DISCLAIMER

I am in no way responsible for any abuse, misuse, or any questionable actions in which someone uses these tools or methods below. OSINT is an information-gathering technique that can be used by ANYBODY and on ANYBODY! Also I'd like for anyone to be aware that some of the domains (such as exposed.lol) may be expired, if so check the curated list or the other links listed.

Any Suggestions

Place them under Issues

Why did I create this?

Now why did I make this readme you may ask?

People in the states at least trust their info way to much on the internet and seeing how the internet has now affected our daily lives it's practically indistinguishable from reality now; what's real is now fake - what's fake is now real. tit for tat basically. Do what you must with this readme file, spread this on the net for all I care really and feel free to contribute on either a fork or on your own project (even on my own projects listed). Feel free to clone and spread this info out there or to fork or maybe make a rentry document if you want.

OSINT/OPSEC Tools

A list of OSINT/OPSEC tools I made, forked, and/or use. First, let's talk about the definitions.

Table of Contents

1. OPSEC
   • How to OPSEC
2. Open Source Intelligence (OSINT)
3. Who uses Open-Source Intelligence (OSINT)?
4. Sources of OSINT
5. Real world examples of OSINT
   • 2016 Airstrike Coordination
   • 2017 Shia LaBeouf Protest
6. Tools
   • Toolchain Recommendations
7. People search tools (in the states)
8. Grey literature
9. Breached Data
10. Social Media
11. Curated lists
12. Archive tools

(Operations Security) is a systematic process for:

1. Identifying
2. Protecting and controlling critical information

It's a security discipline and operations function that involves a continuous cycle of:

• Identifying critical information and indicators (CII)
  • Critical information and indicators are essential components of Operations Security aimed at protecting sensitive data that could be exploited by adversaries. Critical Information includes unclassified or controlled unclassified information about activities, intentions, capabilities, or limitations that adversaries can use to gain an advantage. Indicators are observable actions or pieces of information that reveal critical details about operations, such as sudden changes in procedures or increased security measures. Protecting this information involves identifying vulnerabilities and implementing countermeasures to prevent unauthorized disclosure
• Analyzing potential threats and vulnerabilities
• Assessing risks
• Developing countermeasures to protect CII

is used to protect information and activities from adversaries. It helps identify and protect sensitive information that could give an adversary an advantage. OPSEC principles can be applied in daily life, such as not sharing personal information like a DOB, street address, email, phone number.

Examples of OPSEC mistakes include:

• Over-sharing personal information online
• Leaving unused social media profiles online
• Accidentally interacting with a target on social media

OPSEC supplements other security disciplines rather than replacing them.

How to OPSEC:

• Use services that can conceal your identity:

---

Category	Tool/Technique	Description	Pros	Cons/Limitations
Encrypted Messaging	Telegram	Cloud-based messaging with optional E2E ("Secret Chats")	Widely adopted, feature-rich	Not E2E by default; stores data on servers; requires phone number
	Simplex	No user identifiers (not even random numbers)	Maximum metadata privacy	Less user-friendly; smaller network
	Signal	E2E encrypted by default; minimal metadata retention	Gold standard for privacy; court-resistant	Requires phone number
Anonymity Networks	Tor	Routes traffic through encrypted nodes to hide IP	Free; robust against tracking	Slow; frequent CAPTCHAs
	Mullvad VPN	No-logs VPN accepting Monero (XMR) payments	Strong privacy; anonymous payment options	VPNs can’t fix poor OPSEC habits
Cryptocurrency	Monero (XMR)	Untraceable cryptocurrency	Private transactions	Requires mining/local node for full anonymity + time
Identity Management	Unique Usernames	Use different credentials per site	Prevents correlation attacks	Hard to manage without a password manager
	Word Spinners	Paraphrase text to avoid detection	Evades plagiarism/identity linking	May sound unnatural
	AI-Generated Faces	Fake profile pictures (e.g., ThisPersonDoesNotExist.com)	Hides real identity	May look unnatural
Self-OSINT	Opt-Out Guides	Remove personal data from people-search sites	Reduces digital footprint	Time-consuming; not all sites honor requests without payment
OPSEC Resources	Bad OPSEC Examples	List of pitfalls	Learn from others’ mistakes	N/A
	Good OPSEC Practices	Guidelines	Actionable tips	Requires discipline
Tool Lists	OPSEC Tools	Curated list	Comprehensive resource	May need updates

---

Key Takeaways

1. Messaging:

   • Signal > Simplex > Telegram for privacy.
   • Remember: E2E ≠ total anonymity (metadata leaks matter).

