
Lesson 22: Reconnaissance — OSINT Techniques for Beginners

Path 3: Hands-On Cybersecurity — Lesson 2 of 10. Master OSINT reconnaissance techniques to map an organization's digital footprint before a penetration test.

FyntraLink Team
Hands-On Cybersecurity · Lesson 2 of 10 · Level: Beginner · Reading time: 12 minutes

What You Will Learn in This Lesson

  • What OSINT is and why it forms the foundation of every professional penetration test
  • The difference between passive and active reconnaissance and when to use each
  • How to use real-world tools — Shodan, theHarvester, Maltego, and Google Dorks — to map a target's attack surface
  • How OSINT aligns with SAMA CSCC and NCA ECC requirements for threat intelligence and vulnerability management

What Exactly Is OSINT?

Open Source Intelligence — OSINT — is the practice of collecting and analyzing information from publicly available sources to build actionable intelligence about a target. Think of it as the homework a penetration tester does before touching a single port. The target could be a domain name, an IP range, an employee list, or a technology stack. Every piece of data gathered during this phase shapes the rest of the engagement: what to scan, where to probe, and which attack vectors are most likely to succeed.

OSINT is not hacking. Everything you collect during passive reconnaissance comes from sources anyone can access: DNS records, WHOIS databases, search engine caches, social media profiles, job postings, public code repositories, and certificate transparency logs. The skill lies in knowing where to look, how to correlate fragments, and when a seemingly harmless detail — like a developer posting a screenshot with an internal hostname visible — becomes a critical finding.

Passive vs. Active Reconnaissance

Reconnaissance splits into two categories, and understanding the boundary matters — especially when you are operating under a rules-of-engagement document for a Saudi financial institution. Passive reconnaissance means you never send a single packet to the target. You query third-party databases, search engines, and public records. The target has no way to detect you. Active reconnaissance means you interact directly with the target's infrastructure: DNS zone transfers, port scans, banner grabbing. The target's security team — or their SIEM — can see your activity.

In a professional engagement, you almost always start passive. You exhaust every public source before escalating to active techniques. This is both a tactical and a legal requirement. Saudi regulations, including SAMA's expectations around authorized testing, demand clear scoping. Performing active reconnaissance outside your authorized scope can violate the Anti-Cyber Crime Law (Royal Decree No. M/17).

Practical Example: A penetration tester is scoping a Saudi bank's external footprint. Before running a single Nmap scan, they spend two days on passive OSINT: enumerating subdomains via certificate transparency logs, harvesting employee emails from LinkedIn and public filings, identifying the bank's CDN provider and web application firewall from HTTP headers cached in Shodan, and reviewing old job postings that reveal the bank uses Oracle EBS and F5 BIG-IP. By the time the first active scan begins, the tester already has a prioritized target list — and the bank's SOC sees far less noise than a brute-force approach would generate.

The OSINT Toolkit — Tools You Should Know

You do not need expensive licenses to start. The OSINT ecosystem is rich with free, battle-tested tools. Here are the essentials every beginner should master:

1. Google Dorks — Google's advanced search operators are your first stop. They cost nothing and return surprisingly sensitive results when targets have misconfigured web servers or left documents exposed.

# Find exposed PDF documents on a target domain
site:targetbank.com.sa filetype:pdf

# Find login portals
site:targetbank.com.sa inurl:login OR inurl:admin

# Find directory listings
site:targetbank.com.sa intitle:"index of"

# Find configuration files accidentally exposed
site:targetbank.com.sa filetype:env OR filetype:xml OR filetype:conf

2. theHarvester — A command-line tool that aggregates emails, subdomains, IPs, and URLs from multiple public sources in a single run.

# Harvest emails and subdomains from multiple sources
theHarvester -d targetbank.com.sa -b google,bing,linkedin,dnsdumpster -l 500

# Export results to an XML file for later analysis
theHarvester -d targetbank.com.sa -b all -f targetbank_recon.xml

3. Shodan — Often called "the search engine for the Internet of Things," Shodan indexes internet-facing devices, services, and banners. It tells you what a target is running before you send it a single packet.

# Search for all services associated with a target's IP range
shodan search "net:203.0.113.0/24"

# Find specific technologies
shodan search "hostname:targetbank.com.sa product:Apache"

# Check SSL certificate details
shodan search "ssl.cert.subject.cn:targetbank.com.sa"

4. Maltego — A visual link-analysis tool that maps relationships between entities: domains, IPs, email addresses, social media accounts, and more. The Community Edition is free and powerful enough for most reconnaissance tasks. Maltego excels at showing how a leaked employee email connects to a personal GitHub account that contains code referencing internal API endpoints.

5. Subfinder + httpx — A fast combination for subdomain enumeration and live-host detection.

# Enumerate subdomains passively
subfinder -d targetbank.com.sa -o subdomains.txt

# Probe which subdomains are alive and grab titles, status codes and detected technologies
httpx -l subdomains.txt -title -status-code -tech-detect -o live_hosts.txt

6. Certificate Transparency Logs — Every publicly trusted SSL certificate is logged in transparency databases. Tools like crt.sh let you query them.

# Query crt.sh for all certificates issued to a domain
curl -s "https://crt.sh/?q=%.targetbank.com.sa&output=json" | jq '.[].name_value' | sort -u
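The jq one-liner above is enough for a first look, but crt.sh output has details that trip up beginners: name_value lists every SAN of a certificate separated by newlines, names come back in mixed case, wildcard entries are not hosts you can probe, CDN-issued certificates often carry SANs that belong to other organizations (and are therefore out of scope), and expired certificates frequently point at hosts that no longer exist. The following Python script is an added example written for this lesson; it is not part of the original page, the crt.sh service, or any Fyntralink tooling. The JSON is a constructed sample in the shape crt.sh returns, with invented hostnames and dates.

```python
import json
import re
from datetime import datetime

# Constructed sample of the JSON crt.sh returns for ?q=%.targetbank.com.sa&output=json,
# trimmed to the keys used below. Hostnames and dates are invented for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "WWW.targetbank.com.sa",
     "name_value": "TargetBank.com.sa\nwww.targetbank.com.sa",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    # A CDN-issued wildcard certificate that also carries an unrelated SAN.
    {"common_name": "*.targetbank.com.sa",
     "name_value": "*.targetbank.com.sa\ntargetbank.com.sa\nshared-edge.cdnprovider.example",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-30T23:59:59"},
    # An old certificate for hosts that may no longer exist.
    {"common_name": "dev-api.targetbank.com.sa",
     "name_value": "dev-api.targetbank.com.sa\nstaging.targetbank.com.sa",
     "not_before": "2022-03-15T00:00:00", "not_after": "2022-06-13T23:59:59"},
])

# Loose hostname check: optional wildcard label, then dotted labels.
HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$")


def in_scope(name, scope_domain):
    """True if name is the scope domain itself or a subdomain of it."""
    return name == scope_domain or name.endswith("." + scope_domain)


def parse_crtsh(raw_json, scope_domain, today="2024-03-01"):
    """Turn raw crt.sh JSON into de-duplicated, in-scope hostnames.

    name_value holds every SAN of a certificate separated by newlines, so a
    single record can yield several hostnames. Wildcards and out-of-scope
    names are reported separately rather than silently dropped.
    """
    today_dt = datetime.fromisoformat(today)
    hosts, wildcards, out_of_scope = {}, set(), set()
    for rec in json.loads(raw_json):
        expired = datetime.fromisoformat(rec["not_after"]) < today_dt
        for name in rec["name_value"].lower().splitlines():
            name = name.strip()
            if not name or not HOSTNAME_RE.match(name):
                continue
            if not in_scope(name, scope_domain):
                out_of_scope.add(name)
                continue
            if name.startswith("*."):
                wildcards.add(name)
                continue
            entry = hosts.setdefault(name, {"certs": 0, "all_expired": True})
            entry["certs"] += 1
            if not expired:
                entry["all_expired"] = False
    return {"hosts": hosts, "wildcards": sorted(wildcards),
            "out_of_scope": sorted(out_of_scope)}


def stale_hosts(result):
    """Hostnames whose every logged certificate has expired: candidates for
    forgotten infrastructure that the asset owner should verify and decommission."""
    return sorted(h for h, e in result["hosts"].items() if e["all_expired"])


if __name__ == "__main__":
    result = parse_crtsh(SAMPLE_CRTSH_JSON, "targetbank.com.sa")
    for host in sorted(result["hosts"]):
        print(host, result["hosts"][host])
    print("wildcards:", result["wildcards"])
    print("out of scope (dropped):", result["out_of_scope"])
    print("stale:", stale_hosts(result))
```

Feed it the real output by replacing SAMPLE_CRTSH_JSON with the body of the curl request above. The scope check is deliberately a suffix match on ".targetbank.com.sa" so that a lookalike such as evil-targetbank.com.sa is never pulled into the engagement by accident; the stale-host list is the same "forgotten subdomains" category the workflow section later asks you to flag.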

Building a Reconnaissance Workflow

Random tool usage produces random results. Professionals follow a structured workflow. Here is a beginner-friendly sequence you can adopt immediately:

Step 1 — Define Scope. Confirm exactly which domains, IP ranges, and subsidiaries are in scope. For a Saudi financial institution, this typically comes from the CISO's office and references the assets registered with SAMA.

Step 2 — Passive Domain Intelligence. Enumerate subdomains (Subfinder, crt.sh, Amass), resolve DNS records (dig, dnsx), and identify hosting providers and CDNs.

Step 3 — Technology Fingerprinting. Use Shodan, Wappalyzer, and httpx to identify web servers, frameworks, WAFs, and CMS platforms without touching the target directly.

Step 4 — People Intelligence. Harvest employee names and emails from LinkedIn, public company filings (Tadawul disclosures for listed entities), and conference speaker lists. Map the IT and security team structure.

Step 5 — Data Leak Analysis. Check paste sites, breach databases (using legitimate services like Have I Been Pwned), and public code repositories for leaked credentials, API keys, or internal documentation.

Step 6 — Consolidate and Prioritize. Merge all findings into a single report. Flag high-value targets: forgotten subdomains, development environments exposed to the internet, services running outdated software, and employees whose credentials appeared in breaches.
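Step 6 is where beginners most often end up with a pile of text files and no prioritized list. The following Python script is an added example for this lesson (not Fyntralink's code, and not the output format of any specific tool release): it merges constructed Subfinder lines, constructed lines in the bracketed style httpx prints with -title -status-code -tech-detect, and a hypothetical breach-lookup result into one scored list, and records for every finding which tools produced it and when it was collected, which is the traceability the Common Mistakes section below insists on. The scoring weights are arbitrary illustrative choices, and the breach name is a placeholder.

```python
import re

# Constructed sample outputs; none of these hosts, titles or addresses are real.
SUBFINDER_OUT = """\
www.targetbank.com.sa
dev.targetbank.com.sa
files.targetbank.com.sa
uat-portal.targetbank.com.sa
mail.targetbank.com.sa
"""

# Constructed lines in the bracketed style httpx prints with -title -status-code -tech-detect.
HTTPX_OUT = """\
https://www.targetbank.com.sa [200] [Target Bank - Home] [Nginx,Cloudflare]
https://dev.targetbank.com.sa [200] [Dev Portal Login] [Apache,PHP]
https://files.targetbank.com.sa [200] [Index of /] [Apache]
https://uat-portal.targetbank.com.sa [403] [Forbidden] [F5 BIG-IP]
"""

# Hypothetical breach-lookup result (email -> breach names), as a service such as
# Have I Been Pwned would report it; the address and breach name are placeholders.
BREACHED_EMAILS = {"a.example@targetbank.com.sa": ["PLACEHOLDER-BREACH-2021"]}

HTTPX_RE = re.compile(
    r"^(?P<url>\S+) \[(?P<status>\d{3})\] \[(?P<title>[^\]]*)\] \[(?P<tech>[^\]]*)\]$")
# Naming that usually marks non-production environments (dev.x, uat-portal.x, ...).
NONPROD_RE = re.compile(r"(^|[.-])(dev|staging|stage|test|uat|qa|sandbox)([.-]|$)")


def parse_httpx(text):
    """Map hostname -> {status, title, tech} from httpx-style output lines."""
    live = {}
    for line in text.splitlines():
        m = HTTPX_RE.match(line.strip())
        if not m:
            continue
        host = re.sub(r"^https?://", "", m["url"]).split("/")[0]
        live[host] = {"status": int(m["status"]), "title": m["title"],
                      "tech": [t for t in m["tech"].split(",") if t]}
    return live


def consolidate(subfinder_text, httpx_text, breached, collected_at):
    """Merge tool outputs into one scored finding list.

    Every finding records which tools produced it and when it was collected,
    so the report stays traceable. Higher score = review first.
    """
    live = parse_httpx(httpx_text)
    findings = []
    hosts = sorted({h.strip().lower() for h in subfinder_text.splitlines() if h.strip()})
    for host in hosts:
        score, reasons, sources = 0, [], ["subfinder"]
        if NONPROD_RE.search(host):
            score += 3
            reasons.append("non-production naming exposed to the internet")
        if host in live:
            info = live[host]
            sources.append("httpx")
            score += 1
            reasons.append(f"live HTTP service (status {info['status']})")
            title = info["title"].lower()
            if "index of" in title:
                score += 3
                reasons.append("directory listing enabled")
            if "login" in title:
                score += 1
                reasons.append("login page reachable")
        else:
            reasons.append("no HTTP response recorded")
        findings.append({"asset": host, "score": score, "reasons": reasons,
                         "sources": sources, "collected_at": collected_at})
    for email, breaches in breached.items():
        findings.append({"asset": email, "score": 4,
                         "reasons": [f"credential appeared in breach data: {', '.join(breaches)}"],
                         "sources": ["breach-lookup"], "collected_at": collected_at})
    findings.sort(key=lambda f: (-f["score"], f["asset"]))
    return findings


if __name__ == "__main__":
    for f in consolidate(SUBFINDER_OUT, HTTPX_OUT, BREACHED_EMAILS, "2024-03-01T09:15:00Z"):
        print(f"{f['score']:>2}  {f['asset']:<36} {'; '.join(f['reasons'])}")
```

In the sample, the development portal with a reachable login page ranks first, followed by the directory listing, the UAT host and the breached employee address, while the mail host that never answered over HTTP sinks to the bottom. Replace the three constructed inputs with your own files and pass the real collection timestamp, and the per-finding sources and collected_at fields give you the audit trail the report needs.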

Connecting OSINT to the Saudi Regulatory Landscape

OSINT reconnaissance is not just an offensive skill — it directly supports compliance obligations under both SAMA and NCA frameworks. SAMA CSCC Domain 3 (Cyber Security Operations and Technology) requires organizations to maintain an accurate asset inventory and conduct regular vulnerability assessments. If your penetration testers are not performing thorough OSINT, they are missing shadow IT assets that SAMA auditors will ask about. NCA ECC control 2-3-1 (Threat Management) expects organizations to leverage threat intelligence — and OSINT feeds directly into that capability. Furthermore, PDPL compliance demands awareness of what personal data your organization inadvertently exposes publicly. An OSINT assessment can reveal employee PII, customer data in cached pages, or metadata in publicly shared documents that violates data minimization principles.

Common Mistakes to Avoid

  • Skipping passive recon and jumping straight to active scanning. This wastes your authorization window, generates unnecessary alerts in the target's SOC, and misses intelligence that no port scan can reveal — like leaked credentials on GitHub. Always exhaust passive sources first.
  • Failing to document your sources and timestamps. Every OSINT finding must be traceable. Record the URL, the date you accessed it, and take screenshots. Without documentation, your findings have no evidentiary value in a pentest report — and they will not satisfy SAMA's audit trail expectations.
  • Confusing OSINT with unauthorized access. Viewing a publicly cached page is OSINT. Logging into a system using a leaked credential you found is unauthorized access — even in a pentest, unless your scope explicitly permits it. In Saudi Arabia, the Anti-Cyber Crime Law carries penalties of up to 4 years imprisonment and SAR 3 million in fines for unauthorized access. Always stay within your rules of engagement.

Lesson Summary

  • OSINT is the systematic collection of intelligence from public sources — it forms the foundation of every penetration test and directly supports SAMA and NCA compliance requirements for asset inventory and threat intelligence.
  • Passive reconnaissance (Google Dorks, Shodan, crt.sh, theHarvester) should always precede active techniques. It is stealthier, legal, and often reveals more than brute-force scanning.
  • A structured workflow — scope, domains, technology, people, leaks, consolidation — transforms scattered data into actionable attack surface intelligence that guides every subsequent phase of the engagement.

Next Lesson

In the next lesson, Network Scanning — Using Nmap Like a Professional, you will learn how to transition from passive OSINT to active network discovery, master Nmap's scan types and scripting engine, and interpret results to identify exploitable services.


Ready to apply these concepts in your organization? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment.