Passive OSINT: Mapping the Target Without Touching It

By Debraj Basak·Jun 19, 2026 · Updated Jun 20, 2026·12 min readRed Teaming

Objective: Understand how authorized red teamers and defenders build a complete external attack-surface picture of an organization using only public, third-party data sources — generating zero packets to target systems — and how defenders run the same exercise against themselves to shrink that exposure.

1. What “Passive” Actually Means

Passive reconnaissance never interacts with the target’s own infrastructure. Every byte you read comes from a third-party aggregator — a registrar’s WHOIS server, a certificate transparency log, Shodan’s index, a breach database, a search-engine cache. The target’s web servers, DNS resolvers, and firewalls log nothing, because you never send them anything. That property is the entire point: passive OSINT leaves no forensic trail on the defender’s systems.

This contrasts directly with Active Scanning (T1595), where you resolve hostnames against the target’s authoritative nameservers, fingerprint services, or port-scan a CIDR. Active scanning touches the target and is logged. T1595 is explicitly out of scope here — it is the technique that begins the moment passive recon ends.

Authorization first. Run these techniques only against organizations you are contractually authorized to assess, within a signed Rules of Engagement (RoE) and defined scope. Querying public databases is legal in most jurisdictions, but acting on harvested credentials or accessing exposed services is not — that is active intrusion, governed by your authorization.

All techniques below map to MITRE ATT&CK Tactic: Reconnaissance (TA0043).

2. The OSINT Intelligence Cycle

Unstructured “Googling the company” wastes time and produces noise. Disciplined OSINT follows a repeatable cycle driven by intelligence requirements defined before any tool runs.

Phase	Activity
Planning	Define intelligence requirements: what assets, people, or exposures matter to the engagement
Collection	Gather raw data from open sources (CT logs, Shodan, DNS, dorks)
Processing	Clean and normalize results, deduplicate, validate sources
Analysis	Link normalized data to the target to determine if an exposure is reachable
Dissemination	Route findings to stakeholders with remediation steps
Continuous Monitoring	Automate the cycle for ongoing exposure enrichment

Below is the full passive source landscape this tutorial works through.

Source Category	Tool / Service	What It Yields
DNS & WHOIS	`dig`, `host`, SecurityTrails	Registrar, nameservers, mail providers, subdomains
Certificate Transparency	`crt.sh`, CertSpotter	Every issued cert — forgotten dev/staging subdomains
Passive DNS	SecurityTrails, CIRCL pDNS	Historical domain-to-IP relationships over time
Scan Databases	Shodan, Censys, ZoomEye	Indexed service banners, open ports, product versions
Search Dorking	Google, Bing (GHDB)	Exposed panels, config files, directory listings
Code Repositories	GitHub, GitLab	Internal hostnames, tooling, leaked secrets
Social / HUMINT	LinkedIn, job boards	Org structure, tech stack, key personnel
Breach Databases	HIBP, DeHashed	Exposed employee credentials
Web Archives	Wayback Machine	Old endpoints and removed infrastructure
BGP / ASN	BGPView, RIPE, ARIN	ASN, owned prefixes, upstream providers
Cloud / Shadow IT	GrayhatWarfare	Exposed S3/Azure/GCP buckets

Circular flow diagram showing the six-stage passive OSINT intelligence cycle: Plan, Collect, Process, Analyze, Disseminate, Monitor, looping back to Plan — Disciplined OSINT follows a repeatable intelligence cycle — starting with defined requirements before any tool runs.

3. Domain & DNS Reconnaissance

Start with the apex domain. WHOIS/RDAP reveals registrar, registration dates, and (where not privacy-protected) ownership contacts. DNS record enumeration against public resolvers — not the target’s nameservers — exposes mail providers, CDN usage, and SPF/DMARC posture.

# Enumerate core DNS records via a public resolver (no packets to the target)
for rr in A MX NS TXT SOA; do
  echo "== $rr =="
  dig +short @1.1.1.1 example.com $rr
done

# MX reveals the mail provider; TXT reveals email-auth posture
dig +short example.com MX          # e.g. *.mail.protection.outlook.com -> M365
host -t TXT _dmarc.example.com      # p=none vs p=reject tells you spoofability

An MX pointing to mail.protection.outlook.com identifies Microsoft 365; an SPF record ending in ~all instead of -all, or a missing DMARC policy, flags mail-spoofing potential. This covers Domain Properties (T1590.001) and DNS (T1590.002).

