eLearnSecurity Blog

Pentesting 101: Human OSINT Continued

eLearnSecurity’s guide to penetration testing fundamentals continues with more information on human OSINT

Google and file searches on a website are good ways to accomplish manual Human OSINT. However, most penetration testers like automation. There is a tool called “Maltego” that automates many of the search processes one would use on multiple search engines and social media platforms. Maltego is an application that has many plugins that interface with APIs of various internet databases. Some of these databases are ones that previous articles have mentioned like shodan.io. These APIs can be installed and searched separately.

Using Maltego is straight forward. It creates nodes and links to pieces of data related to search terms input into the APIs. Using Maltego’s interface is quite easy and helps to view data graphically instead of mostly text based. This is a good way to build a profile of a pentester’s target network, email addresses, hosted files, servers, subdomains, etc. Keep in mind that there are different tiers of Maltego. The examples shown are what can be found using the free version of Maltego. Paid versions offer more access to different APIs, which could provide more information on a particular target. Below are screenshots of nodes and links when using Maltego for data mining.

Examples of how this data can be used is vast. In later articles, they will build upon the significance of conducting Human OSINT. However, just to jog the mind before those articles are released, here are a couple small examples:

  • The last article on Technical OSINT talked about the tool “theHarvester.” Using it, one could glean a domain registrar’s email address. Turning around and using the email address schema to email another user who has posted a .pdf on the company website from a CEO’s faked email address.
  • Some websites will host a spreadsheet to word document online that has their telephone directory with names. Using that data, an attacker could setup a fake website that looks identical to their organization’s website. However, the attacker’s website hosts malware. Using a name found in the telephone directory, a fake network administrator could call someone from HR and ask them to click on a link they receive in their email.


 Having Human OSINT helps build a profile for the target network. Doing homework up front on human factors of the network can yield a foothold into the network. Things like email attachments or targeted password reset links are just a couple of ways to use the information gained through Human OSINT. Even though Human and Technical OSINT are split into two categories, the data they produced are used to help shape the picture. These two OSINT disciplines complement each other.

Again, the way these tools were used in this article only scratches the surface of their true capacity. There are many other tools out there that can bring more or different information than presented above. The goal of this article is to show the concepts of Human OSINT and it can be accomplished through different means. Use the concepts seen here and apply them to other tools and learn those tools the best you can.

In the next article we will discuss the topics of scanning a network and the technical information that could be leveraged to gain initial access into a foreign network.

Hisomeru is a contributing player in the infosec community. In Hisomeru’s more than 15 years of experience, Hisormeru has managed IT security teams, developed custom tools and performed penetration tests. Cyber security is Hisomeru’s passion and Hisomeru has taught many individuals cutting edge penetration testing techniques. Hisomeru’s twitter is: https://twitter.com/Hisomeru

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Go to top of page