Reconnaissance Glossary

OSINT (Open Source Intelligence)

Intelligence gathering methods using publicly available sources: social media, business directories, DNS, Shodan, job postings. Used by attackers for reconnaissance and by defenders for vulnerability analysis.

OSINT—Open Source Intelligence—refers to the systematic gathering of intelligence from publicly available sources. The term originates from the intelligence community and describes any information that can be obtained without access to classified or private systems.

Why OSINT Is Relevant to Cybersecurity

From an attacker’s perspective: Before an attacker sends a single packet, they spend hours or days conducting OSINT to identify attack surfaces, employee names, email patterns, technology stacks, and vulnerabilities.

From the defender’s perspective: Organizations can use OSINT to understand what an attacker would discover about them—and to close those gaps.

OSINT Categories and Tools

Passive DNS and Domain Analysis

# Subdomain enumeration
subfinder -d company.de -silent
amass enum -passive -d company.de

# DNS Analysis
dig TXT company.de          # SPF, domain-ownership verification records
dig TXT _dmarc.company.de   # DMARC policy (published on the _dmarc subdomain)
dig MX company.de           # Which email provider?
dig NS company.de           # DNS provider

# WHOIS (registration data)
whois company.de

# Historical DNS records
# Tools: SecurityTrails, DNSdumpster, VirusTotal

Shodan and Censys - "Google for Systems"

Shodan indexes publicly accessible systems and their banners:

Shodan search: org:"Company GmbH" country:"DE" typically returns:

  • VPN gateway: Fortinet FortiGate 6.2.0 (EOL, known CVEs)
  • Web server: Apache 2.4.29 (several known vulnerabilities)
  • RDP open: Windows Server 2019 on port 3389
  • Camera system: Hikvision DVR (default credentials)

Google Dorks

Search engine operators ("dorks") surface documents and pages the domain has exposed to indexing:

site:company.de filetype:pdf         # All PDFs on the domain
site:company.de inurl:admin          # Admin areas
"@company.de" filetype:xlsx site:*   # Excel files containing emails
"company.de" "password" site:pastebin.com  # Data breaches
company.de ext:env OR ext:config     # Configuration files

Social Media and LinkedIn

LinkedIn is a goldmine for attackers:

  • Organizational chart and hierarchy (who to target for spear phishing?)
  • Email patterns (firstname.lastname@company.de?)
  • Technology stack (job postings: "Experience with SAP, VMware, Fortinet")
  • Current IT projects (a company that suddenly talks a lot about security awareness is probably rolling out such a program right now)

Tools: LinkedIn Sales Navigator, theHarvester, Hunter.io (email patterns)

Certificate Transparency Logs

Every TLS certificate is logged in public CT logs:

# Find all subdomains via CT logs (without a DNS scan)
# "%25." is the URL-encoded "%." wildcard; -r strips the JSON quotes
curl -s "https://crt.sh/?q=%25.company.de&output=json" | jq -r '.[].name_value' | sort -u

# Result: intranet.company.de, vpn.company.de, dev.company.de,
#           staging.company.de, old.company.de (possibly unpatched systems)

Data Breach Research

# Have I Been Pwned (domain check for companies)
curl "https://haveibeenpwned.com/api/v3/breacheddomain/company.de" \
  -H "hibp-api-key: KEY"

# DeHashed (paid service, very up-to-date)
# IntelligenceX
# Snusbase

OSINT Frameworks

Maltego: Graphical OSINT platform—visualizes connections between entities (domains, people, emails, IP addresses).

Recon-ng: Python framework similar to Metasploit, but for OSINT – modules for various sources.

SpiderFoot: Automated OSINT tool that queries 200+ sources and identifies connections.

theHarvester: Collects emails, subdomains, IPs, and URLs from various sources.

Defensive OSINT: Know Your Own Attack Surface

Companies should regularly conduct OSINT on themselves:

Quarterly OSINT Checklist:

  • Shodan scan of your own IP ranges: Unexpected open ports?
  • Subdomain enumeration: Forgotten dev/staging systems?
  • CT log analysis: Certificates for our domain that we did not request (possible compromise or shadow IT)?
  • Data breach check: Employee emails in leaks?
  • Social media scan: Critical information publicly available?
  • Google Dorks: Accidentally published documents?
  • Job posting review: Are we revealing too much technical information?
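
As an added example (not code from the original page), here is a small Python check a defender can run over the JSON that the crt.sh query in the Certificate Transparency section returns, implementing the CT-log items of this checklist: it collects every hostname named in a certificate for the domain and flags hosts missing from the asset inventory as well as certificates from issuers the organization does not use. The crt.sh response below is a constructed sample, and KNOWN_HOSTS and APPROVED_ISSUERS are assumed values you would replace with your own inventory.

```python
import json
from typing import Dict, List, Set

# Constructed sample of a crt.sh response for ?q=%25.company.de&output=json
# (only the fields used here; company.de is the page's placeholder domain).
# The www entry appears twice on purpose: crt.sh lists precertificate and
# leaf certificate separately, so de-duplication is required.
SAMPLE_CRTSH = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.company.de\ncompany.de"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.company.de\ncompany.de"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.company.de"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "old.company.de"},
    {"issuer_name": "CN=Unknown Test CA",
     "name_value": "vpn.company.de"},
])

# Assumed asset inventory and the CAs the organization actually uses.
KNOWN_HOSTS: Set[str] = {"company.de", "www.company.de", "vpn.company.de"}
APPROVED_ISSUERS = ("Let's Encrypt", "DigiCert")


def parse_ct_names(crtsh_json: str) -> Dict[str, Set[str]]:
    """Map every hostname found in the CT output to the issuers that signed it.

    name_value holds one SAN per line, so it is split; wildcard names are kept
    verbatim because a wildcard cert for a subtree is itself worth knowing about.
    """
    hosts: Dict[str, Set[str]] = {}
    for entry in json.loads(crtsh_json):
        for name in entry["name_value"].splitlines():
            name = name.strip().lower()
            if name:
                hosts.setdefault(name, set()).add(entry["issuer_name"])
    return hosts


def review_ct_log(crtsh_json: str, known_hosts: Set[str],
                  approved_issuers: tuple) -> Dict[str, List[str]]:
    """Return hosts not in the inventory and hosts with certs from unapproved CAs."""
    hosts = parse_ct_names(crtsh_json)
    unknown = sorted(h for h in hosts if h not in known_hosts)
    unexpected = sorted(
        h for h, issuers in hosts.items()
        if any(not any(ca in issuer for ca in approved_issuers) for issuer in issuers))
    return {"unknown_hosts": unknown, "unexpected_issuers": unexpected}


if __name__ == "__main__":
    print(json.dumps(review_ct_log(SAMPLE_CRTSH, KNOWN_HOSTS, APPROVED_ISSUERS), indent=2))
```

Against live data, pipe the curl output into `review_ct_log` and treat every entry in `unexpected_issuers` as an incident lead: a certificate for your domain from a CA you never used is exactly the "third-party certificate" signal the checklist asks about.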

OSINT and the Law

OSINT uses only publicly available information—legally unproblematic as long as:

  • No circumvention of access restrictions (Section 202a of the German Criminal Code)
  • No violation of data protection law (GDPR: profiling without a legal basis)
  • Within the context of an authorized penetration test

Red teams and penetration testers always conduct OSINT within the framework of a written engagement letter.