Open Source Intelligence(OSINT)

Open-source Intelligence(OSINT) is the first step when it comes to red teaming. In this post, I will provide some reference and technique that is commonly used by penetration tester and red teamer for passive information gathering.

Search Engine OSINT

Search engines like Google is a powerful tool to find most of the publicly available information.

sitesite:microsoft.comDisplay those results if the body has CISO
cachecache:microsoft.comDisplay cached version
intitleintitle:”Admin Login”Display Result that has this keyword
inurlinurl:index.phpDisplay the result if the URL has index.hp
intextintext:”CISO”Exclude the keyword from the search result. Useful for subdomain
filetypefiletype:txt inurl:passwordFind the specified file type.
-(Operator) -wwwExclude keyword from the search result. Useful for subdomain

General Search Engines List

Privacy Oriented

These search engine usually does not store your search history and does not track you.

Image Search

Have an image? It could be something. Search more about that image!

Video Search

People OSINT

Here peoples mean, employees, and relative peoples of the target. To gather information about peoples the best source is LinkedIn and Facebook. You should try Other social media sites too!

General People Search

Social Media




Go To the Company profile and get the list of all employees. There are automated tools that can be used too which are mentioned below!

Username Check


Found an email address? Search for more information against that email.

Password OSINT

Search if the company domain and email have been compromised.

Archive OSINT

Check for the previous version of their website. They may have some old information that is useful for a hacker!

  • Wayback Machine
  • Clone a Site: wget --mirror --adjust-extension --page-requisites --convert-links --no-parent

Job Posting

Why look at job postings?

  • May be company revealing too much information about its infrastructure.
  • Another open way makes a social engineering attack by sending attachments.

Where to look?

  • Company website career pages.
  • Popular job posting sites such as indeed, Glassdoor, LinkedIn, etc.
  • Search on country-based job posting sites.

Meta Files

When a file is created, automatically some information is stored as metadata, Such as Creation date, Location, Username, Information about Software, and its version.

exiftool -v -f hello.pdf/doc/png
strings hello.png

Supporting OSINT Tools

Automated tools speed up the OSINT process. There is some good open-source tools built-in in Kali Linux and some tools needed to be downloaded from Github. But a hacker does not really have lots of automated tools!

Recon-ng(OSINT Framework)

Recon-ng is a reconnaissance framework.

> recon-ng
[recon-ng][default] > workspaces create osint
[recon-ng][osint] > workspaces list

| Workspaces |       Modified      |
| default    | 2022-03-17 17:57:28 |
| osint      | 2022-03-19 05:24:22 |
[recon-ng][default] > marketplace search recon

[recon-ng][default] > marketplace install recon/domains-hosts/netcraft
[*] Module installed: recon/domains-hosts/netcraft
[*] Reloading modules...
[recon-ng][default] > marketplace
Interfaces with the module marketplace

Usage: marketplace <info|install|refresh|remove|search> [...]

[recon-ng][default] > modules
Interfaces with installed modules

Usage: modules <load|reload|search> [...]

[recon-ng][default] > marketplace install recon/domains-contacts/whois_pocs
[*] Module installed: recon/domains-contacts/whois_pocs
[*] Reloading modules...

[recon-ng][default] > modules load recon/domains-contacts/whois_pocs

[recon-ng][default][whois_pocs] > back

[recon-ng][default] > marketplace install ghdb
[*] Module installed: recon/domains-vulnerabilities/ghdb
[*] Reloading modules...

[recon-ng][default] > modules load recon/domains-vulnerabilities/ghdb
[recon-ng][default][ghdb] > info recon/domains-vulnerabilities/ghdb
[recon-ng][default][ghdb] > options set GHDB_WEB_SERVER_DETECTION true

[recon-ng][default][ghdb] > run

[*] Searching Google for: intitle:"Apache HTTP Server" intitle:"documentation"
[*] Category: Google Dork
[*] Example:
[*] Host:
[*] Notes: None
[*] Publish_Date: None
[*] Reference: intitle:"Apache HTTP Server" intitle:"documentation"
[*] Status: None
[*] --------------------------------------------------
[*] Category: Google Dork
[*] Example:
[*] Host:
[*] Notes: None
[*] Publish_Date: None
[*] Reference: intitle:"Apache HTTP Server" intitle:"documentation"
[*] Status: None
[*] --------------------------------------------------

[recon-ng][default][ghdb] > show hosts

theHarvester(Find Email, Names, etc)

Gathers emails, names, subdomains, IPs, and URLs from public sources.

theHarvester -d -b all

Some public sources require an API key. In kali Linux the api-keys config file is located at /etc/theHarvester/api-keys.yaml

Metagoofil(Find Meta File)

Search for meta files.

proxychains4 metagoofil -d -f -t pdf,doc,xls


exiftool -r *.doc | egrep -i "Author|Creator|Email|Producer|Template" | sort -u

Spiderfoot(Automated OSINT)

Opensource OSINT automation tools

Start the web server:

spiderfoot -l

Datasploit/Foca(OSINT Automation)


Datasploit is another OSINT automation tool

More details on HackerTarget


And Foca is a windows OSINT tool to analyze metadata

Download: From Github

Amass(DNS Enumeration)

An information-gathering tool from owasp

amass enum -d -ip -dir microsoft -src
amass intel -d, -ip -list

Email2phonenumber(Email to Phone Number)

If we have an email address, we can try to find the phone number

git clone

#Scrape websites for phone number digits

email2phonenumber scrape -e [email protected]

#Generate a dictionary of valid phone numbers based on a phone number mask

python3 generate -m 555XXX1234 -o /tmp/dic.txt

#Find target's phone number by resetting passwords on websites that do not alert the target using a phone number mask and proxies to avoid captchas and other abuse protections

email2phonenumber bruteforce -m 555XXX1234 -e [email protected] -p /tmp/proxies.txt -q

Tutorial: Youtube

CrossLinked & InSpy(Find Employee from Linkedin)

Find employees on LinkedIn and create a possible email addresses.



git clone
cd crosslinked
pip3 install -r requirements.txt


python3 -f '{first}.{last}' company_name
python3 -f 'domain\{f}{last}' -t 45 -j 1 company_name


Note: This tool coded in Python2


git clone
cd InSpy
pip install -r requirements.txt
python2 --domain --email [email protected]


Maltego is a good OSINT tool but unfortunately, It is not free, and the price is also not for everyone.

More details on their website!

Sherlock(Find social media username)

Sherlock is an open-source tool to find one or multiple usernames from dozens of social media sites.

> sherlock redtm
> sherlock redtm redtm1 redtm2

Another Wonderful OSINT Framework