Open Source OSINT Tools - Page 3
Sort By:
OSINT Tools
View 5810 business solutions-
$300 in Free Credit Towards Top Cloud ServicesStart your project in minutes. After credits run out, 20+ products include free monthly usage. Only pay when you're ready to scale.
-
Gemini 3 and 200+ AI Models on One PlatformBuild generative AI apps with Vertex AI. Switch between models without switching platforms.
-
1
reconFTW
Automated framework for domain reconnaissance and vulnerability scans.
reconFTW is an open source automated reconnaissance framework created for security researchers, penetration testers, and bug bounty hunters. The tool streamlines the reconnaissance phase of security assessments by orchestrating numerous specialized tools to gather intelligence about a target domain. It performs multiple discovery and analysis tasks such as subdomain enumeration, OSINT collection, and vulnerability scanning in an automated workflow. The framework integrates many external security utilities and coordinates them to produce comprehensive reconnaissance results efficiently. Its modular design allows users to customize the process, enabling or disabling modules and adjusting settings according to their needs. reconFTW also provides configuration options for API keys, execution preferences, and tool paths through a dedicated configuration file. By automating complex recon tasks and combining outputs from many tools, it helps researchers quickly identify potential attacks. -
2
urlhunter
Search exposed URLs from shortener services using keyword filtering
urlhunter is an open source reconnaissance tool designed to help security researchers discover URLs that have been exposed through URL shortener services such as bit.ly and goo.gl. It works by analyzing large datasets generated from brute-forced short links that are publicly released by the URLTeam project. These datasets contain resolved long URLs that were originally hidden behind short links, which can sometimes reveal sensitive or previously unknown endpoints. urlhunter downloads these collections and allows users to search and analyze them using custom keywords or patterns. This capability makes it useful for identifying exposed resources such as documents, internal panels, or forgotten endpoints that may still be accessible online. urlhunter is written in Go and operates as a command-line utility, making it suitable for automation and integration into reconnaissance workflows. -
3
Situation Monitor
Real-time dashboard for monitoring global news and markets
Situation Monitor is an open-source real-time dashboard designed to aggregate and visualize global information streams related to news, financial markets, technology, and geopolitical developments. The project aims to provide a centralized situational awareness interface where users can observe multiple sources of high-signal information without constantly switching between separate applications or websites. Instead of functioning as a traditional news reader, the platform is designed more like an intelligence monitoring system that highlights important signals from diverse data feeds. The dashboard aggregates real-time updates about economic indicators, corporate developments, geopolitical events, and other macro-level signals that may influence markets or public discourse. Its architecture is implemented using modern frontend technologies, allowing data streams to update quickly while maintaining low resource consumption. -
4
paramspider
Mine parameterized URLs from web archives for security testing
ParamSpider is an open source command-line tool designed to discover URLs that contain parameters by mining historical data from web archives such as the Wayback Machine. It helps security researchers, penetration testers, and bug bounty hunters collect potential attack surfaces by automatically gathering archived URLs related to a specific domain. Instead of returning every discovered URL, the tool intelligently filters results to highlight parameterized endpoints that are more useful for vulnerability testing. These endpoints are commonly used during reconnaissance because parameters often expose inputs that may be vulnerable to issues like cross-site scripting, SQL injection, or server-side request forgery. ParamSpider automates the process of retrieving archived URLs, cleaning them, and preparing them for fuzzing or further probing. It can process a single domain or multiple domains from a list, making it useful for both targeted testing and large-scale reconnaissance. -
Custom VMs From 1 to 96 vCPUs With 99.95% UptimeLive migration and automatic failover keep workloads online through maintenance. One free e2-micro VM every month.
