OSINT for Beginners

Open-source intelligence is the practice of collecting information from publicly available sources — and a surprising amount of an organisation’s footprint is sitting in plain sight.
Where to start
Begin with the passive sources that never touch the target directly:
- Public DNS and WHOIS records
- Certificate transparency logs
- Cached pages and archives
The goal of OSINT is not to break in. It is to understand a footprint using only what someone has already published.
Enumerating subdomains
Certificate transparency is a goldmine for finding hostnames an organisation may not realise are exposed. Every publicly trusted certificate is logged, so a single query for the apex domain returns every name a CA has ever issued for it, including staging and internal-sounding hosts that were never meant to be advertised:
# Pull names from certificate transparency, dedupe, sort
# %25 is a URL-encoded '%', the SQL-style wildcard crt.sh accepts, so the query matches every name under the apex
# name_value can hold several names separated by newlines; jq -r prints each on its own line
# the sed strips the "*." from wildcard entries so they collapse onto their base name
curl -s "https://crt.sh/?q=%25.suspiciousbytes.com&output=json" \
| jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u
Results are historical: crt.sh includes expired certificates, so a name in this list may no longer resolve. Checking whether it does is a DNS query against the target's nameservers, which is no longer passive, so decide deliberately before taking that step.
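The one-liner above relies on jq being installed and silently drops two things a practitioner cares about: names that are not actually under the target apex, and where each hostname came from. The following is an added example, not code from the original article, that parses the same crt.sh JSON shape in Python, normalises case and wildcards, keeps only the apex and its subdomains, and attaches provenance (the crt.sh row id, issuer and not_before) to every hostname. The JSON payload is constructed for the example and is not real crt.sh output; suspiciousbytes.com is the placeholder domain the article uses.

```python
import json
import re

# Constructed sample of a crt.sh JSON response (not real data). Real responses
# carry more fields; only those used below are included.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "suspiciousbytes.com\nwww.suspiciousbytes.com",
     "not_before": "2024-01-02T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.suspiciousbytes.com",
     "not_before": "2024-02-10T00:00:00"},
    {"id": 1003, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "Staging-API.suspiciousbytes.com\nstaging-api.suspiciousbytes.com",
     "not_before": "2023-11-20T00:00:00"},
    {"id": 1004, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "suspiciousbytes.com.evil.example",  # lookalike, must be excluded
     "not_before": "2024-03-01T00:00:00"},
    {"id": 1005, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "vpn.suspiciousbytes.com",
     "not_before": "2022-06-15T00:00:00"},
])

# Conservative hostname syntax: LDH labels, alphabetic TLD.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def extract_hostnames(crtsh_json, apex):
    """Return {hostname: [provenance, ...]} for every name in crt.sh output
    that is the apex itself or a subdomain of it.

    - name_value may hold several SANs separated by newlines
    - wildcard entries such as *.example.com are recorded under the base name
    - names are lower-cased (DNS is case-insensitive) before deduplication
    - 'example.com.evil.example' must not match apex 'example.com'
    - provenance keeps the crt.sh row id, issuer and not_before so each
      hostname can be traced back to the certificate that disclosed it
    """
    apex = apex.lower().rstrip(".")
    found = {}
    for row in json.loads(crtsh_json):
        # Collect normalised names per row first so the same name listed
        # twice in one certificate yields a single provenance record.
        names = set()
        for raw in row.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            wildcard = name.startswith("*.")
            if wildcard:
                name = name[2:]
            # Suffix check with the leading dot rejects lookalike apexes.
            if not (name == apex or name.endswith("." + apex)):
                continue
            if not HOSTNAME_RE.match(name):
                continue
            names.add((name, wildcard))
        for name, wildcard in sorted(names):
            prov = {"source": "crt.sh", "id": row.get("id"),
                    "issuer": row.get("issuer_name"),
                    "not_before": row.get("not_before"),
                    "wildcard": wildcard}
            found.setdefault(name, []).append(prov)
    return found


if __name__ == "__main__":
    hosts = extract_hostnames(SAMPLE_CRTSH_JSON, "suspiciousbytes.com")
    for host, provs in sorted(hosts.items()):
        ids = ",".join(str(p["id"]) for p in provs)
        print(f"{host:40} crt.sh ids {ids}")
```

Run against a real response by replacing SAMPLE_CRTSH_JSON with the body of the curl request shown above. The provenance list is the point: when a hostname later turns out to be interesting, the certificate id and issuer tell you exactly which public record disclosed it, which is the note-keeping the rest of this article asks for.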
Source types
| Source | Example | Sensitivity |
|---|---|---|
| DNS | A, MX, TXT records | low |
| Cert transparency | crt.sh entries | low |
| Social profiles | public posts | medium |
Keep notes on where each fact came from. Provenance is what separates intelligence from a pile of interesting trivia.