Module 03 - OSINT

OSINT, or Open-Source Intelligence, refers to information available in the public domain, which can be categorized into various resources such as internet resources, traditional media, scientific publications, enterprise papers, and geospatial information. There are three types of OSINT collection methods: passive, semi-passive, and active, each varying in the level of interaction with the target. The document also discusses various tools and techniques for OSINT gathering, including the Wayback Machine, Shodan, Google search operators, and DNS enumeration tools.

Uploaded by

Nakajima Ghassen

OSINT

OSINT is Open-Source INTelligence: information in the public domain or accessible from public sources.

[Link] 2
OSINT resources can be divided into the following categories:

• Internet resources, which encompass most OSINT resources. These include discussion forums, blogs, social media sites, and all types of digital files (documents, videos, audio files, webpages, source code) available online, along with their associated metadata, IP addresses and technical information.
• Traditional media sources, such as TV and radio broadcasts, newspapers, magazines, or books.
• Scientific and academic publications, such as research papers, review articles, technical white papers, dissertations, academic journals, theses, books, or grey literature.
• Enterprise papers, which include business profiles, annual reports, conference proceedings, tax records, and even immigration records.
• Geospatial information, such as online maps, commercial imagery satellites, and data generated by GPS-capable devices.
There are 3 types of OSINT collection:

• Passive collection
• Semi-passive collection
• Active collection

Passive Collection

This is the most used type when collecting OSINT. By default, most OSINT gathering methods should use passive collection, because the main aim of OSINT gathering is to collect information about the target via publicly available resources.

Semi-passive Collection

Sends internet traffic to target servers in order to acquire general information about them. This traffic should resemble typical internet traffic to avoid drawing any attention to your reconnaissance activities. In this way, you are not performing an in-depth investigation of the target's online resources, but only investigating lightly, without raising any alarm within the group you are investigating.

Active Collection

You interact directly with the system to gather intelligence about it, but the target can become aware of the reconnaissance process, since the person or entity collecting information uses advanced techniques to harvest technical data about the target IT infrastructure, such as accessing open ports, scanning for vulnerabilities (unpatched Windows systems), scanning web server applications, and more. This traffic will look like suspicious behavior and will more than likely leave traces in the target's intrusion detection system (IDS) or intrusion prevention system (IPS).
The Wayback Machine is a digital archive of the World Wide Web that stores snapshots of websites at various points in time. Attackers may use it to gather compromising intelligence about an organization through earlier versions of its websites.

• [Link]

Robtex uses various sources to gather public information about IP numbers, domain names, host names, autonomous systems, routes, etc. It then indexes the data in a big database and provides free access to it.

• [Link]

Shodan is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet, using a variety of filters.

• [Link]
Shodan also supports search filters; here are some of them:

Search for results in given country(s)
• country:DE,CH,FR

Search for SSH on port 22 or 3333
• ssh port:22,3333

Search for the name of the software identified in the banner
• product:Apache

Search for Siemens industrial automation devices
• "Siemens, SIMATIC" port:161

Search for unprotected VNC services
• "authentication disabled" "RFB 003.008"

The full list of filters is available at the following link
• [Link]
Pastebin is a website where you can store any text online for easy sharing. The website is mainly used by programmers to store pieces of source code or configuration information, but there are also people who submit leaked passwords, results of network scans, etc.
• [Link]

[Link] is a certificate transparency project, which uses historical SSL certificate information.

• [Link]

Google also has a certificate transparency site, which uses historical SSL certificate information.

• [Link]icates?hl=en
OSINT - google
It is no secret that Google's search engine is very powerful: it holds billions of records in its search databases. To get the best matching answers, you must know how to write a correct search query.

Google uses the 'operator:search_term' approach.

To search for exact phrases, use double quotes
• "Hello world"

To exclude specific words from search results, use the '-' sign followed by the excluded word
• linux distributions -ubuntu

Search for pages that have the searched text in their titles
• intitle:"login page"

Search for specific filenames in the URL
• inurl:"[Link]"

Limit search results to a specific site
• site:[Link]

List pages that link to the search query
• link:[Link]

Search for a specified file extension
• filetype:txt password

Several examples of 'hacking' search queries

• allintext:username filetype:log site:id
• intitle:"index of" filetype:txt
• inurl:[Link] inurl:currenttime
• intitle:"live view" intitle:axis
OSINT - whois
'Whois' is a widely used Internet record listing that identifies who owns a domain/IP and how to get in contact with them. Whois is one of the main tools that IT people use on Unix, Linux and Mac systems to look up the registration information about a domain.

To get 'whois' information for a site, type 'whois' followed by the domain name in a Linux terminal
• whois [Link]

To get detailed information about the network owner of the site, you first need to get the IP address from the hostname. In a terminal window, type the command 'host', 'nslookup' or 'dig' followed by the hostname. All three commands will run a DNS query against the DNS servers and give back the IP address(es) of the hostname; only the output format differs.
• host [Link]
• nslookup [Link]
• dig [Link]

To get the authoritative DNS server(s) for a specific domain
• dig [Link] NS

To get the mail server(s) for a specific domain
• dig [Link] MX

Once you have identified the IP address of the hostname, run the 'whois' command again, but against the IP address, not the hostname
• whois [Link]

'Whois' information can also be viewed from several web resources. Here are examples of such sites:

[Link]
[Link]
[Link]

Enter the IP address of the site and view the 'whois' information.
OSINT - OSRFramework
Open Sources Research Framework (OSRFramework) is software with different applications related to username checking, DNS lookups, information leak research, deep web search, regular expression extraction and many others.

'OSRFramework' is present in Kali's repository. Let's install it; type the following command in a terminal window
• apt-get install osrframework

You can also install 'OSRFramework' from the Python package repository. First install pip by typing the following command in a terminal window
• apt-get install python3-pip

Then install it using the Python package installer 'pip3'
• pip3 install osrframework

'OSRFramework' installs the following components:
mailfy - find information about emails, taken as a reference nickname or email list
searchfy - find profiles linked to a full name
usufy - identify social media profiles using a given nickname
checkfy - guess possible emails based on a list of candidate nicknames and a pattern

Let's search for username profiles in different social media networks. Since the search can take a very long time, press 'Ctrl+c' after 10-15 seconds
• usufy -n 'billgates'

Output of the username 'billgates' search

You can supply several usernames to search for
• usufy -n billgates jeffbezos

By default, all social media platforms are searched. To limit the search to specific platform names, use the '-p' option followed by the platform name
• usufy -n billgates jeffbezos -p facebook twitter

To check for registered domains in different zones, use the command 'domainfy'
• domainfy -n google -t all

To search for profiles by full name, use the command 'searchfy'
• searchfy -q "Bill Gates"
OSINT - UserRecon
'UserRecon' allows you to find usernames across over 75 social networks. This program is not in the Kali repository, so we need to clone it from GitHub
• cd /opt/
• git clone [Link]

Let's move to the newly created folder and make the '[Link]' file executable
• cd userrecon/
• chmod a+x [Link]
• ls -la [Link]

Now we can start searching for usernames on social media networks. Type the following command and then enter the desired username at the 'Input Username' prompt
• ./[Link]

The results of the findings will appear line by line on your screen.
OSINT - DNS
DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can yield information such as usernames, computer names, and IP addresses of potential target systems.

'fierce' is a command line DNS enumeration tool. The default dictionary contains 1594 records.
• fierce --domain [Link]

To use a custom wordlist, append the option '--subdomain-file' followed by the path to the file
• fierce --domain [Link] --subdomain-file ./[Link]

'DNSenum' is a script which enumerates sub-domain records for a specified domain with the use of a dictionary file. Let's install 'DNSenum'. First, we move to the '/opt' folder and clone the program from GitHub
• cd /opt
• git clone [Link]

'DNSenum' already comes with 3 different dictionary files, which can be used for DNS enumeration
• cd DNSenum/
• ls -la wordlist/

Now let's run DNS sub-domain enumeration
• ./[Link] -d [Link] -f ./wordlist/subdomains-[Link]

Another type of DNS enumeration is reverse DNS enumeration. This approach resolves every IP address in a specific network range and discards the ones that have no PTR record (NXDOMAIN)
• for i in {1..255} ; do host 13.234.210.$i | grep -v NXDOMAIN ; done
OSINT - wordlists
Very important for all types of enumeration (DNS, users, HTTP, SMTP, etc.) is to use a proper dictionary file. There are a lot of resources with different wordlists. One good example is 'SecLists' on GitHub

• [Link]

For installation from the Kali Linux repository, run the following command
• apt-get -y install seclists

All 'seclists' dictionary files will be installed in the '/usr/share/seclists' folder
• ls -la /usr/share/seclists
OSINT - metadata
Metadata is information about other data. Many files contain extra or even hidden data beyond the visual data you see at first glance. E-books, photographs, movies, music and even documents can contain data that you don't see at first glance.

Metadata From Photos

Photos contain 'exif' data that can give you useful information about the picture. Information such as shutter speed and focal length is stored inside the image. Likewise, you can find out where the photo was taken by looking at the location information.

Video Metadata

Similar to photos, videos contain metadata about the location where the video was shot. Likewise, container formats like AVI and MP4 contain meta information about codecs, video and audio streams and more.

Hidden Data In Documents

Documents can contain metadata too. It includes information such as file size and date of creation, but also information about the author of a document and the software used to create it.
OSINT - exiftool
How to view 'exif' data in images? Kali Linux has a command line tool called 'exiftool'. Let's install it from the repository
• apt-get -y install exiftool

Let's download a sample image file
• wget [Link] -O [Link]

To view 'exif' information from the image, run the 'exiftool' command followed by the image name
• exiftool [Link]

'exiftool' shows a lot of information embedded in the image, including information about the device/camera which was used to take the photo. On some images, you may also see geolocation data.

By default, 'exiftool' shows GPS coordinates in a human-readable degrees/minutes/seconds format, which Google Maps does not understand. The '-n' option prints the raw numeric values instead. Let's print Google-Maps-friendly GPS data from the photo
• exiftool -gpslatitude -gpslongitude -n [Link]

Now, in your browser open Google Maps '[Link]' and enter the retrieved GPS coordinates.
The '-c' option allows you to set the format of the displayed coordinates. For example, if you have too many (or too few) digits after the decimal point, their quantity can be changed with this option.
• exiftool -gpslatitude -gpslongitude -c '%+.6f' [Link]

'exiftool' is also available for Windows and MAC operating systems. Visit the site '[Link]' and download the "Windows Executable" archive or the 'MacOS Package'.

With 'exiftool' you can remove all GPS-related data from an image. Let's first check all GPS metadata.
• exiftool -G [Link] | grep -i gps

Now remove the GPS data, writing the result to a new file
• exiftool -gps:all= [Link] -o opsecfail_nogps.jpg

Now, let's check the GPS metadata of the new image
• exiftool -G opsecfail_nogps.jpg | grep -i gps

As you can see, all GPS-related data has been removed from the new image.
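What 'exiftool -n' does for the GPS tags (three degree/minute/second rationals plus the N/S/E/W reference letter, turned into signed decimal degrees) and what stripping the EXIF segment does can be reproduced in plain Python. The block below is an added example, not part of the original slides and not exiftool's code: it walks the JPEG marker segments, reads the GPS IFD from the EXIF TIFF structure, and removes the EXIF APP1 segment (the EXIF part of what '-all=' removes). The sample JPEG is constructed inline and carries the Area 51 coordinates used elsewhere in these slides.

```python
import struct

def _build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: SOI, one EXIF APP1 segment holding only a GPS IFD, then EOI."""
    # Little-endian TIFF. Offsets: IFD0 at 8, GPS IFD at 26, latitude/longitude rationals at 80/104.
    rat = lambda dms: b"".join(struct.pack("<II", round(v * 10000), 10000) for v in dms)
    tiff = b"II*\0" + struct.pack("<IH", 8, 1)
    tiff += struct.pack("<HHIII", 0x8825, 4, 1, 26, 0)                    # IFD0: GPSInfo pointer, next=0
    tiff += struct.pack("<H", 4)                                          # GPS IFD: four entries
    tiff += struct.pack("<HHI", 1, 2, 2) + lat_ref.encode() + b"\0\0\0"   # GPSLatitudeRef (ASCII, inline)
    tiff += struct.pack("<HHII", 2, 5, 3, 80)                             # GPSLatitude (3 RATIONAL)
    tiff += struct.pack("<HHI", 3, 2, 2) + lon_ref.encode() + b"\0\0\0"   # GPSLongitudeRef
    tiff += struct.pack("<HHII", 4, 5, 3, 104) + struct.pack("<I", 0)    # GPSLongitude, next=0
    tiff += rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _segments(data):
    """Yield (start, end, is_exif) for every marker segment between SOI and the scan data."""
    pos = 2 if data[:2] == b"\xff\xd8" else len(data)
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (0xD9, 0xDA):
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield pos, pos + 2 + seglen, data[pos + 1] == 0xE1 and data[pos + 4:pos + 10] == b"Exif\0\0"
        pos += 2 + seglen

def _gps_from_tiff(t):
    end = "<" if t[:2] == b"II" else ">"                                  # byte order from TIFF header
    u16 = lambda o: struct.unpack(end + "H", t[o:o + 2])[0]
    u32 = lambda o: struct.unpack(end + "I", t[o:o + 4])[0]
    entries = lambda ifd: {u16(ifd + 2 + 12 * i): ifd + 2 + 12 * i for i in range(u16(ifd))}
    ifd0 = entries(u32(4))
    if 0x8825 not in ifd0:                                                # no GPSInfo IFD pointer
        return None
    gps = entries(u32(ifd0[0x8825] + 8))
    if any(tag not in gps for tag in (1, 2, 3, 4)):                       # LatRef, Lat, LongRef, Long
        return None
    def dms(entry):  # three RATIONALs (deg, min, sec) at the entry's data offset
        off = u32(entry + 8)
        d, m, s = (u32(off + 8 * i) / (u32(off + 8 * i + 4) or 1) for i in range(3))
        return d + m / 60 + s / 3600
    lat = dms(gps[2]) * (-1 if chr(t[gps[1] + 8]) == "S" else 1)           # ref letter is stored inline
    lon = dms(gps[4]) * (-1 if chr(t[gps[3] + 8]) == "W" else 1)
    return round(lat, 6), round(lon, 6)

def extract_gps(data):
    """Signed decimal (lat, lon), as 'exiftool -gpslatitude -gpslongitude -n' prints, or None."""
    for start, end, is_exif in _segments(data):
        if is_exif:
            return _gps_from_tiff(data[start + 10:end])                    # skip marker, length, 'Exif\0\0'
    return None

def strip_exif(data):
    """Drop every EXIF APP1 segment (the EXIF part of what 'exiftool -all=' removes)."""
    out, last = b"", 0
    for start, end, is_exif in _segments(data):
        if is_exif:
            out, last = out + data[last:start], end
    return out + data[last:]

SAMPLE = _build_sample_jpeg((37, 14, 35.16), "N", (115, 47, 34.8), "W")  # Area 51, as on the slides
```

Run extract_gps over the files in a publishing pipeline to catch images that still carry a location before they go out; note that strip_exif only drops the EXIF segment, while IPTC and XMP blocks (which exiftool's '-all=' also removes) would need the same treatment for their own markers.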
'exiftool' is a very powerful program for displaying and manipulating image metadata. In addition to showing meta information, it allows you to modify existing data. Let's check the original image's metadata
• exiftool -G [Link] | grep -i -E '(Make )|(Model)|(Software)|(Device)|(Lens)'

Now, let's modify the camera data and save it to a new file
• exiftool -Make='Samsung' -Model='Galaxy s40 Ultra' -Software='G988BXXU5CTKG' -lensmake='Samsung Lens' -lensmodel='Samsung Lens X40s' -makernotes:all= [Link] -o opsecfail_new_camera.jpg

Now, let's check the new file's metadata
• exiftool -G opsecfail_new_camera.jpg | grep -i -E '(Make )|(Model)|(Software)|(Device)|(Lens)'

With 'exiftool' you can modify/spoof GPS coordinates in the image. Let's change the GPS location in the image metadata to 'Area 51'. According to Google Maps, the location of 'Area 51' is 37.2431° N, 115.7930° W.
• exiftool -GPSLatitude='37.2431' -GPSLongitude='115.7930' -GPSLatitudeRef='N' -GPSLongitudeRef='W' [Link] -o opsecfail_new_gps.jpg

Let's print Google-Maps-friendly GPS data from the photo with the new GPS coordinates
• exiftool -gpslatitude -gpslongitude -n opsecfail_new_gps.jpg

Now, in your browser open Google Maps '[Link]' and enter the GPS coordinates retrieved from the new image.

With 'exiftool' you can modify any meta information in the image. Here's an example of changing additional data
• exiftool -DateTime='[Link] [Link]' -DateTimeOriginal='[Link] [Link]' -DateTimeDigitized='[Link] [Link]' -ModifyDate='[Link] [Link]' -CreateDate='[Link] [Link]' -GPSTimeStamp='[Link]' -GPSDateStamp='[Link]' -UserComment='Holidays' -LocationName='Bali' -Sub-location='Beach' -City='Denpasar' -Province-State='BALI' -Country-PrimaryLocationName='Indonesia' [Link] -o opsecfail_new_data.jpg

It is often necessary to remove all meta information from an image. Let's do so
• exiftool -all= [Link] -o opsecfail_nometa.jpg

Now let's view the meta information in the new image
• exiftool opsecfail_nometa.jpg
OSINT - mat2
Another piece of software which allows you to remove meta information from different files (jpg, docx, xls, pdf, etc.) is MAT2, the Metadata Anonymisation Toolkit v2.

MAT2 only removes metadata from your files; it does not anonymise their content, nor can it handle watermarking, steganography, or any too-custom metadata field/system. If you really want to be anonymous, use file formats that do not contain any metadata, or better: use plain text.

Let's install MAT2 on your Kali machine
• apt-get -y install mat2

To view meta information from an image, run the 'mat2' program, followed by the '-s' option and the file name at the end
• mat2 -s [Link]

To remove all meta information from an image, run 'mat2' followed by the image name. A new file '[Link]' will be created.
• mat2 [Link]
Now check the meta information in the new file
• mat2 -s [Link]

To remove all metadata without creating backup files (this will overwrite existing files), use the '--inplace' option. To clean metadata from all files in the current folder, use '*.jpg'
• mat2 --inplace *.jpg

The same approach is used for other files: *.pptx, *.pdf, *.docx, etc.