OSINT Dorks for Finding Personal Information
📧 Email & Contact Information
Find a person's email address:
"John Doe" "@[Link]" | "@[Link]" | "@[Link]" -www
Find leaked email addresses in data breaches:
"John Doe" site:[Link] | site:[Link] | site:[Link]
Look for email addresses from a specific domain:
site:[Link] "@[Link]"
Search for phone numbers:
"John Doe" "phone" | "contact" | "mobile" | "WhatsApp"
Find a person’s email in GitHub repositories:
site:[Link] "John Doe" "@[Link]"
Find all social media accounts of a person:
"John Doe" site:[Link] | site:[Link] | site:[Link] | site:[Link]
Find someone’s Facebook profile even if hidden:
"John Doe" site:[Link]/public/
Search for Instagram profiles:
site:[Link] "John Doe"
Look for their posts on forums (Quora, Reddit, etc.):
"John Doe" site:[Link] | site:[Link] | site:[Link]
Search for personal blogs and old web profiles:
"John Doe" site:[Link] | site:[Link] | site:[Link]
Find their Amazon wishlist:
"John Doe" site:[Link] "wishlist"
Look for mentions in news articles:
"John Doe" site:[Link] | site:[Link] | site:[Link]
Find someone’s pictures across the web:
"John Doe" site:[Link] | site:[Link] | site:[Link]
📜 Resumes, CVs, & Work History
Find someone's resume or CV:
"John Doe" filetype:pdf | filetype:doc "resume" | "curriculum vitae"
Look for employment history on LinkedIn:
site:[Link]/in "John Doe"
Find past job applications:
"John Doe" site:[Link] | site:[Link]
🔍 OSINT Dorks for Finding Organizational Information
🏢 Subdomains & Infrastructure
Find all subdomains of a company:
site:*.[Link] -www
Search for sensitive open directories:
intitle:"index of" site:[Link]
Check for publicly accessible FTP servers:
inurl:ftp:// [Link]
Find internal company documents:
site:[Link] ext:pdf | ext:doc | ext:ppt "confidential"
Look for job postings to understand their tech stack:
site:[Link] "hiring" | "we are looking for"
Check for network devices and login portals:
site:[Link] inurl:admin | inurl:dashboard | inurl:login
🔎 Leaks & Security Issues
Search for past security incidents:
"[Link]" "data breach" | "leaked database"
Look for exposed database files:
site:[Link] ext:sql | ext:db | ext:json
Find security vulnerabilities related to the organization:
site:[Link] inurl:CVE- | intext:"vulnerability"
🔍 Finding Emails & Credentials
Locate Publicly Available Emails
site:[Link] OR site:[Link] "@[Link]" OR "@[Link]"
Search for Leaked Passwords
site:[Link] OR site:[Link] "password" "username"
Find Corporate Email Addresses
site:[Link] "@[Link]"
📜 Finding Confidential Files
Look for Sensitive PDF Documents
filetype:pdf OR filetype:docx "confidential" OR "internal"
Discover Public Google Drive Links
site:[Link] "private" OR "restricted"
Identify Open FTP Servers
intitle:"index of" "ftp" site:[Link]
📂 Exposed Databases
Unprotected MongoDB Instances
inurl:27017 "_id"
Open Elasticsearch Instances
inurl:9200 "_search"
Public Firebase Databases
site:[Link]
OSINT on People
🔍 Social Media Investigation
Find Profiles Across Social Platforms
site:[Link] OR site:[Link] OR site:[Link] "John Doe"
Search for Usernames on Websites
site:[Link] OR site:[Link] "username123"
Find a Person’s Facebook Profile by Location
site:[Link] "John Doe" "New York"
📍 Geolocation Tracking
Search Tweets from a Specific Area
site:[Link] "New York" geocode:40.7128,-74.0060,5km
Extract GPS Data from Images
exiftool [Link]
Perform Reverse Image Search
🔗 Google Reverse Image Search
📡 Dark Web & Leaked Data OSINT
🔑 Searching for Leaked Credentials
Check if an Email is Breached
🔗 Have I Been Pwned
Look for Exposed Passwords on Dark Web
site:[Link] "email@[Link]"
Find Leaked Data on Pastebin
site:[Link] "password" OR "login"
📁 Discovering Exposed Files
Search Government & Military Docs
site:gov OR site:mil filetype:pdf "confidential"
Find Public AWS Buckets
site:[Link] "target"
Look for API Keys in GitHub Repositories
site:[Link] "api_key" "secret"
🔍 OSINT on Organizations
🌎 Subdomain & Infrastructure Discovery
Find Hidden Subdomains
subfinder -d [Link]
Locate Public API Endpoints
site:[Link] "api/v1/"
🔗 Employee & Corporate Intelligence
Look for Employee LinkedIn Profiles
site:[Link] "[Link]"
Find Open Zoom Meetings
site:[Link] "join" "meeting"
Discover Public Slack Channels
site:[Link] "company"
⚡ OSINT Automation Tools
🛠 Recon & Intelligence Gathering
SpiderFoot – Automated OSINT tool
spiderfoot -s [Link]
theHarvester – Gather emails & subdomains
theHarvester -d [Link] -b all
Amass – Network mapping & reconnaissance
amass enum -d [Link]
Metagoofil – Extract metadata from files
metagoofil -d [Link] -t pdf -o results/
📢 Social Media OSINT
Sherlock – Locate Social Media Accounts
sherlock username
Instagram Scraper – Extract Data from Instagram
instaloader --login username target_account
🌍 Geolocation & Image OSINT
ExifTool – Extract Metadata from Images
exiftool [Link]
Reverse Image Search on Google
🔗 Google Images
🔎 Advanced Google Dorks for People & Organizations
Find Personal Information on a Website
site:[Link] intext:"phone number" OR "email" OR "address"
Find Login Pages
site:[Link] inurl:login
Find PDFs & Documents Containing Emails
filetype:pdf OR filetype:docx OR filetype:xls intext:"@[Link]"
Find Public FTP Servers
intitle:"index of" "ftp" site:[Link]
📍 Find Hidden Data & Cached Info
Search in Google Cache
cache:[Link]
Find Deleted Pages via Wayback Machine
site:[Link] [Link]
Search for Sensitive PDF Reports
site:gov OR site:mil OR site:edu filetype:pdf "confidential"
OSINT on People (Personal Reconnaissance)
🔎 Find Someone's Digital Footprint
People Search Engines
o 🔗 [Link]
o 🔗 [Link]
o 🔗 [Link]
Find Phone Numbers & Emails
site:[Link] "phone number" OR "email"
Reverse Email Lookup
site:[Link] OR site:[Link] "email@[Link]"
👀 Social Media Intelligence (SOCMINT)
Find All Social Media Accounts for a Username
site:[Link] OR site:[Link] OR site:[Link] "username"
