---
name: offensive-osint
description: "Comprehensive OSINT methodology skill for offensive security, red team intelligence gathering, and bug bounty reconnaissance. Covers domain recon, email harvesting, social media profiling, GitHub/code leaks, Shodan/Censys enumeration, breach data lookup, employee profiling, infrastructure mapping, cryptocurrency tracing, geospatial intelligence, and AI-assisted analysis workflows. Use when performing reconnaissance against a target domain or organization, investigating a person or entity, tracing cryptocurrency flows, geolocating images or events, or building an attack-surface map."
---
# Offensive OSINT Methodology
## Workflow
- Define target scope (domain, org, person, crypto address, or geo subject)
- Select applicable categories below based on scope
- Work top-down within each category; pivot on discovered artifacts
- Archive every key artifact: URL + timestamp + screenshot (PNG) + hash (SHA-256)
- Log findings in JSONL with a `run_id` and tool versions for reproducibility
- Suggest next steps based on what each tool returns
## General OSINT
- Bookmarks — Comprehensive OSINT bookmarks
- OSINT Framework — Tool/resource directory
- IntelTechniques Tools — Suite of investigative tools
- Bellingcat Toolkit — Investigative journalism tools
- CyberSudo OSINT Toolkit — OSINT websites list
- Google Dorks — Efficient Google searching
- Distributed Denial of Secrets — Leaked data
- Country-Specific Resources — Country-targeted OSINT
## Search Engines
| Tool | Notes |
|---|---|
| Carrot2 | Clusters results by topic |
| etools | Metasearch engine |
| Kagi | Privacy-first, non-personalized results |
| Brave Search | Independent index; Goggles for custom ranking |
| PDF Search | Search PDF files and view table of contents |
| Google Fact Check Explorer | Cross-site fact-check search |
## Username & Email Investigation
| Tool | Purpose |
|---|---|
| Sherlock | Username search across social networks |
| Maigret | Collect profiles by username from many sites |
| What's My Name | Username search across platforms |
| Holehe | Check if email is registered on platforms |
| Epieos | Email address pivots and metadata |
| OSINT Industries | Email/username/phone lookups |
| Hunter.io | Find email addresses for a domain |
| EmailRep | Email reputation and associated data |
| Emailable | Verify email existence |
| Mugetsu | X/Twitter username history |
| RocketReach / Apollo | Email enrichment and pattern guessing |
| PhoneInfoga | Phone number intelligence framework |
Browser extensions: GetProspect, SignalHire
## People Search
- TruePeopleSearch — Free U.S. people search
- WhitePages — Contact information
- Spokeo — People search engine
- Webmii — People search
- Pipl — Deep web people search (paid)
- Clearbit — Company/individual data enrichment
- FaceCheck / FaceSeek — Reverse face search
## Phone Number OSINT
- TrueCaller — Caller ID and spam blocking
- ThatsThem — Reverse phone search
- Infobel — Phone search outside USA
- FreeCarrierLookup — Carrier/type lookup (US)
- NumlookupAPI [Freemium] — Programmatic carrier/line-type checks
- CallerIDTest — Phone search
- Advanced Background Checks — All people linked to a number
## Social Media
| Platform | Tool |
|---|---|
| Instagram | Picuki — view profiles without account |
| X/Twitter | snscrape — preferred CLI scraper; use Twint only as fallback |
| Facebook | Graph Search, sowsearch.info, lookup-id.com, whopostedwhat.com |
| Facebook (research) | Meta Content Library — CrowdTangle successor (researcher-gated) |
| YouTube/Twitch | Social Blade — analytics |
| TikTok | Tokboard — trend and profile analytics |
| Reddit | Reveddit — removed content; RedTrack.social — user history |
| Bluesky | Firesky — real-time firehose; SkyView — follower graphs |
| Mastodon | FediSearch — cross-instance search; Fedifinder — find Twitter users on Mastodon |
| Faces | Search4Faces |
## Public Records & Company Information
- OpenCorporates — World's largest open company database
- SEC EDGAR — U.S. company filings
- OpenOwnership Register — Beneficial ownership datasets
- MuckRock — FOIA repository and request tracking
- EU Tenders (TED) — EU procurement notices
- World Bank Projects — Project and procurement records
### RU/CN Registries
Russia: Rusprofile, Kontur.Focus (freemium), zakupki.gov.ru (procurement), EGRUL/EGRIP (official, captcha-gated)
China: GSXT (National Enterprise Credit), Qichacha/Tianyancha (freemium), MIIT ICP/Beian (ICP filings)
## Sanctions & Compliance
- OFAC SDN List
- EU Sanctions Map
- OpenSanctions — Aggregated persons/entities datasets
- OCCRP Aleph — Investigative documents, leaks, company records
## Breach & Leak Data
- Have I Been Pwned — Breach lookup; Pwned Passwords API (k-anonymity)
- Dehashed — Credential search
- IntelX — Data intelligence
- LeakCheck — Breach lookups
- Snusbase — Database breach lookups
- BreachDirectory — Recent breach credentials
- Scattered Secrets
- Cavalier (Hudson Rock) — Infostealer lookups
- Phonebook
- LeakPeek
## Infrastructure & Attack-Surface OSINT
- Shodan — Internet-connected device/service search
- Censys — Host and certificate enumeration
- GreyNoise — Distinguish background noise from targeted scans
- SecurityTrails — Passive DNS and asset discovery
- SpiderFoot — Automated recon and correlation
- theHarvester — Subdomain, email, metadata harvesting
- Recon-ng — Web recon framework
- Amass / Subfinder — Passive subdomain discovery
- BuiltWith — Tech stack enumeration
- Netlas — Large-scale HTTP/DNS/certificate pivots
- BinaryEdge / FOFA / ZoomEye — Infra pivots complementing Shodan/Censys
- RiskIQ PassiveTotal — Passive DNS/cert/host pivots
- Spur — IP lookups and tracking
- Robtex — Passive DNS and infrastructure pivots
## ASN/BGP & Internet Measurement
- Hurricane Electric BGP Toolkit — ASN, prefix, peers, IRR data
- RIPEstat — IP/ASN history, routing, geolocation, abuse contacts
- BGPView — ASN and prefix explorer
- bgp.tools — Clean ASN/IX views, routing details
- PeeringDB — Facility and peering info
## Certificates & CT Monitoring
- crt.sh — Search Certificate Transparency logs
- Censys Certificates — CT and x509 attribute pivots
- CertStream — Real-time CT feed via WebSocket
- Rapid7 Open Data — Sonar DNS/HTTP/SSL datasets
- Cert Spotter [Freemium] — CT monitoring and alerts
- Favicon hash (mmh3): cluster infrastructure; pair with Shodan/Censys favicon search
## Threat Intel & IOCs
- Vendor/CERT advisories: CISA/NSA/CSA joint advisories, CERT-EU, NCSC-UK, JPCERT/CC, CERT-UA
- MISP Project and public MISP feeds
- OpenCTI — CTI knowledge graph
- Malpedia — Malware families, YARA, references
- ThreatFox / URLHaus / SSLBL
- MalwareBazaar — Hash-based sample sharing
- PhishTank / OpenPhish
## Malware Analysis & Sandboxes
- Static analysis: pefile, FLOSS, capa
- Similarity: SSDEEP, TLSH
- Sandboxes: ANY.RUN, Hybrid Analysis, CAPE, Tria.ge
- Intelligence: Intezer (code reuse), VirusTotal (caution: uploads become public)
- TLS fingerprints: JA3, JA4
## Cryptocurrency OSINT
### Blockchain Explorers
| Chain | Explorer |
|---|---|
| Bitcoin | Blockchain.com, Blockchair |
| Ethereum | Etherscan |
| BNB Chain | BSCScan |
| Polygon PoS | PolygonScan |
| Solana | Solscan |
| Multi-chain | OKLink [Freemium], Cielo |
L2 Explorers: Arbiscan, Optimistic Etherscan, BaseScan, zkSync Era, L2Beat (risk/TVL comparison)
### Transaction Tracking & Analytics
- Arkham — Multichain explorer, entity labels, graphs, alerts
- TRM — Address/transaction graphs
- MetaSleuth — Visual crypto flow analysis
- Breadcrumbs [Freemium] — Visual graphing and labeling
- Bubblemaps — Holder concentration visualization
- Whale Alert — Large transaction monitoring
- Chainalysis / Crystal Blockchain — Professional analytics
- GraphSense — Cryptocurrency analytics platform
- Nansen — Smart Money labels (paid)
- Dune — Custom blockchain data queries
- Token Sniffer — Honeypot and scam token detection
### NFT & Exchange Intelligence
- OpenSea / NFTScan — NFT marketplace/explorer
- DappRadar — NFT sales and marketplace activity
- CoinGecko / CoinMarketCap — Market data
- Glassnode — On-chain market intelligence
### Bridge Monitoring
- Socketscan — EVM bridge explorer
- L2Beat Bridges — Bridge risk analysis
- Pulsy — Bridge explorer aggregator
## Media Intelligence
### Reverse Image & Facial Search
- Google Images — General reverse image search
- TinEye — Reverse image search
- Yandex Images — Effective for Russian/Eastern European content
- PimEyes — Face-based image search
- FaceCheck — Find people by photo
### Image Forensics
- Forensically — Digital image forensics toolkit
- ExifTool — Read/write/edit metadata
- Jimpl — Online EXIF viewer
- Jeffrey's EXIF viewer — Online metadata viewer
- FOCA — Metadata in documents
- Metagoofil — Extract metadata from public documents
- C2PA Verify — Verify content credentials and AI provenance
### Video Analysis
- YouTube Data Viewer — Extract YouTube metadata
- InVID & WeVerify — Video verification browser extension
- YouTube Geo Tag — Video geolocation via geo tags
- MediaInfo — Technical/tag info for video/audio
- Snap Map (public stories) — Area/event context
### Browser Extensions for Media
- Fake News Debunker by InVID & WeVerify
- RevEye Reverse Image Search
- EXIF Viewer Pro
- Wayback Machine Extension
- Search by Image
## Geospatial Intelligence
### Satellite Imagery & Mapping
- Google Maps / Bing Maps — General mapping
- Sentinel Hub EO Browser — Sentinel/Landsat satellite imagery
- NASA Worldview — NASA satellite imagery
- Zoom Earth — Live satellite images and weather
- Wayback Imagery — Historical satellite images
- NASA FIRMS — Fire/hotspot data
- Open Infrastructure Map — Global infrastructure networks
- Windy — Live weather map
### Geolocation Tools
- Mapillary — Crowdsourced street-level imagery
- KartaView — Open-source street-level imagery
- Overpass Turbo — Advanced OpenStreetMap queries
- SunCalc — Sun position for chronolocation
- GeoNames — Geographical database
- PeakVisor — Identify mountain peaks
- GeoGuesser tips — Geolocation methodology
Street View: Google Street View, Apple Maps, Yandex Maps, Baidu Maps
### Flight OSINT
- FlightRadar24 / FlightAware / RadarBox
- ADSBExchange — Unfiltered community ADS-B feed
- Planespotters — Fleet/airframe history by tail number
- AirFrames / JetPhotos — Visual confirmation
### Maritime OSINT
- MarineTraffic — Live AIS vessel tracking
- VesselFinder — Global ship movements and port calls
- FleetMon — Historical AIS data and analytics
- Global Fishing Watch — Fishing vessel behavior and AIS gap analysis
## AI-Assisted OSINT
Warning: Never paste PII, sensitive IOCs, or unique pivots into cloud LLMs. They log inputs and may use them for training. Use local models (Ollama, LM Studio) for sensitive analysis.
| Tool | Strength |
|---|---|
| ChatGPT (paid) | Log parsing, dataset analysis, Code Interpreter for CSVs/JSON, GPT-4 Vision for image OCR |
| Claude (paid) | 200K token context for large document dumps and report synthesis |
| Gemini 1.5 Pro | 2M token context; Deep Research mode with citations |
| Perplexity Pro (paid) | Real-time web search + reasoning; multi-query synthesis |
Local/privacy-preserving: Ollama (Llama 3, Mistral), LM Studio, GPT4All
### Commercial AI OSINT Platforms
- Cylect — AI entity extraction and link-analysis
- Fivecast Matrix — Generative-AI triage for social-media datasets
- Recorded Future — AI-driven threat intelligence
- DarkOwl Vision — AI-powered darknet data analysis
### Deepfake & Synthetic Media Detection
- Sensity AI — Deepfake detection
- Reality Defender — AI-generated content detection
- Adobe Content Credentials Verify — C2PA verifier
- CarNet — AI car model identification (useful for geolocation)
## Archiving & Evidence Preservation
- archive.today — One-page content archiver with screenshot
- URLScan.io — On-demand webpage scan with resource map
- ArchiveBox — Self-hosted archiving (HTML, PDF, screenshots, media)
- Hunchly — Evidence capture for investigators (paid)
- Wayback SavePageNow API v3 — On-demand archiving with job IDs
- SingleFileZ — Browser extension for offline HTML archives
- Kasm Workspaces — Containerized OSINT workspace/browser isolation
Evidence handling:
- Capture: URL + timestamp + PNG screenshot + WARC/SingleFileZ archive
- Hash all downloaded files (SHA-256) and record in case notes
- Separate work profiles/containers per case; store evidence read-only
- Use JSONL (NDJSON) logs with a `run_id` and tool versions for reproducibility
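Added example (not part of the original skill) of the evidence-handling steps above, which the Workflow section also calls for: each captured artifact gets a SHA-256 hash, UTC timestamp, `run_id` and tool versions written as one JSONL line, and a verification pass re-hashes every logged file to flag anything altered after capture. The tool names/versions, URL and file bytes are constructed placeholders.

```python
import hashlib, json, tempfile, uuid
from datetime import datetime, timezone
from pathlib import Path
TOOL_VERSIONS = {"exiftool": "0.0-placeholder", "amass": "0.0-placeholder"}  # constructed
SAMPLE_PNG = b"\x89PNG constructed sample screenshot bytes"  # constructed, not a real image

def sha256_file(path):
    """Stream the file through SHA-256 so a large WARC archive never loads into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def record_artifact(log_path, run_id, url, artifact_path):
    """Append one evidence record (URL + UTC timestamp + artifact hash) as a JSONL line."""
    entry = {
        "run_id": run_id,
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "url": url,
        "artifact": str(artifact_path),
        "sha256": sha256_file(artifact_path),
        "tool_versions": TOOL_VERSIONS,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def verify_log(log_path):
    """Re-hash every logged artifact; return the entries whose file is missing or altered."""
    bad = []
    with open(log_path, encoding="utf-8") as f:
        for line in f:
            e = json.loads(line)
            p = Path(e["artifact"])
            if not p.is_file() or sha256_file(p) != e["sha256"]:
                bad.append(e)
    return bad

def demo():
    """Constructed walk-through: clean verification, then detection of a post-capture edit."""
    with tempfile.TemporaryDirectory() as d:
        art, log = Path(d) / "homepage.png", Path(d) / "evidence.jsonl"
        art.write_bytes(SAMPLE_PNG)
        run_id = uuid.uuid4().hex  # one opaque id per run; every record in the run carries it
        entry = record_artifact(log, run_id, "https://example.invalid/", art)
        clean = verify_log(log)  # [] while the screenshot is untouched
        art.write_bytes(b"edited after capture")
        tampered = verify_log(log)  # the altered screenshot is flagged
        return len(clean), len(tampered), entry["sha256"] == hashlib.sha256(SAMPLE_PNG).hexdigest()
```

Store the JSONL log alongside the read-only evidence directory and re-run `verify_log` before reporting, so any drift between capture and write-up is caught.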
## Automation & Workflows
- n8n — Self-hosted workflow automation (e.g., RSS → scrape → alert pipelines)
- Huginn — Agent-based monitoring, scraping, alerting
- Playwright — Headless browser automation with stealth plugins
- Browsertrix Crawler — Archival crawling with WARC export
- Prefect / Apache Airflow — Workflow orchestration for data pipelines
## Regional Search Engines
- Russia/CIS: Yandex, Mail.ru Search
- China: Baidu, Sogou, 360 Search
- Russia social: VK, OK.ru
- China social: Weibo, Bilibili, Zhihu, Douyin
## Telegram & Messaging Intelligence
- TGStat — Channel analytics and search
- Telemetr — Channel growth, overlaps, forwards
- Combot — Group analytics (partially paid)
- TelegramDB Search Bot — Basic Telegram OSINT
- Discord ID — Basic Discord account information
- Sogou Weixin search — WeChat Official Accounts content search
- View public Telegram channels: `https://t.me/s/<channel>`