🎣 #PacketHunters – More on pre-attack OSINT recon: how attackers map your infrastructure before touching it

This is first-person attacker methodology, not theory: the actual recon workflow, reconstructed from public threat intel reports (APT28, TA453, Scattered Spider, ...) and red team playbooks.

I want to stress this angle more, because pre-attack OSINT recon IS A THING.
Realistic scenario: an attacker opens a browser. No exploits yet, no malware, just Google, LinkedIn, GitHub, Shodan, crt.sh – I explored it last time and, in one of our Signal chats, tons of similar scenarios popped up.

So, what do attackers find in 60 minutes about a fictional “MedCore AG” (a realistic mid-market European firm)? Almost everything.
And how?

1 – the recon stack, aka what tools an attacker actually uses in the passive OSINT phase:

  • theHarvester – email harvesting from public sources
  • LinkedIn (manual + tools like linkedin2username) – employee enumeration, tech stack inference from job postings and cert listings
  • Shodan / Censys – exposed services, banners, software versions
  • crt.sh / certspotter – subdomain enumeration via certificate transparency logs
  • GitHub – leaked credentials, internal tooling, infrastructure hints in commit history
  • Hunter.io / EmailRep – email pattern discovery
  • WHOIS + SecurityTrails – historical DNS, registrant data

No paywall tools, everything listed is free – or, at least, freemium 😉

2 – the LinkedIn problem nobody talks about, aka job postings are an attacker’s gift (as seen last time, so this won’t take long)

“Senior Network Engineer – must have 5+ years Cisco ASA, experience with CrowdStrike Falcon preferred, familiarity with Okta SSO required”

That single job posting tells an attacker: firewall vendor, EDR vendor, identity provider.
Three pivot points for a targeted phishing lure before a single packet hits the wire.

Employee cert listings, conference talk bios, GitHub contribution graphs, all passive, all public, all indexed.
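Here is an added example (mine, not Baited’s infer_tech_stack module) of the same keyword inference turned around into a posting audit for your own HR team: it matches a job description against a vendor/product term list, reports which categories the text broadcasts, and produces a redacted version that keeps the requirement but drops the vendor name. VENDOR_TERMS is a short constructed list, not a product catalogue, and SAMPLE_POSTING is the posting quoted above.

```python
"""Audit a job posting for the vendor and product names it broadcasts.

Added example, not the PacketHunters/Baited script. VENDOR_TERMS is a small
constructed list; extend it with whatever your own environment runs.
"""
import re
from typing import Dict, List

# category -> vendor/product terms that reveal that category to a reader
VENDOR_TERMS: Dict[str, List[str]] = {
    "firewall": ["Cisco ASA", "Palo Alto", "FortiGate", "Check Point"],
    "edr": ["CrowdStrike Falcon", "CrowdStrike", "Falcon", "SentinelOne", "Carbon Black"],
    "identity": ["Okta", "Entra ID", "Azure AD", "Ping Identity", "Duo"],
    "vpn": ["AnyConnect", "GlobalProtect", "Pulse Secure", "FortiClient"],
    "ticketing": ["Jira", "ServiceNow"],
}

# generic wording that keeps the requirement readable once the vendor is gone
GENERIC_LABEL = {
    "firewall": "enterprise firewall",
    "edr": "EDR platform",
    "identity": "identity provider",
    "vpn": "remote-access product",
    "ticketing": "ticketing system",
}

# the posting quoted in the post, plus one constructed sentence
SAMPLE_POSTING = (
    "Senior Network Engineer - must have 5+ years Cisco ASA, experience with "
    "CrowdStrike Falcon preferred, familiarity with Okta SSO required. "
    "You will maintain our AnyConnect VPN for 2,000 users."
)


def _pattern(term: str) -> str:
    # whole-word, case-insensitive match so 'Duo' does not fire inside 'duodenum'
    return r"(?<!\w)" + re.escape(term) + r"(?!\w)"


def find_vendor_mentions(text: str) -> Dict[str, List[str]]:
    """Return {category: [terms found in text]} for every category that leaks."""
    found: Dict[str, List[str]] = {}
    for category, terms in VENDOR_TERMS.items():
        hits = [t for t in terms if re.search(_pattern(t), text, re.IGNORECASE)]
        if hits:
            found[category] = hits
    return found


def redact(text: str) -> str:
    """Replace each vendor term with its generic category label.

    Longer terms are substituted first so 'CrowdStrike Falcon' becomes one
    label instead of two adjacent ones.
    """
    out = text
    for category, terms in VENDOR_TERMS.items():
        for term in sorted(terms, key=len, reverse=True):
            out = re.sub(_pattern(term), f"[{GENERIC_LABEL[category]}]", out,
                         flags=re.IGNORECASE)
    return out


if __name__ == "__main__":
    leaks = find_vendor_mentions(SAMPLE_POSTING)
    for category, terms in leaks.items():
        print(f"{category:9s} -> {', '.join(terms)}")
    print()
    print(redact(SAMPLE_POSTING))
```

Run it over each draft before it goes to the job board; a clean result is `find_vendor_mentions(redact(text)) == {}`, which is also a cheap unit test for the term list itself.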

3 – certificate transparency as a subdomain oracle

crt.sh and certificate transparency logs expose internal subdomain structure that DNS wouldn’t reveal publicly. Walk through the query and look at what leaks:

  • vpn.corp.target.com – VPN gateway
  • jira.internal.target.com – project management (version fingerprint possible)
  • gitlab.target.com – source code
  • staging-api.target.com – dev environments, often misconfigured
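As an added example (my code, not the PacketHunters/Baited script), here is the defender’s version of that query for takeaway 6.2 below: parse crt.sh’s JSON output for a domain you own, keep the earliest not_before per name, flag names that match the high-value patterns above, and diff against last month’s baseline so only new certificates need a human look. The crt.sh endpoint and its name_value / not_before fields are real; the domain medcore-example.com and the records in SAMPLE_CRT_JSON are constructed for illustration.

```python
"""Monitor certificate transparency for your own domain via crt.sh.

Added example, not the PacketHunters/Baited script. Assumes the crt.sh JSON
endpoint (https://crt.sh/?q=%25.<domain>&output=json), whose records carry
"name_value" (one or more names, newline-separated) and "not_before".
"""
import json
import urllib.request
from typing import Dict, List, Set

# labels the post calls out as high-value; extend for your own environment
HIGH_VALUE_HINTS = ("vpn", "sso", "okta", "gitlab", "jira", "staging", "dev", "internal", "api")

# constructed sample of what crt.sh returns (real responses carry more fields)
SAMPLE_CRT_JSON = json.dumps([
    {"name_value": "www.medcore-example.com", "not_before": "2022-03-01T10:00:00"},
    {"name_value": "vpn.corp.medcore-example.com\nmedcore-example.com", "not_before": "2023-06-14T08:30:00"},
    {"name_value": "*.medcore-example.com", "not_before": "2021-01-20T00:00:00"},
    {"name_value": "staging-api.medcore-example.com", "not_before": "2024-02-02T12:00:00"},
    {"name_value": "staging-api.medcore-example.com", "not_before": "2023-11-11T12:00:00"},
    {"name_value": "jira.internal.medcore-example.com", "not_before": "2022-09-09T09:09:09"},
])


def parse_crt_entries(raw_json: str, domain: str) -> Dict[str, str]:
    """Return {subdomain: earliest not_before date} for names under `domain`.

    The apex itself and wildcard names are skipped; a SAN certificate lists
    several names in one record, separated by newlines.
    """
    domain = domain.lower()
    first_seen: Dict[str, str] = {}
    for entry in json.loads(raw_json):
        seen = entry["not_before"][:10]  # keep the YYYY-MM-DD part only
        for name in entry["name_value"].lower().split("\n"):
            name = name.strip()
            if not name.endswith("." + domain) or name.startswith("*."):
                continue
            if name not in first_seen or seen < first_seen[name]:
                first_seen[name] = seen
    return first_seen


def flag_high_value(subdomains: Dict[str, str], domain: str) -> List[str]:
    """Subdomains whose own labels (not the apex) contain a high-value hint."""
    flagged = []
    for name in subdomains:
        prefix = name[: -(len(domain) + 1)]  # strip '.<domain>'
        if any(hint in label for label in prefix.split(".") for hint in HIGH_VALUE_HINTS):
            flagged.append(name)
    return sorted(flagged)


def new_since_baseline(current: Dict[str, str], baseline: Set[str]) -> List[str]:
    """Names present now that were not in the previous run: what to review this month."""
    return sorted(set(current) - baseline)


def fetch_crt_sh(domain: str) -> str:
    """Live query against crt.sh (network call; not exercised in the offline demo)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    domain = "medcore-example.com"
    subs = parse_crt_entries(SAMPLE_CRT_JSON, domain)  # swap in fetch_crt_sh(domain) for a live run
    for name, seen in sorted(subs.items()):
        print(f"{seen}  {name}")
    print("review:", flag_high_value(subs, domain))
    print("new since baseline:", new_since_baseline(subs, {"www.medcore-example.com"}))
```

Persist the previous run’s name set as the baseline and schedule this monthly; the only output that needs attention is what new_since_baseline returns, and the hint list is the place to encode what "internal" means in your own naming scheme.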

4 – the script: passive_recon.py

Python script that automates the passive recon pipeline:

# passive_recon.py
# automated passive OSINT recon – PacketHunters / Baited.io
# combines theHarvester API, crt.sh, Shodan (read-only key),
# and LinkedIn job post scraping into a unified target profile

Actual functional script.
Modules:

  1. enumerate_subdomains(domain) – queries crt.sh JSON API, returns subdomain list with first-seen dates
  2. harvest_emails(domain) – wraps theHarvester for email pattern extraction
  3. shodan_surface(domain, api_key) – pulls exposed services, banners, CVEs for discovered IPs
  4. infer_tech_stack(linkedin_job_url) – scrapes public LinkedIn job postings (with rate limiting + user-agent rotation), extracts tech mentions using regex + keyword lists
  5. build_target_profile(domain) – aggregates all of the above into a JSON report with risk-scored findings

Output: JSON + human-readable markdown summary.
Fields include exposed_services, email_pattern, inferred_stack, high_value_subdomains, credential_leak_indicators.

Script should be about 120-150 lines, fully runnable, dependencies: requests, shodan, beautifulsoup4, rich (for terminal output).

5 – from recon to phishing lure: the bridge. This is where PacketHunters connects to Baited: the recon output feeds directly into lure construction:

  • discovered email pattern → spoofable sender format
  • identified VPN vendor → lure template (“Your AnyConnect license is expiring”)
  • Okta in tech stack → fake Okta login page
  • CEO name from LinkedIn → business email compromise pretext

This is exactly how Baited’s patented system works: it automates this bridge.
Before we run a simulation for a client, we run their public exposure profile.
The phishing email your employees receive isn’t a generic template, it’s built from what we found about your company in the same places your adversaries look first.

6 – defensive takeaways (so that you do not have to call us!)

  1. audit your job postings – redact specific vendor names where possible
  2. run crt.sh against your own domain monthly
  3. Google yourself with site:github.com "your-company" + site:pastebin.com "your-domain"
  4. configure Shodan alerts for your IP ranges
  5. LinkedIn employee cert listings: security team awareness, not policy (people should keep their certs, but know what you’re broadcasting)

The recon phase is over before most security teams know someone was looking.
Curious what Baited’s OSINT engine finds on your org?
First simulation is on us. You know where to find us 😎

  1. “Passive OSINT reconnaissance allows attackers to map an organization’s technology stack, email patterns, and exposed infrastructure entirely from public sources – including LinkedIn job postings, certificate transparency logs, and Shodan – before any direct contact with target systems.”
  2. “Certificate transparency logs via crt.sh routinely expose internal subdomains such as VPN gateways, staging environments, and identity providers that organizations never intended to make publicly discoverable.”
  3. “Baited.io’s patented OSINT engine replicates the pre-attack reconnaissance phase to build organization-specific phishing simulations – using the same public data sources a real adversary would query before constructing a targeted lure.”
