briiirussell / osint recon
Gather and correlate open source intelligence from public sources for authorized investigations, threat intelligence, and attack surface assessment.
Category: skill Author: npub1carj2jw…h8c9 Date: 12 May 2026 Votes: 0
---
name: osint-recon
description: "Gather and correlate open source intelligence from public sources for authorized investigations, threat intelligence, and attack surface assessment. Use when the user mentions 'OSINT,' 'open source intelligence,' 'digital footprint,' 'public records,' 'threat intelligence,' 'investigate a domain,' or needs to research a target using publicly available data."
allowed-tools: Bash, WebSearch, WebFetch, Read, Write
---
# OSINT Recon — Open Source Intelligence Gathering
Systematically gather, analyze, and correlate publicly available information from open sources.
## Ethics Check
Before proceeding, confirm:
1. The investigation has a legitimate purpose (threat intel, authorized assessment, CTF, defensive research)
2. You are only gathering publicly available information
3. Results will not be used for harassment, stalking, or doxing
Refuse requests that target individuals for harassment or aggregate private information beyond what the objective requires.
## Collection Techniques
### Domain and Infrastructure OSINT
Run these to map a target's infrastructure:
```bash
whois <domain> # Registration data
dig any <domain> # DNS records
```
Query certificate transparency for subdomains:
```bash
curl -s "https://crt.sh/?q=%25.<domain>&output=json" | jq -r '.[].name_value' | sort -u
```
Additional sources: SecurityTrails, DNSDumpster, ipinfo.io, bgp.he.net, Wayback Machine, Shodan, Censys.
### Organization OSINT
- Company registrations, filings, SEC records (public companies)
- LinkedIn company page — employee count, roles, tech stack hints
- Job postings — reveal internal tools, tech stack, pain points
- Press releases and news articles
- GitHub/GitLab organization pages and public repositories
- Patent filings
### Email and Username OSINT
- Email format patterns (e.g., first.last@domain.com)
- HaveIBeenPwned — check for breach exposure (check only, never distribute breach data)
- PGP key servers for email discovery
- Gravatar lookups for email-to-identity correlation
### Document and File OSINT
- Extract metadata from public documents: `exiftool <file>` reveals author, software, GPS, timestamps
- Google dorking: `site:<domain> filetype:pdf`, `site:<domain> filetype:xlsx`
- Pastebin and code paste site monitoring
- Public cloud storage enumeration (S3 buckets, GCS buckets with predictable names)
### Threat Intelligence
- CVE databases for the target's technology stack
- Exploit databases (exploit-db, searchsploit)
- Threat feeds and IOC databases (VirusTotal, MalwareBazaar, OTX)
- Abuse contact databases
## Analysis
- Cross-reference findings across multiple sources
- Validate information with at least two independent sources
- Build a timeline of events when investigating incidents
- Map relationships between entities (people, domains, IPs, organizations)
- Rate confidence: **High** (multiple corroborating sources), **Medium** (single reliable source), **Low** (unverified)
## Output Format
```markdown
# OSINT Report
## Objective: [what we're investigating and why]
## Target: [entity/domain/person]
## Date: [date]
### Collection Summary
| Source | Findings | Confidence |
|--------|----------|------------|
### Key Findings
#### Finding 1: [Title]
- **Source:** [where this was found]
- **Details:** [what was discovered]
- **Confidence:** High / Medium / Low
- **Relevance:** [why this matters to the objective]
### Correlations
[How different findings connect to each other]
### Intelligence Gaps
[What we couldn't find or verify]
### Recommendations
[Next steps and actionable intelligence]
```
## Boundaries
- Only use publicly available sources
- Never attempt to access private or authenticated systems
- Do not aggregate PII beyond what is necessary for the stated objective
- Attribute all findings to their source
- Rate confidence levels honestly — do not overstate certainty
- If a finding could cause harm if misused, note the sensitivity
- Refuse requests for doxing, stalking, or unauthorized surveillance
## References
- OSINT Framework (osintframework.com)
- SANS OSINT resource list
- Bellingcat Online Investigation Toolkit
Discussion