Find Facebook Posts About Someone
site:[Link] "John Doe" "lives in New York"
Find Instagram & TikTok Accounts via Google
site:[Link] "john_doe" OR site:[Link] "john_doe"
Use Sherlock for Automated Social Media OSINT
sherlock username
📍 Geolocation OSINT
🔎 Track Location from Photos
Extract GPS from Image Metadata
exiftool [Link]
Search Google for Images from a Location
site:[Link] "New York City" "Times Square"
Find Someone's Location via Twitter
site:[Link] "New York" geocode:40.7128,-74.0060,5km
🔎 Reverse Image Search
Find Someone’s Profile Picture on Other Sites
🔗 [Link]
🔗 [Link]
Find Images in Cached Archives
site:[Link] "target image name"
💾 Leaked Database & Dark Web OSINT
🔑 Find Leaked Emails & Passwords
Check if an Email is Breached 🔗 [Link]
Find Leaked Databases on Pastebin
site:[Link] "password" "[Link]"
Search for Leaked Credentials on the Dark Web
site:[Link] "email@[Link]"
📂 Find Exposed Databases
Search for Open MongoDB
inurl:27017 "_id"
Search for Open Elasticsearch Instances
inurl:9200 "_search"
Find Firebase Databases
site:[Link]
📡 OSINT on Organizations
🔎 Subdomain & Infrastructure Recon
Find Hidden Subdomains
subfinder -d [Link]
Find Exposed API Endpoints
site:[Link] "api/v1/"
🔗 Find Employee Emails
Find Company Email Patterns with [Link]
🔗 [Link]
Search for Leaked Employee Emails
site:[Link] "@[Link]"
🔎 Detect Exposed Cloud Storage
Find Public Google Drive Links
site:[Link] "confidential"
Find Public AWS S3 Buckets
site:[Link] "target"
🚀 OSINT Automation Tools
🔎 Comprehensive OSINT Frameworks
SpiderFoot – Automated OSINT tool
spiderfoot -s [Link]
theHarvester – Gather emails & subdomains
theHarvester -d [Link] -b all
⚡ Fast Recon Tools
Amass – Network mapping & reconnaissance
amass enum -d [Link]
Metagoofil – Extract metadata from public files
metagoofil -d [Link] -t pdf -o results/
Maltego – Visualize OSINT data connections
🔗 [Link]
📍 Find Deleted & Cached Information
Wayback Machine (Internet Archive) – View old versions of websites
🔗 [Link]
curl "[Link]
Google Cache – View cached pages of deleted content
cache:[Link]
Bing Cache – Alternative for Google Cache
inurl:cache:[Link]
🔍 Extract Content from Websites
HTTrack – Clone websites for offline analysis
httrack [Link]
wget – Download full websites
wget -r -np -k [Link]
Scrapy – Python framework for web scraping
scrapy startproject target_spider
OSINT on People (Personal Intelligence)
🔎 Find Hidden Personal Information
People Search Engines
o 🔗 [Link]
o 🔗 [Link]
o 🔗 [Link]
o 🔗 [Link]
Find Phone Numbers & Emails
site:[Link] "phone number" OR "contact email"
Search for Social Security Numbers (SSNs)
filetype:xls OR filetype:csv "SSN"
Username Lookups (Deep Search)
inurl:profile "username"
👤 Find Personal Email Addresses
[Link] – Find email patterns from company domains
🔗 [Link]
Holehe – Check if an email is linked to online accounts
holehe email@[Link]
Email Permutator – Generate possible email variations
[Link] first last [Link]
📌 Find Geolocation & Address Details
📍 Extract GPS from Images
ExifTool – Extract geolocation from images
exiftool [Link]
Google Earth Historical Imagery – View past satellite images
🔗 [Link]
Find Someone’s Address
WhitePages & PeopleFinders
o 🔗 [Link]
o 🔗 [Link]
Reverse Address Lookup
site:[Link] "target address"
💾 Leaked Database & Credential Hunting
🔑 Find Leaked Passwords
Have I Been Pwned? – Check if email is breached
🔗 [Link]
H8mail – Search for leaked credentials
h8mail -t email@[Link]
BreachForums (Mirror) – Search data leaks
🔗 [Link]
📂 Search for Exposed Databases
Find Public MongoDB Databases
inurl:27017 "MongoDB"
Search for Open Elasticsearch DBs
inurl:9200 "_search"
Check for Firebase Data Leaks
site:[Link]
🔎 Deep Web & Dark Web OSINT
🛑 Search Hidden Onion Sites
Ahmia – Search the dark web
🔗 [Link]
TorBot – Automate OSINT on onion sites
git clone [Link]
OnionSearch – Find stolen credentials
python3 [Link] target
📡 Scan Deep Web Data Leaks
[Link] – Search dark web leaks
🔗 [Link]
IntelX – Search breached data
🔗 [Link]
Subdomain & Website OSINT
🔎 Find Hidden Subdomains
Subfinder – Collect subdomains
subfinder -d [Link]
Amass – Map an organization's infrastructure
amass enum -d [Link]
🔗 Discover Public API Endpoints
Find API Keys in GitHub
site:[Link] "api_key" "[Link]"
Search for Publicly Accessible APIs
site:[Link] "api/v1/"
🚀 Automated OSINT Tools
🔎 OSINT Frameworks
SpiderFoot – Full OSINT automation
spiderfoot -s [Link]
Metagoofil – Extract metadata from public files
metagoofil -d [Link] -t pdf -o results/
⚡ Fast Data Gathering
theHarvester – Find emails, subdomains, and metadata
theHarvester -d [Link] -b all
Maltego – Visualize OSINT data connections
🔗 [Link]
📍 Find Hidden Data & Leaks
Shodan – Search for exposed servers, IoT devices
🔗 [Link]
shodan search "Default password"
Censys – Find exposed devices, certificates, open ports
🔗 [Link]
censys search [Link]
ZoomEye – Chinese version of Shodan with more results
🔗 [Link]
BinaryEdge – Advanced IP and port scanning
🔗 [Link]
📂 Data Breach & Credential Lookups
WeLeakInfo (Mirror) – Search for exposed credentials
🔗 [Link]
LeaksDB – Find leaked usernames and passwords
🔗 [Link]
Snusbase – Advanced breach database
🔗 [Link]
[Link] – Search credentials from past dumps
🔗 [Link]
Social Media Intelligence (SOCMINT)
🔍 Find Hidden Social Media Accounts
WhatsMyName – Search username across multiple platforms
🔗 [Link]
Sherlock – Find accounts linked to a username
python3 [Link] username
Maigret – More powerful than Sherlock for finding social accounts
python3 [Link] username
📸 Reverse Image Search on Social Media
Yandex – Best for finding hidden social media profiles
🔗 [Link]
Google Lens – Identifies faces, places, and objects
🔗 [Link]
PimEyes – AI-powered face recognition
🔗 [Link]
📍 Track Geolocation Data
GeoCreepy – Extracts geolocation from social media posts
git clone [Link]
ExifTool – Extracts GPS coordinates from photos
exiftool [Link]
