July 5, 2026
OSINT: A Practical Guide to Footprinting Targets

By Aditya Pandey
Disclaimer: The techniques discussed in this article are intended for authorized security assessments, penetration testing, bug bounty programs, and educational purposes only. Always obtain proper permission before gathering information about any organization or individual.
Introduction
Before a penetration test ever begins, attackers and security professionals perform Open-Source Intelligence (OSINT). This phase involves collecting publicly available information about a target without directly interacting with its systems.
A successful OSINT investigation can reveal:
- Domains and subdomains
- Employee information
- Email addresses
- DNS infrastructure
- Network topology
- Technology stack
- Public documents
- Social media presence
- Historical website data
The more information gathered during reconnaissance, the more effective the later stages of an assessment become.
Let's explore the most practical techniques and tools used during the OSINT phase.
1. Discovering Domains and Subdomains
Subdomains often expose forgotten applications, development servers, VPN portals, APIs, and staging environments.
SubBrute
Performs DNS brute forcing using a large wordlist.
./subbrute.py example.com
Nmap DNS Brute Script
Nmap includes an NSE script for DNS enumeration.
nmap --script dns-brute www.example.com
dnsmap
Attempts to discover common subdomains automatically.
dnsmap example.com
Fierce
A classic DNS reconnaissance tool.
fierce --domain example.com
Sublist3r
Enumerates subdomains using multiple search engines.
python3 sublist3r.py -d google.com -p 80 -e Bing
2. Finding Similar or Typosquatted Domains
Organizations frequently become targets of typo-squatting attacks.
URLCrazy
Generates permutations of domain names.
urlcrazy -p microsoft.com
Useful for discovering:
- Phishing domains
- Brand impersonation
- Lookalike websites
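To make the permutation idea concrete, here is a small Python script added for this article (it is not URLCrazy's code and not from the original post). It generates the same families of lookalike names that typosquatting tools produce (omission, transposition, repetition, homoglyph swaps, hyphenation) so a defender can feed the list into a domain-registration or DNS-monitoring job for their own brand. The domain, the substitution table, and the assumption that the input is a simple two-label domain are all constructed for the example.

```python
# Added example: lookalike-domain generator for brand monitoring.
# Domain and substitution table are constructed assumptions.
from typing import Dict, Set, Tuple

# Common visual/typing confusions (assumption; extend for your own brand).
HOMOGLYPHS: Dict[str, Tuple[str, ...]] = {
    "a": ("4",), "e": ("3",), "i": ("1", "l"), "l": ("1", "i"),
    "o": ("0",), "s": ("5",), "m": ("rn",), "w": ("vv",),
}


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'example.com' into ('example', 'com'); only the left label is mutated."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def typosquat_candidates(domain: str) -> Set[str]:
    """Return lookalike domains a squatter might register for `domain`."""
    label, tld = split_domain(domain)
    variants: Set[str] = set()
    # Omission: one character dropped (exmple.com)
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])
    # Transposition: two adjacent characters swapped (exmaple.com)
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Repetition: one character doubled (exaample.com)
    for i in range(len(label)):
        variants.add(label[:i] + label[i] * 2 + label[i + 1:])
    # Homoglyph: lookalike substitution (examp1e.com, exarnple.com)
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, ()):
            variants.add(label[:i] + sub + label[i + 1:])
    # Hyphenation: a hyphen inserted inside the label (ex-ample.com)
    for i in range(1, len(label)):
        variants.add(label[:i] + "-" + label[i:])
    variants.discard(label)  # never report the real domain itself
    return {f"{v}.{tld}" for v in variants if v}


if __name__ == "__main__":
    for candidate in sorted(typosquat_candidates("example.com")):
        print(candidate)
```

Resolve each candidate (or check it against certificate-transparency logs) on a schedule; a name that suddenly starts resolving is the signal worth alerting on.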
3. Advanced Google Searching (Google Dorking)
Search engines index far more than most organizations realize.
Advanced operators help uncover hidden information.
Examples include:
site:example.com
filetype:pdf site:example.com
intitle:"index of"
inurl:admin
These operators can reveal:
- Login portals
- Configuration files
- Public documents
- Backup archives
- Directory listings
Google Hacking Database (GHDB)
The Google Hacking Database contains hundreds of pre-built search queries for locating exposed information.
It is an excellent resource for learning effective Google Dorks.
SiteDigger
Automates the Google Hacking process.
Google Hacking Diggity Project
A collection of Google Dorks useful during security assessments.
4. Using Shodan for Internet Reconnaissance
Unlike Google, Shodan indexes Internet-connected devices instead of websites.
It can identify:
- Firewalls
- Routers
- Industrial Control Systems
- Web Servers
- IoT Devices
- Remote Desktop Services
- SSH Servers
Shodan provides valuable insight into an organization's exposed infrastructure.
5. Finding a Company's Physical Location
Sometimes physical locations become useful during social engineering assessments.
Useful services include:
- Google Maps
- Bing Maps
- MapQuest
- Waze
- Wikimapia
Nmap Geolocation Script
Nmap also includes several NSE scripts for IP geolocation.
Examples include:
- ip-geolocation-geoplugin
- ip-geolocation-ipinfodb
- ip-geolocation-maxmind
- ip-geolocation-map-google
- ip-geolocation-map-bing
- ip-geolocation-map-kml
These scripts estimate the physical location of IP addresses. [Currently not working]
6. Email Harvesting
Email addresses reveal usernames, naming conventions, and potential phishing targets.
theHarvester
One of the most popular OSINT tools.
theHarvester -d example.com -l 500 -b google -h results.html
It can gather:
- Email addresses
- Hostnames
- IP addresses
- Employee information
Metagoofil
Searches public documents for metadata.
python metagoofil.py -d example.com -t pdf,doc,xls -l 100 -n 10 -o output -f report.html
Metadata often contains:
- Usernames
- Internal file paths
- Software versions
- Operating systems
7. Searching Breach Data
Public breach databases can reveal compromised email addresses.
Popular resources include:
- Have I Been Pwned
- Pastebin monitoring services
These findings should always be handled responsibly and ethically.
8. Identifying Employees
Employee information is widely available online.
Useful platforms include:
- PeopleFinder
- Pipl
Information gathered may include:
- Job titles
- Departments
- Technologies used
- Organizational hierarchy
9. Social Media Intelligence
Employees often unintentionally disclose valuable information.
Useful platforms include:
- X
Information commonly discovered:
- Office locations
- Internal technologies
- Company events
- Email formats
- Employee names
10. Identifying Network Technologies
Job postings often reveal the organization's infrastructure.
Useful search examples:
Cisco ASA company_name
or
Palo Alto site:linkedin.com
Job portals such as Indeed, Dice, Monster, and CareerBuilder frequently disclose:
- Firewalls
- Cloud platforms
- SIEM solutions
- VPN technologies
- Network vendors
11. Email Header Analysis
Email headers reveal routing information.
Tools like EmailTrackerPro can identify:
- Sending IP
- Mail servers
- Relay information
- Approximate sender location
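Here is what a tool like EmailTrackerPro is doing under the hood, written as an added Python example for this article (not EmailTrackerPro's code and not from the original post). It walks the Received: headers of a message, pulls out the "from" host, the bracketed IP, and the "by" server of each hop, and returns the relay chain in chronological order. The sample message is constructed and uses RFC 5737 documentation addresses. One caveat a defender should keep in mind: only the Received lines added by your own mail servers are trustworthy; anything below that boundary can be forged by the sender.

```python
# Added example: extract the relay chain from Received: headers.
# The message below is constructed (RFC 5737 documentation IPs), not real mail.
import re
from email import message_from_string
from email.policy import default

SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby mail.example.com (Postfix) with ESMTPS id 4Abc123
\tfor <alice@example.com>; Mon, 1 Jan 2024 10:00:05 +0000
Received: from workstation.lan (unknown [198.51.100.7])
\tby mx.example.org (Postfix) with ESMTP id 4Def456;
\tMon, 1 Jan 2024 10:00:01 +0000
From: Bob <bob@example.org>
To: alice@example.com
Subject: quarterly numbers

body
"""

# "from <host> (<rdns> [<ip>]) by <server>" is the RFC 5321 trace shape.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"          # host the sender claimed (HELO/EHLO)
    r"(?:\s+\((?P<info>[^)]*)\))?"   # optional reverse-DNS and [ip] block
    r"\s+by\s+(?P<by>\S+)",          # server that added this header
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message: str) -> list:
    """Return hops oldest-first: [{'from': ..., 'ip': ..., 'by': ...}, ...]."""
    msg = message_from_string(raw_message, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(str(value).split())  # unfold continuation lines
        m = HOP_RE.search(line)
        if not m:
            continue  # malformed or non-standard trace line; skip it
        ip_match = IP_RE.search(m.group("info") or "")
        hops.append({
            "from": m.group("from"),
            "ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by"),
        })
    # Each server prepends its header, so the top of the message is the last hop.
    hops.reverse()
    return hops


def origin_ip(raw_message: str):
    """IP recorded in the earliest hop; None if no hop carried one."""
    hops = parse_received(raw_message)
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_MESSAGE):
        print(f"{hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("origin:", origin_ip(SAMPLE_MESSAGE))
```

For geolocation, pass the origin IP to whatever database you use; the parser deliberately stops at extracting the IP so the untrusted part of the chain is visible rather than hidden behind a map pin.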
12. Website Analysis
A company's own website often leaks valuable information.
Areas to inspect include:
- Contact pages
- About pages
- HTML comments
- JavaScript files
- robots.txt
- sitemap.xml
Also examine:
- Posting patterns
- Revision history
- Developer comments
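A quick way to audit your own site for the items above is to script the inspection. The Python below is an added example for this article (not from the original post): it pulls HTML comments and external script references out of a page and parses robots.txt for the paths it advertises. The HTML, the robots.txt, and the base URL used to resolve relative script paths are all constructed for the example.

```python
# Added example: surface HTML comments, script sources and robots.txt paths.
# SAMPLE_HTML, SAMPLE_ROBOTS and BASE_URL are constructed inputs.
from html.parser import HTMLParser
from urllib.parse import urljoin

BASE_URL = "https://www.example.com/"  # assumption used to resolve relative paths

SAMPLE_HTML = """<html><head>
<!-- TODO: remove before launch, old admin at /admin-old/ -->
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.min.js"></script>
</head><body>
<a href="/contact">Contact</a>
<!-- built with CMS v2.3 -->
</body></html>"""

SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/   # hiding a path from crawlers also announces it
Allow: /
Sitemap: https://www.example.com/sitemap.xml
"""


class LeakCollector(HTMLParser):
    """Collects HTML comments and <script src=...> values while parsing."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.scripts = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.scripts.append(value)


def inspect_html(html: str, base: str = BASE_URL) -> dict:
    parser = LeakCollector()
    parser.feed(html)
    return {
        "comments": parser.comments,
        "scripts": [urljoin(base, src) for src in parser.scripts],
    }


def parse_robots(text: str) -> dict:
    """Return Disallow paths and Sitemap URLs; comments after '#' are ignored."""
    disallow, sitemaps = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        key, value = key.strip().lower(), value.strip()
        if key == "disallow" and value:
            disallow.append(value)
        elif key == "sitemap":
            sitemaps.append(value)
    return {"disallow": disallow, "sitemaps": sitemaps}


if __name__ == "__main__":
    print(inspect_html(SAMPLE_HTML))
    print(parse_robots(SAMPLE_ROBOTS))
```

Every comment and third-party script the script reports is something a stranger can read too, so the review question for each is simply "do we want this public?".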
Archive.org
The Wayback Machine stores historical versions of websites.
Old snapshots may reveal:
- Removed employee names
- Old admin portals
- Legacy applications
- Forgotten documents
Website Watcher
Useful for monitoring website changes over time.
13. DNS Interrogation
DNS provides one of the richest sources of infrastructure intelligence.
Whois Lookup
whois microsoft.com
Whois records provide:
- Domain registration
- Registrar
- Name servers
- Registration dates
Whois using Nmap
nmap -sn --script whois-* www.microsoft.com
Useful NSE scripts include:
- whois-domain
- whois-ip
Finding DNS Records
dnsrecon
dnsrecon -d microsoft.com
dnsenum
dnsenum -enum google.com
dig
Retrieve DNS records:
dig google.com
IP only:
dig google.com +short
SOA:
dig google.com -t SOA
MX:
dig google.com -t MX
IPv6:
dig google.com -t AAAA
NSLookup
nslookup
set type=ns
microsoft.com
Useful for querying:
- A
- AAAA
- MX
- NS
- TXT
- CNAME records
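When you run the dig commands above against many domains, reading the answers by eye stops scaling. The Python below is an added example for this article (not part of dig or the original post): it parses the ANSWER SECTION of dig's output into records, groups them by type, and runs one defender-side check that falls out of the MX and TXT data, namely whether the domain publishes an SPF record and whether that record ends in a hard fail. The dig output is constructed with RFC 5737 / RFC 3849 documentation addresses.

```python
# Added example: parse dig's ANSWER SECTION and check mail posture.
# SAMPLE_DIG is constructed output, not a real query result.
SAMPLE_DIG = """\
; <<>> DiG <<>> example.com ANY
;; ANSWER SECTION:
example.com.\t\t300\tIN\tA\t203.0.113.5
example.com.\t\t300\tIN\tAAAA\t2001:db8::1
example.com.\t\t300\tIN\tMX\t10 mail.example.com.
example.com.\t\t300\tIN\tNS\tns1.example.com.
example.com.\t\t300\tIN\tTXT\t"v=spf1 include:_spf.example.net -all"
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300

;; Query time: 12 msec
"""


def parse_dig_answer(output: str) -> list:
    """Return [{'name', 'ttl', 'type', 'data'}, ...] from the ANSWER SECTION."""
    records = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            break  # blank line or next section ends the answer block
        parts = line.split(None, 4)  # name ttl class type rdata (rdata may contain spaces)
        if len(parts) < 5:
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append({"name": name.rstrip("."), "ttl": int(ttl),
                        "type": rtype, "data": rdata})
    return records


def by_type(records: list) -> dict:
    grouped = {}
    for rec in records:
        grouped.setdefault(rec["type"], []).append(rec["data"])
    return grouped


def mail_posture(records: list) -> dict:
    """Does the zone accept mail, publish SPF, and hard-fail unlisted senders?"""
    grouped = by_type(records)
    spf = [txt.strip('"') for txt in grouped.get("TXT", [])
           if txt.strip('"').startswith("v=spf1")]
    return {
        "has_mx": "MX" in grouped,
        "has_spf": bool(spf),
        "spf_hard_fail": any(s.endswith("-all") for s in spf),
    }


if __name__ == "__main__":
    recs = parse_dig_answer(SAMPLE_DIG)
    for rtype, values in by_type(recs).items():
        print(rtype, values)
    print(mail_posture(recs))
```

A zone with has_mx true and has_spf false is the case to fix first: it receives mail but gives receivers nothing to reject spoofed senders with.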
14. Reverse DNS Lookup
Reverse lookups determine which domain belongs to an IP address.
Example:
dnsrecon -r 162.240.0.0-162.241.255.255
Online services such as YouGetSignal can also perform reverse IP lookups.
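To show what a reverse sweep like the dnsrecon command above actually does, here is an added Python example for this article (not dnsrecon's code and not from the original post). It turns the start-end range into CIDR blocks, builds the in-addr.arpa name a PTR query really asks for, and groups whatever hostnames come back by their domain. Network access is kept out of the example: the resolver is a lookup into a constructed table of PTR answers over an RFC 5737 documentation range, which a practitioner can swap for a real resolver call.

```python
# Added example: reverse-DNS sweep mechanics without touching the network.
# SAMPLE_PTR_ANSWERS is a constructed table, not real PTR data.
import ipaddress
from typing import Callable, Dict, List, Optional


def range_to_networks(range_spec: str) -> list:
    """Turn 'a.b.c.d-e.f.g.h' (dnsrecon -r style) into the minimal CIDR list."""
    start, _, end = range_spec.partition("-")
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())))


def ptr_name(ip: str) -> str:
    """The name a reverse lookup queries, e.g. 10.113.0.203.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def base_domain(hostname: str) -> str:
    """Last two labels of a PTR target; fine for .com/.org, naive for .co.uk."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


SAMPLE_PTR_ANSWERS: Dict[str, str] = {
    "203.0.113.10": "mx.example.org.",
    "203.0.113.11": "www.example.org.",
    "203.0.113.12": "vpn.example.com.",
}


def domains_in_range(range_spec: str,
                     resolver: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Sweep the range, ask resolver(ip) for a PTR hostname, group hits by domain."""
    found: Dict[str, List[str]] = {}
    for net in range_to_networks(range_spec):
        for ip in net:  # every address in the block, not only usable hosts
            host = resolver(str(ip))
            if host:
                found.setdefault(base_domain(host), []).append(str(ip))
    return found


if __name__ == "__main__":
    nets = range_to_networks("162.240.0.0-162.241.255.255")
    print([str(n) for n in nets], sum(n.num_addresses for n in nets), "PTR queries")
    print(ptr_name("203.0.113.10"))
    print(domains_in_range("203.0.113.8-203.0.113.15", SAMPLE_PTR_ANSWERS.get))
```

The address count printed for the article's range (131,072 queries for a /15) is also why a reverse sweep of your own space is loud in resolver logs, which makes it a reasonable thing to alert on from the defending side.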
15. DNS Zone Transfer Testing
Misconfigured DNS servers may expose entire DNS databases.
Using dig:
dig ns example.com
Attempt zone transfer:
dig axfr @ns1.example.com example.com
Using dnsrecon:
dnsrecon -t axfr -d example.com
Using dnsenum:
dnsenum example.com
Always perform zone transfer testing only against systems you are authorized to assess.
16. Traceroute Analysis
Traceroute maps the network path between your machine and the target.
Linux:
traceroute microsoft.com
Windows:
tracert microsoft.com
Nmap:
nmap --traceroute --script traceroute-geolocation example.com
This can reveal:
- Intermediate routers
- ISPs
- Network latency
- Geographic routing
17. Network Mapping
Tools such as Gliffy or Cisco Packet Tracer help visualize the network relationships discovered during reconnaissance.
Creating diagrams simplifies later attack planning and reporting.
18. Automating OSINT
Several frameworks combine multiple reconnaissance tools into one workflow.
Popular choices include:
Maltego
Visual link analysis platform.
FOCA
Excellent for metadata extraction from public documents.
fsociety
Collection of penetration testing modules.
PentMenu
Terminal-based reconnaissance toolkit.
19. Document Everything
Reconnaissance without documentation quickly becomes overwhelming.
Record:
- Domains
- Subdomains
- DNS records
- Email addresses
- Technologies
- Employee names
- IP ranges
- Screenshots
- Timeline of discoveries
Well-organized notes significantly improve the efficiency of later penetration testing phases.
Final Thoughts
OSINT is often underestimated because it involves no exploitation, yet it can expose an astonishing amount of information using only public sources. Every domain, employee profile, DNS record, leaked document, or archived webpage contributes another piece to the puzzle.
For penetration testers, OSINT provides the foundation for effective engagements. For defenders, it serves as a reminder that the organization's public footprint is part of its attack surface. Regularly auditing what information is exposed online helps reduce unnecessary risk and strengthens overall security posture.
The best recon professionals aren't always the ones running the loudest scans. They're the ones who know where to look, how to connect seemingly unrelated clues, and when to stop because they've gathered enough actionable intelligence.
Happy hunting, and always stay within the bounds of ethics and authorization. 🛡️