OSINT Cheatsheet — Open Source Intelligence Gathering
Quick reference for commands and tools used in open source intelligence gathering.
1. Domain information

| Tool | Command | Description |
|---|---|---|
| whois | `whois example.com` | Shows registrant, dates, and name servers |
| nslookup | `nslookup example.com` | Basic DNS query |
| dig | `dig example.com ANY` | Detailed DNS query |
| dig | `dig +short MX example.com` | Query MX records |

| Tool | Command | Description |
|---|---|---|
| theHarvester | `theHarvester -d example.com -b google,bing` | Searches for emails, subdomains, hosts |
| amass | `amass enum -d example.com` | Subdomain enumeration |
| crt.sh | https://crt.sh/?q=example.com | SSL certificates associated with the domain |
| hunter.io (web) | — | Public emails associated with domains |

| Tool | Command | Description |
|---|---|---|
| exiftool | `exiftool file.jpg` | Extracts metadata from images, PDFs, etc. |
| Web | https://www.metadata2go.com/ | Quick analysis without a terminal |
| strings | `strings document.docx` | Extracts hidden text or plain metadata |

4. Visualization with Maltego CE

| Action | Description |
|---|---|
| Create entity | Domain, email, IP, etc. |
| Transformations | Use free ones (e.g., Shodan or DNS) |
| Export graph | Right-click → Export → as image |

| Tool | Command | Description |
|---|---|---|
| Sherlock | `python3 sherlock username123` | Searches for profiles with that alias across dozens of networks |
| Web | https://namecheckup.com/ | Checks alias availability |

7. Ethics and legality

| Guideline | Reason |
|---|---|
| Do not interact with real targets without permission | May be considered illegal or invasive |
| Do not perform fuzzing or active attacks | This class covers passive reconnaissance only |
| Always indicate source and limitations | To avoid incorrect conclusions |
