CTF · Lesson 15 · 30 min read

NCL: Open Source Intelligence

Extracting information from publicly available sources using command-line tools

Open Source Intelligence (OSINT)

OSINT is the process of collecting information from publicly available sources — DNS records, domain registrations, image metadata, HTTP headers, and vulnerability databases. In the National Cyber League, OSINT challenges typically appear first and account for a significant portion of total points.

This page covers the six OSINT skill areas tested in NCL, with the exact tools and commands you need. Each section defines its terms, shows the tool in action, and includes practice questions.

Prerequisites: You should be comfortable with basic shell commands (grep, awk, cut, piping) from Weeks 1-2.


1. Image Metadata with exiftool

Digital photos contain embedded metadata in a format called EXIF (Exchangeable Image File Format) — a standard that stores camera settings, timestamps, GPS coordinates, and other technical data inside the image file itself. Most cameras and phones write EXIF automatically.

exiftool is the standard command-line tool for reading this metadata.

Basic usage

# Dump all metadata from a file
exiftool photo.jpg

This produces dozens of fields. In NCL, you typically need specific values. Use targeted extraction:

# Extract specific fields (-s3 outputs only the value, no label)
exiftool -s3 -CreateDate photo.jpg        # When was it taken
exiftool -s3 -Make photo.jpg              # Camera manufacturer
exiftool -s3 -Model photo.jpg             # Camera model
exiftool -s3 -ImageSize photo.jpg         # Width x Height
exiftool -s3 -ExposureTime photo.jpg      # Shutter speed (e.g., 1/200)
exiftool -s3 -GPSPosition photo.jpg       # GPS coordinates

The -s3 flag suppresses the tag name, outputting only the raw value. This matters in NCL because you can copy-paste the output directly into the answer field.

GPS coordinate conversion

EXIF stores GPS in DMS format (Degrees, Minutes, Seconds): 47 deg 39' 23.40" N. NCL sometimes expects decimal degrees instead. The conversion formula:

Decimal = Degrees + Minutes/60 + Seconds/3600
47 + 39/60 + 23.4/3600 = 47.6565

For West longitudes and South latitudes, the decimal result is negative.

What else stores metadata

exiftool works on more than images. It reads metadata from PDFs (exiftool document.pdf), Office documents, audio files, and video files. The pdfinfo command is an alternative for PDF-specific metadata. The file command identifies the true file type regardless of extension — it reads the file’s magic bytes (the first few bytes that identify the format, like 89 50 4E 47 for PNG).

Checkpoint: You run exiftool and see "GPSLatitude: 47 deg 39' 23.4" N" and "GPSLongitude: 117 deg 25' 12.8" W". What are the decimal coordinates?

Latitude: 47 + 39/60 + 23.4/3600 = 47.6565
Longitude: -(117 + 25/60 + 12.8/3600) = -117.4202 (negative because West)

Result: 47.6565, -117.4202 — paste these into Google Maps to see the location.
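The conversion above, as an added shell example (not part of the original lesson): dms_to_decimal and gps_position_to_decimal are hypothetical helper names, and the sample coordinate string is constructed in the format that `exiftool -s3 -GPSPosition` prints.

```shell
# Convert one EXIF DMS coordinate, in the form exiftool prints it, to decimal
# degrees. Example input: 47 deg 39' 23.40" N   (hemisphere letter comes last).
# S and W hemispheres give a negative result.
dms_to_decimal() {
  # Strip the ' and " marks so awk sees five fields: 47 deg 39 23.40 N
  printf '%s\n' "$1" | tr -d "'\"" | awk '{
    dec = $1 + $3 / 60 + $4 / 3600
    if ($5 == "S" || $5 == "W") dec = -dec
    printf "%.4f\n", dec
  }'
}

# Split a GPSPosition value ("<lat>, <lon>") and convert both halves.
gps_position_to_decimal() {
  lat=${1%%,*}     # everything before the first comma
  lon=${1#*, }     # everything after the comma and space
  printf '%s, %s\n' "$(dms_to_decimal "$lat")" "$(dms_to_decimal "$lon")"
}

# Constructed sample (the checkpoint coordinates, not output from a real file),
# in the format `exiftool -s3 -GPSPosition photo.jpg` prints.
SAMPLE_GPS="47 deg 39' 23.40\" N, 117 deg 25' 12.80\" W"
gps_position_to_decimal "$SAMPLE_GPS"   # prints: 47.6565, -117.4202
```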


2. DNS Records with dig

DNS (Domain Name System) translates domain names like example.com into IP addresses and other records. The command-line tool dig (Domain Information Groper) queries DNS servers and returns structured results.

Record types

DNS stores several types of records. NCL frequently asks you to identify the correct type for a given purpose:

Type     Purpose                                                        Example query
A        Maps domain to IPv4 address                                    dig A example.com
AAAA     Maps domain to IPv6 address                                    dig AAAA example.com
MX       Mail server for a domain                                       dig MX example.com
NS       Nameserver (who manages DNS for this domain)                   dig NS example.com
TXT      Arbitrary text (SPF email auth, domain verification)           dig TXT example.com
SOA      Start of Authority (zone admin info, serial number)            dig SOA example.com
CNAME    Alias pointing to another domain                               dig CNAME www.example.com
PTR      Reverse lookup (IP to hostname)                                dig -x 93.184.216.34
DNSKEY   DNSSEC public key (verifies the signatures on DNS responses)   dig DNSKEY example.com

Useful dig flags

dig example.com +short          # Concise output (just the answer)
dig example.com +trace          # Follow the full resolution chain from root
dig @8.8.8.8 example.com       # Query a specific DNS server (here, Google's)
dig example.com +noall +answer  # Machine-parseable output (good for scripting)

+short is the most useful flag for NCL — it returns only the answer value, which you can paste directly.
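Scripting over `+noall +answer` output, as an added example that is not from the lesson: the answer lines below are constructed (only example.com's address comes from the PTR row above), and rdata_of, mx_hosts and soa_serial are hypothetical helper names.

```shell
# Constructed `dig ... +noall +answer` output. Columns are:
#   name  ttl  class  type  rdata...
# Record values are made up for this example, not looked up live.
SAMPLE_ANSWER='example.com.  3600   IN  MX   20 alt.mail.example.com.
example.com.  3600   IN  MX   10 mail.example.com.
example.com.  86400  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.  300    IN  A    93.184.216.34'

# Read answer lines from stdin and print the rdata (everything after the type
# column) of each record whose type matches $1.
rdata_of() {
  awk -v want="$1" '$4 == want {
    out = $5
    for (i = 6; i <= NF; i++) out = out " " $i
    print out
  }'
}

# Mail hosts in delivery order: MX rdata is "preference host", and the lowest
# preference is tried first, so sort numerically before dropping the number.
mx_hosts() {
  rdata_of MX | sort -n | awk '{ print $2 }'
}

# The zone serial is the third SOA rdata field (after the two hostnames).
soa_serial() {
  rdata_of SOA | awk '{ print $3 }'
}

printf '%s\n' "$SAMPLE_ANSWER" | mx_hosts     # mail.example.com. then alt.mail.example.com.
printf '%s\n' "$SAMPLE_ANSWER" | soa_serial   # 2024010101
```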

Checkpoint: NCL asks "What DNS record type stores the DNSSEC public key?" What is the answer?

DNSKEY. DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS responses. The DNSKEY record stores the public key used to verify those signatures. Don’t confuse it with DS (Delegation Signer), which chains trust between parent and child zones.


3. Domain Registration with WHOIS

WHOIS is a protocol for querying databases of registered domain names. It returns the registrar (company the domain was purchased through), registration and expiration dates, nameservers, and sometimes the registrant’s contact information (though this is increasingly redacted for privacy under GDPR).

Basic usage

whois example.com

The output format varies by registrar. Key fields to extract:

whois example.com | grep -i "registrar:"      # Who sold the domain
whois example.com | grep -i "creation date"    # When it was registered
whois example.com | grep -i "registry domain"  # Unique domain ID
whois example.com | grep -i "name server"      # DNS servers

Use grep -i (case-insensitive) because different registrars capitalize field names differently.

TLD types

NCL sometimes asks about top-level domain categories:

Type                   Examples            Managed by
gTLD (generic)         .com, .org, .net    Various registries (Verisign for .com)
ccTLD (country code)   .uk, .de, .jp       National organizations
sTLD (sponsored)       .edu, .gov, .mil    Designated organizations (EDUCAUSE for .edu)

Checkpoint: NCL asks "What is the TLD for ewu.edu, and what organization manages it?"

The TLD is .edu, a sponsored TLD managed by EDUCAUSE. Only accredited post-secondary US institutions can register .edu domains.


4. HTTP Headers

When a browser or curl requests a web page, the server sends back HTTP headers — metadata about the response including the server software, content type, caching policy, and security configuration.

Inspecting headers

curl -I https://example.com        # HEAD request (headers only, no body)
curl -i https://example.com        # Full response with headers
curl -v https://example.com        # Verbose (request AND response headers)

Headers NCL tests

Header         Purpose                                        NCL question pattern
User-Agent     Identifies the client software                 “What header identifies the browser?”
Referer        URL of the page that linked to this request    “What header contains the referring URI?”
Accept         Content types the client can handle            “What header specifies accepted content types?”
Server         Web server software and version                Useful for vulnerability research
Content-Type   Format of the response body                    “What header specifies the response format?”

Note: Referer is misspelled in the HTTP specification itself (a typo from RFC 2616 that was never corrected), so the header name is written that way.

Checkpoint: You see "Server: Apache/2.4.49" in the response headers. Why is this significant?

Apache 2.4.49 has a known path traversal vulnerability (CVE-2021-41773) that allows reading files outside the web root. Knowing the exact version lets you search the NVD for the CVEs that apply to it. This is why hardened servers suppress version information with ServerTokens Prod.
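Pulling a header out of `curl -I` output and checking whether the Server header discloses a version, as an added example that is not part of the lesson: the response headers are constructed (the Apache/2.4.49 value is the one from the checkpoint), and header_value, server_disclosure and sample_headers are hypothetical names.

```shell
# Read raw response headers (as `curl -I` prints them) from stdin and print the
# value of the header named in $1. Header names are case-insensitive, and curl
# keeps the CRLF line endings, so the trailing \r is stripped first.
header_value() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr -d '\r' | awk -v want="$want" '
    index($0, ":") {
      name = tolower(substr($0, 1, index($0, ":") - 1))
      if (name == want) {
        sub(/^[^:]*:[ \t]*/, "")   # drop "Name: " and keep only the value
        print
        exit
      }
    }'
}

# Report whether the Server header leaks a version (e.g. Apache/2.4.49) or is
# reduced to the product name, which is what ServerTokens Prod produces.
server_disclosure() {
  server=$(header_value Server)
  case "$server" in
    "")   echo "no Server header" ;;
    */*)  echo "version disclosed: $server" ;;
    *)    echo "product only: $server" ;;
  esac
}

# Constructed response, not captured from a live host; note the lowercase
# "server:" and the CRLF endings, both of which a naive grep would trip over.
sample_headers() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n'
  printf 'server: Apache/2.4.49\r\n'
  printf 'Content-Type: text/html; charset=UTF-8\r\n'
  printf '\r\n'
}

sample_headers | server_disclosure   # prints: version disclosed: Apache/2.4.49
```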


5. PGP Key Lookup

PGP (Pretty Good Privacy) uses public/private key pairs for encryption and signing. Organizations publish public keys on key servers so others can send encrypted messages or verify signatures. NCL tests your ability to search key servers and extract key details.

# Search by email
gpg --keyserver hkps://keyserver.ubuntu.com --search-keys security@example.com

# Download a key by ID
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys ABCD1234

# Show fingerprint (40-character hex identifier)
gpg --fingerprint security@example.com

NCL asks about fingerprints (the 40-hex-character unique ID), creation/expiration dates, and key algorithm (RSA, DSA, ECDSA with key size in bits).


6. Threat Intelligence

NCL includes knowledge questions about famous vulnerabilities and security history. The primary resources:

  • NVD — National Vulnerability Database. Search by CVE ID (CVE-YYYY-NNNNN) or software name.
  • Exploit-DB — public exploit code. CLI: searchsploit [software].

SSL/TLS certificate analysis

# Display a server's certificate
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -text -noout

# Extract issuer and dates
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -dates

# Show full certificate chain
echo | openssl s_client -showcerts -connect example.com:443 2>/dev/null

NCL asks about the certificate issuer (which CA signed it), key size (in bits), and chain length (number of certificates from server to root).

Commonly tested facts

Question                                   Answer
CVE for POODLE attack                      CVE-2014-3566
VSFTPD version with backdoor               2.3.4
First Heartbleed-patched OpenSSL 1.0.1     1.0.1g
Telnet RFC                                 854
SQL Slammer worm size                      376 bytes

Checkpoint: How do you check whether a specific software version has known vulnerabilities?

Search the NVD at nvd.nist.gov with the software name and version. Results show CVE entries with severity scores (CVSS), affected version ranges, and patch links. For actual exploit code, use searchsploit [software] (the Exploit-DB CLI, included in Kali Linux).


Resources

Practice: picoCTF (free, with learning guides) · TryHackMe OSINT rooms · OSINT Framework (tool directory)

Reference: CyberChef (encoding/decoding) · Exploit-DB · Shodan (device search)

Video: John Hammond — OSINT CTF walkthroughs · David Bombal — DNS