Passive
OSINT (Open-Source Intelligence) gathering is a way of learning about your target without any direct contact and without leaving any evidence of the recon.
The OSINT Process
OSINT reconnaissance can be further broken down into the following 5 Phases:

Source Identification: In this initial phase the attacker identifies the potential sources from which information may be gathered. Sources are documented throughout the process in detailed notes so they can be revisited later if necessary.
Data Harvesting: In this phase, the attacker collects and harvests information from the selected sources and other sources that are discovered throughout this phase.
Data Processing and Integration: During this phase, the attacker processes the harvested information for actionable intelligence by searching for information that may assist in enumeration.
Data Analysis: In this phase, the attacker performs data analysis of the processed information using OSINT analysis tools.
Results Delivery: In the final phase, OSINT analysis is complete and the findings are presented/reported to other members of the Red Team.
Workflow of OSINT Cheatsheet
DNS Harvesting
Email Harvesting
GitHub Dorks
We can use GitHub advanced search keywords and dorks to find sensitive data in repositories.
filename:bashrc
extension:pem
language:bash
Some examples of GitHub search keywords:
extension:pem private # Private SSH Keys
extension:sql mysql dump # MySQL dumps
extension:sql mysql dump password # MySQL dumps with passwords
filename:wp-config.php # WordPress config file
filename:.htpasswd # .htpasswd
filename:.git-credentials # Git stored credentials
filename:.bashrc password # .bashrc files containing passwords
filename:.bash_profile aws # AWS keys in .bash_profiles
extension:json mongolab.com # Keys/Credentials for mongolab
HEROKU_API_KEY language:json # Heroku API Keys
filename:filezilla.xml Pass # FTP credentials
filename:recentservers.xml Pass # FTP credentials
filename:config.php dbpasswd # PHP Applications databases credentials
shodan_api_key language:python # Shodan API Keys (try other languages)
filename:logins.json # Firefox saved password collection (key3.db usually in same repo)
filename:settings.py SECRET_KEY # Django secret keys (usually allows for session hijacking, RCE, etc)
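To keep your own repositories out of these search results, the following Python check (an added example, not part of the original cheatsheet) flags the filenames and content keywords the dorks above target in a local working tree before it is pushed. The function names check_file, scan_tree and load_tree and the regexes are my own, and the sample files used to exercise it are constructed.

```python
"""Pre-commit style check for the files and keywords the GitHub dorks above target."""
import os
import re
from typing import Dict, List

# filename: dorks from the cheatsheet, matched on the basename.
SENSITIVE_NAMES = {
    "wp-config.php", ".htpasswd", ".git-credentials", "filezilla.xml",
    "recentservers.xml", "logins.json", "config.php",
}
# extension:/keyword dorks: (extension the rule applies to, or None for any file; regex on content).
CONTENT_RULES = [
    ("pem", re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("sql", re.compile(r"mysql dump", re.I)),                      # "-- MySQL dump 10.x" header
    ("py", re.compile(r"^\s*SECRET_KEY\s*=\s*['\"]", re.M)),       # Django settings.py
    ("py", re.compile(r"shodan_api_key", re.I)),
    ("json", re.compile(r"HEROKU_API_KEY|mongolab\.com", re.I)),
    # .bashrc / .bash_profile style assignments of passwords or AWS secrets (any file)
    (None, re.compile(r"^\s*(export\s+)?\w*(password|aws_secret_access_key)\w*=", re.I | re.M)),
]

def check_file(relpath: str, content: str) -> List[str]:
    """Return dork-style findings for one file; an empty list means it looks clean."""
    findings: List[str] = []
    name = os.path.basename(relpath)
    ext = name.rsplit(".", 1)[-1] if "." in name[1:] else ""   # ".htpasswd" has no extension
    if name in SENSITIVE_NAMES:
        findings.append(f"{relpath}: sensitive filename '{name}'")
    for rule_ext, pattern in CONTENT_RULES:
        if rule_ext in (None, ext) and pattern.search(content):
            findings.append(f"{relpath}: content matches /{pattern.pattern}/")
    return findings

def scan_tree(files: Dict[str, str]) -> List[str]:
    """Scan a mapping of relative path -> file content and return all findings."""
    results: List[str] = []
    for path in sorted(files):
        results.extend(check_file(path, files[path]))
    return results

def load_tree(root: str) -> Dict[str, str]:
    """Read a checkout into the mapping scan_tree() expects, skipping the .git directory."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="ignore") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files
```

Calling scan_tree(load_tree(".")) from a pre-commit hook and failing the commit on a non-empty result catches these files before they ever reach a public remote.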
Open Job Requisitions
Job requisitions can help us get information about the information technology products used in a target organization, such as:
Web Server Type
Web Application Development Environment
Firewall Type
Routers
Google searches to find job requisitions
site:[companydomain] careers [keyword or title]
site:[companydomain] jobs
site:[companydomain] openings
Job-related sites such as LinkedIn can also be searched.
PGP Public Key Servers
Organizations maintain servers that provide public PGP keys to clients. You can query these to reveal user email addresses and details.
Cloudflare / Tor IP Detection
Some tips to find real IP addresses hiding behind Cloudflare and Tor
Identify Host Sharing
See if a single server or IP address is hosting multiple websites/domains:
# Bing dorks to identify host sharing
ip:xxx.xxx.xxx.xxx
Shodan
Search engine for the Internet of everything.
Shodan is the world's first search engine for Internet-connected devices, including computers, servers, CCTV cameras, SCADA systems and anything else connected to the internet, whether it was exposed deliberately or not.
Shodan can be used both as a source for gathering info about random targets for mass attacks and as a tool for finding weak spots in a large network of systems to attack and take the low-hanging fruit.
Shodan has a free and commercial membership and is accessible at shodan.io.
The search engine has its own search syntax, which is documented in the help section of the website.
With Shodan you can search for specific systems, ports, services, regions and countries or even specific vulnerable versions of a software or OS service running on systems like SMB v1 and much more.
Here are the keywords most commonly used in Shodan search queries:
Other OSINT Websites
I have put together a list of the most used OSINT sources that will usually cover about 90% of your needs in a regular pentest.
Remember there are endless ways to find intel about your target.
The OSINT process is limited only by your own imagination.
Top sources (most used)
Image search
Username and people search
IOT and device search
Dark web engines
pubpeer.com
scholar.google.com
arxiv.org
guides.library.harvard.edu
deepdotweb.com
Core.onion
OnionScan
Tor Scan
ahmia.fi
not evil
Monitoring and alerting
Google Alerts
HaveIBeenPwned.com
Dehashed.com
Spycloud.com
Ghostproject.fr
weleakinfo.com
social-analyzer
Analyzes and finds a person's profiles across 800+ social media websites.
python3 -m pip install social-analyzer
social-analyzer --username "johndoe" --metadata --extract --mode fast
TWINT
Advanced Twitter scraping tool written in Python that allows for scraping Tweets from Twitter profiles without using Twitter's API.