Just finished watching Die Hard 4, an entertaining yet exaggerated dive into hacker culture. Computer professionals, especially real hackers may roll eyes on it especially on how fast the antagonists manage to get things done and how they manage to ‘pull things up’ like in most hacker films. They seem to manage to pull up stuff about people and organizations in an instant. Like John McClane’s dossier or an F-35 jet’s go codes. As pros, we can chalk things up to advanced information gathering or OSINT tools. What’s OSINT again?
What is OSINT?
OSINT stands for Open-source Intelligence. It refers to the collection and analysis of publicly available information about persons, organizations or other topics. The information gathered is mostly from online sources using various tools (mostly automated) to gather information. The open-source bit refers to the fact that the information gathered is already open to the public, for example a company address where the gatherer does not need to get permission.
There are many methods and tools available when performing OSINT. First thing that comes to mind is doing a Google search or searching through social media for information about a person or organization. It’s a slow process as yours truly can attest after having to pull up email contacts for certain persons of an obscure company. But there’s a wealth of publicly available information out there that search engines can’t easily spider though, and there are many available OSINT tools that are able to gather that information in a matter of minutes.
Who and what is OSINT for?
As mentioned, OSINT is a plethora of methods to quickly gather publicly available information mostly from online. The same information can also be gathered from print media, television and radio but that is when the researcher wants to get ridiculously comprehensive.
OSINT is mainly used by organizations such as law firms in order to gather subject information, and government law enforcement when they want info about persons of interest to fight crime and terrorism. OSINT would be the first stage done in order to pull up basic information. Advanced information can be pulled up either by requesting permission from other agencies or paying for the data from information sellers. The same goes for companies who want to get information about their competitors in order to quickly make informed decisions about their respective markets.
Hackers and cybersecurity/infosec experts also use OSINT to gather information about their targets. White hats mostly use OSINT tools to check if data which is supposed to be sensitive has somehow leaked into the visible internet. Positive findings indicate data breaches.
OSINT has several advantages such as being cost-effective compared to the manual aforementioned Google search. OSINT can gather much more data compared to the surface information indexed by search engines and that OSINT can be also used to determine vulnerabilities in IT systems. How? IP Addresses, open ports, domain names and DNS names are considered publicly available for those who know how to look for them in a process called technical footprinting or cyber reconnaissance.
Speaking of vulnerabilities, back to hacker films. All those colorful text-filled scrolling screens in the background are assumed to be system statuses or flowing information from advanced OSINT tools. Tools such as:
BuiltWith – while the technology of some websites can be determined through browser web developer tools, Builtwith will provide a more comprehensive look at the components that makes certain websites tick. Knowing those is the first step in knowing their vulnerabilities. Another such tool is Wappalyzer, which also says that knowing what websites are built with can improve marketing lead generation. What does website vulnerabilities have to do with OSINT? Certain companies would like to research whether potential partners are secure before making any deals. Knowing what company websites are built with and how secure they are matter greatly.
Maltego – is a popular multi-platform OSINT tool that can gather information on and discover relationships between persons, companies and domains. The data gathering process is mostly automated and can result in organized and easy to read charts and graphs. It has free, individual and corporate licenses.
thHarvester – is an easy-to-use OSINT tool that’s able to gather and compile information from various search engines and data mining engines such as Exalead meta data engine, Netcraft Data Mining, AlienVault Open Threat Exchange and the device search engine Shodan.
Shodan – is a paid search engine to get intelligence on non-searchable devices such as IoTs. It’s also able to find vast amounts of information on target systems and can even determine operational technologies in industrial organizations. If a device is connected and can be publicly accessed, Shodan will see it, their open ports and vulnerabilities. Shodan can also detect gaming servers in organizations where they shouldn’t be.
Searchcode – is an OSINT tool that specializes in finding information in source codes. Treasures sometimes lurk within developers’ remarks lines as well as in variable and constant declarations. It’s a good tool to find such careless vulnerabilities.
Metagoofil – specializes in public digital documents and discover important information about targets contained within them such as usernames and other credentials. It’s a useful hacker’s tool to find carelessly documented system credentials in publicly accessible documents.
Babel X – is a multilingual OSINT tool because information is not limited to the English language. English language websites are just a little over 50% and that leaves a lot more to be searched. Babel X can even search the dark web, technically still publicly accessible. A good use for Babel X would be searching though foreign language websites for foreign insights on news and current trends, as well as find persons of interest in non-English message boards and determine if sensitive IP are exposed in foreign places.
SpiderFoot – is another popular and powerful OSINT tool which can grab any username, IP address, domain name and email from over 200 other OSINT sources. The tool is of the freemium type so prepare to invest if the searches are critical. It also offers quick data compilation, visualization and the data is exportable in various formats.