Whether you are new to OSINT (Open Source Intelligence) or use it regularly in your professional life for reconnaissance, threat intelligence or investigations, the recent speed of growth in the field means constant development in terms of tooling, data, content and community. In this post I aim to highlight some essentials that everyone relying on OSINT should know, plus newer resources that might provide additional insights.
If you are new to OSINT or come from a less technical background, there are some foundational resources you should gain a solid grasp of first, because they will help you get better use out of the other tools mentioned later in this post and give you a deeper understanding of the data those tools present:
- DNS: With tools like host, dig and nslookup you can look up different types of DNS records (A, CNAME, NS, MX, TXT, etc.), use alternate name servers and more. For instance, did you know that Quad9's DNS will always resolve any malicious host to 127.0.0.1? This means that by using their name server to perform your lookup, you can quickly check whether a host is potentially malicious:
$ nslookup m-tesla.pw 9.9.9.9
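The same check can be scripted. The following is an added example, not code from the original post: using only the Python standard library it builds an A-record query in DNS wire format, sends it over UDP to a resolver you choose, parses the reply, and compares what Quad9 (9.9.9.9) returns against an unfiltered resolver (8.8.8.8). The helper names and the `blocklist_verdict` rule are my own, and the packet used in the test is constructed by hand.

```python
import socket
import struct

QUAD9 = "9.9.9.9"       # Quad9 public resolver (filters known-malicious domains)
GOOGLE_DNS = "8.8.8.8"  # unfiltered public resolver used as the reference


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a recursive A-record query for `name` in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes):
    """Return (rcode, [A-record addresses]) from a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F  # 0 = NOERROR, 3 = NXDOMAIN
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # only keep A records
            answers.append(socket.inet_ntoa(rdata))
    return rcode, answers


def resolve(name: str, resolver: str, timeout: float = 3.0):
    """Send the query over UDP to `resolver` and parse the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


def blocklist_verdict(quad9_answer, reference_answer) -> str:
    """Compare Quad9's answer with the reference resolver's. A 127.0.0.1 answer
    (as the post describes) or no answer where the reference has one is treated
    as a block; this rule is the example's own, not Quad9's documented contract."""
    q_rcode, q_ips = quad9_answer
    r_rcode, r_ips = reference_answer
    if q_ips == ["127.0.0.1"] or (not q_ips and r_ips):
        return "blocked-by-quad9"
    if q_rcode == 3 and r_rcode == 3:
        return "nxdomain"
    return "not-blocked"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(host, blocklist_verdict(resolve(host, QUAD9), resolve(host, GOOGLE_DNS)))
```

Run it as `python3 dnscheck.py some-host.example` to see the verdict; the wire-format pieces are kept separate from the network call so they can be exercised offline on captured packets.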
- Whois: Probably everyone knows about performing Whois lookups on domains, but did you know you can also perform Whois on IP addresses, networks and ASNs? Let’s see who owns 8.8.8.8 — yes, Google, but Whois shows us that the broader network range is owned by Level 3 Communications (now CenturyLink), who have sub-allocated 8.8.8.0/24 to Google:
$ whois 8.8.8.8
NetRange: 8.0.0.0 - 8.127.255.255
Parent: NET8 (NET-8-0-0-0-0)
NetType: Direct Allocation
Organization: Level 3 Parent, LLC (LPL-141)
OrgName: Level 3 Parent, LLC
Address: 100 CenturyLink Drive
NetRange: 8.8.8.0 - 8.8.8.255
Parent: LVLT-ORG-8-8 (NET-8-0-0-0-1)
Organization: Google LLC (GOGL)
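Reading the parent/sub-allocation relationship out of that output by eye works for one address; for a list of addresses you want a parser. The following is an added example, not code from the original post: it splits ARIN-style whois output into one record per NetRange block, converts each range to CIDR with the standard `ipaddress` module, and returns the chain of blocks that contain a given address, widest first. The sample text is constructed to match the shape of the output above, and the function names are my own.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in the shape of `whois 8.8.8.8` output shown above:
# a parent allocation (Level 3) followed by a sub-allocation (Google).
SAMPLE_WHOIS = """\
NetRange:       8.0.0.0 - 8.127.255.255
Parent:         NET8 (NET-8-0-0-0-0)
NetType:        Direct Allocation
Organization:   Level 3 Parent, LLC (LPL-141)
OrgName:        Level 3 Parent, LLC
Address:        100 CenturyLink Drive

NetRange:       8.8.8.0 - 8.8.8.255
Parent:         LVLT-ORG-8-8 (NET-8-0-0-0-1)
Organization:   Google LLC (GOGL)
OrgName:        Google LLC
"""


def parse_whois_blocks(text: str) -> List[Dict[str, str]]:
    """Split whois output into records, one per NetRange block, as key->value
    dicts. Comment lines (# or %) are skipped; a repeated key keeps its first value."""
    blocks, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "NetRange" and current:  # a new NetRange starts a new record
            blocks.append(current)
            current = {}
        current.setdefault(key, value)
    if current:
        blocks.append(current)
    return blocks


def range_to_networks(netrange: str) -> List[ipaddress.IPv4Network]:
    """Convert 'first - last' into the minimal list of CIDR networks covering it."""
    first, last = (ipaddress.ip_address(p.strip()) for p in netrange.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def allocation_chain(text: str, ip: str) -> List[Dict[str, str]]:
    """Records whose NetRange contains `ip`, sorted from the widest (parent
    allocation) to the narrowest (the sub-allocation that actually holds it)."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for rec in parse_whois_blocks(text):
        if "NetRange" not in rec:
            continue
        nets = range_to_networks(rec["NetRange"])
        if any(addr in n for n in nets):
            hits.append((sum(n.num_addresses for n in nets), rec))
    return [rec for _, rec in sorted(hits, key=lambda h: -h[0])]


def owner_summary(text: str, ip: str) -> str:
    """One-line description of who holds `ip` and from whom it was sub-allocated."""
    chain = allocation_chain(text, ip)
    if not chain:
        return f"{ip}: no NetRange in the output contains this address"
    leaf = chain[-1]
    cidrs = ", ".join(str(n) for n in range_to_networks(leaf["NetRange"]))
    holder = leaf.get("Organization", "unknown organisation")
    if len(chain) == 1:
        return f"{ip}: {holder} holds {cidrs} (direct allocation)"
    parent = chain[0].get("Organization", "unknown organisation")
    return f"{ip}: {holder} holds {cidrs}, sub-allocated from {parent}"


if __name__ == "__main__":
    print(owner_summary(SAMPLE_WHOIS, "8.8.8.8"))
```

To use it on live data, replace `SAMPLE_WHOIS` with the captured output of `whois <ip>`; the parser only relies on the `Key: value` layout, so it copes with extra fields it does not know about.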
- Port scanners (Nmap, masscan, …): Open ports indicate what services a server exposes. Port 443 is usually HTTPS; port 22 is usually SSH and so on. Port scanners will automate the process of identifying all the services a given IP/host has open, will potentially reveal the software being used, its version and can sometimes also identify the operating system of the host.
- Google search syntax: Many books cover this extensively (even one fully dedicated to the topic) so I won’t even attempt to consolidate it into a paragraph, but check out the Google Hacking Database (GHDB) and you’ll get the idea.
- Python: Eventually you’ll want to do something unique which brings together different tools and APIs for your specific use case. I’ve specifically mentioned Python because it’s an approachable language, usually easy to read and the standard library is rich with functionality. And if the standard library doesn’t have what you need you can bet there is already a module out there for it. Most OSINT tools I’ve come across are written in Python for this reason so if you’re new to Python and are looking to apply it specifically for OSINT, take a look at the online courses Justin Seitz (the author of Hunchly) has put together, or simply the Python Tutorial — it’s surprisingly readable.
- Think creatively! One of the things I love about OSINT is that it’s often a big puzzle of loosely connected (or often disconnected) pieces. You get one piece of information which leads to another and then another. You hit a dead end, have to pivot and meanwhile the information you are gathering along the way is building up a more coherent picture. The key is to not give up, think creatively and be resourceful. Hopefully at the end what you have is this:
With these essentials covered, you are ready to stand on the shoulders of giants by utilising more sophisticated tools and platforms others have created, many of which build upon the basics above but at a much larger scale.