OSINT & Proxies

Week 5 of Penetration Testing course.

Course material: https://terokarvinen.com/2022/tunkeutumistestaus-ict4tn027-3010-syksylla-2022/

Environment: VirtualBox VM running Kali Linux. VM has 2 GB of RAM and 80 GB of disk space.

Bellingcat OSINT

Objective: Read and summarize a Bellingcat OSINT guide of your choosing.

I read Bellingcat’s Invitation Is Waiting For Your Response: An Investigative Guide To LinkedIn .

  • Search for Linkedin profiles via the Linkedin search bar or using Google. Try using hidden search operators such as site:linkedin.com and double quotes (""). There work in Google but Linkedin also has its own hidden search operators.
  • Use other tools that return contact information based on a Linkedin profile.
  • Search the Linkedin profile photo in Yandex and Google reverse image search to find more profiles.
  • Try looking at the Linkedin profiles endorsers’ friends lists on other platforms such as Facebook to find profiles.

OSINT Finland

Objective: Many OSINT guides focus on a few bigger countries. Describe an OSINT source that is specific to Finland.

Finnish companies have a lot of information public information about them. To find information, use sites like finder.fi which gathers information from ytj.fi, asiakastieto.fi, and fonecta.fi among others. In particular you can find out a companies board members and what other boards they sit on.


Objective: Install OWASP ZAP. Browse the web and show that the traffic shows up in the proxy.


Written from memory since I already had ZAP installed: I downloaded the Linux installer from zaproxy.org and ran the installer with bash.


I launched ZAP from the Applications panel in Kali.


I selected to not store my session and clicked Start.

option screen

I clicked on Manual Explore in the Quick Start menu.

quick start

I set the URL to https://www.wikipedia.org and clicked Launch Browser.

manual explore

The ZAP HUD start screen popped up. I clicked on Continue to target.

zap hud

I clicked on the English wikipedia page and looked at the ZAP log. ZAP was logging hundreds of alerts relating to web vulnerabilities and a bunch of HTTP requests the page made. Below is a GET request the page made to a picture.

zap traffic

ZAP certificate

Objective: Intercept TLS encrypted traffic with ZAP.

I followed this guide on how to create a self-signed TLS certificate.

I started by creating a directory called certs.

$ cd /
$ mkdir certs
$ cd certs/

I created the private and public key for the certificate with openssl. Further explanations for the command parameters can be found in the source article.

$ openssl req -newkey rsa:4096  -x509  -sha512  -days 365 -nodes -out certificate.pem -keyout privatekey.pem

I answered the questions the command required.


I returned to the ZAP proxy Firefox session and went to Settings and searched for Certificates. I clicked on View Certificates.

firefox search

In the Certificate Manager on the Authorities tab I clicked on Import and selected the certificate.pem file I had created.

cert manager

cert file

In the popup I clicked on “Trust this CA to identify websites.”.

cert trust

I could now see my certificate listed.

cert list

Not sure if I should just use the ZAP certificate and set it so that it’s trusted by the browser.

Update 4.12.2022:

I checked some of the other reports of this assignment (Github: OskarBer, mansicka). It seems like I had the OWASP Root CA certificate up and running the whole time. Because I launched Firefox from Manual Scan option in ZAP, in automatically added the OWASP certificate.

I viewed the site certificate in Firefox to make sure.

zap certificate


Objective: Install mitmproxy. Surf the web and show the traffic in the proxy.

I already had mitmproxy preinstalled in Kali Linux.

I installed Foxyproxy extension to Firefox and configured it to send all traffic to localhost port 8081.

foxyproxy settings

I ran mitmproxy on port 8081.

$ mitmproxy -p 8081

I connected to a Metasploitable 2 VM I had running in the same network and a public HTTP site (source: OskarBer). Mitmproxy logged the traffic.

mitmproxy traffic

Mitmproxy TLS

Objective: Intercept TLS-encrypted traffic with mitmproxy.

I found mitmproxy’s documentation on certificates. With the proxy on I went to the address mitm.it in Firefox. There I found instructions on how to install the certificate.

mitmrproxy cert guide

After downloading the certificate, I navigated to my downloads directory, moved the certificate to under the /usr/ directory, and updated certificates.

$ cd Downloads/
$ mv mitmproxy-ca-cert.pem /usr/local/share/ca-certificates/mitmproxy.crt
$ sudo update-ca-certificates

I imported the certificate to Firefox in Settings > Certificates. I tried browsing tuomasvalkamo.com and it worked. I double-checked that the certificate used was indeed mitmproxy.

it works

mitmproxy logs

Proxy WebGoat

Objective: Solve a WebGoat lesson of your choice using a man-in-the-middle proxy like mitm or ZAP.

I decided to solve A3 Sensivite Data Exposure. The goal of this lesson is to intercept traffic. A packet sniffer would be more suitable for this but a proxy does the job as well.

webgoat task

I opened up ZAP and clicked the Firefox button in the top right corner to open up Firefox with ZAP configured as proxy.

zap button

In ZAP, I clicked on the breakpoint button to stop all requests until I approve them.

intercept button

In WebGoat, I clicked on the Log in button and the ZAP overlay HUD popped up with the HTTP request. I could see that the username was CaptainJack and the password was BlackPearl. If I wanted to I could’ve modified the parameters.

zap hud

I entered the credentials to WebGoat and completed the lesson.

task completed

Update 4.12.2022: Finished ZAP certificate assignment. Added Mitmproxy assignment.

Update 11.12.2022: Added mitmproxy TLS assignment. Added WebGoat assignment.


Profile picture

Written by Tuomas Valkamo who is studying IT at Haaga-Helia University of Applied Sciences.

Check out my GitHub. or Connect with me.

© 2022 Tuomas Valkamo