From the Archive of 2015: Open Source Intelligence (OSINT)

Introduction:

For my second blog post, I decided I would write something about OSINT.

Before getting into OSINT, however, I feel that it’s important for a brief understanding of how it is utilized to assist attackers in completing whatever attack they’re going to carry out against their target. In order to assist your understanding, I’m going to quickly cover the theoretical approach that most attackers will follow, when attacking a target. This approach will consist of five phases; as ethical hackers, we refer to these phases as the “Five Steps to Ethical Hacking.” The following steps are the path that an attacker will likely follow, when attacking you (or their target.):

  1. Reconnaissance.
  2. Enumeration.
  3. Privilege Escalation.
  4. Maintaining Access.
  5. Covering Their Tracks.

In today’s day and age, I believe that a lot of potential attackers skip step one entirely. Typically, the more skilled attackers will not; with that said, however, the art of proper penetration testing is something that is dying out to automation and script children (but that’s another story for another time.) The act of reconnaissance is actually incredible useful for a number of reasons; most importantly of which involves knowing how to actually proceed forward with attacking your target. And, as you’ve probably figured out by this point, Open-Source Intelligence (OSINT) gathering falls directly within phase one. Now, let’s take a look at what OSINT actually is.


Open-Source Intelligence:

First and foremost, it’s probably important to fully understand what OSINT actually is:

Simply put, Open-Source Intelligence gathering is the act of gathering overt data from public sources. Now, before we go any further, let’s take a quick look at the exact definition of ‘overt’, so there’s no misunderstanding here.

define:overt – Google
o·vert
adjective

“Done or shown openly; plainly or readily apparent, not secret or hidden.”

Now, many of you out there are probably familiar with the phrase “Open-Source Software”. Remember, for this phase, we’re dealing with the Intelligence Community (IC), not Computer Science (CS) specifically. Therefore, in the Intelligence Community, ‘open‘ refers to ‘publicly available’; it is in no way related to open-source software.

Sources

Now, as one might image, there’s actually a vast myriad of resources available to gather from, when it comes to open-source intelligence. For instance, an attacker might want to find out some key friends and relations that belong to a target. One way they could do that is find their target on a social media website, and stalk their profile. Look at the pictures the target is posting; if the status updates are public, get an idea of who comments more frequently than others, and how the target responds to the comments. You can normally quickly put together a list of friends and family, to later be exploited to further your attack against the target.

Another source: Search engines. Search engines can be incredibly useful for finding out all kinds of information about a target. A lot of people don’t realize that you can do more than enter a string into Google and search for that string. Google has some incredibly powerful abilities, outside of simple string searches. If you know what you’re doing with it, you can build queries using Boolean operators to perform more advanced and specific searches. With this knowledge, using sites like Google or Bing make it incredibly easy to find out names, addresses, phone numbers, and email addresses amongst other information about your target.

Searching is not the only thing Google can do for you, however. You can also configure it to send you alerts anytime a specific term (based on your configuration) is added to its index. This is called Google Alerts. You can also use it to specifically search down blog posts (like this one,) and patent information. It truly can return an awesome amount of information that can be gathered and collected together into an archive that you can build against your target.

Earlier, we mentioned how Facebook can be used to stalk down family and friends of a potential mark. However, this is just one of the many functions that social media can be used for. For instance, with the help of a little URL play, we can use Facebook to trace back images to a person based on the image ID. Using something along the lines of “photo.php?fbid=PHOTO-ID-HERE” is one way you can do that. Twitter also has many interesting methods for gathering information.

When it comes to Twitter, it’s often overlooked. However, using Twitter’s Location Search, you can find geographical location data of a mark. For instance, this could come in handy if you want to wait for your target at their favorite coffee house, so you can follow them around physically, or put up a network sniffer on the public network offered by the coffee house, to get further information or perform session hijacking attacks against the mark. Once you’ve tracked him down physically, with just a bit of leg work, you can follow him home, find his address, his place of employment, and other information that might be useful to your attack. You can see where I’m going with this.

Of course, there are many more resources that can be utilized for this phase. The imagination is truly the limit when it comes down to what kind of information you can gather with all the publicly available information that is available to just be picked right out of the Interwebs. That’s why you’ll frequently hear “nothing is private on the Internet.” And this is very true fact. If a normal person can perform this kind of gathering, image what an employer can find out about you.

Unfortunately, when it comes to OSINT, there’s a lot that can be discussed. Each one of the individual topics covered here, such as search engines and social media gathering could have entire articles made specifically for them. And more than that, there are further topics that I will revisit in a later posting. Topics such as metadata, which has been the downfall of many hackers, and also WHOIS information, and other methods of OSINT. Too much to write in one blog post. But, keep your eye out for more on this subject. OSINT is something that I am very passionate about. I’ll likely write many more articles to come, involving it. There’ll even be discussions on how to use Kali Linux, and tools such as Metagoofil and The Harvester to further your OSINT gathering, in the future. See y’all soon… maybe, even, at your favorite coffee shop.

Tyler
Written by Tyler