Open Source Intelligence Tools – or OSINT tools – are not as intimidating as they sound. You see, we live in an age where the value of information, which is a commodity in its own rights, has continued to increase over time. Everyone, it seems, needs to have it.
And yet, surprisingly, the amount of information – about almost anything under the sun – that is available, to anyone who can be bothered to look, has also grown immensely. This is where the best OSINT tools we will soon see come into play as we learn to dig deep to uncover all this data.
Here’s our list of the best OSINT tools:
- Maltego EDITOR’S CHOICE This is a powerful open-source intelligence (OSINT) and link analysis tool, enabling users to map out complex relationships between people, organizations, websites, and more. It excels in visualizing data, conducting investigations, and gathering intelligence for cybersecurity, fraud detection, and digital forensics. Available for Windows, macOS, and Linux.
- OSINT Framework A website directory of data discovery and gathering tools for almost any kind of source or platform. This is a free index to a wide range of free and paid online systems that range from dating platforms to data analysis tools.
- Babel X This international search system uses AI to cross language barriers for any search term. This is a cloud-based service.
- Google Dorks OSINT data gathering method using clever Google search queries with advanced arguments.
- Shodan A search engine for online devices and a way to get insights into any weaknesses they may have.
- Metasploit An advanced open-source framework used for penetration testing and security auditing, offering tools to discover and exploit vulnerabilities in systems.
- Recon-ng An open-source web reconnaissance tool developed in Python and continues to grow as developers contribute to its capabilities.
- Aircrack-ng A wifi network security testing and cracking tool that can be used both defensively and offensively to find compromised networks.
What is OSINT?
OSINT – short for Open Source Intelligence – is the art of searching for, collecting, and summarizing information that is freely, and publicly, available on the Internet for the purpose of using it as a source of intelligence.
This public information can be about an individual, a business or corporate entity, a network, a nation, or any other source of relevant data. And, as the “open source” part of OSINT indicates, there is no need to employ sneaky or illegal tactics to obtain it.
After all, why would anyone want to resort to illegal activities when the data they need is freely available from Internet sources like websites, blog posts, social media platforms, search engine result pages (SERPs), and other public-facing digital assets, just to name a few?
Why would we need OSINT for business?
The scope of this article will be limited to a business and its network. The person doing the research is assumed to be an administrator trying to protect the network.
And so, as an administrator of a business network, the main reasons for using OSINT would be:
- Penetration testing: a great use for OSINT would be to gather all the information that is available out there and see if any of it can lead to an indication that your network has been compromised.
- Breach detection: if there is data out on the Internet that you didn’t share it could mean you have been hacked and have had data stolen. Monitoring the Internet using OSINT could give you an early start in damage control and even catch the people behind the data theft. Alternatively, it could simply be that a public-facing (or peripheral) device hasn’t been secured well enough and could be leaking data. Either way, an OSINT tool will give you a heads-up.
- Ethical hacking: turn the table and gather information on a source-target; find out everything you can about competitors and use it to gain an insight into their way of doing things. Remember, as long as you abide by the OSINT ethical hacking rules, you will be on the right side of the law. Never cross that line – no matter how strong the temptation is.
- Chatter monitoring: use OSINT to listen to what is being said about you and yours. Perhaps you have a reputation to maintain, a brand to protect, or a network to secure. Monitor traffic and packets to see what is being directed your way; use the tools to find out all you can before an attack happens.
Finally; remember it isn’t just businesses that use OSINT. Governments and their agencies also use it to gather data on undeclared assets that belong to persons or organizations of interest, for example. With the right tools, a business can find out if there are any such probes aimed their way by simply looking at the searches, queries, and any network penetration attempts that are being made.
What types of OSINT do we have?
OSINT tools can be divided into three main categories:
- Discovery tools: are used to search for the information that is out there. A great example would be Google. Although it may seem like it is a simple search engine, there is really nothing simple about the information it can discover when an OSINT expert has a go at it, as we will soon see.
