Reconnaissance

OSINT Techniques

Open source intelligence gathering for security research

Company Information

Corporate Data

TEXT
LinkedIn - Employee info, tech stack
Crunchbase - Funding, acquisitions
SEC EDGAR - Financial filings
hunter.io - Email patterns

Historical Data

BASH
# Wayback Machine
waybackurls target.com | sort -u

# Historical DNS (web services, queried in a browser or through their APIs)
# securitytrails.com
# dnshistory.org

# Archive.org
curl "https://web.archive.org/cdx/search/cdx?url=target.com/*&output=text"

Domain Intelligence

DNS Records

BASH
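# Full DNS enumeration
# Many servers answer ANY with a minimal response (RFC 8482),
# so also query the individual record types below.
dig target.com any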
dig target.com txt
dig target.com mx
dig _dmarc.target.com txt

# DNSSEC
dig target.com dnskey

Reverse DNS

BASH
# PTR records
dig -x 1.2.3.4

# From IP range
for ip in $(seq 1 255); do dig -x 10.10.10.$ip +short; done

Certificate Transparency

BASH
# crt.sh
# %25 is the URL-encoded "%" wildcard; -s hides curl's progress meter from the pipe
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u

# certspotter
curl "https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true"
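
An added example, not from the original page: post-processing crt.sh-style JSON into an inventory of names certified under a domain you are responsible for. The jq one-liner above keeps wildcard entries, mixed case and names outside the domain; the function name `hostnames_from_ct`, the apex `example.com` and the sample records are constructed for illustration.

```python
import json

# Constructed sample shaped like crt.sh's JSON output (not real data).
SAMPLE = json.dumps([
    {"name_value": "www.example.com\nexample.com"},  # several SANs in one field
    {"name_value": "*.dev.example.com"},             # wildcard certificate
    {"name_value": "WWW.Example.com"},               # same host, different case
    {"name_value": "mail.example.com."},             # trailing root dot
    {"name_value": "cdn.example.net"},               # shared certificate, out of scope
    {"name_value": "notexample.com"},                # suffix look-alike, out of scope
    {"name_value": "admin@example.com"},             # non-hostname identity
])


def hostnames_from_ct(raw_json, apex):
    """Return (hosts, wildcard_zones) under `apex` from crt.sh-style JSON text."""
    apex = apex.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        # name_value can hold several names separated by newlines.
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if not name or "@" in name:
                continue  # skip blanks and e-mail style identities
            is_wildcard = name.startswith("*.")
            base = name[2:] if is_wildcard else name
            # Keep the apex itself or a true subdomain; a plain suffix match
            # would wrongly accept "notexample.com".
            if base != apex and not base.endswith("." + apex):
                continue
            (wildcards if is_wildcard else hosts).add(base)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    hosts, wildcard_zones = hostnames_from_ct(SAMPLE, "example.com")
    print("hosts:", hosts)
    print("wildcard zones:", wildcard_zones)
```

Wildcard zones are reported separately because a `*.dev` certificate says nothing about which hosts exist beneath it.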

Email Discovery

Finding Emails

BASH
# theHarvester
theHarvester -d target.com -b all

# Hunter.io pattern (web service)
# https://hunter.io/email-finder

# Phonebook.cz (web service)
# https://phonebook.cz

Email Verification

BASH
# Verify email exists (web services)
# emailhippo.com
# emailrep.io

GitHub Recon

Finding Secrets

BASH
# Search patterns (typed into GitHub search, not the shell)
# org:company password
# org:company secret
# org:company api_key
# org:company token
# "target.com" password

# Gitleaks
gitleaks detect --source=/path/to/repo

# trufflehog
trufflehog github --org=company

Finding Employees

TEXT
# GitHub search
"@target.com" in:email
company:"Target Inc"

Social Media

Twitter/X

TEXT
from:target_company password
from:target_company api
"target.com" password

LinkedIn

TEXT
"Target Company" developer
"Target Company" security engineer
site:linkedin.com "target company"

Cloud Resources

S3 Buckets

BASH
# Common patterns (bucket names, not shell commands)
# target.com
# target-backup
# target-dev
# target-prod
# target-assets
# target.com.s3.amazonaws.com

# Tools
cloud_enum -k target
s3scanner scan -l buckets.txt

Azure Blobs

TEXT
target.blob.core.windows.net
targetbackup.blob.core.windows.net

GCP Storage

TEXT
storage.googleapis.com/target
target.storage.googleapis.com

Technology Fingerprinting

Wappalyzer

BASH
# CLI version
wappalyzer https://target.com

# Browser extension for live sites

WhatWeb

BASH
whatweb https://target.com
whatweb -v https://target.com

Shodan

BASH
# Search by organization
shodan search org:"Target Company"

# By hostname
shodan search hostname:target.com

# Technologies
shodan search "Server: Apache" hostname:target.com

Network Infrastructure

BGP/ASN

BASH
# Route objects registered in RADB for an ASN
whois -h whois.radb.net -- "-i origin AS12345"

# Hurricane Electric (web service)
# bgp.he.net

# ASN lookup (web service)
# https://bgp.tools

IP Ranges

BASH
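# From ASN (IPv4 prefixes only; the pattern requires four dotted octets and a prefix length)
whois -h whois.radb.net -- "-i origin AS12345" | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}" | sort -u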

# ARIN
whois -h whois.arin.net target company

Automation

Amass

BASH
amass intel -org "Target Company"
amass intel -asn 12345
amass intel -whois -d target.com

Spiderfoot

BASH
# Web UI
spiderfoot -l 127.0.0.1:5001

# CLI
spiderfoot -s target.com -t EMAILADDR,WEBSERVER