Google Earth Historical Imagery – View past satellite images
🔗 [Link]
🔑 Extract Metadata & Documents
📂 Hidden Metadata in Files
FOCA – Extracts metadata from documents, PDFs
🔗 [Link]
ExifTool – Extract hidden details from images and documents
exiftool [Link]
Strings – Find hidden text in binary files
strings [Link]
Metadata2Go – Online metadata extraction
🔗 [Link]
📡 Subdomain & Website Enumeration
🔍 Find Hidden Subdomains
Subfinder – Finds subdomains via multiple sources
subfinder -d [Link]
Findomain – Fast subdomain enumeration
findomain -t [Link]
[Link] – Find SSL certificates linked to subdomains
🔗 [Link]
Find Exposed Directories
GoBuster – Find hidden directories and files
gobuster dir -u [Link] -w [Link]
Dirsearch – More advanced directory brute-forcing
python3 [Link] -u [Link] -e php,html,js
🔎 Google Dorks (More Advanced)
Find Exposed Databases
Search for SQL dumps
inurl:.sql filetype:sql
Find public Firebase databases
site:[Link]
Locate public MongoDB instances
inurl:27017 filetype:log
📄 Find Sensitive Documents
Find internal reports
site:[Link] filetype:pdf "confidential"
Search for exposed .env files (credentials)
inurl:.env "DB_PASSWORD"
Look for exposed config files
intitle:"index of" "[Link]"
💾 Data Breach & Credential Automation
📂 Check If an Email Is in a Breach
Holehe – Check if an email is linked to social accounts
holehe email@[Link]
H8mail – Find leaked passwords
h8mail -t email@[Link]
GHunt – Extract data from Google accounts
python3 [Link] email@[Link]
🚀 Dark Web Data Mining
TorBot – Automates OSINT on dark web sites
git clone [Link]
OnionSearch – Searches dark web for stolen data
python3 [Link] target
🔎 People & Organization Searches
Intelius – Background checks, addresses, phone numbers
🔗 [Link]
PeekYou – Finds social media profiles and online presence
🔗 [Link]
Pipl – Deep web search for emails, numbers, social links
🔗 [Link]
Spokeo – Search for personal details, addresses, relatives
🔗 [Link]
📝 Leaked Data & Breach Searches
Have I Been Pwned – Check if an email is in a data breach
🔗 [Link]
DeHashed – Advanced search for breached credentials
🔗 [Link]
LeakCheck – Finds leaked passwords, usernames, emails
🔗 [Link]
IntelX – Search dark web leaks, emails, pastes
🔗 [Link]
Dark Web & Underground Searches
Ahmia – Search the Tor network
🔗 [Link]
OnionLand Search – Index of hidden .onion sites
🔗 [Link]
DarkSearch – Crawls dark web marketplaces, forums
🔗 [Link]
TorBot – Open-source dark web search tool
git clone [Link]
📎 Advanced Metadata & Document Analysis
🔑 Extract Metadata from Images & Documents
ExifTool – Extract metadata from photos, PDFs, docs
exiftool [Link]
strings – Find hidden text in binary files
strings [Link]
pdf-parser – Search for hidden data in PDFs
pdf-parser [Link]
OpenMetadata – Online metadata extractor
🔗 [Link]
🔍 Reverse Image & Facial Recognition
Google Lens – Reverse image search
🔗 [Link]
Yandex Images – More accurate than Google for faces
🔗 [Link]
PimEyes – AI-powered face recognition
🔗 [Link]
TinEye – Reverse image lookup
🔗 [Link]
🚀 Automated OSINT Tools
🐾 Subdomain & Website Enumeration
Sublist3r – Find subdomains of a target
python [Link] -d [Link]
Amass – Powerful OSINT reconnaissance tool
amass enum -d [Link]
[Link] – Find SSL certificates revealing hidden subdomains
🔗 [Link]
📞 Phone Number Intelligence
NumVerify – Check phone number validity
🔗 [Link]
Truecaller – Find registered names of phone numbers
🔗 [Link]
OSINTFramework – Collection of phone lookup resources
🔗 [Link]
🔍 Google Dorks (More Advanced)
Find plaintext passwords
intext:"password" filetype:log
Search for exposed email lists
site:[Link] "email" | "password"
Locate hidden admin panels
site:[Link] inurl:admin
📧 Email & Contact Information
Find all email formats used by a company:
site:[Link] "@[Link]"
Search for leaked emails:
"[Link]@[Link]" site:[Link] | site:[Link]
📱 Phone Numbers & Messaging Apps
Look for leaked phone numbers:
"+123456789" site:[Link] | site:[Link]
Find if a number is linked to Telegram:
site:[Link] "+123456789"
🔗 Social Media & Online Presence
Find hidden social media profiles:
"John Doe" site:[Link] | site:[Link] | site:[Link]
Locate images of a person:
site:[Link] "John Doe" | site:[Link] "John Doe"
🏢 Company Subdomains & Infrastructure
Find all subdomains of a company:
site:*.[Link] -www
Check for open directories:
intitle:"index of" site:[Link]
🔑 API Keys & Credentials
Find API keys leaked in GitHub repositories:
site:[Link] "api_key" | "AWS_SECRET" | "password" [Link]
Search for environment files:
site:[Link] ext:env "DB_PASSWORD" | "SECRET_KEY"
Leaks & Security Issues
Find leaked internal documents:
site:[Link] ext:pdf | ext:doc "confidential"
Look for mentions of a company in hacking forums:
"[Link]" site:[Link] | site:[Link]
🔍 Google Dorks for Personal OSINT
Find social media profiles:
"John Doe" site:[Link] | site:[Link] | site:[Link] | site:[Link]
Find email addresses linked to a person:
"John Doe" "@[Link]" | "@[Link]" | "@[Link]"
Search for phone numbers:
"John Doe" "contact" | "phone" | "mobile" | "WhatsApp" site:[Link] | site:[Link]
Find resume or CV:
"John Doe" filetype:pdf | filetype:doc "resume" | "curriculum vitae"
Look for mentions in data leaks:
"John Doe" site:[Link] | site:[Link] | site:[Link]
Check for forum posts:
"John Doe" site:[Link] | site:[Link] | site:[Link]
Search for person’s photos:
"John Doe" site:[Link] | site:[Link] | site:[Link]
Find Amazon wishlists:
"John Doe" site:[Link] "wishlist"
🔍 Google Dorks for Organizations
Find subdomains of a company:
site:*.[Link] -www
Look for internal documents:
site:[Link] ext:pdf | ext:doc | ext:ppt "confidential"
Search for employee emails:
"@[Link]" -www
Find job postings to understand technology stack:
"hiring" | "we are looking for" site:[Link]
Check for API keys and credentials on GitHub:
site:[Link] "[Link]" "api_key" | "password"
Find exposed databases:
