LSWSec - Offensive

OSINT


Last updated 2 years ago

The first step when starting OSINT collection on an organisation is an internet and social media search. This includes building a list of individuals who work for the company. If an individual is high value (C-level or IT related), an attacker would also research them specifically.

Social media profiles can contain a lot of information, including locations the target frequently visits or confidential information visible in the background of photos. Make a note of anything you notice, especially passwords stuck to PC monitors.

Starting automated searches first speeds up the process, since they can run in the background while you look at other sources. The easy-to-get information they return also helps to narrow your search and gives ideas of what to look for next.

Search Engines

  • Google - https://www.google.com/

  • Google Advanced Search - https://www.google.com/advanced_search

  • Google Search Guide - http://www.googleguide.com/print/adv_op_ref.pdf

  • Bing - https://www.bing.com/

  • Bing Search Guide - https://www.bruceclay.com/blog/bing-google-advanced-search-operators/

  • Yandex - https://yandex.com/

  • DuckDuckGo - https://duckduckgo.com/

  • DuckDuckGo Search Guide - https://help.duckduckgo.com/duckduckgo-help-pages/results/syntax/

  • Baidu - http://www.baidu.com/

Google Hacking

Google and other search engines support advanced operators that can be combined to find specific information such as exposed documents, development sites or pages mentioning passwords. These are some good example searches (operators are not case-sensitive, but keep them lower-case for consistency).

site:twitter.com companyname
site:linkedin.com companyname
site:facebook.com companyname
site:example.com filetype:pdf    (looks for PDF documents; also try docx, xlsx, etc.)
site:website.com password filetype:pdf    (PDF documents containing the word password)
site:website.com intext:password    (looks for the word password in the page text)
site:website.com inurl:dev    (looks for dev sites)
site:website.com -www    (brings back subdomains other than www; site:website.com -site:www.website.com is the stricter form, since -www also drops pages that merely contain the term)

TheHarvester

theharvester -d example.com -l 500 -b all

-d is the target domain, -l limits the number of results per source and -b all queries every supported data source. Add -f <name> to also save the results to XML and JSON files for later processing.

TheHarvester works best when API keys are configured for as many of its data sources as possible; sources without a key are skipped or return very little.

Edit /etc/theHarvester/api-keys.yaml to add new API keys.
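Once theHarvester has run, the raw output is rarely used as-is: addresses need de-duplicating, host entries need their IP suffix stripped, and the real value is in spotting the organisation's email naming convention so that the employee names gathered from social media (see the first paragraph above) can be turned into candidate addresses for verification. The script below is an added example, not part of the original page or of theHarvester itself. The JSON key names ("emails", "hosts", ...) and the "host:ip" form of host entries are assumptions about what the tool writes with -f; SAMPLE_JSON is constructed data standing in for that file.

```python
"""Post-process theHarvester JSON output (written with -f <name>) and infer
the target's email naming convention from the addresses it found.

Added example, not part of theHarvester. The JSON key names and the
"host:ip" form of host entries are assumptions about the tool's output;
SAMPLE_JSON is constructed."""
import json
import re
from collections import Counter

# Constructed sample in the shape theHarvester is assumed to write.
SAMPLE_JSON = json.dumps({
    "asns": [],
    "emails": ["jane.doe@example.com", "John.Smith@example.com",
               "jane.doe@example.com", "helpdesk@example.com",
               "a.brown@example.com"],
    "hosts": ["www.example.com:93.184.216.34", "dev.example.com",
              "mail.example.com:93.184.216.35", "www.example.com"],
    "interesting_urls": [],
    "ips": ["93.184.216.34", "93.184.216.35"],
    "shodan": [],
})

# Generic mailboxes that say nothing about how people's addresses are formed.
ROLE_ACCOUNTS = {"info", "admin", "helpdesk", "support", "sales", "hr",
                 "noreply", "no-reply", "postmaster", "webmaster", "abuse"}

# Local-part shapes, checked in order; the first match wins.
PATTERNS = [
    ("first.last", re.compile(r"^[a-z]{2,}\.[a-z]{2,}$")),
    ("f.last", re.compile(r"^[a-z]\.[a-z]{2,}$")),
    ("first_last", re.compile(r"^[a-z]{2,}_[a-z]{2,}$")),
    ("first-last", re.compile(r"^[a-z]{2,}-[a-z]{2,}$")),
    ("ambiguous", re.compile(r"^[a-z]{2,}$")),  # could be flast, firstl or first
]

# Templates for building candidate addresses from a person's name.
FORMATS = {
    "first.last": "{first}.{last}",
    "f.last": "{f}.{last}",
    "first_last": "{first}_{last}",
    "first-last": "{first}-{last}",
    "flast": "{f}{last}",
    "firstl": "{first}{l}",
    "first": "{first}",
}


def load_results(text):
    """Parse the JSON report into a dict."""
    return json.loads(text)


def unique_emails(results):
    """Lower-cased, de-duplicated, sorted email addresses."""
    return sorted({e.strip().lower() for e in results.get("emails", []) if "@" in e})


def unique_hosts(results):
    """Hostnames with any ':ip' suffix stripped, de-duplicated and sorted."""
    hosts = set()
    for entry in results.get("hosts", []):
        name = entry.split(":", 1)[0].strip().lower()
        if name:
            hosts.add(name)
    return sorted(hosts)


def infer_email_format(emails, domain):
    """Return the most common local-part shape seen for `domain`, or None."""
    counts = Counter()
    for addr in emails:
        local, _, dom = addr.partition("@")
        if dom != domain.lower() or local in ROLE_ACCOUNTS:
            continue
        for name, rx in PATTERNS:
            if rx.match(local):
                counts[name] += 1
                break
    return counts.most_common(1)[0][0] if counts else None


def candidate_addresses(first, last, domain, fmt=None):
    """Build addresses for a person; every FORMATS entry when the convention is unknown."""
    first, last = first.lower(), last.lower()
    parts = {"first": first, "last": last, "f": first[0], "l": last[0]}
    chosen = [fmt] if fmt in FORMATS else list(FORMATS)
    return [FORMATS[f].format(**parts) + "@" + domain.lower() for f in chosen]


if __name__ == "__main__":
    results = load_results(SAMPLE_JSON)
    emails = unique_emails(results)
    print("hosts :", unique_hosts(results))
    print("emails:", emails)
    fmt = infer_email_format(emails, "example.com")
    print("format:", fmt)
    # A (constructed) name picked up from LinkedIn, turned into a guess to verify.
    print("guess :", candidate_addresses("Sarah", "Connor", "example.com", fmt))
```

Role accounts are excluded before counting because helpdesk@ or info@ tell you nothing about how staff addresses are built. When the inferred shape is "ambiguous" (a bare word such as jsmith) or nothing was seen for the domain, candidate_addresses falls back to every known template; check the guesses with the verification services listed under Resources rather than by sending mail to them.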

Resources

  • Hunter.io – https://hunter.io/

  • Phonebook.cz – https://phonebook.cz/

  • VoilaNorbert – https://www.voilanorbert.com/

  • Email Hippo – https://tools.verifyemailaddress.io/

  • Email Checker – https://email-checker.net/validate

  • Clearbit Connect – https://chrome.google.com/webstore/detail/clearbit-connect-supercha/pmnhcgfcafcnkbengdcanjablaabjplo?hl=en

  • Email and breached data OSINT

  • breach-parse – https://github.com/hmaverickadams/breach-parse
