• In this part you will find tools installable in your machine or VM to perform some OSINT task


  • Tool to get information from a file (image or pdf)


  • Install on kali: sudo apt install libimage-exiftool-perl


  • exiftool filename

The Harverster

  • Tool to hunt emals and breached data

  • Preinstalled on kali linux


  • theHarverster -d domain.com -b all will get infos about domain.com from all search engines available with the tool.

  • Can be combined with other tools such as:

Tools for username and Account OSINT



  • git clone https://github.com/WebBreacher/WhatsMyName.git

  • cd WhatsMyName


  • python3 web_accounts_list_checker.py -u username



  • sudo apt install sherlock


  • sherlock username


  • A tool to osint phone number


  • curl -sSL https://raw.githubusercontent.com/sundowndev/phoneinfoga/master/support/scripts/install | bash

  • tar -xf phoneinfoga_Linux_x86_64.tar.gz


  • phoneinfoga serve -p 8080 will serve the gui on port 8080 then you will just have to go to http://localhost:8080 and make a research

  • phoneinfoga scan -n number you will need to specify the cuntry code in front of the number for example for US or Canada you need to put 1


  • Tool for Twitter OSINT available here.


  • Upgrade

    • pip3 install --upgrade -e git+https://github.com/twintproject/twint.git@origin/master#egg=twint

    • pip3 install --upgrade aiohttp_socks

  • twint -u username

  • twint -u username -s keyword

  • Lots of other possibilities it is worth reading the doc

Tools for website OSINT

Identifying website technology


  • We can use the browser add on Wappalyzer to see the technologies used on the website


  • It is preinstalled on Kali. You can find the githb page here

  • whatweb webiste.com

Hunting subdomain


  • Tool to find subdomains. See about it here

  • apt install sublist3r Install it

  • sublist3r --domain [domain_name] launch it


  • Tool to find subdomains

  • Available here

  • subfinder -d domain


  • Another tool to find subdomains

  • Available here

  • assetfinder domain we can put our results in a file by adding > results.txt if you already have a file with results you can append it with >> instead of >


  • Tool for subdomain enumeration

  • Available here

  • amass enum -d domain


  • After finding multiple subdomains we can use httprobe to check if they are alive or not

  • Find httprobe here

  • We could use a command like this cat findings.txt | sort -u | httprobe -s -p https:443 we can limit our results to port 443

  • We can put our result in a file named alive-findings.txt (we then need to strip https://, http:// and :443 and use it in gowitness


  • We can also go through our findings and get screenshots of them using gowitness

  • Find GoWitness here

  • gowitness file -f ./alive-findings.txt -P ./screenshots --no-http this command will go through every finding and make a screenshot

Burp Suite

  • The community edition is preinstalled on kali

  • You can get it here

  • We can use burpsuite as well and check the response headers of our targeted website to see if it discloses any interesting information.

OSINT Frameworks


  • Find it here along with some documentation

  • recon-ng

  • marketplace search see all available tools

  • marketplace install tool install one of the tool from the market (some of them require API keys)

  • modules load tool load the tool just installed

  • info to see what we can do with the module

  • options set ITEM setting to set something in the module for instance if we were playing with hackertarget we could do options set SOURCE domain.com

  • run to run the module

  • Some nice module on recon-ng are hackertarget (OSINT on website such as subdomain enum and ip adr finder), profiler (search for accounts with a specific userame on different websites)


  • Preinstalled on kali

  • Run for free register and account confirm it

  • We will need api keys for most of the modules

  • We can use it without modules also

  • We can make a new graph domain for instance if we want to make website OSINT


  • Paid tools but free trial possible. Only runs on google chrome.

  • Find Hunchly here

  • We can launch new case and keep them in our dashboard

  • We can start the "tracking" and add it to a specific case

  • We can highlight keywords, take notes on website

  • It will record everything viewed

Last updated