OSINT for Penetration Testers

October 26, 2021

Part of performing an effective penetration test is gathering as much information about the target as possible. The more information you have on your target, the more likely you are to discover an exploitable service or land a successful phish.

For example, through OSINT you may discover that the target is openly advertising a job position, and invites applicants to send a resume through to HR. You craft a document using template injection to pull a C2 beacon from one of your C2 domains and can achieve a foothold on the internal domain by mimicking a job applicant.

Without effective recon, this opportunity is likely to be missed, resulting in an extended period spent attempting to gain an internal foothold.

So how do you go about effective OSINT/recon?

Breach Data

While breach data may not always contain information on your target, or even recent or up-to-date passwords, it can provide valuable information.

For example, it can give an idea of whether users practise sensible account hygiene or register for non-work websites using work email addresses. It can also provide an indication of how users structure their passwords. While “Mary1987” may not be the most recent password, it indicates that a password format of “NameYear” may be suitable for password spraying.

Figure 1 - Checking breach data for potential credentials
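The same observation can be turned into a password-change check on the defending side. The sketch below is an added example, not code from the original article: it rejects candidate passwords that reduce to a term tied to the user followed by a year. The function names, the substitution table and the sample accounts are assumptions made for illustration.

```python
import re

# Character substitutions undone before comparing (assumed shortlist, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# <word><19xx/20xx or two-digit year><optional trailing symbols>
NAME_YEAR = re.compile(
    r"^(?P<word>.+?)(?P<year>(?:19|20)\d{2}|\d{2})(?P<suffix>[^A-Za-z0-9]*)$"
)

def follows_name_year(password, context_terms):
    """Return (term, year) if the password is <context term><year>[symbols], else None.

    context_terms are words tied to the account: first name, surname,
    username, company name and so on.
    """
    m = NAME_YEAR.match(password)
    if not m:
        return None
    # Normalise only the word part so the year digits are left untouched.
    word = m.group("word").translate(LEET).lower()
    for term in context_terms:
        if len(term) >= 3 and word == term.lower():
            return (term.lower(), m.group("year"))
    return None

# Constructed sample: (username, terms tied to the user, candidate password).
CANDIDATES = [
    ("msmith", ["Mary", "Smith"], "Mary1987"),
    ("msmith", ["Mary", "Smith"], "M@ry1987!"),
    ("jdoe", ["John", "Doe"], "Xk9#vQ2!pL"),
    ("tlee", ["Tom", "Lee"], "t0m90"),
]

def rejected(candidates):
    """Return the candidate passwords a change filter should refuse."""
    return [pw for _user, terms, pw in candidates if follows_name_year(pw, terms)]

if __name__ == "__main__":
    for pw in rejected(CANDIDATES):
        print("reject:", pw)
```
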

Social Media

Social media is a good place to identify employees at your target. LinkedIn generally provides a solid list of employee names, along with job titles that can help you land a juicy phish.

Creating a list can be done using JavaScript to print employee names to the console, or you can use the Burp Suite plug-in GatherContacts.

Figure 2 - Creating a list of employees for phishing and password spraying

Social media can also be useful for determining what relationships a business might have with other companies in the same industry that could be exploited, or what technology might be in use that may need to be avoided when you gain an internal foothold.

DNS Records

DNS records can also reveal a large amount of information regarding potential targets and remote entry points such as VPN or RDP gateways. In addition, with a lot of organisations moving to cloud platforms, they can also help identify issues such as subdomain takeovers (they still very much exist in 2021!).

Figure 3 - DNS record lookup using the dnsrecon tool (not stealthy)

One thing you should be wary of with DNS is that it can be noisy if you start querying the organisation's DNS servers directly, so depending on how stealthy you need to be, this may need to be done via historical DNS records and/or certificate transparency lookups.
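For the subdomain takeover issue mentioned above, an organisation can review its own zone for CNAME records that point at cloud hostnames it no longer holds. The following is an added example, not part of the original article: it parses a constructed zone export and compares CNAME targets against a constructed inventory of provisioned resources. The suffix shortlist, zone contents and function names are assumptions.

```python
import re

# Third-party hosting suffixes to review (assumed shortlist; extend for your providers).
CLOUD_SUFFIXES = (".azurewebsites.net", ".cloudapp.net", ".s3.amazonaws.com",
                  ".github.io", ".herokuapp.com")

# Constructed sample zone export for example.com.
ZONE_EXPORT = """\
; example.com zone (constructed)
www      3600 IN CNAME  example-prod.azurewebsites.net.
promo    3600 IN CNAME  example-promo2019.azurewebsites.net.
assets   3600 IN CNAME  example-assets.s3.amazonaws.com.
vpn      3600 IN A      192.0.2.10
mail     3600 IN CNAME  mail.example.com.
"""

# Constructed inventory of cloud hostnames the organisation currently has provisioned.
INVENTORY = {"example-prod.azurewebsites.net", "example-assets.s3.amazonaws.com"}

# name [ttl] [IN] CNAME target
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.IGNORECASE)

def cname_records(zone_text):
    """Yield (name, target) for each CNAME line, ignoring ';' comments."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = RECORD.match(line)
        if m:
            yield m.group(1), m.group(2).rstrip(".").lower()

def unowned_cloud_cnames(zone_text, inventory):
    """Return CNAMEs whose cloud-hosted target is missing from the inventory."""
    owned = {host.lower() for host in inventory}
    return [(name, target) for name, target in cname_records(zone_text)
            if target.endswith(CLOUD_SUFFIXES) and target not in owned]

if __name__ == "__main__":
    for name, target in unowned_cloud_cnames(ZONE_EXPORT, INVENTORY):
        print(f"review: {name} -> {target} (not in inventory)")
```

Records flagged here are candidates for removal or re-provisioning; the check runs entirely on the organisation's own data and sends no DNS queries.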


A number of tools exist that can automate some of this reconnaissance. During a time-limited penetration test these can be quite valuable, as they allow you to work on other tasks while the information is gathered.

  • theHarvester - Almost a one-stop shop for reconnaissance and OSINT gathering. The tool can perform lookups using a number of different services, generating employee lists, lists of hosts, interesting files etc. Be aware that a majority of actions performed by theHarvester will touch the target, so may not be suitable for all tests.
  • dnsrecon - This tool will do all the DNS reconnaissance required to enumerate subdomains. By default, it will use the target’s own nameservers, but you can specify which to use, and it can also look up via certificate transparency logs, check for zone transfers etc.
  • Fierce - DNS brute force tool, capable of performing reverse DNS queries. Noisy, so only useful on penetration tests where stealth doesn’t matter.
Figure 4 - fierce in action
  • Hunter.io - Hunter.io is a useful tool for gathering target email addresses from around the Internet. The free tier limits the number of results returned but does give you an idea of how email addresses are formatted to create your own list from people enumerated through other sources. Paid tier does allow full results and the ability to download a CSV file.
  • Shodan.io - Shodan can be useful for enumerating open services on target IP addresses without the need for active port scanning. Free tier allows you some use of the API such as domain, CIDR etc. but does have a limited number of daily queries.
Figure 5 - shodan interface