Open-source intelligence, or OSINT, is the collection and analysis of information gathered from public, openly available sources, and it is one of the key elements in understanding the security of today's Internet. The term came into use in the late 1980s, when US military agencies reassessed the nature of information requirements at the tactical level on the battlefield. Later, in 1992, the Intelligence Reorganization Act set out the basic principles of intelligence gathering, such as:
- It should be unbiased and objective
- Data must be available in publicly accessible sources
Target and Source Identification
First, the target is set. In this step the researcher identifies the potential sources from which information can be gathered; these sources are documented and stored continuously throughout the process.
In this step, the researcher gathers information from the selected sources, as well as from further sources discovered along the way.
Data Processing and Integration
In this step, the researcher processes the collected information, looking for anything that can help with enumeration.
In the final step, the OSINT analysis is completed and reported.
OSINT Framework, as the name suggests, is a collection of OSINT tools to ease your intelligence and data collection tasks.
This tool is mostly used by security researchers and penetration testers during the intelligence gathering or reconnaissance phase. The framework includes almost all OSINT tools.
It is a popular browser extension that lets you see how a website looked in the past; its data comes from archive.org. The plugin lets you discover the old look and contents of a web page and browse its images and text as if they were still there. This is highly effective for OSINT research, since an old version of a page can reveal sensitive data about products, companies, networks, domains, and IP addresses.
Here we see one of the early versions of securityforeveryone.com as an example.
Obtaining IP address, domain, and web hosting information is a priority for any security researcher investigating an organization. The IP Address and Domain Information plugin developed by Dnslytics covers all of these needs.
It is a search engine that stores the majority of data leaks shared on the Internet. It also supports username lookups, reverse phone number queries, and crypto wallet address queries.
This tool makes all online services on Hackertarget.com available from a single plugin. In the example below, you can see the ReverseIP query and the Nmap query for securityforeveryone.com.
Shodan is a search engine for all Internet-connected devices in the world. It works like Google, Yandex, and DuckDuckGo, but it indexes IoT devices instead of websites. Examples of such devices are servers, ICS/SCADA systems, databases, and IP cameras. Through this "attackers' search engine", systems still exposed with default username and password information can be found and accessed without authorization.
Google Dorking is one of the important resources for security researchers. It is used to find sensitive data and vulnerabilities that the Google search engine has indexed. All known dorks can be accessed through the Google Hacking Database (GHDB). With the help of these dorks, you can detect vulnerable server pages, misconfigured or default server pages, and sensitive data. Major Google Dorks:
- cache: shows the cached version of any website, e.g. cache: yok.gov.tr
- allintext: searches for specific text found anywhere on a web page, e.g. allintext: ID no
- allintitle: works exactly like allintext, but matches pages whose titles contain all the given terms, e.g. allintitle:"credit debts"
- filetype: restricts results to a given file extension; for example, to search only PDF files use filetype:pdf
- inurl: same as allinurl, but better suited to targeted searches, e.g. inurl: mail.google.com
- intitle: searches for specific words in the page title. For example, intitle:"index of" finds directory listing pages showing the files uploaded to a site; if the server is not configured correctly, such listings expose sensitive data.
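As an added example (not code from the original article), a small Python parser for the operator:value dork syntax listed above, together with a helper that rescopes any generic GHDB dork to a domain you are authorised to assess by appending a site: filter (site: is a standard Google operator that is not in the list above; the allin* handling follows Google's rule that those operators take the whole rest of the query).

```python
import re
from typing import List, Tuple

# Operators listed in the article, plus site: (a standard Google operator, added here).
# The allin* forms take the whole remainder of the query as their value.
OPERATORS = {"cache", "allintext", "allintitle", "allinurl",
             "filetype", "inurl", "intitle", "site"}
ALLIN = {"allintext", "allintitle", "allinurl"}
# One token: an optional op: prefix, then a "quoted phrase" or a bare word.
TOKEN = re.compile(r'(?:(?P<op>[a-z]+):\s*)?(?:"(?P<q>[^"]*)"|(?P<bare>\S+))', re.I)


def parse_dork(dork: str) -> List[Tuple[str, str]]:
    """Split a dork into (operator, value) pairs; free text gets the pseudo-op 'text'."""
    parts: List[Tuple[str, str]] = []
    dork = dork.strip()
    pos = 0
    while pos < len(dork):
        m = TOKEN.match(dork, pos)  # always matches: pos is at a non-space char
        op = (m.group("op") or "").lower()
        value = m.group("q") if m.group("q") is not None else m.group("bare")
        if op in ALLIN:
            # allintitle:"credit debts" -> everything after the colon is the value
            rest = dork[m.end("op") + 1:].strip()
            parts.append((op, rest.strip('"')))
            break
        if op in OPERATORS:
            parts.append((op, value))
        else:
            # no prefix, or an unknown one (e.g. a URL scheme): plain search text
            parts.append(("text", value if op == "" else m.group(0)))
        pos = m.end()
        while pos < len(dork) and dork[pos].isspace():
            pos += 1
    return parts


def render(op: str, value: str) -> str:
    """Turn one (operator, value) pair back into dork syntax, quoting phrases."""
    quoted = f'"{value}"' if " " in value else value
    return quoted if op == "text" else f"{op}:{quoted}"


def scope_to_domain(dork: str, domain: str) -> str:
    """Rebuild a generic GHDB dork with a single site: filter for your own domain."""
    parts = [(op, val) for op, val in parse_dork(dork) if op != "site"]
    # allin* operators do not combine with other operators: downgrade to in* form
    parts = [(op[3:] if op in ALLIN else op, val) for op, val in parts]
    parts.append(("site", domain))
    return " ".join(render(op, val) for op, val in parts)
```

Running a dork list through scope_to_domain before searching keeps an exposure review limited to your own assets instead of the whole index.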
This tool automates the Google Dorking process and can quickly run your own dorks. It can also keep its dork list up to date automatically from the GHDB.
It has almost the same features as Pagodo. However, it cannot work with dork lists: it takes only a domain name and lets you reach sensitive data simply and quickly.
This service is used to find the e-mail addresses of an institution or person. Its main purpose is CRM, that is, customer relationship management, and it works from a database compiled from open sources. By giving just a domain name, it is possible to find almost all employee e-mail addresses of that institution.
Truecaller is an essential tool that lets us find out who owns a phone number by doing a reverse query.
Sherlock searches for a given username on more than 30 platforms and returns the profile addresses of all accounts using that username.
The OSINT-SAN framework is a versatile OSINT tool with 45 functions that works through APIs. You can run IP queries, domain lookups, Shodan searches, and other search engines through this tool. The product is free to use, but several functions are only available in the PRO version. In short, it can be called a command-line version of all the tools mentioned above.