Top 12 Open Source INTelligence Tools [Updated 2022]

Open Source INTelligence, or simply OSINT, is a method of extracting information about a target system from public resources available on the internet. Penetration testers and security professionals usually use OSINT methods to enhance the attack surface.

The best part of using OSINT is its anonymous nature. Because this method mainly deals with open resources, the target system may not know that somebody is performing OSINT. OSINT methods help to find publicly available emails, usernames, passwords, private keys, sensitive files and directories, etc.

OSINT may be divided into two types: Offensive and Defensive. In Offensive OSINT, general information about the company is gathered before the attack. Defensive OSINT is performed to learn the root cause of an attack.

OSINT Process

The OSINT process may be divided into 5 steps:

Step 1: Target Identification. The first step is to know the target.
Step 2: Identifying different sources for information and collecting data. The second step is to identify the different tools and techniques that will be applied against the target. This step allows attackers to extract as much information as possible about the target.
Step 3: Filter data. The third step helps the attacker filter the data and convert it into meaningful and actionable information.
Step 4: Analysis. The fourth step combines information from multiple sources.
Step 5: Reporting. The fifth step is the most important step. Here, report the information to the client with risk and mitigation details.

In this article, we will cover the Top 12 OSINT tools that may be used by security professionals to gather information and increase the attack surface:

(1) Maltego

Maltego is pre-installed on Kali Linux. It is not free, but it provides a lot of sensitive information about the target. Maltego is a professional tool used by big companies and government organizations for linking information and connecting the dots.

(2) Recon-ng

Recon-ng is free, open source, and pre-installed on Kali Linux. It is an awesome framework for doing reconnaissance based on public resources.

(3) Censys

Censys is a public search engine that identifies hosts and networks available on the internet based on search queries. It supports searching by the options below.

  • IP
  • IP range
  • Protocol
  • website
  • Industrial Control System
  • and many more

(4) Shodan

Shodan is the biggest search engine for Internet of Things (IoT) devices and helps in identifying public-facing misconfigured IoT devices. This tool is not expensive and also offers free searches to identify misconfigured IoT devices.

(5) Google Dorks

Google is the most popular search engine across the world. Google dorking is the method of extracting information about a target by using different search operators. I am listing some powerful operators that can be used to refine the search:

  • site: display results only from the mentioned site
  • intitle: display results whose page title contains the text
  • inurl: display results whose URL contains the text
  • intext: display results whose body contains the text
  • filetype: display only a specific file type
  • cache: search based on old indexed content

Refer to: Learn 15 Google Search Tips & Tricks for Best Results

(6) theHarvester

theHarvester is pre-installed on Kali Linux. This tool is helpful in collecting employee details, emails, subdomains, banners, etc. of the target organization. The command below searches by domain (-d), with the data source (-b) set to google and the number of results limited (-l) to 400.

theharvester -d test-website -l 400 -b google

(7) Wappalyzer

Wappalyzer is used to identify the technologies of the target system. It is helpful in quickly identifying the versions of the technologies used in a website and then searching for exploits to attack the target system.

(8) Exiftool

Exiftool is a free and open-source tool developed by Phil Harvey. It is used to extract and manipulate the metadata of files in different formats (PDF, image, audio and video).

(9) Check Usernames

This tool helps in finding a searched username on 160 social networks such as Twitter, Facebook and LinkedIn.

(10) TinEye

TinEye is a reverse image search engine and is useful in identifying juicy information about the target. You can search by uploading an image or simply by giving the public URL of an image.

(11) Metagoofil

Metagoofil is a powerful open-source OSINT tool used for gathering the metadata of a target's public documents by utilizing the Google search engine. This tool is command-line based and can be installed by using the command below:

sudo apt-get install metagoofil

As of now, this tool extracts information from the following document types:

  • Pdf format (.pdf)
  • Word documents (.docx, .doc)
  • Presentation files (.pptx, .ppt, .odp)
  • Excel documents (.xlsx, .ods, .xls)
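
Before publishing a document, you can check what a metadata-harvesting tool would read from it. The following is an added example, not code from this article or from Metagoofil: it reads the metadata parts of an Office Open XML file (.docx, .xlsx, .pptx) and returns the populated fields that identify people or software. The function names, the field list and the in-memory sample document are assumptions constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Metadata parts defined by the Office Open XML packaging format.
METADATA_PARTS = ("docProps/core.xml", "docProps/app.xml")
# Assumed watch list: fields that reveal people, software or internal names.
SENSITIVE = {"creator", "lastModifiedBy", "Company", "Manager",
             "Application", "AppVersion", "Template"}


def extract_metadata(data: bytes) -> dict:
    """Return {field: value} for populated watch-list fields in your own file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {}  # not an OOXML package (e.g. legacy .doc or PDF)
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in METADATA_PARTS:
            if part not in zf.namelist():
                continue
            for elem in ET.fromstring(zf.read(part)).iter():
                field = elem.tag.rsplit("}", 1)[-1]  # drop XML namespace
                text = (elem.text or "").strip()
                if field in SENSITIVE and text:
                    found[field] = text
    return found


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal package holding only the metadata parts."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            'package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>jdoe</dc:creator><dc:title>Plan</dc:title>'
            '<cp:lastModifiedBy>asmith</cp:lastModifiedBy></cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/'
           '2006/extended-properties"><Application>Microsoft Office Word'
           '</Application><Company>Example Corp</Company><Manager/></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    print(extract_metadata(build_sample_docx()))
```

An empty result for a real .docx means none of the watched fields are populated; legacy .doc, .xls, .ppt and PDF files use other formats and are not covered by this check.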

(12) OSRFramework

OSRFramework is an open-source tool that helps in identifying information related to DNS, deep web search, sensitive unintentional or intentional leaks, etc. This tool is simple and can be installed by using the one-line command below:

pip3 install osrframework


OSINT tools help in searching for juicy information, which may be anything but must be sensitive and valuable. These tools are used in the first step of a security assessment engagement.


Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.
