OSINT Investigations with

A comprehensive view of an organization’s digital presence, security posture, and technological infrastructure.

When using for an OSINT investigation of an organization, you can find a variety of data types that could be insightful for cybersecurity analysis, market research, and other investigative purposes.

Building a Company Profile

With Netlas, you can build a comprehensive technical overview of a company. Here’s an overview of the types of data you might uncover:

  1. Network Infrastructure
    Details on the network infrastructure, such as ASN (Autonomous System Number) information, which can help in understanding the organization’s internet service providers (ISPs) and network size.
  2. Geographical Distribution
    Geolocation data of the IP addresses, showing the physical locations of servers and other devices, which can illustrate the geographical reach of the organization’s infrastructure.
  3. Device and Service Footprint
    Information about the servers, including web servers, mail servers, and other application servers, detailing the technologies and software versions in use.
  4. Technological Profile
    The technology stack used by the organization, including web server types, programming languages, and content management systems (CMS), which can inform about the organization’s technical capabilities and preferences.
  5. External Partnerships
    Digital presence on SaaS platforms such as Slack, Atlassian, DocuSign, ServiceNow, etc. Content Delivery Networks (CDNs) or third-party services (like DDoS protection or external WAF) in use, which can be relevant for understanding dependencies and external partnerships.
  6. Security Posture
    Exposed services and open ports that might be vulnerable or misconfigured, indicating potential security risks. Specific vulnerabilities associated with the devices and services identified, based on known vulnerabilities of the software versions detected.
  7. Web Content and Metadata
    Snapshot or metadata of web content hosted by the organization, which can include titles, descriptions, and keywords. Searching resources published on subdomains can sometimes even lead to sensitive documents.

Let’s explore a few particular information gathering areas to grasp the depth of this subject.

Company Email Addresses

APIs designed to retrieve publicly available organization emails can significantly streamline OSINT and cybersecurity tasks. Netlas may not primarily focus on supplying contact information, yet it can serve as one of your data sources for this purpose.

Contacts Lookup Example

Given the breadth of Netlas’s data collections, you’re apt to discover numerous relevant contacts for the businesses you’re targeting. You can retrive data from:

  • Internet scan data (not only http, but dozens of supported protocols);
  • WHOIS data for domains and IP addresses;
  • SSL certificates.

Through the API, accessing contacts from Netlas’s extensive data archives is straightforward. If you are regulary encounter this task, you can download a Python script that searches for email addresses by given domain name in all data collections. This and many others handy scripts published on one of Netlas Github repositories.

Netlas scripts repo

Search for Internal Documents

Subdomains are often used to host various internal services, such as development environments, staging areas, and internal documentation. If this documentation are accidentally exposed to the public internet, it can become a treasure trove of sensitive information.

There are two strong reasons to use Netlas in addition to traditional search engines to find document links:

  • While search engines such as Google may not scan subdomains that employ robots.txt or noindex tags, Netlas archives responses from all known subdomains.
  • Utilizing Netlas in conjunction with other search engines ensures that you’re accessing previously gathered data, rather than directly interacting with a company’s infrastructure. Consequently, your activities remain untraceable.
netlas-scripts % python3 | grep employ    

In the Netlas Scripts repository, you’ll find another handy script. This script iterates through scan outcomes for a specific domain and all its subdomains, searching for links to files, like TXT, DOCX, PDF and others.

We considered only two small areas of information collection. Using the API, you can expand or build your own solution for OSINT investigations. Refer to the documentation and sample scripts to learn more about the Netlas API.

Netlas scripts repoDocumentation

Get your free account!

Sign up to get up to 50 requests/day for free