
Using OSINT Techniques to Land that Dream Job


Open-source Intelligence (OSINT) is the practice of passively gathering information on a target from publicly available data. If you work in Information Security or IT, OSINT is a great way to gain an advantage in landing that perfect job. Using OSINT techniques on a potential employer can help you:

- Know more about their technology stack so that you can match that to your experience during interviews.
- Get a sense of the company's true IT & security maturity, without asking them.
- Find red flags which can allow you to negotiate salary or even back away from a potential bad fit.

Outlined below are a few tools and techniques which are useful for researching a potential employer. If you are happily employed, these tools can also be used to audit your own company's exposure.


DNS Dumpster: dnsdumpster.com

DNS Dumpster is one of my favorite OSINT tools. With it you can view a company's DNS records to get a footprint of their environment: what type of email services they use, which SaaS services they subscribe to, and even unpublished sub-domains that give you a sense of how they run their IT. With this type of information you can match the services they use with your own experience and highlight them on your resume or during the interview process. To start, simply enter the employer's primary domain name in the search box.

 

What to look for:


Find out what type of email protection they use.
  • Look at their MX record. If it's pointing to a 3rd-party email protection company like Proofpoint (pphosted.com) or Mimecast (mimecast.com), it's safe to assume they use that service. If you have experience with the same service, highlight it on your resume or during the interview process. If you don't, you can ask them how they like the tool, and if they ask how you know they use it, you can talk about your awesome new OSINT skills.
Find out what type of cloud services they use.
  • Many SaaS services ask admins to publish a TXT record in their DNS in order to verify they own the domain. Most companies forget to delete these, so you can get an idea of which services they use by looking at the verification records under the TXT Records section. Use this information to highlight your experience with these services, or if you don't have any, ask them how they utilize some of those services.
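As an added example (not DNS Dumpster's code), the script below does the two checks just described on a set of MX and TXT answers: it maps the MX targets to a known email-protection provider and picks out the SaaS domain-verification tokens that are still published. The record values are constructed sample data for a fictional example.com; when auditing your own domain you would paste in the answers from a DNS client such as `dig MX example.com` and `dig TXT example.com`. The provider tables cover only well-known public MX domains and verification-record prefixes; anything else is reported as unrecognised rather than guessed.

```python
"""Fingerprint a domain's mail provider and SaaS stack from its MX and TXT records.

Added example, not DNS Dumpster's code. SAMPLE_MX and SAMPLE_TXT are constructed
values for a fictional example.com, not real lookups.
"""
from __future__ import annotations

# MX hostname suffix -> email-protection / mailbox provider (well-known public domains).
MX_PROVIDERS = {
    "pphosted.com": "Proofpoint",
    "mimecast.com": "Mimecast",
    "mail.protection.outlook.com": "Microsoft 365 (Exchange Online Protection)",
    "google.com": "Google Workspace",
}

# TXT record prefix -> SaaS service whose domain-verification token it is.
VERIFICATION_PREFIXES = {
    "google-site-verification=": "Google",
    "MS=": "Microsoft 365",
    "atlassian-domain-verification=": "Atlassian",
    "docusign=": "DocuSign",
    "facebook-domain-verification=": "Facebook",
    "apple-domain-verification=": "Apple",
}


def classify_mx(mx_targets: list[str]) -> list[str]:
    """Map MX target hostnames to the providers in MX_PROVIDERS, preserving order."""
    providers: list[str] = []
    for target in mx_targets:
        host = target.lower().rstrip(".")          # DNS answers end with a trailing dot
        for suffix, provider in MX_PROVIDERS.items():
            if (host == suffix or host.endswith("." + suffix)) and provider not in providers:
                providers.append(provider)
    return providers


def classify_txt(txt_records: list[str]) -> dict[str, list[str]]:
    """Split TXT records into SaaS verification tokens, SPF, and everything else."""
    result: dict[str, list[str]] = {"verifications": [], "spf": [], "other": []}
    for record in txt_records:
        value = record.strip().strip('"')          # dig prints TXT values quoted
        if value.lower().startswith("v=spf1"):
            result["spf"].append(value)
            continue
        for prefix, service in VERIFICATION_PREFIXES.items():
            if value.startswith(prefix):
                result["verifications"].append(service)
                break
        else:
            result["other"].append(value)          # unknown token: report, don't guess
    return result


def fingerprint(mx_targets: list[str], txt_records: list[str]) -> dict:
    """Summarise what the two record sets reveal about the domain's service stack."""
    txt = classify_txt(txt_records)
    return {
        "email_protection": classify_mx(mx_targets),
        "saas_verifications": txt["verifications"],
        "spf_published": bool(txt["spf"]),
        "unrecognised_txt": txt["other"],
    }


# Constructed sample answers for a fictional example.com (not real lookups).
SAMPLE_MX = ["mxa-0012abcd.gslb.pphosted.com.", "mxb-0012abcd.gslb.pphosted.com."]
SAMPLE_TXT = [
    '"v=spf1 include:spf.protection.outlook.com -all"',
    '"MS=ms12345678"',
    '"google-site-verification=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdef"',
    '"atlassian-domain-verification=ExampleTokenValue"',
    '"some-legacy-token=0xdeadbeef"',
]

if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_MX, SAMPLE_TXT).items():
        print(f"{key}: {value}")
```

Run against your own domain, the `saas_verifications` list is the set of tokens you should consider deleting once onboarding is finished, and `unrecognised_txt` is worth a look for records nobody remembers publishing.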

Shodan: shodan.io

Shodan continuously scans the internet, indexes the results, and gives you an interface to search through that data. It sounds like Google, but the difference is that Shodan also scans common ports, not just HTTP(S). This is great because it can give you a true sense of the company's exposure and security hygiene.



What to look for:

Look for non-standard ports exposed to the web. You can do this by looking at a few of the company's SSL certificates and finding a commonality like the company name. Then you can use Shodan to search for publicly accessible devices using an SSL certificate with that company's name on it. This can give useful results like sites hosted on non-standard ports, and other domains they may own for further OSINT analysis. If you see a lot of Remote Desktop (RDP) ports exposed to the internet, that should be considered a red flag.
  • Search Query: ssl:"<Company Name>"

MX Toolbox: mxtoolbox.com

Email is the top attack vector for most breaches, so configuring email protections like SPF, DKIM and DMARC is critical for protecting the company against spoofing attacks. By using a tool like MX Toolbox you can see if the company is mature enough to have SPF properly configured (with a hard fail) and what services they use to send email.



What to look for:

Are they using best practices for email security?
Enter the company's domain name, then select SPF Record Lookup and click search. If there is no SPF record, this is probably a red flag for me. If they are using hard fail (a "-" instead of a "~" on the SPF record, i.e. "-all" rather than "~all"), it means they have gone through a business process to maintain a list of all services which send mail for them. To me this shows good IT maturity, as most companies have not done this yet.
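As an added example (not MX Toolbox's code), the script below reads an SPF record the way the check above does: is a record published at all, and does its `all` mechanism hard-fail (`-all`), soft-fail (`~all`), stay neutral (`?all`) or pass everything (`+all`)? It also counts the DNS-lookup mechanisms, because RFC 7208 allows at most 10 (`include`, `a`, `mx`, `ptr`, `exists` and `redirect=` each cost one) and a record over that limit evaluates to permerror, which is as bad as having no policy. The record strings are constructed samples for a fictional example.com; for your own domain you would paste in the TXT record returned by the lookup.

```python
"""Parse and grade an SPF TXT record: `all` qualifier and DNS-lookup count.

Added example, not MX Toolbox's code. SAMPLES are constructed records for a
fictional example.com. Lookup counting follows RFC 7208 section 4.6.4.
"""
from __future__ import annotations

import re

QUALIFIERS = {"-": "hard fail", "~": "soft fail", "?": "neutral", "+": "pass"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MODIFIER_RE = re.compile(r"^[a-z][a-z0-9_.-]*=", re.IGNORECASE)   # redirect=, exp=
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms


def parse_spf(record: str | None) -> dict:
    """Return the `all` policy, lookup count and redirect target of one SPF record."""
    value = (record or "").strip().strip('"')
    if not value.lower().startswith("v=spf1"):
        return {"present": False, "all": None, "lookups": 0, "redirect": None}
    lookups = 0
    all_policy = None
    redirect = None
    for term in value.split()[1:]:
        if MODIFIER_RE.match(term):                  # modifier, not a mechanism
            name, _, target = term.partition("=")
            if name.lower() == "redirect":
                lookups += 1
                redirect = target
            continue
        qualifier = "+"                               # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if mechanism == "all":
            all_policy = QUALIFIERS[qualifier]
        elif mechanism in LOOKUP_MECHANISMS:
            lookups += 1
    return {"present": True, "all": all_policy, "lookups": lookups, "redirect": redirect}


def assess_spf(record: str | None) -> str:
    """Turn the parsed record into the red-flag / good-sign verdict used in the text."""
    parsed = parse_spf(record)
    if not parsed["present"]:
        return "red flag: no SPF record"
    if parsed["all"] is None and parsed["redirect"]:
        verdict = f"policy delegated to {parsed['redirect']} via redirect=; evaluate that record"
    else:
        verdict = {
            "hard fail": "good: hard fail (-all)",
            "soft fail": "weaker: soft fail (~all)",
            "neutral": "red flag: neutral (?all) gives receivers nothing to enforce",
            "pass": "red flag: +all authorises every sender on the internet",
            None: "red flag: no `all` mechanism, so unlisted senders are treated as neutral",
        }[parsed["all"]]
    if parsed["lookups"] > MAX_LOOKUPS:
        verdict += (f"; red flag: {parsed['lookups']} DNS lookups exceed the limit of "
                    f"{MAX_LOOKUPS} (permerror)")
    return verdict


# Constructed records for a fictional example.com.
SAMPLES = {
    "hard": "v=spf1 include:spf.protection.outlook.com include:_spf.google.com ip4:203.0.113.0/24 -all",
    "soft": "v=spf1 include:spf.protection.outlook.com ~all",
    "no_all": "v=spf1 mx a:mail.example.com redirect=_spf.example.com",
    "missing": None,
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name:8s} {assess_spf(record)}")
```

The lookup count matters because a record that has accumulated `include:` lines over years of onboarding new SaaS senders can silently pass 10 and stop working altogether, which looks like a hard fail in the record text but enforces nothing.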

SSL Labs: ssllabs.com

SSL Labs is a free service that grades the TLS/SSL configuration of any public web site. This can be handy for quickly seeing whether the company has a good handle on configuration management.

What to look for:

Are they using best practices for TLS? SSL Labs grades a website's TLS configuration from 'A' to 'F' (A being the best), and most mature organizations know about this service and configure their TLS settings to conform with SSL Labs best practices (A). I'd consider a D or F here to be a red flag, as most modern default configurations receive a B.


Google Fu / Google Dorks: google.com

Google has some built-in search filters which can be very useful for finding out whether a company has poor security hygiene. With clever Google searching you can discover sub-domains that were not meant to be exposed, login pages which are meant to be internal, and many other misconfigurations.

What to look for:

What interesting sub-domains do they have exposed?
Start with searching: site:<DOMAIN> -inurl:www
Replace <DOMAIN> with the company's primary domain; the "-inurl:www" removes their primary site in order to show you the other sub-domains indexed by Google. If you find development, QA or test sites publicly accessible, admin interfaces, or websites that should not be accessible, take that as a red flag for low security maturity.
Other Google Dorks / Google Fu resources: There are hundreds of other Google search queries that you can use to find interesting information on a company; below are some sites that list out some great ones.