-
5
pwnedOrNot
Check breached emails and find exposed passwords from public dumps
pwnedOrNot is an open source OSINT tool designed to investigate whether an email address has been compromised in known data breaches and to identify exposed credentials associated with that account. The tool works by interacting with the HaveIBeenPwned (HIBP) API to determine if a given email address appears in breach databases. If the email is found in a breach, the tool proceeds to search for associated passwords within publicly available data dumps. This two-phase approach allows investigators, security professionals, and researchers to assess the exposure level of compromised accounts using publicly accessible breach information. The tool displays useful breach details such as the name of the breach, the affected domain, the breach date, and several status indicators related to the authenticity and status of the breach. pwnedOrNot can also analyze domains to determine whether they have been involved in breaches and can list all breached domains available through the HIBP database. -
6
AttackSurfaceMapper
Automated tool for mapping & expanding organization’s attack surface
AttackSurfaceMapper (ASM) is a reconnaissance and attack surface discovery tool designed to automate the process of mapping potential targets within an organization's infrastructure. It combines open source intelligence (OSINT) with selective active reconnaissance techniques to expand and analyze a target’s external attack surface. Users can supply domains, subdomains, or IP addresses as input, and applies multiple discovery methods to identify additional related assets such as new subdomains, associated IP ranges, and hosts within the same network ownership. It performs both brute-force and passive enumeration techniques to uncover infrastructure components that may not be immediately visible. After building an expanded list of targets, AttackSurfaceMapper collects intelligence such as screenshots of web applications, information about exposed services, and possible vulnerabilities identified through integrated services. It can also search for publicly exposed credentials. -
7
OnionSearch
Search multiple Tor .onion engines at once and collect hidden links.
OnionSearch is a Python-based command-line tool designed to collect and aggregate links from multiple search engines on the Tor network. The script works by scraping results from a variety of .onion search services, allowing users to perform a single query while gathering results from many sources at once. This approach helps researchers and investigators locate hidden services more efficiently without manually querying each individual search engine. It is primarily intended for educational use and open-source intelligence (OSINT) research involving the Tor network. OnionSearch supports multiple engines and can combine results into a single output, making it easier to analyze discovered onion links. It also offers flexible command-line options that allow users to limit results, choose which engines to query, and export collected data. By automating searches across several dark web search engines, OnionSearch simplifies the process of discovering information on hidden services. -
8
XRAY
XRay for recon, mapping and OSINT gathering from public networks
XRAY is a modular security toolset that helps developers and security professionals analyze, fuzz, and test web applications, protocols, and network services for vulnerabilities. It provides a framework for writing and executing inspection modules that can parse structured data (JSON, XML, HTML), traverse graphs of endpoints, and perform intelligent probing guided by discovered surface area. XRay is typically used as a reconnaissance and vulnerability discovery engine in red-team or app-security workflows: it leverages extensible plugins to adapt to different protocols, inject payloads, and detect common bug classes such as injection flaws, misconfigurations, and unsafe endpoints. The modular architecture means users can customize or extend the engine with new analyzers, fuzzers, or output formats tailored to specific testing environments. Rather than being a “one-size-fits-all” black box scanner, XRAY encourages interactive exploration and integrates with other tooling. -
9
Zynix-Fusion
zynix-Fusion is a framework for hacking
zynix-Fusion is a framework that aims to centralize, standardizeand simplify the use of various security tools for pentest professionals.zynix-Fusion (old name: Linux evil toolkit) has few simple commands, one of which is theinit function that allows you to define a target, and thus use all the toolswithout typing anything else. -
Enterprise-grade ITSM, for every businessFreshservice is an intuitive, AI-powered platform that helps IT, operations, and business teams deliver exceptional service without the usual complexity. Automate repetitive tasks, resolve issues faster, and provide seamless support across the organization. From managing incidents and assets to driving smarter decisions, Freshservice makes it easy to stay efficient and scale with confidence.
