OSINT UNCOVERED
15 Essential Tools & How to Use Them
TABLE OF CONTENTS
🔍 What is OSINT?
Open Source Intelligence (OSINT) is the systematic collection and analysis of publicly available information to produce actionable intelligence.
Golden rule: Information is not intelligence. Raw data must be verified, correlated, and contextualized.
What qualifies as open source? Websites, social media, DNS records, Shodan, public records, archives, and leaked data (ethically handled).
📌 Where OSINT is Used
| User Group | Applications |
|---|---|
| Cybersecurity | Threat detection, attack surface mapping, red teaming |
| Law Enforcement | Criminal investigations, missing persons, suspect tracking |
| Journalism | Fact-checking, war crimes documentation (Bellingcat) |
| Corporate Security | Due diligence, third-party risk, brand protection |
| Financial/AML | Fraud detection, shell company identification |
Advanced search operators that expose invisible data – login panels, config files, exposed documents, and databases.
📘 How to Use:
- Core operators:
site:,intitle:,inurl:,filetype:,"exact phrase",cache: - Example:
site:nasa.gov filetype:pdf "confidential" - Find webcams:
intitle:"Live View / - AXIS" - Exposed Git repos:
intitle:index.of .git - AWS keys:
filetype:pem intext:PRIVATE KEY
| Use Case | Application |
|---|---|
| Penetration Testing | Discover admin panels, backup files, open directories |
| Breach Assessment | Find publicly indexed database dumps |
| Competitive Intel | Uncover competitor's exposed documents |
| Personal Audit | Check your own domain exposure |
Curated OSINT resources from world‑leading investigators – geolocation, image verification, satellite imagery, and more.
📘 How to Use:
- Visit bellingcat.com/resources
- Browse categories: Geolocation, Chronolocation, Verification, People, Archives
- Click any tool – direct link + investigation tips
| Use Case | Application |
|---|---|
| War Crimes Documentation | Geolocate conflict videos via satellite imagery |
| Disinformation Debunking | Reverse image search, ELA analysis |
| Human Rights | Track forced evictions using historical imagery |
Interactive relationship graphs connecting emails, domains, people, IPs, and social media using 100+ data sources.
📘 How to Use:
- Download Maltego CE – free registration
- Install transforms from Hub (Shodan, HIBP, BuiltWith)
- Drag entity → enter target → right‑click → Run Transform
- Pivot: right‑click any new entity → run additional transforms
| Use Case | Application |
|---|---|
| Cybercrime Investigation | Link emails → social accounts → crypto wallets → infrastructure |
| Fraud Detection | Map shell companies, nominee directors |
| Attack Surface Mapping | Visualize all domains, IPs, certs related to your org |
Search engine for internet‑connected devices – webcams, routers, servers, industrial control systems.
📘 How to Use:
- Visit shodan.io – free search without account
- Use filters:
port:3389 country:JP(RDP in Japan) vuln:CVE-2021-44228(Log4j vulnerable hosts)org:"Your Company"– monitor your own assets
| Use Case | Application |
|---|---|
| Attack Surface Management | Identify unauthorized devices, forgotten servers |
| Vulnerability Prioritization | Scan for Log4j, ProxyShell on your IPs |
| Third‑Party Risk | Assess vendor security posture |
Email, subdomain & employee name harvester from public sources.
📘 How to Use:
theHarvester -d example.com -l 100 -b bing,duckduckgo,threatcrowd
| Use Case | Application |
|---|---|
| Pentest Recon | Build target list, find staging servers |
| Phishing Assessment | Discover exposed employee emails |
| Shadow IT | Uncover dev/test subdomains |
Dark web, data leak & historical WHOIS archive. Selector‑based search (email, domain, IP, bitcoin).
📘 How to Use:
- Visit intelx.io – enter email/domain/bitcoin address
- Free tier returns limited results; register for more credits
- Use advanced filters (date, media type, TLD)
| Use Case | Application |
|---|---|
| Credential Exposure | Search company email domain in breach archives |
| Dark Web Intel | Monitor paste sites without Tor |
| Historical WHOIS | Recover pre‑GDPR registration data |
Internet asset & certificate search – stronger on SSL/TLS than Shodan.
📘 How to Use:
- Visit search.censys.io
- Certificate search:
names: target.com - Find all domains sharing same certificate (phishing infrastructure)
- Host search: IP → open ports, services, history
| Use Case | Application |
|---|---|
| Phishing Investigation | Cert fingerprint → all malicious domains using same cert |
| Shadow IT | Find unauthorized subdomains with valid certs |
| Expiry Monitoring | Certificates near expiration |
Tree‑structured directory of OSINT tools by information type (username, email, domain, IP).
