Show Menu

OSINT and Tools Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Google Search Engine Directives

Limits results ot a target site or domain
Searches for keywords within the URL of a page
Searches for keywords within the title of a page.
Identifies sites that link to our target, providing info that is useful for social engine­ering and related attacks
Searches for files with an identi­fiable extension
Bing also supports site:, inurl:, intitle: and the filetype: direct­ives.

Google Modifiers

"­sur­roung strings in double quotes­"
Literal matches for the string
- = hyphen, -site:­­mai­, or -omitted
omits pages or pages with specific strings
* = asterick
Used as a keyword wildcard
Bing uses Not instead of the "­-"

Google Hacking Database (GHDB)

Is a repository for search syntax, known as "­Google Dorks", which can find intere­sting inform­ation. Works with most search engines with proper syntax adjust­ments.

Automate Google Searches

Google SOAP API key required for some automation tools but Google stopped issuing new keys in 12/06
Google Shunning begins with banning you from a particular search, to a 2 hour ban, to an IP ban.

SPUD by SensePost

Converts Google SOAP API requests into general searches of the Google website.
Uses "­scr­een­-sc­rap­ing­" to collect, parse, and return the results.
Violates Google's ToS.
Originally SenseP­ost's Aura but that was deprec­ated.


"The world's first search engine for Intern­et-­con­nected device­s."
A plethora of devices can be found on Shodan including medical devices, traffic management systems, automotive controls, traffic light controls, HVAC/e­nvi­ronment controls, power regula­tor­s/UPSs, securi­ty/­access controls including CCTV and webcams, serial port servers and data radios.


Search all documents in a domain
Download them
Analyze them
Produce list of metadata
Metadata collected includes users, folders, printers, software, emails, OS, password, and servers.
Supports numerous document types: doc, ppt, pps, xls, docx, pptx, ppsx, xlsx, sxw, scx, sxi, odt, ods, odg, odp, pdf, wpd, svg, svgz, indd, rdp and ica
Finger­pri­nting Organi­zations with Collected Archives is primarily a document metadata search tool, Pro is now called "­Final Versio­n."


Gathers inform­ation from target domains via public inform­ation sources including email addresses, IP addresses and domain names, and ports and banners.
Uses search engines, PGP key servers and Shodan
Uses screen scraping and API calls to pull results from search engines.


Inform­ation mapping tool that finds relati­onships among people, sites and companies
Uses "­tra­nsf­orm­s" to build a hierarchy of related inform­ation
Starting points include domain, person's name, phone number, etc.
Domain to PGP keys, Person to email, Domain to phone number
Community Edition limita­tions: not for commercial use, max 12 results per transform, need to register on website to use, API keys expire every couple days, runs slower, no encryp­tion, not updated until next major version, no end user support, no updates of transforms on server sdie, only discover from Paterva servers.


>50 modules available
0 modules overtly for mapping phase
Cache Snoop checks the DNS cache for previously resolved names, Intere­sting Files looks for files of interest associated with the target
XPATH and Command Injection attacks available
Web reconn­ais­sance framework including dozens of modules that interact with Internet services to obtain inform­ation. Reporting modules consol­idate and export results, as well as discovery and exploi­tation modules. Some modules require API keys which may cost money. Use show info to get inform­ation about a module. 4.x update provides a signif­icant overhaul especially of the layout and structure.