⚠️ For educational and lawful research purposes only. Always respect privacy laws and platform TOS.

πŸ”§ OSINT Tools Directory

Comprehensive reference for CLI, web, and desktop OSINT tools β€” with installation commands, usage examples, and key flags.

ℹ️ Click on any tool card to expand the full guide including installation, usage, and example commands. All commands assume a Linux/macOS environment unless noted.
πŸ•΅οΈ
Sherlock
Hunt down social media accounts by username across 300+ sites
FreeCLIPython

πŸ“¦ Installation

# Clone the repo git clone https://github.com/sherlock-project/sherlock cd sherlock # Install dependencies pip3 install -r requirements.txt # Or with pipx pipx install sherlock-project

πŸš€ Basic Usage

# Search for username across all sites python3 sherlock.py username # Search multiple usernames python3 sherlock.py user1 user2 user3 # Save results to file python3 sherlock.py username --output results.txt

βš™οΈ Advanced Flags

# Check only specific sites python3 sherlock.py username --site twitter instagram # Use Tor for anonymity python3 sherlock.py username --tor # Timeout (default 60s) python3 sherlock.py username --timeout 30 # CSV output python3 sherlock.py username --csv # Print only found accounts python3 sherlock.py username --print-found

πŸ’‘ Pro Tips

  • Run against common username variations (e.g. john_doe, johndoe, j_doe)
  • Cross-reference found accounts with image reverse search
  • Use --folderoutput to organise by case
  • Combine with WhatsMyName for broader coverage
πŸ“‚ View on GitHub β†’
πŸ•·οΈ
SpiderFoot
Automated OSINT footprinting β€” scan IPs, domains, emails, names & more
FreeCLIWeb UIPython

πŸ“¦ Installation

# Clone SpiderFoot git clone https://github.com/smicallef/spiderfoot cd spiderfoot pip3 install -r requirements.txt # Start web UI (recommended) python3 sf.py -l 127.0.0.1:5001 # Then open http://127.0.0.1:5001

πŸš€ CLI Usage

# Scan a domain (all modules) python3 sf.py -s example.com -t DOMAIN_NAME # Scan an IP address python3 sf.py -s 1.2.3.4 -t IP_ADDRESS # Scan email python3 sf.py -s user@example.com -t EMAILADDR # Save results as JSON python3 sf.py -s example.com -o JSON -f

πŸ” Scan Types

# Use specific modules only python3 sf.py -s example.com -m sfp_dns,sfp_shodan # List available modules python3 sf.py -M # Correlate with SFDB HackerTarget python3 sf.py -s example.com -m sfp_hackertarget

πŸ’‘ Key Modules

  • sfp_shodan β€” IoT/device scanning
  • sfp_dns β€” DNS enumeration & records
  • sfp_haveibeenpwned β€” Breach checks
  • sfp_hunter β€” Email harvesting
  • sfp_whois β€” WHOIS lookups
  • sfp_github β€” GitHub code search
  • sfp_pgp β€” PGP keyserver lookup
πŸ“‚ View on GitHub β†’ πŸ“– Documentation β†’
🌾
theHarvester
Gather emails, subdomains, IPs, URLs from public sources
FreeCLIPython

πŸ“¦ Installation

# Clone & install git clone https://github.com/laramies/theHarvester cd theHarvester pip3 install -r requirements/base.txt # Kali Linux (pre-installed) theHarvester --help

πŸš€ Basic Usage

# Search Google for example.com theHarvester -d example.com -b google # All sources, limit 500 results theHarvester -d example.com -b all -l 500 # Save HTML report theHarvester -d example.com -b all -f report

πŸ“‘ Data Sources

# Available sources (-b flag): anubis, bevigil, baidu, bing, bingapi, brave, certspotter, crtsh, dnsdumpster, duckduckgo, fullhunt, github-code, google, hackertarget, hunter, intelx, linkedin, linkedin_links, netlas, omnisint, otx, pentesttools, projectdiscovery, rapiddns, rocketreach, securitytrails, shodan, sitedossier, sublist3r, threatminer, tomba, urlscan, virustotal, yahoo

πŸ’‘ Pro Tips

  • Use -b all for comprehensive results
  • Add API keys in api-keys.yaml for better results
  • Run with Shodan source for IP ranges
  • Combine with Maltego for visualisation
πŸ“‚ View on GitHub β†’
πŸ”—
Maltego
Interactive data mining & link analysis platform
FreemiumGUICross-platform

πŸ“¦ Installation

# Download from official site # https://www.maltego.com/downloads/ # Kali Linux sudo apt install maltego # Create free Community Edition account # at maltego.com to activate

πŸ”„ Key Transforms

  • Domain to IP β€” resolve host records
  • Email to Person β€” identify owner
  • Person to Social Media β€” link accounts
  • IP to Shodan β€” device & port data
  • Phone to Owner β€” identify registrant
  • Phrase to News β€” media mentions

πŸ” Workflow

  • Start with a seed entity (domain, email, name)
  • Run transforms to expand the graph
  • Pivot on discovered entities
  • Use Machines for automated multi-step transforms
  • Export as graph (GraphML) or PDF report
  • Install community Transform Hub packs for free extra transforms

πŸ’‘ Community Edition Limits

  • 12 results per transform (vs unlimited in commercial)
  • Watermarked exports
  • No case management features
  • Still extremely powerful for solo analysts
⬇️ Download Maltego β†’ πŸ“– Documentation β†’
πŸ”­
Recon-ng
Full-featured web reconnaissance framework with modular design
FreeCLIPython