-
10
BlackWidow
Python web scanner for OSINT gathering and OWASP vulnerability fuzzing
BlackWidow is a Python-based web application scanning tool designed to crawl target websites and collect open-source intelligence (OSINT) while identifying potential security vulnerabilities. It functions as a web spider that systematically explores a site to gather valuable information such as URLs, dynamic parameters, subdomains, email addresses, and phone numbers associated with the target domain. By automatically extracting this data, BlackWidow helps security professionals and researchers build a clearer understanding of a website’s structure and publicly accessible information. In addition to information gathering, the project includes a built-in fuzzing component called Inject-X, which tests dynamic URLs for common vulnerabilities listed in the OWASP Top 10. The scanner analyzes parameters and injects payloads to detect issues such as SQL injection, cross-site scripting (XSS), and open redirect vulnerabilities. -
11
Buster
OSINT tool for discovering information linked to email addresses
Buster is an open source OSINT tool designed for email reconnaissance and information gathering. It helps investigators, security researchers, and penetration testers discover publicly available information related to email addresses and usernames. It can analyze an email address to identify associated social media accounts, references across the web, and potential data breaches linked to that email. It also performs reverse WHOIS lookups to discover domains that may have been registered using a specific email address. In addition to investigating existing addresses, Buster can generate possible email combinations and usernames based on personal details such as a person’s name, birthdate, or additional hints. Buster supports validating generated email addresses and retrieving contextual information about them. By combining multiple online sources and services, Buster helps automate the process of gathering intelligence related to digital identities. -
12
Findomain
Fast open source tool for discovering and monitoring domain subdomains
Findomain is an open source reconnaissance tool designed to discover and enumerate subdomains associated with a target domain. It focuses on speed and reliability by using Certificate Transparency logs and multiple well tested public APIs instead of relying solely on brute force scanning techniques. By querying multiple passive data sources in parallel, the tool can identify a large number of subdomains within a short time, making it useful for security researchers, penetration testers, and bug bounty hunters. Findomain aggregates information from various online services to provide a comprehensive list of discovered subdomains without directly attacking the target infrastructure. The tool also supports monitoring capabilities that allow users to track newly discovered subdomains and send alerts through integrations such as messaging platforms. Written in Rust, Findomain benefits from strong performance, safe concurrency, and cross platform compatibility. -
13
GooFuzz
OSINT fuzzing tool using Google dorks to find exposed resources
GooFuzz is an open source security tool designed to perform fuzzing using an OSINT-based approach by leveraging advanced Google search techniques. It is written in Bash and automates the use of Google Dorking queries to discover publicly accessible information related to a target domain. Instead of directly sending requests to the target server, GooFuzz gathers results through search engine indexing, allowing enumeration without leaving traces in the target’s server logs. This method enables the discovery of potentially sensitive files, directories, subdomains, and parameters that are already exposed on the web. By combining wordlists, search operators, and file extension filters, the tool helps security professionals locate misconfigured or unintentionally exposed resources. GooFuzz is commonly used in penetration testing, reconnaissance, and bug bounty research where passive information gathering is important. -
14
ISeeYou
Location tracking tool for social engineering and phishing tests
I-See-You is an open source Bash and JavaScript tool designed to capture the geographic location of a target during social engineering or phishing engagements. It works by generating a link that can be sent to a target as part of a phishing scenario, where the webpage requests permission to access the user’s location. When the user allows location access, I-See-You records the latitude and longitude coordinates and displays them in the terminal logs for the operator. These coordinates can then be used to determine the user’s approximate physical location using mapping services. It is intended for reconnaissance during security testing, allowing penetration testers or red team operators to gather contextual information about potential targets. It operates by exposing a locally hosted server to the internet so the target can access the generated page and trigger the location request. I-See-You is intended strictly for educational purposes and authorized testing environments. -
15
Phishing Catcher
Real-time phishing domain detection via Certificate Transparency logs
phishing_catcher is a security monitoring tool designed to detect potential phishing domains in near real time by analyzing TLS certificate issuance events. It listens to Certificate Transparency (CT) logs through the CertStream API and evaluates newly issued certificates as they appear. Each certificate often contains one or more domain names, which the tool analyzes to determine whether they resemble suspicious or phishing-related domains. phishing_catcher applies a configurable scoring mechanism that assigns numeric values to certain keywords, patterns, or top-level domains found within certificate domain names. When a domain’s score exceeds predefined thresholds, it is flagged as potentially malicious and reported accordingly. It operates continuously, processing certificate updates as they arrive and displaying or logging domains that appear suspicious. This approach allows analysts, researchers, and security teams to identify phishing infrastructure early. -
16
Scope Sentry
Cyberspace asset mapping and vulnerability scanning platform
ScopeSentry is an open source cybersecurity tool designed for cyberspace asset mapping and automated security analysis. It helps security researchers and penetration testers discover, monitor, and analyze internet-facing assets belonging to a target scope. ScopeSentry combines multiple reconnaissance and vulnerability assessment capabilities such as subdomain enumeration, port scanning, directory scanning, and sensitive information detection. ScopeSentry can automatically identify assets and services, extract URLs, and crawl websites to collect useful security data for further analysis. It also includes vulnerability scanning and subdomain takeover detection to help identify common security weaknesses across web infrastructure. It supports distributed scanning with multiple nodes, allowing large scanning tasks to be performed efficiently across different systems. -
17
SiteDorks
Automate search engine dorking across hundreds of websites
SiteDorks is a command line tool designed to automate advanced search queries across multiple search engines and websites. It allows users to perform search engine “dork” queries against a large set of predefined domains, making it easier to discover publicly available information across different platforms. SiteDorks supports several major search engines including Google, Bing, Brave, Ecosia, DuckDuckGo, Yahoo, and Yandex. Instead of manually running the same query for many sites, SiteDorks generates and executes the queries automatically using lists of “dorkable” websites. A built-in dataset contains hundreds of websites grouped into categories such as cloud services, developer platforms, documentation sites, social platforms, and communication tools. Users can also supply custom domain lists or CSV files to tailor searches for tasks like penetration testing, bug bounty research, or OSINT investigations. -
18
Username Anarchy
Username generator for penetration testing and user enumeration
Username Anarchy is an open source command line tool designed to generate possible usernames for use in penetration testing and security assessments. It focuses on solving one of the common challenges in authentication attacks: identifying valid usernames before attempting password attacks. It generates large sets of potential usernames based on a person’s name and common naming conventions used in corporate or online systems. These generated username lists can then be used for activities such as username enumeration, password spraying, or brute force testing during security audits. Username Anarchy supports numerous formatting styles, allowing security testers to replicate patterns commonly used in enterprise environments such as first.last, flast, or firstinitiallastname. Username Anarchy can also utilize name sources gathered from OSINT techniques such as social networks or other public data to produce realistic username lists. -
19
Domain Digger
Domain analysis toolkit for DNS, IP, and WHOIS lookups
Domain Digger is an open source toolkit designed to help users analyze and explore domain-related information in a structured and visual way. It provides a centralized interface for investigating various technical details associated with a domain, including DNS records, IP information, and WHOIS data. By combining several domain intelligence features into a single platform, it simplifies the process of gathering and understanding domain infrastructure details. Domain Digger presents domain information through organized views and visual components, making it easier to interpret relationships between domains, DNS records, and network addresses. This can be useful for developers, security researchers, system administrators, and anyone working with domain infrastructure. Domain Digger aims to streamline domain analysis workflows by offering quick lookups and consolidated data sources in one environment. -
20
GitGot
Semi-automated tool for discovering exposed secrets in GitHub data
GitGot is an open source security tool designed to help users quickly search large amounts of public data on GitHub to identify potentially exposed secrets. It operates as a semi-automated, feedback-driven system that combines automated search capabilities with human guidance to refine results during investigation. GitGot leverages the GitHub Search API to perform queries across repositories, files, and gists, allowing security researchers and penetration testers to discover sensitive information that may have been unintentionally exposed in public code. During a search session, users review results and provide feedback that allows GitGot to filter out irrelevant or repetitive findings. This feedback is used to build blacklists that eliminate results based on repository names, file names, user names, or fuzzy matches of file content. The approach helps reduce noise while guiding the search process toward more relevant results. -
