OSINT - Organizational

  • Employees & Structure:

    • LinkedIn/Xing: Identify C-Level targets for spear-phishing and IT/Security staff to understand the internal tech stack.

    • Structure: Map reporting lines to identify high-value targets (e.g., Finance, DevOps).

  • Site Locations:

    • Physical: Map headquarters and satellite offices. Useful for physical bypasses or identifying localized egress IP ranges.

  • Business Relations:

    • Supply Chain: Look for “Our Partners” or “Case Studies” to find trusted third-party vectors.

    • M&A: Research recent acquisitions; these often have weaker security postures during integration.

OSINT - Technical

  • Search Engines (GHDB):

    • File Discovery: site:example.com filetype:pdf OR filetype:docx OR filetype:xlsx (Look for internal memos, directories, or network maps).

    • Infrastructure: site:example.com inurl:admin OR inurl:login OR inurl:setup.

    • Directory Listing: site:example.com "index of /".

  • Internet Scanners:

    • Shodan/Censys: shodan domain example.com. Check for: “Product: Remote Desktop”, “Product: VPN”, or “Product: Citrix”.

    • Wigle: Check for corporate SSID leakage and geographic Wi-Fi mapping.

  • History & Leaks:

    • Wayback Machine: Recover deleted pages, robots.txt, or old JavaScript files containing API keys.

    • h8mail: h8mail -t target@example.com -lb local_breach_file.txt (Search a local cleartext breach file for passwords; -lb is the local-breach option, while -q sets the custom query type).
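
The three search-engine patterns listed under "Search Engines (GHDB)" can also be run by an organization against a crawl of its own site, to see what those queries would surface before an indexer does. This is an added example, not part of the original notes; the function names and the sample crawl are constructed, and matching is a plain substring check rather than a search engine's tokenization.

```python
from urllib.parse import urlparse

# Patterns taken from the dorks on this page
DOC_EXTS = (".pdf", ".docx", ".xlsx")        # filetype:pdf OR docx OR xlsx
ADMIN_WORDS = ("admin", "login", "setup")    # inurl:admin OR login OR setup
INDEX_MARKER = "index of /"                  # "index of /"


def classify(url, body=""):
    """Return the sorted exposure classes that one crawled URL falls into."""
    findings = set()
    parsed = urlparse(url)
    path = parsed.path.lower()
    if path.endswith(DOC_EXTS):
        findings.add("document")
    # inurl: looks at the whole URL, so check the path and the query string
    haystack = (parsed.path + "?" + parsed.query).lower()
    if any(word in haystack for word in ADMIN_WORDS):
        findings.add("admin-surface")
    # Auto-generated listings carry the marker in the title or heading
    if INDEX_MARKER in body.lower():
        findings.add("directory-listing")
    return sorted(findings)


def audit(crawl):
    """Map each flagged URL to its exposure classes; clean URLs are omitted."""
    report = {}
    for url, body in crawl:
        hits = classify(url, body)
        if hits:
            report[url] = hits
    return report


# Constructed sample: (URL, response body) pairs from a crawl of one's own site
SAMPLE_CRAWL = [
    ("https://example.com/about", "<title>About us</title>"),
    ("https://example.com/files/org-chart.PDF", ""),
    ("https://example.com/backup/", "<title>Index of /backup</title>"),
    ("https://example.com/portal/login?next=/", "<form>"),
    ("https://example.com/docs/pricing.xlsx", ""),
]

if __name__ == "__main__":
    for url, hits in audit(SAMPLE_CRAWL).items():
        print(f"{url}: {', '.join(hits)}")
```

Each flagged URL is a candidate for removal, authentication, or a noindex rule, depending on whether it needs to be public at all.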

4.