OSINT Methodology [PART 1]

DRAGOWN
6 min read · Jan 3, 2024


There are so many articles about OSINT methodology. Although I have my personal one, I still find others beneficial, and I hope this one will be beneficial for you too, dear reader. This is my very first article here, so I need your support :) Let’s start.

First, we get the name of the company to conduct OSINT on. That gives us our starting point to work with.

Before actually starting, it is important to know that, despite the fact that OSINT is completely legal because it only uses information available through “open sources” (except data breaches), you still need to be careful with the information you find. This means that even if OSINT doesn’t touch information kept within the organization’s own databases, you should NEVER use the information you find against that company in any way. For example, finding an employee’s email address that is published is legal, but using that address to run a phishing campaign is clearly illegal.

My OSINT methodology is divided into 5 big categories:

  • General info
  • Network
  • Employees
  • Resources
  • Data breach

We don’t have a single OSINT target because my goal here is to present the methodology, not to perform free OSINT for any company :) So, I am going to use a different company for each category.

General Info

First, we need to gather as much information about the company as possible. This step only covers information that is not related to the company’s Internet presence, such as company name, category of business, founders, HQ, subsidiaries, CEO, registration number, branch locations, contacts (mobile numbers, info email), etc.

During this step, we will run OSINT on KFC using Google, and more specifically the Google search operator info:

info:kfc

Here we got information including a brief description, founders, founding date and location, headquarters, number of locations, social media and parent company — Yum! Brands.

The last one is the more important, as it shows us more information, such as subsidiary companies, CEO, CFO, CMO, COO, CTO and founder.

Besides this, we can gather public information from the FTC’s RN database (Registered Identification Numbers): https://rn.ftc.gov/Account/BasicSearch

Here we searched Samsung and got 5 records related to it, one of the results is SAMSUNG C&T AMERICA, INC. with RN 74299, including information such as physical and mail addresses (state, city, street, building, floor, ZIP code), website/domain name.

The website and domain name are another piece of gathered information, and they can feed the next steps.

As we have already mentioned the website and domain, we can move smoothly to the second category of our OSINT methodology: Network.

Network

The network OSINT phase includes gathering information such as the ASN (autonomous system number), DNS records, company-related subdomains, ports and services running on the company’s servers, certificates issued for the company, WHOIS information and historical WHOIS data.

Before looking up an ASN, we first need to find the ASN associated with the company. This is possible using https://bgp.he.net/dns/DOMAIN_NAME#_ipinfo. In our case, we got the ASN for facebook.com, AS32934. This ASN includes the IP range 157.240.22.0/24.

Now it is time to get more information from the AS number using https://asnlookup.com/, an online ASN lookup engine. But what kind of information does an ASN contain exactly? It lists the CIDR (Classless Inter-Domain Routing) prefixes announced by that AS; CIDR is the prefix/length notation (for example 157.240.22.0/24) used to allocate and route blocks of IP addresses. This means that we have discovered IP ranges that belong to the targeted company.

The list of IP addresses and IP ranges can be used for further OSINT steps, such as identifying the ports and services running on these IPs. This can be done using a powerful and famous OSINT tool, Shodan (https://www.shodan.io/).
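As an added example (not code from the original article): once an ASN lookup has given us the prefixes a company announces, a defender wants to know which of the hosts found during the later steps actually sit in that space and which are third-party hosting (CDN, SaaS). The script below attributes each resolved IP to the most specific announced prefix; the AS numbers and ranges are documentation values (RFC 5398 / RFC 5737 / RFC 3849), not real announcements.

```python
import ipaddress

# Constructed sample in the shape an ASN lookup returns: prefixes keyed by AS.
# These are documentation ASNs and ranges, not real routing data.
SAMPLE_PREFIXES = {
    "AS64496": ["192.0.2.0/24", "198.51.100.0/24", "2001:db8:1::/48"],
    "AS64497": ["198.51.100.128/25", "203.0.113.0/24"],
}


def build_prefix_table(prefixes_by_asn):
    """Parse every CIDR once, remembering which AS announces it."""
    table = []
    for asn, cidrs in prefixes_by_asn.items():
        for cidr in cidrs:
            table.append((ipaddress.ip_network(cidr, strict=False), asn))
    return table


def attribute_ips(prefixes_by_asn, ips):
    """Map each IP string to (asn, prefix) of the most specific match.

    Overlapping prefixes are resolved by longest prefix length, as a router
    would. Unparseable or unannounced addresses map to None, which is what
    you get for hosts living in someone else's address space.
    """
    table = build_prefix_table(prefixes_by_asn)
    result = {}
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            result[raw] = None  # not an IP at all (e.g. a stray hostname)
            continue
        best = None
        for net, asn in table:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (asn, net)
        result[raw] = (best[0], str(best[1])) if best else None
    return result


if __name__ == "__main__":
    sample_ips = ["192.0.2.10", "198.51.100.200", "198.51.100.5", "100.64.0.1"]
    for ip, owner in attribute_ips(SAMPLE_PREFIXES, sample_ips).items():
        print(f"{ip:>16}  ->  {owner}")
```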

In this step, we have to gather the open ports and running services of a company. This time the target is scanme.nmap.org. But we can’t search for ports and services using the domain, so we need to find the related IP address. This can be done with https://toolbox.googleapps.com/apps/dig/#A, and we see that the related IP is 45.33.32.156. Let’s put it in Shodan:

Here we see information such as the domain with related info, open ports with the running services and their versions, and potential vulnerabilities.

There is also Shodan’s sister, Censys.io, which gives useful information such as DNS, routing, OS, and ports and services.

Also, as you can see, there is a fingerprint string, which is the SSH server host key fingerprint specific to this host; if you click it, you will find the addresses related to this host key:

Censys.io has another useful function, discovering servers with a specific certificate fingerprint. To present it, we can target example.com.

We can use this fingerprint to find whether any other host uses the same certificate.

This reveals other domains with different TLDs (.edu, .net, etc.), which means there could be other subdomains, each running different services:

Since we mentioned subdomains, there are more effective ways of discovering them. We start with crt.sh. Yes, it is a website that keeps a searchable record of issued certificates.

In our example we betrayed shodan.io :’( and discovered certificates that were issued for its various subdomains. In this case, as already mentioned, we are more focused on the subdomains themselves. After gathering the subdomains, we can analyze them in the further OSINT steps.
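As an added example (not code from the original article): crt.sh can also return its results as JSON, where each record’s name_value field carries the certificate’s names separated by newlines. The script below turns such a response into a subdomain inventory for one domain, dropping names of other domains that merely share a certificate, and flags hosts whose every certificate has expired, which a defender would check as possibly forgotten infrastructure. The sample response is constructed, not a real crt.sh result.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh JSON output
# (https://crt.sh/?q=%25.example.com&output=json). Real records carry more
# fields; only name_value (newline-separated names) and not_after are used.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2025-06-01T00:00:00"},
    {"common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\ndev.example.com",
     "not_after": "2024-01-01T00:00:00"},
    {"common_name": "legacy-vpn.example.com",
     "name_value": "legacy-vpn.example.com",
     "not_after": "2022-03-15T00:00:00"},
    {"common_name": "shared.example.net",
     "name_value": "shared.example.net\nMail.Example.COM",
     "not_after": "2025-09-01T00:00:00"},
])


def _normalise(name):
    """Lower-case a certificate name and drop a leading wildcard label."""
    name = name.strip().lower()
    return name[2:] if name.startswith("*.") else name


def subdomains_from_crtsh(raw_json, domain, today_iso):
    """Return {hostname: has_unexpired_cert} for hosts under `domain`.

    Names belonging to other domains on a shared certificate are skipped,
    so the result describes `domain` itself rather than its neighbours.
    `today_iso` is the reference date used to decide what counts as expired.
    """
    domain = domain.lower()
    today = datetime.fromisoformat(today_iso)
    inventory = {}
    for entry in json.loads(raw_json):
        still_valid = datetime.fromisoformat(entry["not_after"]) > today
        for raw in entry["name_value"].split("\n"):
            host = _normalise(raw)
            if host != domain and not host.endswith("." + domain):
                continue  # a different domain sharing the certificate
            inventory[host] = inventory.get(host, False) or still_valid
    return dict(sorted(inventory.items()))


if __name__ == "__main__":
    inv = subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com", "2024-06-01T00:00:00")
    for host, live in inv.items():
        print(f"{host:<28} {'current cert' if live else 'only expired certs'}")
```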

Also, you can use https://otx.alienvault.com/indicator/domain/DOMAIN.TLD to discover more subdomains:

Besides, we can go back to Google for subdomain enumeration using Google dorking, and more specifically the search operator:

site:*.DOMAIN.TLD

And as you can see below, we betrayed censys.io too :’( revealing some interesting subdomains.

This isn’t everything. We can use https://securitytrails.com which has more features than just finding subdomains, but still…

And we betrayed SecurityTrails.com using itself :’( discovering its subdomains. But who is behind all this network and DNS stuff? Hey? Anybody? Heya!

Using https://www.whoxy.com/ we can see current and historical WHOIS records. In our case, we searched for Uber.com.

This is the current info, but if we look at the historical WHOIS, we will see who owned this domain in the past:

Let’s see these 2 domains related to UberCab, Inc:

Most probably, uberinternal.com is no more accessib… O_O Okay, that was not the case. Here I am just presenting the OSINT methodology.

That’s all for the PART 1. See you in the next one :)

Thank you for reading :) You can find me on LinkedIn :)


Written by DRAGOWN

Giorgi Dograshvili - Professional Penetration Tester certified with OSCP+ | eCPPT | eJPT | CEH | SEC+ | KLCP. He has registered several high-severity CVEs.