Open Source Intelligence (OSINT) has been getting some air time lately. It is nothing new – but now we have a label. Below is a collection of tools/services/websites I think are awesome for OSINT (which is essential for any target discovery or spear phishing attack)


Passive Recon (FireFox)
Great little FireFox plugin that directs you to online services for passive recon and intelligence gathering. This includes a large RANGE of OSINT related services – so I do not include them below.

Created by Paterva. An epic framework for finding, organising and sorting information on targets. (Can use a wide variety of transforms for target websites/social networks – or make your own)

One of my favorites. Shodan is a website which is constantly scouring the internet grabbing banners for services. You can find A LOT of exposed systems and devices using Shodan. This is passive and the work is already done for you. You can use granular search functions to really pin down a target you like. (It’s even good for boredom – i.e. some of the security cameras you find online are quite humrous)

This is an awesome tool which extracts meta data from documents which you can find on the open internet. For example – if you Google Dorked for a particular company’s Excel documents online, then feed them in to MetaGoofil to harvest information (which a lot of the time is not hidden, but should be)

Google Hacking Database (Online Version). A nice skiddie version of the GHDB which allows you to perform search functions directly from the interface.

Creepy is a tool which aggregates geolocation information from various social networks. Can come in handy on OSINT missions.

WHOIS History
Not many people are aware that you can search through archived history of WHOIS information. This can come in extremely handy for tracking down information on a host or target that may have not been so careful in the past.


Leave a Reply