OSINT Masterclass — Zero-Cost Recon That Pays

Guilesz

What intelligence firms charge $500/hr for. Here it is free, complete, and dumb-proof.


**This is what threat analysts do for a living — mapping people, companies, and infrastructure using nothing but public data.**

No hacking. No illegal access. Every tool here is free. Everything it finds was already public — you just didn't know where to look.

*This guide changes that.*

---

[details="What Is OSINT — 60 Seconds to Get It"]

Think of OSINT like being a digital private investigator. You're not breaking into anything. You're reading what was already left unlocked on the internet — and most people leave a LOT unlocked.

OSINT stands for **Open Source Intelligence.** Intelligence agencies, law firms, and corporate security teams pay millions for OSINT platforms. This guide shows you how to do the same thing for free.

| Concept | Plain English |
|---|---|
| **OSINT** | Collecting information from publicly available sources |
| **Digital footprint** | Every account, post, photo, and record someone left online |
| **Reconnaissance** | Mapping everything about a target BEFORE doing anything else |
| **Google Dorking** | Special search operators that surface data Google hides by default |
| **Credential breach** | When a hacked site's login data ends up in a public dump — searchable by anyone |
| **Identity resolution** | Linking scattered data points (username, email, IP) into a single profile |

[/details]

[details="What You Can Actually Do With This"]

This isn't just for hackers and investigators. Here's what real people use OSINT for — and some of it pays.

| Use Case | What It Looks Like | Worth It? |
|---|---|---|
| **Bug Bounty Hunting** | Map a company's digital attack surface → find exposed subdomains, leaked credentials, misconfigs → report it → get paid | $100–$100,000+ per valid finding on HackerOne, Bugcrowd |
| **Romance Scam Detection** | Someone on a dating app seems too good. Run their photo, username, and email through OSINT tools → verify in 10 minutes | Could save you from losing your savings |
| **Freelance Investigations** | Corporate due diligence, missing person leads, background checks | Legit niche with paying clients |
| **CTF Competitions** | OSINT is a core category in every major Capture the Flag — practice legally, win prizes | Skill-building with a scoreboard |
| **Audit Your Own Footprint** | Search yourself before someone else does. Find what's out there and lock it down | Priceless for anyone with a public presence |
| **Journalism & Research** | Expose shell companies, track disinformation, verify identities | Real investigative journalists use this daily |

> *Bug bounty programs paid out over $300M in rewards in 2023 alone. OSINT is how hunters find targets nobody else noticed.*

[/details]

[details="Step 1 — The Foundation: Google Dorking & OSINT Framework"]

Before touching any scripts, master the two free starting points that everyone skips.

**Google Dorking** is Google used properly. Most people type names and hope. Dorking lets you search for emails, exposed files, and hidden profiles with surgical precision. It's the first vector — and it almost always surfaces something.

**[OSINTFRAMEWORK.COM](https://osintframework.com)** is the master directory. Hundreds of categorized tools for finding information on people, companies, domains, usernames, images, and more. Most OSINT tutorials skip this. Don't.

| Tool | What It Does |
|---|---|
| **Google Dorks** | Uncover emails, names, exposed docs, and linked accounts using advanced operators |
| **[OSINT Framework](https://osintframework.com)** | Categorized directory of hundreds of free tools — your starting map |

[/details]

[details="Step 2 — Social Media Mapping: Sherlock Project"]

If a target uses the same username across platforms — and most people do — you can automate the hunt.

**Sherlock-Project** is the most efficient way to hunt down social media accounts by username across hundreds of networks simultaneously. One command, dozens of results.

| Tool | Use |
|---|---|
| **[Sherlock](https://github.com/sherlock-project/sherlock)** | Username → all associated accounts across social networks |

⚡ **Pro tip:** Pair Sherlock with [WhatsMyName](https://whatsmyname.app/) for broader coverage — they use different source lists.

[/details]

[details="Step 3 — Deep Identity Resolution: Public Records"]

Public records databases are underused and underestimated. Address, phone number, occupation, full name, date of birth — all legally searchable. This is how investigators build profiles on adults.

OSINT Framework has the full list. These are the heavy hitters:

| Registry | What It Holds |
|---|---|
| **[clustrmaps.com](https://clustrmaps.com/)** | Address history, resident data |
| **[ancestry.com/search](https://www.ancestry.com/search/)** | Family trees, historical records, address chains |
| **[whitepages.com](https://www.whitepages.com/)** | Phone, address, relatives |
| **[publicdatadigger.com](https://publicdatadigger.com/)** | Aggregated public records search |

[/details]

[details="Step 4 — Credential Intelligence: Breach Databases"]

When sites get hacked, the data ends up somewhere public. Emails, usernames, passwords, addresses — all searchable. This is how you find what a target (or you) has already leaked.

| Category | Services |
|---|---|
| **Clearnet Intel** | [haveibeenpwned.com](https://haveibeenpwned.com) · [dehashed.com](https://dehashed.com) · [intelx.io](https://intelx.io) |
| **Breach Monitors** | [monitor.firefox.com](https://monitor.firefox.com) · [spycloud.com](https://spycloud.com) · [breachaware.com](https://breachaware.com) |
| **Deep Web (.onion)** | `pwndb2am4tzkvold.onion` · `dumpedlqezarfife.onion` |

⚡ **Pro tip:** Start with HaveIBeenPwned on any email you're researching. If it's been in a breach, every other tool becomes more useful instantly.

[/details]

[details="Step 5 — Infrastructure Mapping: IP Resolvers"]

Understanding the network behind a target is critical for security audits and bug bounty work. IP resolvers pull real-world network data from platform identifiers.

A Skype resolver, for example, takes a Skype username and returns the client's IP address. Same concept applies to other platforms.

| Tool | What It Resolves |
|---|---|
| **[skypeipresolver.net](http://www.skypeipresolver.net/)** | Skype username → IP address |
| **[webresolver.nl](https://webresolver.nl/)** | Multi-platform resolver |
| **[steamid.io](https://steamid.io/)** | Steam account → real name, linked accounts |
| **[steamidfinder.com/lookup](https://steamidfinder.com/lookup/)** | Steam profile deep lookup |

*Note: Steam ID lookups can surface real names registered to the account and linked social profiles.*

[/details]

[details="Step 6 — The Silent Observer: Image Metadata"]

This one is common in CTF competitions but almost never discussed in general recon guides. Every photo taken on a phone or camera embeds hidden data into the file — called EXIF metadata.

**EXIF data can contain:** GPS coordinates of where the photo was taken, device model and serial, timestamp, and sometimes even the owner's name.

Think of it as the photo's secret receipt — it records everything the camera knew when the shutter clicked.

| Tool | Use |
|---|---|
| **[ExifTool](https://exiftool.org/)** | Extract full metadata from any image file |
| **[Jeffrey's Exif Viewer](http://exif.regex.info/exif.cgi)** | Browser-based EXIF reader — no install needed |
| **[pic2map.com](https://www.pic2map.com/)** | EXIF GPS coordinates → map location |

⚡ **Pro tip:** Before posting photos anywhere, strip EXIF data. Tools like ExifTool can remove metadata in one command.

[/details]

---

**⚡ Quick Hits**

| Want | Do |
|---|---|
| Find everything about a username | → [Sherlock](https://github.com/sherlock-project/sherlock) + [WhatsMyName](https://whatsmyname.app/) |
| Check if an email was breached | → [HaveIBeenPwned](https://haveibeenpwned.com) first, then [Dehashed](https://dehashed.com) |
| Build a full identity profile | → [OSINT Framework](https://osintframework.com) → public records tier |
| Find where a photo was taken | → ExifTool → extract GPS → drop in maps |
| Get paid to do this | → [HackerOne](https://hackerone.com) or [Bugcrowd](https://bugcrowd.com) — run recon, report bugs |
| Audit your own exposure | → Search yourself across all 6 steps above |

---
*Use this strictly for auditing, securing your own perimeter, and executing "Zero Day do Bem." Execution is the only metric that matters.*
[osint.txt|attachment](upload://xMecfH2Clwo2oUIaGgRV2mOwyfC.txt)
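
Step 6's advice to strip EXIF before posting, as an added example that is not part of the original post: a standard-library Python routine that walks a JPEG's segments, reports whether the Exif block links to GPS data, and writes the file back without it. The function names and the sample image bytes are constructed for illustration.

```python
import struct

EXIF_SIG = b"Exif\x00\x00"   # signature that opens an Exif APP1 payload
GPS_IFD_TAG = 0x8825         # IFD0 entry that points at the GPS directory

def segments(jpeg: bytes):
    """Yield (marker, payload, raw) for each segment up to the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, (length,) = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if jpeg[pos:pos + 2] == b"\xff\xda":   # start of scan: keep the rest as-is
            yield marker, b"", jpeg[pos:]
            return
        if jpeg[pos] != 0xFF or length < 2 or end > len(jpeg):
            raise ValueError(f"malformed segment at offset {pos}")
        yield marker, jpeg[pos + 4:end], jpeg[pos:end]
        pos = end
    yield 0xD9, b"", jpeg[pos:]                # no scan found: keep trailing bytes

def exif_has_gps(payload: bytes) -> bool:
    """True if the Exif block's first directory (IFD0) links to GPS data."""
    tiff = payload[len(EXIF_SIG):]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # TIFF byte-order mark
    if order is None or len(tiff) < 8:
        return False
    (ifd0,) = struct.unpack(order + "I", tiff[4:8])
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2].ljust(2, b"\0"))
    tags = [tiff[ifd0 + 2 + 12 * i:][:2] for i in range(count)]  # 12-byte entries
    return struct.pack(order + "H", GPS_IFD_TAG) in tags

def strip_exif(jpeg: bytes):
    """Return (cleaned_bytes, had_exif, had_gps) with Exif APP1 segments removed."""
    out, had_exif, had_gps = [b"\xff\xd8"], False, False
    for marker, payload, raw in segments(jpeg):
        if marker == 0xE1 and payload.startswith(EXIF_SIG):
            had_exif, had_gps = True, had_gps or exif_has_gps(payload)
        else:
            out.append(raw)
    return b"".join(out), had_exif, had_gps

def sample_jpeg() -> bytes:
    """Constructed stand-in for a phone photo: JFIF, Exif with a GPS link, scan."""
    seg = lambda m, p: bytes([0xFF, m]) + struct.pack(">H", len(p) + 2) + p
    tiff = b"II*\x00" + struct.pack("<IHHHIII", 8, 1, GPS_IFD_TAG, 4, 1, 26, 0)
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8" + seg(0xE0, jfif) + seg(0xE1, EXIF_SIG + tiff)
            + seg(0xDA, b"") + b"\x12\x34\xff\xd9")
```

This removes only the Exif segment; XMP and IPTC blocks, which can also carry location or author fields, are left in place and need separate handling.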