Professional Documents
Culture Documents
2.0 Passive
Reconnaissance
• 2.1 OSINT
• Information Gathering
• Open source intelligence
• Whois
• The Organization's Website
2.1 OSINT • Related Websites
• Social Media
• Job Boards
• Google Hacking
• Online Articles and News
• DNS Querying
• Email
• SSL/TLS Certificates
• Shodan
2.1 OSINT • theHarvester
(cont’d) • Recon-ng
• Maltego
• FOCA
• Findings Analysis and Weaponization
• Content of Interest
2.1 OSINT •
•
IP Addresses and Subdomains
External and Third-Party Sites
(cont’d) • People
• Social Engineering
• Technologies
Information gathering is the process of identifying, discovering,
and obtaining information that may have relevance to the pen
test
Covers a variety of tasks, goals, and outcomes
Information
Gathering Provides tester with actionable data; based on attacks; new
strategy
Not all gathered info will be useful; not all useful or relevant
Open Source
Intelligence (OSINT)
• Open source intelligence defines actionable information
that has been gathered from publicly available sources
• Information that is not private
• Anyone can obtain without breaking laws
• Valuable to preliminary pen test phases; skilled attackers
need to be discreet
• Sources include:
• Whois registration information; target organization's
public site; additional related sites; social media
profiles of organization/people; public job postings;
Google search results; online blogs, news articles,
etc.; and info gathered from DNS, mail records, and
SSL/TLS certs
Whois
• Whois is a protocol that supports querying of data
related to entities who register public domains and
other Internet resources
• Info is available to anyone who queries databases
• Query can be executed at command line or through a
web app
• Queries conducted on public domains to reveal
information about them
• Information such as: Name of registrant; name of
organization; mailing address, phone number, email,
etc., of organization; administrative and technical
contact info; registrar info; domain status; and name
servers used by domain
• A great tool for identifying details about target
organization
WHOIS Example
Activity: WHOIS
Organization's Website
• Marketing sites have the potential to be OSINT
• Most sites have an "About" page
• Reveals purpose, goals, and nature of organization
• Information is generally on the site in another location
• Can disclose key information about the organization
that is useful to pen testing
• Marketing sites provide the following useful info:
• Executive or other high-profile personnel
• Upcoming events
• Forms to fill out for more info
• User forums
• Additional contact info
• Links to social media profiles
• Sites can also be storefronts, informational, etc.
• Can’t expect to learn everything there is from one site
• Secondary sites meant for specific
Other sites purposes, like B2B operations
can • Subdomains of primary site, like
administrative portals
contribute • Sites owned/operated by partner
organizations
to your • Sites of organization’s subsidiaries or
OSINT parent organization
• Social media profiles
Related
Websites May
provide
details • Partner site might reveal info about
beyond relationship with current site
primary
site
Social Media