osint::cheatsheet

OSINT recon · dorking social · geolocation
01 Start Here
OSINT mindset
Good OSINT is:
- source-driven
- date-aware
- pivot-based
- validated by at least one other source

Bad OSINT is:
- random searching
- trusting screenshots without provenance
- ignoring archive / timeline context
Seed types
- username / handle
- email address
- domain
- company / org name
- phone number
- IP / ASN
- image
- document metadata
- repo / package name
Default order
1. normalize the seed
2. exact-match search
3. alias / variant search
4. archive / historical search
5. technical pivots
6. social / content pivots
7. verify
8. document findings + source + date
02 Best Services by Goal
General discovery
Google / Bing / Brave
Use:
- exact phrase search
- operators
- cached snippets
- pivoting from unique strings

Wayback Machine
Use:
- old pages
- deleted content
- previous endpoints
- old staff / contact pages
Infra / domain OSINT
crt.sh         # subdomains via CT logs
Shodan         # banners / exposed services
Censys         # cert / host pivots
SecurityTrails # DNS / historical DNS if available
ViewDNS        # reverse IP / DNS helpers
User / handle OSINT
Sherlock / WhatsMyName
Use:
- username reuse

GitHub
Use:
- commits
- emails
- repos
- gists
- issue comments

LinkedIn
Use:
- company context
- role names
- employee naming patterns
03 What to Search, in What Order
Starting from a domain
1. exact search for domain
2. RDAP / WHOIS
3. crt.sh for subdomains
4. Wayback for old paths / robots.txt / JS
5. GitHub search for domain / secrets / emails
6. Shodan / Censys for exposed services
7. docs / PDFs / press releases / old job ads
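Added example for step 3 (not part of the cheatsheet): parse crt.sh's JSON output into a deduplicated, in-scope subdomain list with first-seen dates, then shape it the way the "Recording notes" list asks. The sample JSON below is constructed to mirror crt.sh's field names, and the query URL is assumed from crt.sh's `%25.domain&output=json` form.

```python
import json
from datetime import date

# Constructed sample mirroring the field names of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json); not real CT data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"common_name": "*.dev.example.com",          # wildcard + mixed case
     "name_value": "*.dev.example.com\nDEV.example.com",
     "not_before": "2022-06-01T00:00:00", "not_after": "2022-08-30T23:59:59"},
    {"common_name": "mail.example.com",
     "name_value": "mail.example.com\nautodiscover.example.com",
     "not_before": "2023-03-15T00:00:00", "not_after": "2024-03-14T23:59:59"},
    {"common_name": "example.com.evil.test",      # lookalike: must be excluded
     "name_value": "example.com.evil.test",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
])

def in_scope(host: str, seed: str) -> bool:
    """Seed itself or a subdomain of it; suffix match on a label boundary only."""
    return host == seed or host.endswith("." + seed)

def subdomains_from_crtsh(raw_json: str, seed: str) -> dict:
    """Return {hostname: earliest not_before date} for in-scope names.

    Wildcard labels are stripped, names lower-cased, and the earliest cert
    date kept, since that dates when the hostname first appeared publicly.
    """
    seed = seed.lower().strip(".")
    found = {}
    for entry in json.loads(raw_json):
        for name in entry["name_value"].split("\n"):
            host = name.strip().lower().lstrip("*.")
            if host and in_scope(host, seed):
                first = entry["not_before"][:10]
                if host not in found or first < found[host]:
                    found[host] = first
    return found

def finding_record(seed: str, hosts: dict, source_url: str) -> dict:
    """Shape the result as the 'Recording notes' list asks: source, date, pivot, confidence."""
    return {
        "seed": seed, "pivot": "crt.sh CT-log subdomain search",
        "source_url": source_url, "date_seen": date.today().isoformat(),
        "confidence": "medium: CT proves issuance, not that the host is live",
        "hosts": sorted(hosts), "first_seen": hosts,
        "next_pivot": "Wayback / Shodan on each host",
    }
```

The lookalike entry shows why the scope check must be a label-boundary suffix match and not a plain substring test.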
Starting from a username
1. exact search with quotes
2. Sherlock / WhatsMyName
3. search with site names
4. GitHub / GitLab / package registries
5. avatar / bio / profile reuse
6. related domains / emails / aliases
7. timeline check to verify same person
Starting from an email
1. exact search
2. Git commits / repo leaks
3. archived contact pages
4. local-part reused as usernames
5. breach / paste references
6. gravatar / avatar reuse
7. linked company and domain context
04 Search Operators and Pivots
Core operators
"exact phrase"
site:example.com
filetype:pdf company name
intitle:"index of" backup
inurl:admin
-noise
Useful pivot searches
"user@example.com" site:github.com
"example.com" "API_KEY"
"target" site:pastebin.com
"handle" ("discord" OR "telegram")
site:example.com filetype:pdf "confidential"
Recording notes
Track:
- source URL
- date seen
- screenshot if fragile
- exact pivot used
- confidence level
- next pivot candidate
05 Practical Workflows
Company recon
Goal:
- subdomains
- public docs
- employee names / naming patterns
- tech stack
- old brands / acquisitions
- exposed services

Sequence:
domain → CT logs → archive → GitHub → Shodan/Censys → public docs
CTF-style OSINT
1. identify exact seed
2. search quotes first
3. inspect metadata / EXIF / commits
4. reverse image if relevant
5. archive deleted content
6. pivot to usernames / domains / companies
7. verify before submitting
Fast priority list
If you only have 5 minutes:
1. exact search
2. Wayback
3. GitHub
4. crt.sh / Shodan if technical
5. one second-source verification