2. Anonymity:

   • Tor + Mullvad VPN + XMR = layered protection.
   • Avoid logging into personal accounts while using these tools.
   • Pitfalls: you need to use TOR and Mullvad separately for maximum Anonymity, use a Virtual Machine.

3. Identity:

   • Unique usernames + AI faces + word spinning = harder to trace.

4. Self-Audit:

   • Regularly opt out of data brokers and OSINT yourself.

5. OPSEC Mindset:

   • Follow good OPSEC and avoid bad habits.

---

Pro Tips

• Signal Workaround: Use a burner phone number (e.g., Google Voice) for registration.
• Monero Mining: Run a local node to avoid centralized exchanges tracing purchases.

For full tool details, see the OPSEC Tools List.

Open Source Intelligence (OSINT)

What is it, how is this used and why is it important:

• OSINT is the practice of collecting and analyzing information from public sources to address specific intelligence needs. OSINT is used by government agencies and commercial organizations for various purposes, including:

  • Reconnaissance
  • Cyber crime investigations
  • Market trend analysis
  • Brand positioning analysis
  • Measuring risk to an organization
  • Understanding the actor, tactics, and targets
  • Gather real-time information
  • Make informed decisions
  • Receive early warnings of potential threats

Who uses Open-Source Intelligence (OSINT)?

• National Security and Intelligence Agencies, Law Enforcement, Businesses, Cybersecurity and Cyber-crime Groups, Privacy-Conscious People, Non-Governmental Organizations

  • The CIA, Defense Intelligence Agency (DIA), and Office of the Director of National Intelligence (ODNI) all use OSINT.
  • OSINT can protect citizens (private or otherwise) from identity theft, sexual violence, and abuse.
  • OSINT can monitor competitors, investigate new markets, and plan marketing activities.
  • OSINT can gather intelligence about specific targets online.
  • OSINT can check how outsiders can break into their computing devices.
  • OSINT can be used on oneself to secure privacy.
  • Bellingcat, the Center for Information Resilience, and Oryx use OSINT.
  • And you! Yes, you can use OSINT.

Sources of OSINT

OSINT can gather information from various sources, including:

• Public government data

  • Public data refers to all information made freely available by government bodies or local collectivities. This data is in the public domain. It is different to open data, which is a subset of public data. Open data is structured and well-maintained data that is therefore easier to understand, access and consume. By contrast public data can be difficult to find, or (in the case of public bodies), require the submission of a Freedom of Information Act to retrieve it.

• Professional and academic publications

  • Academic Publication means the publication of an abstract, article or paper in a journal or electronic repository, or its presentation at a conference or seminar.

• Commercial data

  • Commercial Data means any and all data and information relating to an identified or identifiable Person (whether the information is accurate or not), alone or in combination with other information, which Person is or was an actual or prospective customer of, or consumer of products offered by, the VS Business or L Brands Business, as applicable.

  • Commercial Data means any and all data and information relating to an identified or identifiable Person (whether the information is accurate or not), alone or in combination with other information, which Person is or was an actual or prospective customer of, or consumer of products or services offered by, the LoyaltyOne Business and/or ADS Business, as applicable.

  • Commercial Data means any and all data collected or otherwise processed by the Seller Entities relating to a customer of the Business.

• Grey literature

  • Grey literature is "Information produced on all levels of government, academics, business and industry in electronic and print formats not controlled by commercial publishing i.e. where publishing is not the primary activity of the producing body."

  • Grey literature can be useful for your research, but finding resources requires different tactics than you'd use for commercially published materials. This is because many types of grey literature are not indexed in some of the more common research tools like PubMed, CINAHL, Scopus, etc.

Real world examples of OSINT

In the year 2016, a basket weaving image board used OSINT to pay some supposed terrorist a vist from a govt in Russia resulting in airstrikes.

• A video detailing the events

  • In 2016, during the complex Syrian Civil War, various rebel groups—some with good intentions and others with nefarious motives—sought to overthrow President Assad. The chaos allowed terrorist groups to flourish, prompting intervention from the United States and Russia, with the former supporting rebels and the latter aiding Assad. An anonymous user on 4chan's Syria General board (SG) claimed that a Syrian rebel group, Jaysh al-Izza, posted a video on YouTube revealing their secret encampment. The group, linked to Al-Qaeda, was seen by 4chan users as a target. A notable 4chan user, Ivan Sirenko, who had connections with the Russian military, received the coordinates from the 4chan community and tweeted them to the Russian Ministry of Defense. This led to an airstrike on the encampment. Two months later, the same rebel group posted another video showing a new training camp. 4chan users once again pinpointed the location using landmarks seen in the video. After thorough verification, they sent the coordinates to Ivan, who facilitated another Russian airstrike.

UPDATE: Turns out it was a really complex war the 4chan got involved in, still keeping this up as a key example however; the main issue is that they exposed their training locations with geographic locations to the internet like complete morons. Thus bad opsec.

In 2017, Shia LaBeouf had a protest due to Trumps election; this resulted in a basket weaving image board using OSINT and sky patterns to figure out where a flag is.

• In 2017, 4chan users managed to track down and replace Shia LaBeouf's "He Will Not Divide Us" protest flag. Using only the live-stream footage of the flag, they analyzed flight patterns, star positions, and a tweet to locate the flag in Greeneville, Tennessee. A local troll then honked his car horn until the sound was picked up on the live-stream, pinpointing the exact location. The flag was replaced with a Trump hat, marking the end of this elaborate trolling operation.

Tools

---

Category	Tool	Link	Functionality	Limitations/Notes
Search Engine Queries	Google-FU	GitHub	Advanced Google dorking for targeted searches	Rate limits apply; may trigger CAPTCHAs
Biometric Analysis	Facecheck.ID	GitHub	Reverse image search bypassing paywalls	Requires Tampermonkey; extracts source links only
Username/Email Search	Blackbird	GitHub	Fast cross-platform username/email lookup	CLI-only; lightweight
	Crow (GUI for Blackbird)	GitHub	GUI version of Blackbird	Same functionality as CLI
	Sherlock	GitHub	Comprehensive username search across 300+ sites	False positives (e.g., Imgur); CLI-based
	No-Shit-Sherlock (GUI)	GitHub	GUI wrapper for Sherlock	Inherits Sherlock’s limitations
	Maigret	GitHub	Finds username connections (Sherlock fork)	Focuses on profile linkages
	Maigret-Night (GUI)	GitHub	GUI for Maigret	Same as Maigret CLI
	Holehe	GitHub	Checks email usage across sites	Imgur false positives; CLI-based
Email Compromises	Hudson Rock Extractor	GitHub	Manual email breach checker (Flask-based)	Not automated; requires manual input
Geolocation	Google Maps	maps.google.com	Pinpoint locations/compare landmarks	Public data only; no advanced OSINT features
Generalized OSINT	OSINT Rocks	osint.rocks	Multi-tool: Hudson Rock, Holehe, GHunt (Gmail), phone/domain/username lookups	Web-based; combines multiple tools in one interface

---

Key Insights & Pro Tips

1. False Positives:

   • Sherlock/Holehe: Imgur often returns misleading results—verify manually.
   • Facecheck.ID: Extracts links but doesn’t analyze images; cross-reference with TinEye.

2. GUI vs. CLI:

   • CLI Tools (Blackbird, Sherlock, Maigret): Faster but require technical familiarity.
   • GUI Wrappers (Crow, No-Shit-Sherlock): Easier for beginners; same backend logic.

3. Email Investigations:

   • Combine Holehe (account detection) + Hudson Rock Extractor (breach data) for thorough checks; see Toolchain Recommendations.
   • For Gmail-specific OSINT, use GHunt (via OSINT Rocks).

