The Hunter’s Book of OSINT
HTTP Tools
Unfurl: break down URLs to their components
- 2D version: https://dfir.blog/unfurl/
- 3D version: https://dfir.blog/unfurl-3d/
OSINT Tools | GitHub Curated Reference
awesome-osint
- URL: https://github.com/jivoi/awesome-osint
We need to start with awesome-osint because it contains a great list of public threat intel resources.
Yelp Threat Intel
- URL: https://github.com/Yelp/threat_intel
Amazing Python tool that acts as a wrapper for useful APIs: Umbrella Investigate, VirusTotal API v2.0 and ShadowServer API.
CertStream
- URL: https://github.com/huydhn/certstream-analytics
A great tool to perform analysis on domain strings: IDNA decoder, homoglyphs decoder, word segmentation, etc.
r3con1z3r
- URL: https://github.com/abdulgaphy/r3con1z3r
This tool produces quick, easy-to-read reports on specific domains. By default, it outputs an HTML file with plain text information on the domain.
Gotanda OSINT
- URL: https://github.com/HASH1da1/Gotanda
Gotanda is an OSINT (Open Source Intelligence) web extension for Firefox/Chrome. It can search OSINT information for IOCs found in a web page (IP, Domain, URL, SNS, etc.).
List of supported engines
| Name | URL | Category |
|---|---|---|
| Domain Tools | https://whois.domaintools.com/ | whois lookup |
| Security Trails | https://securitytrails.com/ | whois lookup |
| whoisds | https://whoisds.com/ | whois lookup |
| ThreatCrowd | https://www.threatcrowd.org/ | Domain, IPv4 |
| AbuseIPDB | https://www.abuseipdb.com/ | IPv4 |
| HackerTarget | https://hackertarget.com/ | IPv4 |
| Censys | https://censys.io/ | IP, Domain |
| Shodan | https://shodan.io/ | IP, Domain |
| FOFA | https://fofa.so/ | IP, Domain |
| VirusTotal | https://virustotal.com/ | IP, Domain, URL, Hash |
| GreyNoise | https://viz.greynoise.io/ | IPv4 |
| IPAlyzer | https://ipalyzer.com/ | IPv4 |
| Tor Relay Search | https://metrics.torproject.org/ | IP, Domain |
| Domain Watch | https://domainwat.ch/ | Domain, Email, whois lookup |
| crt.sh | https://crt.sh/ | SSL-certificate |
| SecurityHeaders | https://securityheaders.com/ | URL, Domain |
| DNSlytics | https://dnslytics.com/ | IPv4, IPv6, ASN |
| URLscan | https://urlscan.io/ | URL |
| Ultratools | https://www.ultratools.com/ | IPv6 |
| Wayback Machine | https://web.archive.org | URL |
| aguse | https://www.aguse.jp/ | URL |
| check-host | https://check-host.net/ | URL |
| CIRCL | https://cve.circl.lu/ | CVE |
| FortiGuard | https://fortiguard.com/ | CVE |
| Sploitus | https://sploitus.com/ | CVE |
| Vulmon | https://vulmon.com/ | CVE |
| CXSecurity | https://cxsecurity.com/ | CVE |
| Vulncode-DB | https://www.vulncode-db.com/ | CVE |
| Malshare | https://malshare.com/ | MD5 Hash |
| ThreatCrowd | https://www.threatcrowd.org/ | IP, Domain |
| Hybrid Analysis | https://www.hybrid-analysis.com/ | hash |
| Twitter | https://twitter.com/ | SNS, w/TimeLine |
| Qiita | https://qiita.com | SNS |
| GitHub | https://github.com | SNS |
| Facebook | https://www.facebook.com/ | SNS, w/TimeLine |
| Instagram | https://www.instagram.com/ | SNS |
| LinkedIn | https://linkedin.com/ | SNS |
| Pinterest | https://www.pinterest.jp | SNS |
| reddit | https://www.reddit.com/ | SNS |
Hawk
- URL: https://github.com/T0pCyber/hawk
PowerShell-based tool for gathering information related to O365 intrusions and potential breaches.
The Hawk module has been designed to ease the burden on O365 administrators who are performing a forensic analysis in their organization.
It does NOT take the place of a human reviewing the data generated and is simply here to make data gathering easier.
OSINT Online Services
RiskIQ
Threat intelligence platform that lets you connect multiple third-party services and brings petabytes of internet intelligence directly to your fingertips. RiskIQ offers a free community edition that allows you to gather information on different IOCs via either the GUI or the API. You can investigate threats by pivoting through attacker infrastructure data, understand which of your digital assets are internet-exposed, and map and monitor your external attack surface.

- API Reference and Testing: https://api.riskiq.net
Note: The API has two sections: the full RiskIQ platform section, which uses an api_key and api_secret, and the RiskIQ Community API section (aka PassiveTotal), which uses your community account credentials based on user_name and api_key. The latter won’t work with the former.