How To Gain Intel Using OSINT Tools

By: Marylin de Kort

June 4, 2020

Cybercriminals are becoming more versatile with their attacks by carefully selecting information about their target that could be useful in a fake email (phishing email). Many cybercriminals are using a technique called Open Source Intelligence (OSINT) to gather as much valuable information about their target(s) as possible. Most of the time, valuable information is found by just using a search engine such as Google or social media such as Facebook.

What is OSINT?

By definition, OSINT is a way to collect, analyze, and disseminate publicly available information. OSINT is used for gathering intel for different types of purposes, whether it is to gather information before a cyber-attack (reconnaissance) or to learn more about attacks against the company. The term “open source” refers to many types of sources, such as:

  • Internet sources (Surface Web, Deep Web and Dark Web)
  • Traditional media (television, newspaper, and radio)
  • Publications (books, reports, and journals)
  • Photo and video material
  • Geoinformation

However, as Tino Sokic stated in his OSINT Fundamentals course, the fact that the data is publicly available does not imply the absence of restrictions on processing it. One should always consider how the information will affect someone’s life or organization.

Who uses OSINT?

OSINT is useful for nearly any organization, team, or person, whether for offensive or defensive purposes. OSINT gives opportunities to both the cyber defender and the attacker. Still, it also proves useful for other types of professionals such as journalists, recruiters, travelers, marketing people, and private investigators.

The OSINT Cycle

To process raw data into usable information, both cyberattackers and defenders use the OSINT cycle. The OSINT Cycle consists of five steps (see image below).

Image 1. OSINT-Cycle.

  1. Planning: As a starting point, the attacker or defender clearly defines what they are looking for and what kind of information they wish to obtain. This step defines the purpose of the investigation.

  2. Gathering: In this step, the attacker or defender collects the information found from many selected sources and tools. Some of the OSINT tools are free, and others are paid. The easiest way to start gathering is to search the internet or to use simple queries on Google.

  3. Analyzing: This step involves validating the gathered information and making it usable, which is very important.

  4. Dissemination: The findings are presented through the physical exchange of data and interconnected data and connection networks.

  5. Feedback: The last step involves getting feedback from the customers or clients. This is the final confirmation of the investigation.

Tools & Techniques

When it comes to working with OSINT, the purpose of the reconnaissance needs to be clear to know where to start gathering information. According to Melinton Navas, in his course ‘Intro to Cyber Threat Intelligence’, the best places to start gathering intel about cyber threats are in threat feeds and forums, media, news, and the Dark Web.

However, if the purpose of the reconnaissance is to know more about the target, there is a set of OSINT-tools and techniques to help gather various information. With tools like Whois, attackers can get public registration information about a domain, such as the registrant, organization, address, phone number, and email address.

There are other OSINT-tools like Shodan, The Harvester, Recon-ng, and Maltego. Shodan is an OSINT-tool (free and paid version), which can be used if the purpose is to find vulnerable devices and to gather IP addresses. The Harvester is mainly used if the purpose is to find the email addresses of employers, employee names, open ports, or subdomain names. Recon-ng is a ‘bucket of tools’ where an attacker can grab email addresses that have been compromised and find associations with social media profiles. With Maltego, an attacker can find associated data with search terms. Maltego Community Edition (the free version) is a data mining tool, with limitations, that mines a variety of open-source data resources and uses that data to create graphs for analyzing connections.

An attacker could also simply visit the company’s website to gain information on the management team, events, contact information, and social media. An attacker could search on a job board to see which technology a company is using or take it further with ‘Google Dorking.’ Google Dorking (or Google Hacking) is a way to exploit Google’s database with queries such as “site:”, “filetype:”, “intitle:”, and “inurl:”.

When it comes to social media, Ken Underhill shows in his Online Reconnaissance course the different ways the information posted on social media can be used by an attacker. An attacker will search for information that could be used in a phishing email or other social engineering techniques (smishing and vishing). The information could be about the bank or insurance company a target is using or the events they have attended. The information could even be about the school the target has attended, for phishing emails about reunions.


OSINT can be used by anyone, regardless of their background and intent. With the use of several OSINT-tools such as Shodan, Whois, The Harvester, Recon-ng, and Maltego, an attacker could gain a lot of information about a company. The attackers could gain intelligence on email addresses of employers and employees and send targeted phishing emails. But even without the use of tools, an attacker could use search engines like Google or DuckDuckGo to find information and files about a target or company.

Using OSINT can be simple for non-technical attackers as well as those who have the intent to search for more information about an employee. The attacker could use social media like Facebook, Twitter, and LinkedIn to find valuable information to use in all sorts of social engineering tricks. The information posted on social media about business events, social groups, schools, and even family members can be used against a target. An employee should always be conscientious about what is posted online for the world to see.

Companies can also use OSINT to their advantage and be one step ahead of their attackers. A company could gather information about vulnerabilities (vulnerable devices and ports) and publicly available information. Using OSINT can prove valuable for any company to strengthen its defense against cybercriminals.
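
One such self-check is to review what a Whois lookup of the company's own domains still reveals (the registrant, organization, address, phone number, and email address mentioned under Tools & Techniques). The script below is an added example, not code from the original article; the record layout, the redaction wording, and the sample record are assumptions constructed for illustration.

```python
import re

# Contact roles and fields in a typical gTLD WHOIS record (assumed layout).
ROLES = ("registrant", "admin", "tech")
FIELDS = ("name", "organization", "street", "phone", "email")
# Assumed redaction wording; registrars vary, so extend this pattern as needed.
REDACTED = re.compile(r"redacted|privacy|withheld|not disclosed|data protected", re.I)

# Constructed sample record (not the result of a real lookup).
SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Organization: Example Corp
Registrant Street: REDACTED FOR PRIVACY
Registrant Phone: +1.5555550100
Registrant Email: jane.doe@example.com
Admin Name: REDACTED FOR PRIVACY
Admin Email: Please query the RDDS service of the Registrar
Tech Email: it-helpdesk@example.com
% Terms of use: lookups are rate limited
"""

def parse_whois(text):
    """Return (key, value) pairs from 'Key: value' lines, skipping comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#>":  # registry comments and footers
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def exposed_contacts(text):
    """List (role, field, value) for contact fields that are still public."""
    findings = []
    for key, value in parse_whois(text):
        parts = key.split()
        if len(parts) < 2 or parts[0] not in ROLES or parts[-1] not in FIELDS:
            continue
        if REDACTED.search(value):
            continue
        # Edge case: some registrars put a notice in the email field instead
        # of an address; only a real address counts as exposure.
        if parts[-1] == "email" and "@" not in value:
            continue
        findings.append((parts[0], parts[-1], value))
    return findings

if __name__ == "__main__":
    for role, field, value in exposed_contacts(SAMPLE):
        print(f"exposed {role} {field}: {value}")
```

To use it on real data, replace `SAMPLE` with the saved output of a `whois` lookup for a domain the company owns.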
