Open Source Does Not Mean Low Value
The best intelligence I've gathered before an engagement came from sources the target didn't even know were public. LinkedIn, GitHub, job postings, and Shodan tell a detailed story about an organisation's technology stack, hiring patterns, and exposed infrastructure.
LinkedIn and Job Postings
Job postings reveal the tech stack:
- "3+ years Kubernetes experience" — containerised workloads
- "Palo Alto NGFW" — firewall vendor and likely specific models
- "Splunk admin" — SIEM visibility into your TTPs
theHarvester -d target.com -b linkedin,google,hunter
GitHub: The Credential Goldmine
# truffleHog — scan org repos for secrets
trufflehog github --org=TargetCorpGH --only-verified
I find AWS keys, internal domain credentials, and VPN configs in GitHub at least once in every five engagements.
Shodan for Infrastructure Mapping
shodan search 'org:"Target Corp" product:nginx' --fields ip_str,port,hostnames
shodan search 'ssl.cert.subject.cn:*.target.com'
Google Dorks
site:target.com ext:pdf "confidential"
site:target.com inurl:admin
site:pastebin.com "target.com" "password"
Defensive Takeaways
- Run theHarvester and truffleHog against your own org quarterly
- Require pre-commit hooks that scan for secrets before push
- Monitor GitHub for your domain name using GitHub secret scanning alerts
- Job postings should describe role requirements, not vendor-specific tooling
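One way to implement the pre-commit secret check from the takeaways above, as an added example that is not from the original post: a hook that scans only the lines a commit adds. The three patterns, the function names and the sample diff are assumptions chosen for illustration, and the key shown is the placeholder from AWS documentation.

```shell
#!/bin/sh
# Added example: save as .git/hooks/pre-commit. Patterns are illustrative assumptions.

# Print "file<TAB>text" for each line added by the unified diff on stdin.
# Hunk state is tracked so added text starting with "++ " is not read as a file header.
added_lines() {
    awk '
        index($0, "diff --git ") == 1     { inhunk = 0; next }
        index($0, "@@") == 1              { inhunk = 1; next }
        !inhunk && index($0, "+++ ") == 1 { file = substr($0, 5); sub(/^b\//, "", file); next }
        inhunk && substr($0, 1, 1) == "+" { print file "\t" substr($0, 2) }
    '
}

# Print added lines that look like secrets; return 1 if any, 0 if the diff is clean.
# Patterns: AWS access key ID, PEM private key header, hard-coded password value.
scan_diff() {
    hits=$(added_lines | grep -E \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e '[Pp]ass(word|wd)[[:space:]]*[=:][[:space:]]*[^[:space:]]{6,}' || true)
    if [ -z "$hits" ]; then return 0; fi
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample diff: one leaked key, one harmless mention of "password".
sample_diff() {
    cat <<'EOF'
diff --git a/deploy/env.sh b/deploy/env.sh
--- a/deploy/env.sh
+++ b/deploy/env.sh
@@ -1,0 +2,2 @@
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+export REGION=eu-west-1
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -3 +3 @@
-Set your pasword in the vault.
+Set your password in the vault.
EOF
}

# Run only when installed as the hook, so the functions above can be tested alone.
case "$0" in
    *pre-commit)
        git diff --cached --no-color -U0 | scan_diff >&2 ||
            { echo "pre-commit: possible secret staged; commit blocked." >&2; exit 1; } ;;
esac
```

A dedicated scanner such as truffleHog covers far more secret formats; this hook only shows the mechanism of checking staged additions before they reach a remote.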