
Today I will tell you what information about an organization can be found in open sources and how a potential attacker can use it. Many of you have probably heard of OSINT (Open Source INTelligence, a set of activities aimed at collecting information from open sources), which is most often used to collect information about a specific person. But OSINT can also be used to find information about a specific organization in order to assess its security. After all, you must admit that it is useful to see what is publicly available about you and how you look from a potential attacker's point of view.

Popular resources where information is collected

Carrying out an active scan requires signing an NDA and agreeing on the work tasks, which naturally takes time. Here we use only data that is available in open sources, without scanning the IT infrastructure and, accordingly, without spending hours on bureaucracy.

So what can be found in the public domain?

The most detailed answer to this question is osintframework.com; I recommend looking through it for a generalized answer to the question posed.

From this vast amount of information, I will try to pick out what is most interesting for information security specialists. We will search for:

  • Corporate email addresses
  • Evidence that email addresses have been compromised
  • Subdomains registered under the company name
  • Company IP addresses and autonomous systems
  • Open ports and the services running on them, as well as vulnerabilities and exploits matching the discovered services
  • Hidden site directories
  • Confidential documents

What can you use to find this information?

There are a huge number of tools on the Internet for finding a company’s email addresses by domain, for example:

  • hunter.io
  • Email Finder
  • theHarvester

hunter.io – until recently, the tool was completely free, but unfortunately times are changing.

Snov.io’s Email Finder browser extension – currently has huge functionality in the free version and finds a huge number of domain accounts, but for how long?

theHarvester – collects both email addresses and subdomains, open ports and virtual host data. Preinstalled on Kali Linux.

There are both paid and free tools; the choice depends on the willingness / ability to pay for improved functionality. It makes sense to use several tools at once, as they produce different results. Ultimately, we have a large list of company email addresses that must be checked for compromised accounts.

You can check them with the well-known service haveibeenpwned.com.

As output, the tool tells us which breach databases mention an account and whether those databases contain passwords, physical addresses, phone numbers, etc.

We will not get the passwords themselves here, but we will be able to divide email addresses into “clean” and potentially compromised ones.

It should be noted that the tool has a paid API. Without it you can, of course, still check all the email addresses, but you will have to submit them one by one, which takes a lot of time. With an API subscription ($3.5 per month, a purely symbolic fee), we can use it in various scripts and, accordingly, significantly speed up and automate the analysis.
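A sketch of how the paid API can be scripted to split an organization's own address list into “clean” and potentially compromised (an added example, not from the original article). The function names, sample addresses and breach names are constructed for illustration; the endpoint, headers and `DataClasses` field are those of the HIBP v3 API.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=false"

def fetch_breaches(email, api_key, retries=3):
    """Ask HIBP about one address; returns a list of breach records ([] if none)."""
    req = urllib.request.Request(
        HIBP_URL.format(urllib.parse.quote(email)),
        headers={"hibp-api-key": api_key, "user-agent": "org-exposure-review"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:                    # address appears in no known breach
            return []
        if err.code == 429 and retries > 0:    # rate limited: wait as instructed
            time.sleep(int(err.headers.get("retry-after", "2")))
            return fetch_breaches(email, api_key, retries - 1)
        raise

def triage(emails, lookup):
    """Split addresses into clean / breached and flag breaches exposing passwords."""
    report = {"clean": [], "breached": {}, "password_exposed": []}
    for email in sorted({e.strip().lower() for e in emails if e.strip()}):
        breaches = lookup(email)
        if not breaches:
            report["clean"].append(email)
            continue
        report["breached"][email] = sorted(b["Name"] for b in breaches)
        if any("Passwords" in b.get("DataClasses", []) for b in breaches):
            report["password_exposed"].append(email)
    return report

# Constructed records standing in for API responses, so the example runs offline.
SAMPLE = {
    "alice@example.com": [{"Name": "ForumLeak", "DataClasses": ["Email addresses", "Passwords"]}],
    "bob@example.com": [{"Name": "MailingList", "DataClasses": ["Email addresses", "Phone numbers"]}],
}

def sample_lookup(email):
    return SAMPLE.get(email, [])

if __name__ == "__main__":
    addresses = ["Alice@example.com", "bob@example.com", "carol@example.com", "alice@example.com "]
    print(json.dumps(triage(addresses, sample_lookup), indent=2))
```

For a live run, pass `lambda e: fetch_breaches(e, api_key)` as `lookup`; addresses in `password_exposed` are the ones to prioritize for password resets.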

Next, you can use the Telegram bot @mailsearchbot.

As input we give it the potentially compromised email addresses, and as output we get the passwords that were used with each address. It is worth noting that passwords cannot be found for all accounts, but the detection rate is high. And again, if there is a desire / opportunity to financially support the developer, you can receive complete data, without characters hidden by asterisks, but unfortunately here the price is already higher.

The next step is to collect information about subdomains. There are a lot of tools to do this, for example:

  • theHarvester
  • dnsdumpster.com
  • pentest-tools.com

dnsdumpster.com – can draw beautiful graphs of relations and export the results to Excel, but has a limit on the output of only 100 subdomains.

pentest-tools.com – I advise you to familiarize yourself with the site in more detail, since here you can search not only for subdomains. In the lite version, it has a limit of 2 scans per day, but it is easily bypassed with Tor.

It also makes sense to combine tools to find the largest number of subdomains. Often, a subdomain comes paired with an IP address, which can then be passed to Shodan (shodan.io) to get a list of open ports and services exposed to the Internet.

Next, you can look up vulnerabilities and exploits for specific versions of services using resources such as:

  • cvedetails.com
  • exploit-db.com

cvedetails.com – a large CVE database of services and their versions. There may be some difficulties with finding the necessary services as they are repeated (for example, there are two different pages of the Microsoft IIS service with different vulnerabilities).

exploit-db.com – a large, growing database of exploits. It is worth noting that it contains both exploits verified by the site administration and unverified ones.

In the Shodan data, we are also interested in which autonomous system an IP address belongs to. This is checked with Whois services, of which there are also a large number. By and large, it makes no difference which tool you work with, so I will show the ones I settled on:

  • bgp.he.net
  • www.ididb.ru

bgp.he.net – looks strange, but shows data on any autonomous system.

ididb.ru is mostly focused on collecting information about the autonomous systems of the Runet.

If an autonomous system belonging to a company is found, it makes sense to run all of its IP addresses through Shodan and collect as much information as possible on service versions.

To determine which technologies a site is built on, you can use the Wappalyzer browser extension. The tool often detects versions too, so you can look up vulnerabilities for them as well.

We move on to the final stage – the search for hidden directories and site files. Here we need:

  • Google dorks
  • DirBuster

Google dork queries are crafted search-engine queries that help surface data that is public but hidden from prying eyes. There is enough information on the Internet about how to “correctly” compose search-engine queries to obtain the necessary information.

DirBuster, in turn, is a tool for finding hidden directories and files that someone forgot to remove from public access or put there by mistake. It has several built-in dictionaries for searching. The directory-list-2.3-medium dictionary is recommended as the best trade-off between time spent and results.

There is a lot of information to analyze when using these tools, but often the effort is rewarded.

Popular courses / books to study

  • OSINT Introduction Video Course
  • OSINT and Competitive Intelligence Certified Course

Top 5 problems we can solve with the use of OSINT

In my practice, I have managed to:

  • Manage a site on behalf of the administrator, because it was possible to get into a directory that bypasses the administrator’s authorization. Naturally, I didn’t touch anything there, but what if it had been a potential hacker rather than me? You need to close such directories.
  • Find databases exposed to the Internet, which, moreover, were very old and extremely “leaky”. Finding an exploit for such databases is an extremely simple task. There is no need to expose a DB to the outside.
  • Detect RDP, FTP, SSH and NTP services, access to which from an unlimited pool of addresses is undesirable. Here the problem of simple account passwords looms, and nobody has canceled brute force. There is no need to expose such services to the outside unless there is a clear need.
  • Detect confidential documents. For example, it is not a good idea for documents on the organization of the on-site regime to be publicly available.
  • Find current passwords for email addresses. I do not check the validity of the detected passwords myself, but sometimes, after reading the report, company employees ask: what should I do if the password is really valid? In such cases, it is naturally necessary to change it, as well as to change passwords on all sites where this mailbox was used for registration, and hope for the best. In general, change passwords more often.


So, as we can see, information in open sources can become a springboard for an attack on corporate infrastructure. It is necessary to periodically check how the organization looks from a potential attacker's point of view and, if possible, hide this information.

What if you can’t do OSINT yourself?

We can carry out OSINT for your organization any time, please contact us.