site:[Link] ext:sql | ext:db | ext:json
Search for network devices and login portals:
site:[Link] inurl:login | inurl:admin
Look for configuration files:
site:[Link] ext:conf | ext:ini | ext:log
Check for past security incidents:
"[Link]" "data breach" | "leaked database"
🔍 Bing & Yandex Dorks for Personal & Organization OSINT
Find person’s profiles on lesser-known sites:
"John Doe" site:[Link] | site:[Link] | site:[Link]
Check for old cached pages:
site:[Link] cache:
Find hidden directories:
intitle:"index of" site:[Link]
OSINT for Social Media
🛠 Automating OSINT with APIs & Scrapers
🚀 Twitter (X) Advanced OSINT
# Extract tweets, likes, and followers via API
twint -u username --followers --following --tweets
# Search for leaked credentials in tweets
twint -s "password OR API_KEY OR AWS_SECRET_ACCESS_KEY"
# Extract Twitter followers without rate limits
twint -u username --followers --csv -o [Link]
# Find accounts linked to a phone number
twint -s "+1234567890"
# Monitor target’s tweets in real-time
twint -u username --rt
# Find tweets with geotagged locations
twint -s "keyword" --near "New York"
📘 Facebook Advanced OSINT
# Find all Facebook groups a user is in
google "site:[Link]/groups username"
# Extract hidden friends list from a Facebook profile
curl -s "[Link]access_token=YOUR_ACCESS_TOKEN"
# Scrape Facebook public posts by a user
facebook-scraper username --posts
# Search for leaked Facebook IDs in breaches
google "site:[Link] [Link]/[Link]?id="
# Find Facebook posts from a specific location
google "site:[Link] intext:'📍 New York'"
📸 Instagram Advanced OSINT
# Download all Instagram stories from a target
instaloader --stories username
# Extract Instagram metadata (location, device info, etc.)
instaloader --metadata-json username
# Find all Instagram profiles linked to an email
google "site:[Link] intext:email@[Link]"
# Extract geotagged Instagram posts
google "site:[Link] intext:'📍 London'"
# Find Instagram users with similar interests
google "site:[Link] intext:'#hacking #cybersecurity'"
💼 LinkedIn Advanced OSINT
# Scrape all employees from a company
linkedin-scraper -c "Google"
# Extract job postings and hidden email contacts
google "site:[Link]/jobs 'Cybersecurity Analyst' 'Remote'"
# Find LinkedIn profiles with leaked credentials
google "site:[Link]/in 'password' OR 'email@[Link]'"
# Identify LinkedIn users who worked for a company in the past
google "site:[Link]/in 'Worked at Google'"
# Find LinkedIn profiles linked to an IP address
shodan search "org:'LinkedIn Corp'"
📺 YouTube Advanced OSINT
# Download metadata from a YouTube channel
yt-dlp -J "[Link]
# Extract subtitles and hidden keywords from videos
yt-dlp --write-auto-sub --skip-download "[Link]v=VIDEO_ID"
# Find YouTube videos from a specific geolocation
google "site:[Link] intext:'📍 New York'"
# Extract YouTube video analytics & insights
google "site:[Link] youtube username"
# Find deleted YouTube videos
google "site:[Link] [Link]/watch?v="
🎵 TikTok Advanced OSINT
# Scrape TikTok videos from a user
tiktok-scraper user username -n 50 -d
# Extract TikTok comments and engagement analytics
tiktok-scraper user username -t comments
# Find TikTok accounts linked to an email
google "site:[Link] intext:email@[Link]"
# Download TikTok videos and metadata
tiktok-scraper video VIDEO_ID
# Extract hashtags and trends from TikTok
google "site:[Link] intext:'#OSINT #Cybersecurity'"
🎯 Extra OSINT Techniques
# Reverse search social media profile pictures
google "site:[Link] inurl:result [Link]"
# Find deep-web social media leaks
google "site:[Link] OR site:[Link] 'email@[Link]'"
# Extract hidden metadata from social media images
exiftool [Link]
# Search for hidden social media accounts using an IP
shodan search "ip:[Link]"
General Social Media OSINT
# Find accounts linked to an email or phone
whatsmyname -u email@[Link]
# Check username presence across 500+ platforms
python3 sherlock username
# Scrape all social media links from a website
python3 [Link] -u [Link]
# Identify hidden social media accounts of a target
theHarvester -d [Link] -b all
# Check for social media accounts linked to an IP
shodan search "org:'Target ISP' [Link]:'Login'"
🐧 Twitter (X) OSINT
# Get all tweets from a specific time range
twint -u username --since 2024-01-01 --until 2024-03-01
# Extract user email from tweets (if leaked)
twint -u username --email
# Find accounts created in a specific year
twint --year 2010
# Get tweets containing geolocation data
twint -u username --geocode
# Identify all hashtags used by a user
twint -u username --hashtags
# Extract all retweets of a specific user
twint -u username --retweets
💘 Facebook OSINT
# Find a user’s Facebook ID
curl -s "[Link]access_token=YOUR_ACCESS_TOKEN"
# Find Facebook pages associated with an email
google "site:[Link] intext:'email@[Link]'"
# Extract all friends of a target (if public)
google "site:[Link] intext:'Friends' username"
# Get public posts mentioning a keyword
google "site:[Link]/public keyword"
# Search for Facebook profiles linked to a phone number
google "site:[Link] intext:'+1234567890'"
📸 Instagram OSINT
# Find Instagram accounts linked to an email
google "site:[Link] intext:email@[Link]"
# Search for Instagram users by location
google "site:[Link] intext:'📍 Location'"
# Extract all captions from an Instagram profile
instaloader --comments --metadata-json profile_username
# Get all Instagram stories from a public account
instaloader --stories username
# Extract all tagged photos of a user
google "site:[Link] inurl:tags username"
💼 LinkedIn OSINT
# Find all employees of a company
theHarvester -d [Link] -b linkedin
# Extract LinkedIn profile email from commits
git log --pretty=format:"%ae" | sort -u
# Search for LinkedIn users by job title
google "site:[Link]/in 'Cybersecurity Researcher' 'India'"
# Extract all skills listed on a LinkedIn profile
google "site:[Link]/in username 'Skills'"
# Search for LinkedIn profiles linked to a phone number
google "site:[Link]/in intext:'+1234567890'"
📺 YouTube OSINT
# Find all videos uploaded by a user
google "site:[Link]/c/username"
# Extract metadata from a YouTube video
yt-dlp -J "[Link]
# Search for YouTube comments mentioning a keyword
google "site:[Link] 'keyword' 'comments'"
# Download all subtitles from a YouTube channel
yt-dlp --write-auto-sub --sub-lang en --skip-download "[Link]
🎵 TikTok OSINT
# Scrape TikTok videos from a user
tiktok-scraper user username -n 50 -d
# Find TikTok videos based on geolocation
google "site:[Link] intext:'📍 New York'"
# Extract TikTok user bio information
tiktok-scraper user username -d --store
🐮 Reddit OSINT
# Search for deleted Reddit posts
google "site:[Link] user username"
# Find Reddit users discussing a keyword
google "site:[Link] 'keyword' 'thread'"
# Extract all posts made by a Reddit user
reddit-scraper -s "username"
# Find Reddit users who commented on a specific post
google "site:[Link] inurl:comments 'keyword'"
🦉 GitHub OSINT
# Search for exposed API keys in GitHub
google "site:[Link] intext:'AWS_SECRET_ACCESS_KEY'"
# Find GitHub repositories linked to an email
google "site:[Link] intext:'email@[Link]'"
# Extract GitHub commits mentioning a keyword
github-search "keyword"
# Search for leaked credentials in GitHub
google "site:[Link] intext:'password='"
📞 Telegram OSINT
# Search for Telegram groups related to a topic
google "site:[Link] keyword"
# Extract messages from a public Telegram group
telegram-history-dump -c "[Link]
📲 WhatsApp OSINT
# Find public WhatsApp groups
google "site:[Link] keyword"
# Check if a phone number is linked to WhatsApp
curl -s "[Link]
Advanced OSINT Tricks
# Reverse search social media profile pictures
google "site:[Link] inurl:result [Link]"
# Find data leaks related to an email
dehashed -q email@[Link]
# Extract EXIF metadata from social media images
exiftool [Link]
General Social Media Search:
# Search for a username across multiple social media platforms
curl -s "[Link] | grep -Eo '[Link]=_-]+'
# Check if a username exists on multiple sites using Sherlock
python3 sherlock username
Twitter (X) OSINT:
# Search for tweets from a specific user containing a keyword
curl -s "[Link]
# Find all images posted by a Twitter user
twint -u username --media
# Search for email addresses in tweets
twint -s "@[Link] OR @[Link] OR @[Link]" --output [Link] --csv
Facebook OSINT:
# Search for a Facebook profile by name
google "site:[Link] inurl:profile Name"
# Find Facebook posts mentioning a keyword
google "site:[Link]/posts keyword"
Instagram OSINT:
# Extract Instagram user information
instaloader --login your_username profile_username
# Find all tagged photos of a user
google "site:[Link]/tagged/ username"
LinkedIn OSINT:
# Search for employees of a company
google "site:[Link]/in company name"
# Extract LinkedIn profile data
python3 [Link] -u "Company Name"
Reddit OSINT:
# Search for a Reddit user’s posts
google "site:[Link]/user/username"
# Find comments from a user
curl -s "[Link]
YouTube OSINT:
# Find all videos uploaded by a user
google "site:[Link]/user OR site:[Link]/channel username"
# Extract YouTube video metadata
yt-dlp --get-title --get-id --get-description --get-duration --get-upload-date "[Link]
TikTok OSINT:
# Search for a TikTok user's profile
google "site:[Link]/@username"
# Extract TikTok videos and metadata
tiktok-scraper user username -n 50 -d
Snapchat OSINT:
# Find public Snapchat stories
google "site:[Link] username"
# Search for Snapchat users by name
google "site:[Link] add username"
Pinterest OSINT:
# Find all Pinterest boards of a user
google "site:[Link]/username"
# Search for pins related to a keyword
google "site:[Link]/pin/ keyword"
GitHub OSINT:
# Search for sensitive data in a user's GitHub repo
google "site:[Link] username password OR api_key OR token"
# Find email addresses in GitHub commits
git log --pretty=format:"%ae" | sort -u
Telegram OSINT:
# Find Telegram groups related to a keyword
google "site:[Link] keyword"
# Check if a Telegram username exists
curl -s "[Link]
Discord OSINT:
# Find Discord servers related to a keyword
google "site:[Link] keyword"
# Search for Discord user profiles
google "site:[Link] users username"
WhatsApp OSINT:
# Search for public WhatsApp groups
google "site:[Link] keyword"
# Check if a phone number has a WhatsApp account
curl -s "[Link]
General OSINT Tools for Social Media:
# Find all social media profiles of a user
holehe username@[Link]
# Check username availability on multiple sites
python3 maigret username
# Extract metadata from an image (EXIF data)
exiftool [Link]
OSINT One-Liners for People Search & Email Investigation
🔍 People Search
Find social media profiles using name & location:
site:[Link] "John Doe" "New York"
Search for a username across multiple sites:
curl -s [Link] | grep -oP 'https?://\S+'
Check if a username exists on social networks (Sherlock):
python3 sherlock username
Google dork for public records:
"John Doe" site:[Link] OR site:[Link] OR site:[Link]
Find someone’s name linked to a phone number:
site:[Link] "123-456-7890"
📧 Email Investigation
Check if an email is in a data breach (Have I Been Pwned API):
curl -s "[Link] -H "hibp-api-key: YOUR_API_KEY"
Find email format for a company:
[Link] "[Link]"
Reverse lookup email to find associated accounts:
site:[Link] intext:"test@[Link]"
Search for email leaks using Google dorks:
"test@[Link]" filetype:txt OR filetype:csv OR filetype:log
Check email reputation (MXToolbox):
curl -s "[Link]action=blacklist:test@[Link]"
Find someone's old accounts via Wayback Machine:
curl -s "[Link]text&fl=original"
Get full details of a phone number (Numverify API):
curl -s "[Link]access_key=YOUR_API_KEY&number=+11234567890"
Find all images of a person using face recognition (PimEyes):
site:[Link] "John Doe"
Locate someone's forum activity using email hash (Gravatar):