4. Geolocation:

   • Use Google Maps Street View to verify addresses/landmarks from other tools (e.g., ClustrMaps).

5. OPSEC Notes:

   • Rate Limits: Tools like Google-FU may trigger blocks—use proxies/VPNs.
   • Legality: Avoid scraping private data (e.g., Facebook profiles) without consent.

---

Toolchain Recommendations

• Quick Username Search: Crow (GUI for indepth) → Maigret (GUI for indepth) → Sherlock (CLI for depth).
• Email Breaches: LOLArchiver → Pentester → OSINT Rocks (Hudson Rock/Holehe) → Have I Been Pwned.
• Images: Facecheck.ID + TinEye/Google Reverse Image Search.

For niche tools, refer to the Curated Lists section.

People search tools (in the states):

DISCLAIMER: Most of the email info found on these sites appear to be from a databrech from long ago; subjects on these sites can and possibly will still use their email found on these sites as people will rarely change email providers due to TFA + password managers unless if the email itself has been compromised in any way, shape, or form OR if they've changed emails due to harrasment, spam, etc etc.

---

Tool	Lookup By	Returns	Notes
FastPeopleSearch	Name, Phone, Address	Age, Address, Phone, Email	Free; data may be outdated.
That's Them	Name, Email, IP, VIN, Phone	IP, Addresses, Phone, Email	Aggregates data from Intelius/Spokeo; some paid results.
Nuwber	Name, Phone, Email, Address	DOB, Address, Email, Phone	Detailed reports may require payment.
IDCrawl	Name, Username, Phone, Email	Names, Usernames, Phone, Email	Focuses on usernames/social media.
PeekYou	Name, Username, State	Age, Social Media, Emails, Addresses	Strong for social media profiling.
Webmii	First + Last Name	Social Media, Search Results	Lightweight; scans public web/social profiles.
PublicRecords	Name, Address, State	Name, Address, Partial Phone	Free directory; redirects to Intelius for paid details.
ClustrMaps	Name, Address	Addresses, Residents, Property, IP Data	Focuses on geolocation/demographics; may include ownership history.

---

Key Observations:

1. Free vs. Paid: Most tools offer basic info for free but upsell detailed reports (e.g., PublicRecords → Intelius).
2. Data Sources: Many pull from the same breaches/public records (emails/phones often outdated but still in use).
3. Specializations:
   • Social Media: PeekYou, IDCrawl.
   • Geolocation: ClustrMaps.
   • Comprehensive: FastPeopleSearch, Nuwber.

Disclaimer: Accuracy varies; users rarely update emails unless compromised. Use ethically!

• For additonal tools see Curated lists

Grey literature

Use this site; do not register, check a voter registration. Will probably need more info in some states; while other need less.

An automtic tool that I've made for pa voter services. Feel free to fork for other states.

Breached Data:

---

Tool	Lookup By	Returns	Limitations/Costs	Notes
Have I Been Pwned	Email, Phone	Breach names, dates, compromised data	Free; no passwords/raw data	Trusted source; alerts for new breaches.
BreachDirectory	Email, Username	Partial password hashes (SHA-1, first 4 chars), length	Free; no full passwords	Useful for credential stuffing checks.
Pentester	Email, Username	Full breach details (more than HIBP)	Free; no Tor needed	Unofficial but extensive; may include sensitive data.
Breach.vip	Email, Username	Minecraft-focused leaks (usernames, IPs)	Free; requires login	Niche for gaming accounts; "memey" but functional.
LeakPeek	Email, Username	Partial breach snippets (e.g., domains)	5 free searches; Tor bypass possible	Paid plans for full data; obfuscates results.
LOLArchiver	Email, Username	Full breach databases (e.g., emails, passwords)	Paid service only	For OSINT professionals; curated high-value leaks.
Hashes.com	Hash (MD5, SHA-1, etc.)	Decrypted passwords (if hash is cracked)	Free/paid cracking tools	Useful for reversing hashes from breaches.
Icebreaker	Local breach files	Parses/analyzes large breach datasets	Python/EXE; works best for <1000GB files	Demo script provided; use with caution (e.g., Facebook 533M leak).

