Tooling

OSINT & Reconnaissance

Shodan, Maltego, theHarvester, SpiderFoot, Sherlock — passive intel from public sources.

Open-source intelligence is often the highest-ROI part of an engagement: free, undetectable, and rich. The 2024–26 toolkit blends classical OSINT (Maltego / theHarvester) with internet-scan databases (Shodan / Censys / FOFA) and bulk subdomain pipelines. For asset-surface specifically see Subdomain & Asset Discovery. For bug-bounty automation see Bug-Bounty Recon Workflows. For threat-intel feeds see Threat Intelligence (MISP).

All-in-one platforms

  • Maltego — graph-driven OSINT pivots; Community Edition free (12 results / transform, no commercial use); Pro / Enterprise paid. The classic visual link analysis tool.
  • SpiderFoot — open-source automated OSINT; 200+ modules; web GUI; runs against an email / domain / IP / username and pivots through 100+ data sources. Free + paid SaaS.
  • Recon-ng — modular Python recon framework with a Metasploit-like interface; many free / API-driven modules.
  • Lampyre — paid; visual link analysis competitor to Maltego.
  • Skopenow — paid; person-of-interest investigations.
  • Shodan — internet-wide port scan database; query for banner / cert / product / vuln. Free tier limited; Member $69 lifetime; Annual API tiers paid. Indispensable.
  • Censys — competitor; richer cert / X.509 view; free tier + paid.
  • FOFA (China) — alternative; powerful query language.
  • ZoomEye — Chinese alt.
  • Hunter.how / BinaryEdge / LeakIX — niche scan databases.
  • GreyNoise — "is this IP background internet noise or targeted?"; free tier + paid.

Email / username / person OSINT

  • theHarvester — emails / subdomains / hosts via search engines + Shodan + Censys + Hunter.io. Free.
  • Hunter.io — corp email patterns; free tier + paid.
  • Holehe — checks an email against 120+ services (account exists / doesn't).
  • EmailRep / EmailHippo — reputation / disposable detection.
  • HaveIBeenPwned API — breach exposure of an email.
  • Sherlock — username across 400+ social sites; the default username-search tool. Free.
  • Maigret — Sherlock fork with more sites and richer output.
  • WhatsMyName — community wordlist for username enumeration; data feeds Sherlock and others.
  • GHunt — Google account intel from a Gmail address.
  • OSINT.industries — paid aggregator.

Image / face

  • PimEyes / FaceCheck.id — face-search engines; paid.
  • Yandex / Google Lens / Bing Visual — free reverse image; Yandex still strongest for faces.
  • ExifTool — metadata; see Photo EXIF Metadata.
  • GeoSpy / GeoGuesser community tools — image geolocation.

DNS / WHOIS / cert

  • whois / RDAP — registrar / contact.
  • dnsx / massdns (ProjectDiscovery) — bulk DNS resolution.
  • crt.sh — Certificate Transparency search.
  • chaos.projectdiscovery.io — pre-resolved subdomain DB.
  • SecurityTrails — paid; rich historical DNS / WHOIS.
  • DNSDumpster / Robtex — free passive DNS lookups.
  • Amass intel — see Subdomain & Asset Discovery.

Document / metadata

  • FOCA — extract metadata from public docs.
  • MetaGoofil — Google-dork for docs + metadata.
  • ExifTool — file-level metadata.
  • Twint / SNScrape — Twitter/X scraping (limited post-2023 API changes).
  • Maltego Twitter / LinkedIn transforms — paid mostly.
  • LinkedInt / linkedin2username — convert a company → user list.
  • Aware-Online's social tools list.

Search-engine dorking

  • Google dorks (GHDB) — exploit-db.com/google-hacking-database; free.
  • DuckDuckGo / Yandex dorking — fewer rate-limits.
  • Pagodo — automate GHDB queries.
  • HackTricks Google Dorks — see Exploit DB & Cheatsheets.

Threat-intel adjacent

  • AlienVault OTX — free pulse / IoC sharing; see Threat Intelligence.
  • AbuseIPDB — IP abuse reputation; free tier + paid.
  • VirusTotal — file / URL intelligence; free tier + paid.

OPSEC reminders

  • Stay passive when scoped to passive. The line between OSINT and active recon matters legally.
  • Use dedicated OSINT browser profile (separate cookies, no logged-in personal accounts).
  • Route through Tor / ProtonVPN / Mullvad when target attribution matters; see Anonymity & Privacy OS.
  • Cache results — many sources are paywalled or change.

Pick this if…

  • Default automated OSINT, free: SpiderFoot.
  • Visual graph pivots: Maltego CE → Pro if it sticks.
  • Internet-asset search: Shodan + Censys + FOFA.
  • Username across the internet: Sherlock / Maigret.
  • Email recon: theHarvester + Hunter.io + Holehe.
  • Person-of-interest deep dive: SpiderFoot + Maltego + face-search.
  • Bug-bounty pipeline: see Bug-Bounty Recon Workflows.

On this page