Passive Reconnaissance & OSINT
Gather target information without touching the system. Learn OSINT basics, Google Dorking, WHOIS lookups, DNS enumeration, theHarvester, and Shodan to discover exposed information.
What is OSINT?
Definition
OSINT stands for Open Source Intelligence. It involves collecting and analyzing publicly available information from various sources to gather actionable intelligence about a target without ever touching their systems.
Key Principle
Passive reconnaissance means no direct interaction with the target. You're not scanning ports, sending packets, or triggering alarmsโjust gathering information from publicly available sources on the internet.
Information Sources
Internet
Websites, blogs, social media, forums, GitHub, company pages
Publications
News articles, press releases, academic papers, industry reports
Multimedia
Images, videos, metadata (EXIF), podcasts, YouTube channels
Public Records
Government databases, legal documents, business filings, court records
OSINT Tools & Resources
Ethical Considerations in OSINT
- โ Always have written authorization for OSINT activities
- โ Use sock puppets only when ethically justified and with proper safeguards
- โ Respect privacy and data protection regulations (GDPR, CCPA)
- โ Document all sources and findings for reporting
Key Takeaways
- 1. Passive reconnaissance gathers intelligence without alerting targets
- 2. Google Dorking reveals sensitive documents and exposed information
- 3. WHOIS and DNS provide ownership and infrastructure details
- 4. theHarvester automates email and subdomain collection
- 5. Shodan finds internet-exposed services and vulnerable devices
- 6. Always conduct OSINT ethically with proper authorization