In this article, we will discuss some of my favorite OSINT techniques that can help during your penetration testing activities.
What is OSINT?
OSINT stands for “Open Source Intelligence”, and as the name suggests, it is a collection of techniques for gathering and analyzing publicly available information about an organization in order to find security weaknesses.
This can help us during a penetration test. How? We will see below, as I describe some of the OSINT methods that I personally use during a pentest.
Finding “juicy” Things in Public Code Repositories
It is often possible to find interesting information in our target organization’s public repositories. Let’s see some scenarios.
- Private Source Code: Let’s say we have a web application in scope for our assessment. We can search GitHub for pieces of that application’s front-end code, in the hope that we (maybe) discover the repository containing its source code.
- Credentials/Tokens: Andrew is a developer working for the target company. Andrew commits files containing configuration details, connection strings, credentials and private tokens to the project he is assigned to. It is a common situation (you would be surprised, actually). You can scan a repository for disclosed secrets with this magic tool: https://github.com/zricethezav/gitleaks
- Interesting Endpoints: We can also find interesting endpoints by digging through the repositories of our target organization. As a tip, try searching for “http://” or “https://”. By “interesting”, I mean admin panels, testing/development environments, endpoints without authentication, and so on.
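As an added example (my own code, not part of the original article and not gitleaks itself), here is a small Python scanner that applies both ideas from the list above to a set of repository files: regex rules plus a Shannon-entropy check for hardcoded secrets, in the spirit of gitleaks, and extraction of every http:// and https:// endpoint. The file contents are constructed for the example; the AWS access key id is the well-known placeholder from AWS’s own documentation, not a live key. The rule names, the entropy threshold and the sample paths are my assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample repository contents (not from any real project); each entry
# stands in for a file pulled from a public repository of the organization.
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_URL = "postgres://app_user:S3cretPass!@db.internal.example:5432/app"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'  # AWS documentation example id
        'DEBUG_PASSWORD = "password123"\n'
        'LOG_LEVEL = "info"\n'
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n",
    "src/client.js": (
        'const API_BASE = "https://api.example.com/v1";\n'
        'const ADMIN_URL = "https://admin-staging.example.com/login";\n'
        'fetch(API_BASE + "/users");\n'
    ),
    "README.md": "See https://docs.example.com for setup.\n",
}

# Regex rules in the spirit of gitleaks (my own simplified patterns, not its rule set).
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("connection-string-with-password",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@\S+", re.I)),
    ("keyword-assignment",
     re.compile(r"""(?:password|passwd|secret|token|api_key)\s*[=:]\s*['"]([^'"]{8,})['"]""", re.I)),
]
# Entropy rule: a long run of token-like characters with high Shannon entropy.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value, tune per code base
ENDPOINT_RE = re.compile(r"""https?://[^\s'"<>)]+""")


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only a short prefix so the report itself does not re-leak the secret."""
    return value[:4] + "…" if len(value) > 4 else "…"


def scan_text(path: str, text: str) -> list:
    """Return one finding dict per (line, rule) hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERN_RULES:
            m = pattern.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "match": redact(m.group(0))})
        for m in TOKEN_RE.finditer(line):
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno, "rule": "high-entropy-string",
                                 "match": redact(m.group(0))})
                break  # one entropy finding per line is enough
    return findings


def extract_endpoints(text: str) -> list:
    """Unique http(s) URLs in first-seen order (the 'search for https://' tip)."""
    seen = []
    for m in ENDPOINT_RE.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def scan_files(files: dict):
    """Scan every file; return (secret findings, unique endpoints across all files)."""
    findings, endpoints = [], []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
        for url in extract_endpoints(text):
            if url not in endpoints:
                endpoints.append(url)
    return findings, endpoints


if __name__ == "__main__":
    found, urls = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f['path']}:{f['line']} {f['rule']} {f['match']}")
    print("endpoints:", urls)
```

The entropy rule is what catches tokens that no regex anticipates, at the cost of false positives on hashes and base64 blobs, which is why the threshold and the token pattern are worth tuning per code base; the redaction step matters because a scan report that reproduces the secret in full is itself a new place for it to leak from.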
Extracting Metadata of Organization’s Documents
This is very useful, because it helps us identify the software used for document processing within the company, along with its version.
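As an added example (my own code, not from the article), the following Python builds a minimal Office Open XML package in memory, standing in for a .docx, .xlsx or .pptx found on the organization’s website, and reads the two metadata parts, docProps/app.xml and docProps/core.xml, where Office applications record the application name, its version, the company, and the author. Every value in the sample package is constructed; the namespaces and part names are the standard OOXML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces of the two metadata parts.
NS = {
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed sample parts; the values are made up for this example.
SAMPLE_APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp</Company>
</Properties>"""

SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2023-05-01T09:00:00Z</dcterms:created>
</cp:coreProperties>"""


def build_minimal_zip(parts: dict) -> bytes:
    """Zip the given {name: content} parts in memory (an OOXML file is a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample_docx() -> bytes:
    """A package containing only the metadata parts; enough for this exercise."""
    return build_minimal_zip({
        "docProps/app.xml": SAMPLE_APP_XML,
        "docProps/core.xml": SAMPLE_CORE_XML,
    })


def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def extract_ooxml_metadata(data: bytes) -> dict:
    """Read application, version, company and author fields from an OOXML package.

    Parts that are missing are simply skipped, so a stripped document yields {}.
    """
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            meta["application"] = _text(root, "ep:Application")
            meta["app_version"] = _text(root, "ep:AppVersion")
            meta["company"] = _text(root, "ep:Company")
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            meta["creator"] = _text(root, "dc:creator")
            meta["last_modified_by"] = _text(root, "cp:lastModifiedBy")
            meta["created"] = _text(root, "dcterms:created")
    return meta


def software_fingerprint(meta: dict) -> str:
    """One-line 'product version' summary, or 'unknown' when nothing was recorded."""
    parts = [meta.get("application"), meta.get("app_version")]
    return " ".join(p for p in parts if p) or "unknown"


if __name__ == "__main__":
    meta = extract_ooxml_metadata(build_sample_docx())
    print(meta)
    print("software:", software_fingerprint(meta))
```

The same two parts exist in .xlsx and .pptx files, so the function works unchanged on those; PDFs keep comparable fields (Producer, Creator) in their Info dictionary and need a PDF parser instead. On the defensive side, the empty result for a package without docProps is the outcome to aim for: running an inspection like this over documents before they are published shows exactly which software versions and names the organization is giving away.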