curl -s "[Link] -n 'test@[Link]' | md5sum | awk '{print $1}')"
Find a person's connections & mentions on the web:
site:[Link] OR site:[Link] OR site:[Link] "John Doe"
Reverse image search a profile picture (Google Images):
curl -F "encoded_image=@[Link]" [Link]
💎 Email Investigation
Find email aliases used by a person:
site:[Link] OR site:[Link] "JohnDoe@[Link]"
Find an email in GitHub repositories:
site:[Link] "JohnDoe@[Link]"
Search for breached email data (Dehashed API):
curl -u "user:password" -X GET "[Link]query=test@[Link]"
Check SPF and DMARC records for an email domain (DKIM records sit under a selector-specific name, so they need the selector to query):
dig TXT [Link] | grep "spf"
dig TXT _dmarc.[Link] | grep "v=DMARC1"
Find subdomains linked to an email provider (for company investigation):
amass enum -d [Link]
Extract emails from a webpage using regex (wget & grep):
wget -qO- "[Link] | grep -E -o "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"
Generate possible email variations for a person:
echo "John Doe" | awk '{print tolower($1$2"@[Link]"),
tolower($1"."$2"@[Link]"),
tolower(substr($1,1,1)$2"@[Link]")}'
👤 Advanced People Search
Find hidden social media profiles using Google dorks:
site:[Link] | site:[Link] | site:[Link] "John Doe" "New York"
Find someone's aliases, old usernames, and accounts:
site:[Link] OR site:[Link] "JohnDoe"
Check if a phone number is linked to an online account (PhoneInfoga):
phoneinfoga scan -n "+11234567890"
Check for leaked personal details on public databases:
site:[Link] "John Doe" "Los Angeles"
Find associated domains with a name or business:
curl -s "[Link] | jq .
Reverse lookup a street address to find past owners:
site:[Link] OR site:[Link] OR site:[Link] "123 Main St, NY"
Find images linked to a name (Google Reverse Image):
site:[Link] "John Doe"
📧 Advanced Email Investigation
Extract emails from a website recursively:
theharvester -d [Link] -l 100 -b google
Find all mentions of an email in forum posts:
site:[Link] OR site:[Link] "test@[Link]"
Search for email leaks in plaintext files:
"test@[Link]" ext:txt OR ext:csv OR ext:log OR ext:sql
Find old email addresses linked to a domain:
curl -s "[Link]
Find the social media accounts linked to an email:
holehe test@[Link]
Check if an email is linked to a PayPal account:
curl -s -X POST -d "cmd=_notify-validate&receiver_email=test@[Link]" [Link]bin/webscr
Generate potential email variations for a target:
echo "John Doe" | awk '{print tolower($1$2"@[Link]"),
tolower($1"."$2"@[Link]"),
tolower(substr($1,1,1)$2"@[Link]")}'
Check SPF, DKIM, and DMARC for an email domain:
nslookup -q=TXT [Link]
Check if an email is being used in spam campaigns (Spamhaus API):
curl -s "[Link]
Find an old username linked to a person via Pastebin dumps:
site:[Link] "John Doe" OR "johndoe123"
Find hidden profiles & associated links using WHOIS history:
curl -s "[Link]apiKey=YOUR_API_KEY&domainName=[Link]"
Discover someone’s political donations (USA only):
site:[Link] "John Doe" "New York"
Check court records, arrest logs & criminal history:
site:[Link] OR site:[Link] OR site:[Link] "John Doe"
Find if a person has been involved in a lawsuit:
site:[Link] "John Doe" lawsuit OR defendant OR plaintiff
Reverse search job applications & résumés online:
site:[Link]/in OR site:[Link] "John Doe" "resume"
Find possible relatives or family members linked to a person:
site:[Link] "John Doe" "New York"
Get personal details leaked in public government databases:
site:[Link] "John Doe" OR "123-45-6789"
📧 Email Investigation - Advanced Tactics
Find websites & domains registered with an email:
curl -s "[Link]
Find hidden email leaks in public FTP servers:
intitle:"index of" "test@[Link]" ext:txt | ext:csv | ext:sql
Check if an email is linked to an Apple ID:
curl -X POST "[Link] -d "id=test@[Link]"
Find metadata in email headers (SPF, DKIM, DMARC validation):
exiftool [Link]
Check for compromised accounts in combo lists:
grep -i "test@[Link]" [Link]
Extract all emails from a PDF file:
pdfgrep -o "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" [Link]
Find email-associated subdomains via DNS:
subfinder -d [Link]
Check if an email is linked to cryptocurrency wallets:
site:[Link] OR site:[Link] "test@[Link]"
Find disposable or temporary emails linked to a person:
site:[Link] OR site:[Link] "test@[Link]"
Check for SMTP open relay on an email server:
swaks --to test@[Link] --server [Link] --data "Subject: Test"
Check if a person’s phone number is in a spam database:
curl -s "[Link]number=+11234567890&apikey=YOUR_API_KEY"
Find deleted social media posts (cached Google & Bing results):
cache:[Link]/johndoe OR cache:[Link]/johndoe
Search for user profiles in data breaches:
site:[Link] "John Doe" OR "test@[Link]"
Find out if someone has a Medium or Substack account:
site:[Link] OR site:[Link] "John Doe"
Check for public Amazon wishlists linked to a name:
site:[Link] "John Doe" wishlist
Search property ownership records (USA only):
site:[Link] OR site:[Link] "123 Main St, NY"
Check past travel history via flight logs (Private Jet owners):
site:[Link] OR site:[Link] "John Doe"
Look for someone's online dating profiles (Tinder, Bumble, etc.):
site:[Link] OR site:[Link] "John Doe"
Find a person's reviews on websites (Amazon, Yelp, TrustPilot):
site:[Link] OR site:[Link] OR site:[Link] "John Doe"
Check if a person has been mentioned in news articles:
site:[Link] OR site:[Link] OR site:[Link] "John Doe"
📧 Email Investigation - Pro Level
Find alternate emails linked to a domain using [Link]:
curl -s "[Link]domain=[Link]&api_key=YOUR_API_KEY"
Extract email addresses from a CSV file:
awk -F, '{print $2}' [Link] | grep -E -o "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"
Check if an email is linked to a Steam account:
curl -s "[Link]
Search old forum posts linked to an email (4chan, Reddit, etc.):
