Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

9 OSINT Tools For Your Reconnaissance Needs

Different types of monster arms reaching out


Looking to level up your open source intelligence (OSINT) efforts for your next security engagement?

There’s no shortage of OSINT tools, techniques, and other resources – in fact, there’s so much stuff, it’s a little overwhelming to try and sort through it all. Writing a “best of” or otherwise “cumulative” list would be a futile endeavor, so instead, we compiled 9 OSINT tools and other miscellaneous resources we find useful.

Disagree with our choices? Want to suggest another tool for us to check out? Hit Bishop Fox up on Discord, Reddit, or Twitter to tell us. We’ll be posting a comprehensive list of all kinds of security tools in November, and we’ll consider any recommendations we receive!

Tool #1: Trace Labs OSINT VM Version 2

Creator: Trace Labs (@TraceLabs)

Why We Like It: Trace Labs is a nonprofit that has quite the name in the OSINT world – the mission of the organization is to help find missing people and reunite them with their families (more on that here). They have other available OSINT resources, but we wanted to focus on the OSINT Virtual Machine (v2). This VM is the go-to for all OSINT engagements. The VM comes with an incredibly expansive list of tools that allow you to quickly and easily get up and running in a dedicated environment.

Tool #2: OSINT Framework

Creator: Justin Nordine (@jnordine)

Why We Like It: No OSINT tool list would be complete without the OSINT Framework. The OSINT Framework contains resources for finding information about targets via social networking, instant messaging, metadata, and more. From these categories, you can narrow your search further and even further. No matter what kind of information you’re seeking, the OSINT Framework more than likely has a resource for you.

Tool #3: email2phonenumber

Creator: Martin Vigo (@martin_vigo)

Why We Like It: The name of the tool says it all; you just need a target’s email address, and with that information alone, it’s possible to retrieve their phone number. The tool works several different ways. It scrapes websites for phone number digits (initiating password resets via the email address), generates phone numbers based on the country’s Phone Numbering Plan, and brute-forces by iterating over a list of numbers and initiating password resets to obtain associated email addresses.

9 OSINT Tools blog post figure 1
Figure 1 - Tool email2phonenumber in action

Like the other OSINT tools on this list, it depends on publicly available data. For more information on how email2phonenumber works, watch this BSides Las Vegas 2019 presentation

Tool #4: SpiderFoot

Creator: SpiderFoot (@SpiderFoot)

Why We Like It: Automation can be an invaluable asset in security (as this blog post from Zach Zeitlin illustrates). SpiderFoot applies automation to OSINT. It can make your OSINT efforts much faster and much more powerful; it even works while you sleep! Introduced to the world in 2005, SpiderFoot has kept foot (pun intended) with the times, as today’s attack surface is significantly vaster than the attack surface of nearly 20 years ago. There are two ways to use SpiderFoot; you can get the open source version or the HX version

Tool #5:

Creator: Intelligence X (@_IntelligenceX)

Why We Like It: With, you enter a website domain or subdomain – and voila! It returns a list of related email addresses. This is certainly a useful OSINT tool to have in your back pocket, especially if you’re on an engagement that requires social engineering prowess. Intelligence X, the security company behind Phonebook, is also responsible for several other OSINT tools that are worth your time.

Tool #6: sublist3r

Creator: Ahmed Aboul-Ela

Why We Like It: Have you ever needed to find the subdomains of a target domain? If so, this is the tool for the job. sublist3r is a Python-based tool that quickly enumerates subdomains. This tool is designed for security engineers and developers to identify assets that are otherwise unknown. sublist3r leverages search engines such as Google, Yahoo, and Bing to find subdomains that have been mapped on other websites. This tool also has the option to brute-force subdomains via a wordlist, which comes in handy for finding otherwise hidden subdomains!

Tool #7: theHarvester

Creator: Christian Martorella

Why We Like It: There are few OSINT tools – or pen testing tools in general – as well regarded in the security community as theHarvester. And with good reason; when provided a domain or company name, this tool proceeds to gather email addresses, names, subdomains, IPs, and URLs. All the information it grabs can be found on an organization’s external footprint.

Tool #8: GitGot

Creator: Jake Miller (@TheBumbleSec)

Why We Like It: Former Bishop Fox Researcher Jake Miller created several popular tools in his tenure here (such as GadgetProbe and RMIScout), and GitGot was his contribution to the world of OSINT. GitGot is a semi-automated, feedback-driven tool designed to scour public GitHub data for sensitive secrets. This tool can significantly reduce time spent searching for promising leads while testing, bringing you the information you need to get the most impact.

Tool #9: Karma_v2

Creator: Dheerajmadhukar (@Dheerajmadhukar)

Why We Like It: Karma touts that it offers pen testers and other security researchers the ability to comb through “deep information, more assets, WAF/CDN bypassed IPs, internal/external infra[structure], publicly exposed leaks” for info about a particular target. Leaks it searches in include WordPress, CloudFront, Jenkins, and Kubernetes. One caveat about Karma_v2 is that it requires premium Shodan access to use (which is helpful to have anyway, if you can spend the money).

Other OSINT Resources to Explore

Aside from these aforementioned tools, there are many other resources available to help enhance your OSINT skills. If you’re just starting out, give the CIA guide “Sailing the Sea of OSINT in the Information Age” a read. Also, be sure to read “Defining Second Generation Open Source Intelligence (OSINT) for the Defense Enterprise” by the Rand Corporation.

Finally, it’s worth iterating that OSINT is a discipline. There are plenty of techniques for finding people, assets, and information on the internet. The OSINT community is expansive, and used among security researchers, IT personnel, and even law enforcement. In fact, as alluded to earlier, OSINT is often used to help find missing people – making it an extremely beneficial discipline to add to your repertoire.

Happy (information) hunting!

Like This List? Check Out Our Other Pen Testing Tools Lists:

Even More Resources

OSINT Tools & Software for Passive & Active Recon & Security!

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

Britt kemp

About the author, Britt Kemp

Community Manager

Britt Kemp is a Community Manager at Bishop Fox. Britt has been involved with the content, social media, and digital programs at the firm for the past several years. She has helped with some of the most popular Bishop Fox blog posts to date.

More by Britt

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.