Key Takeaways
- OSINT uses publicly available information
- Passive recon leaves no trace on target
- People research reveals attack vectors
- Document findings thoroughly
1. What is OSINT?
Open Source Intelligence (OSINT) is the collection and analysis of publicly available information. It's used in security research, threat intelligence, investigations, and penetration testing reconnaissance.
OSINT Sources
- Search engines and archives
- Social media platforms
- Public records and databases
- Domain and IP information
- Code repositories
- News and media
2. Domain & Infrastructure OSINT
```bash
# Domain enumeration
whois example.com
dig example.com ANY   # many resolvers refuse ANY (RFC 8482); query A, AAAA, MX, NS, TXT individually if so
host -a example.com
# Subdomain discovery
subfinder -d example.com
amass enum -passive -d example.com
assetfinder example.com
# DNS history
# SecurityTrails, DNSDumpster, PassiveTotal
# Certificate transparency (%25 is the URL-encoded wildcard "%")
curl -s "https://crt.sh/?q=%25.example.com&output=json"
# or use ctfr, certspotter
# IP information
# Shodan, Censys, ZoomEye
shodan host 1.2.3.4
# Historical data
# Wayback Machine: web.archive.org
```
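Certificate transparency logs are also a defensive inventory tool: every certificate issued for your apex shows up there, including ones you did not request. As an added example (not code from the original page), this Python parser handles the JSON that crt.sh returns with `output=json`; it runs on a constructed sample so it works offline, with the field names following crt.sh's output and every certificate value invented for the example.

```python
import json
import re

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json). Field names follow the
# real service; the certificate values below are invented for this example.
SAMPLE_CRTSH_JSON = r"""[
  {"id": 1, "common_name": "www.example.com",
   "name_value": "www.example.com\nexample.com"},
  {"id": 2, "common_name": "*.example.com",
   "name_value": "*.example.com\nexample.com"},
  {"id": 3, "common_name": "Mail.Example.com",
   "name_value": "Mail.Example.com\nsmtp.example.com"},
  {"id": 4, "common_name": "dev.example.com.evil.net",
   "name_value": "dev.example.com.evil.net"},
  {"id": 5, "common_name": "vpn.example.com",
   "name_value": "vpn.example.com\nvpn.example.com"}
]"""

# One DNS label per group; an optional leading "*." keeps wildcard SANs.
HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$")


def extract_hostnames(crtsh_json: str, apex: str) -> set:
    """Return lower-cased hostnames under `apex` seen in a crt.sh response.

    `name_value` carries every SAN on a certificate, newline separated, so
    one entry can yield several names. Names that merely *contain* the apex
    (e.g. dev.example.com.evil.net) are rejected by the suffix check.
    """
    apex = apex.lower().strip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if HOSTNAME_RE.match(name) and (name == apex or name.endswith("." + apex)):
                found.add(name)
    return found


def summarise(crtsh_json: str, apex: str) -> dict:
    """Split the de-duplicated result into concrete hosts and wildcard entries;
    wildcards are reported separately because they are not resolvable names."""
    hosts = extract_hostnames(crtsh_json, apex)
    wildcards = {h for h in hosts if h.startswith("*.")}
    return {"hosts": sorted(hosts - wildcards), "wildcards": sorted(wildcards)}


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_CRTSH_JSON, "example.com"), indent=2))
```

Feed the output of the `curl` command above into `summarise()` and diff the result against your DNS zone: names you never issued certificates for are worth investigating.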
3. People Investigation
```bash
# Email discovery
theHarvester -d company.com -b all
# hunter.io, phonebook.cz (web services)
# Username enumeration
sherlock username
# whatsmyname.app (web service)
# People search engines
# Pipl, Spokeo, BeenVerified (commercial)
# WebMii, PeekYou (free)
# Employee enumeration (the tool logs in with your own LinkedIn account via -u)
linkedin2username.py -u <your_linkedin_login> -c "Company Name"
# Breach data (legally!)
# HaveIBeenPwned API
```
4. Social Media OSINT
Social Media Tools
- Twitter: TweetDeck, Twitonomy, social-searcher
- LinkedIn: linkedin2username, manual research
- Instagram: osintgram, instaloader
- Facebook: Facebook Graph Search, lookup-id.com
```bash
# Instagram OSINT
python3 osintgram.py target_username
```
```text
# Twitter advanced search
from:@username since:2023-01-01
# Google search for leaked pastes
"password" site:pastebin.com
```
5. Technical OSINT
```bash
# Technology profiling
whatweb https://example.com
# wappalyzer (browser extension), builtwith.com
# Code repositories
# Search GitHub, GitLab for:
# - Company name
# - Domain name
# - API keys, credentials
github-dorks.py example.com
gitrob
```
```text
# Google Dorks
site:example.com filetype:pdf
site:example.com inurl:admin
intitle:"index of" "example.com"
```
6. Dark Web Research
```bash
# Accessing .onion sites requires Tor
# Use Tor Browser in a VM
# Dark web search engines:
# - Ahmia
# - DuckDuckGo .onion
# - Torch
# Monitoring tools:
# - IntelX (commercial)
# - Darkfeed
# - SpiderFoot
# CAUTION: Legal and safety risks
# Don't interact or purchase
# Document for legitimate purposes only
```
7. Essential OSINT Tools
- Maltego: Visual link analysis
- SpiderFoot: Automated OSINT
- theHarvester: Email/domain enumeration
- Shodan: Internet-connected devices
- Recon-ng: Full-featured recon framework
- OSINT Framework: osintframework.com
8. Ethics & Legal Considerations
- ✅ Only collect publicly available information
- ✅ Respect privacy and ToS
- ✅ Document your methodology
- ❌ Don't access private accounts
- ❌ Don't use stolen credentials
- ❌ Don't harass or stalk individuals
FAQ
Is OSINT legal?
Collecting publicly available information is generally legal. However, how you use it matters. Harassment, stalking, or unauthorized access is illegal regardless of how you found the information.