OSINT Cheatsheet
Quick reference for Open Source Intelligence gathering, reconnaissance, and information discovery.
Search Engine Operators
Google Dorking
| Operator | Description | Example |
| --- | --- | --- |
| site: | Search within site | site:example.com |
| filetype: | Find file types | filetype:pdf |
| intitle: | Search in title | intitle:"index of" |
| inurl: | Search in URL | inurl:admin |
| intext: | Search in body | intext:password |
| cache: | Cached version | cache:example.com |
| "..." | Exact match | "admin login" |
| * | Wildcard | "admin * password" |
| - | Exclude | site:example.com -www |
| OR | Either term | admin OR login |
| .. | Number range | $100..$500 |
Useful Dorks
# Find exposed directories
intitle:"index of" "parent directory"
# Find login pages
inurl:login OR inurl:admin OR inurl:portal
# Find exposed files
site:example.com filetype:pdf OR filetype:doc OR filetype:xls
# Find config files
filetype:env OR filetype:cfg OR filetype:conf
# Find backup files
filetype:bak OR filetype:old OR filetype:backup
# Find exposed databases
filetype:sql "insert into" OR "create table"
# Find credentials
intext:password filetype:log
"username" "password" filetype:csv
# Find vulnerable pages
inurl:php?id=
inurl:index.php?id=
Other Search Engines
- Bing: Similar operators, sometimes different results
- DuckDuckGo: Privacy-focused, supports site:, filetype:
- Yandex: Better for Russian/Eastern European content
- Baidu: Chinese content
Domain & Website OSINT
DNS & Whois
# Whois lookup
whois example.com
# DNS records
dig example.com ANY
dig example.com MX
dig example.com TXT
nslookup -type=any example.com
# Zone transfer (if allowed)
dig axfr @ns1.example.com example.com
Online Tools
| Tool | URL | Purpose |
| --- | --- | --- |
| ViewDNS | viewdns.info | DNS, IP, whois |
| SecurityTrails | securitytrails.com | Historical DNS |
| DNSDumpster | dnsdumpster.com | DNS recon |
| crt.sh | crt.sh | Certificate transparency |
| Shodan | shodan.io | Internet-connected devices |
| Censys | censys.io | Similar to Shodan |
| BuiltWith | builtwith.com | Technology profiler |
| Wappalyzer | wappalyzer.com | Tech detection |
| Wayback Machine | web.archive.org | Historical snapshots |
Subdomain Enumeration
# Amass
amass enum -d example.com
# Subfinder
subfinder -d example.com
# Sublist3r
sublist3r -d example.com
# Certificate transparency
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u
# DNS brute force
gobuster dns -d example.com -w wordlist.txt
Technology Detection
# Whatweb
whatweb example.com
# Wappalyzer CLI
wappalyzer https://example.com
Email OSINT
Email Verification
| Tool | URL |
| --- | --- |
| Hunter.io | hunter.io |
| EmailHippo | emailhippo.com |
| Verify Email | verify-email.org |
| Email-Checker | email-checker.net |
Email Discovery
# theHarvester
theHarvester -d example.com -b all
# Hunter.io API
curl "https://api.hunter.io/v2/domain-search?domain=example.com&api_key=YOUR_KEY"
| Tool | URL |
| --- | --- |
| MXToolbox | mxtoolbox.com/EmailHeaders.aspx |
| Google Admin Toolbox | toolbox.googleapps.com/apps/messageheader |
Username & People OSINT
Username Search
| Tool | URL | Purpose |
| --- | --- | --- |
| Namechk | namechk.com | Username availability |
| WhatsMyName | whatsmyname.app | Cross-platform search |
| Sherlock | github.com/sherlock-project | CLI username search |
| Maigret | github.com/soxoj/maigret | Sherlock alternative |
# Sherlock
python3 sherlock username
# Maigret
maigret username
People Search
| Tool | Purpose |
| --- | --- |
| Pipl | People search engine |
| Spokeo | US people search |
| BeenVerified | Background checks |
| ThatsThem | Free people search |
| TruePeopleSearch | Free US lookup |
| Webmii | Aggregated web presence |
Social Media
| Platform | OSINT Approach |
| --- | --- |
| LinkedIn | Company employees, roles, connections |
| Twitter/X | Public posts, followers, connections |
| Facebook | Public profiles, photos, check-ins |
| Instagram | Photos, locations, stories |
| GitHub | Code, email in commits, contributions |
Image OSINT
Reverse Image Search
| Tool | URL |
| --- | --- |
| Google Images | images.google.com |
| TinEye | tineye.com |
| Yandex Images | yandex.com/images |
| Bing Images | bing.com/images |
# ExifTool
exiftool image.jpg
# View GPS coordinates
exiftool -gpslatitude -gpslongitude image.jpg
# Remove metadata
exiftool -all= image.jpg
Geolocation
| Tool | URL |
| --- | --- |
| GeoGuessr | geoguessr.com |
| Google Earth | earth.google.com |
| Mapillary | mapillary.com |
| SunCalc | suncalc.org |
Password & Breach OSINT
Breach Databases
| Tool | URL | Notes |
| --- | --- | --- |
| Have I Been Pwned | haveibeenpwned.com | Check if email breached |
| DeHashed | dehashed.com | Paid breach search |
| LeakCheck | leakcheck.io | Email/username search |
| IntelX | intelx.io | Multiple data types |
| Snusbase | snusbase.com | Breach database |
Password Policy Discovery
# Check password policies in AD
crackmapexec smb target -u user -p pass --pass-pol
Business & Company OSINT
Company Information
| Tool | URL | Purpose |
| --- | --- | --- |
| OpenCorporates | opencorporates.com | Global company database |
| Crunchbase | crunchbase.com | Startup/company info |
| LinkedIn | linkedin.com | Employees, structure |
| SEC EDGAR | sec.gov/edgar | US public filings |
| Companies House | companieshouse.gov.uk | UK company data |
Financial
| Tool | URL |
| --- | --- |
| Bloomberg | bloomberg.com |
| Yahoo Finance | finance.yahoo.com |
| Google Finance | google.com/finance |
Network & Infrastructure OSINT
Shodan
# CLI
shodan search "hostname:example.com"
shodan host 1.2.3.4
# Common queries
org:"Target Company"
hostname:example.com
port:22
product:Apache
ssl.cert.subject.cn:example.com
Censys
# Search syntax
services.http.response.html_title:"Example"
ip:1.2.3.4
autonomous_system.name:"Example ISP"
BGP & ASN
| Tool | URL |
| --- | --- |
| BGP.he.net | bgp.he.net |
| ASN Lookup | asnlookup.com |
| BGPView | bgpview.io |
Wireless OSINT
| Tool | URL | Purpose |
| --- | --- | --- |
| Wigle | wigle.net | WiFi network database |
| WifiMap | wifimap.io | WiFi passwords |
OSINT Tools - CLI
theHarvester
# All sources
theHarvester -d example.com -b all
# Specific sources
theHarvester -d example.com -b google,linkedin,twitter
Recon-ng
# Start
recon-ng
# Install modules
marketplace search
marketplace install all
# Set workspace
workspaces create example
db insert domains
domains add example.com
# Run modules
modules load recon/domains-hosts/hackertarget
run
SpiderFoot
# Run scan
spiderfoot -s example.com -o output.html
Maltego
- GUI-based relationship mapping
- Entity transformations
- Visualize connections
OSINT Workflow
1. Define scope and objectives
↓
2. Passive reconnaissance
- Search engines
- Social media
- Public records
↓
3. Domain/Infrastructure
- DNS, Whois
- Subdomains
- Technology stack
↓
4. People/Organization
- Employees
- Email addresses
- Usernames
↓
5. Breach data
- Exposed credentials
- Data leaks
↓
6. Document findings
- Organize data
- Create report
Sock Puppets
Creating Fake Identities
- Use AI-generated photos (thispersondoesnotexist.com)
- Create dedicated email (ProtonMail)
- Use VPN/Tor
- Build history over time
- Keep consistent persona
Operational Security
- Separate browser/profile
- No real personal info
- Different IP addresses
- Avoid linking accounts
Resources
Websites
Books
- "Open Source Intelligence Techniques" by Michael Bazzell
- "The OSINT Handbook" by Dale Meredith
Training