Social media and public OSINT (open source) documents play an important role in today’s information world. This powerful tool allows you to gain valuable information about various aspects, including people, companies, events and trends. Using social media to gather OSINT provides a unique view into the lives and activities of individuals and organizations. The information people share on social media can provide valuable insight into their interests, behaviors, opinions, and connections. Any public documents that are publicly available, such as official reports, publications, academic studies and reference books, are also a valuable source of information. Effective use of social media and public OSINT documents requires specialized tools and technologies. Automated data monitoring, analysis and visualization systems help to efficiently collect, filter and analyze information from large-scale sources.
The use of social media and public OSINT documents has a wide range of applications. It can be used to obtain information about competitors, monitor brand reputation, analyze the target audience, identify new market opportunities and trends, as well as to support strategic decision-making. Thanks to social media and public OSINT documents, enterprises get the opportunity to stay one step ahead in today’s competitive environment. Proper use of these sources helps companies gather information that is a valuable asset for strategic planning, decision making, and success. In the previous section, we discussed the use of sophisticated OSINT data collection tools. However, you don’t always need fancy ways to get information. Often it is enough to view pages in social networks. In this section, we’ll discuss how some of the most innocent messages on the Internet can be used as weapons. You’ll learn how to gather OSINT from these platforms, as well as several non-social platforms that are just as effective. You’ll read public company documents and learn how to take automated screenshots to document your findings.
Social media platforms give us a glimpse into the lives of the people and companies we focus our efforts on. While some organizations have clean-up workplace policies that require employees to remove sensitive information from their desks during breaks, lunch breaks, or outside the office, many of these policies do not include photos taken on personal devices. As a result, people open up publicly about anything that bothers them or worries them, whether at home or at work. This gives OSINT detectives full access to the organization’s facilities and often allows us to see more than a personal tour.
In Chapter 6, we’ll return to social media as a means of learning about the person posting.
LinkedIn is a great professional social network. Many of its users talk too frankly about their experience, revealing all the technologies and processes used within the company. By looking at the company’s employees on the site, we can fill out a list of phishing targets, find the technologies used by the company, and come up with roles we could play in phishing attacks. LinkedIn is an OSINT goldmine, especially for smaller companies with limited online presence.
NOTE Some of the analytics features discussed below are only available to LinkedIn Premium users, which at the time of writing cost $29 per month. Keep in mind that the properties of any product or service may change for better or worse over time. In the following sections of this chapter, I will focus less on tools and functions than on methods.
Let’s take a look at Walmart’s LinkedIn business page (Figure 5.1). At the top of the page, we can see how many subscribers Walmart has, how many contacts of this account work for Walmart, the stock ticker, and an overview of the company. The About Us section also provides us with general information about Walmart.
The page below lists the websites and addresses of all major Walmart locations, when and where the company was founded, the location of the headquarters, the size of the company, and its specialty.
Because people often use LinkedIn as a job board, company pages provide information relevant to job applicants, such as the official number of employees and their increase or decrease (Figure 5.2).
Average employee experience can help us interact with phishing and witch targets. We can estimate how likely it is that one employee will know an employee in another department, especially in large companies with more than 300,000 employees, such as Walmart. Likewise, LinkedIn’s data on staff distribution, company growth, and new hires can give us an idea of how likely we are to encounter a new, inexperienced colleague if we start calling offices.
LinkedIn users who are company employees are listed on a separate page. Use this information to see the role each person plays. For example, in fig. Figure 5.3 shows a person in an intrusion analyst position, a standard position in a cybersecurity department that involves a company actively monitoring its websites and networks for malicious behavior.
We can evaluate the security of a company by the number of information security employees. An easy way to accomplish this is to review employee profiles for specific abbreviations for job titles and professional certifications. A good starting point is to review the CISSP, GPEN, OSCP, CEH, and Security+ acronyms. Relevant job titles to search for include information security, cyber security, intrusion, OpSec, and CISO.
Employee profiles also tell us a lot about the technology the company uses. By analyzing profiles, we may detect the presence of Security Event and Incident Management (SEIM) solutions, anti-malware software, email filtering or VPNs. In addition, they help us build an email list for further profiling and phishing.
Employees, recruiters and outsourced recruitment providers may link to job pages or job boards on their social media platforms. As a byproduct, smart social engineers, red teamers, and OSINT analysts can harvest this information and use it as a weapon.
Depending on how the job ad is written, you can find the keys to the kingdom in just one sentence. In fig. Figure 5.4 shows that the candidate should have experience with Oracle E-Business Suite (EBS) version 12.2.7. This tells a potential attacker to look for vulnerabilities in that particular version of the software. Judging by the way the job posting is written, an attacker can conclude that the company is also still using version 184.108.40.206, which has vulnerabilities dating back to 2006.
