OSINT Software Tools

OSINT software tools are essential for gathering valuable information from various sources on the Internet. These tools enable ethical hackers and threat hunters to access publicly available data from social media platforms, search engines, domains, DNS names, emails, journals, newspapers, and more. With the advent of the Internet and social media, OSINT has become increasingly relevant in today’s digital age.

What is OSINT?

OSINT, or Open Source Intelligence, refers to the collection and analysis of data and information from diverse sources such as social media platforms, search engines, domains, emails, and more. Governments, political parties, and other organisations have historically used newspapers and television broadcasts to track military, political, and economic activities. However, with the rise of the Internet and social media, there is now a vast amount of publicly available information, making OSINT more crucial than ever.

How does OSINT work?

There is no predefined method for how OSINT works, as there are various OSINT tools available in the market, each serving different purposes. However, the general process involves scanning online and traditional media for information that can be used by ethical hackers or threat hunters. One popular method is using Google Dorks, which involves using specific search queries to obtain information from search engines.

For example, let’s say an organisation has a Github or Bitbucket repository with a team of 6 developers working on a Ruby on Rails application. By navigating to their repository, you can identify who is working on which part of the application. Using their names, you can then find their social media accounts, emails, and more.

The information obtained through OSINT can include domains, DNS names, emails, links between people, documents, affiliations, social media handles, IP addresses, geolocations, organisations, and more.

The legality of using OSINT tools depends on the country and the purpose for which they are used. In the US and UK, OSINT is generally legal, but it is essential to follow a clearly defined framework to avoid any legal complications.

For example, if you are performing OSINT at an organisation’s request, it is perfectly legal. However, using OSINT for stalking or illegal activities is outright illegal.

Top 5 OSINT Tools

Here are the top 5 OSINT tools that we will cover in this article:

  1. Maltego
  2. Shodan
  3. Google Dorks
  4. Recon-ng
  5. Harvester

1. Maltego

Maltego is considered one of the best OSINT tools available in the market. It retrieves information from various resources and presents it in graphs and visuals for easier analysis. The graphs contain information such as email addresses, organisations, domains, nameservers, and more. Maltego uses Java and is compatible with Windows, Mac, and Linux operating systems. It is often included in popular hacking distributions like Kali Linux and Parrot OS.

Maltego Usage

  1. Open Maltego and click on “New” and then “Create new Graph”.
  2. Select an Entity from the Entity Palette on the left side.
  3. Drag the selected Entity to the Graph.
  4. Replace the default domain with the desired domain.
  5. Right-click on the domain in the graph, select “All Transforms”, and click on “Run”.
  6. Review the information obtained, including domains, documents, nameservers, and more.

You can perform similar actions for other entities and gather the information you need from Maltego.

2. Shodan

Shodan can be described as a deep search engine that allows users to find specific devices, services, and vulnerabilities on the Internet. Similar to using Google Dorks, Shodan has its own search queries, or dorks, that can be used to find various devices and vulnerabilities. Shodan is particularly useful when searching for vulnerabilities on a large scale.

To use Shodan, simply visit their website and create an account. You can also purchase a plan for additional features such as increased request limits, API access, and network monitoring.

3. Google Dorks

Search engines like Google and Bing are valuable tools for finding information on the Internet. By using advanced search operators, known as Google Dorks, you can refine your search and find specific information.

Some examples of Google Dorks include:

  • inurl: – Searches for a specific term in the URL.
  • intitle: – Searches for a specific term in the title of a webpage.
  • intext: – Searches for a specific term in the body text of a webpage.
  • site: – Limits the search to a specific website or domain.
  • cache: – Displays the cached version of a webpage.
  • filetype: – Searches for a specific file type.
  • | – Performs a logical OR operation.
  • - – Excludes a specific term from the search results.
  • OR – Performs a logical OR operation.
  • AND – Performs a logical AND operation.

By using these operators, you can filter and refine your search results to find the information you need.

4. Recon-ng

Recon-ng is a powerful tool for OSINT and reconnaissance purposes. It is similar to Metasploit in terms of syntax and interface. Recon-ng comes with built-in modules that allow users to gather information such as social media handles, email addresses, domains, files, and more. Additionally, users can create their own modules for custom use.

Recon-ng can also be used as a reconnaissance tool during web penetration testing, making it a versatile tool for both OSINT and penetration testing. Users can create workspaces in Recon-ng and perform reconnaissance and OSINT tasks within those workspaces. All the gathered information is stored in a database schema.


  • For Ubuntu/Debian:

git clone https://github.com/lanmaster53/recon-ng.git

  • For Mac OS:

brew install recon-ng

  • For Kali Linux:

Recon-ng is usually installed by default. If not, you can install it using the following command:

sudo apt install recon-ng

Recon-ng Usage

Before using Recon-ng, certain commands need to be executed:

  1. marketplace install all – Installs all the modules.
  2. workspaces create Osint – Creates a workspace.
  3. db schema – Checks the database schema.
  4. db insert domains – Inserts a domain into the database.

Once these commands are executed, you can start using Recon-ng.

To search for installed modules:

  • modules search [keyword]

To load a specific module:

  • modules load [module_name]

To set options for the loaded module:

  • options set [option_name] [value]

To run the module with the specified options:

  • run

Recon-ng has multiple modules that can be loaded, and options can be set accordingly to gather the required information.

5. Harvester

Harvester is an open-source tool written in Python that is easy to use and configure. It allows users to find domains, email addresses, IP addresses, employee names, open ports, and more. Harvester retrieves information from sources such as Google, Bing, Anubis, Censys, Shodan, and others.


  • For Linux:

git clone https://github.com/laramies/theHarvester

cd theHarvester

pip3 install -r requirements.txt

  • For Mac OS:

brew install theharvester

  • For Kali Linux:

Harvester is usually installed by default. If not, you can install it using the following command:

sudo apt install theharvester

Harvester Usage

To search for email addresses and domains using Google as the data source:

  • theHarvester -d example.com -b google

To set limits on the number of results:

  • theHarvester -d example.com -l 400 -b google

To save the results in an HTML file:

  • theHarvester -d example.com -b google -f results.html

The Harvester can be customised to search for specific information based on the desired data sources.

Bonus Tips

  • Tineye: Use Tineye to search for information using images. It can perform a reverse image search and provide details about the image.
  • Searchcode: If you need to find source code from a specific organisation, use Searchcode. It searches for code on platforms such as Github, Bitbucket, Gitlab, and Google Code.


In this article, we have explored the world of OSINT software tools and how they can be used to gather valuable information from various online sources. We have covered five top OSINT tools, including Maltego, Shodan, Google Dorks, Recon-ng, and Harvester. These tools enable ethical hackers and threat hunters to extract information ranging from email addresses to CCTV cameras. By utilising these tools effectively, users can enhance their OSINT capabilities and improve their overall security posture. If you are new to ethical hacking, be sure to check out other informative articles on our website. Feel free to leave any questions or issues in the comments section below.

This website uses cookies. By continuing to use this site, you accept our use of cookies.  Learn more