Building My OSINT Lab for Passive Reconnaissance and Target Profiling
W.Ighodaro
6/18/2026 · 5 min read


I created this Hackademy OSINT Lab to help students understand how passive reconnaissance works in cybersecurity. A lot of beginners hear the word OSINT and think it only means searching Google, but OSINT is much deeper than that. It involves collecting public information, organizing it properly, validating what is useful, and building a clear profile of a target without directly attacking the target.
The lab is based on a fictional company called TerraVault Financial Group. The target domain is terravault.com, and the main objective is to teach students how to investigate a company using passive reconnaissance methods. I wanted the lab to feel realistic, but still beginner-friendly, so students can understand how different OSINT tools connect together.


The first screenshot shows the OSINT terminal and the tool reference section. This is where students can type recon commands and learn what different tools are used for. The tool reference includes tools like whois, dig, nslookup, subfinder, amass, theHarvester, Shodan, exiftool, metagoofil, crt.sh, hunter.io, trufflehog, waybackurls, recon-ng, SpiderFoot, and whatweb.
I added this section because beginners often get overwhelmed by the number of OSINT tools available. Instead of just listing random tools, the lab groups them into a workflow. Some tools are used for domain and DNS information. Some are used for subdomain discovery. Some help with emails and people. Others help with exposed services, metadata, leaked credentials, and historical web data.
The most important lesson from this section is that OSINT should be structured. You do not just run tools randomly. You start with the domain, then move into DNS records, subdomains, employees, public files, exposed services, metadata, and possible credential exposure.


The second screenshot shows the target profile for TerraVault Financial Group. It gives basic information about the company, including the domain terravault.com, the industry, the founding year, and the headquarters. This helps students understand that the first step in OSINT is building context.
The same screenshot also shows discovered subdomains such as www.terravault.com, mail.terravault.com, vpn.terravault.com, remote.terravault.com, portal.terravault.com, and dev.terravault.com. I wanted this part of the lab to show students that subdomains can reveal a lot about an organization’s public-facing infrastructure.
For example, a normal website may not be very risky by itself, but a VPN portal, remote desktop gateway, employee portal, or development environment can be more sensitive. In the screenshot, some subdomains are marked low risk, while others are marked medium or high. This teaches students that OSINT is not only about finding information. It is also about understanding the risk of what you found.
This section is important because subdomain enumeration is one of the most common parts of reconnaissance. A company may protect its main website properly, but forget about old portals, dev environments, staging servers, remote access panels, or outdated services.


The third screenshot shows identified employees from sources like LinkedIn and GitHub. It includes names, job titles, departments, and email addresses. The lab also confirms the email format as {first_initial}.{lastname}@terravault.com.
I included this section because people are a big part of OSINT. In real security work, employee information can help defenders understand exposure risk. Job titles can reveal who might have privileged access, who works in IT, who works in finance, and who may be targeted by phishing or social engineering.
For example, the lab shows users like executives, IT staff, security staff, finance staff, HR staff, and network engineers. This helps students understand that not all employees carry the same risk. A systems administrator, CISO, IT director, or finance executive may be more valuable to an attacker because of their access or role.
The email format lesson is also important. Once a pattern is confirmed, it becomes easier to understand how an organization structures its email addresses. From a defensive point of view, this helps show why companies need to be careful about what employee information is exposed publicly.


The fourth screenshot shows the OSINT challenges. I added challenges because I wanted students to do more than just look at information. They need to prove that they understand the workflow.
The first challenge is to identify the email format used by TerraVault Financial Group. This teaches students how to confirm patterns from public information instead of guessing.
The second challenge is to enumerate all subdomains using at least two different techniques. This is important because relying on one tool can miss results. A good analyst compares results from multiple sources.
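An added example (not part of the lab itself) of comparing two passive sources for this challenge and applying the low, medium and high labels described for the subdomain list. The source names, the sample outputs and the tier assigned to each label are assumptions made for illustration.

```python
from collections import defaultdict

DOMAIN = "terravault.com"

# Constructed sample output from two passive sources (not real tool output).
SOURCE_A = """\
*.terravault.com
www.terravault.com
mail.terravault.com
VPN.terravault.com.
portal.terravault.com
"""
SOURCE_B = """\
www.terravault.com
vpn.terravault.com
remote.terravault.com
dev.terravault.com
terravault.com.evil.example
"""

# Assumed triage tiers keyed on the leftmost label; the lab's own ratings may differ.
RISK_BY_LABEL = {"vpn": "high", "remote": "high", "dev": "high",
                 "portal": "medium", "mail": "medium", "www": "low"}

def normalize(line, domain=DOMAIN):
    """Return a clean in-scope hostname, or None if the line should be dropped."""
    host = line.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]          # wildcard entries collapse to their parent name
    if not host or host == domain or not host.endswith("." + domain):
        return None              # empty, apex only, or out of scope (look-alike suffix)
    return host

def merge(sources, domain=DOMAIN):
    """Map each hostname to the set of source names that reported it."""
    seen = defaultdict(set)
    for name, text in sources.items():
        for line in text.splitlines():
            host = normalize(line, domain)
            if host:
                seen[host].add(name)
    return dict(seen)

def triage(merged):
    """One row per host: risk tier and whether a second source corroborates it."""
    return [{"host": h, "risk": RISK_BY_LABEL.get(h.split(".")[0], "review"),
             "sources": sorted(s), "corroborated": len(s) > 1}
            for h, s in sorted(merged.items())]
```

Hosts seen by only one source are the reason the challenge asks for two techniques: here `remote` and `dev` would be missed with the first source alone.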
The third challenge is to read DNS records, including MX and TXT records. This helps students understand email infrastructure, SaaS usage, domain verification records, and security-related DNS information.
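An added example (not the lab's own code) of what reading MX and TXT records looks like in practice: it pulls the mail provider, the SPF and DMARC posture, and SaaS verification tokens out of record text. The records below are constructed for the fictional domain, and the two vendor prefixes are the only ones this sketch recognises.

```python
import shlex

# Constructed zone-style answers for the lab's fictional domain (not real DNS data).
SAMPLE = '''\
terravault.com. 300 IN MX 10 terravault-com.mail.protection.outlook.com.
terravault.com. 300 IN TXT "v=spf1 include:spf.protection.outlook.com ~all"
terravault.com. 300 IN TXT "MS=ms00000000"
terravault.com. 300 IN TXT "google-site-verification=CONSTRUCTED-TOKEN"
_dmarc.terravault.com. 300 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@terravault.com"
'''

VERIFICATION_PREFIXES = {"MS=": "Microsoft 365", "google-site-verification=": "Google"}
SPF_ALL = {"-all": "hardfail", "~all": "softfail", "?all": "neutral", "+all": "pass-all"}

def parse(text):
    """Yield (owner, rtype, rdata fields) from 'name ttl class type rdata' lines."""
    for line in text.splitlines():
        parts = shlex.split(line)          # keeps each quoted TXT string as one field
        if len(parts) >= 5 and parts[2] == "IN":
            yield parts[0].rstrip(".").lower(), parts[3], parts[4:]

def summarize(text):
    out = {"mx": [], "spf_all": None, "dmarc_policy": None, "verifications": [], "notes": []}
    for owner, rtype, rdata in parse(text):
        if rtype == "MX" and len(rdata) == 2:
            out["mx"].append((int(rdata[0]), rdata[1].rstrip(".")))
        elif rtype == "TXT":
            txt = "".join(rdata)           # multi-string TXT records concatenate
            if txt.lower().startswith("v=spf1"):
                # Simplification: only the final term is checked for an "all" mechanism.
                out["spf_all"] = SPF_ALL.get(txt.split()[-1], "no all mechanism")
            elif owner.startswith("_dmarc.") and txt.startswith("v=DMARC1"):
                tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
                out["dmarc_policy"] = tags.get("p")
            for prefix, vendor in VERIFICATION_PREFIXES.items():
                if txt.startswith(prefix):
                    out["verifications"].append(vendor)
    out["mx"].sort()
    if out["spf_all"] in (None, "neutral", "pass-all", "no all mechanism"):
        out["notes"].append("SPF missing or not restrictive")
    if out["dmarc_policy"] in (None, "none"):
        out["notes"].append("DMARC absent or monitor-only (p=none)")
    return out
```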
The fourth challenge is to find exposed services with Shodan. This teaches students how internet-facing services can reveal VPN portals, outdated software, remote access systems, databases, or other exposed assets.
The fifth challenge is to extract document metadata. This shows how public documents may accidentally reveal usernames, internal hostnames, software versions, or file paths.
The sixth challenge is to find exposed credentials in GitHub repositories using secret-scanning style checks. This teaches students that code repositories can accidentally leak API keys, passwords, tokens, and other sensitive data if developers are not careful.
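An added example (not the lab's code and not how any named tool works internally) of a secret-scanning style check a team could run over its own repository before pushing: fixed patterns plus an entropy test on hardcoded assignments, with values redacted in the report. The file names and every "secret" below are constructed fakes, and the 3.5 bits-per-character threshold is an assumed cut-off.

```python
import math
import re

# Constructed repository files for the fictional company; every value is fake.
FILES = {
    "deploy/config.py": 'DB_PASSWORD = "changeme"\nAPI_TOKEN = "q9Zx7Lp2Vt5Rk8Wm3Nc6Yb1Hd4Jf0Gs"\n',
    "scripts/backup.sh": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000\n",
    "README.md": "Set password = os.environ['DB_PASSWORD'] before running.\n",
}

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_header": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# name = "quoted literal" where the name suggests a credential
ASSIGNMENT = re.compile(
    r"""\b(\w*(?:password|passwd|secret|token|api_key)\w*)\s*[:=]\s*["']([^"']{8,})["']""",
    re.IGNORECASE)

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(value):
    """Keep four characters for triage; never write the full value to a report."""
    return value[:4] + "*" * (len(value) - 4)

def scan(files):
    """Return (path, line, rule, confidence, redacted value) tuples."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    findings.append((path, lineno, rule, "high", redact(m.group(0))))
            for m in ASSIGNMENT.finditer(line):
                # Random-looking literals are likely real keys; low entropy
                # still means a hardcoded (probably weak) password.
                conf = "high" if entropy(m.group(2)) >= 3.5 else "low"
                findings.append((path, lineno, "hardcoded:" + m.group(1).lower(),
                                 conf, redact(m.group(2))))
    return findings
```

The README line is not reported because it reads the value from the environment instead of embedding a literal, which is the pattern the check is meant to push developers toward.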
The main goal of these challenges is to teach students that OSINT is not just collection. It is analysis. You have to find information, confirm it, understand its importance, and explain the risk clearly.
I designed this lab to be passive. That means students are not attacking the target, exploiting systems, or sending aggressive traffic. The goal is to understand what can already be discovered from public sources. This is an important distinction because good OSINT work is about responsible investigation and clear reporting.
Building this lab helped me understand how much information can be exposed without anyone touching a system directly. A company’s domain records, subdomains, employee profiles, public documents, exposed services, archived pages, and code repositories can all reveal useful information. When these pieces are combined, they create a target profile.
This project is important for my portfolio because it shows that I am not only learning offensive and defensive tools. I am also building structured labs that teach investigation, analysis, and reporting. OSINT is a valuable skill because it supports penetration testing, threat intelligence, incident response, fraud investigation, and security awareness.
The biggest lesson from building this lab is that reconnaissance should always be organized. A beginner should not just collect random information. They should ask: What did I find? Where did it come from? Is it verified? Why does it matter? What risk does it create? How should it be reported?
Overall, the Hackademy OSINT Lab gave me a practical way to teach passive reconnaissance and target profiling. It helps students move from basic searching to structured analysis by using tools, challenges, and evidence-based thinking. The lab shows that OSINT is not about guessing. It is about collecting public information carefully and turning it into useful security intelligence.
