Notes from the OSINT workshop at HOPE

Here are my unedited notes from the OSINT (open source intelligence) workshop at HOPE:

OSINT notes

Resources: https://drive.google.com/drive/folders/1x0mBi1lIy7gWRt3wfQ2LhohiEBZdaCAG

Kali linux, encrypted VMs, destroy after use, delete data when not in use

OSINT heartbeat: four chambers

  • check for fidelity – quality of data, corroberated by a few sources
  • assess the intelligence context
  • is this logical?
  • prune for valid info – remove all OSINF that isn’t OSINT

Technique

  • it’s a lot more than just snooping social media
  • you need the intelligence context
    – common commenters, tags, likes, pics, hidden messages
  • some things external to the subject can provide invaluable intelligence context
  • process, not a cycle – no defined start or stop point – several interconnected processes with defined start and stop points that produce outputs given inputs to the process

GEOINT: geospatial intel
SOCMINT: subset of OSINT, social media specific
HUMINT: social engineering!!!

Imagga: image recognition tool

reverse image search in yandex

exif data if you can get a hold of it

Legal and ethical

  • there aren’t laws governing collection but you can get burned with what you store and who its about
  • if the data gets breached you could be in legal trouble or be responsible for harm coming to them

Business OSINT

specific to businesses

passive reconnaissance phase of an adversary emulation exercise

where to collect

  • career pages
  • instagram
  • other social media
  • SEC filings
  • employees
  • professional associations
  • review sites eg glassdoor, tripadvisor
  • maps
  • resumes
  • donations, chamber of commerce, infraguard

OSINT considerations

  • what do we want to know?
  • how would the target mitigate or protect what we want to know?
  • what do we already know about the target? age? occupation? etc

where to collect

  • social media, instagram has corporate badges etc
  • job boards, resume sites, linkedin majorly
  • public records
  • DNS

DNS dumpster (.com)

  • give it the domain, shows where IPs are connecting from, cloudflare info, etc

MXtoolbox (.com)

  • MX lookup, email info

TXT records (vendors and srvices used)
host (a or aaaa) address mapping – host and IP ranges

CNAME - hosts, sites, domains

RECON-NG TOOL --snooping on dns and more – tons and tons of modules for searching different kinds of records

recon-NG command line tool – SPF records – associated accounts with website and email

metacrawler (within recon-NG) looking for filetypes within google (might need google api to make it work)

hunter.io, look up domain and fine associated email addresses!

INSTAGRAM GEOLOCATION

  • look up address with a burner insta
  • corporate locations
  • police departments? police baseball team for example, where do they practice
  • contact us page, SEC form, type in the exact address
  • time consuming but very rich

Linkedin/career websites/career page

  • skim for what they’re doing – eg linkedin intelligence officer pages that name the programs they’re working on
  • especially look at security engineer jobs! what security tech they’re using

PEOPLE OSINT
sifting through internet trash – social media, public record, dating apps, company websites, ancestry etc

HOW
maintain a dossier – what are you seeking to collect, what have you found, conclusions you’ve drawn from the data
record what you view and what you see (hunch.ly can help)

coggle.it for mapping (example https://coggle.it/diagram/XCRb5uCE6qnmMFWh/t/cognitive-bias-cheat-sheet-every-cognitive-cognitive_biases)

WHAT ARE THIS PERSONS PATTERNS
where do they go every day
what are the absences to their patterns
this person posts 3-5 times a day every day, but have been silent for weeks now, etc

whatsmyname.app – enumerate usernames across many websites

recon-ng module: profiler…looking up usernames across accounts!
pornhub and redtube is very important!

recon-ng gives access to some of these other sites eg whatsmyname.app. look through modules

FEC filings

specific contributions

filter based on employer

lists zip+4 data

melissa data property viewer – now we can narrow down the zip area and click around to get property owner and resident info

truepeoplesearch.com – social network, other people at the residence, phone numbers, email

also - familytreenow, fastpeoplesearch, etc pulling from same databases

OPSEC
privacy workbook – how to opt out of many sites https://inteltechniques.com/data/workbook.pdf

you may need to spider out – family, friends, threat profile

2 Likes