- Scraping tools: once discovered, the data must be “scraped” and collected somewhere safe. These tools make sure only the required data is filtered for extraction to avoid bulky transfers (which could alert the source) and also avoid unnecessary data that could muck up the information that is to be extracted from it.
- Aggregation tools: once the data has been stored safely, it needs to be mined and sifted through to convert it into usable These tools are used to combine related data bits into a larger picture and present it in a way that will show relations and connections between datasets and bring it all together in a consumable format.
Of course, there are tools that have all three functionalities included in one package.
OSINT gathering tactics
There are three methods of OSINT intelligence gathering:
- Passive: this is the “normal” way of digging for information; usually done by scouring the web with applications like Google search, Bing Maps, and Yandex images. This method is hard to detect as no probing is involved and only archived information is collected.
- Semi-Passive: here too, scouring the Internet is involved, to find the data; but software solutions are also involved to non-intrusively gather information about a network, for example, and send the data off to collection servers. No brute force attacks or in-depth querying is involved.
- Active: in this scenario, the information is collected by directly extracting it from the target; although no malicious software is involved in breaching their security. Remember, although it is publicly available, just sitting unprotected on their servers and networks, it could still be perceived as hacking. This type of probing can be detected because it involves scanning of networks to find open ports, for example. Once the data has been discovered, the next step involves getting it into storage servers for further analysis.
This brings us to the point where we have to warn you about using OSINT tools without hiding your identity. Always assume that your target will find out about the intelligence probe and might even try to go after you – legally or otherwise. Learn how to hide your identity by using VPNs, fake accounts, and TOR, and other anonymity tactics.
What kind of information can you gather with OSINT?
To be honest, you could probably extract any information that is in digital format. There is no such thing as a secure online presence. Once a device is exposed to the Internet, someone, somewhere, could probably find a way to it.
The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards – and even then I have my doubts. – Gene Spafford
Search engines like Google can give you insights into data that is not only shared on the web but also, with the help of advanced arguments, allow you to delve deeper to find files and information that hasn’t been shared intentionally.
Then again, using tools like Google Earth, you can see some of the remotest parts of the planet and even accidentally uncover state secrets. On the other hand, you can also catch live events with the help of unsecured security cameras, unprotected CCTVs, and even a Google mapping car.
To put it all in perspective: all that is needed to start finding information on a person is a single phone number. Once we have that, it is easy for anyone to build an OSINT tool – from scratch – that can extract information like name, location, and social media account details which can then be used to dig further for even more personal or financial information.
The Best OSINT tools
Before we begin, we need to remind you: the information provided in this post is for informational purposes only; you – and only you – will be held responsible for any misuse of said information.
Our methodology for selecting an open-source intelligence system
We reviewed the market for OSINT tools and analyzed the options based on the following criteria:
- Search strategies with recommended data sources
- A data sorting and analysis function
- The ability to consolidate data from many sources
- A method to map and connect different data types
- A graphical data interpretation system or interoperability with a third-party visualization tool
- A free tool or a paid system with a free trial for a no-obligation assessment opportunity
- A paid tool that offers value for money or a free tool that is worth the time to learn
Using this set of criteria, we looked for OSINT tools that can collect, collate, visualize, and store pertinent research.
Feature Comparison Table:
Product/Features | OSINT Framework | Babel X | Google Dorks | Shodan | Maltego | Metasploit | Recon-ng | Aircrack-ng |
---|---|---|---|---|---|---|---|---|
Network mapping | No | Yes | No | Yes | Yes | Yes | Yes | No |
Vulnerability detection | No | Yes | Yes | Yes | No | Yes | No | Yes |
Data harvesting | Yes | Yes | Yes | Yes | Yes | No | Yes | No |
Social Media Intelligence (SOCMINT) | Yes | Yes | No | No | Yes | No | Yes | No |
API availability | No | Yes | No | Yes | Yes | Yes | No | No |
Data visualization | No | Yes | No | Yes | Yes | No | No | No |
Customizable scripts | No | No | No | No | Yes | Yes | Yes | Yes |
Platform compatibility | Web-based | Web-based | Web-based | Web-based | Windows, Linux, macOS | Windows, Linux, macOS | Linux | Windows, Linux, macOS |
User interface (CLI/GUI) | Web UI | Web UI | Web UI | Web UI | GUI | CLI | CLI | CLI/GUI |
Free version available | Yes | No | Yes | Yes (Limited features) | Yes (Community version) | Yes | Yes | Yes |
1. Maltego
This OSINT tool is helpful in finding information on individuals as well as organizations. It can run on Linux, Windows, and macOS.
Key Features:
- Relationships Visualization: Maltego identifies and visualizes relationships between various data points, facilitating network analysis.
- Visual Data Map: It generates a visual data map, depicting connections and relationships between different entities.
- Multi OS Support: Maltego is compatible with multiple operating systems, including Windows, Linux, and macOS, ensuring accessibility across different platforms.
- Data Gathering Automation: Pre-built algorithms that gather data from external sources and automate information collection.
- Data Integration: Integrates with a wide range of external data sources, including DNS records, social media, and WHOIS databases.
Why do we recommend it?
Maltego is a truly unique tool but you would need to take a course in how to use it in order to even know how to start with an investigation. Those who have mastered the use of the tool get stunning results by tracking the links between identities to reveal the presence of an individual in different arenas and then track other people related to that person and identify their activities.
Although you need to register with Maltego Community to start digging for information, which is a mighty tool as it is, you can also buy the premium version for even more advanced features.
Once signed in, you get a “Graph” window where you do your research. The query results are displayed in the form of a bubble graph that shows the relations of each “transform” results – as Maltego query scripts are known.
To start the information-gathering process, you first enter the main entity you are researching – an individual, organization, phone number, etc. – and run the available transforms to see the results. For example, it can be used to map networks to see how the servers on it are linked and if, perhaps, they have been compromised. The resulting information can be filtered or further “transformed” for even more in-depth data analysis.
Who is it recommended for?
Maltego is a useful tool for private investigators and journalists. It can also be used by hackers to profile individuals and track their activities. Bellingcat uses Maltego extensively, for example, to reveal the identities of the Russian secret service agents behind the poisoning of Alexei Navalny.
Pros:
- Great for Mapping Complex Networks and Relationships: Maltego offers a highly visual interface, making it ideal for mapping complex networks and relationships.
- User-Friendly Interface: The interface of Maltego is detailed, providing in-depth information, yet it remains easy to learn and use for users of varying technical expertise.
- API Data Source: Maltego users can add new data sources via API, enhancing its flexibility and utility.
- Collaborative Features: Allow teams to share investigative results, workflows, and analyses.
- Real-time Data Access: Supports real-time data queries for manual investigations.
Cons:
- Cost-Prohibitive for SMBs: The paid versions of Maltego can be expensive, which may deter smaller organizations with limited budgets from accessing its full range of features and capabilities.
Although this tool is very easy to use, as you simply start from one piece of information and start to progressively build on it, it is also very powerful and never disappoints in its result delivery.
EDITOR'S CHOICE
Maltego is our top pick for an OSINT tool because this innovative system uses link analysis and personal or corporate associations to spot collaborations and clandestine activities. The tool is designed for cybersecurity professionals, investigators, and researchers. It enables users to gather, analyze, and visualize information from a wide variety of sources, such as social media, DNS records, domain names, and public databases. Maltego has a unique ability to map and visualize complex relationships between entities, such as people, organizations, websites, and other networked assets. This makes it an invaluable tool for digital forensics, threat intelligence, and fraud detection. The technology operates by leveraging pre-built algorithms that automate the process of extracting data from different sources. These transforms can be customized or extended to integrate with external APIs and data sets, allowing for deep, context-rich intelligence gathering. Maltego presents findings in an intuitive graphical format, making it easy to spot connections, patterns, and potential threats across large volumes of data. Maltego is particularly well-suited for investigations related to cybercrime, malware analysis, social engineering, and penetration testing. Its flexible, scalable platform offers both free and paid versions, suitable for individuals and enterprises alike.
