Data is key and it is everywhere
OSINT is using any tool to collect and analyze publicly accessible data. Sources can be divided into six categories:
- Media: newspapers, magazines, television, radio
- Internet: blogs, user created content, social media websites, and message boards
- Public Government Data: court documents, land deeds, census, press conferences, websites, and speeches
- Professional and Academic Publications: journals, academic papers, symposia, and dissertations
- Commercial Data: satellite imagery, financial and industrial assessments
- Grey Literature: business documents, newsletters, technical reports, and patents
Record as much information about your target as possible.
Use Google Earth and Maps for physical recon.
Start a TECHNICAL map of systems/technologies/methodologies of target
e.g. Facebook, Twitter, LinkedIn, Google+, Instagram
LinkedIn gives real names to Twitter accounts!
Search social networks, public sites, and visit the company websites. See if they leak information on what systems they are using. Search job boards for tech stacks.
Look for current projects, trips to conferences, phone numbers, and email addresses. Craft phishing and impersonation attacks.
Search for Company contracts with the US Government or other public entities.
Run whois and get
- Owner name
- Street addresses
- Email addresses
- Technical contacts
Double check target's sites
- Products
- Services
- Technologies
- Company culture
- Board members, profiles
- Current/future projects/products
- Suppliers
- Job Vacancies, etc
Look at target's email pattern and record points of contact
- name.surname@company.com
- surname.name@company.com
- [first letter of name]surname@company.com
Send fake advertisement email for testing email formats
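Seen from the receiving side, format testing shows up in mail-gateway logs as one sender trying several of the patterns above for the same person. The check below is an added example, not part of the original notes: it assumes a gateway log reduced to (sender, recipient, accepted) tuples, and the staff list, senders and log lines are constructed sample data.

```python
from collections import defaultdict

# Constructed staff directory (first name, surname); load your own in practice.
STAFF = [("john", "smith"), ("maria", "lopez")]

# Constructed mail-gateway records: (envelope sender, recipient, accepted?)
LOG = [
    ("promo@ads.example", "john.smith@company.com", False),
    ("promo@ads.example", "smith.john@company.com", False),
    ("promo@ads.example", "jsmith@company.com", True),
    ("news@vendor.example", "mlopez@company.com", True),
    ("hr@partner.example", "john.smith@company.com", False),
]

def variants(first, last):
    """Local parts for the three address patterns listed in these notes."""
    return {f"{first}.{last}", f"{last}.{first}", f"{first[0]}{last}"}

def find_format_probing(log, staff, domain="company.com", threshold=2):
    """Flag senders that tried >= threshold distinct patterns for one person.

    Returns {sender: {employee: {"tried": [...], "accepted": [...]}}}.
    """
    owners = defaultdict(set)  # local part -> employees it could belong to
    for first, last in staff:
        for local in variants(first, last):
            owners[local].add(f"{first} {last}")

    # sender -> employee -> {local part: was any attempt accepted?}
    seen = defaultdict(lambda: defaultdict(dict))
    for sender, rcpt, accepted in log:
        local, _, dom = rcpt.lower().rpartition("@")
        if dom != domain:
            continue
        for employee in owners.get(local, ()):
            prev = seen[sender.lower()][employee].get(local, False)
            seen[sender.lower()][employee][local] = prev or accepted

    report = {}
    for sender, employees in seen.items():
        for employee, locals_ in employees.items():
            if len(locals_) >= threshold:
                report.setdefault(sender, {})[employee] = {
                    "tried": sorted(locals_),
                    "accepted": sorted(l for l, ok in locals_.items() if ok),
                }
    return report

if __name__ == "__main__":
    print(find_format_probing(LOG, STAFF))
```

An entry in "accepted" means the sender now knows which pattern is live, so later mail from that sender or its infrastructure to other staff deserves closer filtering.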
Google dork for leaked documents
References:

http://www.gsaelibrary.gsa.gov/



