OSINT Training

OS OPERATION CHIMERA

OPEN-SOURCE INTELLIGENCE MODULE // SECURITY BLUE TEAM

OPERATION CHIMERA – OSINT

CONTENTS
[1] What is OSINT?
[2] Why is it Useful?
[3] Associated Roles
[4] Recommended Sources
[5] Counter-OSINT
[6] Module Challenge

This document is not 100% finished and will be updated within the next 24 hours. Thank you for your patience.

This module is designed to give a look into the world of Open-Source Intelligence gathering and utilization. It is aimed at individuals who are moving into Cyber, so the material is aimed at an entry-level student. We strongly encourage further reading using the provided sources and any that you find yourself. Want to talk to other hackers about this specific module? Join the discussion in the “osint-module” channel within the “Operation Chimera” category in the SBT Discord server. There is also a Chimera mega-thread on Reddit. Please make use of this to ask questions and talk to other participants!

This information has been gathered from public sources and combined with my own knowledge and experiences for the purpose of Operation Chimera, an online, live blue-team training operation conducted by myself under the alias Known Divide, for the SecurityBlueTeam community.

Useful Links:
[1] https://securitytrails.com/blog/top-20-intel-tools
[2] https://www.sans.org/course/open-source-intelligence-gathering
[3] https://securitytrails.com/blog/what-is-osint-how-can-i-make-use-of-it

WHAT IS OPEN-SOURCE INTELLIGENCE?
“Open source intelligence (OSINT) is information collected from public sources such as those available on the Internet, although the term isn't strictly limited to the internet, but rather means all publicly available sources.”

WHY IS IT USEFUL?
Information gained from OSINT sources can be useful in many different circumstances. Whether that’s keeping up to date with the latest vulnerability releases and exploitation activity, tracking employees’ responsible use of social media in regard to their working lives, or using threat exchanges to check and share malicious IOCs, OSINT is a key aspect of cyber defense, and utilizing this freely available information is crucial. OSINT is also used by law enforcement agencies and governments to profile and track the activity of criminals and individuals of interest.

If you’ve enjoyed this event, please consider donating whatever you can spare to buy me pizza, coffee, and help fund future events! (even £5/$5 will make a huge difference, and it only takes a few seconds).
https://paypal.me/KDMentoring

ASSOCIATED ROLES
The below roles generally contain work that includes utilizing Open-Source
Intelligence for defensive cyber purposes:

• Tier One SOC Analyst (Junior Security Analyst)
OSINT is used to perform searches on potentially malicious IPs, domains, and other IOCs. Reputation reports from threat exchanges can help investigations.
• Tier Two SOC Analyst (Security Analyst)
OSINT is used to connect with organizations and groups that share not
only malicious IOCs, but also defensive techniques, such as custom
SIEM and IDS rules to help boost cyber defences.
• Threat Intelligence Analyst
Using OSINT sources to keep up to date with the latest security news,
including malicious campaigns, vulnerability releases, and
exploitation activity.
• Vulnerability Analyst
Using OSINT sources to keep up to date with the latest security news,
including malicious campaigns, vulnerability releases, and
exploitation activity.
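The Tier One description above mentions searching potentially malicious IPs, domains and hashes against threat exchanges. Before an analyst can search or share anything, the indicators have to be pulled out of free-form notes and normalised, because shared intel is usually "defanged" (hxxp, [.]) so it cannot be clicked by accident. The following is an added example, my code rather than anything from the module, run over a constructed triage note; the IP, hostnames and hash in it are made up, and the regular expressions are deliberately simple.

```python
import re

# Constructed sample: an analyst's triage notes with IOCs in both live and
# "defanged" form (hxxp and [.] are common conventions in shared intel).
SAMPLE_NOTES = """
Alert fired for outbound connection to 203.0.113.45 on port 443.
Phishing link in email: hxxp://login-update[.]example[.]net/verify
Second stage downloaded from evil.example.org; hash
d41d8cd98f00b204e9800998ecf8427e seen in the sandbox report.
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: labels joined by "." or the defanged "[.]", ending in a letters-only TLD
HOST = re.compile(r"\b(?:[a-z0-9-]+(?:\.|\[\.\]))+[a-z]{2,}\b", re.IGNORECASE)
MD5 = re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form a threat exchange expects."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def defang(ioc: str) -> str:
    """Make an indicator safe to paste into a report or a threat exchange post."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def valid_ipv4(addr: str) -> bool:
    """Reject regex matches such as 999.1.1.1 that are not real addresses."""
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def extract_iocs(text: str) -> dict:
    """Return de-duplicated, refanged IOCs grouped by type."""
    return {
        "ipv4": sorted({m for m in IPV4.findall(text) if valid_ipv4(m)}),
        "domain": sorted({refang(m).lower() for m in HOST.findall(text)}),
        "md5": sorted({m.lower() for m in MD5.findall(text)}),
    }


def share_ready(iocs: dict) -> list:
    """Flat, defanged list (ipv4, then domain, then md5) ready for sharing."""
    out = []
    for kind in ("ipv4", "domain", "md5"):
        out.extend(defang(value) for value in iocs[kind])
    return out


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_NOTES)
    for kind, values in found.items():
        print(kind, values)
    print("defanged:", share_ready(found))
```

The refanged values are what you would search on a reputation service; the defanged list is what goes back into a ticket or a community share, so nobody opens a live link by accident.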

RECOMMENDED OSINT SOURCES

OSINT Framework: This web application is a hub for hundreds of OSINT sources, and is easily sorted so you can find the tool that you need quickly. Say I wanted to create a fake persona so I could launch some social-engineering attacks during a Red Team exercise at my company. By opening the OpSec arm, and then Persona Creation, I’m provided with 5 links to online tools that can help me with the task I’m trying to complete.

I strongly suggest you check out this tool and see what interesting sites and tools you can find from it. https://www.osintframework.com

HaveIBeenPwned: This collection of public data breaches has been combined and allows users to enter their email addresses to see if they have been mentioned in any breaches. This is the result of an old email address I have, that I now use as a phishing honeypot:

You can reverse this, and enter in the email address of a target, and see if they have been spotted in a breach. From there, you could try to find access to a dump of the breach and see if their email was leaked with a password, or other information which could be used to conduct social engineering attacks (make sure this is in scope of your threat simulation engagement). Try it out yourself at https://haveibeenpwned.com (If you’ve been pwned, might be time to change your passwords!)
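The section above ends with the advice to change passwords that turn up in a breach. The same service's Pwned Passwords range endpoint lets you check a password without ever sending it, and the following added example (my code, not the module's) shows the k-anonymity mechanism behind that: hash locally, send only the first five hex characters, and match the rest against the returned suffix list. The response body used here is constructed (the counts are made up); fetch_range shows the real endpoint but is not called, so the example runs offline.

```python
import hashlib

# Constructed stand-in for the body of
#   GET https://api.pwnedpasswords.com/range/5BAA6
# A real response has several hundred lines. Each line is
#   <SHA-1 suffix, chars 6..40>:<number of times seen in breaches>
# The counts below are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
011053FD0102E94D6AE2F8B83D76FAF94F6:4
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
"""


def sha1_prefix_suffix(password: str):
    """Hash locally and split: only the 5-char prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Map each returned suffix to its breach count."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_response_text: str) -> int:
    """Times the password appears in the range response, 0 if absent."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_response_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-char prefix. Not called by the offline demo."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "osint-module-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    # Offline: reuse the constructed body. Live: fetch_range(prefix) instead.
    print(prefix, "seen", breach_count("password", SAMPLE_RANGE_RESPONSE), "times")
```

Because the server only ever sees the five-character prefix, it cannot tell which of the hundreds of matching hashes you were interested in; that is the property that makes it safe to check passwords against a public breach corpus.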

Maltego: This is a great tool that allows you to visually record all data points you find using OSINT techniques, allowing you to map out all the information you have. “The basic focus of the application is analyzing real-world relationships (social networks and computer network nodes) between people, groups, webpages, domains, networks, internet infrastructure, and affiliations with online services such as Twitter and Facebook”. This tool comes included in Kali Linux, so have a go yourself!

Google Dorks: Google is helpful in general, but Google Dorks are little hacks, where we can use special arguments in a normal Google query to find specific information. Real-world examples of using Dorks include:
• Retrieving files from domains to analyze them for internal system leaked information, and for use in creating targeted password wordlists.
• Finding hidden webpages and login portals.
• Subdomain enumeration
• And more!

Dorks come in the format operator:keyword; an example of this would be filetype:pdf. So, let’s see what PDFs we can find that are associated with Facebook, using the complete query:
Facebook.com filetype:pdf

Now let’s see how Dorks can be used to enumerate all subdomains of a domain, for passive reconnaissance purposes. For this, we will use Facebook again as the example, with the following query:
site:"Facebook.com" -site:"www.Facebook.com"
(Look for sites that include .Facebook.com) (but NOT www.Facebook.com)

Here we can see the list begins with two subdomains, code.facebook.com, and
portal.facebook.com. We have successfully enumerated subdomains using
Google Dorks! Have a go yourself with any Domain you choose.
Google Dorks are very useful, so take a look at this list of common Dorks and
use them yourself to really understand how they work, and how they could be
used for defensive or offensive security.
https://securitytrails.com/blog/google-hacking-techniques
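Added example, not code from the module: given a list of search-result URLs, here a constructed sample standing in for what the two Facebook queries above return, this reproduces what the site: negation and the filetype: operator actually select, then compares the discovered hosts against an asset inventory. That last step is how a defender uses the same technique: any subdomain that search engines can see but nobody has inventoried is worth a look. code.facebook.com and portal.facebook.com are the two hosts named in the text; the other hostnames and the asset list are illustrative.

```python
from urllib.parse import urlparse

# Constructed result URLs, standing in for the output of
#   site:"facebook.com" -site:"www.facebook.com"   and   facebook.com filetype:pdf
SAMPLE_RESULTS = [
    "https://code.facebook.com/posts/1234",
    "https://portal.facebook.com/login",
    "https://www.facebook.com/help/",
    "https://portal.facebook.com/docs/guide.pdf",
    "https://research.facebook.com/file/whitepaper.PDF?dl=1",
    "https://notfacebook.com/facebook.com/report.pdf",  # different registrable domain
    "http://m.facebook.com/",
]

# Constructed asset inventory, as a defender's CMDB export might look.
KNOWN_ASSETS = {"www.facebook.com", "code.facebook.com", "m.facebook.com"}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def in_scope(host: str, domain: str) -> bool:
    """site:"domain" matches the apex and anything ending in ".domain",
    so "notfacebook.com" is correctly excluded."""
    return host == domain or host.endswith("." + domain)


def subdomains(urls, domain: str, exclude=("www",)) -> list:
    """Unique hosts below `domain`, dropping the labels in `exclude`
    (mirrors the -site:"www.domain" negation in the query above)."""
    found = set()
    for url in urls:
        host = host_of(url)
        if not in_scope(host, domain) or host == domain:
            continue
        label = host[: -len("." + domain)]
        if label in exclude:
            continue
        found.add(host)
    return sorted(found)


def documents(urls, domain: str, ext: str = "pdf") -> list:
    """In-scope URLs whose path ends in .ext (mirrors filetype:pdf);
    the query string is ignored, as a search engine would."""
    hits = []
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if in_scope(host, domain) and parsed.path.lower().endswith("." + ext):
            hits.append(url)
    return hits


def unexpected_hosts(discovered, known_assets) -> list:
    """Discovered hosts missing from the inventory: review candidates."""
    return sorted(set(discovered) - set(known_assets))


if __name__ == "__main__":
    hosts = subdomains(SAMPLE_RESULTS, "facebook.com")
    print("subdomains:", hosts)
    print("pdf documents:", documents(SAMPLE_RESULTS, "facebook.com"))
    print("not in inventory:", unexpected_hosts(hosts, KNOWN_ASSETS))
```

Run it against your own domain's results and the last line is the interesting one: each host it lists is exposed to anyone with a search engine, whether or not it was ever meant to be public.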

Tweetdeck: Twitter is an incredible source of information. Read my personal post about using Twitter and Tweetdeck for Defensive Monitoring and Threat Intelligence -
https://www.reddit.com/r/SecurityBlueTeam/comments/cmca63/using_tweetdeck_for_defensive_monitoring_threat/
You’ll be using this in the OSINT Challenge, so make sure you’ve read this, and understand how to set it up.

The Harvester: This is an information gathering tool that utilizes OSINT sources to gather information about the target domain, and retrieve information such as hostnames, IP addresses, employees and their positions, email addresses, and much more. In the below example, I am performing simple reconnaissance on the domain Google.com, using Google as the data source:
theharvester -d google.com -l 100 -b google
(tool) (target domain = google.com) (list 100 results max) (source = google)

This didn’t give us too much information, but knowing the IPs associated with Google subdomains could be useful. Now let’s try something a little bit different. If we wanted to launch social engineering attacks against some Google employees, we can quickly identify potential targets by setting the data source to be ‘linkedin’ instead of ‘google’:
theharvester -d google.com -l 100 -b linkedin
(tool) (target domain = google.com) (list 100 results max) (source = linkedin)

Now we have a list of potential targets, along with their job titles. We can do further reconnaissance on them using LinkedIn itself and build up a profile on them using a tool like Maltego, then we can launch spear-phishing attacks as part of a threat simulation engagement.

Try using The Harvester with different domains, and different data sources. You can access the help sheet for this tool by using the command theharvester.

COUNTER-OSINT
In such a digital world, it’s hard to maintain total privacy, especially with the
popularity of social-media, and social expectations to share everything you
do. However, over time laws and regulations regarding privacy have become
more prominent, and now it’s easier than ever to take control of who sees your
content, as well as use products and services to keep your online life private.
This section will cover three main areas, VPNs (Private Internet Access), Social
Media, and Operational Security (OpSec) – COMING SOON.

MODULE CHALLENGE
If you feel you’re familiar with what OSINT is, and how to gather information
effectively, then you may be ready for the Challenge! We suggest you still do
some of your own research using the ‘Useful Links’ on the first page before
attempting the Challenge.

What will I need for this Challenge?
• A Twitter account (throw-away or legitimate, it won’t matter)
• Virtualbox (https://www.virtualbox.org/wiki/Downloads)
• Kali Linux VM (https://www.kali.org/downloads)

Challenge Brief:
Throughout the following tasks there will be flags which can be submitted for points. Please find the submission form on the website https://securityblue.team/operation-chimera

Part One) Set up your own Tweetdeck monitoring panel. Create 3 columns to monitor for security-related activity (see my Tweetdeck blog post above). Create a fourth column which is performing the following search:
#Unc4gedSq4d AND flag

Part Two) Use Google Dorks to find all pages (visible and hidden) of SecurityBlue.Team (site:"securityblue.team" -site:"www.securityblue.team")
1. How many pages can you find this way?
2. What is the name of the page that features my Tweetdeck image?
3. What is the flag on the “secret” page? (Use a different Dork for this!)
4. What is the name of the first PDF result under the domain Twitter.com?

Part Three) Use The Harvester to perform OSINT reconnaissance on any domain you choose. You will be asked to submit a short report on what information was discovered, and how this could be useful to both an Attacker and a Defender.
