Open Source Intelligence (OSINT) refers to the skills used for reconnaissance and data gathering from publicly available information (e.g., search engines, public repositories, social media) to gain in-depth knowledge of a topic or target. When conducting an OSINT exercise in preparation for a penetration test, the testers may want to operate in a clandestine manner so as not to disclose their presence.

OSINT Process Steps:

  • Source Identification
  • Harvesting (Active or Passive Reconnaissance)
  • Data Analysis
  • Processing
  • Results Delivery

Types of Reconnaissance:

  • Passive reconnaissance – attempting to gain information about targeted computers and networks using publicly available resources, without actively engaging with the systems.
  • Active reconnaissance – a type of computer attack in which an intruder engages with the targeted system to gather information about vulnerabilities.

Types of Data:

  • Geo-location
  • Technology infrastructure
    • IP, Hostnames, Services, Networks
    • Software / hardware versions, OS information
    • Network diagram
    • Databases
  • Documentation
    • papers, articles, blogs, presentations, spreadsheets and configuration files
  • Metadata
  • Personnel Info
    • Employee data (Email and other personal information)
    • Social Media

Recommended Tools:

Scanning Tools:

  • OSINT Framework – queries free search engines, resources, and tools for publicly available info.
  • Maltego – included in Kali Linux; collects footprints of any target.
  • Google Dorks – ways to query Google for specific information using search operators that may be useful.
  • Nmap – open source utility used for security auditing and network exploration across local and remote hosts.
  • Recon-ng – built into the Kali Linux distribution; used to perform reconnaissance on remote targets.
  • Shodan – network security monitor and search engine focused on the deep web and the Internet of Things.
  • OpenVAS (Open Vulnerability Assessment System) – open source fork of Nessus used as a vulnerability scanner and security manager.
  • Fierce – IP and DNS recon tool written in Perl for finding target IPs associated with domain names.
  • FOCA (Fingerprinting Organizations with Collected Archives) – analyzes web servers and their hidden info. Collects metadata from MS Office, OpenOffice and PDF documents, as well as Adobe InDesign, SVG and GIF files. Works with Google, Bing and DuckDuckGo.

  1. YouTube: ‘Solving CTF Challenges: Reconnaissance’ (57:25)
  2. YouTube: ‘Open Source Intelligence 101’ (46:49)
  3. YouTube: ‘HackMiami %27 – OSINT 101 with Buscador and Maltego’
  4. YouTube: ‘Information Gathering with Kali Linux: Use Maltego to Gather & Visualize Information’
  5. How Can You Build Your Cyber Skills By Open Source Intelligence (Medium)
  6. OSINT Treasure Trove