OSINT for Red Teaming

Open-source intelligence (OSINT) is a critical component of reconnaissance. OSINT involves gathering information from publicly available sources, such as social media, news articles, and company websites. It can be used to gather information about the target's employees, partners, and vendors. It also helps Red Teamers to understand the target's business model, organizational structure, and security posture.

OSINT can provide Red Teamers with a wealth of information that is not available through other reconnaissance methods. It can help to identify potential attack vectors and vulnerabilities that may be exploited during a Red Teaming exercise. OSINT also helps to provide context for the target's digital footprint, making it easier to plan and execute successful attacks.

Benefits of OSINT gathering

The benefits of OSINT gathering for Red Teaming include:

  • Identifying potential attack vectors and vulnerabilities.

  • Providing context for the target's digital footprint.

  • Understanding the target's business model and organizational structure.

  • Gathering information about the target's employees, partners, and vendors.

  • Enhancing the overall effectiveness of the Red Teaming exercise.

Sources of OSINT

OSINT can be gathered from a wide range of sources, including:

Cyber security search engines: Cyber security search engines are a valuable source of information for Red Teamers during the reconnaissance phase. These search engines are specifically designed to search the internet for sensitive and confidential information that may have been leaked or exposed. The information gathered through these search engines can be used to identify potential attack vectors and vulnerabilities that may be exploited during a Red Teaming exercise.

Examples of cyber security search engines include:

  • Dehashed.com: Dehashed.com is a popular cyber security search engine that allows users to search for leaked credentials, email addresses, and other sensitive information. The platform uses a combination of data breaches and other publicly available sources to build its database.

  • Intelx.io: Intelx.io is a comprehensive cyber security search engine that allows users to search for a wide range of information, including domain names, email addresses, IP addresses, and leaked credentials. The platform uses a combination of data breaches, dark web sources, and other publicly available sources to build its database.

  • Shodan.io: Shodan.io is a search engine designed specifically for internet-connected devices. The platform allows users to search for a wide range of devices, including routers, cameras, and IoT devices. Shodan.io can be used to identify vulnerable devices and services that may be exploited during a Red Teaming exercise.

  • Censys.io: Censys.io is another search engine designed specifically for internet-connected devices. The platform allows users to search for a wide range of devices, including web servers, databases, and IoT devices. Censys.io can be used to identify potential vulnerabilities and misconfigurations that may be exploited during a Red Teaming exercise.

Some of these search engines are free and others are paid, but all play a crucial role in the OSINT process. However, their use must comply with ethical standards and the law. Proper authorization must be obtained, and the information gathered must be used solely for the Red Teaming exercise.

Open-Source Intelligence Tools: Open-source intelligence tools like Maltego, SpiderFoot, and Recon-ng can be used to gather information from a wide range of sources. These tools can automate the OSINT gathering process and provide Red Teamers with a comprehensive view of the target's digital footprint.

Some Free and Paid Tools

Open-source intelligence (OSINT) plays a crucial role in reconnaissance, providing insight into the target organization. A wide range of free and paid OSINT tools is available to Red Teamers for gathering actionable intelligence. The following is a selection of these tools, covering both freely accessible options and paid solutions.

Maltego: Maltego is a popular open-source intelligence tool used for OSINT gathering. The platform provides a range of tools and features for gathering information about the target, including domain names, IP addresses, social media profiles, and email addresses. Maltego uses a variety of sources to gather information, including search engines, social media platforms, and public databases. The platform also provides a range of visualizations and analysis tools to help Red Teamers identify potential vulnerabilities and attack vectors. Maltego is available in both free and paid versions.

SpiderFoot: SpiderFoot is another popular open-source intelligence tool used for OSINT gathering. The platform is designed to automate the process of gathering information from a wide range of sources, including search engines, social media platforms, and public databases. SpiderFoot can be used to gather information about the target's domain names, IP addresses, email addresses, and social media profiles. The platform also provides a range of analysis and visualization tools to help Red Teamers identify potential vulnerabilities and attack vectors. SpiderFoot is available as a free, open-source tool.

Both Maltego and SpiderFoot are valuable tools for Red Teamers during the reconnaissance phase. They automate the process of gathering OSINT and provide Red Teamers with a comprehensive view of the target's digital footprint. However, their use must comply with ethical standards and the law. Proper authorization must be obtained, and the information gathered must be used solely for the Red Teaming exercise.

Screenshots of some of these tools:

Maltego:

SpiderFoot:

Social media platforms: Social media platforms like LinkedIn, Facebook, and Twitter are valuable sources of information about the target's employees, partners, and customers. These platforms can be used to gather information about the target's organizational structure, business model, and critical assets.

News articles: News articles can provide valuable information about the target's business activities, partnerships, and vulnerabilities. News articles can be found using search engines like Google and Bing, and news aggregators like Feedly and Flipboard.

Company websites: Company websites can provide detailed information about the target's organizational structure, products, services, and partners. Company websites can be used to identify potential vulnerabilities in the target's web applications and systems.

Government websites: Government websites can provide information about the target's regulatory and compliance requirements, as well as any vulnerabilities that may be exploited.

Google Dorking: Google Dorking is the process of using advanced search operators to find specific information on the Internet. Google Dorking can be used to find vulnerable web applications, login pages, and database files.

Social engineering: Social engineering techniques like phishing and pretexting can be used to gather sensitive information from employees and partners. These techniques rely on fake emails, websites, and phone calls designed to trick individuals into disclosing sensitive information.

Passive DNS: Passive DNS involves collecting and analyzing DNS data to identify patterns and relationships between domains and IP addresses. Passive DNS can be used to identify potential entry points into the target's network.

Domain Name System (DNS) enumeration: DNS enumeration involves gathering information about the target's DNS servers and domain names. This information can be used to identify potential entry points into the target's network.
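The passive DNS and DNS enumeration points above, as an added example (not from the original page or any of the tools it names): a small offline analysis over a constructed set of passive DNS records in the JSON-lines style of the "Passive DNS - Common Output Format" draft. It enumerates the names observed under a zone, reconstructs the IP history of a host, and pivots on shared IPs to find outside names co-hosted with the zone; all domains and addresses are made up, and the zone name "example.com" is an assumption for illustration.

```python
import json
from collections import defaultdict

# Constructed sample passive DNS data (one JSON object per line, fields modelled
# on the Passive DNS Common Output Format). Names are made up; IPs are RFC 5737 ranges.
SAMPLE_PDNS = """
{"rrname": "www.example.com", "rrtype": "A", "rdata": "198.51.100.7", "time_first": 1600000000, "time_last": 1640995199, "count": 900}
{"rrname": "www.example.com", "rrtype": "A", "rdata": "203.0.113.10", "time_first": 1672531200, "time_last": 1704067199, "count": 5120}
{"rrname": "vpn.example.com", "rrtype": "A", "rdata": "203.0.113.20", "time_first": 1680000000, "time_last": 1704067199, "count": 312}
{"rrname": "example.com", "rrtype": "NS", "rdata": "ns1.example-dns.net", "time_first": 1500000000, "time_last": 1704067199, "count": 99000}
{"rrname": "example.com", "rrtype": "MX", "rdata": "mail.example.com", "time_first": 1500000000, "time_last": 1704067199, "count": 40000}
{"rrname": "mail.example.com", "rrtype": "A", "rdata": "203.0.113.10", "time_first": 1672531200, "time_last": 1704067199, "count": 8000}
{"rrname": "partner-site.example.net", "rrtype": "A", "rdata": "203.0.113.10", "time_first": 1690000000, "time_last": 1704067199, "count": 41}
{"rrname": "unrelated.example.org", "rrtype": "A", "rdata": "192.0.2.5", "time_first": 1690000000, "time_last": 1704067199, "count": 3}
"""

def load_records(text):
    """Parse JSON-lines passive DNS output into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def enumerate_zone(records, zone):
    """DNS enumeration view: every name observed under the zone, grouped by record type."""
    found = defaultdict(set)
    for r in records:
        if in_zone(r["rrname"], zone):
            found[r["rrtype"]].add(r["rrname"])
    return {t: sorted(names) for t, names in found.items()}

def historical_ips(records, name):
    """Every A record ever observed for a name, oldest first (tracks hosting changes)."""
    hits = [r for r in records if r["rrname"] == name and r["rrtype"] == "A"]
    return [r["rdata"] for r in sorted(hits, key=lambda r: r["time_first"])]

def shared_hosting(records, zone):
    """Passive DNS pivot: names outside the zone that resolved to an IP the zone also uses."""
    ip_to_names = defaultdict(set)
    for r in records:
        if r["rrtype"] == "A":
            ip_to_names[r["rdata"]].add(r["rrname"])
    return {ip: sorted(n for n in names if not in_zone(n, zone))
            for ip, names in ip_to_names.items()
            if any(in_zone(n, zone) for n in names)
            and not all(in_zone(n, zone) for n in names)}
```

The same functions work on real passive DNS exports as long as the records carry the rrname, rrtype, rdata and time_first fields used here.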

Shodan example:
