OSINT Deep Dive
Quick Reference
| Command | What It Does |
|---|---|
| `whois example.com` | Domain registration details |
| `dig example.com ANY` | All DNS record types |
| `dig +short example.com TXT` | SPF/DKIM/verification records |
| `curl -s https://web.archive.org/web/*/example.com` | Check Wayback Machine availability |
| `exiftool photo.jpg` | Extract file metadata (GPS, camera, author) |
| `exiftool document.pdf` | Extract document metadata |
Google Dork Operators
| Operator | What It Does | Example |
|---|---|---|
| `site:` | Restrict to a domain | `site:example.com` |
| `filetype:` | Restrict to file type | `filetype:pdf` |
| `inurl:` | Term must appear in URL | `inurl:admin` |
| `intitle:` | Term must appear in page title | `intitle:"index of"` |
| `intext:` | Term must appear in page body | `intext:password` |
| `cache:` | View Google’s cached version | `cache:example.com` |
| `"exact phrase"` | Match exact wording | `"internal use only"` |
| `-term` | Exclude a term | `site:example.com -www` |
OSINT Tools
| Tool | Purpose |
|---|---|
| whois | Domain registration records |
| dig / nslookup | DNS queries |
| theHarvester | Emails, names, subdomains from public sources |
| Shodan | Search engine for internet-connected devices |
| Maltego | Visual link analysis for OSINT data |
| Recon-ng | Modular OSINT framework |
| Hunter.io | Find email addresses by domain |
| Wayback Machine | Historical website snapshots |
| Google Dorks | Advanced search operators |
| FOCA | Metadata extraction from documents |
Email Header Fields
| Header | What It Reveals |
|---|---|
| `Received:` | Each server the email passed through (read bottom to top) |
| `From:` | Display sender (easily spoofed) |
| `Return-Path:` | Where bounces go (harder to spoof) |
| `X-Originating-IP:` | Sender’s IP address (if present) |
| `Authentication-Results:` | SPF and DKIM pass/fail status |
| `X-Mailer:` | Email client software used |
| `Message-ID:` | Unique ID — domain part reveals sending infrastructure |
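The header fields above, applied to triaging a suspicious message: this added example (not part of the original reference) parses a raw message with Python's standard `email` module, lists the `Received:` hops in travel order, and compares the `From:`, `Return-Path:` and `Message-ID:` domains. The message, the function names `domain` and `triage`, and all hosts and addresses are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not real traffic); hosts and IPs are placeholders.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by inbox.example.org with ESMTP id C3; Mon, 01 Jan 2024 10:00:05 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.example.org with ESMTP id B2; Mon, 01 Jan 2024 10:00:03 +0000
Received: from [203.0.113.5] (helo=workstation)
    by relay.example.net with ESMTPSA id A1; Mon, 01 Jan 2024 10:00:01 +0000
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net;
    dkim=fail header.d=example.com
From: "IT Support" <support@example.com>
Message-ID: <abc123@relay.example.net>
X-Mailer: ExampleMailer 1.0
Subject: test

body
"""

def domain(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg = email.message_from_string(raw)
    # Each server prepends its Received line, so reverse the list to get
    # the hops in the order the message actually travelled.
    hops = [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    results = dict(re.findall(r"\b(spf|dkim)=(\w+)", auth))
    from_dom, bounce_dom = domain(msg["From"]), domain(msg["Return-Path"])
    return {
        "hops": hops,
        "from_domain": from_dom,
        "return_path_domain": bounce_dom,
        "from_matches_return_path": from_dom == bounce_dom,
        "spf": results.get("spf"),
        "dkim": results.get("dkim"),
        "message_id_domain": domain(msg["Message-ID"]),
    }

if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key}: {value}")
```

Only the `Received:` and `Authentication-Results:` lines added by your own receiving servers are trustworthy; anything below them was supplied by the sender and can be forged.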