Discover Three Key OSINT Tools – And How to Use Them by Gergo Varga


Open Source Intelligence (OSINT) can provide you with a wealth of useful, detailed and – perhaps most importantly – free data. Whether you seek to learn more about a company, an individual, or a specific website or computer system, OSINT gives you a host of ways to gather more information. 

Admittedly, OSINT can be (and is) used in two very different ways: Data that’s out there for the taking is as useful to malicious hackers as it is to those who work to combat them.

However you wish to make use of Open Source Intelligence, the first challenge is working out how to source, collate and organize the data. There’s a lot of it out there and a range of ways to access it, spanning all the way from manual online lookups to fully automated and integrated systems. 

In this article, we’ll examine three useful OSINT tools, and suggest ways to make use of them. 

But first, let’s have a quick run through the basics of how Open Source Intelligence works.

The Basics of OSINT

Most people, even “non-technical” people, have dipped into Open Source Intelligence – usually unknowingly. 

Having a nose around Facebook, looking up old school friends, enemies and exes, and finding out what information is “out there” about them is making use of OSINT data. Similarly, so is simple online research, such as Googling a future Tinder date. 

As the world becomes more privacy aware, some people are hesitant about sharing too much online information. Social networks like Facebook provide extensive guidance to users on this. However, all but those who completely shun the online world leave some kind of digital footprint.  

Of course, OSINT isn’t just about individuals being inquisitive about exes or potential suitors. Penetration testers and ethical hackers may be far more interested in gathering data on a company level, rather than an individual level. And businesses can use OSINT to do their due diligence on customers.

Regardless of the use case, it all follows the same basic principle. It’s about making use of data that’s freely available. This can include:

  • What people share on social media.
  • The data linked to email address(es) and phone number(s).
  • Website WHOIS, MX and DNS data. 
  • Information from publicly available databases.
  • Data dumps from system breaches. 
  • Public lists of compromised accounts. 
  • Published content, such as news articles and blog posts.

As you can imagine, this data is valuable to cybercriminals, for activities such as identity theft and breaching corporate systems. It’s equally valuable to cybersecurity and fraud prevention specialists, providing ways to verify that people are who they say they are, and to hone in on unpatched vulnerabilities

With so much data “in the wild,” the key challenge of OSINT is gathering it, sorting it, and spotting patterns of activity, instead of having to always conduct such research manually.

 That’s where OSINT tools come in useful. Here are three examples of tools that help to harness this abundance of data. 

SEON: OSINT for fraud prevention

SEON offers fraud prevention tools primarily aimed at protecting online businesses – and one of the ways to do this is by using OSINT data to facilitate both manual and automated investigations of the digital footprint linked to a certain email address or phone number. 

Simply put, the quickest way to find out whether or not someone is who they say they are is to check their emails and phone numbers on social media and other apps to see if they have corresponding accounts. SEON does that instantly with over 35 services, meaning that simple identity theft can be busted as they tend to use throwaway emails and not have the corresponding digital footprint.

This information can inform key business decisions and help to verify that everything about a customer “adds up”. 

Do they have an established email account that’s linked to social profiles? Is their phone number a “real” number, or a virtual one? Do they use any VoIP or IM apps with either? And so on.

One way to think about this is as an identity verification technique to replace or supplement other methods. As SEON explains, identity verification involves gathering available user data, checking that it’s valid (not faked nor stolen), and then performing ongoing authentication to confirm you’re always dealing with a genuine person. 

On the most basic level, you can do a manual lookup on an email address, phone number or IP address. There’s also the option of a browser extension. Taking it further, companies can use SEON’s API to integrate detailed OSINT checks with their other systems. For example, SEON can be built into an eCommerce store to help verify card payments and flag suspicious transactions, using the OSINT module in combination with device fingerprinting, velocity checks and machine learning monitoring.

From here, SEON’s data enrichment approach is available programmatically via an API, so it can be used for whatever you’re doing, and at scale, providing easy access to an extensive set of OSINT information. 

Manually seeking data from all of the sources SEON checks would be unfeasibly time-consuming, of course. But running manual checks for each email address or phone number is not easy to scale up either. That’s where data enrichment comes in to automate the process, making this a great way to gather intelligence on people’s digital footprint or “shadow”, an alternative term mentioned by Kaspersky.  

