OSINT techniques and tools

Searching for information in public sources and making intelligence with this information is something very useful for a hacker. Sometimes you don’t need to break into any system to get the information you need. You just need to know where to look. 

Google Dorks

Some time ago I published a post in which I explained how to do hacking with google dorks. I recommend you to take a look at it. Using search engines to find data is very effective, but there are tools that make the job much easier. In this post I will show you the different tools I have been trying and collecting over time.


Shodan is a search engine for finding specific services such as webcams, SCADA systems, linksys… The possibilities with this search engine are almost infinite. To search for cameras, the best thing to do is to use its Beta version. You have much more information about this search engine in the post I dedicated to it a few weeks ago.


Maltego is a data mining program that allows results to be displayed in the form of graphs that are linked to each other.

Maltego makes it possible to link and integrate people, social networks, companies, organizations, websites, documents… It is one of the best and most intuitive intelligence tools.

Maltego example

Soon I will make a post explaining how this program is used and analyzing my website with it.

Fake accounts

To test and maintain anonymity, the easiest way is to use temporary emails like temp-email or yopmail.

However, some websites or social networks have blacklists that prevent the registration of this type of temporary emails. Therefore, another option is to create a gmail email, and use the + symbol in the name of the email. For example, if you create the email lethani@gmail.com, you can create hundreds of Instagram accounts by adding at the end of the name the sum symbol and a number: lethani+01@gmail.com, lethani+02@gmail.com, lethani+03@gmail.com, lethani+04@gmail.com…

And all those accounts redirect the emails to lethani@gmail.com, since they are actually the same.

Other temporary emails:

Email Impersonation

It is possible to impersonate another person in the recipient of an email using the web https://emkei.cz/

emkei fake email

The sender will receive the message as if it had been sent by email to DonaldTrump@gmail.com. Depending on the impersonated email and the server to which it is sent (gmail, hotmail, yahoo, etc.) the mail will be marked as spam or not. In this case, we can see how the sender receives the email without any notice, except for a question mark in the image.

emkei fake emailWith this technique, the victim can be tricked to obtain more information from him or to incite him to perform a certain action.

Images intelligence

For image intelligence the best search engines, besides google one, are tineye y yandex.

These three search engines allow you to upload an image and search for web pages that contain it. In addition, you can find plugins for the three engines for Firefox and Google Chrome that make it easy to upload images.

Telephone numbers

To get information about a certain phone number, you can add that number to your address book and search for contacts on the main social networks: instagram, whatsapp, telegram, twitter…

If the owner of that number has linked it to one of their social networks, which is common, you can get information such as name, nick, profile pictures, likes… And then you can use this information to expand your search.


All social networks and platforms use nicknames or usernames that people often repeat. If you have the username or nickname that your target uses in the networks, besides searching it in google you can use pages like checkusernames.com or namechk.com.

These pages allow you to search if that user exists in a large number of websites and social networks.

Peer-to-Peer Networks and Anonymity


Bell¿ngcat is an independent international network of detectives, investigators and journalists specialised in open source research and social media. They have a google document in which you can find the repertoire of tools they use in their investigations:

Bellingcat’s Online Investigation Toolkit

Other Sources

Finally, I recommend you to read the pdf of the Spanish National Intelligence Center that shows the techniques they use to analyze intrusions and collect information (only in Spanish):


You can also find all kinds of OSINT tools divided into categories on this website:



5/5 - (83 votes)

4 thoughts on “OSINT techniques and tools”

  1. Very few internet websites that transpire to be comprehensive beneath, from our point of view are undoubtedly effectively really worth checking out. Roda Wallas Angelis


Leave a comment