A Collection of 7 Essential OSINT Tools

WILD (Administrator, Staff member), joined Jan 21, 2025
OSINT isn't hacking, cracking, or dark magic. It's simply the ability to Google, but systematically. Some people collect information on people, some mine domains, and some search for leaks. There are tons of tools, but if you're just getting started, here's a list of what's actually used, not what's sitting on "top 100 OSINT tools" lists.

I've been through this myself, tried half of it, and tossed the rest. I kept only what was truly necessary at the start. No fluff, to the point.

1. Maltego — Relationship Graphs

This thing builds a relationship map. You throw in an email, domain, name, or nickname, and it crawls databases, whois, social media, and DNS, building everything into a graph.

What it can do:

· Find connections between domains and email addresses
· Show which servers share the same IP address
· Pull data from social networks (if modules are available)

Pros: Visual, you can click and drill down. Cons: The paid version is for large volumes, the free version is limited.

Who needs it: If you need to quickly understand how objects are related—people, domains, email addresses.

2. theHarvester — Email and Subdomain Collection

A console utility that simply collects email addresses and subdomains from search engines and other public sources.

How it works:

· Enter a domain
· Select a source (Google, Bing, LinkedIn, PGP servers)
· Get a list of found email addresses and subdomains

Example:

```
theHarvester -d example.com -b google
```

In a couple of minutes, you can see which email addresses are showing up in open sources.

Pros: Fast, free, works out of the box. Cons: Only what's indexed by search engines.

Who needs it: For initial reconnaissance before phishing or pentesting.

3. Shodan – Device Search Engine

This isn't Google for websites, it's Google for servers, cameras, routers, and everything else that's on the internet.

What can be found:

· Open CCTV cameras
· Password-less databases
· Industrial controllers
· Old vulnerable services

Example request:

```
port:21 Anonymous
```

Finds FTP servers with anonymous access.

Pros: You can see the target's infrastructure, even if it doesn't show up in a regular search. Cons: Free access is limited, and you have to pay for a full search.

Who needs it: Network analysis, finding unused services, and checking whether your own server is exposing an open port.

4. SpiderFoot – Automatically collects everything

Launch it on a domain or IP, and it starts collecting everything it can from open sources.

What's inside:

· whois
· DNS
· leak search
· social media
· Shodan
· and a ton of other modules

Pros: automation, no need to manually use every tool. Cons: can take a long time to run, so-so interface.

Who needs it: for passive reconnaissance, when you don't want to be seen but want to gather maximum information.

5. Recon-ng — OSINT framework

Modeled after Metasploit. Same workspace, modules, console.

What's good about it:

· There are modules for everything from whois to social media
· Results can be exported immediately
· Automation via scripts

Example:

```
marketplace install all
workspaces create example
modules load recon/domains-hosts/google_site_web
options set SOURCE example.com
run
```

Pros: Flexible, you can add your own modules. Cons: Requires some familiarity, console isn't for everyone.

Who needs it: Anyone who wants to get serious about OSINT and automate data collection.

6. Google Dorking — Advanced Search

Google knows more than you think. You just have to know how to ask.

Basic operators:

· site: — search only a specific site
· filetype: — search for files of a certain type (pdf, doc, xls)
· intitle: — search by page title
· inurl: — search by URL
· cache: — show a saved version of the page

Example:

```
site:example.com filetype:pdf
```

Finds all PDFs on the site.

Another example:

```
inurl:wp-config.php
```

Shows sites where WordPress configuration is exposed (usually a vulnerability).

Pros: Free, everyone has Google. Cons: Google starts blocking queries if you run too many in a short time.

Who needs it: Anyone who knows how to Google. This is the foundation.

7. Have I Been Pwned — leak checker

A service that shows whether an email address has been in leaked databases.

What it does:

· Enter an email address
· Get a list of leaks where it was found

API: You can check whole lists of addresses programmatically.

Example:

```
# v3 requires an API key and a user-agent header; the key is a placeholder
curl -H "hibp-api-key: YOUR_API_KEY" -H "user-agent: my-audit-script" \
  "https://haveibeenpwned.com/api/v3/breachedaccount/[email protected]"
```

Pros: Simple, fast, API available. Cons: Only leaks included in the HIBP database.

Who needs it: For account security audits, checking if it's time to change passwords.
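The API use described above, as an added example (not code from the original post): a script that checks a list of your own addresses against the v3 breach endpoint, treats the 404 "not found" answer correctly and backs off on 429 rate limiting. The API key and addresses are placeholders.

```python
"""Check email addresses against the HIBP v3 breach API (added example, not
from the original post). Assumes an API key in HIBP_API_KEY; key and
addresses below are placeholders."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request
API = "https://haveibeenpwned.com/api/v3/breachedaccount/"

def parse_breach_response(status, body):
    """Map status + JSON body to a sorted list of breach names.
    HIBP answers 404 for "not in any known breach", not an empty list."""
    if status == 404:
        return []
    if status == 200:
        return sorted(item["Name"] for item in json.loads(body))
    raise RuntimeError(f"unexpected HIBP status {status}")

def fetch(address, api_key):
    """One request; returns (status, body or retry-after) without raising on 4xx."""
    url = API + urllib.parse.quote(address) + "?truncateResponse=true"
    req = urllib.request.Request(url, headers={
        "hibp-api-key": api_key,             # v3 rejects requests without a key
        "user-agent": "exposure-audit/1.0",  # v3 also requires a user-agent
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("retry-after", "")

def check_addresses(addresses, api_key, fetcher=fetch, delay=1.6):
    """Query each address, honouring the rate limit (429 + retry-after).
    `fetcher` is injectable so the logic can be exercised offline."""
    results = {}
    for address in addresses:
        status, body = fetcher(address, api_key)
        while status == 429:  # rate limited: wait as told, then retry
            time.sleep(float(body or delay))
            status, body = fetcher(address, api_key)
        results[address] = parse_breach_response(status, body)
        time.sleep(delay)
    return results

if __name__ == "__main__":
    key = os.environ.get("HIBP_API_KEY", "YOUR_API_KEY")  # placeholder
    for addr, hits in check_addresses(["user@example.com"], key).items():
        print(addr, "->", ", ".join(hits) or "no known breaches")
```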

Typical OSINT workflow

1. Target — what we're looking for (domain, name, nickname, email).
2. Passive collection — theHarvester, SpiderFoot, Google dorks.
3. Link analysis — Maltego, Recon-ng.
4. Infrastructure inspection — Shodan, DNS queries.
5. Leaks — HIBP, database search.
6. Structuring — write everything down in a spreadsheet, build connections, look for repetitions.
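Step 6 in code, as an added example (not from the original post): merge what the earlier steps produced, normalise the entities, build the connections, and surface the ones several tools reported independently. The FINDINGS list is constructed sample data standing in for theHarvester, whois, Shodan and HIBP output.

```python
"""Workflow step 6: merge tool output and look for repetitions (added example,
not from the original post). FINDINGS is constructed sample data standing in
for what theHarvester, whois, Shodan and HIBP would return."""
from collections import defaultdict

# (source tool, entity kind, value, related entity or None) -- constructed
FINDINGS = [
    ("theHarvester", "email", "Admin@example.com", "example.com"),
    ("theHarvester", "email", "dev@example.com", "example.com"),
    ("theHarvester", "host", "mail.example.com", "example.com"),
    ("whois", "email", "admin@example.com", "example.com"),
    ("whois", "email", "admin@example.com", "example.net"),
    ("shodan", "host", "mail.example.com", "203.0.113.10"),
    ("hibp", "email", "dev@example.com", "SomeBreach"),
]

def normalise(kind, value):
    """Emails and hosts are case-insensitive; normalise so repeats line up."""
    return value.lower() if kind in ("email", "host") else value

def build_graph(findings):
    """Return (tools that reported each entity, adjacency between entities)."""
    sources = defaultdict(set)
    links = defaultdict(set)
    for tool, kind, value, related in findings:
        node = normalise(kind, value)
        sources[node].add(tool)
        neighbours = [related.lower()] if related else []
        if kind == "email":  # an address implicitly links to its own domain
            neighbours.append(node.split("@", 1)[1])
        for other in neighbours:
            links[node].add(other)
            links[other].add(node)
    return sources, links

def pivots(findings, min_sources=2):
    """Entities reported by at least `min_sources` tools, most-repeated first.
    These are the pivot points worth following up; the rest is noise."""
    sources, _ = build_graph(findings)
    hits = [(n, sorted(s)) for n, s in sources.items() if len(s) >= min_sources]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))

if __name__ == "__main__":
    for node, tools in pivots(FINDINGS):
        print(f"{node}: reported by {', '.join(tools)}")
```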

Summary

OSINT isn't magic, but a methodical review of sources. At first, it seems like there's a ton of information and it's unclear what to do with it. Then you get used to it and start seeing connections that aren't immediately obvious.

These seven tools are a good place to start. They cover 80% of the tasks: searching for email addresses, domains, devices, leaks, and connections. The rest is tailored to the specific purpose.

The main thing is to keep a low profile and always remember that collecting information without permission can be illegal. This isn't a game.