SKILL: OSINT Tools

Metadata

• Skill Name: osint-checklist
• Folder: offensive-osint
• Source: https://github.com/SnailSploit/offensive-checklist/blob/main/osint.md

Description

Practical OSINT checklist: domain recon, email harvesting, social media profiling, GitHub/code leaks, Shodan/Censys enumeration, breach data lookup, employee profiling, and infrastructure mapping. Use for bug bounty recon, red team intelligence gathering, or corporate OSINT.

Trigger Phrases

Use this skill when the conversation involves any of: OSINT, reconnaissance, domain recon, email harvesting, Shodan, Censys, GitHub recon, breach data, employee profiling, infrastructure mapping, corporate OSINT

Instructions for Claude

When this skill is active:

1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

---

Full Methodology

OSINT Tools

• Bookmarks: Comprehensive list of various OSINT bookmarks.
• OSINT Framework: A comprehensive collection of OSINT tools and resources.

General OSINT

• IntelTechniques Tools: A suite of OSINT tools for various investigative needs.
• Online Investigation Toolkit: A curated list of tools used by investigative journalists
• CyberSudo OSINT Toolkit: List of OSINT Websites
• GeoGuesser Top Tips: Top Tips and Tricks for Geolocation
• Google Dorks: Helps you search google more efficiently
• Country Specific Resources: To help you specifically look for things a certain country
• Distributed Denial of Secrets: Leaked Data

Search Engines

• Carrot2: organizes your search results into topics
• etools: metasearch engine
• PDF Search: searching for PDF files and viewing their table of content
• Kagi Search: privacy-first search with Lenses and non-personalized results
• Brave Search: independent index; Goggles for custom ranking
• Google Fact Check Explorer: cross-site fact-check search

Username and Email Investigation

• What's My Name: Search for usernames across multiple platforms.
• Maigret: Collect profiles from various sites by username.
• NameCheckup: Find Available Username
• Holehe: Check if an email is registered on online platforms.
• EmailRep: Check email reputation and associated data.
• Namechk: Check username availability across multiple platforms.
• Hunter.io: Find email addresses associated with a domain.
• Sherlock: Find usernames across social networks.
• PhoneInfoga: Information gathering framework for phone numbers
• ContactOut: Discover Email Addresses
• Emailable: Verify if Email exists
• GetProspect Extension
• SignalHire Extension
• OSINT Industries: Email/username/phone lookups
• Mugetsu: X/Twitter username history & meme coin lookups
• Epieos: Email address pivots and metadata (when available)
• RocketReach / Apollo / Dropcontact : Enrichment and email pattern guessing

People Search

• WhitePages: Find people and contact information
• TruePeopleSearch: Free people search in the U.S.
• Pipl: Deep web people search (Note: primarily a paid service).
• Spokeo: People search engine.
• Webmii: People search engine
• Clearbit: Data enrichment for companies and individuals.
• FaceCheck: Find people by their picture
• FaceSeek: another reverse search for faces

Social Media

• Search4Faces: search for a face in social media.
• Picuki: View Instagram profiles and posts without an account.
• snscrape: Actively‑maintained CLI scraper for X/Twitter, Reddit, Telegram, and more. Prefer this over Twint.
• Twint (unstable; breaks when APIs change) — use only if snscrape cannot cover a need.
• Social Blade: Analytics for YouTube, Twitch, Instagram, and more.
• Facebook Graph Search: Advanced Facebook search techniques.
• Facebook Friends: graph search alternative
• Facebook ID Lookup: to find ID of a user on Facebook
• Facebook Search: searching for posts
• Meta Content Library: Researcher‑gated content search (CrowdTangle successor)
• Tokboard: TikTok trend and profile analytics (APIs change frequently)
• Reveddit: View removed Reddit content for context
• RedTrack.social: Reddit user analysis and post history tracking
• Threads by Instagram: Use Instagram OSINT tools; Threads shares Instagram account infrastructure
• Bluesky/AT Protocol:
  • Firesky: Real-time firehose monitoring for keywords/hashtags
  • SkyView: Follower graphs and network analysis
  • Bluesky Directory: User directory and starter pack discovery
• Mastodon/Fediverse:
  • FediSearch: Cross-instance post search
  • Fediverse Observer: Instance enumeration and stats
  • Fediverse.party: Platform directory and network map
  • Fedifinder: Find Twitter/X users on Mastodon

