OSINT

This document outlines a comprehensive beginner OSINT (Open-Source Intelligence) class plan, covering theoretical concepts, practical exercises, and Kali Linux commands. It includes topics such as Google Dorking, domain and website OSINT, social media information extraction, and ethical considerations. Additionally, it introduces Nuclei, a vulnerability scanning tool, and provides practical exercises for students to apply their learning.

Uploaded by

drystankeir88
OSINT

Comprehensive Beginner OSINT Class Plan

This is a detailed lesson plan for a beginner OSINT class, including theoretical
concepts, practical exercises, and Kali Linux commands for hands-on
demonstrations.

🟢 1. Introduction to OSINT
What is OSINT?
Definition: Open-Source Intelligence (OSINT) is the practice of collecting
and analyzing publicly available information.

Sources of OSINT:

Search engines (Google, Bing, DuckDuckGo)

Websites & Blogs

Social Media (Facebook, Twitter, LinkedIn, etc.)

Public Databases (WHOIS, government records)

Forums & Dark Web

Why is OSINT Important?


Cybersecurity professionals use OSINT to detect threats.

Journalists use OSINT for investigations.

Law enforcement & ethical hackers use OSINT for profiling.

Businesses use OSINT for competitor analysis.

Activity 1:
Ask students to search for their own name, email, or username online. Let them
share what they find.

OSINT 1
🟢 2. Google Dorking for OSINT
What is Google Dorking?
A technique to extract hidden data using advanced search operators.

Used to find sensitive files, admin panels, and indexed directories.

Google Dorking Commands to Try in Class:


1. Find PDF files on a website

filetype:pdf site:example.com

2. Find login pages

inurl:login site:example.com

3. Find open directories

intitle:"index of" site:example.com

4. Find email addresses

"@gmail.com" site:example.com

5. Find cameras open to the internet

inurl:/view/view.shtml

Activity 2:
Have students try different dorks on Google and report their findings.

🟢 3. Domain & Website OSINT


Whois Lookup
Retrieves domain owner, registration date, and IP information.

Command:

whois example.com

Finding Subdomains with DNS Enumeration
Used to discover subdomains that are not linked from the main site.

Command:

dnsenum example.com

Finding Subdomains with Sublist3r

Install and run:

apt install sublist3r
sublist3r -d tesla.com
sublist3r -h                      (show the help text)
sublist3r -d tesla.com -t 100     (-t sets the number of threads)

Checking Website Technology Stack (Wappalyzer / WhatWeb)
Find what CMS, JavaScript libraries, and web servers a website uses.

Command:

whatweb example.com
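As an added example that is not part of the lesson, the POSIX shell script below merges the subdomain lists produced by tools such as sublist3r and dnsenum, normalises them (lowercase, trailing dots and wildcard prefixes removed, duplicates dropped), and keeps only hosts inside the apex domain the class is authorised to look at. The tool output embedded in the script is constructed for the example; the resulting list doubles as a targets file for list-based scanners used later in the lesson.

```shell
#!/bin/sh
# Added example (not from the lesson): merge subdomain lists from several
# enumeration tools, normalise them, and keep only hosts inside the
# authorised scope before they are fed to any scanner.

# Constructed sample output: what sublist3r and dnsenum might print for an
# engagement scoped to example.com (hostnames are illustrative).
SUBLIST3R_OUT='www.example.com
Mail.Example.com
dev.example.com
*.staging.example.com
www.example.com'
DNSENUM_OUT='dev.example.com.
vpn.example.com
example.com.evil-lookalike.net
api.example.org'

# normalise_hosts: lowercase, strip trailing dots and wildcard prefixes,
# drop blank lines, and de-duplicate. Reads hostnames on stdin.
normalise_hosts() {
  tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e 's/^\*\.//' | grep -v '^$' | sort -u
}

# in_scope APEX: keep APEX itself and hosts that end in ".APEX".
# A plain substring match would let example.com.evil-lookalike.net through,
# so the comparison is anchored on the end of the name.
in_scope() {
  apex=$1
  awk -v apex="$apex" '
    $0 == apex || substr($0, length($0) - length(apex)) == ("." apex) { print }'
}

# build_targets APEX: merged, normalised, in-scope hosts as https:// URLs,
# one per line, ready to be saved as targets.txt for a list-based scan.
build_targets() {
  printf '%s\n%s\n' "$SUBLIST3R_OUT" "$DNSENUM_OUT" \
    | normalise_hosts | in_scope "$1" | sed 's#^#https://#'
}

build_targets example.com
```

Run it as `sh merge-subdomains.sh > targets.txt`; the out-of-scope look-alike domain and the .org host are dropped, and only the five example.com hosts remain.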

🟢 4. Social Media OSINT


Extracting Public Info from Social Media

People often reveal too much personal data in their social profiles.

Username Enumeration
Find accounts linked to a username across multiple social platforms.

Command (from a source checkout; on Kali the sherlock package also provides
a plain sherlock command):

cd /opt/sherlock
python3 sherlock.py username

Extracting Metadata from Photos


Photos often contain hidden data (EXIF metadata) like location, camera model,
etc.

Command:

exiftool image.jpg

🟢 5. Gathering Email & Employee Information


Find Emails on a Website
Collect emails from public sources.

Command:

theHarvester -d example.com -l 500 -b google

Check Where an Email is Registered
holehe reports which online services an address is registered with, a
starting point for judging how exposed that email is.

Command:

holehe email@example.com

🟢 6. OSINT for Cybersecurity


Check for Open Ports & Services
Identifies running services on a target.

Command:

nmap -sV example.com

Check if a Website has Security Issues


Scan a site for common vulnerabilities.

Command:

nikto -h example.com

🟢 7. Ethics & Legal Considerations in OSINT


Legal Boundaries: Never access private data without permission.

Ethics in OSINT: Use information responsibly.

Case Studies: Discuss real-world cases where OSINT was used for both
good and bad purposes.

🟢 8. Final OSINT Challenge


Objective:
Each student picks a publicly available target (a website, company, or a public
figure) and gathers intelligence using OSINT tools.

Tasks:
1. Find Domain & Subdomains (whois, dnsenum)
2. Check for Public Emails (theHarvester)
3. Find Social Media Accounts (Sherlock)
4. Analyze Metadata in Images (ExifTool)
5. Perform Google Dorking to extract hidden data.

At the end, each student presents their findings (ethically).

Lesson on Nuclei for OSINT & Vulnerability Scanning

Nuclei is a powerful tool for vulnerability scanning, reconnaissance, and
OSINT. It is widely used by security professionals to scan websites, APIs, and
network assets for misconfigurations, leaks, and vulnerabilities.

📌 1. What is Nuclei?
Nuclei is a fast, open-source vulnerability scanner that uses YAML-based
templates to detect misconfigurations, CVEs, and security issues.

It is developed by ProjectDiscovery and is widely used in OSINT,
penetration testing, and bug bounty hunting.

🛠️ Features:
✅ Fast & Lightweight – Uses parallel scanning.
✅ Customizable Templates – You can write your own vulnerability checks.
✅ Scans Web, Network, APIs, and Cloud – Supports various protocols (HTTP,
DNS, SSL, etc.).

✅ Great for OSINT – Can find exposed sensitive information.


📌 2. Installing Nuclei on Kali Linux
Nuclei is pre-installed in Kali Linux. If missing, install it with:

sudo apt install nuclei

Or install manually (the release asset is named nuclei_<version>_linux_amd64.zip,
so the unzip step uses a wildcard):

curl -s https://api.github.com/repos/projectdiscovery/nuclei/releases/latest | grep "browser_download_url.*linux_amd64.zip" | cut -d '"' -f 4 | wget -qi -
unzip nuclei_*_linux_amd64.zip
chmod +x nuclei
sudo mv nuclei /usr/local/bin/

Verify installation:

nuclei -version

📌 3. Updating Nuclei & Templates


To ensure you have the latest scanning capabilities:

nuclei -update
nuclei -ut

📌 4. Basic Nuclei Scanning


🔹 Scan a Website for Vulnerabilities
nuclei -u https://example.com

🚀 What it does: scans example.com with the built-in template set.

🔹 Scan a List of Domains


nuclei -l targets.txt

📜 Example targets.txt file:


https://example.com
https://sub.example.com
https://testsite.com

🔹 Check for Exposed Sensitive Information (OSINT Use Case)

nuclei -u https://example.com -t exposures/

🔍 Finds:
Open directories

Public logs

Misconfigured cloud storage (S3, Azure, Google Cloud)

📌 5. Advanced Scanning
🔹 Scan for Specific Vulnerabilities
Example: Scan for Log4j vulnerability

nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml

📌 Use Case: checks whether the website is vulnerable to Log4Shell (CVE-2021-44228), the Log4j remote code execution flaw.
🔹 Scan for Web Technologies
nuclei -u https://example.com -t technologies/

🔍 Finds:
CMS (WordPress, Joomla, Drupal)

Web frameworks (Django, Laravel, Express.js)

Web servers (Apache, Nginx, IIS)

🔹 Scan for Open Ports & Network Issues


nuclei -u https://example.com -t network/

🔍 Finds:
Open ports

Misconfigured services

Weak TLS settings

📌 6. Writing Custom Nuclei Templates

You can create your own vulnerability or reconnaissance checks using YAML
templates.

Example: Custom Template for Finding Admin Panels

Create a file admin-panel.yaml (indentation matters in YAML; requests: is the
older section name, and current nuclei releases also accept http: in its
place):

id: admin-panel-detect
info:
  name: Admin Panel Finder
  author: YourName
  severity: info
  tags: panel,admin

requests:
  - method: GET
    path:
      - "{{BaseURL}}/admin/"
      - "{{BaseURL}}/login/"

    matchers:
      - type: status
        status:
          - 200

Run your custom template:

nuclei -u https://example.com -t admin-panel.yaml
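A status-only matcher like the one above reports a hit on any site whose /admin/ or /login/ path answers 200, including catch-all pages that return 200 for every URL. As an added example that is not part of the lesson, the script below writes a stricter version of the template (using the current http: section and matchers-condition: and, so both the status and a body-content check must match) and runs a small grep-based sanity check that the matcher section has that shape before the file is handed to nuclei. The template id, file name and the temporary directory are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the lesson): write a stricter admin-panel template
# and sanity-check its matcher section before handing it to nuclei.
# Keys follow the nuclei v3 template layout (http:, matchers-condition:);
# the id, file name and directory are example choices.

TEMPLATE_DIR=${TEMPLATE_DIR:-$(mktemp -d)}
TEMPLATE="$TEMPLATE_DIR/admin-panel-strict.yaml"

# write_template: create the stricter template on disk.
write_template() {
  cat > "$TEMPLATE" <<'EOF'
id: admin-panel-detect-strict

info:
  name: Admin Panel Finder (strict)
  author: YourName
  severity: info
  tags: panel,admin

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin/"
      - "{{BaseURL}}/login/"
    # A status-only matcher fires on every catch-all 200 page; requiring a
    # login form in the body as well cuts those false positives.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "password"
          - "<form"
        condition: and
EOF
}

# check_template FILE: prints "ok" when the template combines a status
# matcher with a word matcher under "matchers-condition: and" (the property
# this example is about); prints "weak" otherwise.
check_template() {
  f=$1
  if grep -q '^ *matchers-condition: and' "$f" \
     && grep -q '^ *- type: status' "$f" \
     && grep -q '^ *- type: word' "$f"; then
    echo ok
  else
    echo weak
  fi
}

write_template
check_template "$TEMPLATE"
# Then run it the same way as the lesson's template:
#   nuclei -u https://example.com -t "$TEMPLATE"
```

The word matcher is deliberately simple; for a real engagement, tune the words to the login pages you expect so that the check stays specific without missing panels that do not use a password field.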

📌 7. Real-World OSINT Use Cases for Nuclei

1️⃣ Find Exposed API Keys & Credentials
nuclei -u https://example.com -t exposures/credentials/

🔍 Finds:
Hardcoded API keys

Publicly accessible .env files

Exposed database credentials

2️⃣ Find Leaked Sensitive Files
nuclei -u https://example.com -t exposures/files/

🔍 Finds:
Open directories (/backup/, /logs/)

Public .git repositories

Leaked configuration files

3️⃣ Find Publicly Open S3 Buckets
nuclei -u https://example.com -t cloud/aws/s3-takeover.yaml

🔍 Finds:
Misconfigured Amazon S3 buckets

Publicly accessible cloud storage

📌 8. Practical Exercise for Students

🔹 Task 1: Run a basic scan on example.com

🔹 Task 2: Find publicly accessible files (exposures/)

🔹 Task 3: Scan a list of websites and report findings


🔹 Summary

Feature                              Nuclei Command
Scan a single website                nuclei -u https://example.com
Scan a list of websites              nuclei -l targets.txt
Check for exposed sensitive files    nuclei -u https://example.com -t exposures/
Scan for a specific CVE              nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml
Update templates                     nuclei -ut
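Once a scan of a target list has run, the class needs to decide which findings matter. As an added example that is not part of the lesson, the script below reads nuclei's JSON-lines output (the -jsonl flag in nuclei v3, -json in older releases) and summarises findings by severity, listing the critical and high ones with the template id and matched URL. The four JSONL records embedded in the script are constructed to mirror the shape nuclei emits (template-id, info.severity, host, matched-at); the template ids other than CVE-2021-44228 and the hosts are placeholders.

```shell
#!/bin/sh
# Added example (not from the lesson): summarise nuclei findings by severity
# from its JSON-lines output (nuclei -jsonl in v3; -json in older releases)
# so a class can see which results need attention first.

# Constructed sample: four JSONL records in the shape nuclei emits
# (template-id, info.severity, host, matched-at). Ids and hosts are
# placeholders except the CVE id taken from the lesson.
SAMPLE_JSONL='{"template-id":"env-file-example","info":{"name":".env File Disclosure","severity":"high"},"host":"https://example.com","matched-at":"https://example.com/.env"}
{"template-id":"tech-detect-example","info":{"name":"Technology Detection","severity":"info"},"host":"https://example.com","matched-at":"https://example.com"}
{"template-id":"git-config-example","info":{"name":"Git Config Disclosure","severity":"medium"},"host":"https://sub.example.com","matched-at":"https://sub.example.com/.git/config"}
{"template-id":"CVE-2021-44228","info":{"name":"Apache Log4j RCE","severity":"critical"},"host":"https://testsite.com","matched-at":"https://testsite.com/"}'

# json_field KEY: print the string value of "KEY" from each JSONL line on
# stdin. Good enough for nuclei'"'"'s compact single-line records; for
# anything more complex use jq.
json_field() {
  sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# count_by_severity: "severity count" lines, sorted by severity name.
count_by_severity() {
  json_field severity | sort | uniq -c | awk '{print $2, $1}'
}

# actionable: for critical and high findings print
# "severity template-id matched-at", one per line.
actionable() {
  while IFS= read -r line; do
    sev=$(printf '%s\n' "$line" | json_field severity)
    case $sev in
      critical|high)
        id=$(printf '%s\n' "$line" | json_field template-id)
        at=$(printf '%s\n' "$line" | json_field matched-at)
        printf '%s %s %s\n' "$sev" "$id" "$at" ;;
    esac
  done
}

# Stand-alone run over the constructed sample. With real output use:
#   nuclei -l targets.txt -jsonl -o results.jsonl; actionable < results.jsonl
printf '%s\n' "$SAMPLE_JSONL" | count_by_severity
printf '%s\n' "$SAMPLE_JSONL" | actionable
```

Severity in nuclei comes from the template author's info.severity field, so treat the summary as a first-pass ordering for the presentation and confirm each critical or high entry by looking at the matched URL before reporting it.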

📌 9. Additional Resources
📘 Nuclei Documentation
🔍 Nuclei Templates
💻 ProjectDiscovery GitHub
📌 Additional Resources
OSINT Framework – List of OSINT tools.

Have I Been Pwned – Check if an email is compromised.

Shodan – Search engine for internet-connected devices.

