BIPI

Advanced OSINT Techniques: Passive Recon, Persona Correlation, and Attack Surface Mapping

Threat Intelligence

Beyond Google dorking — advanced OSINT methods using Shodan, Maltego, data breach correlation, certificate transparency, and social graph analysis for pre-engagement intelligence.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 7, 2025 · 14 min read

#osint #reconnaissance #shodan #maltego #attack-surface

OSINT is not about tools — it is about questions. The best OSINT operators define the intelligence requirement first, then choose sources. Jumping straight to Shodan without a target model wastes hours on irrelevant data.

Defining the target model

Before opening a single browser tab, enumerate what you need to know: What infrastructure does the target own? Who are key employees? What acquisitions expanded their attack surface? What data breaches have exposed credentials? Write these as explicit intelligence requirements.

Passive DNS and certificate transparency

Certificate transparency logs record every publicly trusted TLS certificate ever issued, so they expose every subdomain that has ever had one — including dev, staging, and internal tooling accidentally made public. crt.sh, certspotter, and subfinder aggregate CT logs into subdomain lists in seconds.

  • crt.sh: %.target.com for wildcard certificate discovery
  • subfinder -d target.com -all for multi-source passive enumeration
  • amass enum -passive for ASN and IP range correlation
  • SecurityTrails API for historical DNS records showing old infrastructure
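The CT step above, worked through from the asset owner's side as an added example (not BIPI's own tooling): it flattens the JSON that crt.sh returns for a `%.target.com` query into a deduplicated host list and sorts each host into known, unknown-with-live-certificate, or unknown-with-expired-certificate so that forgotten staging and internal hosts stand out. The JSON shape (`name_value`, `not_after`) matches crt.sh's `output=json` format; the hostnames, dates and inventory are constructed placeholders.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh JSON output (https://crt.sh/?q=%25.target.com&output=json).
# The hostnames and dates are placeholders, not real CT records.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.target.com", "name_value": "www.target.com\ntarget.com",
     "not_after": "2025-08-01T00:00:00"},
    {"common_name": "*.target.com", "name_value": "*.target.com",
     "not_after": "2026-01-15T00:00:00"},
    {"common_name": "staging-api.target.com", "name_value": "staging-api.target.com",
     "not_after": "2024-11-30T00:00:00"},
    {"common_name": "jenkins.internal.target.com", "name_value": "jenkins.internal.target.com",
     "not_after": "2025-09-10T00:00:00"},
    {"common_name": "www.target.com", "name_value": "www.target.com",  # re-issuance, duplicate host
     "not_after": "2025-05-01T00:00:00"},
])

def hosts_from_crtsh(raw_json: str, domain: str) -> dict[str, datetime]:
    """Flatten crt.sh records into {hostname: latest not_after}. name_value holds the SAN
    list newline-separated; wildcards are dropped (not hosts) and names outside `domain`
    are ignored so a shared certificate does not pull unrelated domains into the inventory."""
    hosts: dict[str, datetime] = {}
    for record in json.loads(raw_json):
        expiry = datetime.fromisoformat(record["not_after"])
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if name != domain and not name.endswith("." + domain):
                continue
            if name not in hosts or expiry > hosts[name]:
                hosts[name] = expiry
    return hosts

def triage(raw_json: str, domain: str, inventory: set[str], as_of: str) -> dict[str, set[str]]:
    """Sort CT-discovered hosts into: known (in the asset inventory), unknown with a
    still-valid certificate (live shadow asset?), unknown with only expired certificates
    (probably decommissioned, but verify). `as_of` is an ISO timestamp."""
    now = datetime.fromisoformat(as_of)
    result: dict[str, set[str]] = {"known": set(), "unknown_live": set(), "unknown_expired": set()}
    for name, expiry in hosts_from_crtsh(raw_json, domain).items():
        if name in inventory:
            result["known"].add(name)
        elif expiry > now:
            result["unknown_live"].add(name)
        else:
            result["unknown_expired"].add(name)
    return result
```

Run `triage(SAMPLE_CRTSH_JSON, "target.com", {"www.target.com", "target.com"}, "2025-05-07T00:00:00")` to see the staging host land in `unknown_expired` and the Jenkins host in `unknown_live`; the latter is the bucket to chase first.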

Shodan and Censys attack surface mapping

Shodan indexes banner data from every reachable port on the internet. Search by ASN, certificate CN, or HTTP title to find all assets belonging to an organisation, including cloud instances, VPNs, and forgotten test servers.

Data breach correlation

HaveIBeenPwned, DeHashed, and IntelligenceX surface employee credentials from historical breaches. Even stale passwords are valuable: people reuse passwords and password patterns. A 2019 breach password becomes a 2025 spray candidate with minor variations.

Social graph and persona analysis

LinkedIn, GitHub, and conference speaker lists map the human attack surface. Engineers list technologies they work with — confirming internal stack. GitHub commits from corporate email addresses expose internal repository naming conventions and sometimes accidentally committed secrets.

  • theHarvester for email and employee enumeration from public sources
  • LinkedIn Sales Navigator for org chart reconstruction
  • GitHub search: org:target-corp filename:.env or api_key
  • GitLeaks on public repos for secret scanning
  • Maltego transforms for social graph visualisation

  • 3x more: average subdomains found via CT logs vs DNS brute-force
  • 20-30%: credentials still valid after 12 months in breach databases
  • majority: engagements where GitHub leaked internal stack details

The most dangerous thing a company can do is believe that OSINT is someone else's problem.
