Key Takeaways

  • OSINT uses publicly available information for intelligence.
  • Social media is a goldmine for personal and corporate intelligence.
  • Shodan reveals internet-connected devices and their vulnerabilities.
  • Google dorking finds sensitive exposed information.
  • Always verify information from multiple sources.
  • Respect privacy and legal boundaries in investigations.

1. Introduction to OSINT

Open Source Intelligence (OSINT) is the collection, analysis, and use of publicly available information to answer specific intelligence questions. Originally a discipline of intelligence agencies, OSINT is now widely used in cybersecurity, journalism, law enforcement, competitive intelligence, and due diligence investigations.

OSINT sources include websites, social media, public records, news articles, academic publications, satellite imagery, and any other openly accessible information. The skill lies not in accessing secret data, but in finding, correlating, and analyzing public information effectively.

The OSINT Process

1. Requirements: Define what you need to find
2. Collection: Gather relevant data from sources
3. Processing: Organize and filter information
4. Analysis: Draw conclusions from the data
5. Reporting: Present findings clearly

2. Domain & Infrastructure Recon

2.1 WHOIS Lookups

# Domain registration information
whois example.com

# Key information:
# - Registrant name/organization
# - Registration/expiration dates
# - Nameservers
# - Registrar information
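The fields listed in the comments above are what an analyst pulls out of raw `whois` output, and field labels differ between registries. The following is an added example (not code from the original page) that parses a constructed whois record into those fields and computes days to expiry, a check worth running on your own domains so a registration never lapses unnoticed; the sample record and the alias table are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the style of `whois example.com` output; not a real record.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, LLC
   Updated Date: 2024-08-14T07:01:31Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2026-08-13T04:00:00Z
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
   Registrant Organization: Example Holdings Inc.
"""

# Registries label the same datum differently, so each key maps to its aliases.
FIELDS = {
    "registrant": ("registrant organization", "registrant name"),
    "registrar": ("registrar", "sponsoring registrar"),
    "created": ("creation date", "created on", "registered on"),
    "expires": ("registry expiry date", "expiry date", "registrar registration expiration date"),
    "nameservers": ("name server", "nserver"),
}

def parse_whois(text):
    """Return the section's key fields as a dict; nameservers is a sorted list."""
    record = {"nameservers": []}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        for field, aliases in FIELDS.items():
            if key in aliases:
                if field == "nameservers":
                    record["nameservers"].append(value.lower())
                else:
                    record.setdefault(field, value)  # first occurrence wins
    record["nameservers"] = sorted(set(record["nameservers"]))
    return record

def days_until_expiry(record, today=None):
    """Days left on the registration (negative once lapsed); `today` is an
    ISO-8601 timestamp string, defaulting to the current UTC time."""
    def parse(ts):
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
    now = parse(today) if today else datetime.now(timezone.utc)
    return (parse(record["expires"]) - now).days
```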

2.2 DNS Reconnaissance

# Query every record type for the domain itself (ANY does not list subdomains,
# and many resolvers now refuse or minimise ANY responses)
dig example.com ANY

# Zone transfer attempt (usually blocked)
dig axfr @ns1.example.com example.com

# Subdomain enumeration tools
amass enum -d example.com
subfinder -d example.com
assetfinder example.com

2.3 Shodan

Shodan is a search engine for internet-connected devices, revealing servers, webcams, IoT devices, and their vulnerabilities.

# Shodan searches
org:"Target Company"           # By organization
port:22                        # Open SSH
ssl.cert.subject.cn:example.com # By SSL certificate
http.title:"Login"             # Web pages with title
product:"Apache"               # Specific software
vuln:CVE-2021-44228            # Known vulnerabilities

2.4 Certificate Transparency

# Find all certificates issued for a domain and the hostnames they cover
# Sites: crt.sh, censys.io
# %25 is the URL-encoded % wildcard; name_value lists the SAN names, one per line
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u
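Once crt.sh and the enumeration tools from section 2.2 have each produced a host list, the takeaway about verifying findings from multiple sources can be applied mechanically. The following is an added example (not code from the original page or from any of the tools it names) that parses constructed crt.sh JSON and constructed amass/subfinder output, collapses wildcards, drops look-alike names outside the target domain, and reports which hosts more than one source confirms; the DOMAIN constant and the sample data are assumptions.

```python
import json

DOMAIN = "example.com"
# Constructed stand-in for crt.sh `output=json` entries (section 2.4); not real log data.
CRT_SH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com\nMAIL.Example.com"},
    {"common_name": "dev.example.com", "name_value": "dev.example.com"},
    {"common_name": "example.com.other.test", "name_value": "example.com.other.test"},
])
# Constructed output of the enumeration tools from section 2.2, one host per line.
AMASS_OUT = "www.example.com\nmail.example.com\nvpn.example.com\n"
SUBFINDER_OUT = "www.example.com\ndev.example.com\nvpn.example.com\n"

def in_scope(name, domain):
    """True for the apex itself or any name ending in '.<domain>'."""
    return name == domain or name.endswith("." + domain)

def ct_hostnames(raw_json, domain=DOMAIN):
    """Unique lowercase hosts under `domain`: SANs in name_value are newline-separated,
    wildcards collapse to the zone they cover, look-alike names are dropped."""
    hosts = set()
    for entry in json.loads(raw_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name and in_scope(name, domain):
                hosts.add(name)
    return hosts

def tool_hostnames(text, domain=DOMAIN):
    """Parse one-host-per-line tool output, keeping only in-scope names."""
    names = (line.strip().lower() for line in text.splitlines())
    return {n for n in names if n and in_scope(n, domain)}

def correlate(sources):
    """Map each host to the sorted list of sources that reported it."""
    seen = {}
    for source, hosts in sources.items():
        for host in hosts:
            seen.setdefault(host, set()).add(source)
    return {host: sorted(srcs) for host, srcs in seen.items()}

def corroborated(sources, minimum=2):
    """Hosts reported by at least `minimum` independent sources."""
    return sorted(h for h, s in correlate(sources).items() if len(s) >= minimum)
```

Hosts seen by a single source (here `example.com` only via CT, `vpn.example.com` only via DNS tools) are still leads, but they are the ones to re-check before they go into a report.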

3. Social Media Investigation

3.1 LinkedIn

3.2 Twitter/X

# Advanced Twitter searches
from:username           # Tweets from user
to:username             # Replies to user
@username               # Mentions
"exact phrase"          # Exact match
since:2024-01-01        # Date range
near:London             # Location
filter:images           # Only images

3.3 Facebook & Instagram

4. Google Dorking

Google dorks use advanced search operators to find specific information that may not be intended to be public.

# Common Google Dorks
site:example.com                    # Search specific site
filetype:pdf                        # Specific file types
intitle:"index of"                  # Directory listings
inurl:admin                         # URL contains "admin"
"password" filetype:xlsx            # Passwords in spreadsheets

# Sensitive Information
site:example.com filetype:sql       # Database dumps
site:example.com ext:conf           # Configuration files
intitle:"Index of" ".git"           # Exposed Git repos
site:example.com intext:@gmail.com  # Email addresses

# Exposure Detection
site:example.com "error" "warning"  # Error pages
site:pastebin.com "example.com"     # Company data on Pastebin
inurl:"/wp-content/uploads/"        # WordPress uploads

Google Dorking Ethics

Finding exposed data through dorking doesn't give you permission to access or use it. Accessing login pages you find may be illegal. Only use dorking to identify exposures for authorized security assessments or to protect your own organization.

5. Essential OSINT Tools

Tool           Purpose                                      Type
Maltego        Visual link analysis, relationship mapping   Commercial/Free
Shodan         Internet device search                       Free/Premium
theHarvester   Email, subdomain, IP gathering               Free
SpiderFoot     Automated OSINT collection                   Free/Commercial
Recon-ng       Modular recon framework                      Free
Metagoofil     Metadata extraction from files               Free
FOCA           Document metadata analysis                   Free

5.1 theHarvester

# Gather emails and subdomains
theHarvester -d example.com -b all

# Specific sources
theHarvester -d example.com -b google,linkedin,twitter

5.2 Recon-ng

# Start Recon-ng
recon-ng

# Create workspace
workspaces create example

# Add target domain
db insert domains domain=example.com

# Run module
modules load recon/domains-hosts/hackertarget
run

6. People Search Techniques

6.1 Email Investigation

# Check email reputation (user@example.com is a placeholder for the address under review)
curl "https://emailrep.io/user@example.com"

# Find emails for a domain
# Tools: Hunter.io, Snov.io, Clearbit

7. Legal & Ethical Considerations

7.1 Legal Boundaries

7.2 Ethical Guidelines

Responsible Disclosure

If your OSINT reveals security vulnerabilities (exposed databases, leaked credentials), report them responsibly to the affected organization. Many have bug bounty programs or security contacts. Don't exploit or publicize vulnerabilities.

8. Frequently Asked Questions

Is OSINT legal?

Collecting publicly available information is generally legal. However, how you collect it (bypassing access controls, violating ToS) and how you use it (stalking, harassment) can create legal issues. Always have a legitimate purpose and stay within legal boundaries.

How do I protect myself from OSINT?

Minimize your digital footprint: use privacy settings on social media, opt out of data brokers, use unique usernames per platform, avoid oversharing personal details, and regularly Google yourself to see what's exposed.

Conclusion

OSINT is a powerful discipline for security professionals, investigators, and researchers. Master the tools and techniques, but always operate within legal and ethical boundaries. The best OSINT practitioners combine technical skills with critical thinking and responsible conduct.
