The focus of this section is to provide helpful resources for OSINT and Passive reconnaissance on a given target. There will be certain tools and sites you might be familiar with that could be applicable in this section, that I have omitted and with good reason.
1.
This section is "Passive" recon, which does not entail touching or interacting with your target in any way. For offensive operations, staying off radar is key. But can we check with other sources that may have already scanned out target? You bet.
2.
There are many research tools that provide similar output to the ones listed in the later sections. The ones that I have specifically omitted (and will document in another section) are tailored more to defensive operations and contain information like reputation data and historical activity.
OSINT Resources
OSINT Guides and Methodology
Specific for what you need to look for and how to find it, during the passive recon phase of a penetration test, or the proper way to OSINT.
βIntelTechniques - One of the best resources for OSINT has been Michael Bazzell's OSINT book and his website. I highly recommend you order his book. The HTML search tools I reference here come from his collection, available on his website for free. He also runs the Privacy and Security Podcast which is a highly recommended resource for both OSINT techniques and personal privacy.
βhttps://ohshint.gitbook.io/ - One of the most detailed OSINT resources available. Chocked full of search tools.
βSecurity Sift - This write up is a great guide to Passive recon when preparing for a penetration test. For building up your own workflow, start with this.
βPen Test Standard - Great guides for every step of a penetration test, but the recon section is especially useful as a reference here.
βVerification handbook - Designed for journalists but still quite useful, the Verification handbook provides a wealth of resources on investigative procedure.
βOsintion - OSINT and Social Engineering master Joe Grey's website. Resources, OSINT Courses, and consultation services.
βOSINT Dojo - A project that provides those new to OSINT a number of free resources and simple challenges that build on one another to provide a simple road map for learning more about the field and polishing up related skills while also earning badges to show off your hard work.
βBellingcat's OSINT How-To - Bellingcat is a collective of researchers and journalists that use OSINT tools and techniques for a variety of purposes and that have come together to share thier latest and greatest tools and techniques. They have a slow of guides for researching specific things with OSINT.
βAware-Online - Aware Online is a Netherlands based training institute specialized in providing training in the field of Open Source intelligence (OSINT) and Social Media Intelligence (SOCMINT).
βhttps://exposingtheinvisible.org/ - Exposing the Invisible is a project of Tactical Tech, an international NGO that engages with citizens and civil-society organizations to explore and mitigate the impacts of technology on society.
There are a few interesting organizations out there that take OSINT researchers and have them help with certain public good tasks like finding missing children or stopping pedophiles. It can be a heavy ask but can really do some good in the world with the skills that we have. Please check out and If you can donate some time to help, please do!
βosrframework - This package contains a set of libraries developed by i3visio to perform Open Source Intelligence tasks. They include references to a bunch of different applications related to username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction and many others.
βScrummage β Ultimate OSINT and Threat Hunting Framework
βMr.Holmes β osint toolkit for gathering information about domains, phone numbers and social media accounts