OS: Windows, Linux, and macOS
2. OSINT Framework
Tested on: The Web
This is perhaps one of the most popular OSINT tools out there. The thing is that OSINT Framework is more of a website with a directory of tools rather than just one single tool. And, it is perhaps this ability to find all the tools you may need to dig up all the information on a target, in one place, that makes it the go-to option for information gathering.
Key Features:
- Online Tool: OSINT Framework is an online platform, accessible via web browsers, facilitating easy access for users.
- Directory of Information Sources: It provides a directory of various information sources, aiding users in conducting open-source intelligence (OSINT) research.
- Search Facilities: OSINT Framework offers search facilities, enabling users to quickly find relevant tools and resources.
- Data Collation: Users can collate data from various sources using the tools and resources available within the framework.
Why do we recommend it?
OSINT Framework is a directory of data sources and links through to handy tools for data discovery and sorting. This is a great resource but there are a lot of tools linked to in this list. You need to establish a search strategy that focuses on a particular type of data, such as vehicle registration or email addresses.
Another reason this is a popular collection is that many of the best OSINT tools are written or created for a Linux environment. This directory, meanwhile, has many tools that can be run from a browser and, even when the installation is needed, there are options for most major operating systems.
The collection of OSINT tools can help dig up information using anything from a simple telephone number, IP address, or email addresses. There are even options for venturing into the Dark Web or the ability to analyze malicious files. So, proceed with caution.
There are tutorials and games included to get beginners started with the digging-for-information game. Need a VM for a research campaign? You can find a list of software solutions under “Virtual Machines”.
Who is it recommended for?
OSINT Framework is a good starting point for anyone who has never performed a search of public data before because it has a training section. The guides explain methods to implement when conducting research. You can then use that knowledge to scan through a large number of tools and data sources in the list to perform a targeted research project.
Pros:
- Widely Recognized: OSINT Framework is widely recognized as a leading platform in the OSINT community, offering valuable resources and tools.
- New Tools Discovery: It serves as an excellent resource for discovering new tools and techniques for collecting open-source intelligence.
- Tools Sorting by Category: Users can sort tools by category, facilitating easy navigation and discovery of relevant tools.
- Completely Free: OSINT Framework is entirely free to use, eliminating any barriers to access for users.
Cons:
- Overwhelming for New Users: The vast array of tools and resources available within OSINT Framework can be overwhelming for new users who are not familiar with open-source intelligence techniques and methodologies.
Almost all of the tools that are linked to an OSINT Framework are free while the few remaining ones might ask for a small subscription fee.
3. Babel X
There are a number of social media scanning OSINT tools available now but probably the most successful of these is a system that most of its userbase doesn’t want to admit to having and that’s Babel X. For example, the FBI uses Babel X extensively but doesn’t shout about it.
Key Features:
- Social Media Search: Babel X enables users to conduct searches across various social media platforms, allowing for comprehensive social media monitoring.
- Thousands of Public Data Sources: It provides access to thousands of public data sources, allowing users to gather information from diverse sources.
- Multi-National Searches: Babel X supports multi-national searches, enabling users to gather information from different countries and regions.
Why do we recommend it?
Thanks to the internet, threats are now global, even when targeted at small businesses. There are several applications of this search system that crosses into 200 different languages in its data gathering. The Babel X system can be used to track the movements of terrorists or even armies – the system is currently tracking the movements of Russia’s army in the Ukraine. Right down to the small business level, data breaches put email addresses and other business personnel identifiers in the hands of miscreants who could be anywhere in the world. Tracking those hackers can help prevent an attack.
