What is good, OneHack community.
OSINT Masterclass β Zero-Cost Recon That Pays
What intelligence firms charge $500/hr for. Here it is free, complete, and dumb-proof.
This is what threat analysts do for a living β mapping people, companies, and infrastructure using nothing but public data.
No hacking. No illegal access. Every tool here is free. Everything it finds was already public β you just didnβt know where to look. This guide changes that.
π What Is OSINT β 60 Seconds to Get It
Think of OSINT like being a digital private investigator. Youβre not breaking into anything. Youβre reading what was already left unlocked on the internet β and most people leave a LOT unlocked.
OSINT stands for Open Source Intelligence. Intelligence agencies, law firms, and corporate security teams pay millions for OSINT platforms. This guide shows you how to do the same thing for free.
| Concept | Plain English |
|---|---|
| OSINT | Collecting information from publicly available sources |
| Digital footprint | Every account, post, photo, and record someone left online |
| Reconnaissance | Mapping everything about a target BEFORE doing anything else |
| Google Dorking | Special search operators that surface data Google hides by default |
| Credential breach | When a hacked siteβs login data ends up in a public dump β searchable by anyone |
| Identity resolution | Linking scattered data points (username, email, IP) into a single profile |
π° What You Can Actually Do With This
This isnβt just for hackers and investigators. Hereβs what real people use OSINT for β and some of it pays.
| Use Case | What It Looks Like | Worth It? |
|---|---|---|
| Bug Bounty Hunting | Map a companyβs digital attack surface β find exposed subdomains, leaked credentials, misconfigs β report it β get paid | $100β$100,000+ per valid finding on HackerOne, Bugcrowd |
| Romance Scam Detection | Someone on a dating app seems too good. Run their photo, username, and email through OSINT tools β verify in 10 minutes | Could save you from losing your savings |
| Freelance Investigations | Corporate due diligence, missing person leads, background checks | Legit niche with paying clients |
| CTF Competitions | OSINT is a core category in every major Capture the Flag β practice legally, win prizes | Skill-building with a scoreboard |
| Audit Your Own Footprint | Search yourself before someone else does. Find whatβs out there and lock it down | Priceless for anyone with a public presence |
| Journalism & Research | Expose shell companies, track disinformation, verify identities | Real investigative journalists use this daily |
Bug bounty programs paid out over $300M in rewards in 2023 alone. OSINT is how hunters find targets nobody else noticed.
πΊοΈ Step 1 β The Foundation: Google Dorking & OSINT Framework
Before touching any scripts, master the two free starting points that everyone skips.
Google Dorking is Google used properly. Most people type names and hope. Dorking lets you search for emails, exposed files, and hidden profiles with surgical precision. Itβs the first vector β and it almost always surfaces something.
OSINTFRAMEWORK.COM is the master directory. Hundreds of categorized tools for finding information on people, companies, domains, usernames, images, and more. Most OSINT tutorials skip this. Donβt.
| Tool | What It Does |
|---|---|
| Google Dorks | Uncover emails, names, exposed docs, and linked accounts using advanced operators |
| OSINT Framework | Categorized directory of hundreds of free tools β your starting map |
π€ Step 2 β Social Media Mapping: Sherlock Project
If a target uses the same username across platforms β and most people do β you can automate the hunt.
Sherlock-Project is the most efficient way to hunt down social media accounts by username across hundreds of networks simultaneously. One command, dozens of results.
| Tool | Use |
|---|---|
| Sherlock | Username β all associated accounts across social networks |
Pro tip: Pair Sherlock with WhatsMyName for broader coverage β they use different source lists.
ποΈ Step 3 β Deep Identity Resolution: Public Records
Public records databases are underused and underestimated. Address, phone number, occupation, full name, date of birth β all legally searchable. This is how investigators build profiles on adults.
OSINT Framework has the full list. These are the heavy hitters:
| Registry | What It Holds |
|---|---|
| clustrmaps.com | Address history, resident data |
| ancestry.com/search | Family trees, historical records, address chains |
| whitepages.com | Phone, address, relatives |
| publicdatadigger.com | Aggregated public records search |
π Step 4 β Credential Intelligence: Breach Databases
When sites get hacked, the data ends up somewhere public. Emails, usernames, passwords, addresses β all searchable. This is how you find what a target (or you) has already leaked.
| Category | Services |
|---|---|
| Clearnet Intel | haveibeenpwned.com Β· dehashed.com Β· intelx.io |
| Breach Monitors | monitor.firefox.com Β· spycloud.com Β· breachaware.com |
| Deep Web (.onion) | pwndb2am4tzkvold.onion Β· dumpedlqezarfife.onion |
Pro tip: Start with HaveIBeenPwned on any email youβre researching. If itβs been in a breach, every other tool becomes more useful instantly.
π Step 5 β Infrastructure Mapping: IP Resolvers
Understanding the network behind a target is critical for security audits and bug bounty work. IP resolvers pull real-world network data from platform identifiers.
A Skype resolver, for example, takes a Skype username and returns the clientβs IP address. Same concept applies to other platforms.
| Tool | What It Resolves |
|---|---|
| skypeipresolver.net | Skype username β IP address |
| webresolver.nl | Multi-platform resolver |
| steamid.io | Steam account β real name, linked accounts |
| steamidfinder.com/lookup | Steam profile deep lookup |
Note: Steam ID lookups can surface real names registered to the account and linked social profiles.
π· Step 6 β The Silent Observer: Image Metadata
This one is common in CTF competitions but almost never discussed in general recon guides. Every photo taken on a phone or camera embeds hidden data into the file β called EXIF metadata.
EXIF data can contain: GPS coordinates of where the photo was taken, device model and serial, timestamp, and sometimes even the ownerβs name.
Think of it as the photoβs secret receipt β it records everything the camera knew when the shutter clicked.
| Tool | Use |
|---|---|
| ExifTool | Extract full metadata from any image file |
| Jeffreyβs Exif Viewer | Browser-based EXIF reader β no install needed |
| pic2map.com | EXIF GPS coordinates β map location |
Pro tip: Before posting photos anywhere, strip EXIF data. Tools like ExifTool can remove metadata in one command.
Quick Hits
| Want | Do |
|---|---|
| β Sherlock + WhatsMyName | |
| β HaveIBeenPwned first, then Dehashed | |
| β OSINT Framework β public records tier | |
| β ExifTool β extract GPS β drop in maps | |
| β HackerOne or Bugcrowd β run recon, report bugs | |
| β Search yourself across all 6 steps above |
Use this strictly for auditing, securing your own perimeter, and executing βZero Day do Bem.β Execution is the only metric that matters.
!