
What is OSINT?

Open Source Intelligence (OSINT) refers to the collection of data from public sources for use in an
intelligence context; this type of information is often missed by link-crawling search engines
such as Google. As defined by the DoD, OSINT is "produced from publicly available information that is
collected, exploited, and disseminated in a timely manner to an appropriate audience for
addressing a specific intelligence requirement."

Top 5 OSINT Tools

Below are the tools most often used by penetration testers, and even malware actors, to gather
information about a specified target. Information gathering plays an essential part in any
penetration test. The data obtained during the information-gathering phase reveals a lot about
the target, and in the digital world organizations leave huge footprints of assets exposed to the
outside world. The challenge for penetration testers and malware actors is to make sense of these
humongous chunks of data in order to learn all the possible traits of the intended target. Below
are some of the common OSINT tools often used by malware actors and penetration testers.

Note: We will only look at one or two features of each tool mentioned below, to show how much value
they can bring during the reconnaissance phase.

Maltego

Maltego is developed by Paterva and ships as a built-in tool in Kali Linux (the community edition).
Maltego helps perform significant reconnaissance against targets with the help of several
built-in transforms (and also gives the capability to write custom ones). To use Maltego, the
user must first register on the Paterva site.

After registering, the user can create a new machine, or run an existing machine, to run transforms
against the target. Once configured, the machine needs to be started. There are various
footprinting machines built into Maltego which can be run against the target. Maltego will then
run all the transforms via the Maltego servers.

Expected results are that domain-to-IP conversion has happened, the netblock has been identified,
the AS number has been identified, and locations and other phrases have been found as well. These
all appear as icons in Maltego, and it gives a detailed view of each of them. Researchers can
continue this process to dig up more information about the target. It is an absolutely fantastic
tool for tracking the footprint of a single entity over the internet.

Recon-Ng

Recon-Ng is another useful tool for performing reconnaissance on a target and is also built into Kali
Linux. Recon-ng has various inbuilt modules, and its usage somewhat resembles that of
Metasploit. Below is the welcome screen of Recon-ng on Kali Linux.

As mentioned above, recon-ng has various inbuilt modules; a snippet of the module list is shown below.

Workspaces can be created to carry out all operations inside them. As soon as a workspace is
created, the user is redirected into it. Once inside the workspace, the domain can be specified
using add domain <domainname>. After the domain is added to recon-ng, its modules can be used to
extract information about this domain. There are some excellent modules, such as bing_domain_web
and google_site_web, for finding additional domains related to the initial target domain; the
output will be all the related domains indexed by these search engines. Another handy module is
bing_linkedin_cache, which can be used to fetch email addresses related to the domain; these can
be further leveraged to perform social engineering. So, with the other modules, we can get
additional information regarding targets. Thus recon-ng is a great tool and must be in the toolkit
of researchers.

theHarvester

theHarvester is again an excellent tool for collecting information about the specified target.
theHarvester is built into Kali, is very fast, and is much simpler to use than Recon-ng for collecting
basic information. Below is the welcome screen of theHarvester in Kali Linux.

We can see it trying to fetch results from Google, Bing, PGP key servers, etc. These parameters
(and others) are explained in the figure below.

Below are the details that we can get from theHarvester:

Email addresses related to the domain.

Hosts and virtual hosts found in search engines.

So, we can see that theHarvester is also very useful for extracting information about the specified
targets, and all of its features add to that usefulness.

Shodan

Shodan is touted as the 'Search Engine for Hackers' because it gives a huge footprint of the devices
connected to the internet. It is a gold mine for researchers wanting to see exposed assets.

Shodan also shows the top searches most used by the community, like below:

For example, one can see connected webcams, netcams, traffic lights, etc. Below are some of
the use cases for Shodan:

Testing for available assets with the RDP port open.

Testing for "default passwords."

Assets with a VNC viewer.

So Shodan is an excellent tool for fingerprinting connected assets, their details, their
vulnerabilities, etc. Researchers can easily imagine how far they can push this to gather
deep-level information.

Google Dorks

Search engines provide us with a lot of information, and they index a lot of content, too, which can
be used to gather information about a target. Google dorks extract such information through the
use of operators, which is otherwise difficult to do using simple searches. Below are
some of the operators used in Google dorking:

Intitle: Looks for the mentioned words in the page title.

Inurl: Looks for the mentioned words in the URL.

Filetype: Used to find files of a given type.

Ext: Used to identify files with a specific extension. Think of using it to find files such as
.log that are not supposed to be indexed.

Intext: Searches for specific text in the page body.

Below is an example of finding all indexed PDF files.

Google dorks have been around since 2002, and they still give good results and can prove very
handy when performing reconnaissance.

So, in this article, we have looked at some of the most common OSINT tools used by
researchers. These tools are very powerful when used alone but can be lethal when used
together.
