This workbook is restricted to enrolled students. Enter the access code provided by your instructor to continue.
A hands-on learning path from beginner to advanced — self-paced, free tools only
Passive recon (OSINT) — gathering info without touching the target system. No logs left. Examples: Googling a domain, checking WHOIS records.
Active recon — directly interacting with the target (port scanning, sending packets). Leaves traces and may be illegal without permission.
Visit osintframework.com — it is a visual tree of free OSINT tools organized by category (usernames, email, IP, social media, etc.). Each leaf node links directly to a working tool. Bookmark this as your primary reference directory.
Visit inteltechniques.com/tools — custom search forms that query multiple sources simultaneously. Also check his book Open Source Intelligence Techniques and his free podcast.
A free, community-maintained Google Sheet used by investigative journalists worldwide. Organised by category — geolocation, satellite imagery, social media, archiving, and verification. Less of a click-through tree than OSINT Framework; more of a working reference list you keep open in a tab.
| Tool | Purpose | URL | Cost |
|---|---|---|---|
| Namechk | Username availability across 100+ platforms | namechk.com | Free |
| Sherlock | CLI username hunt across social networks | GitHub | Free |
| HaveIBeenPwned | Check email in known data breaches | haveibeenpwned.com | Free |
| Google Images | Reverse image search | images.google.com | Free |
| TinEye | Reverse image search with history | tineye.com | Freemium |
| IntelTechniques Email | Multi-source email lookup | inteltechniques.com | Free |
| OSINT Industries | Real-time email/phone/username → linked account lookup | osint.industries | Freemium |
| Intelligence X | Searches leaks, dark web archives & historical records | intelx.io | Freemium |
scanme.nmap.org (maintained by Nmap for testing) or use your own domains.| Tool | Purpose | URL | Cost |
|---|---|---|---|
| Shodan | Search engine for internet-connected devices | shodan.io | Freemium |
| WHOIS | Domain registration info | domaintools.com | Free |
| DNSDumpster | DNS records and subdomain enumeration | dnsdumpster.com | Free |
| Censys | Internet-wide scan data, certificates | censys.io | Freemium |
| VirusTotal | Scan URLs/IPs/files for malware | virustotal.com | Free |
| Wayback Machine | View old versions of websites | web.archive.org | Free |
example.com for WHOIS practice — it is a public domain maintained by IANA specifically for documentation purposes.| Operator | Function | Example |
|---|---|---|
site: | Search only within a domain | site:example.com login |
filetype: | Find specific file types | filetype:pdf "confidential" |
intitle: | Words in page title | intitle:"index of" passwords |
inurl: | Words in URL | inurl:admin panel |
cache: | Google's cached version | cache:example.com |
"exact phrase" | Search exact string | "error: password incorrect" |
site:youruniversity.edu filetype:pdf| Tool | Purpose | URL | Cost |
|---|---|---|---|
| theHarvester | CLI — automates email, subdomain, employee discovery | GitHub | Free |
| Maltego CE | Visual link analysis across people, domains, IPs | maltego.com | Freemium |
| SpiderFoot | Automated OSINT collection from 100+ sources | GitHub | Free |
| Recon-ng | Modular CLI recon framework | GitHub | Free |
| DataSploit | Aggregates OSINT on companies, people, phones, crypto | GitHub | Free |
| OSRFramework | Combines OSINT sources — web, API & CLI output | GitHub | Free |
| GasMask | Search-engine-based target info gathering | GitHub | Free |
http://127.0.0.1:5001 in your browser.
show hosts. Try loading one more module from the marketplace (e.g. a contacts or companies module) and chain it onto the same workspace.mailfy module on a domain to enumerate likely email address formats. Note: this only checks plausible addresses, it does not confirm they're active.| Room | Focus | Difficulty | Link |
|---|---|---|---|
| OhSINT | Classic intro OSINT room — find info hidden in a photo | 🟢 Easy | Link → |
| Searchlight — OSINT | Social media, username, image OSINT | 🟢 Easy | Link → |
| Google Dorking | Practical Google dork challenges | 🟢 Easy | Link → |
| OSINT Fundamentals | Framework, tools, methodology | 🟡 Medium | Link → |
| WebOSINT | Domain, hosting, historical data | 🟡 Medium | Link → |
| Sakura Room | Full investigation — username, email, crypto, geolocation | 🟡 Medium | Link → |
| Category | Tool | What It Does | URL | Cost |
|---|---|---|---|---|
| Directories & Frameworks | ||||
| Directory | OSINT Framework | Visual tree of 500+ free OSINT tools by category | osintframework.com | Free |
| Directory | IntelTechniques | Aggregated search forms by Michael Bazzell (ex-FBI) | inteltechniques.com | Free |
| Directory | Bellingcat Toolkit ⭐ NEW | 500+ tools for journalism, geolocation & verification — Google Sheet | Google Sheet | Free |
| Username & Identity | ||||
| Username | Sherlock | CLI tool — hunts username across 300+ social networks | GitHub | Free |
| Username | Namechk | Username availability across 100+ platforms | namechk.com | Free |
| Username | WhatsMyName | Username search with verification links — more detailed than Namechk | whatsmyname.app | Free |
| Email & Breach Data | ||||
| HaveIBeenPwned | Check email address against known data breaches | haveibeenpwned.com | Free | |
