In this OSINT mini course, I tried to cover the basic subjects of open source intelligence. This mini course is a curated and tailored collection of previously published videos about OSINT on my channel. We discussed gathering information and intelligence about domains, IP addresses, images, videos and online accounts such as Reddit and Twitter. We also covered popular tools in the area of open source intelligence such as Maltego, Recon-ng and the Shodan search engine.
Contents of this Course
- Introduction to OSINT
- Domain OSINT
- Gathering Intelligence from Online Accounts
- Reddit OSINT
- IP & Web History OSINT
- Image OSINT
- Extracting Geolocations from Images & Videos
- OSINT with Recon-ng
- OSINT with Maltego
- OSINT with Shodan Search Engine
What is OSINT
OSINT stands for open source intelligence. It is the process of gathering information about a target's systems, network and defenses without engaging the target directly. In other instances, the target may be an individual or a group of individuals.
OSINT includes data from publicly available sources, such as DNS registrars, web searches, social media, and security-centric search engines like Shodan and Censys.
Another type of open source intelligence is information about vulnerabilities and other security flaws, including sources like the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) resources.
Examples of information that can be gathered during an OSINT engagement
- Domain names and subdomains
- IP address ranges
- Email addresses
- Physical locations
- Staff list and organization chart
- Document metadata
- Social media information
- Technologies and infrastructure.
OSINT Planning
During the planning and direction phase of the OSINT intelligence cycle, an analyst should identify their investigative needs, lay out the questions they are trying to answer, and note any unique circumstances that may arise because of the target, the situation, or the platforms that might be used.
What question(s) need to be answered?
As part of the investigation, write down any questions that need to be answered. Refrain from deviating from the main topic in order to prevent spending unnecessary time on side projects.
Sub-questions like “What is their name?,” “What country are they in?,” “What is their approximate age?,” and “Are they on any other platforms?” could be included in the main inquiry of “Who is behind this account?”
What platform(s) need to be accessed?
Before starting the investigation, make sure you purchase any additional software or hardware and set up any necessary online accounts.
It might not be feasible to ascertain a target’s preferred platforms at first. On the other hand, based on the target’s currently available information, it is usually a good idea to try and discover potential platforms and any requirements needed to access them.
The majority of popular social media sites will have similar requirements, which typically include an account and sometimes an email or phone number for validation. But if you're looking at a platform with a small, close-knit community that keeps to itself and is wary of outsiders, it can have higher standards for new members.
Before allowing new members to join, certain groups require them to be vetted by an existing member, which will need more setup and preparation.
Know your target
It’s critical to evaluate a target’s technical capabilities and whether this could make you more likely to be discovered throughout the course of the investigation.
A target’s likelihood of making technical errors may also be inferred from their level of technology competence. Answers to questions like these aren’t always available at the planning phase, but they might become more apparent as the intelligence cycle progresses.
Although it never hurts to assume that a target possesses sophisticated technological abilities, not every analyst will be able to take state actor level security measures for every target. Generally speaking, I advise being more cautious than a target seems to be technically capable of being.
Have your goals set up
Write down your realistic expectations and goals for the investigation. What is the investigation's anticipated conclusion? Will it lead to a formal report, a notification to the authorities, or another outcome? The OSINT inquiry will be guided more effectively if the end goal is known in advance. Determining the final objective helps steer an investigation in the right direction and aids decision-making in subsequent phases that depend on the end goals.
Example goals of an OSINT case include building a full profile, locating a target for apprehension, identifying associates, collecting digital evidence, etc. (are you collecting intel or evidence for court?).