21
Gitrob
Scans GitHub repositories for potentially sensitive files
Gitrob is an open source reconnaissance tool designed to identify potentially sensitive files that have been committed to public GitHub repositories. It helps security professionals, researchers, and organizations detect accidental data exposure by scanning repositories associated with specific GitHub users or organizations. The tool works by cloning repositories and analyzing their commit history to search for files that match predefined signatures of sensitive data. These signatures are used to flag items such as credentials, private keys, configuration files, and other materials that may expose confidential information. By automatically inspecting repository histories, Gitrob simplifies the process of identifying security risks that might otherwise remain unnoticed in publicly accessible codebases. The results of the scan are presented through a built-in web interface that allows users to browse findings, review flagged files, and analyze potential leaks more efficiently. -
22
IPRanges
Daily updated lists of cloud, bot, and service IP ranges
ipranges is an open source repository that provides continuously updated lists of IP address ranges associated with major cloud providers, search engine crawlers, and online services. ipranges collects IP ranges from publicly available sources and organizes them into structured files that can be easily used in security, networking, and automation workflows. It includes address ranges from providers such as Google Cloud, Amazon AWS, Microsoft, Oracle Cloud, and DigitalOcean, as well as well known service platforms like GitHub, Facebook, Twitter, and Telegram. It also tracks IP ranges used by search engine bots and automated agents including Googlebot, Bingbot, and OpenAI’s GPTBot. Lists are published in both IPv4 and IPv6 formats and are regularly updated through automated processes to keep the data current. In addition to provider specific lists, the project also offers merged and combined datasets that aggregate ranges from multiple sources into a single file. -
23
Inventory
Asset inventory dataset for public bug bounty program targets
Trickest Inventory is an open source dataset and workflow collection designed to provide an extensive asset inventory for public bug bounty programs. The repository tracks and organizes security-relevant assets for more than 800 companies participating in public vulnerability disclosure and bug bounty initiatives. It collects information such as DNS records and web server data, helping security researchers better understand the attack surface of these programs. It aims to streamline reconnaissance for bug bounty hunters by providing ready-to-use asset information so researchers can quickly begin testing new targets. It also helps security teams gain clearer visibility into their exposed infrastructure and publicly reachable systems. Much of the data in the repository is generated automatically through workflows that gather, transform, and consolidate bug bounty program data from multiple sources. -
24
OWASP Maryam
Modular OSINT framework for automated open-source intelligence gatheri
Maryam is an open source intelligence (OSINT) framework designed to automate the process of gathering and analyzing publicly available information from the internet. It provides a modular environment that enables users to collect data from search engines, open data sources, and various online services for reconnaissance and investigative purposes. Written in Python, Maryam is built to provide a flexible and extensible framework for harvesting information quickly and efficiently from open sources. Maryam helps security researchers and analysts streamline routine data-gathering tasks that typically involve searching multiple sources such as Google, Bing, or other online platforms. Maryam organizes its functionality into several modules that focus on different aspects of intelligence gathering, including footprint analysis, OSINT data extraction, and general search operations. -
25
SocialPwned
OSINT tool to collect emails from social networks and find leaks
SocialPwned is an OSINT tool designed to gather publicly exposed email addresses from social networks and analyze them for potential credential leaks. It helps security researchers and penetration testers identify vulnerable targets during the footprinting phase of ethical hacking engagements. It collects email addresses associated with individuals or organizations from platforms such as Instagram, LinkedIn, and Twitter. Once emails are discovered, SocialPwned searches for leaked credentials using breach databases like PwnDB and Dehashed to determine whether those accounts have appeared in data leaks. SocialPwned also integrates with GHunt to retrieve additional public information related to Google accounts linked to the discovered emails. By combining social media intelligence with breach data analysis, SocialPwned helps investigators identify reused passwords and patterns that may indicate potential security weaknesses.
