osint-recon

What is OSINT?

Open Source Intelligence, or “OSINT,” was defined by the Department of Defense (DoD) as “produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement.” This process is also commonly referred to as “Digital Footprinting.”

OSINT can help us obtain the following types of information:

  • Information that increases the known attack surface (e.g., domains, IP addresses)
  • Credentials (such as email addresses, usernames, passwords)
  • Sensitive information (customer details, financial reports, etc.)
  • Infrastructure details (technology stack, hardware equipment in use, and much more)

OSINT implies no direct communication with the assets in scope: we rely entirely on information collected from third-party resources, via the internet and other sources of information. The main drawback is that this information can be incorrect or outdated, which is why the passive reconnaissance phase is only one of the two possible ways of obtaining such information.

Tools which can be used for OSINT

  1. SpiderFoot is a reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, email addresses, names and more. You specify the target you want to investigate, pick which modules to enable, and SpiderFoot collects data to build up an understanding of all the entities and how they relate to each other. It works with a large number of publicly available services through their APIs (you need to insert the API keys manually).
  2. Maltego is a well-known tool for reconnaissance against infrastructure, companies, people, etc. Maltego uses the idea of transforms to automate the process of querying different data sources. The results are displayed on a node-based directed graph suitable for link analysis, which is why the tool is widely used in online investigations for finding relationships between pieces of information from various sources available on the Internet.
  3. Recon-NG is a full-featured web reconnaissance framework written in Python. Complete with independent modules, database interaction, built-in convenience functions, interactive help and command completion, Recon-NG provides a powerful environment in which open-source web-based reconnaissance can be conducted quickly and thoroughly. It is a completely modular framework, which makes it easy for even the newest of Python developers to contribute and develop new modules.
  4. TheHarvester is an older tool that is not so popular nowadays because it lacks integrations with many useful services. It can still be useful if you want to find people through social networks or obtain information quickly from Google. TheHarvester can easily find people by company via LinkedIn, which many other tools cannot do, so in some cases it is still worth keeping around.

Afterwards

There are a good number of tools and methods for extracting information that is now publicly available. The main thing is to determine the goal correctly, so that information is collected purposefully and no time is wasted. One advantage worth noting is the safety of this passive reconnaissance approach, since it involves no direct scans of the end target.