Then you can go in several ways. The first is to look for Common Vulnerabilities and Exposures (CVEs) associated with that particular software and then check sites like https://www.exploit-db. com/, for known exploit code. Additionally, we may use this information in our phishing or phishing campaigns. Finally, one could simply brute force any publicly available instances of the relevant software, which would be the loudest option outside of social engineering or OSINT.
Other important things to look for in job postings are mentions of which manager the employee reports to. Knowing the organizational structure and who’s in what role can be helpful in creating justifications in situations where mentioning a name will help you build trust. Don’t limit yourself to the latest posts. Check out old posts on sites like Indeed, Ladders, and LinkedIn. You can also view old pages at https://archive.org/. By looking at old posts, you can get a sense of how often an organization patches or updates its software, as well as assess its human resources and security culture.
The Facebook social network was blocked at the request of Roskomnadzor on the territory of the Russian Federation in accordance with the federal law “On measures to influence persons involved in violations of fundamental human rights and freedoms, rights and freedoms of citizens of the Russian Federation” for regularly posting unreliable information and refusing to grant equal rights to publication by the Russian mass media.
Facebook can be a goldmine or a cesspool, depending on who you ask and what you’re looking for. All because there is a lot of data, but it is minimally verified, although from time to time it is supported by facts. Many people tend to over-share information on this site (this behavior will be discussed later in Chapter 6). In this section, we will focus on business information about the company and its customers.
To start analyzing on Facebook, create an account that you do not use for personal purposes. Although creating a fake account violates the site’s Terms of Service, it will prevent you from appearing on the People You May Know tab under your real profile. You’ll also be able to post to your page publicly without confusing your legitimate friends or risking giving them away. Keep in mind that after a series of scandals, Facebook is cracking down on fake accounts, especially those that use AI-generated images.
As an additional layer of security, avoid using the site’s mobile apps, as they usually have access to all the apps on your mobile device and can determine for sure that the account belongs to you without even using additional data. You may also start receiving more and more personal ads, which personally annoys me a lot.
So what can we find on Facebook? Competitors, customers, promotions, press releases, news and public opinion.
Look for contact information or press releases on the organization’s Facebook page (see Figure 5.5 for Walmart). For smaller companies, it’s common to find news about awards they’ve won or lists they’ve been added to. You can also see messages about the activities and achievements of employees, especially if you focus on consulting.
Take a look at the About section (Figure 5.6). Here we can find phone numbers, even if they are for technical support, customer support or the company’s hotline. We can find email addresses and almost certainly see their website.
Companies may also share a timeline of events, such as dates of incorporation, relocations, mergers and acquisitions, and terminations of key employees, which may provide us with information for use in our communications or interactions.
When you make an energetic call to a company, one of the most effective ways to get an employee to talk to you is to pretend to be a customer. You can find many real customers by checking the Facebook Community tab and reading reviews. 5.7 Walmart’s Community tab shows various feedback from the general public. They should be taken with a grain of salt and in the general context of the topic. Some of these messages are valid fears or claims, but others rely on conspiracy theories or are unsubstantiated claims, attempts to start a viral wave, and reports of fake or impersonating pages.
The “Community” tab shows the number of subscribers of the company. This indicator shows the strength of the brand and how actively the company interacts with and engages customers.
See what messages customers are sharing on your business page and how often they are posting. Does the company respond to these messages? Is the company responsive or cold? This can help us develop a dossier on the company as well as a dossier that we use as an excuse.
Sometimes people share random messages on the company wall in an attempt to create a viral company. Take this into account when analyzing.
The Instagram social network was blocked at the request of the Roskomnadzor in the territory of the Russian Federation in accordance with the federal law “On measures to influence persons involved in violations of fundamental human rights and freedoms, rights and freedoms of citizens of the Russian Federation” for regularly posting false information and refusing to grant equal rights to publication by the Russian mass media.
Instagram is a treasure trove of OSINT. In a social engineering Capture the Flag (SECTF) contest I once participated in, I found over 90% of my target company’s information using Instagram.
Who is more interesting than the followers of a business account are those who are subscribed to the business account itself. Company accounts are typically signed by executives and influencers, as well as marketing and public relations professionals. For example, look at who Walmart subscribes to (Figure 5.8). The list includes the brands they sell and LeBron James.
Also, look for hashtags the target is subscribed to. This tells us what the target considers important. Hashtags can be related to a company’s promotion or indicate whether its team is active on social media. They can also point to the company’s competitors. From the hashtags that Walmart chose (Figure 5.9), we learn about internal initiatives, incentives for customers and possible internal jargon.
Then leave the company page on Instagram and find the address of the company office on Instagram. This brings us to all geotagged posts at that address. Geotagging is done automatically when location services and device apps are turned on. The location will be embedded in the message and searchable by the content of the image metadata field. In geotagged photos, you’ll probably find two very useful parts: company icons and photos of employees’ desktops.
