Published in: Scientific journal «Студенческий» (Studencheskiy), No. 17(355)
Journal section: Information Technology
THE ROLE OF OSINT IN MODERN PENETRATION TESTING
Sivkov Pavel Aleksandrovich
student, Institute of Cybersecurity and Information Technology, MIREA - Russian Technological University, Moscow, Russia
Doroshenko Anton Alekseevich
student, Institute of Cybersecurity and Information Technology, MIREA - Russian Technological University, Moscow, Russia
Nefyodov Aleksandr Sergeevich
student, Institute of Cybersecurity and Information Technology, MIREA - Russian Technological University, Moscow, Russia
Gorchakov Aleksey Alekseevich
student, Institute of Cybersecurity and Information Technology, MIREA - Russian Technological University, Moscow, Russia
ABSTRACT
The article examines the role of Open Source Intelligence (OSINT) in modern penetration testing. The methods, tools, and OSINT sources used during the information gathering phase are analyzed. Key advantages of integrating OSINT into pentesting are identified, as well as legal, ethical, and practical limitations of the method. The necessity of combining OSINT with active techniques to enhance the effectiveness of security assessments is substantiated.
Keywords: OSINT, open source intelligence, pentest, penetration testing, cybersecurity, information gathering, ethical hacking.
Introduction
Penetration testing (pentest) is a key practice for assessing the security of information systems by simulating the actions of a real attacker. The first and critically important phase of any pentest is gathering information about the target. This is where Open Source Intelligence (OSINT) comes to the forefront. OSINT allows the pentester to collect extensive data about the target organization, its infrastructure, employees, and technologies without direct interaction with the target's systems, and therefore without leaving traces on them. The purpose of this article is to analyze the role, methods, and limitations of OSINT in modern penetration testing.
OSINT as the Foundation of the Pentest Reconnaissance Phase
Most pentest methodologies (PTES, OSSTMM, NIST SP 800-115) single out reconnaissance as a distinct and crucial phase. Traditionally, reconnaissance is divided into passive and active. OSINT belongs to passive collection: it avoids direct interaction with the target's systems and is therefore practically undetectable by the target (the third-party services queried, such as search engines or Shodan, may still log the analyst's requests). This gives the pentester a significant advantage: they can reconstruct the digital portrait of an organization without the risk of premature discovery.
Practice shows that neglecting the OSINT phase often leads to an incomplete pentest. For instance, publicly exposed credentials, leaked configuration files, or information about software versions can immediately point to obvious attack vectors. Moreover, data from social networks and professional profiles of employees make it possible to build effective social engineering scenarios, which are often the easiest way to gain initial access.
OSINT Sources and Methods in Pentesting
The range of OSINT sources is extremely broad. They can be roughly divided into several categories. Technical sources include search engines (Google, Shodan, Censys), WHOIS services, DNS records, SSL/TLS certificates (including the certificate transparency logs in which every publicly trusted certificate, and thus every hostname it covers, is recorded), and code repositories (GitHub, GitLab). Subdomain analysis, passive DNS data collection, and website history examination via archive.org allow the restoration of network architecture and the discovery of forgotten or poorly protected nodes. Shodan, for example, can reveal open ports, running services, and service banners that identify specific, sometimes vulnerable, software versions, including those of industrial control systems, which is especially valuable for pentesters.
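The subdomain discovery from certificate data described above, as an added worked example that is not part of the original article. It parses certificate transparency records in the JSON shape that crt.sh returns for a `%.example.com` query, normalizes the names (case, wildcard label, trailing dot), keeps only hosts under the apex domains that the engagement contract places in scope, and flags hostnames that appear only on expired certificates, a frequent sign of a forgotten node; the resulting list is what the later active phase would scan. The records, dates, the `IN_SCOPE_APEX` set and the `AS_OF` date are constructed for the example (reserved `example.com`/`.net`/`.test` names), so nothing is queried over the network, and the function names are the example's own.

```python
import json
import re
from datetime import datetime

# Constructed sample in the record shape crt.sh returns for ?q=%25.example.com&output=json.
# Hosts and dates are invented; example.com / .net / .test are reserved names.
CRT_SH_SAMPLE = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_before": "2025-01-10T00:00:00", "not_after": "2026-04-10T00:00:00"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nDEV.Example.com.",
     "not_before": "2025-02-01T00:00:00", "not_after": "2026-02-01T00:00:00"},
    {"common_name": "old-vpn.example.com", "name_value": "old-vpn.example.com",
     "not_before": "2021-03-01T00:00:00", "not_after": "2022-03-01T00:00:00"},
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test",
     "not_before": "2025-03-01T00:00:00", "not_after": "2026-03-01T00:00:00"},
    {"common_name": "shop.example.net", "name_value": "shop.example.net",
     "not_before": "2025-03-01T00:00:00", "not_after": "2026-03-01T00:00:00"},
])

# Apex domains the engagement contract places in scope (assumed for the example).
IN_SCOPE_APEX = {"example.com"}
# Fixed "today" so the stale-host check is deterministic.
AS_OF = datetime(2025, 6, 1)

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize_name(name):
    """Lower-case a CT name and strip the wildcard label and any trailing dot.

    Returns None for anything that is not a plausible hostname (an e-mail
    address in a SAN, an empty common_name, and so on).
    """
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name if HOSTNAME_RE.match(name) else None


def in_scope(host, apex_domains):
    """True only for an apex itself or a name under it.

    The suffix check includes the leading dot, so look-alikes such as
    example.com.evil.test are rejected where a plain substring test would pass them.
    """
    return any(host == apex or host.endswith("." + apex) for apex in apex_domains)


def discover_hosts(raw_json, apex_domains, as_of):
    """Map each in-scope hostname to its latest certificate expiry and a staleness flag."""
    hosts = {}
    for record in json.loads(raw_json):
        expiry = datetime.fromisoformat(record["not_after"])
        # name_value lists every SAN entry separated by newlines; the CN may repeat one.
        names = record["name_value"].split("\n") + [record.get("common_name", "")]
        for raw in names:
            host = normalize_name(raw)
            if host is None or not in_scope(host, apex_domains):
                continue
            entry = hosts.setdefault(host, {"latest_expiry": expiry})
            entry["latest_expiry"] = max(entry["latest_expiry"], expiry)
    for entry in hosts.values():
        # Seen only on expired certificates: possibly decommissioned, possibly forgotten.
        entry["only_expired"] = entry["latest_expiry"] < as_of
    return hosts


def scoped_target_list(raw_json, apex_domains, as_of):
    """Hostnames for the active phase (e.g. `nmap -iL`), stale ones first for manual review."""
    hosts = discover_hosts(raw_json, apex_domains, as_of)
    return sorted(hosts, key=lambda h: (not hosts[h]["only_expired"], h))


if __name__ == "__main__":
    for host in scoped_target_list(CRT_SH_SAMPLE, IN_SCOPE_APEX, AS_OF):
        print(host)
```

Two details matter in practice: the wildcard entry collapses to the apex rather than being dropped, because `*.example.com` proves nothing about individual hosts, and the scope check is a dotted-suffix match, not a substring match, so `example.com.evil.test` and `shop.example.net` never reach the target list even though both contain the client's name.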
Social and corporate sources are no less important. Professional networks (LinkedIn), news publications, job postings, and internal documents that accidentally become public all shape the picture of an organization's internal structure. A pentester can discover what hardware and software are in use, who is responsible for security, and which corporate portals and cloud services are employed. Special attention should be paid to the metadata of documents (Word, PDF, images), which often contains usernames, internal hostnames and IP addresses, and exact software versions.
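The document metadata analysis mentioned above, as an added worked example that is not part of the original article. A .docx file is a zip archive whose authoring metadata lives in the standard `docProps/core.xml` and `docProps/app.xml` parts; the script reads those parts with the standard library only, tolerates documents from which the parts have been stripped, and turns the raw fields into reconnaissance leads (account names, the NetBIOS name of an internal Windows domain taken from a `DOMAIN\user` value, the editing software and version, the corporate template name). The sample document is constructed in memory, so every name, date, company and version in it is invented, and the function names are the example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces defined by the Office Open XML standard for the two property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Field of interest -> (zip part, element path) in the standard OOXML locations.
FIELDS = {
    "creator": ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "created": ("docProps/core.xml", "dcterms:created"),
    "modified": ("docProps/core.xml", "dcterms:modified"),
    "application": ("docProps/app.xml", "ep:Application"),
    "app_version": ("docProps/app.xml", "ep:AppVersion"),
    "company": ("docProps/app.xml", "ep:Company"),
    "template": ("docProps/app.xml", "ep:Template"),
}

# Constructed property parts; every name, date, company and version is invented.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>CORP\\a.ivanov</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2024-02-03T09:12:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2024-02-05T16:40:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp</Company>
  <Template>CorpLetterhead.dotm</Template>
</Properties>""".format(**NS)


def build_sample_docx(with_properties=True):
    """Return the bytes of a minimal .docx; with_properties=False mimics a sanitized file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # stub; real files enumerate every part
        zf.writestr("word/document.xml", "<document/>")
        if with_properties:
            zf.writestr("docProps/core.xml", CORE_XML)
            zf.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def extract_docx_metadata(data):
    """Return {field: value} for the FIELDS present; parts a sanitizer removed are skipped."""
    found, parsed = {}, {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for field, (part, path) in FIELDS.items():
            if part not in names:
                continue
            if part not in parsed:
                parsed[part] = ET.fromstring(zf.read(part))
            node = parsed[part].find(path, NS)
            if node is not None and node.text and node.text.strip():
                found[field] = node.text.strip()
    return found


def derive_indicators(meta):
    """Turn raw metadata into reconnaissance leads: account names, internal domain, software."""
    usernames, domain = set(), None
    for field in ("creator", "last_modified_by"):
        value = meta.get(field)
        if not value:
            continue
        # A DOMAIN\user value reveals the NetBIOS name of an internal Windows domain.
        if "\\" in value:
            domain, value = value.split("\\", 1)
        usernames.add(value)
    parts = [v for v in (meta.get("application"), meta.get("app_version")) if v]
    return {
        "usernames": sorted(usernames),
        "domain": domain,
        "software": " ".join(parts) or None,
        "template": meta.get("template"),
    }


if __name__ == "__main__":
    meta = extract_docx_metadata(build_sample_docx())
    print(meta)
    print(derive_indicators(meta))
```

The same core-properties vocabulary is used by .xlsx and .pptx files, so the extractor applies to them unchanged; PDF and image (EXIF) metadata need different parsers but yield the same kinds of leads.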
The methods of working with these sources are constantly improving. Whereas a decade ago the pentester's toolkit was limited to search queries and manual analysis, today automated frameworks (Maltego, Recon-ng, theHarvester) combine data from dozens of sources and build relationship graphs. Specialized distributions with OSINT tooling, such as Tsurugi Linux, are also gaining popularity, offering a ready-to-use environment for reconnaissance.
OSINT and Active Collection: Boundary and Interaction
Although OSINT is traditionally considered a passive method, in practice the boundary between passive and active collection is blurred. Querying a service's public API or downloading an exposed file is technically an active action, even though it uses only an interface the owner has exposed to the public, and it may appear in the target's access logs. OSINT does not replace the active phase but prepares the ground for it: its results let the pentester focus port scanning and vulnerability analysis on specific, confirmed targets instead of noisily sweeping entire address ranges, which intrusion detection systems are likely to flag.
Thus, OSINT serves not as a replacement but as an effective complement to active reconnaissance. A combined approach not only reduces the time required for a pentest but also lowers the risk of detection in the early stages, which is critical for mimicking real-world attackers.
Legal and Ethical Aspects of OSINT
OSINT occupies a special legal position. Because it uses only publicly available data, collecting such information is generally lawful, but limits exist even here. Large-scale automated collection from websites may violate their terms of service, and personal data remains subject to data protection law even when it is openly published; in GDPR jurisdictions, processing it requires a lawful basis and particular care. The pentester must stay strictly within the boundaries defined in the testing contract and not exceed the permitted methods.
The ethical dimension is equally important. OSINT findings may include confidential information that accidentally became public due to employee negligence. A professional must handle such data responsibly, document it, and immediately inform the client, without using the obtained information for any other purposes.
Limitations of OSINT and the Risk of Disinformation
Despite its value, OSINT has several limitations. First, there is the problem of data currency: information from open sources may be outdated, leading to erroneous conclusions. Second, there is a risk of disinformation: organizations may intentionally plant false data to confuse potential attackers. A pentester must cross-check data through multiple independent sources. Third, information overload can lead to "analysis paralysis", where a specialist drowns in data and cannot identify the truly critical elements. Here, experience and well-tuned automated filtering tools become indispensable.
Conclusion
The role of OSINT in modern penetration testing can hardly be overestimated. It is not merely an auxiliary technique but a mandatory and independent discipline that ensures the quality and depth of the entire assessment. Integrating OSINT in the initial stages allows the pentester to accurately define the attack surface, identify weaknesses related to the human factor, and prepare the most effective penetration scenarios. At the same time, OSINT demands from the specialist not only proficiency with a wide range of tools but also an understanding of legal and ethical boundaries. The future of OSINT in pentesting lies in further automation, the application of machine learning for big data analysis, and integration with Threat Intelligence platforms, making reconnaissance even more precise and timely.
References:
- Bazzell M. Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information. – 8th ed. – New York: CCI Publishing, 2021. – 512 p.
- NIST. Technical Guide to Information Security Testing and Assessment. SP 800-115. – Gaithersburg, 2008. – 80 p.
- Grigor’ev A.A., Kuznetsov M.V. Application of OSINT in the Reconnaissance Phase of Penetration Testing // IT Security. – 2023. – Vol. 30, No. 2. – P. 44–51.
- GDPR Enforcement Tracker [Electronic resource]. – URL: https://www.enforcementtracker.com/ (accessed: 07.05.2026).
- Anikin D.A., Grishin M.V. OSINT in Penetration Testing: Advantages and Challenges // Bulletin of the Ural Federal District. Security in the Information Sphere. – 2024. – No. 2. – P. 75–84.