During the penetration testing process, the penetration testers have to work with an immense amount of data. Processing this massive data manually will take a huge amount of time. In this scenario, they use OSINT techniques for penetration testing as already there is data from public sources, and with the help of the tools they can gather them systematically.
What is Penetration testing?
A simulated or emulated cyberattack performed against the machines or endpoints to inspect the vulnerabilities which can be exploited is called penetration testing. Ethical hacking and penetration testing are used interchangeably in the cybersecurity domain.
What is OSINT?
Open Source Intelligence (OSINT). OSINT is any data or information which is gathered from the resources which are publicly available. The process followed by the security practitioners to collect the information is focused to gather business intelligence on the threat actors.
OSINT Techniques for Penetration Testing: Different types of Penetration Testing
The infrastructure of the organisation is tested in real time attack, the attacker is playing blind as no information is given about the target company or the network infrastructure. This is called Black Box Penetration Testing. The penetration tester will try to exploit all the vulnerabilities found in the network or in the application to get into the organisation.
The penetration tester knows about the infrastructure of the organisation or the application beforehand. This is called White Box Penetration Testing. The details such as the source code of the application, Domain Name System details etc are provided to the penetration tester.
This kind of testing aims to validate the internal network and the infrastructure of the organisation against potential threats.
The penetration tester will know the restricted information about organisation networks, infrastructure code and about the application codes. This is called Grey Box Penetration Testing. This testing will help us know how the attacker will simulate the attack with the limited information and how much can effect can it make to the organisation.
Double Blind Testing
Double Blind Testing is also referred to as Covert Testing. In this type of penetration testing, the attacker will attack the organisation, without informing the organisation that penetration testing is taking place, only higher management will be knowing of this. This will help the organisation to know how well they respond to an attack if it happens in real time.
Different types of OSINT tools used for Penetration Testing
Shodan is a powerful and efficient advance search engine that is usually used by hackers to see through all private and public data. This may contain sensitive information, especially if it is publicly available information. It mainly involves information related to endpoints which are network connected.
Also, this tool can be accessed from machines, smartphones, traffic signals, webcams, and various internet of things devices. This gives them the best outcomes that make more sense and are connected to security professionals.
We can log on the Shodan website by visiting the URL shodan.io. We can see the search box and will enter our target name, IP address anything that we have on who we want to gather data.
I wrote “webcam” and hit enter. The query gets back with many results. I opened the third link which is named is “Webcam 7” and is from Rome, Italy. The pages show us the following details:
- Internet Service Provider
- Autonomous System Numbers
Spyse is a cybersecurity search engine for the acquisition of technical skills commonly used by hackers for cyber reconnaissance. Spyse offers detailed information and helps through different entry points to explore the victim.
The website Spyse has a very large database and is used by all the penetration testers who are using OSINT techniques for penetration testing.
The database is connected with multiple data sets which can be immediately accessed by the user. It has 1.2 billion domains, 160 million IP hosts with the port numbers, 2.2 billion domain name system records, 140,000 vulnerabilities, around 3.6 billion IPv4 hosts information.
The website also provides with the distinctive searching opportunities for the customers hence making the process easy for gathering the required information. The possibility of applying 5 different search criteria for a precise and thorough search is its distinctive feature.
We can enter the website name spyse.com in the domain name, and it will open the website. The website will provide us with an option to search for our target. We can search for the specific target details that include but not limited to the website address, IP address, etc.
I wrote facebook.com in the search box. We get the results that include many details such as the DNS records, MX records, A records, Domains with same name title, IPv4 with Host with same title etc.
TinEye is an important tool used which falls in OSINT techniques for penetration testing. It is a reverse image search engine, the first of the kind in this domain. We need to find an image which we want to get check on the website, after the processing done by the website, we can see the details such as where it came from and how it was used. Tineye performs the tasks by using the following techniques:
- Image Matching
- Signature Matching
- Watermark Classification
- Database Mapping of the Images
This is the best tool which we can find on the internet for searching reverse image. This tool can help the penetration tester to gather and boost the cyber threat intelligence, gathering more and more information.
The website can be visited entering the domain name tineye.com. We will upload the image which will cross-referenced with the website database.
Firstly, I uploaded my convocation picture and out of 44.6 billion searches, the website didn’t find any suitable match for the uploaded image.
After this, I uploaded an image of a cyber hacker which was downloaded from the google images (google search). The result immediately showed 216 results in 2.1 seconds.
4. The Harvester
The Harvester is a tool used in Linux and is built in Kali Linux which helps in the Open Source Intelligence to find the following:
- Email Address
- Pretty Good Privacy (PGP) key servers
The Harvester has been proved as a powerful tool and eases the process of the initial process of penetration testing. It has been created to be one of the effective, efficient and easy to use tool for the penetration testers. It is supported my many sources for data collection, nameservers, domains, subdomains, pretty good privacy hostnames etc.
We can see in the screenshots below the outlook of the tool the Harvester in Kali Linux. To run this tool, we need to run the command theHarvester in the terminal. As we hit enter, we can see that the tool is running. By typing theHarvester -help, it will provide us with the different options which can be used with this tool.
I used theHarvester to see hostnames, emails and the other subdomain names of the website Microsoft.com and used Bing as my search engine. We can see in the screenshot below little email address and the next screenshot we can see the subdomains gathered by the Harvester. It’s a must tool to if anyone want to learn about OSINT techniques in penetration testing.
Maltego is a built in open source intelligence tool marketed by Paterva in Kali Linux. Maltego has many built in transformations which helps in many critical open source intelligence investigations of different targets at multiple stages.
In order to use Maltego, we have to be registered on the product website that is Paterva website. The account can be created on any device, but it’s better to create where you will use the product.
Java is used to develop Maltego and gathers information from various sources providing graphical results to the user.
To run Maltego in Kali, either we can run it from the applications menu or we can write the command “maltego” in the terminal, it will open the software. Once Maltego is opened, we can see that there are plenty of options to use.
The most basic feature I used in Maltego was of Domain Mapping, I used the domain name of google.com. From the options table, I choose and dropped the name icon on the plain graph surface and wrote google.com in the domain name space and choose what transformation I want to run.
The structure generated by the transformation is very close to the structure of the entity relationship charts. We all can see the following:
- Domain Name System (DNS)
- Website host provider
- Location of the host
All this information is very helpful for the hacker in the initial steps of hacking.
6. Check Usernames
We know that it is a very hard and time consuming process to find the existence of a username without the help of an open source intelligence tool.
Hence, currently, check usernames is the best tool available to gather any username information without wasting any precious time.
The website will recursively search for the usernames from more the hundred and fifty websites at a given point of time. It will help us to determine our victim’s presence on the websites, hence we can start the penetration testing process without any delay.
We logged on the website by entering the domain name checkusernames.com. On the website, we can see the various names from which the website will map our query.
For testing, I entered the username swindle1234. We can see the information details gathered by the website that on what platforms the username is active and on what the username is available. We can start the hacking process for our target.
Penetration testing is one of the core services in the cybersecurity domain. Penetration testers have to work very hard to infiltrate the system and exploit the vulnerabilities. Open Source Intelligence plays a vital role in the collection of information.
With different tools and techniques, the tester can gather intelligence, without the help of these tools, it would have taken them a very long time and follow a tedious process to accomplish the task. The penetration testers now rely on OSINT as it a simplified process to collect the data.