Open Source Intelligence Techniques


Reconnaissance is considered the first stage in any cybersecurity activity, if you are a red-teamer you will first identify your target, gather information about the target’s history, services, activities, and will try to know the people who work there. 


Also, if you are a blue team player and investigating after a cyber attack you will first try to gather information to know what this cyber attack was targeting and will try to gather the leads to find who was behind it. 


The two previous examples show the importance of information and confirm that “Knowledge is Power”.


Reconnaissance can take many formats but it can be classified into active and passive information gathering, active means you are interacting with the target, if the target is a person then you may talk to him, if the target is a device you are scanning it, etc. 


Passive information gathering is gathering public information about a target, the target will not know you are targeting it. 


We can say you are collecting data from open sources then perform your analysis to figure out new facts about the target and that is known as “OSINT” the open-source intelligence which is used by national security, law enforcement, and business intelligence functions.


In this article, we will discuss what open-source intelligence is, what it is used for, the most famous tools and techniques, and how it can help in a cyberattack. We will also showcase an example from a challenge on our platform.

What is Open Source Intelligence? 

According to the U.S Department of Defense and the U.S Director of National Intelligence, OSINT is defined as “Intelligence produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement."


As we have mentioned earlier, it depends in most cases on Publicly shared information, collecting the data can be useless if the one who is performing this operation is not smart enough to gather the leads together and have a better understanding of the full picture. He can deduce things depending on what we have and it will probably be true. 


For example: If the attacker knows that the target loves coffee too much, he knows where the target lives as he shared it before on social media. The attacker searched for the target’s home location and found out it is near Starbucks. So although the target didn’t share about Starbucks before, the attacker concluded this and started building a plan to perform a social-engineering attack against him at the planned place. 


This was just a simple example of what can an attacker find out about you from the information you have shared on purpose publicly.


According to OWASP, the OSINT process can have the following components:

1- Identifying the source 

Where you can find the information, which means for example identifying a company's websites and domains.

2- Harvesting

It's time to get relevant data from the identified source.

3- Data processing 

Process the acquired data and get meaningful information.

4- Data analysis

Connect data acquired from multiple sources. This is the most important step in the process and what can lead to different results from one team to another depending on their analysis skills.

5- Reporting 

Create a final report to document all you have found out about the target.

What is Open Source Intelligence used for? 

OSINT is used by a lot of authorities to perform investigations on targets like criminals, they can track them and keep following the leads until they find the truth.  


OSINT is also used by the cybersecurity community by attackers and defenders


Attackers can use it to gather information about the target and identify weaknesses so they can drive a plan to exploit it. 


Defenders can use OSINT to see what is exposed online and can be abused by bad guys so they can fix it.

We can mention some examples here:

  • You capture an image by your personal mobile phone and you don't reveal some information like mobile type, date captured, and other metadata.
  • You upload something personal online for a while then when you realize it, you delete it. You don’t know that the Wayback machine can already have snapshots of it.
  • You share your birthday and birthplace publicly and that can also be the answer to verification at your bank.


You can try this challenge as a practice to showcase what we know from just a username.  A simple tool called sherlock can help us hunt this username on social media platforms.

What are Open Source Intelligence Tools?

In the following section, we will discuss the most famous OSINT tools used by the cybersecurity community:

1- The OSINT framework

One of the most famous frameworks that contain a collection of tools to perform OSINT for usernames, emails, websites, networks and more is The OSINT framework.

2- HaveIbeenPwned

This website contains many breached databases so people can add their email/phone to see if they had appeared in a breach or not. Also, attackers can use it to find if the target information has been breached before or not. If the answer is yes, he may try to access the user accounts if the breached password is still valid.

3- Maltego

One of the most used tools to perform OSINT is Maltego. It searches thousands of online data sources, and uses extremely clever “transforms” to convert one piece of information into another.


For example, if we are performing a user information gathering campaign, we could submit an email address, and through various automated searches, “transform” that into an associated phone number or street address. 


