blog.smigiel.dev

Oct 07, 2020

OSINT

Information gathering

First and the most crucial phase of an engagement is information gathering. It helps to broaden surface of attack, and prepare for successful method of breaking into company. Usually, people leave a lot of breadcrumbs around the Internet. Thanks to meticulous look up of the information, a lot of interesting details can be found.

Interesting databases

Given the vast array of social networks, it shouldn't be difficult to find interesting information. For example, user can create account on Twitter, point to Linkedin, Google and Facebook.

To find generic information, one might refer to twitter or google. For more work related information, usually better is Linkedin.

Crunchbase

Crunchbase is a platform for finding business information about private and public companies. It is a platform for finding business information about private and public companies. Additionally it contains useful information to match profiles.

Government websites

Some information can be found on official government websites. If a company is awarded contract.

Whois

whois is command line tool, as well as website. It allows to query the database of Internet addresses to get information about registrants of those addresses.

Company website

Oftentimes, interesting information can be found on company websites. We can find there information about products, customers, services, etc. Usually, there could be also find

Email pattern

Many companies have common email pattern. It usually means, that all employees, can be reached by some variation of email:

  • first_name.last_name@company.com
  • last_name.first_name@company.com
  • first_letter__nameLast_name@company.com

By accessing at least one of employees emails, you basically obtained all of them, as long as you know employee name.

To verify if chosen email is valid, one can send email and wait for response. Many email servers return message in the case of non-existing user.

Subdomain enumeration

It is common for a company, to have multiple different subdomains, like email.company.com, blog.company.com, careers.company.com. Sometimes, companies leave running vulnerable services. In that case, it could be much easier to exploit a bug on some outdated subdomain, than main domain. There are several ways of achieving that goal.

Google

One of the simplest ways is to search a Google! By issuing query to search engine like below, we can receive responses focused around particular company website.

site: company.com

dnsdumpster

DNSDumpster.com is a free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process.

CLI Sublist3r

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS.

Additional resources