OSINT or how to look at your network through the eyes of a hacker





Good afternoon! Today I will tell you what information about an organization can be found in open sources and how a potential attacker can use it. Many of you have probably heard about OSINT (Open Source INTelligence, a list of activities aimed at collecting information from open sources), which is most often used to collect information about a specific person. But OSINT can also be used to find information about specific organizations to assess security. You must admit that it is useful to see what is publicly available about you and how you look from the side of a potential attacker.



Popular resources where information is collected



To carry out an active scan, it is necessary to sign an NDA and agree on the work, which naturally takes time. In this regard, it is necessary to use only data that is in open sources, not to scan the IT infrastructure and, accordingly, not to spend man-hours on bureaucracy.





So what can be found in the public domain?



The most detailed answer to this question is osintframework.com , I recommend reading it to get a generalized answer to the question posed.







I will try to single out the most interesting information for information security specialists from the vast amount of information. We will search:



  • Corporate mailing addresses
  • The facts of compromising postal addresses
  • Subdomains registered with the company
  • Company IP addresses and autonomous systems
  • Open ports and services located on them, as well as selection of vulnerabilities and exploits for discovered services
  • Hidden site directories
  • Confidential documents


What can you use to find this information?



There are a huge number of tools on the Internet for searching a company's mailing addresses by domain, for example:





hunter.io - until recently, the tool was completely free, but unfortunately times are changing. Snov.io's Email Finder







browser extension - currently has huge functionality in the free version and finds a huge number of domain accounts, but for how long? .. theHarvester - collects both email addresses and subdomains, open ports and data about virtual hosts. Preinstalled on Kali Linux.















There are both paid and free tools, the choice of use depends on the willingness / ability to pay for the improved functionality. It makes sense to use several tools at the same time as they produce different results. Ultimately, we have a large list of company postal addresses, which must be checked for compromised accounts.



You can check it on many well-known service haveibeenpwned.com.







At the output, the tool gives us information in which databases contain account mentions, whether these databases contain data on passwords, physical addresses, phone numbers, etc.







We will not get the passwords themselves here, but we will be able to divide email addresses into โ€œcleanโ€ and potentially compromised ones.



It should be noted here that the tool has a paid API. Without it, of course, you can check all email addresses, but you will have to submit them to the entrance one by one, which will take a lot of time. When purchasing an API ($ 3.5 per month, purely symbolic fee), we will be able to use it in various scripts and, accordingly, significantly speed up and automate the analysis process.



In the future, you can use the bot in telegram @mailsearchbot .







At the entrance we give him potentially compromised postal addresses, at the exit we get the passwords used in conjunction with this postal address. It is worth noting that it is not possible to find passwords for all accounts, but the detection rate is large. And again, if there is a desire / opportunity to financially support the developer, you can receive complete data, without symbols hidden by asterisks, but unfortunately here the price already bites.



The next step is to collect information about subdomains . There are a lot of tools to do this, for example:





theHarvester







dnsdumpster.com - can draw beautiful relationship graphs and export the results to Excel, but has a limitation on displaying only 100 subdomains.







pentest-tools.com - I advise you to familiarize yourself with the site in more detail, since here you can search not only for subdomains. In the lite version, it has a limit of 2 scans per day, but it is easy to get by with TOR)







It also makes sense to combine tools to determine the largest number of subdomains. Often, an IP address is paired with a subdomain, which can then be fed to shodan ( shodan.io ) to get a list of open ports and services that are sticking out on the Internet.







In the future, you can select vulnerabilities and exploits for specific versions of services using resources such as:





cvedetails.com - a large CVE database of services and their versions. There may be some difficulties with finding the necessary services as they are repeated (for example, there are two different pages of the Microsoft IIS service with different vulnerabilities).







exploit-db.com is a large, growing database of exploits. It is worth noting here that there are exploits confirmed by the site administration and not verified.







In the shodan data, we are also interested in the belonging of the ip-address to an autonomous system . The check is performed in various Whois services, of which there are also a large number. By and large, there is no difference with which tool to work, so I will demonstrate the ones on which I stopped:





bgp.he.net - looks clumsy, but shows data on any autonomous systems.







ididb.ru is mostly focused on collecting information about the autonomous systems of the Runet.







If an autonomous system belonging to a company is found, it makes sense to run all ip through shodan and collect as much information as possible on service versions.



To analyze the definitions on which technologies the site is built, you can use the Wappalyzer browser extension . Often the tool detects versions and, accordingly, you can also select vulnerabilities for them.







We pass to the final stage - search for hidden directories and site files . This is where:



  • Google dorks
  • DirBuster


Google Dork Queries are tricky queries to search engines that help shed light on data that is publicly available but hidden from prying eyes. In the vastness of the Internet, there is enough information on how to โ€œcorrectlyโ€ compose queries to a search engine to obtain the necessary information. Andrey Masalovich clearly showed how this is done.







In turn, DirBuster is a tool for finding hidden directories and files that you forgot to remove from public access or added there by mistake. It has several built-in dictionaries for searching. It is recommended to use the directory-list-2.3-medium dictionary to optimize the ratio of spent time to exhaust.







There is a lot of information to analyze when using these tools, but often the effort is rewarded.



Popular courses / books for teaching



  • OSINT Introduction Video Course
  • OSINT and Competitive Intelligence Certified Course
  • I advise you to watch on YouTube the recordings of the speeches of Masalovich Andrey Igorevich, the teacher of the previous course. He is a true professional in his field, he will tell a lot of interesting things. I also advise you to familiarize yourself with his website , where you can find a large number of videos and books on this topic.


Top 5 problems we find with OSINT



In my practice, I succeeded:



  • , . , , ? .
  • , โ€œโ€. โ€” . .
  • RDP, FTP, SSH NTP , . , brute force . , ..
  • . , , โ€” .
  • . , : , ? , , . .




So, we see that information in open sources can become a springboard for an attack on corporate infrastructure. It is necessary to periodically check how the organization looks from the side of a potential attacker and, if possible, hide this information.



What if you can't do OSINT yourself?



We can carry out OSINT for your organization for free, please contact.

If this topic is interesting to you, then stay tuned in our channels ( Telegram , Facebook , VK , TS Solution Blog )!



All Articles