Deep dive into OSINT methods, or how do "they" know everything about you?
OSINT, or Open-Source Intelligence, has been around for years, and you, as well as me and probably everyone who has ever been in contact with the internet, have used it, even unknowingly.
OSINT techniques can be as simple as looking up a person on Facebook or reading the local newspaper. Considering this, it is crucial to know how much you are disclosing about yourself.
In this article you will learn what OSINT is, how much people can find out about you, and which OSINT tools you can use safely.
OSINT can be defined as:
- a very diverse collection of information gathered from open, public sources
- commonly used by professionals in cybersecurity, business intelligence and law enforcement, but not limited to them
Unfortunately, while being publicly available to everyone has its perks, the same openness means that OSINT is also used by malicious hackers for information gathering.
A trusted source divides OSINT into the following categories:
- Media, consisting of television, radio, news, magazines
- Internet, a widely utilized resource composed of social media such as Instagram, LinkedIn, Facebook, blogs, online publications, dark web resources, etc.
- Academic publications and scientific journals, acquired through articles, theses, dissertations, and others
- Business data, collected through tax information, business profile, board meetings, and such
- Geospatial information, which includes maps and transport tracking applications (for buses, trains, planes, etc.)
Considering the above-mentioned methods of collecting open-source information, we can safely say that the internet is by far the most used option and has the most extensive collection of tools and resources used for Open-Source Intelligence.
As of 2021, there are 4.66 billion active internet users, according to statista.com, which accounts for almost 60% of the world's population.
However, sources from the other categories should not be disregarded.
Studies show that in the year 2020, 64% of Americans watch network and cable TV (nielsen.com), while only 32% read their news from digital or regular newspapers (pewresearch.org).
Open-Source Intelligence techniques can also be categorized based on the level of contact with the target: they are either passive or active.
- Passive OSINT gathers information through third parties, without ever touching the target's own systems. The risk of detection is low, but the data may be stale or inaccurate. An example would be using a website to look up information about a social media account.
- Active OSINT involves direct contact with the target. This increases the risk of detection but yields more reliable results. Port scanning is a fitting example, because the action is performed directly against the target's systems rather than through a third party; for that same reason, active techniques should only be run against systems you are authorized to test.
The "Open-Source" in OSINT refers to the fact that the data comes from publicly available sources. Acquiring it does not require special skills or techniques, but the sources are not limited to regular search engines such as Google or Bing.
Some free OSINT tools that will be discussed in this article can help you manage the immense volume of information.
We will talk about the OSINT framework, which organizes resources based on their purpose and makes it very easy to find what you are looking for.
Then, we will discuss how a very powerful OSINT software, Shodan, can help as a great resource for automating OSINT.
Lastly, we will find out how we can use “Google hacking” to get what we want from the search bar.
If you are looking into learning new OSINT techniques, Kali Linux already ships with a number of Open-Source Intelligence tools.
If you are wondering, "where can I get OSINT" the answer is: everywhere! A good place to start using OSINT software is the OSINT Framework. It contains a collection of free tools and resources built to ensure easier data gathering, research, and reconnaissance.
I have recently used some tools from this framework, which can be found in branches such as IP Address, Encoding/Decoding, and Tools. I found them very useful. Below, you can see a snippet of some of the many categories and subcategories existent in this framework.
Expanding the "Social Networks" branch, we can gather publicly available information based on accounts on Facebook, LinkedIn, Twitter, and others. For example, under the LinkedIn branch, there are Python scripts that can scrape the website and find users and their emails based on search preferences (the same terms-of-service caveat that applies to Facebook below applies to automated scraping of LinkedIn).
Under the Facebook section, we can even find an application that can track your friends' sleep patterns and duration. However, this is for educational purposes and should not be used on the Facebook website, as it is against their terms, according to the author of the application.
On the other side, the OSINT framework has a very useful category named "Malicious File Analysis". There, you can find tools that analyze files and source code and determine whether a file is legitimate or contains potentially harmful scripts. These resources come in very handy if you are not sure whether a file is safe.
I think this is very user-friendly and easy to use, providing an intuitive interface.
There are endless possibilities when it comes to Open-Source Intelligence.
So, how much can be found out about you? The short answer is: it depends. Do you post on social media every time you meet someone or go shopping?
Since Open-Source Intelligence sources include information gathered from social media, everything you publicly post on the internet may be viewed by anyone. This may include, but is not limited to: your username, your birthday, relatives, workplace, favourite dining locations, movie watchlists, and so on.
Taking into consideration that the internet is publicly available, I recommend you make sure you protect your private data on social media following this simple guide.
The bad news is that what is put out there, on the internet, stays on the internet. Chances are, if you posted something and then deleted it, it is still there.
The Wayback Machine is a website that makes this possible. It preserves older versions of other websites, as well as lost images, videos, and more. It is essentially an archive of the internet. As of 2020, it held over 514 billion archived pages and more than 70 million gigabytes of data.
It also preserves OSINT resources and websites that have long since disappeared.
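A quick way to check what the archive still holds about a page you deleted is the Wayback Machine's CDX API. The following is an added example, not code from the original article: it builds a CDX query for a URL and parses the API's JSON array-of-arrays response into replay links. The network call is separated from the parser so the parser can be run offline against the constructed sample response at the bottom; the sample's timestamps, digests and URLs are made up.

```python
"""Build Wayback Machine CDX queries and turn the response into replay URLs.

Added example; assumes the documented CDX endpoint
https://web.archive.org/cdx/search/cdx with output=json (first row is a header).
"""
import json
from urllib.parse import urlencode
from urllib.request import urlopen

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def build_cdx_query(url, from_year="", to_year="", limit=50):
    """Return the CDX API URL listing successful captures of `url`."""
    params = {
        "url": url,
        "output": "json",
        "limit": str(limit),
        "filter": "statuscode:200",  # only captures that were served successfully
        "collapse": "digest",        # skip consecutive captures with identical content
    }
    if from_year:
        params["from"] = from_year
    if to_year:
        params["to"] = to_year
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def parse_cdx_response(body):
    """Convert the CDX JSON (header row + records) into dicts with a replay_url."""
    rows = json.loads(body)
    if not rows:
        return []
    header, *records = rows
    snapshots = []
    for record in records:
        entry = dict(zip(header, record))
        entry["replay_url"] = f"https://web.archive.org/web/{entry['timestamp']}/{entry['original']}"
        snapshots.append(entry)
    return snapshots


def fetch_snapshots(url, **kwargs):
    """Live lookup (needs network access); not used by the offline sample below."""
    with urlopen(build_cdx_query(url, **kwargs), timeout=30) as resp:
        return parse_cdx_response(resp.read().decode())


# Constructed sample in the output=json shape; every value here is made up.
SAMPLE_CDX = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,example)/blog/old-post", "20190314120000", "http://example.com/blog/old-post",
     "text/html", "200", "ABC123", "5123"],
    ["com,example)/blog/old-post", "20210705083000", "http://example.com/blog/old-post",
     "text/html", "200", "DEF456", "5201"],
])

if __name__ == "__main__":
    print(build_cdx_query("example.com/blog/old-post", from_year="2019"))
    for snap in parse_cdx_response(SAMPLE_CDX):
        print(snap["timestamp"], snap["replay_url"])
```

Run it against your own old URLs with `fetch_snapshots("yourdomain.example/page")`; each returned `replay_url` is a copy of the page that is still publicly retrievable regardless of whether you deleted the original.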
However, do not worry. You can still control what will be posted in the future.
What OSINT techniques can or cannot find out about you and your data depends on you and on the decisions and measures you take from now on. Choosing a more private approach can limit third-party access to your information. For example, one measure you can take is to start De-Googling Yourself.
The first phase of a cyber-attack, also known as the first stage of the Cyber Kill Chain, is reconnaissance. In this step, malicious hackers gather as much intelligence about the target as possible.
It can be done using various tools, but one of the key elements of this process is OSINT.
(Image source: maltego.com)
Denying attackers enough data about you and your information is a very good deterrent: it raises the cost of reconnaissance and can stop an attack before it even begins.
My recommendation is to be careful about what kind of information you disclose and to pay attention to any picture you upload to the internet. Photos can carry GPS coordinates in their EXIF metadata, and there have been many situations in which people have revealed their home location or have taken photos at work with their badge in plain sight.
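The GPS check mentioned above, as an added example that is not part of the original article: a standard-library-only parser for the EXIF GPS tags in a JPEG, plus a function that strips the APP1 (EXIF) segment before the image is shared. It implements only the subset of the TIFF/EXIF layout needed for this purpose (the APP1 segment, IFD0's GPSInfo pointer, tag 0x8825, and GPS IFD tags 1 to 4). The JPEG returned by `build_sample_jpeg()` is a constructed test fixture containing headers and no image data, not a real photo.

```python
"""Detect and remove EXIF GPS coordinates in a JPEG (added example, stdlib only)."""
import struct

GPS_INFO_TAG = 0x8825
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw_value_bytes)} for one IFD."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[base:base + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:  # value fits in the 4-byte field
            raw = tiff[base + 8:base + 8 + size]
        else:          # field holds an offset to the value
            (ptr,) = struct.unpack(endian + "I", tiff[base + 8:base + 12])
            raw = tiff[ptr:ptr + size]
        entries[tag] = (typ, n, raw)
    return entries


def _dms_to_degrees(raw, n, endian):
    """Decode n RATIONALs (degrees, minutes, seconds) into decimal degrees."""
    vals = struct.unpack(endian + "II" * n, raw)
    parts = [num / den if den else 0.0 for num, den in zip(vals[0::2], vals[1::2])]
    return sum(p / 60 ** k for k, p in enumerate(parts))


def _gps_from_tiff(tiff):
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return None
    (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if GPS_INFO_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_INFO_TAG][2])
    gps = _read_ifd(tiff, gps_off, endian)
    if not all(tag in gps for tag in (1, 2, 3, 4)):  # LatRef, Lat, LonRef, Lon
        return None
    lat = _dms_to_degrees(gps[2][2], gps[2][1], endian)
    lon = _dms_to_degrees(gps[4][2], gps[4][1], endian)
    return (-lat if gps[1][2].startswith(b"S") else lat,
            -lon if gps[3][2].startswith(b"W") else lon)


def _segments(jpeg):
    """Yield (position, marker, total_length) for each header segment before the scan data."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: metadata segments are over
            return
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield pos, marker, 2 + seglen
        pos += 2 + seglen


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG carries EXIF GPS data, else None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    for pos, marker, length in _segments(jpeg):
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _gps_from_tiff(jpeg[pos + 10:pos + length])
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 (EXIF/XMP) segment removed."""
    out, end = bytearray(jpeg[:2]), 2
    for pos, marker, length in _segments(jpeg):
        if marker != 0xE1:
            out += jpeg[pos:pos + length]
        end = pos + length
    return bytes(out + jpeg[end:])


def build_sample_jpeg(lat, lon):
    """Constructed fixture: SOI + EXIF APP1 (little-endian TIFF with a GPS IFD) + EOI."""
    def triplet(value):  # decimal degrees -> three RATIONALs (deg/1, min/1, msec/1000)
        value = abs(value)
        d = int(value)
        m = int((value - d) * 60)
        s = round(((value - d) * 60 - m) * 60 * 1000)
        return struct.pack("<IIIIII", d, 1, m, 1, s, 1000)

    gps_ifd_off = 8 + 2 + 12 + 4             # IFD0 holds one entry (GPSInfo)
    data_off = gps_ifd_off + 2 + 4 * 12 + 4  # GPS IFD holds four entries
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_INFO_TAG, 4, 1, gps_ifd_off) + struct.pack("<I", 0)
    gps_ifd = (struct.pack("<H", 4)
               + struct.pack("<HHI", 1, 2, 2) + (b"N" if lat >= 0 else b"S") + b"\x00\x00\x00"
               + struct.pack("<HHII", 2, 5, 3, data_off)
               + struct.pack("<HHI", 3, 2, 2) + (b"E" if lon >= 0 else b"W") + b"\x00\x00\x00"
               + struct.pack("<HHII", 4, 5, 3, data_off + 24)
               + struct.pack("<I", 0))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps_ifd + triplet(lat) + triplet(lon)
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg(51.5074, -0.1278)  # constructed coordinates
    print("before strip:", extract_gps(photo))
    print("after strip:", extract_gps(strip_exif(photo)))
```

To check a real photo, read the file as bytes and call `extract_gps` on it; if it returns coordinates, `strip_exif` gives you a copy to upload instead. Note that it removes the whole APP1 segment (camera model, timestamps and any XMP data go with it), which for a photo you are about to post publicly is usually what you want.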
Is OSINT illegal? No.
While many professionals from different fields use OSINT, it is important to understand that anyone can and probably has done it before. Simply typing a question on a search engine or asking a question on a forum are examples of OSINT. Therefore, any internet user can do that.
However, some risks come with it, as identified by a trusted source:
- The risk of getting caught - this is the case especially for active OSINT when using techniques that put you in direct contact with the organization.
- The risk of being blocked - if an organization or individual notices that they are being tracked, they can try to erase the information, close their website or social media, or block you from accessing their data.
- The risk of turning into a victim - Performing OSINT may attract unwanted attention onto you, becoming the target of an investigation. You should always be very careful to not cross the line between legal and illegal actions.
With these risks in mind, we can improve our usual Google searches with Google dorking: search operators (the queries are known as "Google dorks") that narrow the results down to exactly what you are looking for.
You do not have to install anything; you just type the operators into the search bar, and they are simple and intuitive.
For example, if we want to search for information about VPNs but only want results from a specific website, we use the keyword "site" followed by a colon and the domain (e.g. site:example.com), as in the image.
We can also use keywords such as "filetype", followed by a colon and the file extension, to search only for PDFs (filetype:pdf), or put words between quotation marks to tell the search engine that we want that exact word or phrase to appear in the results.
Another keyword that has come in handy for me many times is the pipe: "|" (equivalent to OR). Placing this logical operator between two words returns results that contain at least one of them.
Similarly, the minus operator ("-") attached to the front of a word excludes it: "vpn -windows" returns results that contain the first word but not the second.
Many commands can be used to improve our Google searches. You can find more in this detailed guide.
Google dorking may help you find information that is not apparent in normal searches and can only be surfaced with these operators. For this reason, it is also called "Google hacking", although it is legal and legitimate.
Furthermore, if you want to go beyond Google, you can use Shodan, a search engine that indexes internet-connected devices and services (banners, open ports and the like) by scanning them directly, rather than indexing web pages.
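The operators described above, as an added example that is not part of the original article: a small query builder that emits real Google syntax (site:, filetype:, "exact phrase", |, -word) together with an offline matcher that applies a simplified model of the same operator semantics to a constructed document set, so you can see which documents each operator keeps or drops without running a live search. The corpus URLs and contents are made up; Google's real ranking and matching are more involved than the substring logic used here.

```python
"""Google dork builder plus an offline model of the operators (added example)."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Doc:
    url: str
    filetype: str  # what the search engine would report as the document type
    text: str


def build_dork(terms=(), site=None, filetype=None, exact=None, any_of=(), exclude=()):
    """Assemble a query string from the operators discussed in the article."""
    parts = list(terms)
    if site:
        parts.append(f"site:{site}")
    if filetype:
        parts.append(f"filetype:{filetype}")
    if exact:
        parts.append(f'"{exact}"')
    if any_of:
        parts.append(" | ".join(any_of))
    parts.extend(f"-{word}" for word in exclude)
    return " ".join(parts)


def matches(doc, terms=(), site=None, filetype=None, exact=None, any_of=(), exclude=()):
    """Simplified operator semantics: case-insensitive substring matching."""
    host = (urlparse(doc.url).hostname or "").lower()
    if site and not (host == site.lower() or host.endswith("." + site.lower())):
        return False  # site: also covers subdomains of the given domain
    if filetype and doc.filetype.lower() != filetype.lower():
        return False
    text = doc.text.lower()
    if any(term.lower() not in text for term in terms):
        return False  # plain terms must all appear
    if exact and exact.lower() not in text:
        return False  # quoted phrase must appear verbatim
    if any_of and not any(word.lower() in text for word in any_of):
        return False  # a | b: at least one must appear
    if any(word.lower() in text for word in exclude):
        return False  # -word: none of these may appear
    return True


def search(docs, **query):
    """Return the URLs a dork built from `query` would match in `docs`."""
    return [doc.url for doc in docs if matches(doc, **query)]


# Constructed sample corpus; URLs and contents are invented for this example.
CORPUS = [
    Doc("https://www.example.com/guides/vpn-setup.html", "html",
        "How to set up a VPN on Linux and Windows with WireGuard"),
    Doc("https://blog.example.com/files/vpn-policy.pdf", "pdf",
        "Corporate VPN policy: remote access requires MFA"),
    Doc("https://other.example.org/vpn-review", "html",
        "Best VPN review 2021: no logging, Windows client"),
    Doc("https://www.example.com/about", "html",
        "About us and our office locations"),
]

if __name__ == "__main__":
    for query in (
        dict(terms=["vpn"], site="example.com"),
        dict(terms=["vpn"], filetype="pdf"),
        dict(terms=["vpn"], any_of=["linux", "windows"]),
        dict(terms=["vpn"], exclude=["windows"]),
        dict(exact="no logging"),
    ):
        print(f"{build_dork(**query):40} -> {search(CORPUS, **query)}")
```

Paste any string printed by `build_dork` into Google to run the real query; the offline `search` results show the intended effect of each operator on the sample corpus, which is a useful sanity check before combining several operators in one dork.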
On an ending note, I challenge you to use the tools in the OSINT framework (and others) to find out as much as possible about yourself. Ask yourself: how much am I exposing? How much can someone else find out about me?
You can try to find information about yourself on Social Networks, Public Records, Business Records, Forums, and others.
Summing up everything stated so far, you should be aware that everything put on the internet may be visible to anyone. Not exposing yourself too much, keeping important information private, and generally anonymizing yourself on social media and on the internet in general is the right thing to do.
These extra measures could make the difference between becoming the victim of a cyber-attack and keeping your private data safe.
However, you should not be scared of OSINT; it includes many useful tools that can be used by anyone. They can be very helpful when researching topics, trying to find someone, or simply looking for information.
Google hacking is just one example.
If you found any useful tools on the OSINT framework or if you have any questions about the discussed ones, please do share them in the comments!