The organization's public website, usually used for marketing purposes, is a potential resource for OSINT. Most sites have an "About" page that can reveal more about the purpose, goals, and nature of an organization. Even if no overt "About" page exists, most public marketing sites still use other methods to inform the reader about the organization's products and services. In doing so, the organization may also reveal key information that could support your pen test.
Marketing websites commonly provide the following information that may be of use to a pen tester:
- A list of C-suite, upper-management, or other high-profile personnel in the organization.
- Upcoming events hosted by or attended by the organization.
- Forms to fill out to receive more information on products and services the organization offers.
- User forums and other community-driven content.
- Additional contact information beyond what you'd find in a Whois query.
- Links to the organization's social media profiles.
An organization's main public website will not necessary be a standard marketing site. For example, Amazon's most public-facing domain is an online storefront. Government organizations and educational institutions may host purely informational sites. What you'll glean from an organization's public site depends on what organization you're targeting, and you should never expect to learn everything possible from this one site alone.
An organization's primary website for public consumption is not the only website that might help you gather background information about the organization. The following are other potential sites that might reveal actionable information:
- Secondary sites, like those meant for use by employees or specific customers in a business-to-business sales scenario.
- Subdomains of primary sites that aren't directly linked or easily visible from the primary site, like administrative portals.
- Websites owned and/or operated by partner organizations, like a supplier that a retail vendor often contracts with.
- Websites of the target organization's subsidiaries; or, conversely, the target's parent organization.
- Social media profiles that are used as another (or perhaps, primary) marketing outlet for the organization.
While a related website might not provide you with the same level of OSINT as the primary site, it may still provide you with extra details that you wouldn't otherwise have obtained. A partner site might reveal more about the partner's relationship with the target organization, possibly enough for you to attempt to use the partner as a vector (assuming this is within scope). For example, the Target breach of 2014 was made possible because the attacker(s) stole network credentials from the retailer's third-party HVAC provider.