One of the most comprehensive ways to gather Technical OSINT on a penetration testing target is to use a search engine called “Shodan.” Shodan isn’t a normal search engine like Google or DuckDuckGo. What Shodan does is scan the internet for devices. 

If you missed part one of our pentesting series, check it out now. 

Shodan can be leveraged to show data about devices in a particular area or attached to a particular network. Unfortunately, the example of nmap.org doesn’t work in this particular scenario as there are no devices like webcams or ftp servers attached to the network so we will have to use another example. Below is an example of finding all listening telnet servers on port 23 in the country of Sweden. As you can see, there are over 20,000 of these servers listening on the internet! If the target was a larger company or a multinational company, it would be much easier to find devices that were facing the internet. Shodan is an extremely powerful search engine that can yield to some potentially beneficial information for your penetration testing target. What is important to note is that building this initial information, Shodan could lead to other ways into the network not previously known.

CONCLUSION

This article did not cover all the ways to accomplish Technical OSINT  but served as an introduction into finding information about a target network. This is just a starting point to finding the tools needed to gather Technical OSINT. Finding the technical information on a penetration testing target can lead to ways into the network through its outer perimeter. Knowing the IP addresses owned, the servers maintained, the devices facing the internet will aid in a technical means of entering the network. More importantly, knowing what IP spaces belong to the network also aids in keeping penetration testers in ensuring they are within the legal bounds of their penetration test.


There are many ways to accomplish Technical OSINT in penetration testing methodology. It is also possible to use the tools mentioned above in other ways not written about. How the tools were used just scratched the surface of their capabilities. These tools used is just a small subset of ways to get passive information and use it to your advantage. Also keep in mind that each tool presents information in different ways and at times more or less information than another tool. Get out there and read more about these tools, experiment with them, and discover the other information they can provide. In the next article we will discuss the topics of Human OSINT and how it can be helpful in penetration testing and how APT1 leveraged it to gain initial access into a foreign network.