OSINT
Objectives: By the end of this topic, you will be able to…
- Collect publicly available information useful for a security assessment
- Use OSINT tools included in Kali Linux
- Recognize the legal and ethical limits of using these tools
What is OSINT
OSINT (Open Source Intelligence) refers to the process of collecting and analyzing publicly available information to obtain useful intelligence.
Key characteristics:
- Based on accessible sources without the need for invasive techniques
- Legal when performed without violating privacy policies or terms of service
- Used in both defensive contexts (audits, threat hunting) and offensive contexts (red teaming, cybercrime)
Main OSINT sources:
- Search engines (Google, Bing, Yandex)
- Social media (LinkedIn, Facebook, Twitter, Instagram)
- Public records (government databases, WHOIS)
- Metadata in documents or images
- Forums, blogs, paste sites (Pastebin, Reddit)
- Domains and exposed web services
Importance of OSINT in cybersecurity
OSINT supports the first phase of the Cyber Kill Chain, reconnaissance: an attacker maps the target (people, domains, services, technology) before choosing how to weaponize and deliver anything, and most of that mapping can be done from public sources without touching the target.
Passive vs active reconnaissance
- Passive: information is collected without directly interacting with the target (more stealthy)
- Active: interaction with the target’s infrastructure or services (higher risk)
Advantages of passive reconnaissance:
- Low risk of detection
- Large volume of information
- Allows building a detailed profile of a person or organization from fragments scattered across many sources
Examples of use:
- Attackers use it to select vulnerable targets or for social engineering
- Security teams use it to identify unintentional public exposures (shadow IT, data leaks, poor staff practices)
OSINT tools in Kali Linux
| Tool | Description |
|---|---|
| theHarvester | Collects email addresses, usernames, hosts, and subdomains from search engines and other public sources |
| Maltego CE | Visualizes relationships between entities such as people, domains, IPs |
| whois | Displays domain registration data (registrar, creation and expiry dates, name servers); registrant contact details are often redacted since GDPR |
| dig | Queries DNS records (A, MX, NS, TXT, ...) for a domain |
| dnsrecon | Automates DNS information gathering (record enumeration, zone transfer attempts, brute force of subdomains) |
| ExifTool | Extracts metadata from images and documents |
| Google Dorks | Advanced use of search engine operators (site:, filetype:, inurl:, intitle:) to find sensitive data |
Although these tools automate processes, human analysis remains key for interpreting results.
OSINT techniques by target type
Gathering on people
Goal: obtain data to identify, locate, or profile a person.
Information sought: social media profiles, email addresses, resumes, photographs with metadata, forum participation.
Common techniques:
- Advanced search with Google operators (Google Dorks)
- Queries on sites like Hunter.io, HaveIBeenPwned
- Image analysis with metadata tools
- Reverse image search (Google, Yandex)
Gathering on infrastructure
Goal: understand an organization’s digital infrastructure and its public exposure.
Typical data: WHOIS information, DNS and subdomains, IP addresses, public emails, exposed services.
Common techniques:
- WHOIS and DNS queries (`dig`, `dnsrecon`)
- Email enumeration with `theHarvester`
- Visualization in Maltego
- Use of search engines like Shodan or Censys
Ethical and legal considerations
Although OSINT is based on public sources, not everything accessible is legal to use:
- Consent and context: posting something on social media does not imply consent for automated collection
- Legitimate purpose: in audits, authorization from the client or simulated environment must exist
- Terms of service: many platforms explicitly prohibit scraping
- Avoid harm: the privacy and security of third parties must be respected
In professional cybersecurity, ethics and legality are as important as technical knowledge.
Hands-on lab
Requirements: Kali Linux, internet access, Maltego CE
Part 1: Passive reconnaissance on a domain
Each pair will receive an assigned domain or identity.
- Use `whois`, `nslookup`, and `dig` to profile the domain
- Run `theHarvester` to search for emails, hosts, and social media: `theHarvester -d example.com -b google,bing`
- Optional: use `crt.sh`, `hunter.io`, `amass`, or web OSINT tools
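Certificate Transparency logs are one of the most productive passive sources for the subdomain step above (and for the `crt.sh` option in Part 1 of the lab): querying crt.sh talks only to crt.sh, never to the target. The raw JSON needs cleaning before it is useful, though. The following script is an added example, not part of the original lab material: it parses a crt.sh-style response, splits multi-SAN certificates (crt.sh puts several names in one `name_value`, newline separated), normalizes case, drops wildcard names that cannot be resolved, discards out-of-scope SANs that ride on shared certificates, and optionally ignores names seen only on expired certificates. The sample response is constructed to mimic the shape of `https://crt.sh/?q=%25.example.com&output=json`; the `fetch_crtsh` helper is provided for live use but nothing here requires network access.

```python
"""Extract unique in-scope hostnames from a crt.sh JSON response.

Added example for the OSINT lab; not code from crt.sh or theHarvester.
"""
import json
import urllib.request
from urllib.parse import quote

# Constructed sample in the shape of crt.sh's JSON array (real output has more
# keys, such as issuer_name and entry_timestamp). Entry 4 models a shared
# hosting certificate whose SAN list carries an unrelated customer's name.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2025-01-01T00:00:00"},
    {"id": 2, "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nvpn.dev.example.com",
     "not_after": "2024-06-01T00:00:00"},
    {"id": 3, "common_name": "MAIL.Example.com",
     "name_value": "MAIL.Example.com",
     "not_after": "2026-03-01T00:00:00"},
    {"id": 4, "common_name": "cdn.example.com",
     "name_value": "cdn.example.com\nshared-host.example.net",
     "not_after": "2026-03-01T00:00:00"},
])


def fetch_crtsh(domain, timeout=30):
    """Fetch the live JSON for %.domain from crt.sh (passive: no target contact)."""
    url = f"https://crt.sh/?q={quote('%.' + domain)}&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "osint-lab/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def in_scope(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def extract_hosts(crtsh_json, domain, keep_wildcards=False, valid_after=None):
    """Return a sorted list of unique hostnames under `domain`.

    keep_wildcards: keep names like *.dev.example.com (useful to spot
        wildcard certs, useless for resolution).
    valid_after: ISO timestamp string; entries whose not_after is earlier
        are skipped, so long-expired certificates do not resurrect hosts
        that may have been decommissioned. Same-format strings compare
        lexicographically, so no datetime parsing is needed.
    """
    domain = domain.lower().rstrip(".")
    hosts = set()
    for entry in json.loads(crtsh_json):
        if valid_after and entry.get("not_after", "") < valid_after:
            continue
        for raw in entry.get("name_value", "").split("\n"):
            host = raw.strip().lower().rstrip(".")
            if not host:
                continue
            if host.startswith("*.") and not keep_wildcards:
                continue
            if not in_scope(host, domain):
                continue  # SAN belonging to someone else on a shared cert
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for h in extract_hosts(SAMPLE_CRTSH_JSON, "example.com"):
        print(h)
```

The output of `extract_hosts` is the list you would feed to `dig` or `dnsrecon` next; that step is where reconnaissance turns active, since resolving names queries the target's authoritative servers.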
Part 2: Metadata analysis
Files (PDFs, images, DOCX) with embedded metadata will be provided.
- Analyze with `exiftool` and online tools
- Identify authorship, timestamps, software, location
- Extract coordinates and plot them on a map
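The coordinate step is where most hand-made mistakes happen: exiftool prints GPS tags in degrees/minutes/seconds with a hemisphere reference, and a dropped sign puts the photo in the wrong hemisphere. The script below is an added example, not part of the original lab or of ExifTool itself. It reads the JSON that `exiftool -j file1 file2 ...` produces, converts both the human-readable DMS form and the numeric form from `exiftool -n` to signed decimal degrees, pulls the authorship, software and timestamp fields asked for in Part 2, and builds an OpenStreetMap marker URL for each geotagged file. The sample records are constructed for the example; the tag names (`GPSLatitude`, `GPSLatitudeRef`, `Artist`, `Author`, `Software`, `Creator`, `CreateDate`) are the standard names exiftool uses.

```python
"""Summarize exiftool -j output for an OSINT metadata report.

Added example for the metadata lab; not ExifTool code.
"""
import json
import re

# Matches exiftool's default GPS rendering, e.g. 40 deg 26' 46.00" N
DMS_RE = re.compile(
    r"^(\d+(?:\.\d+)?) deg (\d+(?:\.\d+)?)' (\d+(?:\.\d+)?)\"(?:\s*([NSEW]))?$")

# Constructed sample in the shape of `exiftool -j photo1.jpg photo2.jpg report.pdf`.
# photo2 imitates `exiftool -n` (numeric values, one-letter Ref tags).
SAMPLE_EXIFTOOL_JSON = json.dumps([
    {"SourceFile": "photo1.jpg", "Make": "Canon", "Model": "Canon EOS 5D",
     "CreateDate": "2023:05:14 10:22:31", "Software": "Adobe Photoshop 24.0",
     "Artist": "J. Doe",
     "GPSLatitude": "40 deg 26' 46.00\" N", "GPSLatitudeRef": "North",
     "GPSLongitude": "79 deg 58' 56.00\" W", "GPSLongitudeRef": "West"},
    {"SourceFile": "photo2.jpg", "Software": "Pixel 7",
     "CreateDate": "2024:01:09 18:03:10",
     "GPSLatitude": 33.8688, "GPSLatitudeRef": "S",
     "GPSLongitude": 151.2093, "GPSLongitudeRef": "E"},
    {"SourceFile": "report.pdf", "Author": "jdoe", "Creator": "Microsoft Word",
     "CreateDate": "2022:11:02 09:15:00"},
])


def dms_to_decimal(value, ref=None):
    """Convert an exiftool GPS value to signed decimal degrees.

    `value` is either the DMS string or a number; `ref` is the matching
    GPS*Ref tag ("North", "S", ...). A hemisphere letter inside the string
    is used when no ref is given. South and West become negative; a value
    that is already negative is not negated twice.
    """
    if isinstance(value, (int, float)):
        decimal = abs(float(value))
        letter = None
    else:
        m = DMS_RE.match(value.strip())
        if not m:
            raise ValueError(f"unrecognised GPS value: {value!r}")
        deg, minutes, seconds, letter = m.groups()
        decimal = float(deg) + float(minutes) / 60 + float(seconds) / 3600
    hemi = (ref or letter or "N")[0].upper()
    if hemi in ("S", "W"):
        decimal = -decimal
    return round(decimal, 6)


def extract_coords(entry):
    """Return (lat, lon) for one exiftool record, or None if not geotagged."""
    lat, lon = entry.get("GPSLatitude"), entry.get("GPSLongitude")
    if lat is None or lon is None:
        return None
    return (dms_to_decimal(lat, entry.get("GPSLatitudeRef")),
            dms_to_decimal(lon, entry.get("GPSLongitudeRef")))


def osm_url(lat, lon, zoom=16):
    """OpenStreetMap URL with a marker at the given position."""
    return f"https://www.openstreetmap.org/?mlat={lat}&mlon={lon}#map={zoom}/{lat}/{lon}"


def summarize_metadata(exiftool_json):
    """Reduce exiftool -j output to the fields the report needs."""
    rows = []
    for entry in json.loads(exiftool_json):
        coords = extract_coords(entry)
        rows.append({
            "file": entry.get("SourceFile"),
            "author": entry.get("Artist") or entry.get("Author"),
            "software": entry.get("Software") or entry.get("Creator"),
            "created": entry.get("CreateDate"),
            "coords": coords,
            "map": osm_url(*coords) if coords else None,
        })
    return rows


if __name__ == "__main__":
    for row in summarize_metadata(SAMPLE_EXIFTOOL_JSON):
        print(row)
```

When running this against real files, add `-n` to the exiftool command if you want to skip the DMS parsing entirely; the script accepts either form so the same report code works regardless of how a teammate exported the metadata.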
Part 3: Visualization in Maltego CE
- Create entities and use basic transformations
- Identify non-obvious connections
- Export the graph image for inclusion in the report
Submission
Report per pair (max. 3 pages plus images):
- Techniques and tools used
- Main findings per section
- Maltego visualization
- Critical analysis of risks, ethics, and privacy
- Brief personal reflection (one per student)
Additional resources: OSINT Cheatsheet | Report Template
Key concepts
| Term | Definition |
|---|---|
| OSINT | Process of collecting and analyzing publicly available information |
| theHarvester | OSINT tool that collects emails, subdomains, and hosts |
| Google Dorks | Advanced search techniques for finding exposed information |
| Kill Chain | Model describing the phases of a cyberattack, starting with reconnaissance |
| Sniffing | Capture of traffic on a network segment you can reach; it requires network access and is therefore not OSINT, unlike passive collection from public sources |
Test yourself
- Reconnaissance: What is the difference between passive and active reconnaissance? Which is riskier for the analyst and why?
- Practical application: A client asks you to evaluate their company's public exposure. What tools would you use and in what order? Justify your methodology.
- Ethics: You find sensitive personal information about an employee during an authorized OSINT exercise. How do you handle it in your report?