The Best 5 OSINT Tools with Usage Examples

Hello learners, in this article we will learn how to use different OSINT tools to find some very interesting information that is publicly available on the internet. OSINT has become more relevant than ever because of the internet and social media, so with that in mind, let's get started!

 

What is OSINT?

OSINT, aka Open Source Intelligence, is the data and information retrieved from all kinds of public sources: social media, search engines, domains, DNS names, emails, journals, newspapers and more. All these resources are scanned for information that an ethical hacker or a threat hunter can use, depending on the requirements.


Governments and political parties have long used newspapers and television broadcasts to track military, political and economic activities. But the rise of the internet, social media and modern industry has made vast amounts of information publicly available, so OSINT is now more crucial than ever.

 

How does OSINT work?

There is no single predefined method for how OSINT works, because there are many OSINT tools available that serve different purposes. Think of the process like this: anything you can obtain over the internet or from traditional media can be used for OSINT, and one of the easiest ways to gather information is using Google Dorks.

Let's take an example:

Suppose an organisation has a GitHub/Bitbucket repository and a team of 6 working on a Ruby on Rails application. You can navigate to GitHub, find their repository, see who is working on which part of the application, and then use those names to find their social media accounts, emails etc.

The information you will get from proper OSINT ranges over:

  • Domains
  • DNS Names
  • Emails
  • Links between people 
  • Documents 
  • Affiliations
  • Social media handles
  • IP addresses
  • Geo location
  • Organisations

 

Legal effects of OSINT

It all depends on the country you live in and the purpose you are using OSINT for. OSINT is legal in the US and UK, but you still need to follow a clearly defined framework so that you don't cause any legal complications.


Example: if you are performing OSINT at an organisation's request, then it is perfectly legal, but if you are stalking your ex or any other person, then it is outright illegal.

 

Top 5 OSINT Tools 

We will cover the following top 5 OSINT Tools in this tutorial:

  1. Maltego
  2. Shodan
  3. Google Dorks
  4. Recon-ng
  5. Harvester

 

1. Maltego 

Maltego can be called the best tool available for OSINT because it gathers information from many kinds of sources and presents it in graphs and visuals for easier review. The graphs contain information such as emails, organisations, domains, name servers and a lot more. Maltego is written in Java, so it is available on Windows, Mac and Linux, and it ships in many hacking distros like Kali Linux and Parrot OS.

Installation 

For Ubuntu / Debian 

wget https://maltego-downloads.s3.us-east-2.amazonaws.com/linux/Maltego.v4.2.19.13940.linux.zip
unzip Maltego.v4.2.19.13940.linux.zip
cd bin
./maltego

For Mac OS

brew install maltego

For Kali Linux 

sudo apt install maltego

Maltego Usage

1. Open Maltego and click on New --> Create new Graph.

2. After that, all you have to do is select an Entity from the Entity Palette on the left side.

3. Let's check what happens if we select Domain. Select Domain and drag it onto the graph.

4. Click on the default domain (the white one) and replace it with your domain.

5. Now right-click on the domain in the graph, select All Transforms and click Run.

6. You will be able to see all the related domains, documents, name servers and a lot of other information.

You can do the same for all the other entities and obtain a lot of the information you need from Maltego.

 

2. Shodan 

Shodan can basically be called a deep search engine: just as we use Google dorks, Shodan has its own dorks, which we can use to find CCTV cameras, printers, databases, FTP servers, open ports, vulnerable instances and more. Shodan is a must-use tool when you are looking at scale for CVEs and vulnerable instances.

There is no application to download for Shodan. You can directly visit their website, create an account and start using it. You can also buy a plan for better features like a higher number of requests, API access, network monitoring etc.

 

Examples of Shodan dorks 

1. country:DE

2. country:US port:22

3. os:"windows 7"

4. country:US x-jenkins 200

5. title:"citrix gateway"

 

3. Google Dorks

Search engines like Google and Bing make finding information easy and simple, particularly if we want to shop, find an address or look for a job. However, you can use these search engines in a more advanced way by making use of search operators.

There are various kinds of operators available :

  • inurl:
  • intitle:
  • intext:
  • site:
  • cache:
  • filetype:
  • |
  • -
  • OR
  • AND

We can make use of these operators to filter out any information we need from Google or Bing. 

Let's see some examples of how we can use Google dorks to find information!

Dork: Deepak Prasad site:twitter.com

Dork: inurl:security intext:vulnerability

Dork: site:edmodo.com

Dork: site:*.at responsible disclosure
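The Shodan dorks above and these Google dorks share the same `field:value` grammar. As an added example (not code from the original article), here is a small offline matcher in Python that parses that grammar, including quoted values and the `-` exclusion operator, and applies it to constructed sample banner and page records, so you can reproduce how each dork on this page selects results on data you already hold, such as an export of your own organisation's Shodan results; OR and | are not handled, every term is ANDed.

```python
import re
from fnmatch import fnmatch

# Tokens look like [-]key:value, key:"quoted value", or a bare word (free text).
TOKEN_RE = re.compile(r'(-?)(?:(\w+):)?("([^"]*)"|(\S+))')
FIELD_ALIASES = {"inurl": "url", "intitle": "title", "intext": "text"}  # Google operator -> record key

def parse_dork(query):
    """Split a dork into (required filters, negated filters, free-text words), lower-cased."""
    filters, negated, free = {}, {}, []
    for neg, key, _, quoted, bare in TOKEN_RE.findall(query):
        value = (quoted or bare).lower()
        if key:
            (negated if neg else filters).setdefault(key.lower(), []).append(value)
        else:
            free.append(value)
    return filters, negated, free

def field_matches(key, wanted, record):
    """site: allows wildcards and subdomains, port: is exact, anything else is a substring test."""
    actual = str(record.get(FIELD_ALIASES.get(key, key), "")).lower()
    if key == "site":
        return fnmatch(actual, wanted) or actual.endswith("." + wanted)
    if key == "port":
        return actual == wanted
    return wanted in actual

def match_dork(query, record):
    """All filters and free words must hit; a single negated filter hit rejects the record."""
    filters, negated, free = parse_dork(query)
    if any(not field_matches(k, v, record) for k, vs in filters.items() for v in vs):
        return False
    if any(field_matches(k, v, record) for k, vs in negated.items() for v in vs):
        return False
    haystack = " ".join(str(v) for v in record.values()).lower()
    return all(word in haystack for word in free)

def search(query, records):
    return [r for r in records if match_dork(query, r)]

# Constructed sample data (not real hosts or pages): Shodan-style banners and Google-style pages.
SHODAN_SAMPLE = [
    {"ip": "203.0.113.10", "country": "US", "port": 22, "os": "", "title": "", "data": "SSH-2.0-OpenSSH_8.2"},
    {"ip": "203.0.113.11", "country": "US", "port": 8080, "os": "", "title": "Dashboard [Jenkins]", "data": "HTTP/1.1 200 OK X-Jenkins: 2.303"},
    {"ip": "198.51.100.5", "country": "DE", "port": 445, "os": "Windows 7", "title": "", "data": "SMB"},
    {"ip": "198.51.100.6", "country": "US", "port": 443, "os": "", "title": "Citrix Gateway", "data": "HTTP/1.1 200 OK"},
]
GOOGLE_SAMPLE = [
    {"site": "security.example.at", "url": "https://security.example.at/responsible-disclosure", "title": "Responsible disclosure policy", "text": "How to report a vulnerability"},
    {"site": "twitter.com", "url": "https://twitter.com/example_user", "title": "Example User (@example_user)", "text": "Security researcher"},
]
```

Calling `search("country:US port:22", SHODAN_SAMPLE)` returns only the SSH banner, while `search("site:*.at responsible disclosure", GOOGLE_SAMPLE)` returns only the .at disclosure page.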

 

4. Recon-ng

Recon-ng is one of the easiest tools to use for OSINT. If you have ever used Metasploit, you will find the syntax and interface very similar. Recon-ng has built-in modules through which we can find information like social media handles, email addresses, domains, files etc. You can also write your own modules and use them if you want to.

Recon-ng can also be used as a recon tool during web penetration testing, so it can be called an ultimate tool for web pentesters' recon and OSINT. You can create your own workspaces in Recon-ng too. All recon or OSINT results are stored by inserting values into the DB schema.

There are multiple tables in the Recon-ng database:

 companies|contacts|credentials|domains|hosts|leaks|locations|netblocks|ports|profiles|pushpins|repositories|vulnerabilities

 

Installation 

Ubuntu/Debian 

git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip3 install -r REQUIREMENTS
./recon-ng

For Mac OS

brew install recon-ng

For Kali 

Recon-ng is installed by default, but if it's not, you can install it with this command:

sudo apt install recon-ng

 

Recon-ng Usage

Before we start using Recon-ng, we have to run a few setup commands at the recon-ng prompt:

marketplace install all ---> Install all the modules
workspaces create Osint ---> Create a workspace for us
db schema ---> Check the database schema
db insert domains ---> Use this command and enter your domain when prompted

Only after you execute these 4 commands can you start using Recon-ng.

Search for installed modules:

modules search hack

Load the module you found:

modules load recon/domains-hosts/hackertarget

Set the SOURCE option to default so the module uses the domains inserted into the DB schema:

options set SOURCE default

Last and final, use the run command and you will be able to find lots of subdomains. There are various modules installed in Recon-ng; you can always load them, set the options for each module and run them according to your needs.

 

5. Harvester 

theHarvester is an open source tool written in Python that is very easy to use and configure. It can be used to find domains, email addresses, IPs, employee names, open ports etc. It grabs information from many sources like Google, Bing, Anubis, Censys, Shodan and 15 more.

 

Installation

You can install theHarvester on Linux using the following commands (from a clone it is run as python3 theHarvester.py):

git clone https://github.com/laramies/theHarvester
cd theHarvester
pip3 install -r requirements.txt
python3 theHarvester.py -h

For Mac OS

brew install theharvester

For Kali 

If you are running a recent Kali version then it is already installed; if not, you can always run the following command:

sudo apt install theharvester

 

Harvester Usage

Search for email addresses and hosts of example.com using Google as the data source:

theHarvester -d example.com -b google

Limit the number of results with the -l option:

theHarvester -d example.com -l 400 -b google

Save the result to an HTML file by using the -f option:

theHarvester -d example.com -b google -f results.html

 

Bonus Tips

Check out TinEye if you want to find data using an image, because it can reverse-search the image for you and find details about it. If you want to find some source code of a particular organisation, you can use Searchcode, because it indexes code from GitHub, Bitbucket, GitLab, Google Code and more.

 

Conclusion

In this article, we have learnt what OSINT actually is and how we can use 5 different OSINT tools to find information ranging from email addresses to CCTV cameras. If you are just getting started in ethical hacking, then please check out the other articles on our website. Please let us know if you encounter any issues in the comments below.

 

 
