OSINT Footprinting Cheat Sheet
Introduction
This cheat sheet provides a step-by-step methodology, tools, and techniques for effective OSINT-based reconnaissance.
What is OSINT?
OSINT stands for Open Source Intelligence. It is essentially passive reconnaissance using publicly available information. It can include some legal active recon, such as contacting the target via email or a forum, but many people use the two terms almost interchangeably.
Methodology Overview
We start from the outer layer (infrastructure), move inward to host-based enumeration, and finish with OS-based enumeration.
1. Infrastructure-Level Enumeration
Focus on understanding the target’s network, domain registrations, IP ranges, and dependencies.
Techniques and Tools
DNS Enumeration: Fetch all DNS records for a domain:
dig example.com ANY
Find subdomains:
sublist3r -d example.com
amass enum -d example.com
Reverse DNS lookup for an IP:
dig -x <IP>
Whois Lookups: Retrieve domain registration details:
whois example.com
Tools for automation: RDAP, WhoisXML.
IP Address and ASN Mapping: Identify IP ranges and ASNs with:
curl https://api.ipinfo.io/<IP>
Online tools: BgpView, Hurricane Electric.
SSL/TLS Analysis: Check SSL certificates for subdomains:
curl -s https://crt.sh/?q=example.com | grep example.com
Tools: SSL Labs, sslscan.
Extract the unique subdomains from the JSON output:
curl -s https://crt.sh/\?q\=example.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u > subdomain.txt
Identify the hosts that aren’t hosted by third-party providers (write the result to a separate file; redirecting back into subdomain.txt truncates it before the loop reads it):
for i in $(cat subdomain.txt); do host $i | grep "has address" | grep example.com | cut -d" " -f1,4; done > subdomain-hosts.txt
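The shell pipeline above works, but it is fragile: crt.sh packs several names into one newline-separated name_value field, returns wildcard entries, and can return names that merely contain the search string. The following script is an added example (not part of the original cheat sheet) that does the same extraction offline over a constructed crt.sh-style JSON sample; the function and file names are assumptions, and the real input comes from https://crt.sh/?q=example.com&output=json piped into it.

```python
"""Parse crt.sh JSON output into a deduplicated list of in-scope subdomains.

Added example for the cheat sheet. It keeps only names equal to the target
domain or ending in ".<domain>", strips wildcard prefixes, lowercases names
and splits the newline-separated name_value field. Run it with:
    curl -s 'https://crt.sh/?q=example.com&output=json' | python3 crtsh_subs.py example.com
"""
import json
import sys

# Constructed sample of what crt.sh returns (only the fields used here).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nmail.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "dev.example.com",
     "name_value": "DEV.example.com\nstaging.example.com\nnot-example.com"},
    # A substring match that is out of scope and must be dropped.
    {"issuer_name": "C=XX, O=Unrelated CA",
     "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},
])


def extract_subdomains(crtsh_json: str, domain: str) -> list[str]:
    """Return sorted, unique hostnames that belong to `domain`."""
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for entry in json.loads(crtsh_json):
        # name_value holds every SAN of the certificate, one per line.
        names = entry.get("name_value", "").split("\n")
        names.append(entry.get("common_name", ""))
        for name in names:
            name = name.strip().lower()
            if name.startswith("*."):
                # A wildcard cert only proves the base label exists.
                name = name[2:]
            if name == domain or name.endswith(suffix):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRTSH_JSON
    for host in extract_subdomains(data, target):
        print(host)
```

Suffix matching with a leading dot is what separates in-scope hosts from look-alikes such as example.com.evil.test or not-example.com, which a plain grep for the domain would keep.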
Cloud Tools: Domains.glass, GrayHatWarfare.
2. Host-Based Enumeration
Focus on identifying specific systems and their running services.
Techniques and Tools
Service Identification: Find exposed services using Shodan:
shodan search "hostname:example.com"
Or look up the hosts from the local subdomain list:
for i in $(cat subdomain.txt); do host $i | grep "has address" | grep example.com | cut -d" " -f4 >> ip-address.txt; done
for i in $(cat ip-address.txt); do shodan host $i; done
Search for vulnerable services on Censys:
censys search "80.http.get.headers.server: Apache"
Passive Port Scanning: Query known public databases. Tools: GreyNoise, Onyphe.
Metadata Extraction: Extract metadata from public files:
exiftool document.pdf
Use FOCA for bulk metadata analysis of publicly hosted documents.
Vulnerability Search: Identify vulnerabilities in exposed services:
searchsploit apache 2.4.49
Online tools: Exploit-DB, Vulners.
3. OS-Based Enumeration
Identify operating systems on specific hosts using public information. Note that this is considered active recon, though it’s legal as long as the target domain is public.
Techniques and Tools
Web Application Fingerprinting:
Analyze technologies to infer the OS:
Tools: BuiltWith, Wappalyzer.
Metadata Analysis: Check document metadata for OS mentions:
exiftool *.docx
Other Techniques
Search Public Git Repositories:
Look for sensitive files (e.g., docker-compose.yml):
github-dorks "org:example filename:docker-compose.yml"
Search Social Media: Gather technical insights from employee posts.
LinkedIn: Use Hunter.io or Socilion.
Twitter: Use Twint or Social Bearing.
You can find many other tools for other social media from OSINT Framework.
Passive DNS History: Use Passive DNS services.
Tools: PassiveTotal, SecurityTrails.
Chain of Custody
For the gathered data to be admissible in court, you must keep track of the chain of custody. This means you must log:
Who collected it.
How and when it was collected.
How it was stored and accessed.
Who has had control of it at any given time.
The log itself must also be forensically sound, with no possibility of tampering.
Logging and Reporting
Tools:
Hunchly
Forensic-grade, web-based data capturing.
Anti Tamper
I made this tool to make files tamper-evident. Note that this doesn’t meet strict forensic requirements.