πŸ“¦ Installation

# Clone the repo git clone https://github.com/lanmaster53/recon-ng cd recon-ng pip3 install -r REQUIREMENTS # Kali (pre-installed) recon-ng

πŸš€ Basic Workflow

# Start recon-ng recon-ng # Create a workspace [recon-ng] > workspaces create target_co # Add a seed domain [recon-ng] > db insert domains domain > example.com # Load a module [recon-ng] > marketplace install recon/domains-hosts/hackertarget [recon-ng] > modules load recon/domains-hosts/hackertarget [recon-ng] > run

πŸ“¦ Useful Modules

# Subdomain enumeration recon/domains-hosts/hackertarget recon/domains-hosts/bing_domain_web # Email harvesting recon/domains-contacts/hunter_io recon/domains-contacts/pgp_search # IP geolocation recon/hosts-hosts/ipinfodb # Social media recon/profiles-profiles/twitter_mentioned # Credentials in breaches recon/domains-credentials/pwnedlist

πŸ“Š Reporting

# Generate HTML report [recon-ng] > modules load reporting/html [recon-ng] > options set FILENAME /tmp/report.html [recon-ng] > run
πŸ“‚ View on GitHub β†’
πŸ“¬
GHunt
Investigate Google accounts via email β€” linked services, location, devices
FreeCLIPython

πŸ“¦ Installation

# Clone & install git clone https://github.com/mxrch/GHunt cd GHunt pip3 install pipx pipx install ghunt # Authenticate (one-time setup) ghunt login

πŸš€ Usage

# Investigate a Gmail account ghunt email target@gmail.com # Get Google Drive documents ghunt gaia GoogleID # Check Google Calendar public events ghunt cal target@gmail.com

πŸ” What GHunt Finds

  • Google Account ID & creation date
  • Profile picture (even if hidden)
  • Linked Google services (Maps, YouTube, etc.)
  • Public Google Calendar events with locations
  • Google Reviews and places visited
  • Android device information
  • Last seen active timestamp

⚠️ Requirements

  • Requires a Google account for authentication
  • Use a dedicated/throwaway Google account for OPSEC
  • Respect Google's Terms of Service
πŸ“‚ View on GitHub β†’
πŸ“·
ExifTool
Read, write, and edit metadata in files β€” images, videos, audio, docs
FreeCLIPerl

πŸ“¦ Installation

# Ubuntu/Debian sudo apt install libimage-exiftool-perl # macOS (Homebrew) brew install exiftool # Windows β€” download installer from # https://exiftool.org

πŸš€ Basic Usage

# Show all metadata exiftool image.jpg # Extract GPS coordinates exiftool -GPS* image.jpg # Extract specific tag exiftool -DateTimeOriginal image.jpg # Bulk scan directory exiftool -r /path/to/images/

βš™οΈ Advanced Commands

# Extract GPS and convert to decimal exiftool -n -GPS* image.jpg # Strip all metadata (sanitize) exiftool -all= image.jpg # Output as JSON exiftool -json image.jpg # Find images with GPS in directory exiftool -if '$GPSLatitude' -filename -GPSLatitude -GPSLongitude *.jpg

πŸ’‘ OSINT Use Cases

  • Extract GPS coordinates from social media photos
  • Identify device (phone model, camera) from metadata
  • Extract software versions from documents
  • Recover creation/modification timestamps
🌐 Official Site β†’
πŸ“„
Metagoofil
Extract metadata from public documents (PDF, DOC, XLS, PPT)
FreeCLIPython

πŸ“¦ Installation

# Kali Linux (pre-installed) metagoofil --help # Manual install git clone https://github.com/opsdisk/metagoofil cd metagoofil pip3 install -r requirements.txt

πŸš€ Usage

# Harvest PDFs from example.com metagoofil -d example.com -t pdf -l 20 -o output/ # Multiple file types metagoofil -d example.com -t pdf,doc,xls -l 50 # Limit search pages metagoofil -d example.com -t pdf -l 10 -n 5

πŸ” What It Extracts

  • Usernames & real names from document properties
  • Software versions (OS, Office version)
  • Internal network paths & server names
  • Email addresses embedded in documents
  • Dates & document creation history
  • Printer names and network shares
πŸ“‚ View on GitHub β†’
πŸ“‹

More Essential Tools

Tool Purpose Type Cost Link
FOCAMetadata extraction & fingerprintingGUI / WindowsFreeGitHub
AmassIn-depth attack surface mapping & subdomain enumCLIFreeGitHub
SubfinderFast passive subdomain enumerationCLI (Go)FreeGitHub
PhotonFast OSINT web crawlerCLI (Python)FreeGitHub
OsmedeusAutomated recon workflow engineCLIFreemiumGitHub
IntelOwlOSINT aggregation API platformDocker/APIFreeGitHub
MailSniperExchange email enumeration & searchCLI (PowerShell)FreeGitHub
CreepyGeolocation from social network postsGUI (Python)FreeWebsite
DatasploitAutomated OSINT on domains, IPs, emailsCLI (Python)FreeGitHub
HoleheCheck if email is registered on 120+ sitesCLI (Python)FreeGitHub
MaigretCollect dossier by username on 3000+ sitesCLI (Python)FreeGitHub
BlackbirdOSINT on usernames & email addressesCLI (Python)FreeGitHub