Open Source Intelligence (OSINT)
Open Source Intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community the term "open" refers to overt, publicly available sources; it has nothing to do with open-source software or with "public intelligence". Understanding how this information is gathered and analyzed is crucial for both cyber and physical security professionals. Today I want to look at some of the concepts and tools used in OSINT. Covering it all would take a book, so I'll touch on the basics. First, being able to learn everything about a target or organization without the daunting task of penetrating networks, finding vulnerabilities in machines and then exploiting them can prove priceless. Combined with social engineering tactics
such as NLP (neuro-linguistic programming),
OSINT can get you almost any information you want. Mix in lock picking, disguise and stealth, and you are on a road less traveled in the cyber security field. I mention cyber security because, with the Internet of Things
and billions of devices online, there are countless vulnerabilities and exploits. Companies hire technical auditors, called penetration testers or ethical hackers,
to find vulnerabilities in their intranet and networks; however, this only covers the technical side, not the physical one. Say, for instance, I was contracted to find the network vulnerabilities of a corporation. They are well secured with web application firewalls, ModSecurity on their Apache servers to block SQL injection, reverse proxies and load balancers, and on this particular day I don't feel like spending my time on that or getting the team together. So what do I do? Using OSINT, I join their LinkedIn group and find out they use a third-party overnight security company. I also find out that there is overnight construction on a new building add-on set to complete next year. Bingo! By the time I get to the gate I already know the names and details of the security team, their bosses, the construction crew and the foreman. "Hey, sorry I'm not in the company truck today, my wife is expecting any minute now, we're having a boy, I'm so excited! So I'll need to be able to leave whenever. Mr. Smith (the construction foreman) is aware and they should be right behind me." This situation could have gone a million ways. I could have used stealth and jumped the wall in a construction outfit matching the logo and design of the crew doing the work (which I found using OSINT). I could have called the security officer at the entrance gate on his cell phone, from a spoofed number matching his wife's cell phone (both obtained online using OSINT), told him I was a doctor, that she was in critical condition and that he needed to come to the hospital to sign off on surgery. Unethical, yes, but you have to be willing to do what needs to be done, and a corporation like this should have protocols in place for exactly these situations. And who knows, once he leaves the gate and finds out his wife is fine, it might be the best day of his life!
The point is that I needed access not only to set up a router for a man-in-the-middle attack (Plan B), but because I know OSINT beats IT and I want to stick to my roots and dumpster dive (Plan A). Not only do I find their financial reports from last quarter, I also find the names of internal staff, their routers, their ISP and other information that I'll use to eventually exploit their internal network. At the end of the day, information like this can fetch a pretty penny from competitors or on the black market, so don't call yourself a security professional if you only conduct audits from behind a screen; you're far from it. Some basic technical skills are needed, however, to understand the concepts of footprinting
and fingerprinting. If a simple ancestry.com
search can find your mother's maiden name, and your social media profile lists your favorite things, your birthday and your children's names, one can probably guess your credit card PIN and your passwords without spending days on a brute-force attack. Instead, an attacker with this information can run a dictionary-style attack, feeding the cracking program the names, dates and phrases that suit a specific target. These are all examples of using OSINT: information that is readily available and in open sight. In the interest of time, I'll now list some tools and resources and you can take it from there. Remember, if your attack targets the right area and is executed properly, a simple punch can be deadly. This is the power of OSINT.
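As an added example (not code from the original post), here is how "clues and phrases that suit a specific target" turn into a dictionary attack in practice. The script builds a targeted wordlist from a constructed OSINT profile (first and last name, mother's maiden name, birthday, children, pet, favorite team), applies the mangling rules people actually use (capitalization, leet substitutions, years, birth-date fragments, common suffixes, two-word combinations), and then recovers a hypothetical password from its SHA-256 hash in a few thousand guesses. The profile, the password `Rover2011!` and its hash are all made up for the illustration; the hash is computed inline so the example runs offline.

```python
"""Targeted wordlist generation from OSINT-derived facts (added example).

The profile, the target password and the hash below are constructed for
illustration only; nothing here comes from a real person or the original post.
"""
import hashlib
import itertools
from datetime import date

# Constructed OSINT profile of a hypothetical target: the kind of facts the
# post says you can pull from genealogy sites and social media.
PROFILE = {
    "first_name": "Jane",
    "last_name": "Doe",
    "mother_maiden": "Brennan",
    "birthday": date(1984, 7, 19),
    "children": ["Liam", "Ava"],
    "pet": "Rover",
    "team": "Cowboys",
}

SEPARATORS = ["", "_", ".", "-", "!"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def base_words(profile):
    """Seed words drawn directly from the profile, lower-cased."""
    words = [profile["first_name"], profile["last_name"], profile["mother_maiden"],
             profile["pet"], profile["team"], *profile["children"]]
    return [w.lower() for w in words]


def date_tokens(d):
    """Common ways a birth date shows up in passwords and PINs."""
    return {
        d.strftime("%Y"), d.strftime("%y"),
        d.strftime("%m%d"), d.strftime("%d%m"),
        d.strftime("%m%d%y"), d.strftime("%d%m%y"),
        d.strftime("%m%d%Y"), d.strftime("%Y%m%d"),
    }


def mangle(word):
    """Case and leet variations of a single word."""
    variants = {word, word.capitalize(), word.upper()}
    variants |= {v.translate(LEET) for v in list(variants)}
    return variants


def generate_wordlist(profile):
    """Build an ordered, de-duplicated candidate list from the profile."""
    words = base_words(profile)
    dates = sorted(date_tokens(profile["birthday"]))
    # Years from the target's birth year up to now: birth years of children,
    # graduation years and so on are frequent password suffixes.
    years = [str(y) for y in range(profile["birthday"].year, date.today().year + 1)]
    suffixes = ["", "1", "12", "123", "!", "1!", "#"]
    suffixes += [n + t for n in dates + years for t in ("", "!")]
    candidates, seen = [], set()

    def add(c):
        if c not in seen:
            seen.add(c)
            candidates.append(c)

    for d in dates:                      # bare date fragments double as PIN guesses
        add(d)
    for w in words:                      # single word + suffix
        for v in sorted(mangle(w)):
            for s in suffixes:
                add(v + s)
    for a, b in itertools.permutations(words, 2):   # two-word combinations
        for sep in SEPARATORS:
            for s in ["", "!", "1"] + dates[:4]:
                add(a.capitalize() + sep + b.capitalize() + s)
                add(a + sep + b + s)
    return candidates


def crack(target_sha256, wordlist):
    """Return (password, guesses) on a hit, or (None, len(wordlist)) on a miss."""
    for i, cand in enumerate(wordlist, 1):
        if hashlib.sha256(cand.encode()).hexdigest() == target_sha256:
            return cand, i
    return None, len(wordlist)


# Constructed target: the SHA-256 of "Rover2011!", a password this profile
# suggests (pet name + a plausible child's birth year + "!").
TARGET_HASH = hashlib.sha256(b"Rover2011!").hexdigest()

if __name__ == "__main__":
    wl = generate_wordlist(PROFILE)
    pw, guesses = crack(TARGET_HASH, wl)
    # A blind brute force of a 10-character printable password is 95**10 guesses.
    print(f"{len(wl)} candidates; recovered {pw!r} after {guesses} guesses")
```

The unsalted SHA-256 is only there to keep the example self-contained; against a real capture you would feed the same wordlist to hashcat or John the Ripper, and their rule engines (or tools like CUPP) generate far richer mangling than the handful of rules above. The defensive lesson is the one the post draws: anything discoverable about you is a poor password ingredient, and systems that store passwords should use a slow, salted hash so that even a good targeted list costs the attacker real time.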
- Search engines and social media: sometimes a simple Google or Facebook search gives you everything you need to talk your way into a company mixer and gather further intel.
- The Social Engineering Framework: an outstanding collection of modern concepts and books, and really a one-stop shop for the tools you need.
- Shodan: the world's first search engine for devices connected to the internet. Instead of searching for words or people, you search the service banners Shodan collects from those devices, filtering by port, product, organization or location. This is an amazing resource, but be warned: you may be tempted by the dark side once you go there.
- Video: The Basics of Lock Picking, DEF CON 13
- Google Dorking: using advanced search operators such as site:, filetype:, inurl: and intitle: to narrow a search to exposed documents, login pages and misconfigured servers.
- Dradis Framework: a collaboration and reporting tool that provides a centralized repository of findings you can use and share.
- Maltego: provides a library of transforms for discovering data from open sources and visualizing it as a graph, suitable for link analysis and data mining.
- TinEye: reverse image search that crawls the web to find where else an image appears online.