Mastodon Hillbilly StoryTime: Internet Footprinting (aka OSINT – Open Source Intelligence)

Saturday, October 12, 2013

Internet Footprinting (aka OSINT – Open Source Intelligence)

What is OSINT? Well, according to Wikipedia it is:
“Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence.”
In general, OSINT is simply the identifying, collecting, and analysis of publicly available data about a person, place, or thing.

OSINT is NOT merely used for cyber stalking or DOXing. (DOXing is the act of gathering personal information about people on the Internet, often including real name, known aliases, address, phone number, SSN, credit card number, etc. typically for the sole purpose of causing embarrassment, mischief, and/or harm to the targeted person.)

OSINT has many valid/beneficial uses. These include (but are not limited to):

  • identifying information about yourself (or your own company) that may be available on the internet
  • part of a network penetration (or social engineering) exercise
  • perform additional/extended background check on potential corporate partners or employees
  • identifying possible information leakage from your company

There a few typical types of OSINT, each with their own PROs/CONs:

  • Purely Passive
    • PRO - no traffic directed toward the target (i.e. no evidence in server logs)
    • CON - only relying on second hand data at best
    • Examples
      • search engine cached pages
      • archive.org saved pages
      • searching across pastebin (and similar sites)
      • searching social media sites
      • browsing Shodan for ports, systems, and service banners
  • Typical Internet Traffic
    • PRO – gaining data directly from target’s websites and systems
    • CON - traffic is being sent directly toward the target thus showing up in server/system logs
    • Examples
      • DNS queries
      • Visiting web pages owned by the target
      • downloading documents from websites
  • Checking Locks and Doors
    • PRO - possibly gaining amazing amounts of data about types of system, websites on odd ports, and other services such as ftp, vnc, etc…
    • CON - lots of traffic sent to target and chance of eing detected is considerably higher
    • Examples
      • perform DNS brute forcing
      • perform ip scans across the target’s ip space to identify active systems
      • perform port scanning to identify open ports and gather banners

There are numerous commercial/free tools/websites that can be used to perform or assist in OSINT gathering. In future posts, I will be covering many of these tools and websites and discussing how they can be used to perform OSINT.

What are a few sources of data of OSINT: (more will be discussed in future posts)

  • Pastebin (an similar sites)
  • DNS (zone transfers, txt, hinfo, etc… records)
  • Websites (email addresses, org charts, documents, addresses, phone numbers, etc…)
  • Search engines (google, bing, etc…)
  • Social networks (linkedin, twitter, facebook, etc…)

    No comments: