Open Source Intelligence (OSINT) Resources for Reconnaissance

A curated list of OSINT resources for reconnaissance in the cyberspace.

This post is divided in the following sections:

• ASN
• Domains
• Screenshots
• Where to look for secrets
• Search strings
  • Ran out of ideas?
• Internal vs External point of view

ASN

• apps.db.ripe.net

Domains

• bgp.he.net
• lookup.icann.org
• community.riskiq.com
• viewdns.info
• virustotal.com
• www.whois.com
• crt.sh

Screenshots

• urlscan.io

Where to look for secrets

Search functionality of popular platforms can be leveraged to identify useful information such as secret keys left in source code, API documentation and structure as well as internal hostnames.

• searchcode.com
• postman.com
• github.com
• virustotal.com

Search strings

The following list provides potentially interesting search strings that may lead to the discovery of secrets:

<property name="password" value="
.windows.net (e.g. database.windows.net)
.env (filename)
key="connectionString" value="server=tcp:
aws_secret_access_key

The searches can be performed on any source code management platform, issue and project tracking system, fileshare or knowledge base, externally or internally.

Ran out of ideas?

You may have ran out of search ideas. That’s not a problem. You can get some fresh ideas from work other people have published. A good source of new ideas is the file rules implemented on the Snaffler project located at https://github.com/SnaffCon/Snaffler/tree/master/Snaffler/SnaffRules/DefaultRules/FileRules/Keep.

Internal vs External point of view

This section has been created to underscore the importance of performing searches from different points of view. The two points of view (internal and external) can be defined as:

• Internal: Leverage the search functionality a specific platform offers (such as Github search, Virustotal search, etc)
• External: Leverage the search functionality of public search engines that cache results from platforms we may be interested in. For instance, Google results from Github.

To make this concept easier to understand, consider the following example:

The company ImagineryCompany Inc, uses the domain imaginarycompany.com. In an internal search on Github, someone would search for that exact domain on Github search field. In an external search, the individual would use a search dork such as: imaginarycompany.com site:github.com. The internal search would identify and report occurrences of the searched string within code repositories. The external search - performed on public search engines - would identify and report occurrences of the searched string areas like comments.