Phone Number

• TrueCaller: Caller ID and Spam Blocking App
• CallerIDTest: Phone Search
• Infobel: Phone search outside of USA
• ThatsThem: Reverse phone search
• Advanced Background Checks: shows all people that used the phone number
• FreeCarrierLookup: Carrier/type lookup for US numbers
• NumlookupAPI [Freemium]: Programmatic carrier/line-type checks

Public Records and Company Information

• OpenCorporates : World's largest open database of companies.
• SEC EDGAR: U.S. Securities and Exchange Commission's database for company filings.
• OpenOwnership Register: Beneficial ownership datasets
• EU Tenders (TED): EU public procurement notices
• World Bank Projects & Operations: Project and procurement records
• IFC Disclosure: Project disclosures and documents
• MuckRock: FOIA repository and request tracking

Leaks

• Have i been pwned
• PwdQuery
• LeakCheck
• Scattered Secrets
• Dehashed
• IntelX
• Phonebook
• LeakPeek: Database breach lookups
• Snusbase: Database breach lookups
• BreachDirectory: Search credentials exposed in recent breaches
• Snusmap: Visual browser for leaked‑data collections
• Cavalier (Hudson Rock): Infostealer lookups
• Pwned Passwords API: K‑anonymity password checks without revealing the full hash

Cryptocurrency OSINT

Blockchain Analysis

• Blockchain.com Explorer: Bitcoin and crypto search engine
• Etherscan: Ethereum blockchain explorer
• BSCScan: BNB Smart Chain explorer
• PolygonScan: Polygon PoS blockchain explorer
• OKLink [Freemium]: Multichain explorer and analytics
• Cielo: Multi-chain wallet tracking (EVM, Bitcoin, Solana, Tron, etc)
• Blockchair: Bitcoin block explorer
• Solscan: Solana blockchain explorer
• Dune: Analytics platform to query blockchain data
• MetaSuites: Chrome extension for additional data on block explorers
• Impersonator: Chrome extension to spoof login to dApps

Layer 2 / Rollup Explorers

• zkSync Era Explorer: zkSync Era (zkEVM) block explorer
• Polygon zkEVM Explorer: Polygon zkEVM rollup
• Arbiscan: Arbitrum One and Nova explorers
• Optimistic Etherscan: Optimism mainnet explorer
• BaseScan: Base (Coinbase L2) explorer
• Voyager / StarkScan: StarkNet block explorers
• Scroll Explorer: Scroll zkEVM explorer
• Blast Explorer: Blast L2 explorer
• L2Beat: Risk analysis, TVL, and technology comparison for all L2s
• Growthepie: L2 metrics and analytics aggregator

Wallet Investigation

• BitcoinAbuse: Track bitcoin addresses used for scams
• Wallet Explorer: Bitcoin wallet transaction clustering
• Chainalysis: Professional blockchain analysis platform
• Crystal Blockchain: Blockchain analytics and monitoring

Transaction Tracking

• Whale Alert: Track large crypto transactions
• BitQuery: Blockchain data analysis and APIs
• GraphSense: Cryptocurrency analytics platform
• CipherTrace: Cryptocurrency intelligence
• TRM: Create graphs for addresses/transactions
• Arkham: Multichain block explorer, entity labels, graphs, alerts
• MetaSleuth: Similar to TRM but intended for retail users
• CryptoTaxCalculator: Track PNL for an address
• Breadcrumbs [Freemium]: Visual graphing and labeling for crypto flows
• Bubblemaps: Holder concentration visualization; identify whale clusters
• Token Sniffer: Honeypot and scam token detection
• Dextools: DEX trading analysis and charts
• Nansen: On-chain analytics with Smart Money labels (paid; expensive)

Bridge Monitoring

• Range: CCTP bridge explorer
• Pulsy: Bridge explorer aggregator
• Socketscan: EVM bridge explorer
• L2Beat Bridges [Free]: Risk analysis for bridges and tokens

NFT Analysis

• OpenSea: NFT marketplace explorer
• NFTScan: Multi-chain NFT explorer
• Nansen: NFT analytics platform
• DappRadar: Track NFT sales and marketplace activity
• Reservoir [Freemium]: Unified NFT metadata and market data API
• Alchemy NFT API [Freemium]: NFT metadata and ownership APIs

Exchange Intelligence

• CoinGecko: Cryptocurrency market data
• CoinMarketCap: Price tracking and market analysis
• Binance Intelligence: Exchange activity monitoring
• Glassnode: On-chain market intelligence

Media Intelligence

Image Analysis

• Google reverse image search: reverse image search engine.
• TinEye: reverse image search.
• Yandex images: effective for Russian and eastern European content.
• PimEyes: change a picture and then search
• Forensically: ToolSet for digital image forensics.
• Getty
• Shutterstock
• Alamy

Browser Extensions

• Fake News Debunker by InVID & WeVerify: Verifies images and videos.
• RevEye Reverse Image Search: Reverse image search extension.
• EXIF Viewer Pro: View EXIF data in-browser.
• Wayback Machine Extension: Quick access to archived web pages.
• Search by Image: reverse image search tool, with support for various search engines

Video Analysis

• YouTube Data Viewer: Extract metadata from YouTube videos.
• InVID & WeVerify Video Verification Tool: Browser extension for video verification.
• Frame-by-Frame Video Player: Analyze videos frame by frame.
• YouTube Geo Tag: Find location of a video via geo tags
• Snap Map (public stories) for area/event context

Metadata Extraction

• Jimpl
• ExifTool: Read, write, and edit metadata.
• Jeffrey's image metadata viewer: online image metadata viewer.
• MediaInfo: Technical and tag information about video or audio files.
• FOCA: Analyze metadata and hidden information in documents.
• Metagoofil: Extract metadata from public documents.

GeoSpatial Intelligence

Satellite Imagery and Mapping

• Google Maps: Mapping and satellite imagery.
• Bing Maps: Alternative mapping service.
• NOAA Maps: Coastal imagery.
• NASA FIRMS: Fire data and HotSpots.
• OpenStreetMap: Open-source map of the world.
• Sentinel Hub EO Browser: Access to satellite imagery from Sentinel and Landsat.
• NASA Worldview: Satellite imagery from NASA.
• Zoom Earth : Live satellite images and weather data.
• Wayback Imagery : Historical satellite images.
• Windy: Live weather map.
• Open Infrastructure Map: Visualize global infrastructure(Water, Power, Gas, etc) networks
• Memento Timemap: Aggregate archive index for any URL (for map UIs and tiles)

Tools and Applications

• Mapillary: CrowdSourced street-level imagery.
• KartaView: Open-source street-level imagery.
• Overpass Turbo: Advanced querying of OpenStreetMap data.
• SunCalc: Sun position calculator for Chronolocation.
• PeakVisor: Identify mountain peaks.
• GeoNames: Geographical database.
• SAS Planet: Satellite imagery viewing application.
• Marble: Virtual globe and world atlas.
• C2PA Verify: Verify embedded content credentials

Street View

• Google Street View: Street-level imagery.
• Apple Maps: Alternative mapping service.
• Yandex Maps: Russian mapping service with street view.
• Baidu Maps: Chinese mapping service.

Flight OSINT

• FlightRadar
• FlightAware
• RadarBox
• ADSBExchange: Unfiltered community ADS‑B flight tracking feed
• AirFrames
• Planespotters: Fleet/airframe history and photos by tail number
• JetPhotos: Spotter photos for visual confirmation

Maritime OSINT

• MarineTraffic: Live AIS vessel tracking
• VesselFinder: Global ship movements and port calls
• FleetMon: Historical AIS data and analytics
• Global Fishing Watch: Fishing vessel behavior and AIS gap analysis

AI‑Assisted OSINT Platforms

Commercial/Enterprise AI Tools

• Cylect: AI‑powered entity extraction and link‑analysis workspace
• Fivecast Matrix: Generative‑AI triage and risk scoring for large social‑media datasets
• Recorded Future: AI-driven threat intelligence and entity tracking
• DarkOwl Vision: AI-powered darknet data collection and analysis

AI-Powered Analysis

[!WARNING] Never paste PII, sensitive IOCs, or unique pivots into cloud LLMs; they log inputs and may use for training. Prefer local models (Ollama, LM Studio) for sensitive analysis.

