OSINT Tips for Penetration Testing

Cristian Cornea
4 min read · Feb 1, 2022

In this article, we will discuss some of my favorite OSINT techniques that can help during your penetration testing activities.

What is OSINT?

OSINT stands for “Open Source Intelligence” and, as the name suggests, it is a collection of techniques used to find security flaws by examining publicly available information about an organization.

This can help us while doing a penetration test. How? We will see below, where I describe some of the OSINT methods that I personally use during a pentest.

Finding “juicy” Things in Public Code Repositories

It is often possible to find interesting information within our target organization’s public repositories. Let’s look at some scenarios.

  • Private Source Code: Let’s say we have a web application in scope for our assessment. We can easily search for pieces of that application’s front-end code on GitHub, with the hope that we (maybe) discover the repository containing its source code.
  • Credentials/Tokens: Andrew is a developer working for the target company. Andrew commits files containing configuration details, connection strings, credentials and private tokens to the project he is assigned to. It is a common situation (you would be surprised, actually). You can scan a repository for secrets disclosure with this magic tool over here: https://github.com/zricethezav/gitleaks
  • Interesting Endpoints: We can actually find interesting endpoints if we dig within the repositories of our target organization. As a tip, try to search for “http://” or “https://”. By “interesting”, I mean admin panels, testing/development environments, endpoints without authentication, and so on.

Extracting Metadata of Organization’s Documents

This is very useful, because it will help us extract the software used for document processing, and its version, within the company.