4. Certificate Transparency & Subdomain Enumeration

Under RFC 6962, every publicly trusted CA logs each certificate it issues to append-only, monitorable CT logs. That means every SSL certificate ever issued for a domain is searchable — including certs for staging, dev, and legacy VPN subdomains defenders forgot existed.

# Pull every CT-logged cert for *.example.com and extract unique hostnames
curl -s 'https://crt.sh/?q=%25.example.com&output=json' \
  | jq -r '.[].name_value' \
  | sed 's/\*\.//g' \
  | sort -u

Aggregators wrap CT and dozens of other passive feeds. Run them in passive mode so they never resolve against the target:

# Passive mode: third-party data sources only, no resolution against the target
amass enum -passive -d example.com -o subs.txt

# Contrast: 'amass enum -active' resolves and brute-forces -> NOT passive, out of scope

Forgotten subdomains like legacy-vpn.example.com or jenkins-dev.example.com are gold: they often run unpatched software outside the patch-management lifecycle. This is Digital Certificates (T1596.003).

5. Internet-Wide Scan Databases: Shodan & Censys

Shodan and Censys continuously crawl the entire IPv4 space and index the banner metadata that devices return on open ports — web servers, routers, databases, ICS/OT, cloud instances. Querying their index is fully passive: they touched the target months ago; you only read the cache.

import shodan

api = shodan.Shodan("YOUR_API_KEY")          # querying Shodan's index, not the target
results = api.search('org:"Example Corp"')

print(f"Total results: {results['total']}")
for host in results["matches"][:25]:          # respect plan rate limits
    ip   = host["ip_str"]
    port = host["port"]
    prod = host.get("product", "")
    print(f"{ip}:{port}\t{prod}")

Pivot with filters: org:, asn:AS64500, port:3389, product:Elasticsearch. Exposed RDP (3389), unauthenticated Elasticsearch (9200), and VPN gateway banners directly enumerate Software (T1592.002), Hardware (T1592.001), and Network Security Appliances (T1590.006). Cross-reference Shodan IPs with your CT-derived subdomains to attach service data to named hosts. This is Scan Databases (T1596.005).

6. Search Engine Dorking (Google Hacking)

Search operators surface content the target inadvertently exposed and the engine indexed. The Google Hacking Database (GHDB) catalogs thousands of proven patterns. Use these manually in a browser — automated scraping violates ToS and risks blocking.

Dork	What It Finds
`site:example.com filetype:pdf`	Public documents (then mine metadata)
`site:example.com intitle:"index of"`	Open directory listings
`site:example.com inurl:admin`	Login / admin panels
`site:example.com filetype:env OR filetype:cfg`	Exposed config files
`site:example.com intext:"sql syntax near"`	Error messages leaking internals

Combining site: with intitle:, inurl:, and filetype: is remarkably effective. Bing serves as a secondary index that sometimes retains content Google dropped. This covers Search Engines (T1593.002) and Search Victim-Owned Websites (T1594).

7. Code Repository Mining

Public repositories leak internal hostnames, tooling, and — too often — live secrets. Search GitHub/GitLab for the org name, email domains, and internal hostnames discovered earlier. For your own repositories, run secret scanners in CI:

# Audit your OWN org's repos for committed secrets (defensive use)
trufflehog github --org=example-corp --only-verified
gitleaks detect --source . --report-format sarif --report-path leaks.sarif

Commit history and job postings reveal the technology stack. This is Code Repositories (T1593.003).

8. Organizational & Personnel Intelligence

LinkedIn is the most complete public database of an organization’s employees — org structure, reporting lines, and the technology stack advertised in job postings. Combine with theHarvester and Hunter.io to derive the email-address convention (first.last@), feeding social-engineering target lists.

Public documents carry metadata that maps directly to usernames and software versions:

import subprocess, json

out = subprocess.run(
    ["exiftool", "-j", "report.pdf"], capture_output=True, text=True
).stdout
meta = json.loads(out)[0]

for f in ("Creator", "Author", "LastModifiedBy", "Producer"):
    if f in meta:
        print(f"{f}: {meta[f]}")   # e.g. Author: jsmith / Producer: Acrobat 15.0

This covers Determine Physical Locations (T1591.001), Identify Roles (T1591.004), Employee Names (T1589.003), and Email Addresses (T1589.002).

