Chapter 1 โ What is OSINT?
OSINT (Open-Source Intelligence) is the collection and analysis of information gathered from publicly available sources. In penetration testing, it forms the critical first phase โ the more you know about your target before scanning, the more focused and effective your attacks will be.
Good OSINT means your nmap scans are surgical, not noisy. You know what services to expect, which employees to target for phishing simulations, and which infrastructure is exposed before you send a single packet.
| OSINT Category | Examples | Key Tools |
|---|---|---|
| Network Intelligence | IP ranges, ASNs, DNS records | Shodan, Censys, DNSdumpster |
| Human Intelligence | Employees, org charts, emails | LinkedIn, Hunter.io, theHarvester |
| Web Intelligence | Tech stack, old pages, JS files | Wayback Machine, Wappalyzer, BuiltWith |
| Social Intelligence | Posts, photos, metadata | OSINT Framework, Maltego |
Chapter 2 โ The OSINT Framework
The OSINT Framework (osintframework.com) is the go-to reference for OSINT tools organized by category. Bookmark it. Before any engagement, work through the relevant branches: Username, Social Networks, Email Addresses, Domain Name, IP Address.
Chapter 3 โ Google Dorking
Google dorking uses advanced search operators to find information that should not be publicly accessible โ exposed files, login pages, misconfigured servers, and sensitive documents.
# Find login portals on a domain
site:target.com inurl:login
# Find exposed config files
site:target.com ext:conf OR ext:config OR ext:env
# Find open directories
intitle:"Index of" site:target.com
# Find specific file types
site:target.com filetype:pdf "confidential"
# Find subdomains
site:*.target.com -www
Chapter 4 โ Shodan & Censys
Shodan is a search engine for internet-connected devices. It continuously scans the entire internet and indexes banner information, certificates, and service data. Censys is similar with a focus on certificate transparency logs.
# Find all servers for an org
org:"Target Corporation"
# Find specific services
product:"Apache httpd" country:"US"
# Shodan CLI
shodan search --fields ip_str,port,org "apache country:US"
shodan host 192.168.1.1
Chapter 5 โ WHOIS & DNS Recon
DNS reconnaissance reveals infrastructure: subdomains, mail servers, name servers, and sometimes internal IP ranges leaking through misconfigured zone transfers.
# WHOIS lookup
whois target.com
# DNS enumeration
nslookup -type=MX target.com
dig +short target.com ANY
dig axfr target.com @ns1.target.com # zone transfer attempt
# Subfinder โ passive subdomain discovery
subfinder -d target.com -o subs.txt
# Amass โ comprehensive subdomain enum
amass enum -passive -d target.com
Chapter 6 โ Social Media OSINT
LinkedIn reveals org structure, job roles, and technologies in use. Twitter/X, GitHub, and forums reveal employee usernames, code snippets, and internal tooling. Job postings often list exact software versions ("AWS experience required", "Cisco ASA 5500 administration").
# theHarvester โ email + subdomain + person gathering
theHarvester -d target.com -b linkedin,twitter,google
# Recon-ng module
use recon/profiles-profiles/linkedin_crawl
Chapter 7 โ Email & Username Enumeration
# Hunter.io API (find emails by domain)
curl "https://api.hunter.io/v2/domain-search?domain=target.com&api_key=KEY"
# h8mail โ breach data correlation
h8mail -t target@company.com
# Verify email validity (SMTP probing)
smtp-user-enum -M VRFY -u user@target.com -t 192.168.1.10
Chapter 8 โ Maltego & Recon-ng
Maltego is a visual link analysis tool โ it transforms (queries) data sources and maps relationships between entities: domains, IPs, email addresses, people, organisations. Recon-ng is a modular CLI framework with 70+ modules covering every OSINT category.
# Recon-ng quick start
recon-ng
workspaces create target_corp
modules search recon/domains
modules load recon/domains-hosts/findsubdomains
options set SOURCE target.com
run
Chapter 9 โ Company & People Profiling
Build a target profile: identify key personnel (CEO, sysadmin, IT manager), map their emails using the email format discovered, check for password breaches using HaveIBeenPwned, and build a wordlist from their public social media for targeted password attacks.
# Build a custom wordlist from OSINT
cewl https://www.target.com -d 3 -m 6 -o target_wordlist.txt
# LinkedIn employee enumeration
linkedin2username -u youraccount -c "Target Corporation"
Chapter 10 โ Building Your Recon Report
Document everything before you touch a port. Your recon report should contain: IP ranges and ASNs, all discovered subdomains, email addresses and naming convention, key personnel and roles, technologies identified, and any exposed sensitive data found. This becomes your attack surface map for the engagement.