Exploiting Public Information for OSINT 2023
Today we will learn about Exploiting Public Information for OSINT in this article.
Introduction about Exploiting Public Information for OSINT:
Open source intelligence is the act of finding information using publicly available sources; for example, these resources can be anything; newspapers, business directories, annual reports, etc. And the scope of OSINT is not limited to the Internet. The main responsibility of an OSINT professional is to connect the dots (data obtained from many sources) which seems difficult and time consuming only if we don’t have automated tools and scripts.
Search engines always play a significant role in finding relevant information; thanks to advanced operators and query management. In addition to search engines or a passive connection, the attacker sometimes needs to establish an active connection to the target; in this article we will discuss many tools, tools that use both active and passive techniques to find information about a company, a person and even a product.
People finder
Sometimes you want to find out details about a person, this person may belong to the organization you are investigating, it may be the CEO, director or any other key player who may contribute to the potential damage of that particular organization. No matter what the goals are, you can always use a people finder to find details about a person. A quick search on yatedo.com reveals an employee profile:
Related article:The Hacker Methodology 2023

Following are the steps that can be used to get information about the employees of any organization.
Step 1: Prepare a staff list; LinkedIn, Xing, Yatedo, and other professional networking sites help with staff list preparation.

Use Linkedin’s powerful feature to filter your search results; Figure 2 shows that there are currently 87 individuals working at the Infosec Institute. List all employees with their industry, job function, and seniority level, as this information helps launch the attack, and fortunately, all of this information is available on LinkedIn. Wait a minute; LinkedIn restricts access based on previous search history and connection level.

A premium account is a solution, but it’s not the only solution. The image above shows that even limited access provides enough information to create a Google dork and gain access to a public profile:

And it lets you in, using a private window or logging in with a different account always help:

Step 2: Once the basic information is identified, gather it and select the key players (depending on your goal, you can target the HR person to get more information about the individual, or you can target the marketing manager to help them launch the next campaign). After identifying the key players, try to find their personal information:
- Full name
- Education and work history
- Email, phone number and physical address
- Family and relationships
- interests and hobbies
You need to understand the life your target lives, what they do, when and who they go out with, their daily routine and weekend schedule. Social networking websites do the majority here; you can get education and work history from Linkedin; while interest, hobbies, family and relationship can be seen on Facebook and Twitter.
Spock.com Result:

It shows where you live, employer name and possibly contact information. Let’s dig deeper, here is someone who travels a lot and has lived in many places, works somewhere and has relationships (husband and kids).

A manual way of verifying the detail of the relationship is to actively monitor the social network profiles of the target and his relatives. Pipl.com also provides detailed information about the profile you are looking for:

A directory-based attack can be launched to guess email addresses, for example an attacker contacts an employee and obtains the email addresses of other employees; the trick of social engineering is at work here. Once it understands the pattern, it can guess the rest of the email addresses. For example, the use of first and last names seems to be a common practice in organizations; [email protected]
Use an Excel sheet to automate the task:

Formula: =CONCATENATE(firstname,”.”,lastname,”@”,domain) (replace first name, last name and domain with their respective column ID).
The next step is to verify the details, manually checking the mail server working, but the services like emailhunter execute the job efficiently:

However,

Get the premium account and upload the list harvested before, the tool will give you the output with the correct email addresses.
This service not only verifies the email, but it also discovers them with the pattern.

A simple query on Google search shows 100 email addresses per page:

Spammers also use the same techniques to scrape the email addresses from search engine, but getting the random email addresses is not the objective, so let’s tweak it a little:

Plain text email, bug, but the attacker gains an advantage. To name some people and company search engines:
- 192.com (for UK)
- Searchbug.com
- Companycheck.co.uk (for UK)
- Freecarrierlookup.com (Telephone Carrier Checkup)
- Phonebookoftheworld.com
- Zoominfo.com
- Anywho.com
- Europages.co.uk (Europe)
- Connect.data.com
- Wayp.com (international)
- investigativedashboard.org
Use of technological infrastructure for information:
A website is not a landing page that only carries information about an organization, the website itself is based on many factors and carries many important information that could be used against its own organization.
Let’s analyze the technology infrastructure, starting with the hardware:
- Match.io
- censys.io
- A basic censys scan shows listening ports and related services with certificates.

Shodan discovered another service running on the server:

Both Shodan and Censys discover Internet-connected devices, their services, and open ports. In addition to the running services, we also need to find out the details of the server. The following services do the same:
- centralops.net
- network-tools.com
- viewdns.info
What information to look for?
- DNS records
- Nameserver details
- Netblock
- IP address of the server
- MX, CNAM and SOA records
A DNS report using viewDNS shows a lot of interesting information about the technology infrastructure, it keeps logs of the information you get during the investigation process, this information helps to solve the problem and also to start the attack.

Domain Dossier using Centralops provides a complete picture of the infrastructure including server IPs, network block, IP WHOIS, network WHOIS record with contact details, DNS analysis and running services. This information is enough to understand what type of targeted network it is and what services they use. Points to note:
- Is it a shared server or private? And do they host any other websites on the server? (use reverse IP lookup to find out)
- Are IP addresses blacklisted or containing malware? (use IPvoide.com to test)
- Is there anything suspicious? Domain Hijacking? (check DNS record)
- What about subdomains and mail servers? See what this organization hosts in addition to its main website. For example, proprietary software that might interest you.
- Keep in mind that the goal is not just to get information, but to process it and use it to get some meaningful full output.
Automate the OSINT process with Spiderfoot
Spiderfoot is an open framework for automating intelligence; he does many tasks himself with the help of his robust spiders. This is important when examining technology infrastructure; however, this will not help people searching. It uses a large number of data sources; over 40 and counting including SHODAN, RIPE, Whois, PasteBin, Google, SANS and more.
Some of the key data sources are:
- abuse.ch
- AdBlock
- AlienVault
- Autoshun.org
- malc0de.com
- Onion.City (Dark Web Search Engine)
- PGP servers (PGP public keys)
- The Honeypot Project
- RIPE/ARIN
- And more…
- An intensive scan shows:

- Human name (real people associated with the domain), interesting
- Web server details
- Malicious affiliation
- Internal and external links
- Externally hosted javascript
- HTTP header details and server codes
- Presence on social networks
It has intensive modules to choose from; the choice of modules depends on the need and goal, maybe you only need to find out if the server is blacklisted or not, or any record can be hacked before?
