| name | offensive-osint |
| description | Comprehensive OSINT methodology skill for offensive security, red team intelligence gathering, and bug bounty reconnaissance. Covers domain recon, email harvesting, social media profiling, GitHub/code leaks, Shodan/Censys enumeration, breach data lookup, employee profiling, infrastructure mapping, cryptocurrency tracing, geospatial intelligence, and AI-assisted analysis workflows. Use when performing reconnaissance against a target domain or organization, investigating a person or entity, tracing cryptocurrency flows, geolocating images or events, or building an attack-surface map. |
Offensive OSINT Methodology
Workflow
- Define target scope (domain, org, person, crypto address, or geo subject)
- Select applicable categories below based on scope
- Work top-down within each category; pivot on discovered artifacts
- Archive every key artifact: URL + timestamp + screenshot (PNG) + hash (SHA-256)
- Log findings in JSONL with a
run_id and tool versions for reproducibility
- Suggest next steps based on what each tool returns
General OSINT
Search Engines
Username & Email Investigation
Browser extensions: GetProspect, SignalHire
People Search
Phone Number OSINT
Social Media
Public Records & Company Information
RU/CN Registries
Russia: Rusprofile, Kontur.Focus (freemium), zakupki.gov.ru (procurement), EGRUL/EGRIP (official, captcha-gated)
China: GSXT (National Enterprise Credit), Qichacha/Tianyancha (freemium), MIIT ICP/Beian (ICP filings)
Sanctions & Compliance
Breach & Leak Data
Infrastructure & Attack-Surface OSINT
ASN/BGP & Internet Measurement
Certificates & CT Monitoring
- crt.sh — Search Certificate Transparency logs
- Censys Certificates — CT and x509 attribute pivots
- CertStream — Real-time CT feed via WebSocket
- Rapid7 Open Data — Sonar DNS/HTTP/SSL datasets
- Cert Spotter [Freemium] — CT monitoring and alerts
- Favicon hash (mmh3): cluster infrastructure; pair with Shodan/Censys favicon search
Threat Intel & IOCs
Malware Analysis & Sandboxes
Cryptocurrency OSINT
Blockchain Explorers
L2 Explorers: Arbiscan, Optimistic Etherscan, BaseScan, zkSync Era, L2Beat (risk/TVL comparison)
Transaction Tracking & Analytics
NFT & Exchange Intelligence
Bridge Monitoring
Media Intelligence
Reverse Image & Facial Search
Image Forensics
Video Analysis
Browser Extensions for Media
Geospatial Intelligence
Satellite Imagery & Mapping
Geolocation Tools
Street View: Google Street View, Apple Maps, Yandex Maps, Baidu Maps
Flight OSINT
Maritime OSINT
AI-Assisted OSINT
Warning: Never paste PII, sensitive IOCs, or unique pivots into cloud LLMs. They log inputs and may use them for training. Use local models (Ollama, LM Studio) for sensitive analysis.
| Tool | Strength |
|---|
| ChatGPT (paid) | Log parsing, dataset analysis, Code Interpreter for CSVs/JSON, GPT-4 Vision for image OCR |
| Claude (paid) | 200K token context for large document dumps and report synthesis |
| Gemini 1.5 Pro | 2M token context; Deep Research mode with citations |
| Perplexity Pro (paid) | Real-time web search + reasoning; multi-query synthesis |
Local/privacy-preserving: Ollama (Llama 3, Mistral), LM Studio, GPT4All
Commercial AI OSINT Platforms
Deepfake & Synthetic Media Detection
Archiving & Evidence Preservation
- archive.today — One-page content archiver with screenshot
- URLScan.io — On-demand webpage scan with resource map
- ArchiveBox — Self-hosted archiving (HTML, PDF, screenshots, media)
- Hunchly — Evidence capture for investigators (paid)
- Wayback SavePageNow API v3 — On-demand archiving with job IDs
- SingleFileZ — Browser extension for offline HTML archives
- Kasm Workspaces — Containerized OSINT workspace/browser isolation
Evidence handling:
- Capture: URL + timestamp + PNG screenshot + WARC/SingleFileZ archive
- Hash all downloaded files (SHA-256) and record in case notes
- Separate work profiles/containers per case; store evidence read-only
- Use JSONL (NDJSON) logs with
run_id and tool versions for reproducibility
Automation & Workflows
- n8n — Self-hosted workflow automation (e.g., RSS → scrape → alert pipelines)
- Huginn — Agent-based monitoring, scraping, alerting
- Playwright — Headless browser automation with stealth plugins
- Browsertrix Crawler — Archival crawling with WARC export
- Prefect / Apache Airflow — Workflow orchestration for data pipelines
Regional Search Engines
Telegram & Messaging Intelligence
- TGStat — Channel analytics and search
- Telemetr — Channel growth, overlaps, forwards
- Combot — Group analytics (partially paid)
- TelegramDB Search Bot — Basic Telegram OSINT
- Discord ID — Basic Discord account information
- Sogou Weixin search — WeChat Official Accounts content search
- View public Telegram channels:
https://t.me/s/<channel>