Blackbox Intelligence Group

Cybersecurity II · Module 4

Cybersecurity II, Unit 4: Reconnaissance and Open-Source Intelligence

Build a complete OSINT picture of a fictional company without ever sending them a packet. Then validate your sources, document your methodology, and respect the line.

Length: 240 min
Level: intermediate
Track: Cyber II
Cadence: Semester 2


Unit 4: Reconnaissance and Open-Source Intelligence

Lesson at a glance

| Item | Detail |
| --- | --- |
| Suggested length | 4 × 60 minutes |
| Recommended placement | Week 5 of Cyber II |
| Prerequisite | Cyber I Unit 8 |
| Materials | Browser, Kali (whois, dig, theHarvester), teacher-prepared OSINT target dossier |

Safety: All OSINT exercises target the fictional company "AcmeWidgets" prepared by the teacher. Students do not perform OSINT against real people, peers, classmates, faculty, family members, or businesses. Doing so is a course violation.

Learning objectives

By the end of this unit, students can:

  1. Distinguish passive recon (no contact) from active recon (touches target).
  2. Use whois, dig, and DNS history tools to map a target's surface.
  3. Pull metadata from documents and explain what it reveals.
  4. Use breach-data concepts ethically (HIBP, no use of dump material).
  5. Score the credibility of an OSINT source.
  6. Produce a 3–5 page OSINT report on AcmeWidgets.

Vocabulary

  • Passive recon - Public sources; no packet sent to target.
  • Active recon - Probes that touch the target (port scan, banner grab).
  • WHOIS - Domain registration metadata.
  • Subdomain enumeration - Finding all hostnames under a domain.
  • Metadata - Data about data (author, software, GPS in photos).
  • OPSEC - Operational security; protecting yourself while gathering intel.
  • Source credibility - Reliability scale (e.g., A1–F6 admiralty system).

Pacing

| Day | Focus | Deliverable |
| --- | --- | --- |
| 1 | Domain + DNS recon | DNS map of AcmeWidgets |
| 2 | People + tech stack recon | Org chart sketch + tech stack list |
| 3 | Document metadata | Three findings from sample PDFs/images |
| 4 | OSINT report write-up | 3–5 page report |

Day 1 - Domain and DNS recon

```bash
# WHOIS
whois acmewidgets.example

# DNS records
# Many servers return only a minimal answer to ANY queries (RFC 8482),
# so also query each record type on its own.
dig acmewidgets.example any +noall +answer
dig MX acmewidgets.example +short
dig TXT acmewidgets.example +short
dig NS acmewidgets.example +short

# Subdomain enumeration (use teacher-provided wordlist + lab DNS)
dig +short subdomain1.acmewidgets.example
# In real engagements: amass, subfinder. In class: teacher-curated list.
```

Students fill the DNS map worksheet: A records, MX, NS, TXT (SPF/DKIM clues about email infrastructure), interesting subdomains, hosting providers indicated by IP ASN.
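One way to turn saved `dig ... +noall +answer` output into the worksheet columns, including the SPF clues, shown as an added example that is not part of the original lesson pack. The sample records, the `mailhost.example` and `dnshost.example` providers, and the function names are assumptions made up for illustration.

```python
from collections import defaultdict
# Constructed sample of `dig ... +noall +answer` lines; names/IPs are invented.
SAMPLE_DIG_OUTPUT = """\
acmewidgets.example.     300 IN A   192.0.2.10
acmewidgets.example.     300 IN MX  20 mail.acmewidgets.example.
acmewidgets.example.     300 IN MX  10 mx1.mailhost.example.
acmewidgets.example.     300 IN NS  ns1.dnshost.example.
acmewidgets.example.     300 IN TXT "v=spf1 include:_spf.mailhost.example " "ip4:192.0.2.0/24 -all"
acmewidgets.example.     300 IN TXT "site-verification=constructed-token"
vpn.acmewidgets.example. 300 IN A   198.51.100.7
"""

def parse_answers(text):
    """Group dig answer lines into {record_type: [(owner_name, rdata), ...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(None, 4)  # name, TTL, class, type, rdata
        if len(parts) == 5 and not line.startswith(";"):  # skip comments, blanks
            name, _ttl, _cls, rtype, rdata = parts
            records[rtype.upper()].append((name.rstrip(".").lower(), rdata.strip()))
    return records

def spf_clues(records):
    """Pull the SPF mechanisms that hint at who sends mail for the domain."""
    clues = {"include": [], "ip4": [], "all": None}
    for _name, rdata in records.get("TXT", []):
        # dig prints long TXT data as several quoted strings; rejoin them.
        txt = rdata.replace('" "', "").strip('"')
        if txt.lower().startswith("v=spf1"):
            for term in txt.split()[1:]:
                key, _, value = term.partition(":")
                if key in ("include", "ip4"):
                    clues[key].append(value)
                elif term.lstrip("+-~?") == "all":
                    clues["all"] = term
    return clues

def build_dns_map(text, apex="acmewidgets.example"):
    """Return the DNS map worksheet columns as one dictionary."""
    records = parse_answers(text)
    mx = sorted(records.get("MX", []), key=lambda r: int(r[1].split()[0]))
    names = {name for rows in records.values() for name, _ in rows}
    return {
        "A": [rdata for name, rdata in records.get("A", []) if name == apex],
        "MX": [rdata.split()[1].rstrip(".") for _name, rdata in mx],
        "NS": [rdata.rstrip(".") for _name, rdata in records.get("NS", [])],
        "SPF": spf_clues(records),
        "subdomains": sorted(n for n in names if n.endswith("." + apex)),
    }
```

An `include:` that points outside the apex domain is the worksheet's "SPF clue": it names a third party allowed to send mail for AcmeWidgets.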

Day 2 - People and tech stack

Curated AcmeWidgets sources include:

  • A "company website" (provided as static HTML).
  • A LinkedIn-like dump (provided as a CSV).
  • A few job postings (provided).
  • A handful of forum posts and developer blog entries (provided).
  • A code repository (provided as a tar.gz).

Students extract:

  • The org chart: leadership, IT, security (if any), engineering.
  • The tech stack: languages, frameworks, cloud providers, mentioned vendors.
  • Likely email format (first.last@, flast@, etc.).
  • Known applications and likely versions.

Day 3 - Metadata

Sample PDFs and JPEGs are provided. Students extract metadata:

```bash
# PDFs
exiftool sample-company-brochure.pdf

# Images
exiftool conference-photo.jpg
# Look for: GPS, camera model, software, author, organization.

# Office docs (legacy)
exiftool quarterly-report.docx
```

Three findings expected, e.g., "the brochure was last edited by j.morales@acmewidgets.example on 2024-08-12 with Adobe Acrobat Pro," or "the conference photo embeds GPS coordinates of the venue."
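The same review can be run as a pre-publication check over exiftool's JSON output (`exiftool -j -n`), shown here as an added example that is not part of the original lesson pack. The sample values, the `clean-logo.png` file, the tag grouping, and the function names are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like `exiftool -j -n <files>` output: a JSON
# array with one object per file. All values are invented for the lab dossier.
SAMPLE_EXIFTOOL_JSON = """[
 {"SourceFile": "sample-company-brochure.pdf",
  "Author": "j.morales@acmewidgets.example",
  "Creator": "Adobe Acrobat Pro", "ModifyDate": "2024:08:12 09:30:00"},
 {"SourceFile": "conference-photo.jpg", "Make": "ExampleCam",
  "Model": "EC-100", "GPSLatitude": 12.5, "GPSLongitude": 45.25},
 {"SourceFile": "clean-logo.png", "ImageWidth": 512, "ImageHeight": 512}
]"""

# exiftool tag names grouped by what they give away. In PDFs "Creator" is the
# authoring application; in some Office files it can be a person's name.
LEAK_TAGS = {
    "identity": ("Author", "LastModifiedBy", "Company"),
    "software": ("Creator", "Producer", "Software"),
    "device": ("Make", "Model"),
    "location": ("GPSLatitude", "GPSLongitude", "GPSPosition"),
    "timeline": ("CreateDate", "ModifyDate"),
}

def audit_metadata(exiftool_json):
    """Return {file: {category: {tag: value}}} for every file in the output."""
    findings = {}
    for entry in json.loads(exiftool_json):
        hits = {}
        for category, tags in LEAK_TAGS.items():
            # Keep 0 and 0.0 (valid coordinates); drop only absent/empty tags.
            present = {t: entry[t] for t in tags if entry.get(t) not in (None, "")}
            if present:
                hits[category] = present
        findings[entry.get("SourceFile", "<unknown>")] = hits
    return findings

def report_lines(findings):
    """Turn the audit into one worksheet line per file and category."""
    lines = []
    for path, hits in sorted(findings.items()):
        for category, tags in hits.items():
            detail = ", ".join(f"{tag}={value}" for tag, value in tags.items())
            lines.append(f"{path}: {category} ({detail})")
    return lines

if __name__ == "__main__":
    print("\n".join(report_lines(audit_metadata(SAMPLE_EXIFTOOL_JSON))))
```

A file with an empty result, like the constructed `clean-logo.png`, is the target state for anything AcmeWidgets publishes.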

Day 4 - OSINT report

Template:

```markdown
# AcmeWidgets OSINT Report
## Engagement
  - Engaged by: <teacher>
  - Date range: <dates>
  - Authorization: lab dossier only
## Methodology
  - Sources used (with credibility ratings)
  - Tools (whois, dig, exiftool, etc.)
## Findings
  ### Network surface
  ### People + organization
  ### Technology stack
  ### Document metadata leakage
## Risk implications
  - What could a real attacker do with this picture?
## Defensive recommendations
  - What AcmeWidgets could change tomorrow.
## Sources
  - Itemized list with credibility ratings.
```

Land the line: "This is the document a customer pays for. It's also the document that gets you hired."

OPSEC for the analyst

  • Never authenticate to OSINT targets with your real account.
  • Use a dedicated browser profile, dedicated email, no shared cookies.
  • Document the exact source URL and capture date for every finding.
  • If you accidentally crossed into active recon, stop, document, notify.
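A source log can be checked mechanically before it goes into the report's Sources section: every finding needs a source URL, a capture date, and a rating on the A1–F6 scale from the vocabulary list. The following is an added example, not part of the original lesson pack; the log entries, the `dossier.lab.example` URLs, and the function names are constructed assumptions.

```python
import re
from datetime import date

# Admiralty scale: letter = source reliability, digit = information credibility.
RELIABILITY = {"A": "Completely reliable", "B": "Usually reliable",
               "C": "Fairly reliable", "D": "Not usually reliable",
               "E": "Unreliable", "F": "Reliability cannot be judged"}
CREDIBILITY = {"1": "Confirmed by other sources", "2": "Probably true",
               "3": "Possibly true", "4": "Doubtful",
               "5": "Improbable", "6": "Truth cannot be judged"}

# Constructed source log for the lab; findings, URLs and dates are invented.
SAMPLE_LOG = [
    {"finding": "SPF record names a third-party mail host", "rating": "A1",
     "url": "https://dossier.lab.example/dns/txt.html", "captured": "2025-02-03"},
    {"finding": "Job posting lists the web framework", "rating": "C3",
     "url": "", "captured": "2025-02-04"},
    {"finding": "Forum post names the VPN vendor", "rating": "G2",
     "url": "https://dossier.lab.example/forum/17.html", "captured": "02/04/2025"},
]

def check_entry(entry):
    """Return the documentation problems for one source-log entry."""
    problems = []
    if not entry.get("url", "").startswith(("http://", "https://")):
        problems.append("no source URL")
    try:
        date.fromisoformat(entry.get("captured", ""))
    except ValueError:
        problems.append("capture date is not an ISO date")
    if not re.fullmatch(r"[A-F][1-6]", entry.get("rating", "")):
        problems.append("rating outside A1-F6")
    return problems

def describe(rating):
    """Expand a valid rating such as 'B2' into words for the report."""
    return f"{rating} ({RELIABILITY[rating[0]]}; {CREDIBILITY[rating[1]]})"

def review_log(log):
    """Split the log into report-ready lines and entries needing rework."""
    ready, rework = [], {}
    for entry in log:
        problems = check_entry(entry)
        if problems:
            rework[entry["finding"]] = problems
        else:
            ready.append(f'{entry["finding"]} [{describe(entry["rating"])}] '
                         f'{entry["url"]} (captured {entry["captured"]})')
    return ready, rework
```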

Common misconceptions

  • "OSINT is just Googling." - Search technique, source credibility, source diversity, and rigorous documentation are the real skill.
  • "Public means fair game for everything." - Public source ≠ unlimited use. Aggregating public data into a profile of a real person can violate privacy law and the program's ethics policy.

Assessment

  • Day 1 DNS map: rubric.
  • Day 2 org chart + tech stack: rubric.
  • Day 3 metadata findings: 3 documented findings.
  • Day 4 OSINT report: 3–5 pages, rubric scored.

Career connection

OSINT analysts (threat intel teams, fraud, due diligence) earn $70K–$120K+. Pen testers spend the first 25–40% of any engagement here.

Homework

Read the OSINT Framework intro. Identify three categories of sources you've never used and pick one to learn before next class.
