---
title: "Step 9: Open Source Intellegence
---Social engineering is where the attacker attempts to manipulate a human target to complete an attack, rather than using a technical approach. Like all other forms of cyber attack they rely on having a good understanding of the target to succeed.
Reconnaissance (or recon) is the initial step of any security audit. During the recon process a hacker will attempt to gather as much information as possible on the target network, and the people who use it. In this session we are going to look are recon techniques for the human element, and examine how much information we leave about ourselves on the internet.
Open Source Intelligence
Open Source Intelligence (OSINT) makes use of publically available information to build a picture of a target.
Information on Individuals can be found from a few different sources
- Social media accounts
- Forum / blog posts
- Organisational affiliations
- Potential passwords from other leaks
This sort of personal information can be a goldmine: hobbies and interests can help us shape potential passwords; Social media gives us a better handle on what kind of person we may be targeting. Again this can help us to target any phishing attack for a greater chance of success.
Having established how useful gathering information on the human element of an organisation is, the next questions is 'How do we get this information?'
Tools for OSINT
When it comes to tools for OSINT, there is no specific tool that can be used for everything. Instead, we rely on collecting information from a wide range of sources to help us draw our conclusions. I like to think of this as the bit in a detective drama, where they put maps, photos, and pieces of information on a whiteboard, with bits of string linking everything together.
Google Hacking
A Search Engine is usually our first point of call. Google puts a huge amount of effort into finding and indexing information that is available on the web.
As well as the standard google search, we can use the advanced search to help narrow our data down.
The advanced search gives us a lot of scope to filter the results. (Note, we can these filters outside of the "Advanced Search", using a keywords. I have included a link to a cheatsheet below)
These options give us much greater control over the results we gather. for examine limiting the search to a specific website, and searching for filetypes. For example, searching for me "Dan Goldsmith" may return a lot of false positives, highlighting the search results to those from "coventry.ac.uk" should return more relevant results.
Social Media
There are a huge number of social media platforms, and trawiling them for relevant information on our target would be a difficult task. Fortunately for us, both Intel Techniques and Qwarie have collected and categorised tools for all manner of OSINT; for discovering information from email addresses to social media profiles.
Searching For more information
There are a huge number of tools available for OSINT. It's beyond the scope of this course to discuss each of them. However, I hope that the examples above have given you some ideas on how, with some targeted searching, we can take a small amount of public information and discover a lot.
The next step is a practical activity using OSINT tools to see what information you can discover about yourself.