Open-source intelligence (OSINT) gathering is a method of gathering publicly available intelligence sources to collect and analyze information about a target. OSINT is “open source” because collecting the information does not require any type of covert methods. Typically, the information can be found on the Internet. The larger the online presence of the target, the more information that will be available. This type of collection can often start with a simple Google search, which can reveal a significant amount of information about a target. It will at least give you enough information to know what direction to go with your information-gathering process. Let's cover two tools that can be used for OSINT gathering: Recong-ng and Shodan.

Recon-ng

Recon-ng is a modular framework, which makes it easy to develop and integrate new functionality. It is highly effective in social networking site enumeration because of its use of application programming interfaces (APIs) to gather information. It also includes a reporting feature that allows you to export data in different report formats. Because you will always need to provide some kind of deliverable in any testing you do, Recon-ng is especially valuable.

• To start using Recon-ng, you simply run recon-ng from a new terminal window.
• To get an idea of what commands are available in the Recon-ng command-line tool, you can simply type help and press Enter.
• Recon-ng comes with a “marketplace,” where you can search for available modules to be installed. You can use the marketplace search command to search for all the available modules in Recon-ng
• You can perform a keyword search for any modules by using the command marketplace search < keyword >
• You can install the module by using the marketplace install command
• You can use the modules search command to show all the modules that have been installed in Recon-ng.
• To load the module that you would like to use, use the modules load command. After the module is loaded, you can display the module options by using the info command.
• You can change the source (the domain to be used to find its subdomains) by using the command options set SOURCE. After the source domain is set, you can type run to run the query.

Recon-ng is incredibly powerful because it uses the APIs of various OSINT resources to gather information. Its modules can query sites such as Facebook, Indeed, Flickr, Instagram, Shodan, LinkedIn, and YouTube.

Shodan

Shodan is an organization that scans the Internet 24 hours a day, 365 days a year. The results of those scans are stored in a database that can be queried at shodan.io or by using an API. You can use Shodan to query for vulnerable hosts, Internet of Things (IoT) devices, and many other systems that should not be exposed or connected to the public Internet.

TIP Keep in mind that even though this is public information, you should not interact with any systems shown in Shodan results without permission from the owner. If the owner has a bug bounty program, you may get recognition and a reward for finding the affected system. A bug bounty is a program designed to reward security researchers and ethical hackers for finding vulnerabilities in a product, an application, or a system. In most cases, the compensation is monetary. Omar Santos has included several resources in his GitHub repository on how to get started in bug bounties; see *https://github.com/The-Art-of-Hacking/h4cker/tree/master/bug-bounties*.

Source: Cisco Certified Ethical Hacker Course

Tools

• Bellingcat’s OSINT Toolkit
• Geonames - Extremely useful for finding alternative names and co-ordinates of places.
• Who Posted What - A search engine for Facebook, built by Henk Van Ess.