Icon images can help us identify the manufacturer and their design. In some cases, you can even clone badge cards to access objects. Brent White and Tim Roberts wrote a good article on using the Proxmark access card cloner (and more) at https://wehackpeople. wordpress.com/2018/07/16/proxmark-3-cheat-sheet-and-rfid-thief-instructions/.
In these cases, you can repeat the badge design. For example, the Walmart vendor icon in Fig. 5.10 shows us what the vendors’ icons look like, including the fonts they use, the barcode, and the expiration date.
You may be able to reproduce the barcode of the icon. Although the icon does not contain any numbers useful for identification, it does have a date on it, potentially useful in a clever hack to gain access.
Alternatively, you can make fake badges and learn how people on the site dress, allowing you to blend in with them. For example, at Walmart stores, salespeople usually wear khaki pants and a navy blue shirt with a coat and badge. In fig. Figure 5.11 shows several images of Walmart icons, all of which look innocent enough until a social engineer or attacker uses them to gain unauthorized access to the facility.
Photos of the tables can tell us a lot of interesting things about the technologies used by the company. In fig. 5.12 shows an image of an employee’s workplace. The employee (partner) bragged about the card he received, but the picture also shows that he is using a MacBook with Photoshop, Microsoft Office 2016, and Cisco WebEx open on macOS.
Using Shodan for OSINT
John Matherly developed Shodan (https://www.shodan.io/) in 2009 as a search engine for indexing Internet-connected devices. In practice, this means that Shodan actively scans the Internet for vulnerable and exposed devices, and then enters these devices into its database to be searched and indexed for human use. Let’s look at the basic methods of analysis with Shodan.
The cost of a Shodan membership varies depending on the level of access, ranging from free to $899. Month. The levels are determined by the number of resources you want to constantly monitor, the number of scans you need to run, and whether you need to look for obvious vulnerabilities. Shodan often runs Black Friday specials, providing cheap lifetime dos boring.
Using the Shodan search options
Use one of the options below when searching Shodan.
city – for searching in a specific city; country – for searching in a specific country; geo – within a certain latitude and longitude; hostname – to search for a specific host name; net – to search for a specific IP address, range or CIDR; OS – a specific operating system; port – certain open ports; before/after – to define the search time frame.
As organizations change their hardware and software architectures and Shodan scans non-stop, database records change. Setting a time frame can help you find update patterns as well as current and trending technologies. For example, if you know your organization uses Cisco ASA, you can look at the software release dates and compare them to the version change date in Shodan to get an idea of how quickly patches were made.
If you know the IP address or range, you can query Shodan to identify the host, services, and service banners (see Figure 5.13). This will help if you are building OSINT to prepare for a penetration test.
Shodan also tells us about the TLS / SSL certificate used to encrypt incoming and outgoing web traffic. If the certificate uses weak ciphers, it can be considered an attack vector for technical intrusion.
If you enter the domain name of your target organization into Shodan, the system will respond with all known hosts. This will help to get information about used ports and protocols, as well as service banners and service versions. This method also helps us determine the types of Internet-connected systems used by the organization (such as NGINX, Apache, and IIS), in addition to hostnames and IP addresses.
Figure 5.14 shows the result of a lookup for the walmart.com domain, which indicates that the hosts must belong to Walmart stores. This prevents irrelevant domains containing the phrase walmart.com or sites linking to walmart.com from being included in the search results.
Knowing a specific hostname or subdomain, we can search for it in Shodan the same way we searched for domains. Shodan will provide us with more accurate information such as IP address, service and open ports on the host. The specific information returned depends on the domain, and its usefulness depends on what we plan to do with that information. For example, in fig. Figure 5.15 shows the Microsoft IIS Web servers owned by Walmart.
We see the character set, the HTTP code and, if there is a known vulnerability, the CVE number, which can lead us to a technical hack if that is our task
Take automatic screenshots with Hunchly
So far in this chapter, we’ve discussed manually analyzing web pages for useful information. But unless you’re using a dedicated OSINT tool like Recon-ng, it’s not always easy to keep track of all the information you find. Hunchly (https://www.hunch.ly/) is an extension for Chrome (or a Chromium browser like Brave) that provides screenshots of whatever you’re looking for (Figures 5.16 and 5.17). As of this writing, Hunchly, created by Justin Seitz, costs $129. per year but gives a 30-day free trial. If you frequently conduct OSINT investigations, purchasing a license is well worth it.
By clicking on the specific data icon, you can view the screenshot and any information about it, such as what you searched for, the URL path that matches the search, the date it was collected, the date the site was updated, and the hash of the screenshot. This information is critical if you are collecting OSINT for legal reasons and will use the screenshot as evidence in court.
We used materials from the book “Social Engineering and Ethical Hacking in Practice”, which was written by Joe Gray.