Question
Shodan: Shodan is a device search engine; it searches for servers, IoT, and similar devices that are open to the outside world. When interpreting Shodan results for a domain name search, it's important to note that just because a firm's name appears, the device in question may not belong to them. Use other tools to verify ownership.
Search by domain name: What was found? (List at least two if there are multiples): __________________________, _______________________
Screenshot(s) of the specific devices in the search results:
What evidence do you have that the device(s) belong(s) to the company in question? ___________________________________________________________________
Search for a potential vulnerability for one of the devices found, using a vulnerability search engine or a generic search engine. What was the vulnerability? ______________________. CVE # or other source reference: ______________
Search one of the main IP addresses (typically their webserver) for the same firm. What additional device(s) were found? ____________________, ________________________
Screenshot(s) of the devices found by IP search.
Builtwith: Use the tool at https://builtwith.com/ to find out what their public website was built with.
What technologies are in use? ________________________, ______________________, ___________________
What could you do with this information? ____________________________________
________________________________________________________________________
How can you get more detail? ________________________________________________________________________
Technologies: Find two specific technologies used by the company on public-facing sites or servers.
What technologies are in use? _______________________, ________________________
Source? _________________________
Employees: Find two employees of the company. For each employee, find a social network site that is verifiably theirs; e.g., make sure it's the right person, not just the same name.
Employee 1:
Name: ________________________
Social network site URL: _________________
Evidence that this is the same person: ______________________
Any information on their social network site that gives details about their employer: __________________________________________________________________
Employee 2:
Name: ________________________
Social network site URL: _________________
Evidence that this is the same person: ______________________
Any information on their social network site that gives details about their employer: __________________________________________________________________
Other tools:
CHOOSE THREE (3) DIFFERENT TOOLS THAN USED FOR THE FIRST COMPANY. This information must be fundamentally different than previous tools, e.g., not just another WHOIS tool. Use the lists at: http://osintframework.com/ and/or http://www.subliminalhacking.net/2012/12/27/osint-tools-recommendations-list/ for some tool ideas.
Tool 1:
Name: __________________________
Type of information found: ________________________________________________
How could this be useful in a penetration test? __________________________________
Tool 2:
Name: __________________________
Type of information found: ________________________________________________
How could this be useful in a penetration test? __________________________________
Tool 3:
Name: __________________________
Type of information found: ________________________________________________
How could this be useful in a penetration test? __________________________________
Other OSINT Links, in no particular order:
https://centralops.net/co/
https://inteltechniques.com/osint/facebook.html
http://exif.regex.info/exif.cgi
https://www.cia.gov/library/publications/the-world-factbook/
https://inteltechniques.com/menu.html
http://netbootcamp.org/facebook.html
https://www.courtlistener.com/recap/
https://hunter.io/
https://holisticinfosec.blogspot.com/2018/01/toolsmith-130-osint-with-buscador.html
https://www.elevenpaths.com/labstools/foca/index.html