
[OWASP Sofia] Angel Bochev - Penetration Testing: OSINT (May 9th, 2019)

A working pentester talks about OSINT (Open Source Intelligence): an exploration of the techniques and tools used for one of the most important parts of every penetration test, information gathering.

Angel Bochev has been an Offensive Security Certified Professional (OSCP) since 2016; he is a CTF player, has 12+ years of networking/sysadmin experience, and currently works in the InfoSec team at PROS.



May 09, 2019


  1. Penetration testing: OSINT (OSINT from a Penetration Test Perspective)

  2. About me:
     • I <3 Linux
     • Network admin / Sysadmin / Infrastructure
     • OSCP
     • Now in the InfoSec team at Pros, Penetration Tester
     angel.bochev@gmail.com | Twitter: @angelbochev | LinkedIn: https://www.linkedin.com/in/angelbochev/

  3. What is OSINT?
     • “data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources).” (Wikipedia)

  4. What is a “Penetration test”?
     • “A penetration test, colloquially known as a pen test, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.” (Wikipedia)

  5. How is OSINT used in Penetration tests?
     • Social engineering: collect info on the target company, employees, partners, social media
     • Network assessments: discover assets, public code
     • Physical engagements: physical locations, neighbours, etc.

  6. How is it done? Drum roll…

  7. How is it done?
     • With your favorite browser, mostly. (sorry, IE :( )

  8. How is it done?
     • With your favorite browser, mostly. (sorry, IE :( )
     • Starts with a basic piece of information: company name, email, phone number, etc.

  9. How is it done?
     • With your favorite browser, mostly. (sorry, IE :( )
     • Starts with a basic piece of information: company name, email, phone number, etc.
     • We then individually research every other interesting piece of information we encounter that will help us with the pentest.

  10. What is interesting information? Depending on our goal, that could be:
     • Network info: DNS, subnets, BGP peers, etc.
     • Company/personal information: emails, pictures, social media accounts, documents
     • Leaked secrets: passwords, API keys, confidential information

  11. Tools for general search:
     • Bing!
     • DuckDuckGo
     • Google
     • Archive.org / Wayback Machine
     • Wolfram Alpha

  12. Social media:
     • Facebook
     • Instagram
     • Twitter
     • https://namechk.com/

  13. DNS Search
     • https://domainbigdata.com
     • https://securitytrails.com
     • https://dnsdumpster.com/
     • https://hackertarget.com/

  14. IP Information
     • https://ipv4info.com/
     • https://shodan.io

  15. Email addresses:
     • TheHarvester (https://github.com/laramies/theHarvester)
     • Hunter.io
     • GitHub commits
     • Pastebin

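Slide 10 lists leaked secrets (passwords, API keys) among the interesting information, and slide 15 names GitHub commits and Pastebin as places where an organisation's email addresses surface. The script below is an added example, not part of the talk and not code from theHarvester, Hunter.io or any other tool named on the deck: it runs the same kind of search over a constructed commit diff from the defender's side, so a team can find what it has exposed before an outsider does. The sample diff, the rule names, the entropy threshold and the helper names are all this example's own assumptions; the AWS key pair is the placeholder pair AWS publishes in its documentation, not a live credential.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Set

# Constructed sample input: a fake commit diff of the kind a "GitHub commits"
# search would surface. The AWS key and secret are the placeholder values AWS
# publishes in its documentation, not real credentials.
SAMPLE_COMMIT_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "hunter2"
+ADMIN_EMAIL = "alice@example.com"
+# contact bob@example.com or helpdesk@partner.example for access
"""


@dataclass(frozen=True)
class Finding:
    rule: str             # which rule fired (rule names are this example's own)
    line: int             # 1-based line number in the scanned text
    value: str            # the matched value
    entropy: float = 0.0  # filled in only by the entropy rule


# AWS access key IDs have a fixed, easily recognised shape.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A config-style assignment whose left-hand side contains a credential keyword.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*[\"']?([^\"'\s]+)"
)
# Long unbroken tokens are candidates for the entropy check below.
CANDIDATE_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed cut-off for this example
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for a constant string)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_secrets(text: str) -> List[Finding]:
    """Scan text line by line and return every credential-looking value."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding("aws_access_key_id", lineno, m.group(0)))
        for m in CREDENTIAL_ASSIGNMENT.finditer(line):
            findings.append(Finding("credential_assignment", lineno, m.group(1)))
        # Random-looking material (keys, tokens) has high per-character entropy;
        # ordinary identifiers such as AWS_SECRET_ACCESS_KEY fall below the cut-off.
        for m in CANDIDATE_TOKEN.finditer(line):
            e = shannon_entropy(m.group(0))
            if e >= ENTROPY_THRESHOLD:
                findings.append(Finding("high_entropy_string", lineno, m.group(0), round(e, 2)))
    return findings


def find_exposed_emails(text: str, domain: str) -> Set[str]:
    """Return the addresses in text that belong to domain (case-insensitive)."""
    domain = domain.lower()
    return {m.group(0).lower() for m in EMAIL.finditer(text) if m.group(1).lower() == domain}


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_COMMIT_DIFF):
        print(f"line {f.line}: {f.rule}: {f.value}")
    print("exposed addresses:", sorted(find_exposed_emails(SAMPLE_COMMIT_DIFF, "example.com")))
```

The three rules are deliberately layered: the fixed-format rule catches a known key shape, the keyword rule catches values that a developer labelled as secrets regardless of shape, and the entropy rule catches random-looking material with no label at all. Pointing the same scanner at your own repositories and paste dumps, rather than waiting for a pentester's report, turns the slide's "leaked secrets" item into a routine check.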
  16. OSINT Automation
     • Recon-ng

  17. More resources:
     • OSINT Framework: https://osintframework.com/
     • Awesome OSINT: https://github.com/jivoi/awesome-osint
     • OWASP Penetration Testing Methodologies: https://www.owasp.org/index.php/Penetration_testing_methodologies

  18. DEMO TIME!