What is OSINT?
OSINT (Open Source Intelligence) refers to the process of collecting and analyzing publicly available information to produce actionable intelligence. In cybersecurity and ethical hacking, OSINT is crucial during the reconnaissance phase to understand the target's digital footprint without directly interacting with it.
🛠️ Categories of OSINT Tools
1. Email & People Search
- Hunter.io: Find email patterns and employee emails
- Have I Been Pwned: Check if an email was part of a data breach
- IntelX: Deep web and public data archive search
2. Domain & DNS Intelligence
- SecurityTrails: DNS records, subdomains, WHOIS, historical data
- DNSDumpster: DNS mapping and infrastructure visualization
- crt.sh: Certificate transparency log search (find subdomains)
3. Social Media & Image Analysis
- Social-Searcher: Live monitoring of keywords and profiles
- ExifTool: Extract metadata from images (GPS, device info)
- FOCA: Extract metadata from documents (DOCX, PDF)
4. Automated Frameworks
- theHarvester: Collect emails, subdomains, hosts from search engines and public sources
- SpiderFoot: Fully automated OSINT scanner with over 200 modules
- Recon-ng: Modular recon framework with a Metasploit-style workflow
📌 Step-by-Step Example: Using theHarvester
Goal: Collect emails and subdomains related to example.com
theHarvester -d example.com -b all
Explanation: This command will query multiple sources (Google, Bing, etc.) and return:
- Discovered email addresses
- Known subdomains
- Public IPs and hosts
🌐 Real-World Use Case: Subdomain Enumeration via crt.sh
To discover subdomains of a target domain using certificate transparency logs:
https://crt.sh/?q=%25.example.com
This reveals the SSL certificates logged for example.com and its subdomains (%25 is the URL-encoded wildcard %), including certificates that have since expired, so some names may no longer resolve. This data helps in mapping attack surfaces.
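The same crt.sh query can be consumed programmatically, shown here as an added example that is not part of the original page: crt.sh returns the results as JSON when &output=json is appended, and the script deduplicates the names, drops Subject Alternative Names that belong to unrelated domains, keeps wildcards apart, and records the issuing CA so a defender can spot certificates issued outside the organisation's approved CAs. The function names parse_crtsh and fetch_crtsh and the sample records are assumptions made for this example.

```python
"""crt.sh JSON results -> deduplicated in-scope subdomain list.

Added example, not from the original page. Assumes crt.sh's JSON mode
(the page's query plus &output=json), where "name_value" holds the
certificate's subject names separated by newlines.
"""
import json
import urllib.request
from urllib.parse import quote


def parse_crtsh(json_text: str, domain: str) -> dict:
    """Normalise crt.sh records into unique hostnames under `domain`."""
    domain = domain.lower().strip(".")
    hosts, wildcards, issuers = set(), set(), {}
    for record in json.loads(json_text):
        issuer = record.get("issuer_name", "unknown")
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            # Multi-SAN certs can carry names from unrelated domains: drop them.
            if not name or (name != domain and not name.endswith("." + domain)):
                continue
            issuers.setdefault(name, set()).add(issuer)
            if name.startswith("*."):
                # A wildcard proves nothing about hosts beneath it; keep it apart.
                wildcards.add(name)
                name = name[2:]  # the base label itself is a real name
            hosts.add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards),
            "issuers": {n: sorted(s) for n, s in issuers.items()}}


def fetch_crtsh(domain: str, timeout: int = 30) -> str:
    """Run the page's %.example.com query against the live service, as JSON."""
    url = "https://crt.sh/?q=" + quote("%." + domain) + "&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "ct-footprint-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample in crt.sh's JSON shape (not real query output).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.staging.example.com\nstaging.example.com\ncdn-example.net"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "VPN.Example.COM."},
])

if __name__ == "__main__":
    print(json.dumps(parse_crtsh(SAMPLE_CRTSH_JSON, "example.com"), indent=2))
```

Replace SAMPLE_CRTSH_JSON with fetch_crtsh("example.com") to run it against the live service; the live result will also contain expired certificates, so verify each name with DNS before treating it as a current host.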
💡 Practical Tips
- Always start with passive tools to avoid detection
- Cross-reference data from multiple tools for accuracy
- Document timestamps, sources, and findings for your report
- Use VPNs or Tor when working with sensitive investigations