On This Page

Offensive Open Source Intelligence

Shubham Mittal | March 20 - 21


Reconnaissance is the very first phase of any Risk Assessment Exercise, which is often under-rated by many security professionals. Every pentester's arsenal should, therefore, include Open Source Intelligence (OSINT) and active reconnaissance for effective assessments.

This training not only talks about using OSINT to extract data but also focuses on the significance of this data and how it could be directly used in offensive security. Of course, OSINT has found its application in various fields, but for this training, we will be focusing on the use-cases related to the offensive side of security. This hands-on training covers a wide range of OSINT techniques for finding, collecting and correlating publicly available information related to the target, be it a person, company, email, domain or an IP Address. This Extracted information will be further used for launching targeted and effective attacks.

The training will cover topics like unconventional search engines, Social Media Intelligence (SOCMINT), automated data mining, metadata extraction, data-dump harvesting, breach monitoring, Tor and much more. Utilizing a variety of such techniques along with freely available tools and services like DataSploit, Maltego, Foca, etc. as well as tailored scripts, participants will perform real-life attack scenarios. Training will not only cover these topics but will also go in-depth on how OSINT techniques can be chained together and even a small piece of information can lead to the catastrophic results for an organization.

The training program will cover the following topics:

Day 1
  • Organization Profiling and Scoping
  • Mapping the Attack Surface
  • Whois & Reverse Whois, ASN ID, IP Lookups, Allocated IP Range Extraction
  • Subdomain Enumeration
  • Advanced Searching - Searching beyond Google
  • Enumerating and Attacking Subdomains
  • Certificate Transparency Reports and LDNS Walking
  • Identifying Sensitive information from Code Aggregators and Public-Disclosures/Forums
  • Spraying OSINT data over Organization Assets
  • Attacking Assets with Spidering and Metadata Extraction
  • Intelligent Brute Force Attacks like a Pro
  • Automating Dorking and Pattern Matching
  • Attacking Domain IP History

Day 2
  • Identifying and Attacking Neighbours
  • Identifying and Attacking Organization's Supply Chain
  • Email co-relation Account identification and User Profiling
  • Phishing Framework INtegration
  • User's Domain/Service(s) Passwords using Breach Status
  • Writing custom Module for DATASPLOIT
  • Info Gathering using custom MALTEGO Transforms and Machines
  • OSINT for Internal Network Penetration at Catastrophic Level
  • Automating the 'Walkthrough Public Dumps'. Love for Python?
  • Monitoring and Alerting for Attacks
  • Online Anonymity
  • Case Studies
  • Quick OSINT CTF for Fun

Who Should Take this Course

  • Penetration Testers
  • Social Engineers
  • Red-Teamers
  • Bug Bounty Hunters
  • Risk Management Professionals
  • Anyone with an interest in privacy, social media and OSINT

Student Requirements

Should have basic knowledge of Internet operations and Networking

What Students Should Bring

You should have a laptop with admin access on it. It should have a browser and should support Wifi Connection in order to reach the Internet. Any OS is fine (Windows/Mac/Linux). Everything else will be provided in the Student Kit.

Please avoid Chromebooks.

What Students Will Be Provided With

Student Pack which contains:
  • Slide deck and OSINT CheatSheet
  • Important Tools and custom Scripts
  • Code Skeletons
  • Custom OSINT Browser
  • Vagrant Configs - To create instant OSINT Machine(s).
  • Answers to challenges (covered during the training program)
  • Bonus Challenges
  • Access to private CTF Server
  • 1 Month Lab Access


Shubham Mittal is an active Information Security researcher with 5+ years of experience in offensive/defensive security, with interests in OSINT. He has spoken/trained/presented at Black Hat, DEFCON, NullCon, c0c0n, Null (Bangalore, Delhi, and Mumbai chapters), IETF, etc. He is core organizer for Recon-Village at @DEFCON and other security conferences(s). He works from the command line, uses vi and loves beer. Twitter: @upgoingstar / @datasploit / @reconvillage