During an organizational information gathering exercise, we could submit a domain name and “transform” that into a web server, then a list of email addresses, then a list of associated social media accounts, and then into a potential password list for that email account. The combinations are endless.

4- Recon-ng

Recon-ng is a featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open-source web-based reconnaissance quickly and thoroughly. 


Recon-ng displays the results of a module to the terminal but it also stores them in a database. Much of the power of recon-ng lies in feeding the results of one module into another, allowing us to quickly expand the scope of our information gathering.

5- the Harvester

theHarvester tool is used to gather email addresses from a given domain using a given search engine.

6- Shodan

Shodan is a great website to see what assets are exposed online, it is a network security monitor and search engine focused on the deep web and the internet of things(IoT). You can find public cameras, vulnerable servers, exposed services, and much more. It is one of the primary things in a hacker quiver. You can read more about it here

7- Spyse

Spyse works like shodan, it is a cybersecurity search engine for obtaining technical information that can also be used by hackers in the cyber reconnaissance phase.

8- Intelligence X

Intelligence X is a search engine and data archive. Search Tor, I2P, data leaks, and the public web by email, domain, IP, CIDR, Bitcoin address, and more.

9- SpiderFoot

Spiderfoot uses many OSINT resources to grab emails, names, IP addresses, and other information then will try to link them together to get the relations between them.


And according to the documentation, SpiderFoot can be used :

- Offensively (e.g. in a red team exercise or penetration test) for reconnaissance of your target 

- Defensively to gather information about what you or your organization might have exposed over the Internet

10- Creepy

According to the official site, Creepy is a geolocation OSINT Tool that gathers geolocation related information from online sources and allows for presentation on the map, search filtering based on the exact location and/or date, export in CSV format or kml for further analysis in Google Maps

11- Holehe

Holehe is a tool used to check if an email is attached to an account on sites like Twitter, Instagram, Imgur, and more than 120 others.

12- GHunt

Ghunt is a tool that can be used to investigate google accounts, documents, Youtube channels, and other google related objects.

How can OSINT help in Launching a Cyber-attack? 

As OSINT involves the retrieval of publicly available information, sometimes the attackers also look for the unintentionally disclosed sensitive data that may help in starting an attack. So, once the attacker has collected enough information about a target, he can start creating his plan to interact with the target. After Collecting this data, attackers can use it in many ways like:

Social Engineering Attacks

He knows the target’s interests, personal information like birthdays and birthplace, some hobbies shared on Facebook, where the target works on LinkedIn, what are his favorite places on Instagram, and so on.


It depends on the data he has so for example if the target is a software developer and an employee at the same place asked security-related questions about a technology his company uses, an attacker can start the conversation and end it having a lot of information about the target.


An attacker can also have some understanding of the target’s personality so he can kind of predict his responses to some actions. For example, if the target shared before he hated dogs so if someone walks near him with a dog he will walk away from it. 


The plan may need the attacker to speak to the target in person, that’s why the previous point is very important. Occupying with the target’s information, the attacker can lead the conversation achieving his goals and maybe even more.

Phishing attacks

If the attacker knows your interests then he can easily determine how he can plan a phishing attack against you. For example, if the target is a football geek then receiving a well-formatted mail asking to click this link and predict the result of an upcoming match and win a money prize will probably trigger the victim to press the link and answer questions that the attacker has added to make it look legitimate. 


Clicking on that link has already achieved the attacker's goal to install malware or a malicious program or collect data from a device and send it to a remote server. And of course, if the target has installed this program on the work’s device that will cause more damage.


Phishing attacks can be avoided by performing awareness sessions for the company employees so they can make the right call when they are against a phishing email. Check companies training here provided by CyberTalents.


In the end, you can avoid being a victim of your publicly shared information by being careful about what are you posting and who you are sharing this stuff with.


Learn more about cybersecurity by exploring more articles here.