OSINT for Red Teams: Turning Public Data into Attack Vectors
For Red Teams, Open Source Intelligence (OSINT) is more than just passive data collection. It provides critical insights that can be transformed into real attack vectors, enabling simulated attacks on a target’s infrastructure. By gathering information from public sources such as leaked credentials, DNS records, social media profiles, and unpatched vulnerabilities, Red Teams can craft precise, effective attacks that mimic real-world threats.
This guide will walk you through how OSINT data can be leveraged to identify and exploit weaknesses in a target’s infrastructure. We’ll explore techniques for discovering exposed email addresses, credentials, and vulnerable web applications, all while remaining undetected during the reconnaissance phase.
Step 1: Gathering Public Data
OSINT starts with gathering all available public data on a target. This phase includes searching for information on a company’s infrastructure, employee email addresses, and potential leaks. Below are key techniques and tools for performing this initial reconnaissance.
Using theHarvester to Collect Baseline Information
theHarvester is a powerful tool for gathering publicly available information on a target, such as subdomains, email addresses, IP addresses, and URLs. Start by identifying your target domain and running theHarvester to collect data.
theHarvester -d example.com -l 500 -b all
- Emails: theHarvester scrapes email addresses associated with the target domain, which can later be used for phishing or email spoofing.
- Subdomains: It identifies subdomains that can be further probed for vulnerabilities.
- IP Addresses: These IPs can reveal infrastructure details, such as open ports or exposed services.
Using Recon-ng for OSINT Automation
Recon-ng is another OSINT framework that automates the process of collecting and organizing intelligence from multiple public sources. You can use it to search for additional data like company credentials, domain information, and social media profiles.
recon-ng
marketplace install all
workspace create example_com
modules load recon/domains-hosts/bing
set SOURCE example.com
run
Recon-ng makes it easy to automate the gathering of emails, domains, and employee information from sources like LinkedIn, Google, and Shodan.
Step 2: Identifying Weaknesses in Email Infrastructure
One of the most common attack vectors for Red Teams is email spoofing or phishing. OSINT tools can reveal weaknesses in a target’s email infrastructure, which can be exploited for spear-phishing campaigns or other attacks.
Checking for Email Spoofing Risks with MXToolbox
Use MXToolbox to analyze a target’s email domain for issues like weak SPF, DKIM, or DMARC records. These email security protocols are designed to prevent email spoofing, but misconfigurations can leave the organization vulnerable.
- SPF (Sender Policy Framework): Publishes the list of mail servers authorized to send on behalf of the domain, so receivers can reject mail from any other host.
- DKIM (DomainKeys Identified Mail): Lets receivers verify that a message was signed by the sending domain and was not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Tells receiving servers how to treat mail that fails SPF/DKIM alignment (none, quarantine, or reject) and where to send reports, so attackers cannot send mail as the domain without it being flagged or rejected.
Example Check:
Go to MXToolbox and perform an SPF, DKIM, and DMARC lookup for the target domain. If weak or missing records are found, this creates an opportunity for email spoofing attacks.
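To make the same check repeatable on your own domains, here is an added example (not from the original post and not MXToolbox code) that rates the SPF and DMARC TXT strings once you have fetched them from DNS; the sample records are constructed, and `assess_email_auth` and its wording are illustrative assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 7208 allows at most 10 DNS-querying terms per SPF evaluation
SPF_LOOKUP_TERMS = re.compile(r"^[-~?+]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


@dataclass
class EmailAuthFindings:
    spf_all: Optional[str] = None       # qualifier on the 'all' term: '-', '~', '?' or '+'
    dmarc_policy: Optional[str] = None  # DMARC p= tag: none, quarantine or reject
    issues: List[str] = field(default_factory=list)


def assess_email_auth(spf: Optional[str], dmarc: Optional[str]) -> EmailAuthFindings:
    """spf/dmarc are the TXT strings for <domain> and _dmarc.<domain> (None if absent)."""
    f = EmailAuthFindings()
    if spf and spf.lower().startswith("v=spf1"):
        terms = spf.split()[1:]
        lookups = sum(1 for t in terms if SPF_LOOKUP_TERMS.match(t))
        if lookups > 10:
            f.issues.append(f"SPF needs {lookups} DNS lookups (>10): receivers return permerror")
        for t in terms:
            m = re.fullmatch(r"([-~?+]?)all", t, re.I)
            if m:
                f.spf_all = m.group(1) or "+"   # an unqualified term means '+' (pass)
        if f.spf_all is None:
            f.issues.append("SPF has no 'all' term: unlisted senders get neutral, not fail")
        elif f.spf_all in ("+", "?"):
            f.issues.append(f"SPF ends in '{f.spf_all}all': any host passes SPF")
        elif f.spf_all == "~":
            f.issues.append("SPF softfail (~all) only flags mail; blocking relies on DMARC")
    else:
        f.issues.append("no SPF record: receivers cannot reject forged envelope senders")

    if dmarc and dmarc.lower().startswith("v=dmarc1"):
        tags = {}
        for kv in dmarc.split(";"):
            if "=" in kv:
                k, v = kv.split("=", 1)
                tags[k.strip().lower()] = v.strip()
        f.dmarc_policy = tags.get("p", "").lower() or None
        if f.dmarc_policy != "reject":
            shown = f.dmarc_policy or "missing"
            f.issues.append(f"DMARC policy is '{shown}': mail failing alignment is not rejected")
    else:
        f.issues.append("no DMARC record: SPF/DKIM results are never tied to the From: header")
    return f
```

A domain that scores zero issues here still needs DKIM signing in place for DMARC alignment to pass on legitimate mail.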
Phishing Campaign with Spoofed Emails
Once you have verified that email spoofing is possible due to weak email security records, you can craft a phishing campaign using a spoofed email address to target employees or partners of the company. You can simulate phishing to evaluate how effectively employees respond to suspicious emails.
Step 3: Exposed Credentials from Data Breaches
Public data breaches often contain exposed usernames and passwords that attackers can use to gain access to internal systems. These credentials are commonly found on the dark web or breach databases.
Searching for Leaked Credentials on Dehashed
Dehashed is a search engine that allows you to find leaked credentials, email addresses, and passwords from data breaches. By inputting the target domain or email addresses found in Step 1, you can search for compromised credentials.
dehashed "target_email@example.com"
If credentials are found, you can:
- Attempt Credential Stuffing: Use the leaked passwords to log into company services (e.g., VPNs, email accounts).
- Password Spraying: Use a limited set of common passwords across all identified email accounts to see if any employee reused weak passwords.
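Seen from the defending side, the two techniques above leave a recognizable trace in authentication logs: one source failing against many accounts a few times each (spraying), as opposed to many failures against a single account (brute force). The following is an added example, not part of the original post; the log format and its entries are constructed, and `detect_spraying` with its thresholds is an illustrative assumption.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:05 FAIL user=bob src=203.0.113.7
2024-05-01T09:00:09 FAIL user=carol src=203.0.113.7
2024-05-01T09:00:14 FAIL user=dave src=203.0.113.7
2024-05-01T09:00:18 FAIL user=erin src=203.0.113.7
2024-05-01T09:00:23 OK user=frank src=203.0.113.7
2024-05-01T09:01:00 FAIL user=alice src=198.51.100.9
2024-05-01T09:01:02 FAIL user=alice src=198.51.100.9
2024-05-01T09:01:05 FAIL user=alice src=198.51.100.9
2024-05-01T09:01:09 FAIL user=alice src=198.51.100.9
2024-05-01T10:30:00 FAIL user=bob src=192.0.2.44
"""


def parse_events(text):
    """Return (timestamp, result, user, src) tuples from the log format above."""
    events = []
    for line in text.splitlines():
        ts, result, user_kv, src_kv = line.split()
        events.append((datetime.fromisoformat(ts), result,
                       user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return events


def detect_spraying(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {src: (accounts_sprayed, accounts_logged_in)} for sources whose failures
    spread over many distinct accounts with few attempts each (spraying, not brute force)."""
    fails, successes = defaultdict(list), defaultdict(set)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            successes[src].add(user)   # a success after a spray is the case to triage first
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            per_user = Counter(u for t, u in attempts[i:] if t - t0 <= window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[src] = (sorted(per_user), sorted(successes[src]))
                break
    return alerts
```

The single-account hammering from 198.51.100.9 is deliberately not flagged here; it belongs to a separate brute-force rule keyed on failures per account rather than per source.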
Automating Credential Searches with PwnedOrNot
PwnedOrNot is a Python tool that checks if an email has been compromised in any known breaches. It automates the process of searching for leaked credentials using the Have I Been Pwned API.
git clone https://github.com/thewhiteh4t/pwnedOrNot.git
cd pwnedOrNot
pip install -r requirements.txt
python pwnedornot.py -e target_email@example.com
With this tool, you can automate the search for compromised credentials related to the target organization.
Step 4: Scanning for Unpatched Vulnerabilities in Web Applications
Many organizations expose web applications or portals that may contain unpatched vulnerabilities. By analyzing OSINT data, you can identify weak points in a target’s web infrastructure and potentially exploit them.
Using Shodan to Identify Exposed Services
Shodan is a search engine for internet-connected devices. It allows you to find exposed services and systems running on the internet, such as web servers, databases, and industrial control systems. By feeding in the IP addresses or subdomains gathered during OSINT, you can identify public-facing services that may have vulnerabilities.
shodan search "http.title:example.com"
- Open Ports and Services: Look for exposed remote-access services such as RDP (3389) or SSH (22), as well as services running on non-standard ports.
- Vulnerable Devices: Shodan can identify devices running outdated firmware or software versions that have known exploits.
Using WhatWeb to Fingerprint Web Applications
WhatWeb is a tool that identifies the technologies used in web applications, including their software versions, plugins, and content management systems (CMS). Outdated CMS installations or plugins are often targets for exploits.
whatweb example.com
If WhatWeb identifies outdated software, such as an old version of WordPress or Joomla, you can look up known vulnerabilities for those versions on Exploit-DB.
Exploiting Vulnerabilities with Metasploit
Once vulnerabilities are identified, use Metasploit to attempt exploitation. For example, if Shodan or WhatWeb reveals a vulnerable web application, you can search Metasploit for relevant exploits:
msfconsole
search cve-2023
use exploit/unix/webapp/wordpress_revslider_exec
set RHOSTS example.com
run
Metasploit will attempt to exploit the vulnerability, potentially providing shell access to the web server.
Step 5: Social Engineering Opportunities from Public Profiles
OSINT can also help you identify potential social engineering targets. Public profiles, such as those found on LinkedIn, Twitter, and Facebook, often reveal sensitive information about employees and organizational roles.
Using Social-Analyzer for Employee Profiling
Social-Analyzer is a tool that scrapes and analyzes public social media profiles across various platforms. It can help you find employees of a target organization and gather information on their job roles, interests, and activities.
git clone https://github.com/qeeqbox/social-analyzer.git
cd social-analyzer
python social-analyzer.py -u target_user
By analyzing the profiles of key employees, you can craft targeted phishing attacks or impersonation strategies to manipulate individuals into revealing sensitive information.
Using OSINT Data for Pretexting in Social Engineering
Once you've gathered information about specific employees, you can use this data to create convincing pretexts. For example:
- Impersonate IT Support: Contact employees, pretending to be internal IT staff, and request their login details for “maintenance.”
- Pose as a Colleague: Using information from public LinkedIn profiles, impersonate a colleague asking for access to shared files or sensitive documents.
Conclusion:
OSINT provides Red Teams with a wealth of actionable intelligence that can be transformed into attack vectors. By identifying exposed credentials, weak email configurations, unpatched vulnerabilities, and social engineering opportunities, you can simulate real-world attacks that help an organization understand its weaknesses.
Summary of Tools and Techniques:
- theHarvester – Gather emails, subdomains, and IP addresses.
- Recon-ng – Automate OSINT tasks for domains and employees.
- MXToolbox – Check email domain security (SPF, DKIM, DMARC).
- Dehashed – Search for leaked credentials from data breaches.
- Shodan – Identify exposed services and vulnerable systems.
- WhatWeb – Fingerprint web applications to find outdated software.
- Social-Analyzer – Scrape social media profiles for potential social engineering targets.
- Metasploit – Exploit discovered vulnerabilities in web applications.
By leveraging these tools and techniques, Red Teams can turn publicly available data into concrete attack vectors that help test and improve an organization’s defenses.