πŸ‘οΈβ€πŸ—¨οΈ Digital Detective Starter Kit β€” OSINT From Zero to Recon

What is good, OneHack community.

:eye_in_speech_bubble: OSINT Masterclass β€” Zero-Cost Recon That Pays

What intelligence firms charge $500/hr for. Here it is free, complete, and dumb-proof.


This is what threat analysts do for a living β€” mapping people, companies, and infrastructure using nothing but public data.

No hacking. No illegal access. Every tool here is free. Everything it finds was already public β€” you just didn’t know where to look. This guide changes that.


πŸ” What Is OSINT β€” 60 Seconds to Get It

Think of OSINT like being a digital private investigator. You’re not breaking into anything. You’re reading what was already left unlocked on the internet β€” and most people leave a LOT unlocked.

OSINT stands for Open Source Intelligence. Intelligence agencies, law firms, and corporate security teams pay millions for OSINT platforms. This guide shows you how to do the same thing for free.

Concept Plain English
OSINT Collecting information from publicly available sources
Digital footprint Every account, post, photo, and record someone left online
Reconnaissance Mapping everything about a target BEFORE doing anything else
Google Dorking Special search operators that surface data Google hides by default
Credential breach When a hacked site’s login data ends up in a public dump β€” searchable by anyone
Identity resolution Linking scattered data points (username, email, IP) into a single profile
πŸ’° What You Can Actually Do With This

This isn’t just for hackers and investigators. Here’s what real people use OSINT for β€” and some of it pays.

Use Case What It Looks Like Worth It?
Bug Bounty Hunting Map a company’s digital attack surface β†’ find exposed subdomains, leaked credentials, misconfigs β†’ report it β†’ get paid $100–$100,000+ per valid finding on HackerOne, Bugcrowd
Romance Scam Detection Someone on a dating app seems too good. Run their photo, username, and email through OSINT tools β†’ verify in 10 minutes Could save you from losing your savings
Freelance Investigations Corporate due diligence, missing person leads, background checks Legit niche with paying clients
CTF Competitions OSINT is a core category in every major Capture the Flag β€” practice legally, win prizes Skill-building with a scoreboard
Audit Your Own Footprint Search yourself before someone else does. Find what’s out there and lock it down Priceless for anyone with a public presence
Journalism & Research Expose shell companies, track disinformation, verify identities Real investigative journalists use this daily

Bug bounty programs paid out over $300M in rewards in 2023 alone. OSINT is how hunters find targets nobody else noticed.

πŸ—ΊοΈ Step 1 β€” The Foundation: Google Dorking & OSINT Framework

Before touching any scripts, master the two free starting points that everyone skips.

Google Dorking is Google used properly. Most people type names and hope. Dorking lets you search for emails, exposed files, and hidden profiles with surgical precision. It’s the first vector β€” and it almost always surfaces something.

OSINTFRAMEWORK.COM is the master directory. Hundreds of categorized tools for finding information on people, companies, domains, usernames, images, and more. Most OSINT tutorials skip this. Don’t.

Tool What It Does
Google Dorks Uncover emails, names, exposed docs, and linked accounts using advanced operators
OSINT Framework Categorized directory of hundreds of free tools β€” your starting map
πŸ‘€ Step 2 β€” Social Media Mapping: Sherlock Project

If a target uses the same username across platforms β€” and most people do β€” you can automate the hunt.

Sherlock-Project is the most efficient way to hunt down social media accounts by username across hundreds of networks simultaneously. One command, dozens of results.

Tool Use
Sherlock Username β†’ all associated accounts across social networks

:high_voltage: Pro tip: Pair Sherlock with WhatsMyName for broader coverage β€” they use different source lists.

πŸ›οΈ Step 3 β€” Deep Identity Resolution: Public Records

Public records databases are underused and underestimated. Address, phone number, occupation, full name, date of birth β€” all legally searchable. This is how investigators build profiles on adults.

OSINT Framework has the full list. These are the heavy hitters:

Registry What It Holds
clustrmaps.com Address history, resident data
ancestry.com/search Family trees, historical records, address chains
whitepages.com Phone, address, relatives
publicdatadigger.com Aggregated public records search
πŸ” Step 4 β€” Credential Intelligence: Breach Databases

When sites get hacked, the data ends up somewhere public. Emails, usernames, passwords, addresses β€” all searchable. This is how you find what a target (or you) has already leaked.

Category Services
Clearnet Intel haveibeenpwned.com Β· dehashed.com Β· intelx.io
Breach Monitors monitor.firefox.com Β· spycloud.com Β· breachaware.com
Deep Web (.onion) pwndb2am4tzkvold.onion Β· dumpedlqezarfife.onion

:high_voltage: Pro tip: Start with HaveIBeenPwned on any email you’re researching. If it’s been in a breach, every other tool becomes more useful instantly.

🌐 Step 5 β€” Infrastructure Mapping: IP Resolvers

Understanding the network behind a target is critical for security audits and bug bounty work. IP resolvers pull real-world network data from platform identifiers.

A Skype resolver, for example, takes a Skype username and returns the client’s IP address. Same concept applies to other platforms.

Tool What It Resolves
skypeipresolver.net Skype username β†’ IP address
webresolver.nl Multi-platform resolver
steamid.io Steam account β†’ real name, linked accounts
steamidfinder.com/lookup Steam profile deep lookup

Note: Steam ID lookups can surface real names registered to the account and linked social profiles.

πŸ“· Step 6 β€” The Silent Observer: Image Metadata

This one is common in CTF competitions but almost never discussed in general recon guides. Every photo taken on a phone or camera embeds hidden data into the file β€” called EXIF metadata.

EXIF data can contain: GPS coordinates of where the photo was taken, device model and serial, timestamp, and sometimes even the owner’s name.

Think of it as the photo’s secret receipt β€” it records everything the camera knew when the shutter clicked.

Tool Use
ExifTool Extract full metadata from any image file
Jeffrey’s Exif Viewer Browser-based EXIF reader β€” no install needed
pic2map.com EXIF GPS coordinates β†’ map location

:high_voltage: Pro tip: Before posting photos anywhere, strip EXIF data. Tools like ExifTool can remove metadata in one command.


:high_voltage: Quick Hits

Want Do
:world_map: Find everything about a username β†’ Sherlock + WhatsMyName
:locked_with_key: Check if an email was breached β†’ HaveIBeenPwned first, then Dehashed
:classical_building: Build a full identity profile β†’ OSINT Framework β†’ public records tier
:camera: Find where a photo was taken β†’ ExifTool β†’ extract GPS β†’ drop in maps
:money_bag: Get paid to do this β†’ HackerOne or Bugcrowd β€” run recon, report bugs
:shield: Audit your own exposure β†’ Search yourself across all 6 steps above

Use this strictly for auditing, securing your own perimeter, and executing β€œZero Day do Bem.” Execution is the only metric that matters.

osint.txt

16 Likes

Thank you for golden share @Guile much appreciated

Thank you Sir. Nice info!!

useful share, thanks

*Note Considery suport in Api/Service/Account for Working Resultings.
[email protected] Tks!!
guthub? my - https://github.com/guitriloco?tab=repositories