| Hunter.io | Find email addresses tied to a domain | hunter.io | Freemium | |
| Email / Identity | OSINT Industries ⭐ NEW | Real-time lookup — maps email/phone/username to connected accounts across Instagram, Telegram, CashApp & more | osint.industries | Freemium |
| Domain, DNS & Network | ||||
| Domain | WHOIS Lookup | Domain registration info — registrar, owner, dates | domaintools.com | Free |
| Domain | DNSDumpster | DNS records, subdomains, and visual domain mapping | dnsdumpster.com | Free |
| Domain | Sublist3r | CLI subdomain enumeration tool using multiple sources | GitHub | Free |
| IP / Devices | Shodan | Search engine for internet-connected devices — ports, services, CVEs | shodan.io | Freemium |
| IP / Devices | Censys | Internet-wide scan data, TLS certificates, attack surface mapping | censys.io | Freemium |
| Search Engines & Archives | ||||
| Web History | Wayback Machine | Historical snapshots of any website going back decades | web.archive.org | Free |
| Deep Search | Intelligence X ⭐ NEW | Searches leaked databases, dark web archives, and historical records using email/domain/IP/crypto identifiers | intelx.io | Freemium |
| Vulnerability DB | Google Hacking DB | Public repository of Google dorks for security research | exploit-db.com | Free |
| Images, Metadata & Geolocation | ||||
| Images | TinEye | Reverse image search — finds older instances than Google | tineye.com | Freemium |
| Images | ExifTool | Extract GPS, camera, and timestamp metadata from any file | exiftool.org | Free |
| Geolocation | GeoGuessr | Game that builds visual geolocation skills (Street View) | geoguessr.com | Freemium |
| Geolocation | GeoSpy AI | AI-powered image geolocation — upload photo to get location estimate | geospy.ai | Freemium |
| OSINT Suites (Free / Open Source) | ||||
| OSINT Suite | Maltego CE | Visual link analysis — maps relationships between people, domains, IPs | maltego.com | Freemium |
| OSINT Suite | SpiderFoot ⭐ NEW | Automated OSINT collection — scans IPs, domains, emails, usernames from 100+ sources | GitHub | Free |
| OSINT Suite | Recon-ng ⭐ NEW | Modular CLI recon framework — like Metasploit but for OSINT | GitHub | Free |
| OSINT Suite | DataSploit ⭐ NEW | Aggregates OSINT on companies, people, phone numbers, and crypto — outputs multiple formats | GitHub | Free |
| OSINT Suite | OSRFramework ⭐ NEW | Combines multiple OSINT sources — web interface, API, and CLI output | GitHub | Free |
| OSINT Suite | GasMask ⭐ NEW | Gathers target info from Google, Bing, Yandex, GitHub, YouTube, and Twitter | GitHub | Free |
| URL, File & Threat Analysis | ||||
| Threat | VirusTotal | Scan URLs, IPs, domains, and files against 70+ antivirus engines | virustotal.com | Free |
| Automation | theHarvester | CLI — automates email, subdomain, and employee discovery | GitHub | Free |
These platforms are enterprise-grade or require paid subscriptions. Not needed as a student, but worth knowing for career progression — especially if you move into threat intelligence, law enforcement, or corporate security roles.
Professional OSINT platform with 600+ data sources. Used by law enforcement and intelligence agencies. Offers social media tracking, link analysis, and threat actor monitoring at scale.
Enterprise threat intelligence platform (acquired by Mastercard in 2024). Monitors dark web, technical forums, and threat actor activity. Uses AI/ML for predictive risk scoring. Integrates with SIEMs and SOAR.
All-in-one OSINT platform integrating social media, public records, and dark web sources. User-friendly GUI. Positions itself as a faster, more visual alternative to manual investigation workflows.
The paid tiers of Maltego unlock full transform limits, commercial data integrations, team collaboration, and API access. The free Community Edition is sufficient for learning, but Pro is the industry standard for professional investigators.
Search engine for breach data — billions of records covering email, usernames, IPs, physical addresses, phone numbers. More comprehensive than HaveIBeenPwned but requires a paid subscription for full access.
Launched 2024. Combines social media, geospatial, cyber, and financial (cryptocurrency) OSINT in one platform. ISO 27001:2022 certified — trusted by governments and law enforcement for cross-discipline investigations.
AI-powered social media monitoring platform scanning 150M+ websites and 30+ social networks in 187 languages. Used by brands and government agencies for threat monitoring, sentiment analysis, and crisis prediction up to 90 days ahead.
Shodan's paid tiers unlock full search results (free is limited to 2 pages), continuous monitoring alerts, full historical data, and API access for automation. Essential for serious network intelligence work.
Beginner-friendly. Covers OSINT basics, security operations, Python scripting. Available on Coursera (~6 months). Good first cert.
Industry gold standard for entry level. Covers threats, OSINT concepts, network security. Recognized globally by employers.
Practical penetration testing. Includes recon phase. More affordable than OSCP. Good stepping stone.
The premium offensive security cert. 24-hour practical exam. Recognized by top security employers. Requires strong recon skills.
Covers OSINT, footprinting, and full hacking methodology. More theoretical but widely recognized in enterprises.
Free online guides from the world's top open-source investigators. Focuses on journalism and conflict investigation OSINT.