site:[Link] OR site:[Link] "test@[Link]"
Find if an email is listed in PGP key databases:
gpg --search-keys test@[Link]
Extract emails from a Word document (.docx):
strings [Link] | grep -E -o "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"
Find subdomains linked to an email provider:
amass enum -d [Link]
Check if an email is used in crypto forums (BitcoinTalk, etc.):
site:[Link] "test@[Link]"
Check if an email is linked to a Patreon account:
site:[Link] "test@[Link]"
Verify if an email has been involved in fraud cases:
site:[Link] OR site:[Link] "test@[Link]"
Find a person’s past usernames across multiple platforms:
site:[Link] OR site:[Link] OR site:[Link] "JohnDoe"
Check if a person is registered on genealogy websites:
site:[Link] OR site:[Link] OR site:[Link] "John Doe"
Look up past marriages & divorces (US only):
site:[Link] OR site:[Link] "John Doe"
Check public campaign donations (US politicians & donors):
site:[Link] OR site:[Link] "John Doe"
Find someone’s car registration details (some countries):
site:[Link] OR site:[Link] "John Doe"
Search for hidden YouTube channels linked to a person:
site:[Link] "John Doe"
Find someone’s frequently used locations via check-ins:
site:[Link] OR site:[Link] "John Doe"
Look up private business records or LLC registrations:
site:[Link] "John Doe" OR "Doe Enterprises"
Check if a person has published academic papers or research:
site:[Link] OR site:[Link] "John Doe"
Find an author’s books, blog posts, or past writings:
site:[Link] OR site:[Link] OR site:[Link] "John Doe"
📧 Email Investigation - Next Level Tactics
Check if an email is linked to a Facebook account:
curl -X POST -d "email=test@[Link]" [Link]
Find if an email is mentioned in Telegram groups:
site:[Link] OR site:[Link] "test@[Link]"
Look up emails linked to an IP address using AbuseIPDB:
curl -s "[Link]ipAddress=[Link]&apiKey=YOUR_API_KEY"
Extract email addresses from HTML source code of a website:
curl -s "[Link] | grep -oP '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
Find all emails ever used on a specific website:
site:[Link] "email"
Search for past email leaks using HIBP API:
curl -s "[Link]
Generate common email permutations for OSINT scanning:
python3 [Link] -n "John Doe" -d [Link]
Check if an email is linked to a Zoom account:
curl -X POST "[Link] -d "email=test@[Link]"
Find if an email is associated with a LinkedIn account:
curl -X POST "[Link] -d "session_key=test@[Link]"
Discover if an email is linked to an Instagram account:
curl -X POST "[Link] -d "email_or_username=test@[Link]"
🚀 Twitter (X) Advanced OSINT
# Extract tweets, likes, and followers via API
twint -u username --followers --following --tweets
# Search for leaked credentials in tweets
twint -s "password OR API_KEY OR AWS_SECRET_ACCESS_KEY"
# Extract Twitter followers without rate limits
twint -u username --followers --csv -o [Link]
# Find accounts linked to a phone number
twint -s "+1234567890"
# Monitor target’s tweets in real-time
twint -u username --rt
# Find tweets with geotagged locations
twint -s "keyword" --near "New York"
📘 Facebook Advanced OSINT
# Find all Facebook groups a user is in
google "site:[Link]/groups username"
# Extract hidden friends list from a Facebook profile
curl -s "[Link]access_token=YOUR_ACCESS_TOKEN"
# Scrape Facebook public posts by a user
facebook-scraper username --posts
# Search for leaked Facebook IDs in breaches
google "site:[Link] [Link]/[Link]?id="
# Find Facebook posts from a specific location
google "site:[Link] intext:'📍 New York'"
📸 Instagram Advanced OSINT
# Download all Instagram stories from a target
instaloader --stories username
# Extract Instagram metadata (location, device info, etc.)
instaloader --metadata-json username
# Find all Instagram profiles linked to an email
google "site:[Link] intext:email@[Link]"
# Extract geotagged Instagram posts
google "site:[Link] intext:'📍 London'"
# Find Instagram users with similar interests
google "site:[Link] intext:'#hacking #cybersecurity'"
💼 LinkedIn Advanced OSINT
# Scrape all employees from a company
linkedin-scraper -c "Google"
# Extract job postings and hidden email contacts
google "site:[Link]/jobs 'Cybersecurity Analyst' 'Remote'"
# Find LinkedIn profiles with leaked credentials
google "site:[Link]/in 'password' OR 'email@[Link]'"
# Identify LinkedIn users who worked for a company in the past
google "site:[Link]/in 'Worked at Google'"
# Find LinkedIn profiles linked to an IP address
shodan search "org:'LinkedIn Corp'"
📺 YouTube Advanced OSINT
# Download metadata from a YouTube channel
yt-dlp -J "[Link]
# Extract subtitles and hidden keywords from videos
yt-dlp --write-auto-sub --skip-download "[Link]v=VIDEO_ID"
# Find YouTube videos from a specific geolocation
google "site:[Link] intext:'📍 New York'"
# Extract YouTube video analytics & insights
google "site:[Link] youtube username"
# Find deleted YouTube videos
google "site:[Link] [Link]/watch?v="
🎯 Extra OSINT Techniques
# Reverse search social media profile pictures
google "site:[Link] inurl:result [Link]"
# Find deep-web social media leaks
google "site:[Link] OR site:[Link] 'email@[Link]'"
# Extract hidden metadata from social media images
exiftool [Link]
# Search for hidden social media accounts using an IP
shodan search "ip:[Link]"
General Social Media OSINT
# Find accounts linked to an email or phone
whatsmyname -u email@[Link]
# Check username presence across 500+ platforms
python3 sherlock username
# Scrape all social media links from a website
python3 [Link] -u [Link]
# Identify hidden social media accounts of a target
theHarvester -d [Link] -b all
# Check for social media accounts linked to an IP
shodan search "org:'Target ISP' [Link]:'Login'"
🔧 Twitter (X) OSINT
# Get all tweets from a specific time range
twint -u username --since 2024-01-01 --until 2024-03-01
# Extract user email from tweets (if leaked)
twint -u username --email
