We briefly explained and discussed OSINT techniques and tools using practical scenarios that involve extracting public information from Domain names, social media websites (LinkedIn, Reddit,etc) and even location information using Google hangouts and Foursquare.

Blue Team Study Notes

The Complete Practical Web Application Penetration Testing Course


What is OSINT?

OSINT is the process of gathering information about the target’s system, network and defenses using passive methods. OSINT includes collecting and gathering data from publicly available sources, such as DNS registrars, web searches, security-centric search engines like Shodan and Censys, Social media websites such as Facebook, Instagram,Reddit,Linkedin,etc.

Another type of open source intelligence is information about vulnerabilities and other security flaws, including sources like the Common Vulnerabilities and Exposures (CVE) and
Common Weakness Enumeration (CWE) resources.

Examples of information that can be gathered using OSINT

  • Domain names and subdomains
  • IP Address ranges
  • Email addresses
  • Physical locations
  • Staff list and organization chart.
  • Documents’ meta data.
  • Social media information
  • Technologies and infrastructure.


  • Recon-ng is a example framework that helps automate the OSINT work.
  • OSINT Framework
  • Maltego

Commands used in DNS enuemration

nslookup -type=text secure-startup.com

nslookup -type=txt_dmarc.secure-startup.com

dig secure-startup.com ANY

In the third case, the location of the email owner was found opening Google hangouts, inspecting the page and looking for “jsdata” till the pattern of numbers was found.

Video Walkthrough

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles