Red Team: OSINT Camp
Reconnaissance That Actually Matters
Before any payload, before any phishing link, there’s recon.
This is where successful Red Team operations begin.
OSINT Camp takes you deep into the mindset, tooling, and workflows of professional red team reconnaissance, with a laser focus on what actually drives operational success.
What You’ll Learn
- How to turn public data into real attack surface
- How adversaries map organizations before they strike
- What signals defenders miss that can be exploited
- How to automate and structure your recon pipeline
- How to avoid detection during passive and active recon
This is not about writing reports.
This is about finding weaknesses, patterns, and entry points before anyone knows you’re there.
Lab Format
- Live environments to simulate real-world targets
- Passive and active recon tools provided
- Mix of guided modules and open recon tasks
- Optional reporting structure to simulate client handoff
- Realistic targets with web presence, cloud assets, employee exposure, and infrastructure footprints
OSINT Lab Modules
Lab 1: External Footprint Discovery
Goal: Map the external presence of a simulated company
- Enumerate domains, subdomains, IPs
- Identify hosting providers and CDN usage
- Map linked web applications and tech stacks
- Identify exposed dev/test/staging environments
- Tools: Amass, Subfinder, Shodan, BuiltWith
- Outcome: Structured map of external attack surface
Lab 2: Human Targeting & Social Graphing
Goal: Identify and profile key employees
- LinkedIn and GitHub scraping
- Email format discovery
- Org chart reconstruction
- Public code and credentials exposure
- Tools: Spiderfoot, GitRob, custom scraping scripts
- Outcome: Attacker profile of 2-3 high-value individuals with potential phishing angles
Lab 3: Metadata & Document Mining
Goal: Extract hidden data from public files
- Locate and analyze PDFs, DOCX, XLSX on public websites
- Extract metadata (usernames, file paths, software versions)
- Analyze naming conventions, internal structure clues
- Tools: FOCA, ExifTool, custom PowerShell
- Outcome: Discovery of 2-3 internal usernames or systems
Lab 4: Credential Hunting
Goal: Find real or exposed credentials
- Search for credentials in public repos
- Check past breaches for corporate emails
- Discover reused credentials in forums, pastebins
- Tools: GitHub dorking, DeHashed, HaveIBeenPwned, LeakCheck
- Outcome: Valid (or nearly valid) credential pairs for password spray or phishing targeting
Lab 5: Cloud & SaaS Enumeration
Goal: Identify misconfigured or exposed cloud services
- S3 bucket discovery
- GitHub Actions, CI/CD exposure
- Public Docker registries and artifacts
- Tools: S3Scanner, Gitleaks, TruffleHog, public Terraform/CloudFormation searches
- Outcome: Cloud storage or keys vulnerable to abuse
Lab 6: Recon-to-Exploitation Planning
Goal: Translate intelligence into operational opportunity
- Build a report for phishing, credential reuse, or cloud misconfig
- Create a threat narrative: how an attacker would strike
- Map OSINT findings to MITRE ATT&CK pre-compromise TTPs
- Outcome: A clear, defensible path from passive recon to active engagement
What Makes It Different
- Red team focus: everything is built for action
- Realism: targets are simulated orgs with layered complexity
- Toolchain fluency: use tools like an operator, not a script kiddie
- Operational flow: you’re not gathering for curiosity, but for exploitation
Outcomes
After completing OSINT Camp, you’ll be able to:
- Conduct passive recon without triggering alarms
- Build real human and technical profiles
- Discover exposed infrastructure and misconfigs
- Develop actionable recon that fuels phishing, credential attacks, or cloud entry
- Become the kind of operator that sees what defenders miss
OSINT isn’t the pre-show. It’s act one. And it sets the tone for everything that follows.