CyberCheatsheets

OSINT Cheat Sheet

Open-source intelligence workflow: domains, emails, people, breaches, and infrastructure using Google dorks and free OSINT tools.

Category: Reconnaissance & OSINT. Tags: footprinting, investigation, osint, recon, reconnaissance. Updated 2026-06-17

Overview

OSINT gathers intelligence from public sources—no packets sent to the target. It's the first phase of any engagement: map the attack surface (domains, subdomains, employees, leaked credentials, exposed services) before touching anything. This sheet covers Google dorking and the go-to free tools for each data type.

Authorized and lawful use only. Respect privacy laws, terms of service, and engagement scope. Passive recon is still subject to legal and ethical limits.

Google dorks

Pages indexed for a domain

site:example.com

Find non-www subdomains

site:example.com -www

Exposed documents (metadata goldmine)

site:example.com filetype:pdf

Open directory listings

intitle:"index of" site:example.com

Login/admin panels

inurl:admin | inurl:login site:example.com

Leaked spreadsheets with emails

intext:"@example.com" filetype:xlsx

Domains & infrastructure

Registrar, dates, sometimes contacts

whois example.com

DNS records (many resolvers refuse ANY queries, so query A, MX, NS, and TXT individually if this returns nothing)

dig example.com ANY +noall +answer

Subdomains from certificate transparency

curl -s 'https://crt.sh/?q=%25.example.com&output=json' | jq -r '.[].name_value' | sort -u

Enumerate subdomains and probe which are live

subfinder -d example.com -silent | httpx -silent
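The crt.sh pipeline above returns raw certificate names: mixed case, duplicates, wildcard entries such as `*.example.com`, and occasional lookalike domains that happen to match the SQL `%` wildcard. The POSIX shell script below is an added example (not from this cheat sheet, and not part of crt.sh, subfinder, or httpx) that builds the query URL and normalizes that output into a clean host list before handing it to a prober. It assumes the JSON has already been reduced to one name per line, as the page's `jq` step does, and runs here on a constructed sample instead of a live query; the same normalization is useful to a defender watching CT logs for subdomains they did not issue certificates for.

```shell
#!/bin/sh
# Added example (not from the CyberCheatsheets page): normalize crt.sh output
# into a clean subdomain list. Assumes the crt.sh JSON has already been
# reduced to one name per line (e.g. with jq -r '.[].name_value').

# Build the crt.sh query URL. %25 is the URL-encoded SQL LIKE wildcard '%',
# so %25.example.com matches every certificate name ending in ".example.com".
ct_url() {
  printf 'https://crt.sh/?q=%%25.%s&output=json\n' "$1"
}

# Clean raw name_value lines for one target domain:
#  - lowercase (CT entries are mixed case)
#  - strip the "*." of wildcard certificates, which is not a real host
#  - keep only names that are the domain itself or end in ".<domain>"
#    (the LIKE match can also return unrelated lookalikes)
#  - de-duplicate under a fixed locale so the order is stable
normalize_ct_names() {
  dom_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  tr '[:upper:]' '[:lower:]' \
    | sed 's/^\*\.//' \
    | grep -E "(^|\.)${dom_re}\$" \
    | LC_ALL=C sort -u
}

# Constructed sample of what crt.sh might return for a small domain (not real data).
SAMPLE_CT_NAMES='*.example.com
WWW.example.com
mail.example.com
www.example.com
*.example.com
dev.example.com
not-example.com'

# Live use would be:
#   curl -s "$(ct_url example.com)" | jq -r '.[].name_value' \
#     | normalize_ct_names example.com | httpx -silent
printf '%s\n' "$SAMPLE_CT_NAMES" | normalize_ct_names example.com
```

The domain is escaped before it is placed in the `grep -E` pattern so that a dot in the domain cannot match an arbitrary character; without that, `notexample.com` style names would slip through the filter.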

Search engines for exposed assets

Internet-exposed services for a domain

shodan search hostname:example.com

Open ports/banners for an IP

shodan host 1.2.3.4

Pivot on certificates, favicons, and banners

# Censys / FOFA web UIs

Emails, people & breaches

Harvest emails, names, and hosts from many sources

theHarvester -d example.com -b all

Find email formats and addresses for a domain

# Hunter.io / phonebook.cz

Check emails against known breaches (leaked passwords)

# haveibeenpwned.com / DeHashed

Check which sites an email is registered on

holehe user@example.com

Find a username across social networks

sherlock username
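theHarvester and the web services listed above automate one core step: pulling addresses for a domain out of text collected from public sources, then working out the organization's address format. The POSIX shell script below is an added example (not from this cheat sheet and not theHarvester's code) of that step applied to text you already have on disk (a saved search-results page, a PDF converted with pdftotext, a mailing-list archive). It runs on a constructed sample page, filters to the target domain, and separates role mailboxes (info@, support@) from personal ones, since only the latter reveal the naming convention; the role list `ROLE_LOCAL_PARTS` is an assumed starting set, not a standard.

```shell
#!/bin/sh
# Added example (not from the CyberCheatsheets page): extract addresses for one
# domain from collected text, the step theHarvester automates.

# Extract candidate addresses, lowercase them, keep only the target domain.
extract_emails() {
  dom_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  tr '[:upper:]' '[:lower:]' \
    | grep -Eo '[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}' \
    | grep -E "@${dom_re}\$" \
    | LC_ALL=C sort -u
}

# Role mailboxes say nothing about the employee address format; split them out.
# This list is an assumed starting set, extend it per organization.
ROLE_LOCAL_PARTS='^(info|admin|support|sales|noreply|no-reply|postmaster|abuse|webmaster)@'
person_emails() { grep -Ev "$ROLE_LOCAL_PARTS"; }
role_emails()   { grep -E  "$ROLE_LOCAL_PARTS"; }

# Constructed sample of scraped page text (not real data).
SAMPLE_PAGE='Contact: Info@Example.com or support@example.com.
Press: jane.doe@example.com, JOHN.SMITH@example.com (cc j.smith@example.com)
Partner: someone@example.org; also mailto:jane.doe@example.com again.'

# Personal addresses for example.com, which expose the first.last convention:
printf '%s\n' "$SAMPLE_PAGE" | extract_emails example.com | person_emails
```

Everything is lowercased before matching so that `Info@Example.com` and `info@example.com` collapse into one entry, and the trailing `$` anchor after the escaped domain keeps `example.org` and `example.com.evil` style addresses out of the result.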

Frameworks & metadata

Automated OSINT correlation across 200+ modules

spiderfoot -l 127.0.0.1:5001

Modular OSINT framework with workspaces

recon-ng

Pull authors, software, and paths from file metadata

exiftool document.pdf

Historical pages, old endpoints, removed content

# Wayback Machine (web.archive.org)

Tips

  • Start passive: certificate transparency (crt.sh) and subfinder map the attack surface without touching the target.
  • Document file metadata (exiftool) — it leaks usernames, internal paths, and software versions.
  • Breach data reveals real password patterns for an org — invaluable for later spraying (within scope).
  • Keep OPSEC in mind: some 'OSINT' actions (port scans, logins) are active and out of passive scope.
