Open Source Intelligence (OSINT) is the set of skills used for reconnaissance and data gathering from publicly available information (e.g., search engines, public repositories, social media) to gain in-depth knowledge of a topic or target. When conducting an OSINT exercise in preparation for a penetration test, the testers may want to operate in a clandestine manner so as not to disclose their presence.

OSINT Process Steps:

  • Source identification
  • Harvesting (Active or Passive Reconnaissance)
  • Data Analysis
  • Processing
  • Results Delivery

Types of Reconnaissance:

  • Passive reconnaissance – an attempt to gain information about targeted computers and networks using publicly available resources, without actively engaging with the systems.
  • Active reconnaissance – a type of computer attack in which an intruder engages directly with the targeted system to gather information about vulnerabilities.

Types of Data:

  • Geo-location
  • Technology infrastructure
    • IP, Hostnames, Services, Networks
    • Software / hardware versions, OS information
    • Network diagram
    • Databases
  • Documentation
    • papers, articles, blogs, presentations, spreadsheets and configuration files
  • Metadata
  • Personnel Info:
    • Employee data (Email and other personal information)
    • Social Media

Recommended Tools:

Scanning Tools:

  • OSINT Framework – queries free search engines, resources, and tools for publicly available info.
  • Maltego – included in Kali Linux; collects footprints of any target.
  • Google Dorks – ways to query Google for specific information using search operators that may be useful.
  • Nmap – open source utility used for security auditing and network exploration across local and remote hosts.
  • Recon-ng – built into the Kali Linux distribution; used to perform reconnaissance on remote targets.
  • Shodan – network security monitor and search engine focused on the deep web and the Internet of Things.
  • OpenVAS (Open Vulnerability Assessment System) – open source fork of Nessus used as a vulnerability scanner and security manager.
  • Fierce – IP and DNS recon tool written in Perl for finding target IPs associated with domain names.
  • FOCA (Fingerprinting Organizations with Collected Archives) – analyzes web servers and their hidden information. Collects data from MS Office, OpenOffice, PDF, Adobe InDesign, SVG and GIF files. Works with Google, Bing and DuckDuckGo.
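The "Metadata" entry under Types of Data and the FOCA description above both come down to the same exposure: documents an organization publishes carry author names, usernames, company names and software versions in their properties. The script below is an added example, not from the original page or from the FOCA project, written from the publisher's side: it builds a minimal Office Open XML (.docx) file in memory with constructed metadata, extracts the properties an OSINT collector would harvest, and shows how to strip them before release. The list of fields treated as leaks is an assumption for this illustration; the core.xml and app.xml part names and namespaces are those defined by the OOXML standard.

```python
"""Audit and strip OOXML (.docx/.xlsx/.pptx) metadata before publishing.

Added example, not from the original page or from FOCA. The sample document
is constructed in memory (it is not a full, Word-openable file), and the set
of fields treated as leaks is an assumption for this illustration.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample metadata, in the real OOXML core/app property layouts.
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/">
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>
  <dcterms:created>2024-01-02T09:00:00Z</dcterms:created>
</cp:coreProperties>"""

APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp</Company>
  <Template>Normal.dotm</Template>
</Properties>"""

# Replacement parts with no properties at all, used when stripping.
EMPTY_CORE = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
              'package/2006/metadata/core-properties"/>')
EMPTY_APP = ('<Properties xmlns="http://schemas.openxmlformats.org/'
             'officeDocument/2006/extended-properties"/>')

# Assumed: these properties identify people, the organization or its software.
LEAK_FIELDS = {"core:creator", "core:lastModifiedBy",
               "app:Company", "app:Application", "app:AppVersion", "app:Template"}


def build_sample_docx():
    """Return bytes of a minimal zip laid out like a .docx (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def _properties(xml_bytes, prefix):
    """Map each non-empty child element of a properties part to prefix:localname."""
    root = ET.fromstring(xml_bytes)
    found = {}
    for child in root:
        local = child.tag.split("}", 1)[-1]  # drop the {namespace} part
        if child.text and child.text.strip():
            found[f"{prefix}:{local}"] = child.text.strip()
    return found


def extract_metadata(docx_bytes):
    """Collect core and extended properties, the way a metadata harvester would."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            meta.update(_properties(z.read("docProps/core.xml"), "core"))
        if "docProps/app.xml" in names:
            meta.update(_properties(z.read("docProps/app.xml"), "app"))
    return meta


def leaked_fields(meta):
    """Subset of the metadata that should not leave the organization."""
    return {k: v for k, v in meta.items() if k in LEAK_FIELDS}


def strip_metadata(docx_bytes):
    """Rewrite the package with empty property parts; all other parts are kept."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                data = EMPTY_CORE
            elif item.filename == "docProps/app.xml":
                data = EMPTY_APP
            dst.writestr(item.filename, data)
    return out.getvalue()


def part_names(docx_bytes):
    """List the parts inside the package (used to confirm content survives stripping)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return sorted(z.namelist())


if __name__ == "__main__":
    doc = build_sample_docx()
    for k, v in leaked_fields(extract_metadata(doc)).items():
        print(f"leak: {k} = {v}")
    print("after strip:", leaked_fields(extract_metadata(strip_metadata(doc))))
```

Pointed at real files (replace `build_sample_docx()` with `open(path, "rb").read()`), the same extractor enumerates what FOCA-style collection would learn from a document, and the strip step is the corresponding mitigation to run in the publishing pipeline. PDF, InDesign and image formats carry their own metadata containers and need format-specific handling that this example does not cover.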

Reference:

  1. YouTube: 'Solving CTF Challenges: Reconnaissance' (57:25)
  2. YouTube: 'Open Source Intelligence 101' (46:49)
  3. YouTube: 'HackMiami ' – OSINT 101 with Buscador and Maltego'
  4. YouTube: 'Information Gathering with Kali Linux: Use Maltego to Gather & Visualize Information' (packtpub.com)
  5. 'How Can You Build Your Cyber Skills By Open Source Intelligence' (Medium)
  6. OSINT Treasure Trove