The Power of Open Source Intelligence
In cybersecurity, the battle is often won before the first exploit is launched. OSINT (Open Source Intelligence) is the art of gathering publicly available information to build a profile of your target. The Web OSINT room on TryHackMe is an excellent training ground for learning how to connect the dots across the internet.
At Kian Technologies, we emphasize that a "Digital Commando" must first be a "Digital Detective." OSINT allows us to find entry points that automated scanners often miss.
Task 1 When A Website Does Not Exist:
Here our target is RepublicofKoffee.com. This domain doesn’t exist, and we have to find information about it. As described in the task section, I just googled it with quotes, “RepublicofKoffee.com”, and got some results about it.
I was interested in this result, https://dawhois.com/, and got many of the answers for the second task there.
So dawhois is basically a website that gives information about domain names.
Task 2 Whois Registration:
We’ll also need to use lookup.icann.org to find more information.
Q1 What is the name of the company the domain was registered with ?

Namecheap Inc
Q2 What phone number is listed for the registration company? (do not include country code or special characters/spaces)

6613102107
Q3 What is the first nameserver listed for the site?

DNS1.REGISTRAR-SERVERS.COM
Nameservers: A nameserver, also referred to as “name server,” is a server designed to translate domain names into IP addresses. It handles queries from clients, like a computer or tablet, about the location of a domain name and its services on the DNS servers. Any server that has DNS software can be considered a nameserver. source: bluehost.com
Q4 What is listed for the name of the registrant?
This question consumed much of my time because I was getting this name for the company (registrant):

But when I used lookup.icann.org to find more information, I got a different result.

You’ll think both names are the same, but the answer was redacted for privacy, I don’t know why???
Q5 What country is listed for the registrant?
This question also took a lot of time. First I got that its country was Iceland, but that is the present one; when the company started, its country was different.
I used this tool, https://www.whoxy.com/republicofkoffee.com#history, to find the history of this domain and got this result:
Panama
Now we are done with Task 2, in which we used tools like https://dawhois.com, https://lookup.icann.org and https://www.whoxy.com/, and also learned about nameservers and how to find the history of domain names.
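The Task 2 lookups can also be done on raw WHOIS text instead of a web page. The sketch below is an added example, not part of the original walkthrough: it parses a constructed record, pulls out the registrar, phone digits and nameservers in order, and flags a registrant name that is only a privacy placeholder. The field names follow the common "Key: Value" layout and the keyword list is an assumption.

```python
import re

# Constructed record in the common "Key: Value" WHOIS layout (not a real domain).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Phone: +1.5555550100
Creation Date: 2015-03-02T10:00:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Country: IS
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""

PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "withheld")  # assumed keywords

def parse_whois(text):
    """Map each lowercased key to its values, in the order they appear."""
    fields = {}
    for line in text.splitlines():
        if line.lstrip().startswith((">>>", "%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def national_digits(phone):
    """'+1.5555550100' -> '5555550100': drop the '+CC.' prefix and punctuation."""
    return re.sub(r"\D", "", re.sub(r"^\+\d{1,3}\.", "", phone.strip()))

def summarize(fields):
    first = lambda key: (fields.get(key) or [None])[0]
    registrant = first("registrant name")
    return {
        "registrar": first("registrar"),
        "phone": national_digits(first("registrar abuse contact phone") or ""),
        "nameservers": fields.get("name server", []),
        "registrant": registrant,
        "registrant_hidden": bool(registrant) and any(
            m in registrant.lower() for m in PRIVACY_MARKERS),
        "registrant_country": first("registrant country"),
    }

print(summarize(parse_whois(SAMPLE_WHOIS)))
```

A current record only shows the present registrant country; an earlier value, as in Q5, has to come from a history service.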
Task 3 Ghosts of Websites Past:
Now moving on to Task 3, in which we use the Wayback Machine (an online archive that crawls all the web pages on the internet and stores them in its database along with their dates). It’s not the official definition, but it’s easy to understand.
So, let’s solve the problems.
Q1 What is the first name of the blog’s author?
I just entered the domain name on the Wayback Machine (archive.org) and got the website. It was a WordPress-based blogging website, and when I opened the blog I got the name of the author.
Steve
Q2 What city and country was the author writing from?
For this question I read each and every blog post, and one thing common to each was the city name Gwangju. I searched for it, and this city is in South Korea.
Gwangju, South Korea
Q3 [Research] What is the name (in English) of the temple inside the National Park the author frequently visits?
I found one blog post in which the park was mentioned; then I just searched the park name with the keyword “temple” and got the result.
Jeungsimsa Temple
Now we are done with Task 3 as well, in which we learned about the Wayback Machine and how we can use it to find things that don’t exist at the present time.
Task 4 Digging into DNS
In this task we have to find some information about the domain’s IP history; for this we used viewdns.info.
Q1 What was RepublicOfKoffee.com’s IP address as of October 2016?
For this we used the IP history utility, https://viewdns.info/iphistory/?domain=RepublicofKoffee.com, and got this result:
173.248.188.152
Q2 Based on the other domains hosted on the same IP address, what kind of hosting service can we safely assume our target uses?
It’s Shared
Q3 How many times has the IP address changed in the history of the domain?
It’s 4 times, as we can see in the result above.
Now we are done with Task 4 and learned about the viewdns.info IP history utility.
Task 5 Taking Off The Training Wheels
Now in Task 5 we get another domain, heat.net, and we have to find info about it. To find all the answers we used the tools from the earlier tasks, up to Task 4.
Q1 What is the second nameserver listed for the domain?
Use dawhois or whois

NS2.HEAT.NET
Q2 What IP address was the domain listed on as of December 2011?
Use viewdns.info
72.52.192.240
Q3 Based on domains that share the same IP, what kind of hosting service is the domain owner using?
Shared
Q4 On what date was the site first captured by the internet archive? (MM/DD/YY format)
For this I used archive.org and got the result.
06/01/97
Q5 What is the first sentence of the first body paragraph from the final capture of 2001?

After years of great online gaming, it’s time to say good-bye.
Q6 Using your search engine skills, what was the name of the company that was responsible for the original version of the site?
You can see sega.com was there in the above answer, so the answer was segasoft.
Q7 What does the first header on the site on the last capture of 2010 say?
Search yourself hahahah
Now we are done with Task 5 as well, and completed most of the questions with the help of the Wayback Machine.
Task 6 Taking A Peek Under The Hood Of A Website
Q1 How many internal links are in the text of the article?
Head over to this page, http://heat.net/36/need-to-hire-a-commercial-heating-contractor/, and count the links that are visible; there are 5.
Q2 How many external links are in the text of the article?
There is one external link, purchase.org.
Q3 Website in the article’s only external link ( that isn’t an ad)
purchase.org
Q4 Try to find the Google Analytics code linked to the site
Open the page source (right-click and choose View Page Source) and search for ga.js; you’ll then get the answer: UA-251372-24
Q5 Is the Google Analytics code in use on another website? Yay or nay
Use nerdydata.com
nay
Q6 Does the link to this website have any obvious affiliate codes embedded with it? Yay or Nay
No, I searched for href and there were no affiliate links.
Nay
Now we are finally done with Task 6, so let’s move on to the final task.
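The manual checks in Task 6 (counting internal and external links in the article, spotting affiliate parameters, finding the Google Analytics ID) can be scripted against saved page source. This is an added example, not from the original walkthrough or the room; the HTML, the domains, the UA-000000-1 ID and the list of affiliate parameter names are all constructed or assumed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed page source: the domains and the UA-000000-1 ID are placeholders.
SAMPLE_HTML = """<html><head><script>
var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-000000-1']);
</script><script src="http://www.google-analytics.com/ga.js"></script></head>
<body><a href="/">Home</a><article>
<p>Read <a href="/12/boilers/">this</a> and <a href="http://site.test/13/vents/">that</a>,
then compare prices at <a href="http://shop.test/deals?ref=partner42">a shop</a>
or see <a href="http://other.test/guide">a guide</a>.</p>
</article></body></html>"""

AFFILIATE_KEYS = {"ref", "aff", "affid", "affiliate", "partner"}  # assumed, not exhaustive
GA_ID = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")  # classic Universal Analytics ID shape

class ArticleLinks(HTMLParser):
    """Collect href values of <a> tags that sit inside <article>."""
    def __init__(self):
        super().__init__()
        self.depth, self.hrefs = 0, []
    def handle_starttag(self, tag, attrs):
        if tag == "article":
            self.depth += 1
        elif tag == "a" and self.depth:
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)
    def handle_endtag(self, tag):
        if tag == "article" and self.depth:
            self.depth -= 1

def analyze(html, page_url):
    """Split article links into internal/external and pull tracking IDs."""
    parser = ArticleLinks()
    parser.feed(html)
    site = urlparse(page_url).hostname
    report = {"internal": [], "external": [], "affiliate": [],
              "ga_ids": sorted(set(GA_ID.findall(html)))}
    for href in parser.hrefs:
        url = urljoin(page_url, href)
        parts = urlparse(url)
        report["internal" if parts.hostname == site else "external"].append(url)
        if AFFILIATE_KEYS & {k.lower() for k in parse_qs(parts.query)}:
            report["affiliate"].append(url)
    return report

print(analyze(SAMPLE_HTML, "http://site.test/36/some-article/"))
```

Hostnames are compared exactly, so a `www.` variant of the same site would be counted as external; normalise the hostnames first if the page mixes both forms.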
Task 7 Final Exam: Connect the Dots
In this task I just used viewdns.info and compared the results for both domains, heat.net and purchase.org. One thing was common: the owner for both was Liquid Web, L.L.C
Q1 Use the tools in Task 4 to confirm the link between the two sites. Try hard to figure it out without the hint.
Liquid Web, L.L.C
Task 8 Debriefing:
Click to complete
No Answer needed.
Task 9 Wrap-up:
A little web OSINT knowledge can go a long way in online investigations. A few examples of where it comes into play include any kind of business OSINT, online scams, or even political journalism. If you would like to see a prime example of this kind of research being put into practice, I highly recommend checking out NixIntel’s expose linking antifa.com to Russia, which is an amazing case study.
Make sure to check out the other OSINT boxes out there such as:
- The Searchlight IMINT Room and Geolocation for Geolocation and Image Analysis
- The Google Dork room for advanced search engine operators
- The OhSINT room for a little extra IMINT practice
There are also two fantastic podcasts that every OSINT practitioner should regularly listen to. The OSINT Curious podcast and The Privacy, Security, & OSINT Show.
Finally, a solid paid option for OSINT training that won’t break the bank is TheOSINTion. If you enjoyed the content of this room you would LOVE the Business OSINT course they offer. I have no affiliation with the course other than being a satisfied customer.
Empowering the next generation of ethical defenders.





