🎯 Goal
Learn to legally collect, analyze, and operationalize publicly available information. Master techniques for investigating individuals, organizations, domains, and network infrastructure – a critical skill for red team reconnaissance, threat intelligence, social engineering assessments, and due diligence.
🔑 Key Skills to Learn
- OSINT Mindset & Ethics: Legality, terms of service, responsible disclosure, operational security (OPSEC) for the investigator.
- Search Engine Mastery: Advanced Google dorking operators (site:, filetype:, intitle:, inurl:), Bing/Censys/Shodan queries.
- Domain & DNS Intelligence: WHOIS (historical), reverse WHOIS, DNSDumpster, certificate transparency logs (crt.sh, CertSpotter).
- Infrastructure Mapping: Subdomain enumeration, IP space identification, ASN lookups, service fingerprinting (Shodan, ZoomEye, Censys).
- Social Media Investigation: Profile discovery across platforms, metadata extraction, relationship mapping, geolocation from posts.
- Email & Username Correlation: Breach data (haveibeenpwned), email verification tools, username search across forums and social networks.
- Image & Video Analysis: Reverse image search (Google, Yandex, TinEye), EXIF metadata, geolocation clues.
- Data Breach & Leak Discovery: Using paste sites, breach databases, and leaked credential repositories (responsibly).
- Dark Web Research (Safety): Tor fundamentals, locating onion services, monitoring threat actor forums without operational risk.
- Automation & Reporting: Scripting OSINT collection (Python, Bash), visualizing relationships (Maltego), documentation.
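As an added example (not code from this page or from any tool listed on it) that connects the certificate transparency item under Domain & DNS Intelligence with the Python scripting item under Automation & Reporting: the functions below parse crt.sh's JSON output into a deduplicated, in-scope inventory of hostnames, the same data a defender uses to find forgotten or shadow-IT hosts under a domain they own. The sample response is constructed inline so the code runs offline; the fetch helper uses crt.sh's real JSON endpoint, and example.com stands in for your own domain.

```python
import json
import urllib.request

# Constructed sample in the shape crt.sh returns from
# https://crt.sh/?q=%25.example.com&output=json (issuers and names are made up).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.example.com",
     "name_value": "*.example.com\nMail.Example.com."},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "vpn.example.com",
     # the second SAN merely contains "example.com" and must be filtered out
     "name_value": "vpn.example.com\nexample.com.shared-hosting.net"},
])

def fetch_crtsh_json(domain, timeout=30):
    """Live crt.sh query for one apex domain (needs network; not used by the offline demo)."""
    url = "https://crt.sh/?q=%25." + domain + "&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def normalize_name(raw):
    """Lower-case and strip whitespace and any trailing dot so duplicates collapse."""
    return raw.strip().lower().rstrip(".")

def in_scope(name, apex):
    """Accept only the apex itself or names ending in '.apex', never look-alike suffixes."""
    return name == apex or name.endswith("." + apex)

def extract_hostnames(crtsh_json_text, apex):
    """Return (hostnames, wildcards) in scope for apex, deduplicated and sorted."""
    apex = normalize_name(apex)
    hosts, wildcards = set(), set()
    for entry in json.loads(crtsh_json_text):
        # crt.sh packs every SAN of a certificate into name_value, newline-separated
        for raw in entry.get("name_value", "").split("\n"):
            name = normalize_name(raw)
            if not name:
                continue
            # a wildcard proves a wildcard cert exists but names no concrete host
            if name.startswith("*."):
                if in_scope(name[2:], apex):
                    wildcards.add(name)
            elif in_scope(name, apex):
                hosts.add(name)
    return sorted(hosts), sorted(wildcards)

if __name__ == "__main__":
    print(extract_hostnames(SAMPLE_CRTSH_JSON, "example.com"))
```

Diff the returned host list against your asset inventory; anything crt.sh knows about that your inventory does not is the finding.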
🛠️ Essential Tools & Technologies
| Tool | Purpose |
|---|---|
| Maltego CE | Graphical link analysis for mapping relationships between entities. |
| theHarvester | Email, subdomain, and name enumeration from public sources. |
| SpiderFoot | Automated OSINT collection platform (web UI and CLI). |
| Recon-ng | Modular reconnaissance framework for web-based OSINT. |
| Shodan / Censys / ZoomEye | Internet-wide device and service search engines. |
| Amass | DNS enumeration, subdomain discovery, and network mapping. |
| Sherlock / Maigret | Username search across hundreds of social networks. |
| ExifTool | Read and analyze file metadata. |
| Google Earth / Google Maps | Geolocation investigation from satellite and street imagery. |
| Wayback Machine (archive.org) | Historical versions of websites, old content and directories. |
📖 Free Learning Resources
- IntelTechniques (Michael Bazzell) – The definitive OSINT practitioner's guide; free podcast and search tools.
- OSINT Framework – Interactive web-based collection of categorized tools and links.
- Bellingcat's Online Investigation Toolkit – Curated tools for verification, satellite imagery, and social media.
- Trace Labs OSINT VM – Free virtual machine preloaded with OSINT tools.
- Quizlet / Search.org – Free OSINT training exercises and quizzes.
- SANS SEC497 (Practical OSINT) – Expensive course, but has free webinars and blog posts with OSINT tips.
- OhSINT (TryHackMe) – Free room teaching image and social media investigation.
- OsintCurio.us – Video tutorials on advanced OSINT techniques (YouTube).
🔗 Roadmap Placement
- Prerequisites: Networking (DNS, IPs, HTTP), Linux command line, and strong ethical judgment. No prior hacking skills required; OSINT is accessible to beginners but scales to advanced practice.
- Directly Enables: Red Team reconnaissance, Social Engineering engagements, Threat Intelligence analysis, Law enforcement investigations, and Corporate security due diligence.
- Next Steps: Combine with Social Engineering or Physical Security Assessment, or move to GRC for a non-technical cybersecurity track.