The Babel X system uses AI to link together events and postings on the internet and also skillfully translates statements between languages where words don’t always have a one-to-one mapping.
The system can be used to examine insider threats, pressure group campaigns, reputational damage attempts, and competitor slurs as well as international hacker campaigns. Once a suggestion of a threat to you or your business has been identified, the system can be used to map out associates and possible commissioners of hostel actions.
Forewarned is forearmed and so keeping constant track of threats and the people who are known to oppose you or your business helps you to strategize blocking tactics to get ahead of any gathering threat. You might be targeted by a rival but actually hit by an unknown overseas attacker. Drawing links between an attack and the true origin of that action can help you alert law enforcement to your opponents and support legal action to ensure the right people get punished.
Who is it recommended for?
Despite our mention of small businesses above, this tool isn’t affordable and so will probably only be used by government agencies and small businesses. Babel Street, the producers of Babel X doesn’t publish a price list but a report in Vice about the service, which was published in April 2017 noted that the US Army National Guard was paying $18,500 at that time for a one-year subscription.
Pros:
- Builds and Depicts Networks of Attackers: Babel X assists in building and depicting networks of attackers, aiding in threat intelligence analysis and investigation.
- Links Unrelated Events: It helps in linking together seemingly unrelated events, facilitating the identification of patterns and connections.
- AI Translation: Babel X offers search capabilities in 200 languages, utilizing AI for translation, ensuring comprehensive coverage and analysis.
Cons:
- Not Free: Babel X is not available for free, requiring users to pay for access to its features and capabilities.
Babel Street Babel X is a cloud-based system and you can investigate it by accessing a demo.
4. Google Dorks
Anyone who takes Google’s search capability for granted, or underestimates the power that lies behind this search engine’s capability to dig deep and come up with some interesting information, is a fool.
Key Features:
- Google Syntax: It utilizes simple Google search syntax to filter and refine search engine data, enabling users to find specific information efficiently.
- Not Produced by Google: Despite the name, Google Dorks is not produced or endorsed by Google; it’s a term used by the online community for certain search techniques.
- Utilize Advanced Search Queries: Google Dorks refers to a category of websites or online tools that utilize advanced search queries to extract specific information from search engine results.
Why do we recommend it?
Google Dorks are advanced search techniques that can be used in the Google search engine to perform research into vulnerabilities on a website or discover information about businesses that are not immediately apparent from surface searches. You can discover tips on good Google Dorks to try by looking through the Exploit Database.
With the right arguments, anyone can find files or documents that may seem securely stored. In fact, one of the first things to do during a penetration test is to use Google Dorks to see what can already be accessed without any data mining tools.
As you may have understood, Google Dorks is not a tool, per se. It is a data querying method that involves querying for information using advanced – and clever – search arguments in Google Search.
Here’s how it works: websites are automatically indexed when Google bots crawl them. Now, unless sites with sensitive data or folders specifically block the bots (using noindex meta tags), their contents will be made available as search results for specific Google queries.
The concept here is to enable any user to delve deep into a server’s annals to come up with data corresponding to various arguments. The beauty of it is that Google has a large list of arguments that can address queries for almost any type of data including usernames and passwords.
There is no one website to go for the ultimate compilation of clever Google syntaxes; that means you will need to do a Google search for that too. But, for your reference, we have one of the most popular Google Dorks sites: Google Hacking Database on Exploit Database. Enthusiasts from all over the world update this registry daily.
Again, be aware that this is a powerful OSINT tool that can uncover sensitive information that could get you in trouble simply because you downloaded, or even looked at it.
Who is it recommended for?
Google Dorks can be used for many purposes and therefore there are many different types of people who use them. They can be used by penetration testers to reveal security weaknesses in a website and hackers can use them, too, for the same purpose. Researchers can discover interesting information about a company on the back pages of a website that might have been left there in the belief that the public wouldn’t be able to access them.
Pros:
- Completely Free: Google Dorks is entirely free to use, eliminating any financial barriers for users.
- Great for OSINT Beginners: Google Dorks can serve as a useful starting point for beginners in open-source intelligence (OSINT), offering simple yet effective techniques for information gathering.
Cons:
- Limited to Google Search Engine: Google Dorks is limited to the Google search engine, restricting its scope compared to more comprehensive OSINT tools that can access multiple search engines and data sources.
5. Shodan
Shodan is a querying digital intelligence gathering tool. It is a search engine that can be used to find information on IP addresses, ports, and any Internet-connected devices. It can be used to gather information on servers belonging to businesses or even cities, for example.
Key Features:
- Proprietary Query Language: It utilizes a proprietary query language for searching and retrieving information from its database.
- Export and Reporting Feature: Shodan allows users to export search results and build reports directly within the tool, facilitating further analysis and documentation.
- Great User Interface: It features a great user interface, displaying metrics alongside a geographical map, enhancing data visualization and analysis.
Why do we recommend it?
Shodan is a search tool that details the equipment and other technologies, such as SSL certificates, used by a business. The company currently highlights its ability to list the IoT devices used by a company, including their locations and details about their configurations and other attributes.
To start using it, simply type in any business and you get information on the devices that the business uses including honeypot ICS, location, services (HTTP, etc.), and even any vulnerabilities the devices might have.
The results are grouped by network names or IP addresses. Host information includes what operating systems are being used, open ports, type of Internet server, website design language, and much more. Classless Inter-Domain Routing (CIDR), or IP range, network scanning for bulk information is also possible.
Some queries may only work for the US – but, there are plenty more tools that help search for information from the rest of the world. You can start by typing in a query for a country to get the number of unique IP addresses they have registered.
Using this tool becomes a breeze once you have learned the Shodan syntax which is similar to Google Search. For example, querying for “Org: Organization_Name” gives you the information related to the devices that belong to an organization.
With such commands, users can run a query to list open surveillance or web cameras and even grab snapshots from them.
Although the main purpose of this tool is for reconnaissance, some commands can be actually used to perform penetration testing. In the right hands, this is a powerful tool that can lay bare the weaknesses of a network.
Who is it recommended for?
Shodan is an essential tool for security professionals – both physical security consultants and cybersecurity analysts. This service lets you see what information is available about your systems. Naturally, hackers would benefit from this tool as well.
Pros:
- User-Friendly: Shodan is designed to be user-friendly, catering to both technical and non-technical users, enabling easy navigation and utilization.
- Web-based Service: Shodan operates as a web-based service, accessible through web browsers, providing ease of access for users.
- Free Edition: Shodan offers a free edition, allowing users to access certain features without any cost.
Cons:
- Paid Tool: Shodan is primarily a paid tool, with pricing starting at $59, which may be a barrier for some users.
- Offered as a Service: Shodan is offered as a service, similar to Google, meaning users cannot tinker with its inner workings or access its backend infrastructure, potentially limiting customization options.
6. Metasploit
There is nothing shy about this tool; on the contrary, it is a bold weapon that can be used to get all the required information on a target – be it a host or a network – and then exploit any vulnerability that may have been discovered. This is usually done by sending out a payload that executes commands.
Key Features:
- Penetration Testing Tool: Metasploit is primarily designed for penetration testing, allowing security professionals to assess the vulnerabilities of a system or network.
- Free and Commercial Use: Metasploit offers both free and commercial versions, providing flexibility for users with varying needs and budgets.
- Ethical Hacking Tools: Metasploit includes a wide range of hacking systems, tools, and payloads that can be used to exploit vulnerabilities in target systems.
Why do we recommend it?
Metasploit is a vulnerability scanner and penetration testing tool. The importance of this system is that it provides tools to probe a system and discover information about security components and possible ways into a network and then it automatically copies that data over to attack tools to implement a system breach.
