In the last step we looked as searching through publicly available information, to discover more about our target. This process is usually called OS-INT (Open Source Intelligence)

OS-INT Walkthgough

Let's walk through the approach a hacker may take as part of an Phishing attack on an organisation.

Our first task is to identify the people that we might be interested in. A good way to do this is to make use of any "staff directory" on the company website. Many organisations publish staff names, email addresses and telephone numbers on their homepage.

Let's use Coventry University as an example:

Here we can identify:

• Names of members of staff
• Email addresses
• Job Titles

Sometimes, the organisation may not have a public staff directory. In this case, there are third party sites such as http://www.data.com that may help.

Digging deeper

Having identified the people we are interested in, we could start to look for more information based on things like their work email. Let's dig a little deeper using myself (aa9863@coventry.ac.uk) as an example.

Our first step may be a simple google search.

Again, you can see that we identify several university-related sites (such as the pure portal where research articles are published) as well as associations between me and other colleagues.

NOTE: We could go a lot further with google than a simple email search. However, for this example we will take a more focused approach

Digging even deeper

We can now start using the information we have identified to search relevant forums, message boards and social media to discover more about our target. For example, we can take a look at GitHub to try to find any information about our target user.

NOTE: This is an interesting one. Coventry University has a private group on github.com, so if you are logged in with a university email address, then you may get slightly different results. For this example I logged out to see what information I can find.

If we visit the main GitHub page https://github.com and search for aa9863 we get no results.

However, GitHub doesn't tend to use emails as usernames. Let's cast our net a little wider and take a look for anything to do with Coventry University, then try to narrow things down again.

After a search for Coventry university we discover the Coventry University group. We can further refine the search using the term "hacking", based on my job title.

We find a repo called "The Hitchhikers Guide to Ethical Hacking", and looking at the contributors we can discover our targets github username (@djgoldsmith). From here we can start to dig into other public repositories this user has. Additionally, we can start to make a guess at the username for other sites, as people tend to keep the same online persona. Finally, we can also make a guess at some hobbies and interests; given the name of the repository, it's likely one of the authors is a Douglas Adams fan.

Remaining ethical

This part is important. While this information is all publicly available, it is important to remember that we are "ethical hackers". Performing this kind of OS-INT on a target that is not aware of the process is considered bad form. Please consider permission, before using any of the tools and techniques described.

Your task

🕑 _{60 minutes}

Take a look at google and both of OS-INT websites below, examine the tools and >see what kind of information you can find about yourself.

• https://inteltechniques.com
• https://www.uk-osint.net

Tell us what you find out in the comments:

• What was the most interesting piece of information you found?
• What tool impressed/scared you the most?
• Are there any other tools you can find apart from the two above?