Top 12 Open Source INTelligence (OSINT) Tools [Updated 2024]
Open Source INTelligence or simply OSINT, is a method of extracting information from the target system by using public resources available on the internet. Penetration testers and security professionals usually use OSINT methods to enhance the attack surface.
The best part of using OSINT is its anonymous nature. As this method mainly deals with open resources, the target system will not know that somebody is performing OSINT. Using OSINT methods helps to search publically available emails, usernames, passwords, private keys, sensitive files/directories, etc.
OSINT may be divided into two types: Offensive and Defensive. In Offensive OSINT, general information about the company will be gathered before the attack. While Defensive OSINT was performed to know the root cause of the attack.
OSINT Process
OSINT process may be divided into 5 steps:
| Step 1: Target Identification | The first step is to know the target and defined the scope of the target |
| Step 2: Identifying different sources for information and collecting data | The second step is to identify different tools and techniques that will be applied against the target. This step allows attackers to extract as much information against the target |
| Step 3: Filter data | The third step helps the attacker to filter data and convert it into meaningful and actionable information |
| Step 4: Analysis | The fourth step combines information from multiple sources |
| Step 5: Reporting | The fifth step is the most important step. Here, report the information to the client with risk and mitigation details |
Top 12 Open Source INTelligence (OSINT) Tools
In this article, we will cover the Top 12 OSINT tools that may be used by security professionals to gather information and increase the attack surface:
(1) Maltego
Maltego tool is pre-installed on Kali Linux. This tool is not free but provides a lot of sensitive information about the target. Maltego is a professional tool used by big companies and government organizations for linking information and connecting the dots.
(2) Recon-ng
Recon-ng is free and open-source pre-installed on Kali Linux. This tool is an awesome reconnaissance framework based on public resources.
(3) Censys
Censys is a public search engine to identify hosts and networks available on the internet based on search queries. This tool supports the below options for search results.
- IP
- IP Range
- Protocol
- website
- Industrial Control System
- and many more
(4) Shodan
Shodan is the biggest search engine for the Internet of Things (IoT) devices and helps in identifying public-facing misconfigured IoT devices. This tool is not expensive and also offers free searches to identify misconfigured IoT devices.
(5) Google Dorks
Google is the most popular search engine in the world. Google dorks, is the method of simply extracting information from the target by using different search operators. I am listing some powerful operators that can be used to refine the search:
- site: display search only for the mentioned site
- intitle: display search results if the title matches the web page
- inurl: display search if URL contains text
- intext: display search text in the body of the article
- filetype: display only specific file type
- cache: search based on old indexed content
- link: display external links to pages
- Numrange: locate specific numbers
Refer Learn 15 Google Search Tips & Tricks for Best Results
(6) theHarvester
theHarvester is pre-installed on Kali Linux. This tool helps in collecting employee details, emails, subdomains, banners, etc. of the target organization. The below command provides results by using the domain (-d), data source (-b) selected as Google, and limits the number of results (-l) to 400.
theharvester -d test-website -l 400 -b google
(7) Wappalyzer
Wappalyzer is used to identify the technologies of the target system. This is helpful in quickly identifying different versions of technologies used in the website and further searching exploits to attack the target system.
(8) Exiftool
Exiftool is a free and open-source tool developed by Phil Harvey. This tool is used to extract and manipulate metadata information of files of different formats (pdf, image, audio, and video).
(9) Check Usernames
This tool helps in identifying searched usernames on 160 social networks like Twitter, Facebook, and Linkedin.
(10) TinEye
TinEye is a reverse image search engine and is useful in identifying juicy information about the target. You can search based on the uploaded images or give the public URL of the image. Click Here to know more techniques related to reverse image search.
(11) Metagoofil
Powerful open source OSINT tool used for gathering metadata of public documents of target by utilizing Google search engine. This tool is command-based and can be installed by using the below command:
sudo apt-get install metagoofil
As of now, this tool extracts information for the following document types:
- Pdf format (.pdf)
- Word documents (.docx,.doc)
- Presentation files (.pptx, .ppt, .odp)
- Excel documents (.xlsx, .ods, .xls)
(12) OSRFramework
OSRFramework is an open-source tool and helpful in identifying information related to DNS, deep web search, unintentional or intentional leaks, etc. This tool is simple and can be installed by using the below one-line command:
pip3 install osrframework
Conclusion
OSINT tools help in searching for juicy information that may be anything but must be sensitive and valuable. These tools must be used in the first step in security assessment engagement.
Subscribe us to receive more such articles updates in your email.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.
