, it has a limit of 2 scans per day, but TOR is easy to get around)

It also makes sense to combine tools to determine the largest number of subdomains. Often paired with a subdomain is an IP address, which can later be fed to shodana (shodan.io) for get a list of open ports and servicessticking out on the Internet.

In the future, you can select vulnerabilities and exploits for specific versions of services using resources such as:

cvedetails.com – a large, updated CVE database of services and their versions. There may be some difficulties with finding the necessary services as they are repeated (for example, there are two different pages of the Microsoft IIS service with different vulnerabilities).

exploit-db.com – a large database of exploits. It is worth noting here that there are exploits confirmed by the site administration and not verified.

In the shodan data, we are also interested in the belonging of the ip-address of any autonomous system… The check is performed in various Whois services, of which there are also a large number. By and large, there is no difference with which tool to work, so I will demonstrate the ones on which I stopped:

bgp.he.net – looks clumsy, but shows data on any autonomous systems.

ididb.ru – to a greater extent focused on collecting information about the autonomous systems of the Runet.

If an autonomous system belonging to a company is found, it makes sense to run all ip through shodan and collect as much information as possible on service versions.

To analyze the definitions on which technologies built site a browser extension can be used Wappalyzer… Often the tool detects versions and, accordingly, you can also select vulnerabilities for them.

We pass to the final stage – search for hidden directories and site files… This is where:

  • Google dorks
  • DirBuster

Google Dork Queries Are tricky queries to search engines that help shed light on data that is publicly available, but hidden from prying eyes. On the Internet, there is enough information on how to “correctly” compose queries to a search engine to obtain the necessary information. Andrey Masalovich clearly showed how it’s done.

In its turn DirBuster it is a tool for finding hidden directories and files that you forgot to remove from public access or added there by mistake. It has several built-in dictionaries for searching. It is recommended to use the directory-list-2.3-medium dictionary to optimize the ratio of spent time to exhaust.

There is a lot of information to be analyzed when using these tools, but often the effort is rewarded.

Popular courses / books for teaching

  • Course OSINT introduction videos
  • Certified course OSINT and Competitive Intelligence
  • I advise you to watch on YouTube the recordings of the speeches of Masalovich Andrey Igorevich, the teacher of the previous course. He is a true professional in his field, he will tell a lot of interesting things. I also advise you to read it websitewhere you can find a large number of video materials and books on this subject

Top 5 problems we find with OSINT

In my practice, I succeeded:

  • Get the ability to manage the site on behalf of the administrator because there was an opportunity to fall into a directory that bypasses the administrator’s authorization. Naturally, I didn’t touch anything there, but if only it was not me, but a potential intruder? You need to close such directories.
  • Find databases sticking out on the Internet, which, moreover, were very ancient and extremely leaky. Finding an exploit for such databases is an extremely simple task. There is no need to pull the DB out.
  • Detect RDP, FTP, SSH and NTP services, access to which from an unlimited pool of addresses is undesirable. Here the problem of simple passwords for accounts looms, and brute force has not been canceled. There is no need to expose such services outside unless there is a clear need.
  • Detect confidential documents. For example, documents related to the organization of the on-site regime that are in the public domain are not a good idea.
  • Find up-to-date passwords from email addresses. I myself do not check the relevance of the detected passwords, but sometimes, after reading the report, company employees ask the question: what to do if the password is really valid? In such cases, it is naturally necessary to change it, as well as change passwords on all sites where registration took place from this mailbox and hope for the best. In general, change passwords more often.


So, we see that information in open sources can become a springboard for an attack on corporate infrastructure. It is necessary to periodically check how the organization looks from the side of a potential attacker and, if possible, hide this information.

What if you can’t do OSINT yourself?

We can conduct OSINT is completely free for your organization, please contact.
If this topic is interesting to you, then stay tuned in our channels (Telegram, Facebook, VK, TS Solution Blog)!

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *