Reconnaissance

Open-source intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available sources.

MaiInt - Profiling China based Employees

Introduction: MaiInt is a tool that performs OSINT to gather employee names and predict e-mail addresses for China-based companies. Output is in HTML and CSV format. The challenge: the primary issue we're trying to solve is that there are no good tools to enumerate employees in China-based »

OffensiveSplunk vs. Grep

TLDR; Using Splunk for offensive security data analysis has advantages over traditional grep when trawling through and analysing data. Why Splunk and not ELK? ELK is a fantastic open-source project, made even easier thanks to the HELK project by Cyb3rward0g. In fact, I actually tried ELK first »

DomLink — Automating domain discovery

TLDR: Give DomLink a domain and it will find the organisation and e-mail address registered for it, then use that information to perform reverse WHOIS lookups. Simple. The output is a list of other associated domains registered by the same company. Author: Vincent Yiu (@vysecurity). DomLink: Not saying this is a new »
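The pivot DomLink performs (seed domain, registrant contact, reverse WHOIS) can be reproduced offline over a set of WHOIS records. The block below is an added example, not DomLink's own code: it parses the registrant organisation and e-mail out of plain-text WHOIS records, refuses to pivot on privacy-redacted or proxy-registrar values (a common reason a reverse WHOIS comes back empty or wildly over-inclusive), and then finds every record sharing a usable contact with the seed. The records and domain names are constructed for the example; in practice they come from `whois` or an RDAP client, one record per domain.

```python
"""Reverse-WHOIS pivot over a local set of WHOIS records (added example)."""
import re

# Constructed sample WHOIS records; none of these are real registrations.
SAMPLE_WHOIS = {
    "example-corp.com": (
        "Domain Name: EXAMPLE-CORP.COM\n"
        "Registrant Organization: Example Corp Ltd\n"
        "Registrant Email: domains@example-corp.com\n"
    ),
    "example-corp.net": (
        "Domain Name: EXAMPLE-CORP.NET\n"
        "Registrant Organization: Example Corp Ltd\n"
        "Registrant Email: domains@example-corp.com\n"
    ),
    # Same organisation, different contact mailbox: pivots on org only.
    "examplecorp-careers.com": (
        "Domain Name: EXAMPLECORP-CAREERS.COM\n"
        "Registrant Organisation: EXAMPLE CORP LTD\n"
        "Registrant Email: hostmaster@example-corp.com\n"
    ),
    "unrelated.example": (
        "Domain Name: UNRELATED.EXAMPLE\n"
        "Registrant Organization: Other Company\n"
        "Registrant Email: admin@unrelated.example\n"
    ),
    # GDPR-style redaction: nothing here is usable as a pivot.
    "redacted.example": (
        "Domain Name: REDACTED.EXAMPLE\n"
        "Registrant Organization: REDACTED FOR PRIVACY\n"
        "Registrant Email: REDACTED FOR PRIVACY\n"
    ),
    # Privacy-proxy registrant: the org is the proxy, not the owner.
    "proxied.example": (
        "Domain Name: PROXIED.EXAMPLE\n"
        "Registrant Organization: Domains By Proxy, LLC\n"
        "Registrant Email: proxied.example@domainsbyproxy.example\n"
    ),
}

# Both the US and UK spellings of "Organization" appear in real records.
FIELD_PATTERNS = {
    "org": re.compile(r"^Registrant Organi[sz]ation:\s*(.+?)\s*$", re.I | re.M),
    "email": re.compile(r"^Registrant Email:\s*(.+?)\s*$", re.I | re.M),
}

# Values that identify nobody; pivoting on them links unrelated domains.
REDACTED_VALUES = {"", "redacted for privacy", "data protected", "not disclosed"}
PROXY_MARKERS = ("privacy", "proxy", "whoisguard")  # heuristic, tune per registrar


def usable(value):
    """True if a registrant field names an actual owner rather than a redaction or proxy."""
    v = value.lower()
    if v in REDACTED_VALUES:
        return False
    return not any(marker in v for marker in PROXY_MARKERS)


def parse_registrant(record):
    """Extract lower-cased, usable registrant org/email from one WHOIS record."""
    contact = {}
    for key, pattern in FIELD_PATTERNS.items():
        match = pattern.search(record)
        if match and usable(match.group(1)):
            contact[key] = match.group(1).strip().lower()
    return contact


def reverse_whois(seed, records):
    """Return the seed's pivot values and every other domain sharing one of them.

    Each match carries the list of fields it matched on, so an org-only hit
    (weaker, since org names collide) can be weighed differently from an
    org+email hit.
    """
    pivots = parse_registrant(records[seed])
    matches = []
    for domain, record in records.items():
        if domain == seed:
            continue
        contact = parse_registrant(record)
        reasons = [k for k in ("org", "email") if k in pivots and contact.get(k) == pivots[k]]
        if reasons:
            matches.append((domain, reasons))
    matches.sort()
    return {"seed": seed, "pivots": pivots, "matches": matches}


if __name__ == "__main__":
    result = reverse_whois("example-corp.com", SAMPLE_WHOIS)
    print("pivots:", result["pivots"])
    for domain, reasons in result["matches"]:
        print(f"{domain}\tmatched on {', '.join(reasons)}")
```

A seed whose record is itself redacted yields no pivots and therefore no matches; that is the correct answer rather than a bug, and it is the point at which a real engagement falls back to other sources (historical WHOIS, certificate transparency, name servers) that this example does not cover.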

CloudFront Domain Hijacks under Attack

Update: It came to my attention in April that Mindpoint may have been behind the automated assignment of the hijackable instances. See https://www.mindpointgroup.com/blog/pen-test/cloudfront-hijacking/ This is great, but CloudFront's engineers definitely missed a whole lot, so I'm not sure whether they actually see »

Finding Target-relevant Domain Fronts

My last blog post on finding high-value target domains that could be used for domain fronting was quite popular (found here). Although there are a few popular domains that everyone uses, I've also published quite a large list on GitHub for public consumption and for defenders to watch for. This »

Reconnaissance using LinkedInt

Note: posted in June 2017. A key step in an adversary simulation is the reconnaissance phase, which almost always requires obtaining e-mail addresses for employees within the organisation. LinkedIn is probably one of the most widely used sources for reliable profiling of employees. Although a great source of information, not »
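Both the MaiInt and LinkedInt entries above turn harvested employee names into predicted e-mail addresses. The block below is an added example of that step, not either tool's own code: it normalises a full name (stripping diacritics and punctuation), generates the common corporate local-part patterns, infers which pattern a target uses from a handful of addresses already known to be valid, and then applies that pattern to the rest of the list. The names, domain and "known" addresses are constructed; the pattern table is an assumption covering the usual Western conventions, and the `surname_first` flag exists because profiles for China-based staff (MaiInt's target) are often listed family name first, which silently breaks `first.last` prediction if not accounted for.

```python
"""Predict corporate e-mail addresses from employee names (added example)."""
import re
import unicodedata

# Assumed pattern table: the local-part conventions seen most often.
PATTERNS = {
    "first.last": "{first}.{last}",
    "first_last": "{first}_{last}",
    "firstlast": "{first}{last}",
    "flast": "{f}{last}",
    "firstl": "{first}{l}",
    "last.first": "{last}.{first}",
    "lastfirst": "{last}{first}",
    "lastf": "{last}{f}",
    "first": "{first}",
}


def normalize_token(token):
    """Lower-case, strip accents and anything that cannot appear in a local part."""
    decomposed = unicodedata.normalize("NFKD", token)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def split_name(full_name, surname_first=False):
    """Return (given, family) tokens; middle names are dropped."""
    parts = [normalize_token(p) for p in full_name.split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        raise ValueError(f"need at least two name parts: {full_name!r}")
    if surname_first:
        return parts[1], parts[0]
    return parts[0], parts[-1]


def candidates(full_name, domain, surname_first=False, patterns=PATTERNS):
    """Every pattern's address for one person, keyed by pattern name."""
    first, last = split_name(full_name, surname_first)
    return {
        name: pat.format(first=first, last=last, f=first[0], l=last[0]) + "@" + domain
        for name, pat in patterns.items()
    }


def infer_pattern(known, surname_first=False, patterns=PATTERNS):
    """Score each pattern against (full_name, valid_email) pairs; return the best.

    `known` is typically a few addresses confirmed out of band (a press contact,
    a mail header, a breach record). Returns None when nothing matches, so the
    caller falls back to sending every candidate rather than the wrong one.
    """
    scores = {}
    for full_name, email in known:
        local, _, domain = email.lower().partition("@")
        for name, addr in candidates(full_name, domain, surname_first, patterns).items():
            if addr.partition("@")[0] == local:
                scores[name] = scores.get(name, 0) + 1
    if not scores:
        return None
    # Deterministic tie-break on pattern name.
    return max(sorted(scores), key=lambda n: scores[n])


def predict(names, domain, pattern, surname_first=False):
    """Apply one inferred pattern to a list of harvested names."""
    return [candidates(n, domain, surname_first)[pattern] for n in names]


# Constructed sample input for a stand-alone run.
KNOWN_VALID = [
    ("Alice Smith", "alice.smith@example.com"),
    ("Bob Jones", "bob.jones@example.com"),
    ("Carol White", "cwhite@example.com"),  # one outlier should not flip the result
]
HARVESTED = ["Dan Brown", "José García", "Anne-Marie O'Neil"]

if __name__ == "__main__":
    pattern = infer_pattern(KNOWN_VALID)
    print("inferred pattern:", pattern)
    for addr in predict(HARVESTED, "example.com", pattern):
        print(addr)
```

Verification of the predicted addresses (SMTP RCPT probing, OAuth/ADFS user-enumeration endpoints, or a catch-all check) is a separate step and is deliberately not part of this block.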