OSINT: Open-Source Intelligence

Gathering Information – Knowing One’s Own Public Attack Surface

Infrastructure is becoming ever more connected, be it your own website, integration into the cloud or newly implemented means of remote access into the internal network. With an extensive examination of the external attack surface, we identify IP addresses appealing to hackers, vulnerable login screens and long-forgotten applications. Apart from the name of the company, the red team is given no information whatsoever and, using its self-developed tools and many years of experience, scrutinizes the infrastructure that attackers are really interested in.

The information sought includes:

• Company structure
• Reserved IP addresses
• Registered domains and subdomains
• Name and user syntax of internal domain
• Known database leaks
• Employee names and e-mail addresses
• Published source code
• Internal documents

Lessons Learned

OSINT is the primary and one of the most important steps for target attacks. The information gathered can be used as a basis for further modules and helps to define the appropriate scope for additional analyses.

Project Scope

Depending on the objective, OSINT projects are carried out within a period of one day to two weeks and usually involve the following project phases:

• Kickoff
• Examination of company structure
• Defining of the scope
• Analysis of publicly accessible information
• Documentation