
OSINT: Open Source Intelligence in Cybersecurity

OSINT (Open Source Intelligence) Explained: How attackers and penetration testers use publicly available information, what tools are used, and how companies can reduce their OSINT attack surface.


Before an attacker executes a single line of exploit code, they often spend hours researching their target—using only publicly available information. OSINT is the art of extracting actionable intelligence from freely available sources. What intelligence agencies have been using for decades is now standard practice in every penetration test and every professional attack.

What is OSINT?

OSINT (Open Source Intelligence) refers to the systematic collection and analysis of information from publicly available sources. "Open source" here does not mean open-source software, but rather publicly accessible information—in contrast to traditional intelligence gathered from secret sources.

OSINT sources include:

  • Websites, social networks, forums
  • Public registries (commercial registries, WHOIS, certificate logs)
  • News and press releases
  • Technical databases (Shodan, Censys, Pastebin)
  • Leak databases (Have I Been Pwned, Dehashed)
  • Job boards and job postings
  • Government publications and patent databases

Why OSINT in Cybersecurity? OSINT is the first phase of every attack and every professional penetration test. The quality of the information gathered determines how targeted and effective the subsequent attack phases will be.

OSINT from an attacker’s perspective

What interests an attacker?

Technical infrastructure:

  • IP address ranges, domains, subdomains
  • Software versions in use (metadata, HTTP headers, Shodan)
  • Open ports and services
  • SSL certificates (subdomain enumeration via crt.sh)
  • DNS records (MX, TXT, SPF, DMARC)
  • Cloud providers and CDN configurations

Employee data:

  • Names, positions, email addresses (LinkedIn, Xing, website)
  • Derive email format (vorname.nachname@firma.de)
  • Employees in IT departments, Finance (BEC targets)
  • Technologies employees are familiar with (job postings, GitHub)

Organizational Information:

  • Organizational chart structures
  • Suppliers and partners (supply chain attack)
  • Current projects and events (phishing pretext)
  • Financial situation (extortion targeting)

Technology Stack:

  • Job boards reveal which technologies are used internally
  • GitHub repositories of employees containing internal company code
  • Misconfigurations in publicly accessible APIs

Passive vs. Active OSINT

Passive OSINT vs. Active OSINT:

  • Definition: Passive: obtaining information from third parties (no direct interaction with the target). Active: direct interaction with target systems.
  • Examples: Passive: Shodan, crt.sh, WHOIS, LinkedIn. Active: DNS zone transfer, SMTP verification, port scan.
  • Detectability: Passive: very low, no logs on the target. Active: potentially visible in firewall/IDS logs.
  • Use in penetration testing: Passive: always (no authorization required). Active: only with explicit authorization.

Important OSINT Tools and Techniques

Domain and Subdomain Enumeration

crt.sh: Certificate Transparency logs show all TLS certificates ever issued for a domain—including subdomains that are otherwise not publicly known.

# All subdomains of example.com via crt.sh ("%25" is the URL-encoded "%" wildcard)
# name_value can hold several names separated by newlines; jq -r prints them one per line, sort -u deduplicates
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u
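As an added example (not from the original article), a small Python parser for the JSON that the crt.sh query above returns; the sample response is constructed to show the cases the one-liner does not handle: several SANs in one name_value field, mixed case, wildcard entries, and look-alike names outside the domain. Only fetch_crtsh touches the network, and it is not run by default.

```python
import json
import urllib.request

# Constructed sample in the shape crt.sh returns for ?q=%25.example.com&output=json:
# one object per certificate, all SANs in name_value separated by "\n".
SAMPLE_CRTSH_JSON = """[
 {"common_name": "www.example.com", "name_value": "www.example.com\\nexample.com", "not_after": "2027-01-01T00:00:00"},
 {"common_name": "*.example.com", "name_value": "*.example.com\\nexample.com", "not_after": "2026-06-01T00:00:00"},
 {"common_name": "old-vpn.example.com", "name_value": "old-vpn.example.com", "not_after": "2021-03-01T00:00:00"},
 {"common_name": "Admin.Example.com", "name_value": "Admin.Example.com\\nstaging.example.com", "not_after": "2026-12-31T00:00:00"},
 {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test", "not_after": "2026-12-31T00:00:00"}
]"""


def in_scope(name: str, domain: str) -> bool:
    """True for the domain itself and any subdomain; rejects look-alikes such as example.com.evil.test."""
    return name == domain or name.endswith("." + domain)


def parse_crtsh(json_text: str, domain: str) -> list[str]:
    """Flatten crt.sh JSON into a sorted, de-duplicated list of in-scope hostnames."""
    hosts = set()
    for entry in json.loads(json_text):
        # one certificate can cover several names; crt.sh joins them with a newline
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower()          # DNS names are case-insensitive
            if not name or name.startswith("*."):
                continue                        # wildcards are not resolvable hosts
            if in_scope(name, domain):
                hosts.add(name)
    return sorted(hosts)


def fetch_crtsh(domain: str) -> str:
    """Live lookup (network access); same URL as the curl one-liner above."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # replace SAMPLE_CRTSH_JSON with fetch_crtsh("example.com") for a real inventory
    for host in parse_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The resulting list is the starting point for Step 1 of the self-check further below: every name that is not in your own inventory is a forgotten or undocumented host.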

Subfinder / Amass: Automated subdomain enumeration from hundreds of sources.

WHOIS: Domain owner information (often hidden behind privacy proxies, but historical WHOIS data often remains accessible).

Shodan - the search engine for the Internet of Things

Shodan indexes the entire internet for open ports and services. Searches like:

org:"Company GmbH" port:3389          → Company's RDP server
org:"Company GmbH" http.title:"Login"  → Web login pages
org:"Company GmbH" vuln:CVE-2021-44228 → Log4Shell-vulnerable server

Censys and Fofa offer similar features with different strengths.

Employee OSINT

LinkedIn / Xing:

  • Complete list of employees with positions
  • Technologies from experience sections
  • Current projects and events
  • Connections to suppliers

Hunter.io / Apollo.io: Email patterns and addresses for company domains.

GitHub:

# Search for company code on GitHub
site:github.com "company.de" password
site:github.com "company.de" api_key

Alarmingly common: Employees commit API keys, passwords, and internal URLs to public repositories.

Breach Intelligence

Have I Been Pwned (HIBP): Checks whether email addresses appear in known data breaches. The paid domain API allows queries for all addresses within a domain.

Dehashed / LeakCheck: Advanced breach search using password hashes and plaintext passwords from leaks.

From an attacker’s perspective: Found credential pairs are tested directly against the company’s VPN, webmail, and cloud services (credential stuffing).

Google Hacking / Google Dorks

Advanced Google search queries to find sensitive information:

site:company.com filetype:pdf confidential
site:company.com intitle:"index of" passwd
site:company.com ext:env OR ext:bak OR ext:config
"company.com" intext:"password" filetype:log

The Google Hacking Database (GHDB) on Exploit-DB collects thousands of proven dork patterns.

Maltego - Graphical OSINT Analysis

Maltego visualizes connections between OSINT data as a graph: Domains → IP addresses → Emails → People → Companies. Enables quick identification of complex relationships.

Social Media OSINT

Twitter/X, Mastodon, Instagram: Locations (geotagging), current activities, professional information.

theHarvester: Automated collection of email addresses, subdomains, hosts, and open ports from multiple public sources.

OSINT in Penetration Testing

In a professional penetration test, the reconnaissance phase using OSINT methods is always the first step:

Typical reconnaissance outputs:

Discoveries:
├── Infrastructure
│   ├── 47 subdomains (12 of which are unknown/undocumented)
│   ├── 3 IP ranges (1 cloud instance without WAF protection)
│   └── Outdated software versions on admin.company.de (Apache 2.4.49, vuln: CVE-2021-41773)
├── Employees
│   ├── 240 LinkedIn profiles, including 18 IT employees
│   ├── Email format confirmed: vorname.nachname@company.de
│   └── 3 employees involved in recent data breaches (HIBP check)
├── Technologies (from job postings)
│   ├── Active Directory (Kerberoasting candidate)
│   ├── FortiGate VPN (model known from forum post)
│   └── SAP ERP (from XING profiles)
└── Code leaks
    └── GitHub: internal config file with DB credentials (2023, still active?)

This information guides all subsequent testing phases—and often reveals the most critical attack vectors even before a single exploit has been executed.

OSINT Against Your Own Company

Defensive OSINT / Attack Surface Management (ASM): Companies should regularly assess themselves from an attacker’s perspective:

OSINT Self-Check: What Does an Attacker See?

Step 1: Domains and Subdomains

  • Query crt.sh for your own domain
  • Check all found subdomains for accessibility and currency
  • Identify forgotten, outdated, or unknown domains

Step 2: Shodan Check

  • What does Shodan see for your own IP ranges?
  • Are unexpected services exposed?
  • Which software versions are visible?

Step 3: Email Security

  • Are DMARC, SPF, and DKIM configured correctly?
  • Check MX records for suspicious configurations

Step 4: Employee Exposure

  • Check LinkedIn profiles for excessive technical details
  • Search GitHub for company code and secrets

Step 5: Breach Check

  • HIBP domain check for all company emails
  • Immediately reset compromised credentials

Step 6: Google Dork Search

  • Are sensitive files publicly accessible?
  • Are internal pages indexed?
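An added example (not part of the original article) for Step 3 of the self-check: a checker that evaluates already-resolved SPF and DMARC TXT records for the weak settings an attacker looks for (+all or ?all, p=none, missing aggregate reports, too many DNS lookups). The records are constructed sample data, not those of a real domain; resolving them live (for example with dig) is left to the reader.

```python
import re

# Constructed sample DNS TXT answers, as returned by `dig +short TXT <name>`.
# Not real records; the weak settings are deliberate so the checks fire.
SAMPLE_TXT = {
    "example.com": [
        "google-site-verification=constructed-token",
        "v=spf1 include:_spf.example.net include:mail.example.org ip4:203.0.113.0/24 +all",
    ],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}
# SPF terms that each consume one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "redirect"}

def mechanism_name(term: str) -> str:
    """'include:_spf.x' -> 'include', '+mx/24' -> 'mx', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def check_spf(txt_records: list[str]) -> list[str]:
    """Findings for a domain's SPF record (empty list = nothing to report)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record, senders are not restricted at all"]
    if len(spf) > 1:
        return ["SPF: multiple v=spf1 records, receivers treat this as permerror"]
    findings, terms = [], spf[0].split()[1:]
    all_term = next((t for t in terms if mechanism_name(t) == "all"), "")
    if all_term in ("", "all", "+all", "?all"):
        findings.append(f"SPF: '{all_term or 'all missing'}' gives no protection, use -all")
    elif all_term == "~all":
        findings.append("SPF: ~all (softfail) only works together with DMARC p=quarantine/reject")
    if sum(mechanism_name(t) in LOOKUP_MECHANISMS for t in terms) > 10:
        findings.append("SPF: more than 10 DNS lookups, evaluation ends in permerror")
    return findings

def check_dmarc(txt_records: list[str]) -> list[str]:
    """Findings for the _dmarc.<domain> record."""
    rec = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not rec:
        return ["DMARC: no record, spoofed mail is neither rejected nor reported"]
    tags = dict(kv.strip().split("=", 1) for kv in rec[0].split(";") if "=" in kv)
    findings = []
    if tags.get("p", "").lower() == "none":
        findings.append("DMARC: p=none only monitors, move to p=quarantine or p=reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not collected")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return findings

def email_security_check(domain: str, txt: dict) -> list[str]:
    """Step 3 of the self-check: evaluate SPF and DMARC from already-resolved TXT records."""
    return check_spf(txt.get(domain, [])) + check_dmarc(txt.get("_dmarc." + domain, []))

if __name__ == "__main__":
    for finding in email_security_check("example.com", SAMPLE_TXT):
        print(finding)
```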

Measures to Reduce OSINT Attack Surface

Technical:
☐ Maintain subdomain inventory and close forgotten subdomains
☐ Use robots.txt and noindex for internal tools
☐ Remove software version numbers from HTTP headers
☐ Set up Shodan alerts for your own IP ranges
☐ Use an ASM tool (Censys, Recorded Future, SecurityScorecard)

Organizational:
☐ GitHub guidelines: No company code in public repos
☐ LinkedIn guidelines: No internal system names in profiles
☐ Job postings: Do not disclose the technology stack in unnecessary detail
☐ Regular HIBP domain check (quarterly)

Is OSINT legal? Collecting publicly available information is generally legal—provided that:

  • No technical protective measures are circumvented (Section 202a of the German Criminal Code)
  • No personal data is processed in an unlawful manner (GDPR)
  • Explicit written authorization is obtained for penetration tests

GDPR Gray Area: The systematic collection and aggregation of personal data from public sources may still be subject to GDPR if it results in a personal profile.

Penetration Tester Practice: Professional penetration testers document their OSINT activities in detail and remain within the scope of the written authorization.

Conclusion

OSINT is the foundation of every serious attack and every professional security test. The bad news: For most companies, the attack surface created by OSINT is larger than expected. The good news: With regular OSINT self-checks, clear guidelines for employees, and attack surface management, exposure can be significantly reduced—before an attacker uses this information against the company.



About the Author

Vincent Heinen

Head of Offensive Services

M.Sc. in IT Security with more than 5 years of experience in offensive security analysis. Leads the execution of penetration tests with a specialization in web applications, network infrastructure, reverse engineering and hardware security. Responsible for several responsible disclosures.

OSCP+ OSCP OSWP OSWA
This article was last edited on 03.03.2026. Responsible: Vincent Heinen, Head of Offensive Services at AWARE7 GmbH. License: CC BY 4.0 - free use with attribution: "AWARE7 GmbH, https://a7.de"