With Metasploit, users can upload, download, listen to, or alter files they have found. In the case of mobile devices, they can even capture screenshots and activate the camera and microphone for remote eavesdropping.
This is a no-nonsense tool that can cause real damage – and get you in trouble – if abused. It has seven modules that can be used for different intelligence gathering campaigns: auxiliary, payloads, evasion, encoders, exploits, post, and NOP.
These modules tackle specific issues like getting past defenses (encoders), running scripts, and code by exploiting buffer overflows (NOP), or performing tasks after compromising a system (post), for example.
Once someone has access to a system, they can practically own every single device on it. The scary thing about this OSINT tool is that it can deliver payloads to devices running almost any type of operating system out there: Windows, macOS, Linux, Android, and many more.
Who is it recommended for?
Metasploit is one of the most highly-recommended hacker tools – both for white hat and black hat hackers.
Pros:
- Security Framework: Metasploit is one of the most widely used security frameworks, trusted by security professionals globally.
- Community Support: It boasts one of the largest communities in the cybersecurity domain, ensuring continuous support and frequent updates to keep up with emerging threats.
- Highly Customizable: Metasploit is highly customizable, allowing users to tailor it to their specific requirements by integrating various open-source applications and modules.
- Free Version: Metasploit offers a free version that provides essential functionality for security testing purposes.
Cons:
- Technical Complexity: Metasploit caters to more technical users, which may pose a steep learning curve for beginners in the security field.
Metasploit, itself, can be run from Linux, macOS, and Windows.
7. Recon-ng
Here is another tool that is great at getting information from open, public records. Although the interface could appear to be a bit daunting at first – because of the CLI – it really is an easy tool to master after spending a few days playing around with it.
On the contrary, anyone that is proficient at working in a Unix/Linux environment will find this to be a familiar tool.
Key Features:
- Linux Command-line Tool: Recon-ng is a command-line tool specifically designed for Linux operating systems, providing a platform for reconnaissance activities.
- Free to Use: Recon-ng is freely available for use, making it accessible to a wide range of users without any cost barriers.
- Community Plug-ins: It supports community-supplied plug-ins, allowing users to extend its functionality by integrating additional modules and tools.
Why do we recommend it?
Recon-ng is good at crawling the Web for specific information – whatever word/name/address you give it to search for. All discovered records are inserted into a database. This is a command line tool and Linux expert users will find it easy to use.
Recon-ng has default modules that are also open source, and then there is a marketplace to add even more features. And because it is an open-source tool, it continues to evolve and grow as the developer community continues to contribute to it. Written in Python, Recon-ng is designed exclusively for web-based open source reconnaissance. Therefore, it can’t be used for exploits.
But, still, once the information has been collected, it is stored in a database which can then be used to generate insightful custom reports.
Who is it recommended for?
Recon-ng is a research tool. Anyone who is good at investigating but not so good at using the Linux command line will struggle with this tool. You would need to partner up with a technician to use this utility. You also need to export the data from the database and import it into some other data visualization tool in order to analyze it, which isn’t an easy task.
Pros:
- Open Source and Free: Recon-ng is open-source software, providing users with complete freedom to modify, distribute, and use it without any licensing costs.
- Strong Community Support: It benefits from a robust community of users and developers, making it one of the most popular OSINT (Open Source Intelligence) tools available.
- User-Friendly Interface: Recon-ng offers a user-friendly interface that is reminiscent of Metasploit, enhancing user experience and ease of navigation.
Cons:
- Learning Curve: Due to its highly detailed nature, Recon-ng may require significant time and effort to fully explore and utilize all its features and capabilities.
8. Aircrack-ng
Aircrack-ng is a wireless network security penetration testing tool that has four main functions:
- Packet monitoring – capturing of frames and collecting WEP IVs (Initialization Vectors); if a GPS is added, it can log the position of APs (access points).
