OSINT or how to look at your network through the eyes of a hacker

OSINT or how to look at your network through the eyes of a hacker

Today I will tell you what information about the organization can be found in public sources and how it can be used by a potential attacker. Many of you have probably heard of OSINT (Open Source INTelligence, a list of open source activities), which is most commonly used to gather information about a specific individual. But OSINT can also be used to find information about specific organizations for security assessments. After all, agree, it is useful to see what is in the public domain about you and what you look like from a potential attacker.

Popular resources where information is collected

Active scanning requires an NDA signature and work approval, which naturally takes time. In this regard, it is necessary to use only data from public sources, do not scan the IT infrastructure and, accordingly, do not spend man-hours on bureaucracy.

So what can be found in free access?

The most detailed answer to this question is osintframework.com, I recommend that you look at this question for a summary answer.

I will try to single out the most interesting for IS specialists from the vast amount of information. We will look for it:

  • Corporate mail addresses
  • Email Address Compromization Facts
  • Subdomains registered for company
  • IP addresses and offline company systems
  • Open ports and services on them, and selection of vulnerabilities and exploits for detected services
  • Hidden site directories
  • Confidential documents

What can I use to find this information?

There are a lot of tools on the Internet for search for mail addresses company by domain, for example:

hunter.io – until recently the tool was completely free, but unfortunately times are changing.

Browser Extension Email Finder from Snov.io – currently has great functionality in the free version and finds a huge number of domain accounts, but for how long?

theHarvester – collects both email addresses and subdomains, open ports and virtual host data. Pre-installed in Kali Linux.

Tools are both paid and free of charge, the choice of use depends on the desire / ability to pay for improved functionality. It makes sense to use several tools at the same time, as they produce different results. As a result we have the big list of post addresses of the company which it is necessary to check up for presence of the compromised accounts.

This check can be done on many well-known services haveibeenpwned.com..

At the exit, the tool gives us information about which databases contain account references, whether these databases contain data on passwords, physical addresses, phone numbers, etc.

We won’t get the passwords ourselves, but we can divide the mail addresses into “clean” and potentially compromised ones.

It should be noted here that the tool has a paid API. Without it, of course, you can check all email addresses, but you will have to submit them one by one, which will take a lot of time. If you buy the API (3.5$ per month, pure symbolic fee) you will be able to use it in different scripts and thus significantly speed up and automate the analysis process.

You can then use the bot in telegram @mailsearchbot.

We give him potentially compromised email addresses to login, and at the exit we get passwords used in connection with this email address. It should be noted that not all users can find passwords, but the detection rate is high. And again, if there is a desire/opportunity to financially support the developer, it is possible to receive full data, without symbols hidden by asterisks, but unfortunately here the price already bites.

The next step is to gather information about subdomains. There are a lot of tools to do this, for example:

dnsdumpster.com – knows how to draw beautiful correlation graphs and upload results in Excel, but has a limit of 100 subdomains only.

pentest-tools.com – I advise you to get acquainted with the site in detail, because it is not only possible to look for subdomains here. The lite version has a limit of 2 scans per day, but is easy to do with TOR).

It also makes sense to combine the tools to determine the largest number of subdomains. Often the subdomain is paired with an IP address that can be fed to the shodan (shodan.io) to get a list of open ports and services that are stuck on the Internet.

Further on it is possible to select vulnerabilities and exploits for certain versions of services using such resources as:

cvedetails.com is a large rechargeable CVE base for services and their versions. There may be some difficulties in finding the necessary services in the way they are repeated (for example, there are two different pages of Microsoft IIS service with different vulnerabilities).

exploit-db.com – large replenishable exploits database. It should be noted here that there are exploits confirmed by the site administration and not verified.

We are also curious about the ip address of a autonomous system. Checking is done on various Whois services, of which there are also many. By and large, it doesn’t make any difference what tool to work with, so I’ll show you where I left off:

bgp.he.net – looks clumsy but shows data for any offline systems.

ididb.ru – more focused on collecting information about Runet’s autonomous systems.

If an offline system belonging to a company is detected, it makes sense to run all ip through shodan and collect as much information as possible on service versions.

You can use the browser extension Wappalyzer to analyze definitions of what technologies the site is built on. Often, the tool defines versions and you can also find vulnerabilities for them.

Let’s proceed to the final stage – finding hidden directories and site files. This is where we can use them:

  • Google Dorks
  • DirBuster

Google Dork Queries are tricky search engine queries that help shed light on publicly available but hidden data. In the vast expanses of the Internet, there’s enough information on how to “properly” compose search engine queries to get the information you need. Andrey Masalovich visually showed how to do it.

In turn, DirBuster is a tool to find hidden directories and files that you forgot to delete from the public or added there by mistake. It has several built-in dictionaries to perform the search. It is recommended to use the directory-list-2.3-medium dictionary to optimize the time to output ratio.

When using these tools, you will have to analyze a lot of information, but often efforts are rewarded.

Popular courses/books for learning

  • Cursus for OSINT videos.
  • Certified OSINT and competitive intelligence course
  • I advise to look at YouTube records of performances of Andrey Igorevich Masalovich, the teacher of the previous course. He is a real professional, will tell a lot of interesting things. Also, I advise you to read his site, where you can find a lot of Video and Book on the subject


Top 5 problems that we manage to find within OSINT a

In my practice, I managed:

  • Get the ability to manage the site on behalf of an administrator because there was a chance to crash into a directory that would bypass administrator authorization. Of course, I did not touch anything there, but if it was not me, but a potential attacker? Such directories have to be closed.
  • Detect databases sticking to the Internet, which in addition were very old and extremely “holey”. Selecting an exploit for such databases is a very simple task. There is no need to pull the database out.
  • Detect RDP, FTP, SSH and NTP services that are not accessible from an unlimited address pool. Here the problem of simple passwords for accounts appears and brute force has not been cancelled. There is no need to put these services outside unless explicitly required…
  • Detect confidential documents. For example, documents related to an intranet regime organization that are in the public domain are not a good idea.
  • Find current passwords from email addresses. I myself do not check the relevance of the found passwords, but sometimes after reading the report the company’s employees ask: what to do if the password is really up to date? In such cases, you naturally need to change it, as well as change passwords on all sites where registration was carried out from this mailbox and hope for the best. And in general change passwords more often.



So, we see that the information in open sources can become a springboard for an attack on the corporate infrastructure. It is necessary to periodically check how the organization looks like from the perspective of a potential attacker and hide this information if possible.


Source – HABR.

WARNING! All links in the articles may lead to malicious sites or contain viruses. Follow them at your own risk. Those who purposely visit the article know what they are doing. Do not click on everything thoughtlessly.


0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments

Do NOT follow this link or you will be banned from the site!
Would love your thoughts, please comment.x

Spelling error report

The following text will be sent to our editors: