Employees of an organization often leak too much information about themselves and their company. While many employees are very happy to be working in their organizations, they sometimes share information that a threat actor can use during a cyberattack. As an aspiring penetration tester, you can also leverage this information during a penetration test on the target organization.

The following is some information that’s commonly leaked:

  • Employee contact information, such as telephone numbers and email addresses, that can be used during social engineering and account takeover attacks.
  • Photos showing their employee badges, which a threat actor can use to create a fake ID for impersonation.
  • Pictures of an employee’s computing systems and desktop, which can inform a threat actor about the available device vendors and operating systems.
  • Projects that have been completed by the employee may contain specific technical details, which can allow a threat actor to profile the internal network infrastructure.

Gathering information from Instagram:

  1. Using sherlock: scm_1
  2. The --timeout option (here --timeout 5) ensures that sherlock doesn’t spend more than 5 seconds on a site.

Gathering a company’s infrastructure data:

  1. We can use tools like Wappalyzer to see which technologies a target website is using: scm_2
  2. We can also use a website called BuiltWith to get the technology profile of a target website: scm_3

Shodan:

Shodan is a search engine for Internet of Things (IoT) devices, systems, and networks that are directly connected to the internet. Ethical hackers, penetration testers, and even threat actors use Shodan to identify their organization’s or target’s assets and check whether those assets have been publicly exposed on the internet.

  1. Go to https://www.shodan.io
  2. Create an account and log in first.
  3. Once logged in, search for windows server 2008: scm_4
  4. Click one of the results to see additional information: scm_5

Some port numbers for identification:

  • Port 21: There’s a File Transfer Protocol (FTP) server.
  • Port 53: This system is providing Domain Name System (DNS) services.
  • Port 80: There’s a web server on this device.
  • Port 110: This device is providing Post Office Protocol 3 (POP3) services for email clients.
  • Port 143: This system is running Internet Message Access Protocol 4 (IMAP4) services for email clients.
  • Port 3389: Microsoft Remote Desktop Protocol (RDP) operates on this port by default, which means RDP is currently active.
  • Port 8181: Email services are provided over this port.

Tip:

Sometimes Shodan provides CVE (Common Vulnerabilities and Exposures) identifiers for particular machines that are connected to the internet. This can be very helpful for penetration testers.
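The port table and the CVE tip above describe how an analyst reads Shodan results by hand. As an added example (not code from the original notes or from Shodan), the script below applies the same port-to-service mapping and CVE check over a constructed sample that mimics the shape of Shodan’s banner JSON (ip_str / port / vulns), so an organization can summarise its own exposed assets; the sample IPs are documentation addresses and the CVE id is a placeholder.

```python
# Added example: summarise Shodan-style search results into an exposure report.
# Runs offline on a constructed sample; no live Shodan API calls are made.
import json
from collections import defaultdict

# Port-to-service table taken from the notes above.
PORT_SERVICES = {
    21: "FTP",
    53: "DNS",
    80: "HTTP web server",
    110: "POP3",
    143: "IMAP4",
    3389: "RDP",
    8181: "email service (per notes)",
}

# Constructed sample modelled on Shodan's banner JSON; the CVE id is a placeholder.
SAMPLE_RESULTS = json.dumps({"matches": [
    {"ip_str": "192.0.2.10", "port": 3389, "transport": "tcp",
     "os": "Windows Server 2008", "vulns": {"CVE-YYYY-NNNNN": {"cvss": 9.8}}},
    {"ip_str": "192.0.2.10", "port": 80, "transport": "tcp", "vulns": {}},
    {"ip_str": "192.0.2.11", "port": 21, "transport": "tcp"},
    {"ip_str": "192.0.2.12", "port": 9999, "transport": "tcp"},
]})

def service_for(port):
    """Map a port to the service the notes associate with it."""
    return PORT_SERVICES.get(port, "unknown (check the banner)")

def build_report(raw_json):
    """Group banners by host: {ip: {"services": [(port, name)], "cves": [ids]}}."""
    hosts = defaultdict(lambda: {"services": [], "cves": []})
    for m in json.loads(raw_json).get("matches", []):
        entry = hosts[m["ip_str"]]
        entry["services"].append((m["port"], service_for(m["port"])))
        entry["cves"].extend(sorted(m.get("vulns") or {}))  # vulns may be absent
    return dict(hosts)

def hosts_needing_attention(report):
    """Hosts with RDP exposed or any CVE tag should be reviewed first."""
    return sorted(ip for ip, e in report.items()
                  if e["cves"] or any(p == 3389 for p, _ in e["services"]))

if __name__ == "__main__":
    rep = build_report(SAMPLE_RESULTS)
    for ip, e in sorted(rep.items()):
        print(ip, e["services"], e["cves"])
    print("review first:", hosts_needing_attention(rep))
```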

Censys:

Censys can gather intelligence on any publicly accessible system or network on the internet. To start gathering data about a target, follow these steps:

  1. Register on https://search.censys.io
  2. Then log in.
  3. Search for any query you need: scm_6
  4. I went to one of the machines, and this provided additional information: scm_7

Maltego:

Maltego is a graphical open source intelligence tool that was created by Paterva and is now maintained by Maltego Technologies. This tool helps ethical hackers and penetration testers quickly gather an organization’s infrastructure data by using a graphical interactive data mining application. This application can query and gather information from various sources on the internet and present data in easy-to-read graphs. These graphs provide visualizations of the relationships between each entity and the target.

  1. Sign in to https://maltego.com
  2. Complete the whole form; after completion, go to the Kali desktop.
  3. Then search for Maltego: scm_8
  4. From the installer, install Maltego.
  5. Then search for Maltego again in the Kali search bar and open it.
  6. The Maltego setup wizard will open. Log in with the Maltego ID you set up in the browser. scm_9
  7. After the setup, click the New button in the left corner: scm_10
  8. Entity Palette: scm_11
  9. In the search bar, search for Domain and drag and drop the Domain entity into the graph: scm_12
  10. Double-click the dragged Domain entity and set your target domain name: scm_13
  11. To gather the Domain Name System (DNS) information about the domain, right-click the Domain entity and select DNS from Domain > To DNS Name – MX (mail server). scm_14 scm_15
  12. Now Maltego will find Microsoft’s email server. scm_16
  13. To get the IP addresses of an object, such as the email server, right-click the email server entity and select Resolve to IP. scm_17 scm_18
  14. To discover the Name Server (NS) of a target domain, right-click the Domain entity and select DNS from Domain > To DNS Name – NS (name server). scm_19 scm_20
  15. To gather website information about the target domain, right-click the Domain entity and select DNS from Domain > To Website (Quick lookup). This will allow you to discover the target’s website address. scm_21
  16. To get a list of all the web links for the target’s website, right-click the Website entity and select Links in and out of site. scm_22
  17. To get a list of publicly available email addresses that are associated with the target’s domain name, right-click the Domain entity and select Email addresses from Domain. scm_23
  18. DONE

Netcraft:

Netcraft allows you to gather information about a target domain, such as network block information, registrar information, email contacts, the operating system of the hosting server, and the web platform.

  1. Go to https://searchdns.netcraft.com scm_24
  2. Search for the domain name you need. scm_25
  3. Click one of the results to open its site report: scm_26

More reading on OSINT: OSINT


OSINT using perl:

COMING SOON

Google dorks:

A list of well-known Google dorks used for information gathering can be found in the Google Hacking Database (GHDB) at http://www.exploit-db.com/google-dorks/.