• OpenAI ChatGPT [Paid for Advanced Data Analysis]: Parse logs, analyze datasets, geo-inference, timeline reconstruction
  • Code Interpreter: Upload CSVs, logs, JSON for automated analysis
  • GPT-4 Vision: Image analysis, OCR, visual geolocation hints
  • Warning: OpenAI logs all inputs; do not use for sensitive cases
• Anthropic Claude [Paid for Claude 3.5 Sonnet]: Long context (200K tokens) for processing large document dumps, report synthesis
  • Claude Artifacts: Generate interactive visualizations and tools
  • Warning: Anthropic logs prompts; sanitize before use
• Google Gemini:
  • Gemini 1.5 Pro: 2M token context (largest available); good for massive log analysis
  • Deep Research mode: Multi-step research automation with citations
  • Warning: Google integration risk; assume correlation with search/Gmail data
• Perplexity Pro [Paid]: Real-time web search + reasoning; excellent for context pivots and background research
  • Focus mode: Academic, Reddit, YouTube, or general web
  • Pro search: Deep research with multi-query synthesis
• Microsoft Copilot: Bing-integrated search; good for generic queries
• Local LLM alternatives (privacy-preserving):
  • Ollama: Run Llama 3, Mistral, Qwen locally
  • LM Studio: GUI for local model inference
  • GPT4All: Privacy-focused local LLM runner

Specialized AI OSINT Tools

• C2PA Verify: Verify Content Credentials and AI provenance metadata
• Adobe Content Credentials Verify: Alternative C2PA verifier
• Hive Moderation: AI content moderation and CSAM detection
• CarNet: Identify car models via AI (useful for geolocation)
• FingerprintJS: Browser fingerprinting and bot detection
• Sensity AI: Deepfake detection and synthetic media analysis
• Reality Defender: Deepfake and AI-generated content detection

Archiving & Snapshots

• archive.today: One‑page content archiver with screenshot capability
• Memento Timemap: Aggregate index of web archives for any URL
• URLScan.io: On‑demand webpage scan with full resource map and screenshot
• Wayback SavePageNow API v3: On‑demand archiving with submission status and job IDs
• WACZ packaging (Webrecorder): Portable, verifiable web archives for replay
• ArchiveBox: Self-hosted web archiving; captures HTML, PDF, screenshots, media
• SingleFileZ: Browser extension for offline single-file HTML archives
• Hunchly: Evidence capture tool for investigators (paid)
• Kasm Workspaces: Containerized OSINT workspace images (browser isolation)

Automation & Workflows

• n8n: Self-hosted workflow automation for OSINT pipelines (e.g., monitor RSS → scrape → alert)
• Huginn: Agent-based automation for monitoring, scraping, alerting
• Cronicle: Distributed task scheduler for recurring OSINT jobs
• Apache Airflow: Workflow orchestration for complex data pipelines
• Prefect: Modern workflow orchestration; easier than Airflow

Additional Tools

IP and Network Analysis

• Spur: IP lookups and tracking
• Robtex: Passive DNS and infrastructure pivots
• BinaryEdge, FOFA, ZoomEye: Infra pivots complementing Shodan/Censys

ASN/BGP & Internet Measurement

• Hurricane Electric BGP Toolkit: ASN, prefix, peers, and IRR data
• RIPEstat: IP/ASN history, routing, geolocation, abuse contacts
• BGPView: ASN and prefix explorer
• PeeringDB: Facility and peering info for networks
• RADb, RIPE IRR: Routing policy and contacts
• RPKI Validators: Route origin and ROA status checks
• bgp.tools [Free]: Clean ASN/IX views, routing details