9. Breach Data & Credential Exposure

Have I Been Pwned, DeHashed, and credential-log collections reveal when employee credentials have been exposed in third-party breaches — frequently before those credentials are weaponized in credential-stuffing.

import requests

domain  = "example.com"
headers = {"hibp-api-key": "YOUR_API_KEY", "user-agent": "authorized-recon"}
url     = f"https://haveibeenpwned.com/api/v3/breacheddomain/{domain}"

for alias, breaches in requests.get(url, headers=headers).json().items():
    print(alias, "->", ", ".join(breaches))

Report the breach name, date, and exposed data classes (passwords, hashes, MFA seeds). Never reuse harvested credentials outside RoE scope — possession is recon; authentication is intrusion. This is Credentials (T1589.001).

10. BGP, ASN & IP Range Mapping

To bound the network footprint, resolve a known IP to its origin ASN, then enumerate every prefix that ASN announces. This delineates owned IP space, co-location, and cloud presence — without scanning a single host.

# 1. Resolve an IP to its origin ASN (Team Cymru WHOIS)
whois -h whois.cymru.com " -v 203.0.113.10"

# 2. Enumerate prefixes announced by that ASN
whois -h whois.radb.net -- '-i origin AS64500' | grep -E '^route:'

# 3. Or use the BGPView API for prefixes + upstreams
curl -s https://api.bgpview.io/asn/64500/prefixes | jq -r '.data.ipv4_prefixes[].prefix'

This maps Network Trust Dependencies (T1590.003), IP Addresses (T1590.005), and Network Topology (T1590.004).

11. Correlating the Picture: Building a Target Profile

The real power emerges when you correlate intelligence across platforms — joining a CT-derived subdomain to a Shodan banner to an ASN prefix to a breached employee account reveals patterns invisible in any single source. Document findings in a structured, repeatable report.

# OSINT Target Profile — <Engagement ID>
## 1. Scope & Authorization        # RoE ref, authorized domains/ASNs, date window
## 2. Domain & DNS                 # registrar/RDAP, NS, MX, SPF/DKIM/DMARC posture
## 3. Subdomains (CT + passive)    # host | source | state (live / parked / dev)
## 4. Exposed Services (Shodan)    # ip:port | product | version | notes
## 5. Network Footprint            # ASN | prefixes | hosting / cloud providers
## 6. Personnel & Org              # key roles | tech stack | SE surface
## 7. Credential Exposure          # breach | date | data classes | accounts
## 8. Risk Summary & Recommendations

Correlation across sources exposes attack paths invisible in any single dataset — a forgotten subdomain linked to a Shodan banner and a breached credential is a reachable exploit chain.

12. Common Attacker Techniques

Technique	Description
CT-log subdomain harvesting	Mine `crt.sh` for forgotten dev/staging/VPN hosts
Passive DNS pivoting	Use historical IP↔domain data to map shared infrastructure
Shodan/Censys banner mining	Identify exposed RDP, databases, and VPN gateways
Google dorking	Surface exposed configs, panels, and error leaks
Repo secret mining	Recover API keys and hostnames from public commits
LinkedIn org mapping	Build personnel and tech-stack intelligence for phishing
Breach-data correlation	Match exposed credentials to active employee accounts
Document metadata extraction	Derive usernames/software from public PDFs and DOCX

These feed downstream Initial Access — phishing the personnel map, password-spraying the breach list, or exploiting the exposed service — all of which occur after passive recon and are logged.

13. Defensive Strategies & Detection

Framing: True passive OSINT generates no logs on your systems — the adversary only queries third-party databases. Defense therefore shifts to attack-surface reduction and detecting downstream use of harvested intelligence, not the recon itself.

What Defenders Can Detect (Indirect Signals)

Signal	Mechanism	Notes
New certificate issuance	CT monitors: CertSpotter, `crt.sh` alerts	Subscribe to alerts for new certs on your domains — proactive
Shodan/Censys indexing	Not real-time; scanner IP ranges are published	Block known scanner ranges to reduce exposure
Downstream credential use	Windows Security `EventID 4625` / `4624` / `4648`	HIBP-known creds appearing in auth logs = stuffing/breach
Leaked secrets	GitHub secret scanning, `truffleHog`/`gitleaks` in CI	Detect before attackers do
Active DNS recon	Defender for Identity `DnsReconnaissanceSecurityAlert`	Catches active DNS recon — not passive external OSINT

Sigma Sketch — Downstream Credential Use

title: Possible Use of OSINT-Harvested Credentials
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4625   # Failed logon (credential stuffing)
      - 4648   # Explicit credential logon (harvested creds / PtH)
      - 4768   # Kerberos AS-REQ with harvested identity
  timeframe: 10m
  condition: selection | count() by SourceIp > 20
level: high

(Add environment-specific thresholds and allow-lists before deployment.)

