OSINT stands for Open Source Intelligence. In this article we cover the most important OSINT tools for a security researcher. Basically, OSINT tools are used in the reconnaissance phase to gather as much information about the target as possible. These tools have an artificial intelligence to mine data from the web about all possible matches to our target. This narrows down our reconnaissance process. We wouldn’t have a huge permutation and combination to do with respect to the information gathered. This leads to an effective combination of classical social engineering attack on the target which in turn can be used to harvest more information. This can also be used for effective target discovery and spear phishing attacks.
Maltego
Maltego is an extremely powerful OSINT framework. It’s broadly classified into Infrastructural reconnaissance and personal reconnaissance. In the infrastructural part, it lets us gather a lot of juicy data about the target organization, email ID of employees, confidential files which are handled carelessly, internal phone numbers, DNS records, IP address information, Geo location of the network, MX servers and so on. The transformations as it is called in maltego needs to be creative and thoughtful to get complete result. Personal reconnaissance on the other hand helps us harvest person specific information. Social networking activity, email ID, website related to a person, phone number associated etc. This happens with the use of search engines on the internet which maltego effectively communicates to gather these information.
Shodan
Shodan stands for Sentient Hyper Optimized Data Access Network. It was developed by John Matherly. Normally a search engine crawls the website to display results, whereas Shodan tried to grab data from the ports. It comes in two versions – free and paid. Free version gives 50 results. For more results we need to buy the subscription. Creative usage of this tool helps us to find the vulnerable services in a web server, which is a very important aspect of Vulnerability Assessment phase. Various filters like country, port, Operating system and host names are available with this tool.
Metagoofil
Metagoofil is a very powerful information gathering tool by Edge Security. It basically is used to extract meta data from the target. It supports various file types like pdf, doc, xls, ppt etc. This can also be used to extract MAC Address from these files, and thus it gives the attacker a fair idea, about what kind of network hardware is being used at the target. Based on the intuition of the attacker this tool can be used for guessing Operating system, network names etc. This can also be used to perform brute force attack by gathering enough data from the meta data of the files. With the meta data, its possible to extract various path information, which can be used to map the network. The results are displayed in HTML format.
GHDB
GHDB stands for Google Hacking DataBase. Google is the most powerful tool for a user to perform attacks. Using google, a sqli on a random website can be performed within 0.2 google seconds. Specially crafted words given as input to google are named as Dorks a.k.a google dorks. These dorks can be used to reveal vulnerable servers on the internet, it can be used to used to gather sensitive data, files that are uploaded, sub domains etc. Effective usage of GHDB can make half the hack easier. Exploit DB maintains a collection of google dorks under a section called as GHDB.
THE FOCA!
The FOCA is a network infrastructure mapping tool. It can analyse meta data from various files like doc, pdf, ppt etc . It can also enumerate users, folders, emails, software used, Operating system etc. There are customization options available in the tool too. For more juicy information and details about insercure methods, there is a crawl option provided. The meta data can be extracted from a single file or from multiple files. Thus FOCA is a great tool in the reconnaissance phase to extract information from the metadata.
EXIF Data viewers
Smartphones and digital cameras use a standard to specify formats for images and sounds that are recorded using them. This standard is called Exchangeable Image File Format. Various EXIF data viewers are available. They include details like type of camera, focal length, type lens etc. Most importantly, they contain the Geo location information within them. In fact, by default all smartphones have the GPS setting switched ON. So this can potentially leak your location where the image was taken. The accuracy is such that the latitude and longitude will be provided when extracting the EXIF data, thus leaking very private information.
Social Engineer Toolkit
Social Engineering Toolkit is an open source tool to perform online social engineering attacks. The tool can be used for various attack scenarios like spear phishing, website attack vectors. This tool works with integration to metasploit. It enables us to perform client side attacks and harvest credentials seamlessly. It also lets you backdoor an executable and send it to the victim. It creates fake login pages of a given website automatically and spawns a server to listen to coming back connections.
Cyberstalking tools for Reconnaisance
Lots of tools available online can be used to find the information that is available in public about a particular person. Peekyou and lullar sites helps us gather information about a person that is available on various social networking sites. Waybackmachine is another website, which can be used to find previous versions of the webpage, i.e. we get to see how a webpage looked n years ago. These come particularly handy to execute a social engineering attack. Edgar files is another website that allows us to see few not so common files and information corresponding to various organizations. We also have yougetsignal to check for phone numbers, IP addresses, who is data, geo location, tracing etc.
Passive Recon
Mozilla firefox has a lot of security add-ons in the form of plugins. One such powerful OSINT plugin is Passive Recon. As the name suggests, this tool does not query the domain directly. In fact it looks up all the look-ups and public databases for gathering as much information as possible about the target. It provides who-is information, MX records, DNS information etc passively. The best part is that the owner of the domain you are querying is not alerted due to its passive nature.
