Lesson 3: OSINT — Open Source Intelligence
Before an attacker touches a system, they learn everything they can about it — from completely public and legitimate sources. OSINT (Open Source Intelligence) is the art of gathering information from open sources: WHOIS, Google Dorking, SSL certificates, and Shodan. In this lesson we learn how an at
OSINT is like solving a puzzle about someone using only things they've made public. No breaking in, no touching — just reading what's already there.
- Open Source Intelligence: Gathering intelligence from publicly available sources — websites, social media, public databases — without unauthorized access
- WHOIS: A protocol and database containing domain registration information: owner, nameservers, creation and expiry dates
- Google Dorking: Advanced use of Google's search engine with special operators (site:, filetype:, inurl:) to find sensitive information accidentally exposed
- Passive Reconnaissance: Gathering information about a target without sending a single packet to it — leaving no digital footprint on target systems
- Active Reconnaissance: Information gathering that involves direct communication with target systems (port scanning, DNS queries) — may leave traces in logs
- Certificate Transparency: A public log of all SSL/TLS certificates ever issued. Useful for discovering subdomains not otherwise published
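The Certificate Transparency entry above, turned into a self-audit: this added example (not part of the original lesson) lists hostnames that appear in certificate log records for your own domain but are missing from your asset inventory. The record shape (`name_value`, `not_before`), `example.com`, and the inventory are assumptions constructed for illustration.

```python
import json

# Constructed sample records. Assumed shape: "name_value" holds the
# certificate's names separated by newlines, "not_before" its start date.
SAMPLE_CT_JSON = """[
 {"name_value": "www.example.com\\nexample.com", "not_before": "2024-01-10T00:00:00"},
 {"name_value": "*.example.com", "not_before": "2024-02-01T00:00:00"},
 {"name_value": "staging-vpn.example.com", "not_before": "2023-11-05T00:00:00"},
 {"name_value": "WWW.Example.com", "not_before": "2024-03-01T00:00:00"},
 {"name_value": "mail.example.org", "not_before": "2024-03-02T00:00:00"},
 {"name_value": "notexample.com", "not_before": "2024-03-03T00:00:00"}
]"""

# Hypothetical inventory of hostnames the organization knows it publishes.
KNOWN_INVENTORY = {"example.com", "www.example.com"}


def names_from_ct(records, domain):
    """Return {hostname: earliest not_before} for names at or under domain."""
    seen = {}
    suffix = "." + domain
    for rec in records:
        for raw in rec.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # a wildcard names no host; record its parent
            # Match on a label boundary so notexample.com is not accepted.
            if name != domain and not name.endswith(suffix):
                continue
            first = rec.get("not_before", "")
            # ISO 8601 timestamps sort correctly as plain strings.
            if name not in seen or first < seen[name]:
                seen[name] = first
    return seen


def unexpected_names(records, domain, inventory):
    """Hostnames visible in the logs that the inventory does not list."""
    return sorted(set(names_from_ct(records, domain)) - set(inventory))


if __name__ == "__main__":
    records = json.loads(SAMPLE_CT_JSON)
    for host in unexpected_names(records, "example.com", KNOWN_INVENTORY):
        print("in CT logs but not in inventory:", host)
```

Any name reported here is already readable by anyone who searches the logs, so it should be either added to the inventory or retired.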