Hardening / Attack Surface Reduction

Mitigation	Description
Prune DNS & avoid telling names	Purge stale records; don’t name hosts `staging-db.example.com`
Wildcard certificates	Reduce per-subdomain CT exposure
CT + brand monitoring	Alert on new subdomains, certs, and leaked references
Email auth hardening	Enforce SPF `-all`, DKIM, and DMARC `p=reject`
Repo secret scanning	Enable GitHub push protection; run `gitleaks` in CI
Monthly Shodan/Censys review	Audit your own ASN; remediate unexpected ports
HIBP Domain Search	Enroll in breach-notification API alerts
Metadata stripping	`exiftool -all= file.pdf` before publishing
RDAP/registrar privacy	Reduce WHOIS exposure where legally permissible
Policy review	Curb LinkedIn oversharing; manage domain lifecycle

A defender running this exact exercise against their own organization has a structural advantage: OSINT needs no change-approval window because it touches no production systems, so perimeter assessment carries zero operational impact.

Hierarchy diagram splitting passive OSINT defense into two pillars: Attack Surface Reduction (CT monitoring, DMARC, secret scanning, metadata stripping) and Downstream Detection (Windows EventID 4625 and 4648) — Because passive recon leaves no logs on your systems, defense pivots to reducing exposed surface area and detecting when harvested intelligence is weaponized downstream.

14. Tools for OSINT Analysis

Tool	Description	Link
Amass	Passive subdomain enumeration & mapping	owasp.org
subfinder	Fast passive subdomain discovery	projectdiscovery.io
theHarvester	Emails, names, subdomains from public sources	github.com
Shodan / Censys	Internet-wide scan databases	shodan.io
Recon-ng / SpiderFoot	Modular OSINT automation frameworks	spiderfoot.net
crt.sh	Certificate transparency search	crt.sh
SecurityTrails	Passive DNS & historical records	securitytrails.com
Have I Been Pwned	Breach & credential exposure	haveibeenpwned.com
truffleHog / gitleaks	Repo secret scanning	github.com
exiftool	Document metadata extraction	exiftool.org
BGPView	ASN & prefix enumeration	bgpview.io
Wayback Machine	Historical web snapshots	archive.org

15. MITRE ATT&CK Mapping

All techniques fall under Reconnaissance (TA0043). T1595 Active Scanning is out of scope.

Technique	MITRE ID	Detection / Reduction
Gather Victim Network Information	`T1590` (.001–.006)	Prune DNS; reduce WHOIS/CT exposure
Gather Victim Org Information	`T1591` (.001–.004)	LinkedIn-oversharing policy
Gather Victim Host Information	`T1592` (.001–.004)	Monthly Shodan/Censys self-audit
Search Open Websites/Domains	`T1593` (.001–.003)	Repo secret scanning; dork your own site
Search Victim-Owned Websites	`T1594`	Remove exposed configs/listings
Search Open Technical Databases	`T1596` (.001–.005)	CT monitoring; passive-DNS hygiene
Gather Victim Identity Information	`T1589` (.001–.003)	HIBP alerts; auth monitoring (4625/4648)

Summary

Passive OSINT maps an organization’s entire external attack surface using only third-party data, generating zero packets — and therefore zero logs — on the target.
The disciplined intelligence cycle (plan → collect → process → analyze → disseminate → monitor) turns scattered searches into a correlated target profile across DNS, CT logs, scan databases, repos, personnel, and breach data.
Correlation is the multiplier: joining a forgotten subdomain to a Shodan banner to a breached credential reveals reachable exposure invisible in any single source.
Because passive recon is undetectable on your systems, defense means attack-surface reduction — CT monitoring, DMARC p=reject, secret scanning, metadata stripping — plus detecting downstream credential use via Windows EventID 4625/4648.
All techniques map to ATT&CK Reconnaissance (TA0043); the boundary is T1595 Active Scanning, which begins the moment you touch the target directly.

References

Post Views: 17

Get new drops in your inbox

Windows internals, exploit dev, and red-team write-ups — no spam, unsubscribe anytime.