Certificates & CT Monitoring

• crt.sh: Search Certificate Transparency logs
• Censys Certificates: CT and x509 attribute pivots
• CertStream: Real‑time CT feed (via WebSocket)
• Rapid7 Open Data: Sonar datasets (DNS/HTTP/SSL)
• Favicons/mmh3: Hash favicons to cluster infra; pair with Shodan/Censys favicon search
• Cert Spotter [Freemium]: CT monitoring and alerts
• Let's Debug [Free]: Diagnose certificate issuance issues

Social Media Intelligence

• Discord ID: Basic Discord account information
• TelegramDB Search Bot: Basic Telegram OSINT
• TGStat: Channel statistics and message search
• Bluesky explorers (e.g., SkyView), Mastodon handle/instance resolvers

Telegram & Messaging Analytics

• TGStat: Channel analytics and search
• Telemetr: Channel growth, overlaps, forwards
• Combot: Group analytics (partially paid)
• t.me/s/<channel>: Public channel feed view (replace with channel name)
• WeChat OA search via Sogou Weixin: Search WeChat Official Accounts content

Infrastructure & Attack‑Surface OSINT

• Shodan: Search engine for internet‑connected devices and services
• Censys: Enumerate hosts and digital certificates across the internet
• GreyNoise: Distinguish background internet noise from targeted scans
• SecurityTrails: Passive DNS records and asset discovery
• SpiderFoot: Automated OSINT reconnaissance and correlation (self‑host or SaaS)
• theHarvester: Subdomain, email, and metadata harvesting
• Recon‑ng: Web‑based recon framework
• BuiltWith: Tech stack enumeration; useful for pivoting to third‑party assets
• Netlas: Large‑scale HTTP/DNS/certificates pivots
• Amass / Subfinder [Free]: Passive subdomain discovery (use responsibly)
• RiskIQ PassiveTotal: Passive DNS/cert/host pivots

Threat Intel & IOCs

• Vendor & CERT advisories: CISA/NSA/CSA joint advisories, CERT‑EU, NCSC‑UK, JPCERT/CC, CERT‑UA
• MISP Project and public MISP feeds
• OpenCTI: Knowledge graph for CTI (self‑host or SaaS)
• Malpedia: Malware families, YARA, references
• abuse.ch ThreatFox, URLHaus, SSLBL
• MalwareBazaar: Sample sharing (hash‑based queries)
• PhishTank, OpenPhish

Malware Analysis & Sandboxes

• Static: pefile, FLOSS, capa
• Similarity: SSDEEP, TLSH
• Sandboxes: ANY.RUN, Hybrid Analysis, CAPE, Tria.ge
• Intelligence: Intezer (code reuse), VirusTotal (be cautious—uploads become public)
• YARA: yara, community rules via Malpedia/GitHub repos
• TLS Fingerprints: JA3, JA4

RU/CN Corporate & Registries

• Russia: EGRUL/EGRIP (official registries, captcha‑gated), Rusprofile, Kontur.Focus (freemium), zakupki.gov.ru (procurement)
• Russia media/social: VK, OK.ru, Rutube
• China: GSXT (National Enterprise Credit Info), Qichacha / Tianyancha (freemium), MIIT ICP/Beian (ICP filings)
• China platforms: Weibo, Bilibili, Zhihu, Douyin

Regional Search Engines

• Russia/CIS: Yandex, Mail.ru Search
• China: Baidu, Sogou, 360 Search

Sanctions & Compliance

• OFAC SDN List
• EU Sanctions Map
• UK Sanctions List (OFSI)
• OpenSanctions: Aggregated persons/entities datasets
• OCCRP Aleph: Investigative documents, leaks, company records

Automation & Headless Browsing

• Playwright: Headless browser automation with stealth plugins
• Browsertrix Crawler: Archival crawling with WARC export

Evidence Handling

• Capture URLs, timestamps, and page snapshots (PNG + WARC/SingleFileZ) for every key artifact.
• Hash downloaded files (SHA‑256) and record in your case notes.
• Avoid cross‑contamination: separate work profiles/containers per case; store evidence read‑only.
• Prefer JSONL (NDJSON) logs with a run_id and tool versions for reproducibility.