Top 12 Open Source INTelligence (OSINT) Tools [Updated 2023]

Open Source INTelligence or simply OSINT, is a method of extracting information from the target system by using public resources available on the internet. Penetration testers and security professionals usually used OSINT methods to enhance the attack surface.

The best part of using OSINT is its anonymous nature. As this method mainly deals with open resources, the target system will not know that somebody is performing OSINT. Using OSINT methods helps to search publically available emails, usernames, passwords, private keys, sensitive files/directories, etc.

OSINT may be divided into two types: Offensive and Defensive. In Offensive OSINT, general information about the company will be gathered before the attack. While Defensive OSINT was performed to know the root cause of the attack.

OSINT Process

OSINT process may be divided into 5 steps:

Step 1: Target IdentificationThe first step is to know the target and defined the scope of the target
Step 2: Identifying different sources for information and collecting dataThe second step is to identify different tools and techniques that will be applied against the target.
This step allows attackers to extract as much information against the target
Step 3: Filter data The third step helps the attacker to filter data and convert it into meaningful and actionable information
Step 4: AnalysisThe fourth step combines information from multiple sources
Step 5: ReportingThe fifth step is the most important step. Here, report the information to the client with risk and mitigation details

In this article, we will cover the Top 12 OSINT tools that may be used by security professionals to gather information and increase the attack surface:

(1) Maltego

Maltego tool is pre-installed on Kali Linux. This tool is not free but provides a lot of sensitive information about the target. Maltego is a professional tool used by big companies and government organizations for linking information and connecting the dots.

(2) Recon-ng

Recon-ng is free and open-source pre-installed on Kali Linux. This tool is an awesome reconnaissance framework to do reconnaissance based on public resources.

(3) Censys

Censys is a public search engine to identify hosts and networks available on the internet based on search queries. This tool supports the below options to search results.

  • IP
  • IP Range
  • Protocol
  • website
  • Industrial Control System
  • and many more

(4) Shodan

Shodan is the biggest search engine for the Internet of Things (IoT) devices and helps in identifying public-facing misconfigured IoT devices. This tool is not expensive and also offers free searches to identify misconfigured IoT devices.

(5) Google Dorks

Google is the most popular search engine in the world. Google dorks, is the method of simply extracting information from the target by using different search operators. I am listing some powerful operators that can be used to refine the search:

  • site: display search only for mentioned site
  • intitle: display search results if the title matches the web page
  • inurl: display search if URL contains text
  • intext: display search text in the body of the article
  • filetype: display only specific file type
  • cache: search based on old indexed content
  • link: display external links to pages
  • Numrange: locate specific numbers

Refer Learn 15 Google Search Tips & Tricks for Best Results

(6) theHarvester

theHarvester is pre-installed on Kali Linux. This tool is helpful in collecting employee details, emails, subdomains, banners, etc. of the target organization. The below command provides results by using the domain (-d), data source (-b) selected as google, and limits the number of results (-l) to 400.

theharvester -d test-website -l 400 -b google

(7) Wappalyzer

Wappalyzer is used to identify the technologies of the target system. This is helpful in quickly identifying different versions of technologies used in the website and further searching exploits to attack the target system.

(8) Exiftool

Exiftool is a free and open-source tool developed by Phil Harvey. This tool is basically used to extract and manipulate metadata information of files of different formats (pdf, image, audio, and video).

(9) Check Usernames

This tool helps in identifying searched usernames on 160 social networks like Twitter, Facebook, and Linkedin.

(10) TinEye

TinEye is a reverse image search engine and is useful in identifying juicy information about the target. You can search based on the uploaded images or simply give the public URL of the image. Click Here to know more techniques related to reverse image search.

(11) Metagoofil

Powerful open source OSINT tool used for gathering metadata of public documents of target by utilizing Google search engine. This tool is command based and can be installed by using the below command:

sudo apt-get install metagoofil

As of now, this tool extract information for the following document types:

  • Pdf format (.pdf)
  • Word documents (.docx,.doc)
  • Presentation files (.pptx, .ppt, .odp)
  • Excel documents (.xlsx, .ods, .xls)

(12) OSRFramework

OSRFramework is an open-source tool and helpful in identifying information related to DNS, deep web search, sensitive unintentional or intentional leaks, etc. This tool is simple and can be installed by using the below one-line command:

pip3 install osrframework


OSINT tools help in searching for juicy information that may be anything but must be sensitive and valuable. These tools must be used in the first step in security assessment engagement.

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *