OSINT Collections and tools || Check Lists
Core Concepts
OSINT (Open Source Intelligence) is the practice of collecting and analyzing publicly available information about a target (organization, domain, person, or asset) without touching the target directly. The goal is to map the attack surface and human footprint that an adversary could exploit, before any active testing begins.
Methodology
- Scope and seed data: confirm authorized targets and gather starting points (company name, domains, key people, brands).
- Passive collection: search engines, social media, public records, and metadata, leaving no trace on the target.
- Infrastructure and footprint mapping: domains, subdomains, IP ranges, exposed services, certificates, and cloud assets.
- People and credential exposure: employees, emails, usernames, roles, and breach/leak data tied to the org.
- Leak and code search: paste sites, public repos, and document metadata for secrets or sensitive disclosure.
- Triage and report: validate findings, remove noise, and prioritize what feeds the active assessment.
What to look for
- Externally exposed hosts, forgotten subdomains, and shadow IT not in official inventory.
- Leaked credentials, API keys, and tokens in breaches, pastes, and source code.
- Employee details usable for phishing or social engineering (emails, titles, tech stack hints).
- Sensitive metadata in public documents (usernames, software versions, internal paths).
- Misconfigured or public cloud storage and services tied to the organization.
| Site | Description |
|---|---|
| WebCheck | An all-in-one tool for discovering information about a website or host. |
| CIRCL - AIL Framework | The Analysis Information Leak (AIL) framework for analyzing leaks of sensitive information. |
| Leakcorp.com | An online community focused on discussions and information related to data breaches. |
| Leaked.site | A platform to check if your email or data has been compromised. |
| Leakedsource.ru | A resource for accessing data from past data breaches. |
| Hashes.org | A repository for cryptographic hash values commonly used in password cracking. |
| Dehashed.com | A platform offering access to breached databases and password cracking services. |
| Joe.black/leakengine.htm | A website related to data leak analysis and information. |
| Intelx.io | An intelligence search engine providing access to various data sources. |
| Weleakinfo.to | A site known for sharing information from various data breaches. |
| Metagoofil | A tool for extracting metadata from public documents (PDF, DOC, XLS, PPT, etc.) available on the web. |
| Scatteredsecrets.com | A service that searches for exposed personal data and credentials. |
| Maltego | A comprehensive tool for gathering information from various public sources and visualizing the relationships between entities. |
| ZoomEye | A search engine for cyberspace, enabling searches for specific network components and vulnerabilities. |
| Private-base.info | A source for leaked databases and personal information. |
| IntelTechniques | A website offering various OSINT tools and resources for online investigations. |
| Leak-lookup.com | A tool to check if your personal information is part of any public data breaches. |
| DataSploit | An OSINT framework to perform various reconnaissance techniques on companies, individuals, and employees. |
| Haveibeenpwned.com | A widely recognized tool for checking if your email has been involved in data breaches. |
| Shodan | A search engine allowing users to find specific types of computers, services, and information connected to the internet. |
| Ghostproject.fr | A French website known for sharing data from various breaches. |
| Snusbase.com | A database of leaked credentials and data, useful for security and research. |
| Leakcheck.net | Another website to check if your email has been part of a data breach. |
| Services.normshield.com | A service offering cybersecurity solutions and breach monitoring. |
| Leakpeek.com | A platform providing insights into leaked data and breaches. |
| SpiderFoot | An open-source OSINT automation tool for gathering data from various sources for reconnaissance purposes. |
| Gephi | An open-source platform for visualizing and analyzing large networks, useful for understanding social connections. |
| TheHarvester | A tool for gathering information like email addresses, subdomains, hosts, employee names, open ports, and banners from different public sources. |
| Leakcheck.io | A tool to verify if your email address has been involved in data breaches. |
| Leak-sx | A platform known for sharing information about data leaks and breaches. |
| Breachchecker.com | A website for checking if your email address has been compromised in data breaches. |
| Haveibeensold.app | A service helping you check if your personal data is being sold online. |
| FOCA | A tool for metadata analysis and information gathering from public documents, including Word, PDF, and PowerPoint files. |
| Pipl | A people search engine that allows you to find detailed information about a person based on their online presence. |
| PeekYou | A search engine that provides comprehensive people search, including social media profiles and public records. |
| Echosec | A social media monitoring platform that enables real-time threat detection by analyzing publicly available social media posts. |
| Recon-ng | A full-featured web reconnaissance framework written in Python, providing a powerful environment for conducting reconnaissance. |
Check lists for OSINT
Information Gathering
Define Objectives
- Clearly define the objectives and scope of the OSINT investigation.
Legal Considerations
- Ensure compliance with legal and ethical guidelines.
- Respect privacy and terms of service.
Target Identification
- Identify the target(s) or subject(s) of the investigation.
Online Sources
Search Engines
- Conduct online searches using search engines like Google, Bing, and DuckDuckGo.
Social Media
- Search for information on social media platforms (e.g., Facebook, Twitter, LinkedIn, Instagram, etc.).
Forums and Communities
- Explore relevant forums, discussion boards, and online communities.
Blogs and Personal Websites
- Look for blogs and personal websites related to the target.
News Articles
- Search for news articles or mentions related to the target.
Public Records
- Access public records, such as property records, court documents, and business registrations.
WHOIS Lookup
- Use WHOIS databases to gather information about domain registrations.
- Tool: WHOIS Lookup
DNS Enumeration
- Enumerate DNS records to identify subdomains and related services.
Email Addresses
- Search for email addresses associated with the target.
Social Engineering
Phishing
- Use ethical phishing techniques to gather information (obtain informed consent).
In-Person Engagement
- Attend events, conferences, or gatherings where the target may be present.
Dark Web
Dark Web Monitoring
- If relevant, monitor dark web marketplaces and forums for mentions of the target.
Onion Sites
- Explore Tor network (.onion) sites for hidden information.
Tools and Resources
OSINT Tools
- Utilize OSINT tools and frameworks for automated data collection.
- Tools: Maltego, theHarvester, SpiderFoot
Wayback Machine
- Check archived web pages for historical data.
- Tool: Wayback Machine
Google Dorks
- Use advanced Google search operators to refine search results.
Social Media Scraping
- Employ tools or scripts to scrape social media profiles and content.
Publicly Available Data
- Explore public datasets, such as data.gov and data repositories.
APIs
- Access APIs of social media platforms or data providers for information retrieval.
Verification
Cross-Reference Data
- Verify information from multiple sources to ensure accuracy.
Source Reliability
- Assess the reliability and credibility of information sources.