---

Key Takeaways:

1. Free vs. Paid:

   • Free: HIBP, BreachDirectory, Pentester, Hashes.com.
   • Limited Free: LeakPeek (5 searches), Breach.vip (login required).
   • Paid: LOLArchiver, LeakPeek plans.

2. Specializations:

   • Password Recovery: Hashes.com (decrypt hashes), BreachDirectory (partial hashes).
   • Gaming Leaks: Breach.vip (Minecraft).
   • Local Analysis: Icebreaker (Python tool for large datasets).

3. Ethical/Legal Notes:

   • Many tools provide partial data (e.g., first 4 chars of passwords) to comply with ethics.
   • Use Tor with LeakPeek to bypass search limits.
   • Avoid misuse: Some tools (e.g., Pentester) may expose sensitive data.

4. For Large Datasets:

   • Icebreaker + Facebook 533M (no passwords) for bulk analysis.

---

Additional Resources:

• Curated Lists: Check Curated Lists for more niche tools.
• Demo Scripts: Icebreaker includes a demo for testing.

social media

---

Platform	Tool	URL	Functionality	Limitations/Notes
General	Social Searcher	social-searcher.com	Searches multiple platforms at once	Free tier has limited searches
Snapchat	Snapchat Map	map.snapchat.com	View public Snapchat location stories	Requires Snapchat account
Instagram	Dumpor	dumpor.com	View profiles/stories anonymously	May have rate limits
Twitter	Sotwe	sotwe.com	Anonymous Twitter browsing	No login required
	Xcancel	xcancel.com	Alternative Twitter viewer	Lightweight interface
	Nitter	nitter.net	Privacy-focused Twitter front-end	Avoids Twitter tracking
Facebook	Facebook Search	facebook.com/search	Native Facebook search tool	Limited without login
	WhoPostedWhat	whopostedwhat.com	Search Facebook posts by date/keyword	Requires precise queries, public accounts
reddit	r00m101.com	r00m101	Get info from an active or deleted reddit account	Pricing for full scope possibly

---

Pro Tips & Workarounds

1. Facebook Private Accounts:

   • Method 1: Create a fake account (difficult due to Facebook's verification)
   • Method 2: Use browser's Inspect Element → Device Simulator (or mobile phone) + direct URL
   • Always try logged out or in private mode first

2. LinkedIn Limitations:

   • If profiles don't load:
     • Wait 1-2 minutes (cookie/IP rotation)
     • Create a basic account (avoid looking suspicious)
   • HWID/IP tracking may block repeated searches

3. Twitter Alternatives:

   • Use Nitter/Xcancel to avoid rate limits/tracking
   • Sotwe work without login

4. Instagram:

   • Dumpor bypasses some privacy settings
   • Quick Use https://dumpor.io/v/USERNAME replace USERNAME with the user you are trying to see
   • Will not work with private accounts

---

Key Takeaways

• Anonymity: Tools like Nitter/Dumpor avoid platform tracking

• Mobile Tricks: Simulating mobile devices often works better for restricted content

• Persistence: Some platforms (LinkedIn/Facebook) require patience or account creation

• For additonal tools see the Curated Lists section below.

Curated lists

• Awesome OSINT - a curated list of OSINT tools, blogs, and videos

• OSINT Framework - a larger list of tools

• OSINT Resources - Collection of OSINT resources that seems to be more up to date (includes NSFW)

  • Archive

• A whole reddit wiki from the OSINT community

• A list of social media, maps, domains, etc also listed in cipher387's OSINT collection.

OPT OUT

• A whole big ass list to opt out and to compare info.

• inteltechniques opt out workbook

Archive tools that I've made

• link extractor and archive uses archive.ph - useful on basic webpages. Requires manual intervention (text edits FIND+REPLACE).

Additonal tools:

• For additonal tools see the curated-lists above

Donations:

If you find this useful feel free to donate to this monero address:

8BPdcsLtA5iWLNTWvYzUVyTWtQkM62e8r7xqAuwjXTSC4RcoSWqpmtyLsMYvz3QNZtT1rbgPUnmVpMAudhxTn6zkRxUFcZN