In this article, we will look at top five Open Source Intelligence tools. Before we jump directly on tools, it is essential to understand what is Open Source Intelligence(OSINT) and how it can benefit researchers/malware actors/organizations, etc.

What is OSINT?

Open Source Intelligence(OSINT) refers to a collection of data from public sources to be used in an intelligence context, and this type of information is often missed by link crawling search engines such as Google. Also, as per DoD, OSINT is “produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for addressing a specific intelligence requirement.”

Top 5 OSINT Tools

Below are the tools which are more often used by penetration testers and even malware actors than others to gather information about the specified target. Information gathering plays an essential part in any penetration activity. The data that we get from information gathering phase reveals a lot about the target, and in the digital world, there are huge footprints of assets exposed to the outside world. Challenge for Penetration testers and malware actors is to make sense of this humongous chunks of data to know all the possible traits of intended targets. Below are some of the common OSINT tools often used by malware actors and penetrations testers.

Note: We will only see one or two features for each tool mentioned below to see how much value they can bring in during reconnaissance phase.


Maltego is developed by Paterva and is an inbuilt tool in Kali Linux (ships with community edition). Maltego helps to perform a significant reconnaissance against targets with the help of several built-in transforms (as well as gives the capability to write custom ones). To use Maltego first, the user should be registered on the Paterva site.

After registering, the user can create a new machine OR user can run machines to run transforms on the target. After configuring that configured machines needs to be started. There are various footprints built-in inside Maltego which can be run against the target. Maltego will start to run all the transforms with the Maltego servers.

Expected results might be Domain to IP conversion has happened, netblock will be identified, AS number is also identified, locations and other phrases as well. These are all icons in Maltego, and it gives detail view about all these icons. Researchers can continue this process to dig more information about the target. Absolutely fantastic tool to track the footprints of a single entity over the internet.


Recon-Ng is another useful tool to perform reconnaissance on the target and is also built into Kali Linux. Recon-ng has various modules inbuilt, and its usage somewhat resembles to that of Metasploit. Below is the welcome screen of Recon-ng on Kali Linux.

As mentioned above, recon-ng has various inbuilt modules. A snippet of that is shown below.

Workspaces can be created to carry out all operation inside that. As soon as the workspace is created user will be redirected to that workspace. Once inside the workspace, then the domain can be specified using add domain <domainname>. After the domains is added into the recon-ng, recon-ng modules can be used to extract information about this domain. There are some excellent modules like bing_domain_Web and google_site_web to find additional domain related to the initial target domain. The output of these domains will be all indexed domains to these search engines. Another handy module is bing_linkedin_cache which can be used to fetch the email addresses related to the domain which can further be leveraged to perform social engineering. So, with other modules, we can get additional information regarding targets. Thus recon-ng is a great tool and must be in the toolkit of researchers.


theHarvester is again an excellent tool for collecting info from the specified target. The Harvester is inbuilt into Kali, is very fast and is much simpler to use than Recon-ng to collect basic information. Below is the welcome screen of the Harvester in Kali Linux.

We can see it trying to fetch results from Google, Bing, PGP key servers, etc. These parameters (and others) are explained in below figure.

Below are the details that we can get from theHarvester:

  • Email Address related to the domain.
  • Results of hosts and virtual hosts which are found in search engines.

So, we can see that theHarvester is also very useful to extract information from the specified targets and is very useful with all its features.


Shodan is touted as the ‘Search Engine for Hackers’ because it gives a huge footprint of devices which are connected online. It is a gold mine for researchers to see the exposed assets.

Shodan also gives the top most used searches by the community like below:

Ethical Hacking Training – Resources (InfoSec)

For example, one can see the connected webcams, netcams, traffic lights, etc. Below are some of the use cases from Shodan:

  • Testing of Available assets with RDP port open.

  • Testing of “Default Passwords.”

  • Assets with VNC viewer

So Shodan is an excellent tool for finding the fingerprint of connected assets; their details; their vulnerabilities etc. Researchers can easily imagine how much they can push boundaries of this to gather the deep level of information.

Google Dorks

Search engines do provide us much information, and they index much information, too, which can be used to gather information about a target. Google dorks provide such information through the usage of some operators which are otherwise difficult to extract using simple searches. Below are some of the operators used in Google Dorking:

  • Intitle: Looks out for mentioned words in the Page title
  • Inurl: Looks out for mentioned words in the URL.
  • Filetype: This is used to find filetypes.
  • Ext: This is used to identify files with specific extensions. Think of using it for finding such files like .log which are not supposed to be indexed.
  • Intext: This helps to search for specific text on the page.

Below is an example of finding all indexed PDF files

Google dorks have been in place since 2002, and they still give good results and can prove very handy very performing reconnaissance.

So, in this article, we have investigated some of the most common OSINT tools used by researchers. Their tools are very powerful when used alone but can be very lethal when used with each other.