Open-Source Intelligence (OSINT) Techniques

Identifying and Surveying the Target

  1. Check for Autonomous System Numbers (ASNs) to see what IP addresses are accessible on a network.
  2. Use LinkedIn to identify software that might be used within the organization.
    1. .Joe Schmo from IT might know the web stack (i.e., HTML, CSS, JavaScript, PHP) and talk about what projects they are currently working on.
    2. .Jane Doe might know how to use certain human resource (HR) technology and collect resumes.
  3. Use ZoomInfo (if able to get an account) as this will provide a hierarchy of the organization.
  4. Use OSINT Framework for additional needs.
  5. Use certain websites such as TruePeopleSearch and ThatsThem to identify specific targets within the organization.
    1. This will divulge information about the target such as home addresses, phone numbers, email addresses, and known associates.
  6. Use Shodan and Censys to identify hosts that contain known vulnerabilities based on hostnames.
    1. Use Shodan filters to check hosts owned by the target (i.e.,
    2. Use Censysi filters the same way as Shodan (i.e.,
  7. Use the Wayback Machine to identify any interesting directories that might be archived.
  8. Check mobile application reviews on Google Play Store and Apple Store.
    1. Reviews might show bugs and bug fixes.
  9. Check DNS Dumpster to identify any interesting subdomains and hosts.
    1. One vulnerability that might be interesting to some is a subdomain takeover.
  10. Once identified, use Wappalyzer to check for the underlying technology stack and use GitHub to identify those technologies used.
  11. Utilize WiGLE to search for wireless networks on or near the target.
  12. Public Facebook profiles, Twitter profiles, or Instagram profiles may contain vital information about the organization (i.e., badges, holiday photos, etc.)

Leave a Reply

Your email address will not be published. Required fields are marked *