OSInt Tips

21st June 2023

OSInt (Operational Security Intelligence) refers to limiting the amount of information that a company makes known on the internet. You likely aren't aware of how much information anyone tech-savvy can gather about your organization. whois gives the domain registrar and name servers. The SOA record gives their start of authority and the responsible email address.

A lot of info can be found using mxtoolbox.com. MX records list their mail server and possibly their spam filter. The SPF record gives clues as to spam filtering and public IP addresses.
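To see what your own zone gives away in the SOA and SPF records described above, the following added example (not from the original post) decodes the SOA responsible-mailbox field and summarises the IP space, third-party mail providers and policy qualifier published in an SPF record. It runs offline on constructed sample records for the reserved domain example.com; the include names and addresses are assumptions, not real findings.

```python
"""Audit what your own zone's SOA and SPF records disclose.

Added example, not from the original post. It runs offline on constructed
sample records; to audit a real zone, fetch the SOA and TXT records with a
resolver (e.g. dnspython) and pass them to the same two functions.
"""
import ipaddress
import re

# Constructed sample records for the reserved documentation domain example.com.
SAMPLE_SOA_RNAME = "hostmaster\\.it.example.com."
SAMPLE_SPF = ("v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 "
              "include:spf.protection.outlook.com include:_spf.relay.example ~all")


def soa_rname_to_email(rname: str) -> str:
    """Decode the SOA RNAME field into the mailbox it publishes.

    RFC 1035 encodes the address as a domain name: the first unescaped dot
    separates local part and domain; a backslash-escaped dot is literal.
    """
    parts = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    local = parts[0].replace("\\.", ".")
    domain = parts[1] if len(parts) > 1 else ""
    return f"{local}@{domain}"


def spf_disclosures(record: str) -> dict:
    """Summarise the IP space, third-party senders and policy an SPF record exposes."""
    summary = {"networks": [], "includes": [], "all": None}
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech, _, value = term.lstrip("+-~?").partition(":")
        if mech in ("ip4", "ip6"):
            # strict=False normalises a bare host address to a /32 or /128
            summary["networks"].append(str(ipaddress.ip_network(value, strict=False)))
        elif mech == "include":
            summary["includes"].append(value)  # names the mail or spam-filter provider
        elif mech == "all":
            summary["all"] = qualifier
    summary["address_count"] = sum(
        ipaddress.ip_network(n).num_addresses for n in summary["networks"])
    # "+all", "?all" or no "all" term at all lets anyone send as the domain.
    summary["weak_policy"] = summary["all"] not in ("-", "~")
    return summary


if __name__ == "__main__":
    print("SOA contact:", soa_rname_to_email(SAMPLE_SOA_RNAME))
    for key, value in spf_disclosures(SAMPLE_SPF).items():
        print(f"{key:>14}: {value}")
```

The address count is a quick measure of how much public IP space the record advertises; the include list tells a reader which mail provider or filtering service the organisation relies on.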

Google search to find the company website and the domain name (the part after www); we will use this later. Record their Facebook and LinkedIn profile names, street address, any email addresses, and any news report with a CEO name.

Visit their website and record the "Contact Us" info and employee names.

pentest-tools.com
Use "Discover Attack Surface" to find endpoints.
Use "website scanner" on their public website, and on their firewall if you already know the IP.

shodan.io
Enter each unique IP address from "Discover Attack Surface" (above) and record the results.

Social Media:
Visit Facebook.com and LinkedIn.com and record the names of C-level management and any email addresses.

External IP of office:
This is a little intrusive, so make sure you have a written agreement from management. Use CanaryTools to generate a Canary web token. Generate an email to someone in the office with the canary token link. Make up a juicy reason to click the link. It may be possible to embed an image in an email with a web-bug image, but I haven't found a site that will do this for free.

dnsdumpster.com: finds subdomains and draws a nice diagram of how DNS and sites fit together.

dnsspy.io