Open-Source Intelligence (OSINT) for Attack Surface Mapping

This workshop will kick off by exploring the fundamental concepts of OSINT and how they fit into the broader landscape of cybersecurity. Participants will gain clarity on the goals and techniques that drive effective OSINT practices.

We will be identifying and understanding an organization’s digital assets. What are these assets, and why are they crucial? During the workshop we will discuss the importance of starting the enumeration process with the right “seeds” to uncover hidden information.

We will then dive into the following key areas:

• Hosts: what constitutes a host, and how can we uncover relevant details about them? Leveraging tools such as WHOIS, we will explore IP ranges, ASNs (Autonomous System Numbers), and identify & map cloud-based assets.
• Hostnames: the DNS (Domain Name System) protocol plays a pivotal role in our hunt. Students will learn how to extract valuable data by interacting with DNS servers. Additionally, we will leverage a few techniques to differentiate between internal and external hostnames and understand what insights we can gain about the target organization’s technological stacks.
• Network Services: we will explore how to identify relevant services, using a set of different tools such as NMAP. Moreover, we will focus on web protocols and applications to extract more intelligence: from web application profiling to vulnerability scanning, the participants will be equipped with the right set of practical skills.
• Leaked Data: it is not just about digital infrastructure; the human element matters, too. We will discuss data leaks and their relevance, emphasizing the broader attack surface beyond digital assets.

Key learning objectives

• Mastering OSINT fundamentals: understand the core principles of OSINT, its objectives, and methodologies.
• Effective host identification and analysis: dive into the world of IPs and Hosts, leveraging WHOIS data to extract valuable information about hosts while exploring and identifying IP ranges, ASNs and cloud assets.
• Uncovering hostnames: understand the role of hostnames in attack surface mapping, while exploring the DNS protocol and its details.
• Mapping and profiling network services: how to identify relevant network services by leveraging multiple evergreen tools and techniques.
• Human attack surface and leaked data: how to enumerate the human attack surface of an organization by leveraging leaked databases.

What will the students get

• Battle-tested and future-proof OSINT trades and techniques.
• Fully configured Virtual Machine (VM) with a selection of pre-configured OSINT tools.

Agenda/Topics Covered

Open-Source Intelligence Introduction (OSINT)

• What is Open-Source Intelligence (OSINT).
  • Objectives and Methodology.
• OSINT for mapping Cyber Attack Surface.
  • Hunting for assets: what are we looking for?
    • Identifying the right initial starting “seeds” for
    • Hosts, hostnames, network services, leaked data, and beyond.
    • Just “why”? A curious case-study.

Hunting for Hosts

• What is a Host?
• What is WHOIS and how to leverage it.
• IP ranges, ASNs, and cloud asset discovery.

Hunting for Hostnames

• DNS primer: an old protocol for modern hunting.
• Certificate Transparency Monitor (CTM).
  • Internal vs. External hostnames: why do you not exist?
• Tools and services for effective subdomains enumeration.

Hunting for Exposed Network Services

• How to identify relevant services.
• Nmap Primer: you network scanner Swiss knife.
  • Scaling up: MASSCAN NMAP vs. NAABU.
• It’s (most) all about web.
  • Web application profiling.
  • Web application metadata extraction.
  • Web application vulnerability scanning.
  • Your web toolset: nuclei & eyewitness.
    • Writing custom nuclei templates.

Hunting for Leaded Data

• Data leaks and beyond: why are they relevant.
• It’s not just digital infrastructure: the human attack surface.

Deducing the Security Postured from Mapped Attack Surfaces

• Connecting dots: inferring the security posture of an organization from mapped assets.
• Case study: formulate a remediation plan based on the outcome of OSINT activities.