TL;DR: Open Source Intelligence (OSINT) tools let anyone with an internet connection investigate anyone else. Sherlock checks 400+ websites for your username. Maltego maps relationships between your accounts, domains, and contacts. Shodan finds every device you've connected to the internet. SpiderFoot automates all of it. These aren't secret government tools; they're free and open source. Journalists, hackers, stalkers, and law enforcement all use them. Here's how they work, so you can understand what you're up against.
What Is OSINT?
Open Source Intelligence is information gathered from publicly available sources. That includes:
- Social media profiles
- Public records
- Domain registrations
- Forum posts
- News articles
- Leaked databases
- Metadata in photos
- Internet-connected device information
OSINT tools automate the collection and analysis of this data. What would take humans weeks to compile manually, these tools do in minutes.
Who uses them:
- Journalists investigating sources
- Cybersecurity researchers mapping attack surfaces
- Law enforcement tracking suspects
- Private investigators
- Hackers doing reconnaissance before attacks
- Stalkers and abusers (unfortunately)
- Anyone curious about someone else
The tools don't care about intent. They just find information.
Sherlock: Find Usernames Everywhere
What it does: Searches 400+ websites for a specific username [1].
How it works: Sherlock constructs the expected profile URL for each site (like twitter.com/username or github.com/username) and checks if it exists. No API keys needed. No login required. Just brute-force URL checking.
What it finds:
- Social media accounts (Twitter, Instagram, TikTok, Reddit)
- Gaming platforms (Steam, Xbox, PlayStation, Roblox)
- Developer sites (GitHub, GitLab, Codecademy)
- Forums and communities
- Dating sites
- Professional networks
The reality: If you use the same username across multiple sites, Sherlock will find all of them. Even if you think an old forum account is forgotten, it's not.
Get it: github.com/sherlock-project/sherlock (free, open source)
Similar Tools
| Tool | Sites Checked | Notes |
|---|---|---|
| WhatsMyName | 640+ | Web-based, category filters, 94% accuracy claimed |
| Namechk | 100+ | Originally for brand availability checking |
| Blackbird | 150+ | Lightweight alternative |
Caveat: Same username doesn't mean same person. Investigators must verify. But it's a starting point that often leads to the right person.
Maltego: Map Relationships
What it does: Visualizes connections between entities: people, domains, emails, IP addresses, social accounts, phone numbers [2].
How it works: Start with one piece of information (an email, a domain, a name). Maltego runs "transforms" (queries to various data sources) and builds a graph showing relationships. Each discovered entity can be expanded further.
Example investigation:
- Start with email: [email protected]
- Transform finds: domain example.com
- Transform finds: other emails @example.com
- Transform finds: social accounts linked to that email
- Transform finds: phone numbers, addresses, associates
- Result: A visual map of everything connected to that email
Data sources: Maltego integrates with hundreds of APIs, including Shodan, VirusTotal, Have I Been Pwned, social media platforms, domain registrars, and commercial data brokers.
Who uses it: Law enforcement, corporate security teams, journalists (Bellingcat uses Maltego extensively), and penetration testers.
Cost: Community Edition is free (limited). Pro starts at $999/year. Enterprise pricing on request.
2025 updates: Better MITRE ATT&CK integration, new transform hubs for threat intelligence.
Shodan: The Search Engine for Devices
What it does: Indexes every internet-connected device it can find: servers, cameras, routers, industrial systems, smart home devices [3].
How it works: Shodan continuously scans the internet, connecting to devices and recording what they respond with. It catalogs: IP addresses, open ports, running services, software versions, and sometimes default credentials.
What you can find:
- Unsecured webcams (yes, really)
- Exposed databases
- Vulnerable servers
- Industrial control systems
- Smart home devices
- Network equipment
- Anything with an IP address
Example searches:
- `port:3389 country:US`: Find US devices with Remote Desktop exposed
- `webcamxp`: Find webcams running specific software
- `org:"Company Name"`: Find all devices belonging to an organization
- `city:"New York" port:22`: SSH servers in New York
Privacy implications: If you've ever set up a server, router, or IoT device with a public IP, Shodan has probably indexed it. All the default passwords you forgot to change? Shodan knows.
2025 updates: AI-assisted query suggestions, visual maps for rapid asset discovery.
Cost: Limited free searches. Membership starts at $49/month.
Website: shodan.io
SpiderFoot: Automated Reconnaissance
What it does: Automates OSINT gathering across 200+ data sources [4].
How it works: Give it a target (domain, IP, email, phone number, username, name). SpiderFoot queries all relevant sources automatically and compiles the results.
Data sources include:
- Shodan
- VirusTotal
- Have I Been Pwned
- DNS records
- WHOIS data
- Social media platforms
- Paste sites
- Dark web monitoring
Use cases:
- Red teams: Map an organization's attack surface before a penetration test
- Blue teams: Find what information about your organization is publicly exposed
- Investigations: Gather everything about a target from one interface
Versions:
- SpiderFoot (Open Source): Free, self-hosted, command line or web GUI
- SpiderFoot HX: Cloud-hosted, commercial, more features
Get it: github.com/smicallef/spiderfoot
theHarvester: Email and Domain Reconnaissance
What it does: Collects emails, subdomains, IPs, and URLs from public sources [5].
How it works: Scrapes search engines, PGP key servers, and domain databases for information about a target domain or organization.
Data sources (30+):
- Search engines (Google, Bing, DuckDuckGo)
- Certificate transparency logs
- DNS databases
- Shodan
- GitHub
Typical output:
- Email addresses: [email protected], [email protected]
- Subdomains: mail.company.com, vpn.company.com, dev.company.com
- IP addresses associated with the domain
- Employee names from LinkedIn
Why it matters: This is often the first tool used in reconnaissance. Find emails → find employees → find attack vectors.
Get it: Pre-installed on Kali Linux or github.com/laramies/theHarvester
Specialized OSINT Tools
Image Analysis
| Tool | Purpose |
|---|---|
| ExifTool | Extract metadata from images (GPS coordinates, camera model, date) |
| TinEye | Reverse image search, find where an image appears online |
| Google Lens | Identify objects, locations, and find similar images |
| PimEyes | Facial recognition search (controversial, requires payment) |
Social Media
| Tool | Purpose |
|---|---|
| Twint | Scrape Twitter without API limits |
| Instaloader | Download Instagram profiles, stories, metadata |
| Social Analyzer | Analyze social media profiles across platforms |
Network and Infrastructure
| Tool | Purpose |
|---|---|
| Censys | Like Shodan, indexes internet-connected devices |
| Recon-ng | Web reconnaissance framework with modular design |
| Amass | Subdomain enumeration and network mapping |
People Search
| Tool | Purpose |
|---|---|
| Pipl | People search engine (commercial) |
| That's Them | Free people search |
| 411.com | Phone and address lookup |
How an OSINT Investigation Actually Works
Here's a realistic example of how these tools chain together:
Target: Find everything about someone with username "coolhacker42"
- Sherlock/WhatsMyName: Search for "coolhacker42" across 400+ sites. Find accounts on GitHub, Reddit, Steam, an old forum.
- Profile analysis: GitHub profile has real name in bio. Reddit posts mention city. Steam profile links to Discord.
- theHarvester: Search for the real name + domain from GitHub. Find email addresses.
- Have I Been Pwned: Check if those emails appear in data breaches. Find password patterns, other accounts.
- Maltego: Map all discovered entities. Find connections between accounts, domains, phone numbers.
- Shodan: If any personal servers/devices were found, check for vulnerabilities.
- Image analysis: Download profile photos. Check EXIF data. Reverse image search to find other uses.
Result: From one username, an investigator might uncover: real name, email, phone number, home city, employer, interests, associates, and technical vulnerabilities.
This takes hours, not days. The tools do the heavy lifting.
Why You Should Know This
Understanding OSINT tools helps you:
- Audit your own exposure: Run these tools on yourself. See what's findable.
- Make informed decisions: Know that usernames connect accounts. Know that photos contain metadata. Know that old forum posts persist.
- Protect yourself: Once you understand the attack surface, you can reduce it.
- Recognize threats: If someone's stalking or harassing you, understand how they might be finding information.
The tools aren't going away. They're getting better. The only defense is awareness.
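One way to audit how your own accounts connect is to model them the way a graph tool would: accounts are nodes, and any shared identifier is an edge. This is an added example, not from the original article or from Maltego; the account inventory is constructed, and the field names (`username`, `email`) are assumptions you can extend with phone numbers or avatar hashes.

```python
from collections import defaultdict

# Constructed inventory of one person's own accounts (all values are made up).
ACCOUNTS = {
    "github":    {"username": "coolhacker42", "email": "work@example.com"},
    "reddit":    {"username": "coolhacker42", "email": "throwaway@example.net"},
    "old-forum": {"username": "ch42_legacy",  "email": "throwaway@example.net"},
    "steam":     {"username": "nightowl",     "email": "games@example.org"},
    "bank":      {"username": "j.doe",        "email": "private@example.org"},
}

def link_clusters(accounts):
    """Group accounts that share any identifier, directly or through a chain."""
    parent = {site: site for site in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    shared = defaultdict(list)              # (kind, value) -> sites using it
    for site, ids in accounts.items():
        for kind, value in ids.items():
            shared[(kind, value.lower())].append(site)
    for sites in shared.values():
        for other in sites[1:]:
            parent[find(other)] = find(sites[0])

    clusters = defaultdict(set)
    for site in accounts:
        clusters[find(site)].add(site)
    # Identifiers used on more than one site are the pivots that link accounts.
    pivots = {k: v for k, v in shared.items() if len(v) > 1}
    return sorted(sorted(c) for c in clusters.values()), pivots

if __name__ == "__main__":
    clusters, pivots = link_clusters(ACCOUNTS)
    print("linkable groups:", clusters)
    print("identifiers to change:", pivots)
```

In the sample, the old forum account never uses the main username, yet it lands in the same group as GitHub because it shares an email with Reddit; the `pivots` result lists exactly which identifiers to change to split a group.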
The Bottom Line
OSINT tools turn scattered public information into actionable intelligence. Sherlock finds your usernames. Maltego maps your relationships. Shodan indexes your devices. SpiderFoot automates everything.
These tools are free. They're legal to use on public information. Journalists, investigators, hackers, and stalkers all have access to them.
The information about you that's "out there" isn't just out there; it's queryable, mappable, and connectable. Understanding how these tools work is the first step to protecting yourself from them.