OSINT Tools & Frameworks
A comprehensive collection of tools for automating intelligence gathering, data analysis, and reconnaissance workflows.
API Keys
OSINT Frameworks
SpiderFoot
FrameworkAutomated OSINT reconnaissance tool with 200+ data sources and web UI.
Installation
pip install spiderfoot && spiderfoot -l 127.0.0.1:5001Recon-ng
FrameworkFull-featured web reconnaissance framework with modular architecture.
Installation
pip install recon-ngMaltego
FrameworkVisual link analysis tool for mining and gathering information.
Installation
# Download from maltego.com - CE version is freetheHarvester
FrameworkE-mail, subdomain, hostname, and banner harvester.
Installation
pip install theHarvesterOWASP Amass
FrameworkIn-depth attack surface mapping and asset discovery.
Installation
go install -v github.com/owasp-amass/amass/v4/...@masterreconFTW
FrameworkAutomated reconnaissance workflow with multiple tools.
Installation
git clone https://github.com/six2dez/reconftw.git && ./install.shDomain & DNS Tools
Subfinder
SubdomainFast passive subdomain enumeration from multiple sources.
Installation
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latestAssetfinder
SubdomainFind domains and subdomains related to a given domain.
Installation
go install github.com/tomnomnom/assetfinder@latestFindomain
SubdomainCross-platform subdomain enumerator with monitoring.
Installation
cargo install findomainDNSRecon
DNSDNS enumeration script with multiple query types.
Installation
pip install dnsreconMassDNS
DNSHigh-performance DNS stub resolver for bulk lookups.
Installation
git clone https://github.com/blechschmidt/massdns.git && makeFierce
DNSDNS reconnaissance tool for locating non-contiguous IP space.
Installation
pip install fiercePeople & Social Media
Sherlock
UsernameHunt down social media accounts by username across 400+ sites.
Installation
pip install sherlock-projectMaigret
UsernameCollect person's data from thousands of sites (enhanced Sherlock).
Installation
pip install maigretGHunt
GoogleInvestigate Google accounts with email addresses.
Installation
pip install ghuntHolehe
EmailCheck if email is registered on different sites.
Installation
pip install holeheSocial-Analyzer
SocialAPI and CLI for analyzing social media profiles.
Installation
pip install social-analyzerCrossLinked
LinkedInLinkedIn enumeration to extract employee names.
Installation
pip install crosslinkedInfrastructure & Search
Shodan CLI
SearchSearch engine for Internet-connected devices.
Installation
pip install shodan && shodan init YOUR_API_KEYCensys CLI
SearchInternet-wide scanning data and certificate search.
Installation
pip install censysHttpx
ProbingFast HTTP probing with technology detection.
Installation
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latestWhatWeb
TechNext-gen web scanner for technology identification.
Installation
gem install whatwebwaybackurls
HistoryFetch URLs from the Wayback Machine.
Installation
go install github.com/tomnomnom/waybackurls@latestgau
HistoryGetAllUrls - fetch known URLs from multiple sources.
Installation
go install github.com/lc/gau/v2/cmd/gau@latestEmail & Breach Hunting
EmailFinder
EmailFind company emails from various public sources.
Installation
pip install emailfinderInfoga
EmailEmail information gathering from public sources.
Installation
git clone https://github.com/m4ll0k/Infoga.gitFramework Usage Examples
SpiderFoot
# Start SpiderFoot web UI
spiderfoot -l 127.0.0.1:5001
# Navigate to http://localhost:5001
# CLI scan
spiderfoot -s target.com -t all -o html -H report.html
# Specific module scan
spiderfoot -s target.com -m sfp_dnsresolve,sfp_shodan -o json
# Scan with API keys (configure in ~/.spiderfoot/settings)
spiderfoot -s target.com -t all
# Docker deployment
docker run -p 5001:5001 spiderfootRecon-ng
# Start Recon-ng
recon-ng
# Create workspace for target
workspaces create target_company
db insert domains target.com
# Set API keys
keys add shodan_api YOUR_KEY
keys add censys_id YOUR_ID
keys add censys_secret YOUR_SECRET
# Load and run modules
modules load recon/domains-hosts/hackertarget
run
modules load recon/domains-hosts/certificate_transparency
run
modules load recon/domains-contacts/whois_pocs
run
# Search for modules
modules search subdomain
modules search email
# Export results
modules load reporting/html
options set FILENAME /tmp/report.html
run
# List gathered data
show hosts
show contactsOWASP Amass
# Passive enumeration (safe, no direct contact)
amass enum -passive -d target.com -o passive_subs.txt
# Active enumeration (includes DNS resolution)
amass enum -active -d target.com -o active_subs.txt
# Brute force subdomain discovery
amass enum -brute -d target.com -w /path/to/wordlist.txt
# Intel gathering (reverse WHOIS)
amass intel -d target.com -whois
# Track changes over time
amass track -d target.com
# Visualize results
amass viz -d3 -d target.com
# Full configuration file scan
amass enum -config config.ini -d target.com
# Output to database for later analysis
amass enum -d target.com -dir ./amass_outputreconFTW
# Full reconnaissance
./reconftw.sh -d target.com -r
# Subdomain enumeration only
./reconftw.sh -d target.com -s
# Full recon with all modules
./reconftw.sh -d target.com -a
# Multiple targets from file
./reconftw.sh -l targets.txt -r
# Output in specific directory
./reconftw.sh -d target.com -r -o /path/to/output
# Custom configuration
./reconftw.sh -d target.com -r -c custom_config.cfgPractice Labs & CTFs
Hacker101 CTF
Free CTF with OSINT challenges
TryHackMe OSINT Rooms
Guided OSINT learning paths
Sourcing Games
OSINT challenges for recruiters and investigators
GeoGuessr
Geolocation skills practice
CTFtime
Find CTFs with OSINT categories
Quiztime
Daily OSINT verification challenges
External Resources
OSINT Framework
Comprehensive OSINT tool collection
Awesome OSINT
Curated list of OSINT resources
IntelTechniques
Michael Bazzell's OSINT tools
Ultimate OSINT Collection
Curated bookmark collection
Bellingcat Guides
Professional OSINT investigation tutorials
Week in OSINT
Weekly OSINT news and tools