From Pentesting to OSINT, Leveraging China's Sources of Information
EPCYBER


Image Credit: Foreign Policy illustrations

If you would rather listen and watch than read, here is a short video in which I walk you through the entire blog post.




Hey everyone. This post explains why our 'Chinese OSINT Investigator' course is the most comprehensive Chinese OSINT course on the market and what makes it unique. We cover scenarios, case studies, examples, guides and visual walkthroughs; we work on expanding your ability to think outside the box; and we teach the art of source development. We also bring our 10+ years of penetration testing experience into the course and take you from A to Z in becoming truly comfortable with the linguistic obstacle. This blog post covers one example out of the several presented in the Resource Book, your guide and best friend for any research or investigation inside China's ecosystem.

To clear up the fog: the pentesting-derived methods and techniques presented in the book are passive, not active. Let's take a scenario from ground zero. You are an OSINT practitioner who wants to identify "interesting" services on Baidu that you can leverage for OSINT purposes. One method is Google dorking with an elimination approach (the same one I use in pentesting for passive subdomain discovery). In the screenshot we applied this elimination method: each time a newly identified resource or subdomain appeared in the results, we excluded it from the next query, and by doing so we passively built a list of "services" under Baidu.

To understand what a service is here: if you see "fanyi" as a subdomain (https://fanyi.baidu.com), that usually represents a translation service, which Chinese companies often offer. So in the elimination method we would add -fanyi to the query (or, more precisely, -site:fanyi.baidu.com, which drops only that host rather than every page mentioning the word) so those results disappear and the next service surfaces. After a few rounds of elimination we observe an interesting subdomain named "wenku", which appears to be a document sharing service offered by Baidu.
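The elimination loop described above, written out as a runnable sketch. This is an added example, not code from the post or from EPCYBER's Resource Book. The search backend is a constructed stand-in that returns canned URLs so the script runs offline (the fanyi and wenku hostnames are the ones the post names; www, tieba and map are assumed for illustration), and the exclusions use the `-site:` form rather than the bare `-fanyi`.

```python
"""Passive subdomain enumeration with the "elimination" Google-dork method.

Added example. `fake_search` stands in for a real search engine so the loop
can be exercised offline; replace it with a rate-limited search client (and
respect that engine's terms) if you want to run the loop for real.
"""
from urllib.parse import urlparse

# Constructed sample results, standing in for a search engine's first page.
# fanyi and wenku are services named in the post; the rest are assumptions.
SAMPLE_RESULTS = [
    "https://www.baidu.com/",
    "https://fanyi.baidu.com/",
    "https://fanyi.baidu.com/translate?query=foo",
    "https://wenku.baidu.com/view/abcdef123456.html",
    "https://tieba.baidu.com/p/123",
    "https://map.baidu.com/",
    "https://www.baidu.com/s?wd=test",
]


def _under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def build_dork(base_domain, excluded_hosts):
    """The elimination dork: site:<base> -site:<host1> -site:<host2> ..."""
    parts = [f"site:{base_domain}"]
    parts += [f"-site:{h}" for h in sorted(excluded_hosts)]
    return " ".join(parts)


def fake_search(dork, page_size=3):
    """Stand-in search engine: applies the dork's site:/-site: filters to the
    canned results and returns at most page_size URLs, mimicking how a real
    first page is dominated by a few hosts (which is why elimination helps)."""
    tokens = dork.split()
    include = [t[len("site:"):] for t in tokens if t.startswith("site:")]
    exclude = [t[len("-site:"):] for t in tokens if t.startswith("-site:")]
    out = []
    for url in SAMPLE_RESULTS:
        host = urlparse(url).hostname
        if not any(_under(host, d) for d in include):
            continue
        if any(_under(host, d) for d in exclude):
            continue
        out.append(url)
    return out[:page_size]


def hosts_from_results(urls):
    """Distinct hostnames seen in a page of result URLs."""
    return {urlparse(u).hostname for u in urls}


def enumerate_subdomains(base_domain, search=fake_search, max_rounds=20):
    """Repeat: query with every known host excluded, collect the new hosts,
    stop when a round surfaces nothing new. Each round's dork grows by the
    hosts found in the previous one; that is the elimination method."""
    known = set()
    for _ in range(max_rounds):
        results = search(build_dork(base_domain, known))
        new = hosts_from_results(results) - known
        if not new:
            break
        known |= new
    return known


if __name__ == "__main__":
    for host in sorted(enumerate_subdomains("baidu.com")):
        print(host)
```

Each round's dork is the previous one plus the hosts it surfaced, so the query for the third round already reads `site:baidu.com -site:fanyi.baidu.com -site:map.baidu.com ...`; with a real engine you stop when a round returns only hosts you have already listed, or when the query length limit is reached.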

The site looks something like the screenshot above. Now let's understand what this website is, keeping in mind the question: how does it help me for OSINT? I know I have Western resources like Dropbox, Google Drive and many other sources from which to draw insights using tools, scripts or dorks, for example about leaked documents or potentially sensitive data, but how does that apply to a Chinese website?

Let's start by viewing a random file and seeing what we get. Whenever we as the end user view any file on wenku, the URL contains a view/fileID path. How can we leverage this further and turn this website (which initially requires registration or paid VIP access) into a way to find and view many files?

One way is to use Google dorking to narrow our focus to this target website and see what results we get with this custom dork:

We can see that the results are narrowed down to only the desired output: files.

Now that we understand how this website works, we can use it as a source of information (a resource, if you will) that we query for interesting data whenever we need to gather data on X or Y in China.

For the sake of keeping this blog post passive, we are not searching for specific company names, but here are a couple of scenarios and how to think creatively:

1. Search the English company name.
2. Search the Chinese company name (the company's actual Chinese name, not a translation).
3. Pair either name with keywords like "机密" (secret / confidential) or "机密文件" (confidential document); keep in mind these may be written in different variations.
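The three scenarios above turned into a repeatable query list, plus a small parser for the view/fileID URLs the post observes on wenku. This is an added example, not code from the post or the Resource Book. The `inurl:view` hint, the sample company names, the alphanumeric fileID format and the extra keyword variants (绝密, "top secret"; 内部资料, "internal materials") are assumptions for illustration; the exact dork the post shows in its screenshot is not reproduced here.

```python
"""Build site-restricted dorks for a target name and extract fileIDs from
wenku view URLs. Added example; sample names and URLs are constructed."""
import re
from itertools import product
from urllib.parse import urlparse

TARGET_SITE = "wenku.baidu.com"

# The first two terms are from the post; 绝密 (top secret) and 内部资料
# (internal materials) are added variants, assumed for illustration.
CONFIDENTIAL_TERMS = ["机密", "机密文件", "绝密", "内部资料"]


def build_target_dorks(names, terms=CONFIDENTIAL_TERMS, site=TARGET_SITE,
                       path_hint="view"):
    """One dork per (name, term) pair, restricted to the target site.
    The inurl: hint follows the view/<fileID> path shape seen in the post and
    is an assumption about what keeps results to document pages."""
    seen, dorks = set(), []
    for name, term in product(names, terms):
        dork = f'site:{site} inurl:{path_hint} "{name}" "{term}"'
        if dork not in seen:          # name or term lists may overlap
            seen.add(dork)
            dorks.append(dork)
    return dorks


# /view/<fileID> is the shape the post observes; the alphanumeric character
# class for the ID is an assumption, not a documented format.
_VIEW_PATH = re.compile(r"^/view/([A-Za-z0-9]+)(?:\.html?)?$")


def extract_file_id(url):
    """Return the fileID from a wenku view URL, or None for anything else
    (other hosts, other paths). Query strings are ignored."""
    parsed = urlparse(url)
    if parsed.hostname != TARGET_SITE:
        return None
    m = _VIEW_PATH.match(parsed.path)
    return m.group(1) if m else None


def file_ids_from_results(urls):
    """Deduplicated fileIDs from a list of result URLs, in order first seen."""
    ids = []
    for u in urls:
        fid = extract_file_id(u)
        if fid and fid not in ids:
            ids.append(fid)
    return ids


if __name__ == "__main__":
    # Constructed sample names and result URLs, not real targets or results.
    for d in build_target_dorks(["Example Corp", "示例公司"]):
        print(d)
    sample = [
        "https://wenku.baidu.com/view/0123abcd4567ef89.html",
        "https://wenku.baidu.com/view/0123abcd4567ef89.html?from=search",
        "https://wenku.baidu.com/view/ffff0000aaaa1111",
        "https://fanyi.baidu.com/view/notadoc.html",
    ]
    print(file_ids_from_results(sample))
```

Keeping the name and keyword lists separate from the query template is what makes step 3 cheap to extend: when you learn a new variant of the confidential marker, or a company's older Chinese name, you add one string and regenerate the whole set rather than editing dorks by hand.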

Keep in mind that this is only one example of how to creatively turn Chinese websites into sources of information, and you can now add it to your checklist or workflows for OSINT within China's ecosystem or on Chinese companies. Of course there are more complex scenarios that require more research, technical skill and creative thinking; this is a simple case study for the Western investigators out there. You can apply the same thinking to the other sources China offers.


Here's a video if you want to hear a bit about me as the founder, my background, why I created this course, and what skills you actually gain from it. All questions answered there.

If you loved this blog post, give it a like and share it with your network. Our course currently has 30% off for the early U.S. Independence Day sale.

Happy learning! :)
