Course 8 - Penetration Testing OSINT Gathering with Recon-ng | Episode 3: Harvesting Data, Optimizing Contacts, Geolocation

Published 6 months, 1 week ago
Description
In this lesson, you’ll learn about: Conducting a Multi‑Stage OSINT Campaign Using Recon‑ng

1. Initial Data Harvesting & Database Population
The OSINT campaign begins by creating a dedicated workspace and planning the stages of information gathering. The first objective is to populate the core database tables: contacts and hosts.
Contact Gathering
  • whois_pocs module collects domain registration information, extracting email addresses and owner details.
  • PGP search modules identify additional contacts by searching for PGP keys associated with the target domain.
Host Discovery
  • bing_domain_web module scans the domain to enumerate subdomains and hostnames.
  • brute_hosts module brute‑forces common hostnames to uncover additional active hosts not found through search engines.
File Analysis
  • Once the hosts table is filled, the interesting_files module scans the discovered hosts for publicly accessible files such as:
    • sitemap.xml
    • phpinfo.php
    • Test files
  • These files may contain operational details useful for further analysis.
2. Contact Optimization & Breach Assessment
This phase enhances the collected contact data and checks whether employee or organizational accounts have been compromised.
Email Construction Using Mangle
  • The mangle module builds complete email addresses using partial names and organizational naming patterns.
  • It combines first/last names with the domain to produce likely valid addresses.
Breach Monitoring Using HIBP
  • hibp_breach module checks if collected or constructed emails were exposed in known credential leaks.
  • hibp_paste module searches paste sites for leaked emails or credentials.
  • Any hits are stored in the credentials table for responsible reporting and remediation.
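To make the contact-optimization stage concrete, here is an added example, written for this page and not taken from Recon-ng or the course: it builds candidate addresses from partial names and common organizational naming patterns (the idea behind mangle) and then matches them against a breach index, producing rows shaped like the credentials table. The pattern set, the contact list, the domain example.com and the breach index are all constructed for the example; a real lookup would query the HIBP API instead of the local dictionary, which is a stand-in so the script runs offline.

```python
import re
import unicodedata

# Assumed naming patterns (constructed for this example; Recon-ng's mangle
# module takes its own pattern option). {f} and {l} are first/last initials.
PATTERNS = {
    "first.last": "{first}.{last}",
    "first_last": "{first}_{last}",
    "firstlast": "{first}{last}",
    "flast": "{f}{last}",
    "first": "{first}",
    "lastf": "{last}{f}",
}


def normalize(part: str) -> str:
    """Fold accents, drop apostrophes/hyphens/spaces, lower-case: O'Brien -> obrien."""
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def mangle(first: str, last: str, domain: str, patterns=PATTERNS) -> dict:
    """Return {pattern_name: candidate_address} for one person and one domain."""
    f, l = normalize(first), normalize(last)
    fields = {"first": f, "last": l, "f": f[:1], "l": l[:1]}
    return {name: f"{tmpl.format(**fields)}@{domain}" for name, tmpl in patterns.items()}


def build_candidates(contacts, domain: str, patterns=PATTERNS) -> list:
    """Expand every (first, last) pair into the full set of unique candidate addresses."""
    found = set()
    for first, last in contacts:
        found.update(mangle(first, last, domain, patterns).values())
    return sorted(found)


def check_breaches(candidates, breach_index: dict) -> list:
    """Match candidates against a breach index {email: [breach_name, ...]}.

    Returns (email, breach_name) rows, one per hit, in the shape Recon-ng's
    credentials table would hold them. breach_index is a constructed stand-in
    for an HIBP query so the example runs offline.
    """
    rows = []
    for email in candidates:
        for breach in breach_index.get(email, []):
            rows.append((email, breach))
    return sorted(rows)


# Constructed sample input: partial names harvested in stage 1.
CONTACTS = [("Jane", "Doe"), ("Sam", "O'Brien")]
DOMAIN = "example.com"

# Constructed breach index standing in for HIBP results (placeholder breach names).
BREACH_INDEX = {
    "jane.doe@example.com": ["ExampleBreach2019"],
    "sobrien@example.com": ["PasteDump-placeholder"],
}


def run_stage_two():
    """Full stage: mangle names, then flag which candidates appear in known breaches."""
    candidates = build_candidates(CONTACTS, DOMAIN)
    return check_breaches(candidates, BREACH_INDEX)


if __name__ == "__main__":
    for email, breach in run_stage_two():
        print(f"{email}\t{breach}")
```

Because every candidate is derived from a pattern, a defender can run the same expansion against their own directory to see which guessed addresses resolve to real mailboxes and prioritise those for password resets when a breach hit appears.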
3. Geolocation of Target Servers
This stage identifies the physical locations of the target’s online infrastructure.
IP Resolution
  • The resolve module converts hostnames into IP addresses and updates host entries.
Geolocation
  • The free_geoip module geolocates IPs, revealing the server’s approximate city, region, and country.
  • Location details are appended to the host’s database record.
Shodan Integration (Optional)
  • When a Shodan API key is available:
    • Latitude/longitude data is used by the shodan module to gather additional OSINT such as services, banners, and exposed ports.
4. Comprehensive Software Stack Profiling
The final stage performs a deep analysis of the technologies behind the target website.
BuiltWith Technology Scan
  • The BuiltWith module identifies:
    • Web technologies (e.g., Apache, Nginx, Ubuntu)
    • Infrastructure providers (e.g., AWS)
    • Associated tools (jQuery, New Relic, Analytics services)
  • For large domains, the scan may return hundreds of data points, greatly enriching the OSINT profile.
Additional Discoveries
  • Administrative contacts
  • Social media integrations
  • CDN details
  • Heat‑mapping and analytics tools (e.g., Mouseflow)
  • Optimization platforms (e.g., Optimizely)
Summary
By the end of this lesson, students understand how to conduct a complete OSINT workflow using Recon‑ng:
  • Populate key database tables
  • Form accurate contact and host profiles
  • Identify data breaches ethically
  • Geolocate infrastructure
  • Profile the full technology stack of a target domain
This staged approach reflects real-world ethical OSINT methodology and supports responsible security research.
