| name | pentest-osint |
| description | Passive OSINT (Open-Source Intelligence) gathering — domain enumeration, subdomain discovery, email harvesting, DNS analysis, WHOIS, Shodan queries, infrastructure mapping. Used at the START of every engagement.
|
| userInvocable | true |
| requiresBinaries | ["amass","whois","dig","nmap"] |
| tags | ["pentest","recon","osint"] |
| triggers | ["OSINT","open source intelligence","passive recon","domain enumeration","subdomain","Shodan","amass","whois","DNS","infrastructure mapping"] |
pentest-osint — Passive Intelligence Gathering
Overview
OSINT is Phase 0 — gather maximum intelligence without touching the target.
The goal: build a complete picture of the attack surface before any active probe.
Output directory: /root/kali-workspace/osint/<target>/
TARGET="<domain_or_org>"
mkdir -p /root/kali-workspace/osint/$TARGET
cd /root/kali-workspace/osint/$TARGET
Step 1 — Domain & IP Resolution
dig +short $TARGET A && dig +short $TARGET MX && dig +short $TARGET NS && dig +short $TARGET TXT
dig -x <IP>
nmap -sn --script dns-brute $TARGET
whois $TARGET | grep -E "Registrar|Registrant|Creation|Expiry|Name Server" | head -20
whois <IP> | grep -E "org-name|OrgName|country|CIDR|NetRange" | head -20
Step 2 — Subdomain Enumeration
amass enum -passive -d $TARGET -o /root/kali-workspace/osint/$TARGET/amass.txt
curl -s "https://crt.sh/?q=%25.$TARGET&output=json" \
| python3 -c "import sys,json; [print(e['name_value']) for e in json.load(sys.stdin)]" \
| sort -u | tee /root/kali-workspace/osint/$TARGET/crt-sh.txt
cat amass.txt crt-sh.txt 2>/dev/null | sort -u > all-subdomains.txt
echo "[*] Total unique subdomains: $(wc -l < all-subdomains.txt)"
cat all-subdomains.txt | xargs -I{} sh -c \
'host {} 2>/dev/null | grep "has address" && echo {}' \
| tee live-subdomains.txt
Step 3 — Email & Personnel Harvesting
theHarvester -d $TARGET -b google,bing,certspotter,crtsh -l 200 \
-f /root/kali-workspace/osint/$TARGET/harvester.html
Step 4 — Infrastructure Mapping
curl -s "https://api.hackertarget.com/aslookup/?q=$TARGET"
whatweb $TARGET --color=never | tee /root/kali-workspace/osint/$TARGET/whatweb.txt
curl -sI https://$TARGET | grep -iE "server:|x-powered-by:|x-generator:|via:"
Step 5 — GitHub & Code OSINT
curl -s http://$TARGET/.git/config | head -5
curl -s http://$TARGET/.env | head -5
curl -s "https://api.builtwith.com/free1/api.json?KEY=free&LOOKUP=$TARGET" \
| python3 -m json.tool 2>/dev/null || echo "BuiltWith API requires key"
Step 6 — Historical & Passive Sources
curl -s "http://web.archive.org/cdx/search/cdx?url=*.$TARGET&output=json&fl=original&collapse=urlkey&limit=100" \
| python3 -m json.tool | grep original | sort -u \
| tee /root/kali-workspace/osint/$TARGET/wayback.txt
Step 7 — Threat Intelligence
nslookup $TARGET.dbl.spamhaus.org 2>/dev/null || echo "Not blacklisted"
OSINT Summary Report Template
# OSINT Report — <Target>
Date: <date>
## Domain Info
- Registrar: <registrar>
- Created: <date>; Expires: <date>
- Nameservers: <ns1, ns2>
## Infrastructure
- Primary IP: <IP> — ASN: <ASN> — ISP: <ISP>
- IP Ranges: <CIDR blocks found>
- CDN/WAF: <detected or None>
## Subdomains Found (<count> total)
- mail.<domain> → <IP>
- vpn.<domain> → <IP>
- dev.<domain> → <IP>
...
## Technology Stack
- Web Server: <Apache/nginx/IIS version>
- Framework: <Laravel/Django/Spring>
- CMS: <WordPress/Drupal version>
- Certificates: <issued by, expiry>
## Email Format
- Pattern: <firstlast@domain or first.last@domain>
- Confirmed addresses: <list>
## People of Interest
- <name> — <title> — <LinkedIn/email>
## Exposed Files / Findings
- /.git/config ACCESSIBLE (code exposure risk)
- robots.txt disallows: <list of paths>
## Recommendations
- Monitor: mail.<domain> — MX exposed
- Investigate: dev.<domain> — likely staging environment
Quick-Win Checklist