Business Intelligence – Intro to reconnaissance

Pierluigi Paganini October 29, 2013

Exploring the Business Intelligence module proposed by the online course of the Hacker Academy – Intro to reconnaissance phase for a penetration testing.

One of the most important components of the reconnaissance process in pen testing activity is the business intelligence. Once chosen the target it is important to gather business information on it before to try to probe target systems, for the attackers is crucial to know the business model of victims and the data they manage.

Understand the information structure for the target is essential to discover information vulnerabilities, it’s quite different to attack an IT company for which Intellectual Property is the core business from a merely commercial business for which sales information represent the real corporate assets.

Business is based on information, and the main goal of business intelligence is to obtain information that could advantage the successive phases of the attack (e.g. Personal information, knowledge of company products, subcontractor’s name and so on).


The Hacker Academy


It is essential to distinguish Passive information gathering from active reconnaissance. In passive information gathering the attacker doesn’t interact with targets directly, a typical example is represented by the collection of information from third party including search engines and social network platforms.

Inactive information gathering scenario the attacker directly interacts with the target, for example though social engineering techniques or Dumpster diving.

Google as usual is an invaluable tool for the intelligence analysis, let’s remember that intelligence agencies like NSA have trained their agents in the used by so powerful tool for OSINT activities. Another precious source of information is represented by social networking platform, from the analysis of network of contacts of employees in the targeted information it is possible to acquire useful information for the attack, it is amazing the quantity of information leaked by corporate personnel in the social media (e.g. Images, location,habits) .

Publicly available documents represent a mine of information on the target, let’s think to company press releases or public news published on the corporate web site (e.g. The target is hiring specific figures that could give to the attacker an idea of internal organization). On the internet is also to find numerous websites that aggregates company information and allow their clients to conduct paid researches to organize their marketing activities, but those data are crucial for hackers during the reconnaissance phase.

Recruiting information for example are considerably one of the best sources of company information, job posting page on the official website could provide to the attacker information on technologies used in the company (e.g. Firewall, Internal server type, network appliances adopted).

The information gathering during reconnaissance phase is simply for public companies that are obliged to make public a lot of information including the list of key employees, business processes and partnerships. Web sites such as website are a good example of a company information repository, but other precious sources to examine are Google Groups to search for post by people of the target company or The Mail Archive website ( to conduct researches on the mailing list.

reconnaissance OSINT Hoovers

The web is full of tools that could support reconnaissance phase, theHarvester is surely one of them.

The tool is designed to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources including search engines, social networks, PGP key servers and SHODAN computer database. theHarvested is also able to conduct active reconnaissance, it could be used to DNS brute force and DNS reverse lookup. Following an example of information retrieved by the tool searching for

 OSINT reconnaissance harvester-screenshot

Another powerful professional tool for business intelligence is Maltego, it is an application that can be used to determine the relationships and real world links between:

  • People
  • Groups of people (social networks)
  • Companies
  • Organizations
  • Web sites
  • Internet infrastructure such as:
    • Domains
    • DNS names
    • Netblocks
    • IP addresses
    • Phrases
    • Affiliations
    • Documents and files

The tool is very powerful and provides a friendly graphical interface to visualize relationships within entities of interest.

 reconnaissance Maltego

The tools presented are just a couple of options in the arsenal of the attackers that could count on other efficient applications including the following ones:

Application Description
Addict-o-matic Aggregator that allows to enter a search term and build a page from search and social networking sites.
Creepy Creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services.
Jigsaw Jigsaw is a tool used to obtain company profile and information such as sales leads and business contacts.
FBStalker FBStalker, a tool created to find a comprehensive amount of data on any Facebook user.
Foca Multi search engine to search servers, domains, URLs and documents published, and the discovery of software versions of servers and clients. Useful mainly for metadata extraction on public documents.
Google Hacking DB  Google Search Query to mine data with popular search engine
Glass Door Search jobs then look inside. Company salaries, reviews, interview questions, and more – all posted anonymously by employees and job seekers.
LittleSis LittleSis is a free database for analisys of profile in business and government.
Recon-NG Reconnaissance tool for LinkedIn, Jigsaw, Shodan and some search engine fu.
Recorded Future Recorded Future intelligence analysis tools help analysts understand trends in big data, and foresee what may happen in the future.
Scythe Scythe was designed to test a range of email addresses (or account names) across a range of websites (e.g. social media, blogging platforms, etc…) to find where those “targets” have active accounts.
Shodan Search for computers based on software, geography, operating system, IP address and more.
Silobreaker Enterprise Semantic Search Engine, allows virtualiation of data, analytics and exploration of key data.
Social Mention Real-time social media search and analysis
Spokeo People search engine, it allows to find free white pages finds phone, address, email, and photos
Whos Talkin Social media search tool that allows users to search for conversations on topics of interest


Have a fun!

Pierluigi Paganini

(Security Affairs – OSINT, security)

you might also like

leave a comment