PenTest: OSINT on Pentest Targets - Pentestmag

PenTest: OSINT on Pentest Targets





Dear PenTest Readers,

In this month’s edition we focus on the role of OSINT in penetration tests. Well-performed research and reconnaissance on your target can save you a lot of time and effort in achieving your aim.

All the contributors did a magnificent job with their articles, so the issue is a great compendium for the best understanding of open-source intelligence and its meaning for cybersecurity. While reading you will start a fascinating journey with numerous tools, techniques, and various out-of-the-box approaches to OSINT in the penetration testing context. As one of the authors - Aaron Roberts - states in his article, “OSINT is an art-form when it comes to cybersecurity, and understanding how to maximise its value will aid not just intelligence professionals, but pentesters, Security Operations Centre (SOC) analysts and vulnerability managers.”

Let’s take a closer look at what's inside the issue!

Our OSINT edition opens with an article written by Eva Prokofiev. The author presents an excellent guide on how to use OSINT in your pentests efficiently, and how to refine your searches, as new tools and methods are appearing constantly. What is important, the article discusses not only technical details, but also puts emphasis on understanding the data that you’re working on and out-of-the-box thinking. 

Aaron Roberts contributes a summary of OSINT tools, some of them widely used, others less known but really interesting anyway. A must-read for everyone who is looking for a proper OSINT toolbox!

Raymond Musumba examined OSINT and explored the role it plays in both personal and professional aspects. Additionally, he discussed some tools and techniques that can be used to gather information from public sources, as well as the potential danger of the same information falling in the hands of cybercriminals.

Ygor Maximo describes and goes through an OSINT engagement focused on gathering information about high profile employees (VIPs) within a given company, such as executives, board of directors, etc., in a way that the collected data could be used for Red Team exercises.

Ensar Seker focuses on explaining the methodologies for OSINT in the pentesting process with a practical tutorial, presenting various research methods, along with a list of recommended tools for your own practice.

Jhansi Jonnakuti, Priyanka Boodidhi, and Joyce Munigety prepared a detailed tutorial on using one of the OSINT tools - Spyse. The article gives you an insight into the key features of this innovative tool for information gathering. 

If you are looking for an explanation of how you can mitigate OSINT, Jeremy Walker suggests eliminating passwords as one of the possible methods, presenting interesting real-life scenarios.

As usual, you will read articles not only related to the main topic, but to various cybersecurity tutorials, walkthroughs, and discoveries. Dor Amit contributed an interesting presentation on remote access solutions, Marlon Fabiano showed how he identified a great bug in Microsoft’s payment method in his step-by-step case study, and - last but not least - Sk Saifullah Dabir brought in an interesting walkthrough of a Hack the Box retired machine.

Table of Contents

OSINT for Pentesting

by Eva Prokofiev

During penetration testing, pentesters have to work with large amounts of information. Finding this information can be done using manual command-line methods. Doing it manually can take up lots of time as you’d also have to sort this data by yourself because it might not be in a preferable format. The second option is relying on open-source intelligence, or OSINT, which is the go-to method for most pentesters nowadays.

Utilising OSINT Tooling for Penetration Testing

by Aaron Roberts

For this article, I want to cover some of my favourite OSINT tools that I think could help professional pentesters with their reconnaissance of a target. These tools will assist with both the infrastructure you’re trying to access and the tidbits of information that you can glean from employees for future social engineering opportunities, making life more straightforward once you either get to the client site (in a post-COVID world, of course) or start your various phishing/vishing/smishing campaigns from afar.

Leveraging Open-Source Intelligence (OSINT) in Proactive Cyber Defence

by Raymond Musumba

Open-source intelligence plays a critical role in our daily lives as technology continues to advance and our traces on the internet continue to grow. We examined OSINT and explored the role it plays in both personal and professional aspects. Additionally, we discussed some tools and techniques that can be used to gather information from public sources, as well as the potential danger of the same information falling in the hands of cybercriminals. Finally, we explored a few use cases to understand how OSINT tools and techniques can be leveraged to proactively secure information assets.

Leveraging VIPs Attack Surface Through OSINT

by Ygor Maximo

A mind map is a vital resource usually used by analysts and researchers on their OSINT engagements or investigations. It helps them organize their thoughts, actions, and decisions as to what directions to follow among the sea of data that they will probably find themselves in. This tool basically tries to materialize the abstract aspect of the human mind when it comes to ideas and organization of thoughts. There are several tools like this freely available to download. This article recommends the usage of XMind, specifically.

OSINT in a Pentesting Process

by Ensar Seker

Collecting OSINT is also less expensive than other forms of information. Although a range of open-source resources is available in the intelligence community, Google, as most know it, is a search engine. The attacks on targets by social engineers are often seen as a form of active knowledge collection. In some cases, critical information, such as user accounts to be obtained from paste sites, administrator accounts, or database connection information, can be discovered via OSINT and with such information, the rest of the pentest steps can be skipped all the way to the end.

SPYSE: a Pentester’s OSINT Tool Ready for Advanced Research


by Jhansi Jonnakuti, Priyanka Boodidhi, and Joyce Munigety

Our main focus in this article is on the initial stage, common intelligence gathering, which includes discovering a person’s/organization’s digital footprint and performing digital investigations for penetration testing. The most problematic thing is gathering information from multiple resources/pages about the target within the organization/project. With this mode, Spyse caught the eye of pentesters for an advanced and innovative approach of information gathering. There are many tools that are helpful but without knowing its importance it would do no good to the users. So, in this article I would like to give a clear idea of Spyse and its key features. Still thinking? Give it a try!

Mitigating OSINT by Eliminating Passwords

by Jeremy Walker

My attacks were moderately low tech. However, I leveraged OSINT to exploit the human element rather easily. No great level of effort or sophistication was necessary. Leveraging even small amounts of OSINT data allows attackers to gain enough information to seem familiar and manipulate people based on feelings. Based on some of the OSINT methods we have seen in other articles, hackers have the strategic advantage over people. Even basic OSINT powered methods are very effective, so how can average users be expected to discern a sophisticated and well thought out OSINT based social engineering attack - they cannot.

Remote Access Solutions

by Dor Amit

We are entering a new era with the Corona reality; organizations are forced to change their working paradigm, and one of the major changes is moving the workforce from on premise to remote connectivity. This type of change, especially when done on a large scale in a short period of time, introduces some challenges, since the existing remote access models that worked fine for a limited pre-defined scope may not be as efficient nor secure. So let's go over traditional remote access solutions and identify the bottlenecks and gaps that may lead eventually to security breaches and operational overhead.

Microsoft Vulnerabilities

by Marlon Fabiano

Microsoft has an extensive Bug Bounty program. I have already participated a few times and received some acknowledgements on the MSRC (Microsoft Security Response Center) portal, so I identified a great bug in Microsoft's payment method. A failure that allowed me to buy products from the store and not pay anything for it.

Poison - Hack the Box Walkthrough

by Sk Saifullah Dabir

With this Poison HTB walkthrough, you will learn Log Poisoning, SSH Tunneling/Port forwarding, and using VNC for privilege escalation techniques. This article is a part of our regular section of walkthroughs on Hack The Box retired machines.



© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023