- Penetration testing – by performing packet injection attacks, fake access points, replay attacks, and more to test a network’s security.
- Performance analysis – testing wifi and driver capabilities.
- Password security testing – password cracking on WEP and WPA PSK (WPA 1 and 2).
Although the tool was developed primarily for Linux, there are versions for Windows, OS X, and FreeBSD. The fact that it is a fully CLI tool means that it can be easily tweaked to meet unique requirements using custom scripts.
Key Features:
- Wi-Fi Security: Aircrack-ng is capable of auditing Wi-Fi security configurations and can also be used to crack weak wireless encryption, providing comprehensive security assessment capabilities.
- Cross-platform Compatibility: It runs on various operating systems including Linux, FreeBSD, macOS, and Windows, ensuring flexibility and accessibility for users across different platforms.
Why do we recommend it?
Aircrack-ng is a very well-known hacker tool that can scan wireless systems and, theoretically crack captured data. So, this is a snooping tool rather than a scanner of open source intelligence.
Who is it recommended for?
Hackers use Aircrack-ng a lot. However, its power is greatly diminished by effective transmission encryption. Although you will find it difficult to reap the contents of transmissions, if information about which devices are connected to the wireless network is of use, you will find a benefit from this tool. Penetration testers and system security managers can use this tool to confirm that transmission security is adequate.
Pros:
- Huge Community Support: It is one of the most widely supported wireless security tools, benefiting from a large community of users and developers who contribute to its development and maintenance.
- Free to Use: Aircrack-ng is freely available for use, enabling users to perform wireless security assessments without any cost barriers.
Cons:
- Not an AIO Tool: Aircrack-ng may not be the best option for users seeking an all-in-one security tool that encompasses a wide range of security assessment functionalities beyond wireless security.
Honorable mentions
Here are a selection of tools that can further enhance the performance and reach of the tools we have seen above:
1. Wireshark
Wireshark – this popular free, open source packet sniffing tool is one of the best penetration testing applications that lets you see if there are any unprotected protocols like FTP, Telnet, and SSH travelling in a network.
2. Nmap
Nmap – this is another popular “old-timer” that is still used to keep an eye on network security; it can be used for discovery or testing purposes to see host statuses and gather information like shared data, operating systems, and much more to uncover vulnerabilities. As time goes by, it has gotten more powerful and now has a GUI (Zenmap).
3. PhoneInfoga
PhoneInfoga – squeeze as much information as possible from a phone number; this tool works globally, for phone numbers from across the world. The only catch: it needs Python.
4. TinEye
TinEye – in a world where the problem of fake news is being exacerbated with expert Photoshop manipulations, this reverse search engine uses image identification instead of keywords or metadata. It is a simple, browser-based tool.
We would like to hear about other OSINT tools you use or think should be on this list. Tell us about them; leave a comment below.
OSINT FAQs
What are OSINT tools?
OSINT is short for Open Systems Intelligence and OSINT tools are utilities that either seek out information from public sources or organize that data into a meaningful format that identifies deeper information in the form of a collection than can be gleaned from individual data instances. OSINT can be used for academic research, for stalking and profiling in a phishing campaign, or for an investigation into criminal activity, political intrigue, or cybersecurity threats.
Do hackers use OSINT?
OSINT is a research strategy and anyone can use it for good or revil. So, OSINT can be used by hackers and it can also be used to track the activity of hackers.
Is OSINT free?
OSINT mines public sources of information, which usually means the Web, where most information is free. Some data collections and news sources might require a subscription for access. The tools used for OSINT range from a straightforward Web search to complicated data mapping tools. Most tools are free to use. Some have both free and paid versions.
Are OSINT tools Legal?
OSINT accesses data that is accessible by the public. There is no snooping or data theft involved. Therefore, it is not illegal to search through this data. If you are a company and you work with personally identifiable information on members of the public, storage of the data that you gather might be subject to data protection rules, such as GDPR.