# Find accounts created in a specific year
twint --year 2010
# Get tweets containing geolocation data
twint -u username --geocode
# Identify all hashtags used by a user
twint -u username --hashtags
# Extract all retweets of a specific user
twint -u username --retweets
👨👩👦 Facebook OSINT
# Find a user’s Facebook ID
curl -s "[Link]access_token=YOUR_ACCESS_TOKEN"
# Find Facebook pages associated with an email
google "site:[Link] intext:'email@[Link]'"
# Extract all friends of a target (if public)
google "site:[Link] intext:'Friends' username"
# Get public posts mentioning a keyword
google "site:[Link]/public keyword"
# Search for Facebook profiles linked to a phone number
google "site:[Link] intext:'+1234567890'"
📸 Instagram OSINT
# Find Instagram accounts linked to an email
google "site:[Link] intext:email@[Link]"
# Search for Instagram users by location
google "site:[Link] intext:'📍 Location'"
# Extract all captions from an Instagram profile
instaloader --comments --metadata-json profile_username
# Get all Instagram stories from a public account
instaloader --stories username
# Extract all tagged photos of a user
google "site:[Link] inurl:tags username"
💼 LinkedIn OSINT
# Find all employees of a company
theHarvester -d [Link] -b linkedin
# Extract LinkedIn profile email from commits
git log --pretty=format:"%ae" | sort -u
# Search for LinkedIn users by job title
google "site:[Link]/in 'Cybersecurity Researcher' 'India'"
# Extract all skills listed on a LinkedIn profile
google "site:[Link]/in username 'Skills'"
# Search for LinkedIn profiles linked to a phone number
google "site:[Link]/in intext:'+1234567890'"
📺 YouTube OSINT
# Find all videos uploaded by a user
google "site:[Link]/c/username"
# Extract metadata from a YouTube video
yt-dlp -J "[Link]
# Search for YouTube comments mentioning a keyword
google "site:[Link] 'keyword' 'comments'"
# Download all subtitles from a YouTube channel
yt-dlp --write-auto-sub --sub-lang en --skip-download "[Link]
🎵 TikTok OSINT
# Scrape TikTok videos from a user
tiktok-scraper user username -n 50 -d
# Find TikTok videos based on geolocation
google "site:[Link] intext:'📍 New York'"
# Extract TikTok user bio information
tiktok-scraper user username -d --store
💌 WhatsApp OSINT
# Find public WhatsApp groups
google "site:[Link] keyword"
# Check if a phone number is linked to WhatsApp
curl -s "[Link]
🔍 Advanced OSINT Tricks
# Find data leaks related to an email
dehashed -q email@[Link]
# Extract EXIF metadata from social media images
exiftool [Link]
📌 Extract Geolocation from Metadata
🔹 Check image metadata for GPS coordinates
exiftool [Link] | grep -i "GPS"
🔹 Extract metadata from videos (if available)
ffmpeg -i video.mp4 -f ffmetadata [Link]
🔹 Check metadata of PDFs for location info
pdfinfo [Link]
📍 IP Geolocation
🔹 Find location from an IP address
curl -s "[Link]
🔹 More detailed IP location data (including ISP & ASN)
curl -s "[Link]
🔹 Check IP geolocation with MaxMind
geoiplookup [Link]
🔹 Get approximate IP location from Shodan
shodan host [Link]
🗺 Reverse Geocoding & Mapping
🔹 Find address from GPS coordinates
curl -s "[Link]format=json&lat=40.748817&lon=-73.985428"
🔹 Find nearby locations using OpenStreetMap
curl -s "[Link]q=Eiffel+Tower&format=json"
🔹 Search places via Google Maps API
curl -s "[Link]address=Eiffel+Tower&key=YOUR_API_KEY"
🔹 Find historical satellite images
[Link]
📌 Wi-Fi, Bluetooth, & Mobile Data OSINT
🔹 Find location from Wi-Fi BSSID (if known)
curl "[Link]
🔹 Check if a Wi-Fi SSID has been mapped
curl -s "[Link]v=1.1&bssid=XX:XX:XX:XX:XX:XX"
🔹 Check Bluetooth device locations (if tracked)
[Link]identifiers/
🔹 Check cell tower geolocation (for mobile tracking)
curl -s "[Link]mcc=310&mnc=410&lac=7033&cellid=17811&key=YOUR_API_KEY"
📍 Social Media Geolocation OSINT
🔹 Find location from Instagram post (if geotagged)
[Link]
🔹 Find location from Twitter post (if enabled)
[Link]
🔹 Extract location from Facebook check-ins
[Link]
🔹 Reverse search a Snapchat map story
[Link]
🚗 Vehicle & Transport Tracking
🔹 Track Uber/Lyft rides (if shared link available)
[Link]
🔹 Look up a car’s geotagged photos (if available)
[Link]
🔹 Find ship locations (via AIS data)
[Link]
🔹 Find aircraft locations (real-time flight tracking)
[Link]
🛰 Satellite & Aerial OSINT
🔹 View live satellite imagery (if available)
[Link]
🔹 Search for satellite images from past years
[Link]
🔹 NASA Earth data for environmental tracking
[Link]
📌 Extract GPS from images (Exif metadata)
exiftool [Link] | grep -E "GPS Latitude|GPS Longitude"
📍 Reverse image search location (Google)
curl -F 'encoded_image=@[Link]' [Link]
🗺 Find location from Wi-Fi BSSID
curl "[Link]
📍 Find location from an IP address
curl -s "[Link]
🌍 Get geolocation from phone number
python3 [Link] -n +1234567890
📌 Check Google Maps Timeline (if accessible)
[Link]
🛰 Get satellite images of a location
[Link]
📍 Reverse Geocode Coordinates
curl -s "[Link]format=json&lat=LAT&lon=LON"
🚗 Track Uber/Lyft ride details (if link available)
[Link]
🌐 Find location from social media posts
[Link]
# Search for keywords on Ahmia (Tor Search Engine)
torify curl -s "[Link]
# Search on OnionLand (Dark Web Search Engine)
torify curl -s "[Link]
# Extract all .onion links from a webpage
torify curl -s "[Link] | grep -oP '(?<=href=")[Link]+\.onion'
# Find indexed .onion sites on DuckDuckGo
torify curl -s "[Link] your_keyword"
# Check if a dark web site is online
torify curl -Is [Link] | head -n 1
Paste Sites OSINT One-Liners
# Search for leaked credentials on Pastebin
curl -s "[Link] your_keyword"
# Scrape Pastebin for recent pastes (requires API key)
curl -s "[Link]
# Check for mentions of an email in recent pastes
curl -s "[Link]your_email@[Link]"
# Find pastes mentioning a specific domain
curl -s "[Link][Link]"
# Check for leaked credentials using DeHashed (API required)
curl -s "[Link] -u "your_api_key"