CTF Reconnaissance: OSINT Techniques for Capture The Flag
Open Source Intelligence (OSINT) is a critical skill for CTF competitions, penetration testing, and security research. This guide covers practical OSINT techniques that help you gather information before and during challenges.
What is OSINT?
OSINT involves collecting publicly available information from open sources. In CTF contexts, this means finding hidden clues in web pages, metadata, social media, DNS records, and public databases.
Why OSINT matters for CTF:
- Reveals hidden flags in metadata
- Uncovers usernames, emails, and credentials
- Maps infrastructure and relationships
- Discovers historical data and deleted content
Essential OSINT Tools
Web Reconnaissance
Wayback Machine (archive.org) - View historical versions of websites. Deleted pages often contain flags or sensitive information that current versions removed.
Google Dorking - Advanced search operators reveal hidden content:
- site:example.com filetype:pdf - Find specific file types
- inurl:admin - Locate admin panels
- intitle:"index of" - Directory listings
Shodan (shodan.io) - Search engine for Internet-connected devices. Discover exposed services, default credentials, and vulnerable systems.
Metadata Analysis
ExifTool - Extract metadata from images, documents, and files:
exiftool image.jpg
exiftool -all= image.jpg # Strip all metadata
GPS coordinates, software versions, and usernames often hide in EXIF data.
Strings - Simple but effective for binary files:
strings file.bin | grep -i flag
DNS and Domain Intelligence
dig - Query DNS records:
dig example.com ANY   # Many resolvers refuse ANY (RFC 8482); query A, MX, NS and TXT individually if the answer is empty
dig -x 192.168.1.1    # Reverse lookup
whois - Domain registration data reveals owners, emails, and registration dates.
Certificate Transparency (crt.sh) - Discover subdomains through SSL certificates:
%.example.com
Social Media Intelligence
Username OSINT - Tools like sherlock or namechk find accounts across platforms:
sherlock username123
Twitter Advanced Search - Filter by date, location, user, and keywords. Useful for timeline reconstruction.
LinkedIn - Employee information reveals organizational structure, technologies used, and potential social engineering targets.
Practical CTF Techniques
Image Steganography Detection
Check for hidden data in images:
binwalk image.png
steghide extract -sf image.jpg
zsteg image.png # PNG analysis
Archive and File Analysis
Recursive archive extraction:
binwalk -e firmware.bin
foremost disk.img # Carve files from disk images
Network Traces
Analyze packet captures with Wireshark filters:
- http.request.method == "POST" - Find form submissions
- ftp-data - Extract files from FTP traffic
- dns - DNS queries reveal accessed domains
Git Repository Mining
Extract secrets from Git history:
git log --all --full-history -- "*password*"   # Commits (including deleted branches) that touched files matching *password*
trufflehog --regex --entropy=False .           # Scan the whole history for secret-looking strings by regex
Deleted commits and branches often contain flags or credentials.
Building Your OSINT Workflow
1. Start broad - Use search engines and public databases
2. Go deep - Follow links, subdomains, and related accounts
3. Automate - Script repetitive tasks with Python or Bash
4. Document - Keep notes on findings and relationships
Quick Recon Script
#!/bin/bash
# Usage: ./recon.sh example.com
set -u
TARGET="${1:?usage: $0 <domain>}"
echo "[+] DNS Records"
dig "$TARGET" ANY   # Many resolvers refuse ANY (RFC 8482); fall back to A/MX/NS/TXT if this returns nothing
echo "[+] Subdomains (crt.sh)"
curl -s "https://crt.sh/?q=%.$TARGET&output=json" | jq -r '.[].name_value' | sort -u
echo "[+] Historical Snapshots"
curl -s "https://archive.org/wayback/available?url=$TARGET" | jq -r '.archived_snapshots.closest.url // "none"'
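The `jq -r '.[].name_value' | sort -u` step above leaves a few crt.sh quirks unhandled: one `name_value` can hold several newline-separated SANs, wildcard entries are not hostnames, and a naive suffix match accepts look-alike domains. The following parser is an added example, not code from the original page; the JSON it consumes is a constructed sample of the crt.sh response shape, using only the fields shown.

```python
import json

# Constructed sample of a crt.sh ?q=%.example.com&output=json response.
# Real responses carry more keys; only name_value is used here.
SAMPLE_CRTSH_JSON = """[
  {"common_name": "www.example.com",
   "name_value": "www.example.com\\nexample.com"},
  {"common_name": "*.example.com",
   "name_value": "*.example.com\\nexample.com"},
  {"common_name": "Dev.Example.com",
   "name_value": "Dev.Example.com\\nstaging.example.com.\\nnotexample.com"}
]"""


def crtsh_subdomains(raw_json: str, domain: str) -> list[str]:
    """Return sorted, de-duplicated hostnames under `domain` from a crt.sh JSON dump.

    - splits multi-SAN name_value fields on newlines
    - folds wildcard entries ("*.example.com") to their base name
    - normalises case and trailing dots so duplicates collapse
    - keeps only the domain itself or names ending in "." + domain,
      so look-alikes such as notexample.com are dropped
    """
    domain = domain.lower().rstrip(".")
    found: set[str] = set()
    for cert in json.loads(raw_json):
        for name in cert.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name and (name == domain or name.endswith("." + domain)):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    print("\n".join(crtsh_subdomains(SAMPLE_CRTSH_JSON, "example.com")))
```

Pipe the live `curl` output into this function in place of `jq` to get a clean, in-scope subdomain list for the rest of the workflow.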
Common CTF OSINT Scenarios
Flag in metadata - Always check EXIF data on downloaded images
Deleted social posts - Search cached/archived versions
Subdomain enumeration - Flags often hide on forgotten subdomains
Historical leaks - Old pastebin/gist posts contain credentials
QR codes - Use zbarimg to decode without manual scanning
Legal and Ethical Considerations
OSINT uses public information, but context matters. For CTF competitions, stay within challenge scope. For real-world research, respect privacy laws and terms of service.
Always:
- Get authorization before testing production systems
- Avoid social engineering real people without consent
- Document your methodology
- Report vulnerabilities responsibly
Practice Resources
CTF Platforms - TryHackMe and HackTheBox offer OSINT challenges
Trace Labs - OSINT CTF for missing persons (real-world impact)
OSINT Framework (osintframework.com) - Comprehensive tool directory
Conclusion
OSINT is reconnaissance without exploitation. Master these techniques to find flags faster, understand attack surfaces better, and develop a security researcher's mindset. The information is already public; you just need to know where to look.
Start with Google, dig deeper with specialized tools, and always check metadata. Happy hunting!