OSINT (Open-Source Intelligence) Cheatsheet 🔍

📌 What is OSINT?

OSINT (Open-Source Intelligence) refers to collecting and analyzing publicly available information from various sources, including social media, websites, government records, and dark web marketplaces. It is widely used in cybersecurity, penetration testing, law enforcement, and threat intelligence.

This cheatsheet covers the best tools, techniques, and methodologies for conducting OSINT investigations effectively.

---

1️⃣ OSINT Data Sources

🔹 Search Engines: Google, Bing, DuckDuckGo
🔹 Social Media: Twitter, Facebook, LinkedIn, Reddit
🔹 Domain & IP Information: WHOIS, Shodan, VirusTotal
🔹 Leaks & Breach Data: Have I Been Pwned, Dehashed
🔹 Metadata Analysis: ExifTool, FOCA, Metagoofil
🔹 Dark Web: Onion search engines, Tor services
🔹 Public Records: Government databases, court records

---

2️⃣ Search Engine Dorking (Google Hacking)

Google Dorks are advanced search queries that help find exposed databases, sensitive files, and misconfigurations.

🚀 Common Google Dorks:
🔹 Find exposed login pages:

inurl:login

🔹 Find files with sensitive data (PDF, XLS, DOC, etc.):

filetype:pdf OR filetype:xls OR filetype:doc site:example.com

🔹 Find cameras and IoT devices:

inurl:"view/view.shtml"

🔹 Discover indexed directories:

intitle:"index of" site:example.com

🔹 Find emails from a domain:

site:example.com intext:"@example.com"

📌 More Google Dorks: Exploit-DB Google Hacking Database

---

3️⃣ Social Media OSINT

🔍 Tracking Social Media Footprints:
🔹 Twitter OSINT: TweetDeck, Twint
🔹 Facebook OSINT: Facebook Graph Search
🔹 LinkedIn OSINT: Search for employee leaks using:

site:linkedin.com "@company.com"

🔹 Reddit Investigations: Find discussions related to a target:

site:reddit.com "keyword"

📌 Tool: Sherlock – Finds social media accounts across platforms

---

4️⃣ WHOIS & Domain Reconnaissance

🚀 Find details about a domain:
🔹 WHOIS Lookup:

whois example.com

🔹 Find subdomains:

sublist3r -d example.com

🔹 Reverse DNS lookup:

nslookup example.com

🔹 Scan ports for vulnerabilities:

nmap -A example.com

📌 Tools:
🔹 Shodan – IoT search engine
🔹 VirusTotal – Check for malicious domains

---

5️⃣ OSINT on Leaks & Breaches

🔹 Find leaked passwords & credentials:

site:pastebin.com OR site:throwbin.io "email@example.com"

🔹 Check if your email is part of a data breach:
Have I Been Pwned

📌 Tool: Dehashed – Search leaked databases

---

6️⃣ Image & Metadata Analysis

🚀 Find metadata in images & documents:
🔹 Extract metadata from an image:

exiftool image.jpg

🔹 Find GPS coordinates in images:

exiftool -gps image.jpg

🔹 Reverse Image Search: Google Images, Yandex

📌 Tool: FOCA – Extracts metadata from documents

---

7️⃣ OSINT Dark Web Investigations

🔹 Access dark web safely with Tor Browser
🔹 Use dark web search engines:

• Ahmia

• Dark.fail

• OnionSearch

📌 Tool: OnionScan – Analyzes dark web services for vulnerabilities

---

8️⃣ OSINT Investigation Automation

🚀 Best OSINT Frameworks & Tools:
🔹 SpiderFoot – Automated OSINT recon
🔹 theHarvester – Gathers emails, subdomains, and names
🔹 Maltego – Graphical link analysis tool
🔹 Recon-ng – Python-based reconnaissance framework

---

9️⃣ OSINT Best Practices & Ethics

✅ Always use legitimate & legal sources
✅ Protect your own identity during OSINT research (use VPNs, Tor)
✅ Avoid unauthorized access to systems (stick to public data)
✅ Document findings with proper evidence collection

📌 Learn More: OSINT Framework

---

🚀 Conclusion

Mastering OSINT gives you an edge in threat intelligence, cybersecurity, and investigations. Whether you’re tracking hackers, gathering intel on vulnerabilities, or investigating leaks, these tools and techniques will help you navigate the world of open-source intelligence.