Open Source Intelligence for Penetration Testers

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

What is OSINT?

OSINT stands for Open Source Intelligence. OSINT basically a practice that is used to gather
information that is publicly available about an individual or organization. Here publicly available
information means the information that can be collected from search engines (Yahoo, Google, Shodan,
Censys), social media, GitHub, books, articles etc.

How OSINT helpful in Penetration Testing

OSINT is a very good practice that penetration tester do these days to do recon on their targets.
Typically, an information security analyst examines an organization’s system and network to identify
security gaps and risks that could lead to unauthorized access. OSINT assists in identifying these five
major weaknesses:
• Sensitive Data Exposure
• Outdated Softwares
• Data Leaks
• Open Port with vulnerable service running on them
• Organisation using older version of CMS products
How we can make use of OSINT in Penetration Testing?

Infrastructure Mapping

One part of the companies is their infrastructure be it physical infrastructure or technical infrastructure.
OSINT can help us gather information about anything. Public sources like google maps, social media
posts can help us see our target live!

If it is a physical penetration test, we might ask ourselves questions likes Are there any exit doors?,
How many windows are there?, What kind of CCTV cameras are in use?.
The answers to all such questions helps penetration testers to provide appopriate advice on securing
the assets from a physical breach.

In cases of a technical penetration test, we consider factors like Internet connected devices, Public
facing login/control panels, Backend components in use by the company.
Such data can help an attacker to gain better understanding about the position of target and plan


OSINT through LinkedIn

LinkedIn is great for increasing reach and connections right?
It indeed is but the amount of data present of LinkedIn is HUGE!
Platforms like LinkedIn consists of data of companies, employees, freelancers, organisations etc.
Such data can also be used to identify the position of the company.
Let’s understand a scenario here:

If a company XYZ Tech posts a job requirement of SQL developer with specific needs then an attacker
can assume the weak points of a company at that particular time and also he can predict what kind of
people are can join the company in that position in the near future enabling the attacker to plan
everything accordingly.

There are tons of other aspects to see on LinkedIn in order to gain crucial information such as past
employees and their skillsets, perks which they offer can help in understanding capabilities and
infrastructure. Questions like What technology is at place? can be answered and amount of awareness
amongst employees can be calculated.

Finding Email Addresses

Emails can be really helpful for social engineering attacks. We can understand what kind of keywords
can be used by an individual when they are to create accounts online.
Companies have specific formats for emails for
e.g. [email protected]
Seeing the above examples we can say that first name and last name with a dot between are used to
create an email address, in this case if we are able to get a name of any other employee of the
company we can easily predict his/her email address.
Suppose employee’s name is Jai Rana then his email address would be [email protected]
One way of finding such email conventions is to use LinkedIn and one more interesting way to do the
same is using
Visit and enter the domain name of a company, if its in the records we might be able to
find a common pattern of their emails.
We have a live example of (
The common pattern here can be observed as {f}{lastname} so if the name of any google
employee is Jerry Phillips then we can just predict that his email would be [email protected]

Social Media

Social media sites opens a large amount of opportunities for gathering information about a target.
Social Media Intelligence (SOCMINT) sub-branch of Open Source Intelligence, refers to the information
collected from social media websites.These social media platforms are categorized as below:
Social Networking : Facebook, LinkedIn
Video Sharing : YouTube
Blogs : Medium, Blogger, WordPress
Forums : Reddit
Most of the time people think that social media doesn’t have a much importance in penetration testing
because of data privacy law (especially Europe GDPR) but believe me Social media intelligence give a
lot of information about a target which can be used later to perform penetration testing.
Suppose a security guy has to perform penetration testing on a organization say X for an example.
Let’s see how social media helps him to find crucial or sensitive information about the target :
Through company LinkedIn page, pentester can check the profile of all the employees. Sometime
employees leaked some information about their organisation. This information includes their company
email addresses, their GitHub profiles etc.

Metadata also holds most of the sensitive information which can be leaked through images that are
uploaded on blog post, on their social media handles.

OSINT through jobs portal
Job Portals

OSINT through job portals includes finding information :
The future requirements of the company ( the skills that they need in their employees)
The job posting also expose the details of their employees for example their contact information.
You may think about what is the importance of contact information of the organization’s employee,
Lemme tell you penetration testing sometime also includes testing the behavior and awareness of their
employees. These personal information can be used to perform social engineering attacks on their

Top 10 OSINT Tools

  • Harvester
  • Google dork
  • Maltego
  • recon-Ng
  • ZoomEye
  • Metagoofil
  • SpiderFoot
  • Sherlock
  • Exiftool


More To Explore

× How can I help you?