How to Use It

You can gain an immediate insight into how SEON works by using the free lookup tool on the official website. Submitting an IP, phone number or email address will return a host of information, such as data from over 35 linked social media and web platform accounts, including Twitter, Pinterest and Facebook. It also looks at domain information and data breach history, among other data points.

SEON’s paid services give you access to the full set of information and functionality. This includes API access, a range of SDK libraries, and full use of the company’s browser extension. 

Maltego: OSINT for forensic (and other) research

Maltego is the market leader in OSINT. This is a graphical link analysis tool that takes OSINT data and helps you spot patterns, relationships and commonalities in a user-friendly way. It’s often used for investigations and law enforcement. 

The nature of Open Source Intelligence data means that there’s often a lot of it – especially if you’re pulling from multiple sources. Reams of text-based data and Excel spreadsheets do not lend themselves well to easy analysis – a problem that Maltego’s automation and graphical approach seeks to solve. 

Maltego links data together in clusters and maps relationships. As well as making use of OSINT data sources, Maltego can also take data from commercial feeds, such as threat intelligence platforms, business risk services and intelligence collection platforms. It’s also possible to enhance the data further by integrating internal data sets.  

How to Use It

Maltego is a great platform for complex investigative and legal work. The desktop application runs in Java and therefore works in Windows, Mac and Linux. 

Despite the ability to integrate multiple sets of complex data, the system has a relatively simple graphical user interface. Using a system of pre-published “Transforms”, you can pull from both free datasets and commercial sources. The library of standard Transforms includes access to things like social networks, DNS servers and search engines. 

Maltego is free for non-commercial use via its trimmed-down “Community” version, with access to additional features and commercial Transforms in its paid iterations. 

Recon-ng: OSINT for web domain investigations

Recon-ng is a full framework for OSINT information gathering, with a focus on data around web domains. It’s Python-based and completely open-source. It’s fair to say that it’s the least “beginner friendly” option here – but it provides scope for deep integration with bespoke systems. 

A wide range of modules is available for Recon-ng, including the InfoSploit module, which gives the system full WHOIS capabilities. 

Domain WHOIS data can provide a rich set of information around everything from domain ownership to IP details, registration and renewal dates, server locations and MX records for email. It’s worth noting that the exact information available can depend on whether domain owners opt for privacy protection, as explained here by Bluehost.

Billed as a reconnaissance tool, Recon-ng is a great example of an OSINT tool that can be utilized either ethically or maliciously. It’s extremely useful for penetration testers, with modules that can scan for specific vulnerabilities, and for which software products and technologies are used on any given website. 

How to Use It

Recon-ng is a command line interface-based tool that can be configured exactly as needed and integrated into any workflow. Its modular approach comes with an inevitable learning curve, however, the product is well regarded for having a good standard of interactive help and documentation. 

Simple command line inputs allow you to make use of various built-in lookup functions. For example, you can query domain contacts and DNS records for a specific domain. 

You can also check if individual email addresses are listed in the HIBP (Have I been Pwned) exploit database. The profiler commands can be used to drill down into a company’s social media presence, checking multiple sites ranging from mainstream to more obscure.

A Recon-ng search can start from a morsel of information such as a domain name. By utilizing the various different modules, you can gather information from a range of different OSINT sources and build a growing picture of a domain, organization or individual. 

Summing Up

As you can see, while there’s some crossover between these tools, they all take a unique approach. In many cases, your purposes may dictate the need for more than one OSINT tool. 

Thankfully, API integrations can allow you to construct a system that makes the most of all the tools you need. You can then whittle down the abundance of OSINT data to something useful and actionable for your needs.

About the Author


Gergo Varga has been fighting online fraud since 2009 at various companies – even co-founding his own anti-fraud startup. He's the author of the Fraud Prevention Guide for Dummies – SEON Special edition. He currently works as the Senior Content Manager/Evangelist at SEON, using his industry knowledge to keep marketing sharp, communicating between the different departments to understand what's happening on the frontlines of fraud detection. He lives in Budapest, Hungary, and is an avid reader of philosophy and history.


April 25, 2022


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023