Primer - OSINT Guide
**The OSINT Guide for Penetration Testers: Mapping ACME Corporation**
Table of Contents
- 1. Introduction
- 2. Corporate Reconnaissance
- 3. People Discovery
- 4. Product & Technology Intelligence
- 5. Social Media & Customer Intelligence
- 6. Automating OSINT with Frameworks
- 7. Commercial OSINT Providers
- 8. OSINT Framework Categories
- 9. Conclusion
1. Introduction
Open-Source Intelligence (OSINT) is the foundation of effective penetration testing, red teaming, and vulnerability assessments. This guide demonstrates how to use Kali Linux, Parrot OS, and the OSINT Framework to gather intelligence on ACME Corporation (www.acme.io), a fictional company with:
- 100 employees (LinkedIn, Facebook, Instagram, X/Twitter, Bluesky, TikTok)
- Multiple products & web services
- Public cloud infrastructure
We'll cover:
- Corporate reconnaissance (domains, IPs, cloud assets)
- People discovery (employees, credentials, social media)
- Technology stack analysis (CMS, APIs, CVEs)
- Automation with OSINT frameworks (SpiderFoot, recon-ng, Maltego)
- Commercial OSINT tools (Recorded Future, ZeroFOX)
2. Corporate Reconnaissance
a) Domain & Subdomain Enumeration
Tools: theHarvester, Amass, gobuster
Example: Passive Enumeration (theHarvester)
```bash
theHarvester -d acme.io -b google,linkedin,duckduckgo -l 1000 -f acme_report.html
```
Output:
```text
[*] Emails found: admin@acme.io, j.doe@acme.io
[*] Subdomains: dev.acme.io, vpn.acme.io
```
Example: Active Bruteforcing (Amass)
```bash
amass enum -d acme.io -brute -w /usr/share/wordlists/dns/all.txt
```
Findings:
- legacy.acme.io → Outdated web app (potential XSS)
- staging.acme.io → Pre-production credentials
b) Shodan for Exposed Services
Tool: shodan-cli
```bash
shodan search org:"ACME Corporation" http.title:"login"
```
Findings:
- 104.21.33.72 → Exposed admin panel
- 172.67.141.89 → Jenkins CI (default creds?)
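The findings in 2a and 2b are only useful once they are compared with what the asset owner believes is exposed. The script below is an added example (not part of the original guide and not code from theHarvester or Amass): it parses output in the shape shown above, merges the two tools' host lists, and reconciles them against a hypothetical approved inventory so that unknown hosts and "forgotten" names such as legacy or staging surface for a decommission or hardening review. The sample outputs, the inventory and the risky-name list are all constructed for the example.

```python
import re

# Constructed sample outputs in the shape the section above shows; not real scan data.
HARVESTER_OUTPUT = """\
[*] Emails found: admin@acme.io, j.doe@acme.io
[*] Subdomains: dev.acme.io, vpn.acme.io
"""

# Assumes one hostname per line, as in the Amass findings listed above.
AMASS_OUTPUT = """\
legacy.acme.io
staging.acme.io
dev.acme.io
"""

# Hypothetical approved asset inventory: what the owner thinks is exposed for acme.io.
INVENTORY = {"www.acme.io", "api.acme.io", "dev.acme.io", "vpn.acme.io"}

# Naming patterns that usually mean unmaintained infrastructure worth a review.
RISKY_NAMES = re.compile(r"^(legacy|old|staging|stage|test|uat|jenkins|backup)[.-]", re.I)


def parse_harvester(text):
    """Pull hostnames out of theHarvester's '[*] Subdomains: a, b' summary line."""
    subs = set()
    for line in text.splitlines():
        m = re.match(r"\[\*\] Subdomains:\s*(.*)", line)
        if m:
            subs.update(s.strip().lower() for s in m.group(1).split(",") if s.strip())
    return subs


def parse_amass(text):
    """One hostname per non-empty line."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def reconcile(discovered, inventory, domain="acme.io"):
    """Keep only hosts under the target domain, then diff them against the inventory."""
    in_scope = {h for h in discovered if h == domain or h.endswith("." + domain)}
    return {
        "discovered": sorted(in_scope),
        "unknown": sorted(in_scope - inventory),          # nobody claims these
        "risky": sorted(h for h in in_scope if RISKY_NAMES.match(h)),
    }


def report():
    discovered = parse_harvester(HARVESTER_OUTPUT) | parse_amass(AMASS_OUTPUT)
    return reconcile(discovered, INVENTORY)


if __name__ == "__main__":
    for key, hosts in report().items():
        print(f"{key}: {', '.join(hosts) or '-'}")
```

Every host in `unknown` is either missing from the inventory (fix the inventory) or genuinely unmanaged (take it down or bring it under patching); the `risky` list is the triage order.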
3. People Discovery
a) LinkedIn Scraping
Tool: linkedin2username
```bash
python3 linkedin2username.py -c "ACME Corporation" -o employees.txt
```
Output (employees.txt):
```text
jdoe
ssmith
```
b) Email Verification (holehe)
```bash
holehe j.doe@acme.io
```
Findings:
- j.doe@acme.io leaked in LinkedIn breach (Password: P@ssw0rd2021)
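A breached password like the one above is exactly what a defender should be screening for at password-set time. The block below is an added example (not part of the original guide and not holehe's code) showing the k-anonymity range check used by the Pwned Passwords API: only the first five hex characters of the SHA-1 hash leave the host, and the full hash is matched locally against the returned suffixes. The range response embedded here is constructed (the first suffix is the well-known SHA-1 tail of the string "password"; the counts and the other suffixes are made up); `fetch_range` does the live lookup when network access is available.

```python
import hashlib
import urllib.request


def sha1_split(password: str):
    """Upper-case SHA-1 hex split into the 5-char prefix sent out and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(password: str, range_body: str) -> int:
    """Match the local suffix against a range response ('SUFFIX:COUNT' per line).

    Returns how often the password appeared in breach data, 0 if absent.
    The caller must pass the range for this password's own prefix.
    """
    _, suffix = sha1_split(password)
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the response to /range/5BAA6 (prefix of SHA-1("password")).
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2D5A6B7C8D9E0F1A2B3C4D5E6F7A8B9C0:2
FFFF0000AAAA1111BBBB2222CCCC3333DDD:1
"""


def fetch_range(prefix: str) -> str:
    """Live lookup against https://api.pwnedpasswords.com/range/<prefix> (network required)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "acme-password-screen"},   # name is an assumption
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_breached(password: str, fetch=fetch_range) -> bool:
    """Screen a candidate password; inject `fetch` to use a cached/offline range."""
    prefix, _ = sha1_split(password)
    return count_in_range(password, fetch(prefix)) > 0


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
    print("password breached:", is_breached("password", offline))
```

Wire `is_breached` into the password-change path (NIST SP 800-63B recommends rejecting compromised passwords); because only the prefix is transmitted, the check does not hand the candidate password to a third party.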
4. Product & Technology Intelligence
a) Wappalyzer & BuiltWith
Findings:
- www.acme.io → WordPress 6.2 (CVE-2023-1234)
- api.acme.io → Node.js/Express
b) CVE Search (searchsploit)
```bash
searchsploit "WordPress 6.2"
```
Output:
```text
WordPress 6.2 - XSS (CVE-2023-1234)
```
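Wappalyzer and BuiltWith get the stack from the same places a site owner can audit: the generator meta tag and response headers such as X-Powered-By. The block below is an added example (not part of the original guide and not Wappalyzer's or searchsploit's code) that extracts product and version from a constructed response, compares the version against a hypothetical patch baseline, and lists where the disclosure happens so it can be removed. The response body, headers and baseline are all constructed for the example.

```python
import re

# Constructed HTTP response (a few headers plus a body excerpt) of the kind a
# fingerprinting tool inspects; not captured from any real host.
SAMPLE_RESPONSE = {
    "headers": {"Server": "nginx", "X-Powered-By": "Express"},
    "body": '<html><head><meta name="generator" content="WordPress 6.2" /></head></html>',
}

# Hypothetical patch baseline: the lowest version the asset owner still accepts.
PATCH_BASELINE = {"WordPress": "6.2.1"}

GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="([A-Za-z]+)\s+([\d.]+)"', re.I
)


def parse_version(text):
    """'6.2' -> (6, 2); tuples compare component-wise, so (6, 2) < (6, 2, 1)."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(response):
    """Return {product: version-or-None} from the generator tag and X-Powered-By."""
    found = {}
    m = GENERATOR_RE.search(response["body"])
    if m:
        found[m.group(1)] = m.group(2)
    powered = response["headers"].get("X-Powered-By")
    if powered:
        name, _, version = powered.partition("/")   # "Express" or "PHP/8.1.2"
        found[name.strip()] = version.strip() or None
    return found


def outdated(found, baseline):
    """(product, disclosed version, required version) for every product below baseline."""
    return [
        (product, version, baseline[product])
        for product, version in found.items()
        if version and product in baseline
        and parse_version(version) < parse_version(baseline[product])
    ]


def disclosure_points(response):
    """Where the stack is advertised, i.e. what to strip from the site's responses."""
    points = []
    if GENERATOR_RE.search(response["body"]):
        points.append("meta generator")
    if "X-Powered-By" in response["headers"]:
        points.append("X-Powered-By")
    return points


if __name__ == "__main__":
    found = fingerprint(SAMPLE_RESPONSE)
    print("stack:", found)
    print("below baseline:", outdated(found, PATCH_BASELINE))
    print("strip:", disclosure_points(SAMPLE_RESPONSE))
```

Removing the generator tag and the X-Powered-By header does not fix a vulnerable version, but it stops the version from being read off the front page; the `outdated` list is what actually needs patching.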
5. Social Media & Customer Intelligence
a) Twitter/X Scraping (twint)
```bash
twint -u @ACME_Corp --since 2024-01-01 -o tweets.csv
```
Findings:
- Employee tweet: "New API at api.acme.io/v2" → Attack surface
b) Instagram OSINT (Osintgram)
```bash
python3 osintgram.py jdoe
```
Findings:
- Employee posts work laptop model (Dell XPS 13) → Spear phishing bait
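The tweet above leaks an API endpoint before it was announced. The block below is an added example (not part of the original guide and not twint's or Osintgram's code) of the detection a company can run over its own employees' public posts: extract any hostname under the monitored domains, then flag hosts that were never published and published hosts mentioned with an undocumented path. The posts, the published-host list and the documented-path list are constructed for the example.

```python
import re

MONITORED_DOMAINS = ("acme.io",)
PUBLISHED_HOSTS = {"www.acme.io", "api.acme.io"}      # hypothetical: hosts the company announced
PUBLISHED_PATHS = {"api.acme.io": {"/v1"}}             # hypothetical: API versions publicly documented

# Constructed posts in the shape of the text column of a twint CSV export.
POSTS = [
    {"user": "jdoe", "text": "New API at api.acme.io/v2 is live, ping me for access"},
    {"user": "ssmith", "text": "Check out www.acme.io for the launch"},
    {"user": "jdoe", "text": "VPN moved to vpn-old.acme.io until Friday"},
]

DOMAIN_ALT = "|".join(re.escape(d) for d in MONITORED_DOMAINS)
# group 1: host ending in a monitored domain; group 2: optional path that follows it
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+(?:" + DOMAIN_ALT + r"))(/[\w./-]*)?", re.I)


def scan_posts(posts):
    """Return (user, reference, reason) for every internal-looking reference in public text."""
    findings = []
    for post in posts:
        for m in HOST_RE.finditer(post["text"]):
            host = m.group(1).lower()
            path = m.group(2) or ""
            if host not in PUBLISHED_HOSTS:
                findings.append((post["user"], host + path, "unpublished host"))
            elif path:
                first_segment = "/" + path.strip("/").split("/")[0]
                if first_segment not in PUBLISHED_PATHS.get(host, set()):
                    findings.append((post["user"], host + path, "undocumented path"))
    return findings


if __name__ == "__main__":
    for user, ref, reason in scan_posts(POSTS):
        print(f"{user}: {ref} ({reason})")
```

Each finding is a prompt for two actions: confirm the referenced asset is covered by the inventory and patching process, and remind the author which details belong in public posts.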
6. Automating OSINT with Frameworks
a) SpiderFoot
```bash
spiderfoot -l 127.0.0.1:5001   # start the web UI, then scan acme.io from the browser
```
Findings:
- Subdomains, emails, IP ranges
b) recon-ng
```text
recon-ng
use recon/profiles-profiles/linkedin
set SOURCE acme.io
run
```
Output:
```text
[*] j.doe - Software Engineer @ ACME
```
c) Maltego
- Visual link analysis between domains, IPs, employees
7. Commercial OSINT Providers
| Tool | Use Case |
|---|---|
| Recorded Future | Real-time threat intelligence |
| ZeroFOX | Social media threat detection |
| Intelligence X | Archived/deep web data |
8. OSINT Framework Categories
| Category | Tools | Example Use |
|---|---|---|
| Email & Usernames | holehe, hunter.io | Find breached creds |
| Social Media | sherlock, twint | Scrape employee profiles |
9. Conclusion
This guide covered:
- Corporate footprinting (domains, IPs, cloud)
- People discovery (emails, social media, credentials)
- Automation with SpiderFoot/recon-ng/Maltego
- Commercial tools (Recorded Future, ZeroFOX)
Next Steps:
- Automate scans with cron jobs.
- Correlate data in Maltego for attack paths.
This document will be expanded in subsequent posts to provide detailed demonstrations of OSINT data collection using open-source tools. It will also evaluate the effectiveness of various tools within the OSINT Framework.