📘 How to Use:
- Visit osintframework.com
- Click “+” to expand categories
- Click any link → opens tool in new tab
- Icons: (T1)=free, (T2)=registration, (T3)=paid
| Use Case | Application |
|---|---|
| Investigation Planning | Start with username → see all search resources |
| Tool Discovery | Find alternatives to your usual tools |
| Training | Learn OSINT categories systematically |
Website technology stack detection – CMS, analytics, hosting, frameworks, email providers.
📘 How to Use:
- Visit builtwith.com → enter domain
- Review detailed technology profile
- Click "History" tab to see changes over time
| Use Case | Application |
|---|---|
| Vulnerability Assessment | Detect outdated software versions |
| Competitive Analysis | See what tech competitors use |
| Acquisition Due Diligence | Profile target's tech debt |
Extracts metadata (authors, usernames, paths, software) from public documents.
📘 How to Use:
metagoofil -d example.com -t pdf,doc,xls -l 30 -o docs/ -f report.html
| Use Case | Application |
|---|---|
| Credential Guessing | Extract username patterns for wordlists |
| Internal Network Mapping | Discover internal server names from document paths |
| Data Leakage | Find confidential documents exposed online |
Community threat intelligence – IoC pulses (IPs, domains, hashes, TTPs).
📘 How to Use:
- Register at otx.alienvault.com – free
- Search any indicator (IP, domain, hash)
- View associated Pulses, threat families, tags
- Subscribe to Pulses and set up alerts
| Use Case | Application |
|---|---|
| Threat Hunting | Proactively search for IoCs in your environment |
| Incident Response | Pivot on IP/hash to understand broader campaign |
| Vulnerability Prioritization | Check if CVE is actively exploited |
Automated OSINT correlation across 200+ modules. Note: Open‑source version unmaintained.
📘 How to Use (Legacy):
git clone https://github.com/smicallef/spiderfoot.git && python3 sf.py -l 127.0.0.1:5001
| Use Case | Application |
|---|---|
| Continuous Attack Surface | Periodic scans to detect new exposures |
| M&A Assessment | Quick deep‑dive on acquisition target |
| Fraud Investigation | Connect fraudulent emails/domains automatically |
Clearnet search engine for Tor hidden services (.onion). No Tor browser needed.
📘 How to Use:
- Visit ahmia.fi in any browser
- Enter keywords – use quotes for exact phrases
- Filter by time (past day, week, month)
| Use Case | Application |
|---|---|
| Data Leak Monitoring | Search your company/domain on .onion leak sites |
| Dark Web Intel | Track discussions about vulnerabilities |
| Fraud Investigation | Research counterfeit markets without Tor |
Security, SSL, hosting history, email authentication (SPF/DKIM/DMARC), phishing reputation.
📘 How to Use:
- Visit sitereport.netcraft.com → enter domain
- Review SSL, headers, hosting timeline, blocklist status
- Report malicious sites via link
| Use Case | Application |
|---|---|
| Phishing Investigation | Check SSL validity, prior abuse, registrar |
| Email Security Audit | Verify SPF/DMARC configuration |
| Brand Impersonation | Run report on typosquatted domains |
Conversational OSINT – ask in plain English: "What domains are on this IP? Show WHOIS history."
📘 How to Use:
- Request access, get API key (free credits)
- Log in to Jake AI web interface
- Type questions: "Check domain example.com and its subdomains"
- Bulk investigations (up to 10 IPs/domains)
| Use Case | Application |
|---|---|
| Rapid Pivoting | Multi‑step queries without switching tools |
| Non‑Tech Analysts | Conduct OSINT via natural language |
| Report Generation | Build infrastructure profiles conversationally |
⚖️ Legal & Ethical Boundaries
✅ Permitted
- Viewing public content
- Using official APIs (rate limits)
- Archiving public information
- Passive reconnaissance
❌ Not Permitted
- Bypassing paywalls / authentication
- Impersonation / deception
- Violating terms of service
- Active scanning without authorization
📌 Privacy regulations (GDPR, CCPA) apply. Public information does not mean unrestricted use. Always balance intelligence objectives with reasonable privacy expectations. Verify tool status – many OSS tools become stale.
Built with ❤️ for the OSINT community · Free to share with attribution
OSINT Uncovered · 15 Essential Tools · Created by RIHAM