Introduction to Open Source Intelligence Gathering

July 12, 2022
Christian Bohren
5 min read


In this article, we will be learning about Open Source Intelligence (OSINT) and how we can utilize it for security purposes. While we can find information from newspapers, broadcasts, social media, domains, email addresses, we’ll see how we can use Shodan and Google dorks for further investigation.

OSINT with Shodan

Shodan can be basically called a deep search engine like Bing and Google, but search engines actually search for websites or information related to websites, where as Shodan can search for any device which is connected to the Internet whether it may be router, server, IOT device, monitors, CC Cameras etc..

Shodan is available for free and also paid plans starting from $59. You can easily register an account at their website and use many capabilities such as filters, on demand scans and reports. Once you get the hang of Shodan, you will be able to find that the best use Shodan is for searching CVE’s, exploits and finding hidden endpoints.  

If you want to use Shodan for OSINT, let’s take a look at some of Shodan’s important filters.

country: Find devices based on the country

product: Find devices based on product like Kafka

port: Find devices based on the ports like 80,443

server: Find servers like Apache , Nginx etc..

os: Search based on the operating system like XP , Windows 7  

org: Search based on organisations like Google , Facebook etc..

vuln: Search based on CVE’s

Now that we understand the filters, let’s try them out!

country: US port: 22 -  This filter will let you find any devices with port 22 in the United States country.

product:tomcat - This filter will let you find any tomcat devices connected to the Internet.

apache country:DE - This filter will let you find all the apache servers connected to the Internet in DE Country.

Os:windows 7 port: 445 - This filter will let you find all the devices running on Windows 7 and smb port 445

org:AWS port:3389 - The above filter will find all the devices which are owned by AWS with RDP port 3389 open. You can change the organization and find out which specific devices are connected to the internet.

Tip: You can also use Shodan CLI if you are more comfortable with the command line. All you have to do is have python installed and execute the following command :  pip install -U --user shodan

OSINT with Google Dorks

Search engines like Google and Bing make finding information easy, particularly if we want to shop, find an address, or look for a job. However, you can make advanced use of these search engines by utilizing search operators. Each search operator has its own function and can be combined for more filtering and better results.

There are various kinds of operators available :

inurl: / intitle: / intext: / site: / cache: / filetype: / | / - /OR / AND / Ext / map

Let’s see some examples of how we can use Google dorks to find information. inurl:login | inurl:signin | intitle:Login | intitle:"sign in" | inurl:auth

The above Google dork will find out all login pages for using the keywords login , signin, Login , sign in and auth. ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini | ext:env

If you are hunting for bug-bounty programs then you may want to find if there are any configuration files being disclosed.

inurl:security intext:vulnerability

This Google dork will get all the results with security in the URL and with vulnerability text present inside the security page. This dork is most used by bug-bounty hunters for finding more programs.

intext:"" alex

This Google dork will crawl through the Linkedin website with the name Alex and find out if Alex has any gmail accounts to which we can contact. filetype:PDF

This Google dork will find out all the PDF files from the website and you can easily download them for your use. You can change the filetype to any type you want.


You can try out Maltego if you are a fan of Graphs since Maltego gathers all the information from various sources and groups them into a graph which can be used very easily even by a basic computer specialist.  


Now you can use Shodan and Google dorks to perform open-source intelligence and gather sensitive information. Stay tuned to the writings, for more information check out our other posts below!

Let's Get Started

Book a time to chat about your security needs.
* Indicates a required field.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.