The best free OSINT tools in 2026 are Shodan for device discovery, Sherlock and Maigret for usernames, theHarvester and Holehe for email and domain recon, VirusTotal for file and URL reputation, and ExifTool for metadata. All are genuinely free, and most are open-source. The ranked list below covers the 20 free OSINT tools that do the most investigative work without a paid licence, grouped so you can pick by task.
How we ranked these: we weighed how much investigative work each tool does for free, the breadth of public data it reaches, accuracy (low false positives), and how quickly a newcomer can get a result — favouring open-source and no-cost tiers. The pricing label on each entry reflects its public plans as of 2026.
- Shodan — the search engine for internet-connected devices. Maps exposed servers, webcams, databases, and industrial systems worldwide; the fastest way to see a target's external attack surface. Cost: Freemium (free account; deeper queries paid).
- Sherlock — checks a username across 400+ platforms in one command. The standard first step in any username investigation. Pair it with our username search. Cost: Free, open-source.
- Maigret — Sherlock's deeper successor. Checks 3,000+ sites and extracts profile details into a structured dossier. Slower but far more thorough. Cost: Free, open-source.
- theHarvester — pulls emails, subdomains, hosts, and employee names from 30+ public sources. The classic opening move for domain reconnaissance. Cost: Free, open-source.
- Holehe — takes an email address and silently checks 120+ sites for registration via password-reset flows. Feed results into our email lookup. Cost: Free, open-source.
- OWASP Amass — the most complete free subdomain enumeration tool, combining passive sources (certificate transparency logs, web archives, third-party APIs, scraping) with active DNS techniques. Complements our domain OSINT. Cost: Free, open-source.
- VirusTotal — checks files, URLs, domains, and IPs against 70+ antivirus engines and adds passive DNS, WHOIS, and reputation data. The default for malware and link analysis. Cost: Freemium (free lookups; API tiers paid).
- ExifTool — reads and writes metadata across 400+ file formats, surfacing GPS coordinates, timestamps, and device fingerprints. The industry standard for file forensics. Cost: Free, open-source.
- SpiderFoot — automates broad reconnaissance across 200+ modules with a clean web GUI. Best when you want results without chaining tools manually. Cost: Freemium (open-source free; hosted HX paid).
- Censys — the leading Shodan alternative for attack-surface visibility: asset discovery, certificate tracking, and network insights, with daily scans. Cost: Freemium (~250 free queries/month).
- PhoneInfoga — the leading free phone-number recon tool. Identifies carrier, region, line type, and VoIP footprint. Works alongside our phone lookup. Cost: Free, open-source.
- WhatsMyName — a browser-based username enumerator across 732 community-vetted sites. No install, low false-positive rate — the easiest entry point for non-technical investigators. Cost: Free.
- Have I Been Pwned — checks an email or password against billions of breached records. The canonical breach reference. See our breach exposure tools. Cost: Free.
- DeHashed — goes beyond Have I Been Pwned, searching leaked credentials, names, addresses, and phone numbers across breach datasets. Cost: Freemium (preview free; full results paid).
- GHunt — investigates the public surface of a Google account from an email or document ID: profile, reviews, and linked services. Cost: Free, open-source.
- DNSDumpster — maps a domain's DNS records, subdomains, and hosting infrastructure into a clear visual, free and instant. A fast first pass before Amass. Cost: Free.
- ProjectDiscovery suite (subfinder · httpx · nuclei) — three free Go tools that chain into one pipeline, `subfinder -d target.com | httpx | nuclei`, to discover subdomains, probe live hosts, and scan with community templates. Cost: Free, open-source.
- Google Earth Pro — for geolocation and visual verification: historical satellite imagery, a timeline slider, distance measurement, and 3D terrain to confirm where a photo was taken. Cost: Free.
- Maltego (Basic plan) — the standard for visual link analysis. The free Basic plan maps relationships between people, domains, and infrastructure, with capped monthly credits. See the Maltego section below. Cost: Free tier (paid upgrades).
- Recon-ng — a modular, scriptable recon framework with a marketplace of data modules. Suits analysts who want repeatable, automatable workflows. Cost: Free, open-source.
Ready to start? Browse the full tools directory below, generate advanced queries with the Dork Generator, and widen coverage with the Search Engine Directory.
What Are the Most Important OSINT Tools in 2026?
OSINT tools have evolved from simple scripts into reconnaissance platforms used by 82% of cybersecurity professionals (SANS 2024 OSINT Survey). The global OSINT market is projected to reach $29.19 billion by 2029 (MarketsandMarkets). This directory catalogs the most actively maintained tools by category.
Reconnaissance Frameworks
Full-stack recon frameworks like SpiderFoot, Maltego, and Recon-ng automate the process of gathering intelligence from hundreds of data sources simultaneously. SpiderFoot scans IPs, domains, emails, and usernames across 200+ modules with a web GUI. Maltego provides powerful visual link analysis — mapping relationships between entities that would be invisible when examining data separately. reconFTW chains together 50+ tools to perform comprehensive domain reconnaissance in a single command.
| Framework | Sources | Interface | Best For |
| --- | --- | --- | --- |
| SpiderFoot | 200+ modules | Web GUI | Automated broad reconnaissance |
| Maltego | Transforms + Transform Hub | Desktop (Java) | Visual link analysis, relationship mapping |
| Recon-ng | Marketplace modules | CLI (Python) | Modular, scriptable recon workflows |
| reconFTW | 50+ chained tools | CLI (Bash) | Full-auto domain reconnaissance |
Username & Social Media OSINT
Sherlock and Maigret are the two dominant username enumeration tools. Sherlock checks 400+ platforms quickly and simply. Maigret goes deeper, checking 3,000+ sites and extracting profile data to build comprehensive dossiers. WhatsMyName provides a web-based alternative. For platform-specific analysis, Instaloader downloads Instagram posts and profiles together with their metadata, Toutatis pulls account details (including obfuscated email and phone hints) from Instagram profiles through a logged-in session, and Osintgram provides a full Instagram reconnaissance toolkit. Toutatis and Osintgram need a logged-in Instagram account, and all three lean on undocumented endpoints, so they break whenever Instagram changes them and the account used for scanning can be rate-limited or suspended.
Email & Phone Intelligence
Holehe checks whether an email is registered on 120+ platforms by probing password-reset flows and comparing the responses. theHarvester gathers emails, subdomains, and hosts from 30+ public sources. GHunt investigates the public footprint of a Google account (profile, reviews, linked services) starting from an email address or a Google Docs ID. For phone numbers, PhoneInfoga scans international numbers for carrier, location, and VoIP data, while Ignorant checks whether a phone number is registered on a handful of platforms (Instagram and Snapchat among them).
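The response-differential check that Holehe (password-reset forms) and Sherlock/Maigret (profile URLs) are built on, as an added example rather than code from any of those projects. The site names, wording patterns and canned responses are constructed for illustration. The part worth copying is the control probe: a second request for an identifier that cannot exist, which turns a site that answers "we have emailed you" for every address into an inconclusive result instead of a false positive, and turns a 429 into a stop signal instead of a verdict.

```python
"""Account-existence check by response differential, the technique behind
Holehe (password-reset forms) and Sherlock/Maigret (profile URLs).

Added example, not code from any of those projects. Site names, wording
patterns and canned responses below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Hypothetical per-site rules: what a site's reset form says for a known
# versus an unknown identifier. "absent" is None when the site never
# distinguishes the two cases in its wording.
SITE_RULES: Dict[str, Dict[str, Optional[re.Pattern]]] = {
    "forum.example": {
        "present": re.compile(r"reset link has been sent", re.I),
        "absent": re.compile(r"no account with that e-?mail", re.I),
    },
    "shop.example": {
        # Privacy-aware site: identical message whether or not the address exists.
        "present": re.compile(r"if an account exists, we have e-?mailed", re.I),
        "absent": None,
    },
}


def classify(site: str, target: Response, control: Response) -> str:
    """Compare the target's response with a control probe for an identifier
    that cannot exist. Returns registered, not_registered, rate_limited or
    inconclusive; only the first two are evidence."""
    if target.status == 429 or control.status == 429:
        return "rate_limited"          # back off; any verdict now is noise
    rules = SITE_RULES[site]
    present, absent = rules["present"], rules["absent"]
    target_hit = bool(present.search(target.body))
    control_hit = bool(present.search(control.body))
    if target_hit and control_hit:
        return "inconclusive"          # the site does not leak existence
    if target_hit:
        return "registered"
    if absent is not None and absent.search(target.body):
        return "not_registered"
    return "inconclusive"              # new layout, captcha or WAF page


def check_identifier(site: str, identifier: str,
                     fetch: Callable[[str, str], Response],
                     control: str = "zq7x3v9k2@nonexistent.invalid") -> str:
    """Probe the site for the target and for the control identifier. fetch
    is injected so the logic runs offline here and can be rate-limited and
    proxied in a real client."""
    return classify(site, fetch(site, identifier), fetch(site, control))


# Constructed canned responses standing in for live password-reset forms.
_KNOWN = {
    ("forum.example", "alice@example.com"):
        Response(200, "A reset link has been sent to your inbox."),
    ("shop.example", "alice@example.com"):
        Response(200, "If an account exists, we have emailed a reset link."),
}
_UNKNOWN = {
    "forum.example": Response(200, "No account with that email address."),
    "shop.example": Response(200, "If an account exists, we have emailed a reset link."),
    "throttled.example": Response(429, "Too many requests"),
}


def fake_fetch(site: str, identifier: str) -> Response:
    """Offline stand-in for an HTTP client."""
    return _KNOWN.get((site, identifier), _UNKNOWN[site])


if __name__ == "__main__":
    for site in ("forum.example", "shop.example", "throttled.example"):
        for who in ("alice@example.com", "nobody@example.com"):
            print(f"{site:18} {who:20} {check_identifier(site, who, fake_fetch)}")
```

In a real client `fetch` would POST to the site's reset form with a delay between requests. The rules dictionary is the part that rots: re-verify each pattern against one identifier you know is registered and one you know is not before trusting a run, which is exactly the maintenance burden that makes WhatsMyName's community-vetted list valuable.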
Domain & Infrastructure
OWASP Amass, an OWASP (Open Worldwide Application Security Project) project, performs deep subdomain enumeration by combining passive sources (certificate transparency logs, web archives, third-party APIs, scraping) with active DNS techniques such as brute-forcing and name alterations. Subfinder handles fast passive subdomain discovery. httpx probes discovered hosts for status codes, titles, and technology detection. Nuclei scans for vulnerabilities using community-maintained templates. Shodan and Censys index internet-connected devices globally, revealing exposed servers, webcams, and industrial systems. These tools are often chained together: `subfinder -d target.com -silent | httpx -silent | nuclei`, where each tool's -silent flag keeps its banner and progress output out of the next tool's input.
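The pipeline above driven from Python with the findings triaged afterwards, as an added example and not ProjectDiscovery's own code. It assumes subfinder, httpx and nuclei are on PATH and a nuclei release that understands -jsonl (older releases used -json); the findings it triages at the bottom are constructed, not real scan output, and the template IDs are hypothetical. subfinder and httpx only look up and fetch; nuclei sends probe requests that look like attacks, so point it only at assets you are authorised to test.

```python
"""Drive subfinder -> httpx -> nuclei from Python and triage the findings.

Added example, not ProjectDiscovery code. Assumes all three binaries are on
PATH and a nuclei release that understands -jsonl (older releases used
-json). SAMPLE_JSONL at the bottom is constructed, not real scan output."""
import json
import subprocess
from collections import Counter, defaultdict
from typing import Dict, List

SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]


def run_pipeline(domain: str, severities: str = "medium,high,critical") -> str:
    """Run the three stages with -silent so banners and progress lines never
    reach the next stage's stdin; returns nuclei's JSONL output."""
    subs = subprocess.run(["subfinder", "-d", domain, "-silent"],
                          capture_output=True, text=True, check=True)
    live = subprocess.run(["httpx", "-silent"], input=subs.stdout,
                          capture_output=True, text=True, check=True)
    scan = subprocess.run(["nuclei", "-silent", "-jsonl", "-severity", severities],
                          input=live.stdout, capture_output=True, text=True, check=True)
    return scan.stdout


def parse_findings(jsonl: str) -> List[dict]:
    """One JSON object per line; blank or malformed lines (a stray warning,
    a truncated write) are skipped rather than aborting the whole triage."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return findings


def _rank(severity: str) -> int:
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)


def triage(findings: List[dict]) -> Dict:
    """Deduplicate on (host, template-id) so a template that matches several
    paths on one host counts once, tally by severity, and order hosts by
    their worst finding."""
    seen = set()
    by_severity: Counter = Counter()
    host_sevs = defaultdict(set)
    for finding in findings:
        key = (finding.get("host"), finding.get("template-id"))
        if key in seen:
            continue
        seen.add(key)
        sev = finding.get("info", {}).get("severity", "unknown").lower()
        by_severity[sev] += 1
        host_sevs[key[0]].add(sev)
    hosts = sorted(host_sevs, key=lambda h: min(_rank(s) for s in host_sevs[h]))
    return {"unique": len(seen), "by_severity": dict(by_severity), "hosts": hosts}


# Constructed sample in nuclei's JSONL shape; template IDs are hypothetical.
SAMPLE_JSONL = "\n".join([
    json.dumps({"template-id": "example-missing-headers", "host": "https://www.target.example",
                "matched-at": "https://www.target.example",
                "info": {"name": "Missing security headers", "severity": "info"}}),
    json.dumps({"template-id": "example-default-creds", "host": "https://admin.target.example",
                "matched-at": "https://admin.target.example/login",
                "info": {"name": "Default credentials", "severity": "high"}}),
    json.dumps({"template-id": "example-default-creds", "host": "https://admin.target.example",
                "matched-at": "https://admin.target.example/manager/login",
                "info": {"name": "Default credentials", "severity": "high"}}),
    "WARN: this line is not JSON and must be skipped",
    json.dumps({"template-id": "example-exposed-config", "host": "https://dev.target.example",
                "matched-at": "https://dev.target.example/config.bak",
                "info": {"name": "Exposed config file", "severity": "medium"}}),
    json.dumps({"template-id": "example-debug-endpoint", "host": "https://admin.target.example",
                "matched-at": "https://admin.target.example/debug",
                "info": {"name": "Debug endpoint", "severity": "low"}}),
])


if __name__ == "__main__":
    print(triage(parse_findings(SAMPLE_JSONL)))
```

Dedup matters more than it looks: one weak template can fire on dozens of paths of a single host and drown the one host with a real high-severity hit, which is why the host ordering uses the worst finding per host rather than the count.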
Metadata, Geolocation & Scraping
ExifTool, created by Phil Harvey, is the industry standard for extracting metadata from more than 400 file formats, including images, PDFs, and office documents: GPS coordinates, timestamps, device make and model, and the software used to edit the file. Metagoofil extracts metadata from documents found on target domains. FOCA, a Windows-only tool, maps network infrastructure from document metadata. For geolocation, Creepy gathers location data from social media, though it has been unmaintained for years, while GeoSpy uses AI to estimate photo locations. Web scraping frameworks like Scrapy and Playwright enable custom data extraction at scale. One caveat: most social networks strip EXIF on upload, so a photo pulled from a platform usually carries no GPS data; metadata survives in original files such as email attachments, cloud shares, and office documents.
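How the GPS and timestamp values ExifTool surfaces are actually stored in the file and turned into something an investigator can use, as an added example (not ExifTool's code). EXIF keeps each coordinate as three rationals (degrees, minutes, seconds) plus a hemisphere tag, and dates as "YYYY:MM:DD HH:MM:SS" in camera-local time with an optional offset tag; the sample tag dictionary below is constructed. ExifTool's -n switch prints the decimal form directly; the conversion is spelled out here to show the sign handling and the two failure modes a quick script gets wrong: a scrubbed file with no GPS block, and damaged values.

```python
"""Raw EXIF GPS and date tags -> decimal coordinates and ISO 8601.

Added example, not ExifTool code. EXIF stores each coordinate as three
rationals (degrees, minutes, seconds) plus an N/S or E/W reference, and
dates as "YYYY:MM:DD HH:MM:SS" in camera-local time. SAMPLE_TAGS is
constructed, shaped like the tags a GPS-tagged JPEG carries."""
from datetime import datetime, timedelta, timezone
from fractions import Fraction
from typing import Optional, Sequence, Tuple

Rational = Tuple[int, int]


def dms_to_decimal(dms: Sequence[Rational], ref: str) -> float:
    """(deg, min, sec) rationals + hemisphere ref -> signed decimal degrees.
    Zero denominators and out-of-range values (hand-edited or damaged
    files) raise instead of yielding a plausible-looking wrong location."""
    if len(dms) != 3:
        raise ValueError("expected three rationals")
    deg, minutes, seconds = (Fraction(n, d) for n, d in dms)  # d == 0 raises ZeroDivisionError
    value = float(deg + minutes / 60 + seconds / 3600)
    ref = ref.strip().upper()
    if ref in ("S", "W"):
        value = -value
    elif ref not in ("N", "E"):
        raise ValueError(f"bad hemisphere ref {ref!r}")
    limit = 90 if ref in ("N", "S") else 180
    if abs(value) > limit:
        raise ValueError(f"{value} out of range for ref {ref}")
    return round(value, 6)


def gps_from_tags(tags: dict) -> Optional[Tuple[float, float]]:
    """(lat, lon) when all four GPS tags exist, else None: a file with no GPS
    block (most social-media downloads) must not come out as (0.0, 0.0)."""
    needed = ("GPSLatitude", "GPSLatitudeRef", "GPSLongitude", "GPSLongitudeRef")
    if not all(key in tags for key in needed):
        return None
    return (dms_to_decimal(tags["GPSLatitude"], tags["GPSLatitudeRef"]),
            dms_to_decimal(tags["GPSLongitude"], tags["GPSLongitudeRef"]))


def exif_datetime_to_iso(value: str, offset: Optional[str] = None) -> str:
    """EXIF "2024:06:01 14:22:05" plus an optional OffsetTimeOriginal such as
    "+02:00" -> ISO 8601. Without an offset the result is naive: the
    camera's local time, not UTC, which matters when correlating events."""
    dt = datetime.strptime(value, "%Y:%m:%d %H:%M:%S")
    if offset:
        sign = 1 if offset[0] == "+" else -1
        hours, minutes = (int(part) for part in offset[1:].split(":"))
        dt = dt.replace(tzinfo=timezone(sign * timedelta(hours=hours, minutes=minutes)))
    return dt.isoformat()


def osm_link(lat: float, lon: float) -> str:
    """Pin the coordinates on OpenStreetMap for visual verification."""
    return f"https://www.openstreetmap.org/?mlat={lat}&mlon={lon}#map=17/{lat}/{lon}"


SAMPLE_TAGS = {  # constructed
    "Model": "Example Phone",
    "DateTimeOriginal": "2024:06:01 14:22:05",
    "OffsetTimeOriginal": "+02:00",
    "GPSLatitude": ((48, 1), (51, 1), (2963, 100)),   # 48 deg 51' 29.63" N
    "GPSLatitudeRef": "N",
    "GPSLongitude": ((2, 1), (17, 1), (402, 10)),     # 2 deg 17' 40.2" E
    "GPSLongitudeRef": "E",
}


if __name__ == "__main__":
    coords = gps_from_tags(SAMPLE_TAGS)
    print(exif_datetime_to_iso(SAMPLE_TAGS["DateTimeOriginal"], SAMPLE_TAGS.get("OffsetTimeOriginal")))
    print(coords, osm_link(*coords) if coords else "no GPS block")
```

Two details carry the investigative weight: the hemisphere reference is a separate tag, so dropping it flips a location to the other side of the equator or meridian, and a timestamp without an offset tag is camera-local time, so do not compare it to server logs in UTC until you know where the device's clock was set.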
Building an OSINT Workflow
Effective OSINT investigations chain multiple tools together. A typical workflow might begin with email enumeration (Holehe, theHarvester), expand to username discovery (Sherlock, Maigret), map the target's digital infrastructure (Amass, Shodan), extract metadata from discovered content (ExifTool, Metagoofil), and visualize connections (Maltego). Use the Dork Generator for advanced search queries, the Search Engine Directory for multi-engine coverage, and the News & Media Archives for journalistic sources.
Is Maltego Free? The Free Tier, Limits, and Best Free Alternatives
Yes — Maltego has a free tier. As of 2026 it is called the Basic plan (the former "Community Edition"), and it stays free with a registered Maltego ID. It is genuinely useful for visual link analysis, but it is capped: expect up to 24 results per transform, around 200 data credits per month, and limited access to data providers, with no breach data. Many free transform providers also cap pivots at roughly 15–20 requests per month, so heavy investigations quickly hit a wall.
Is Maltego worth it?
For mapping relationships between entities — people, emails, domains, infrastructure — Maltego's graph view is hard to beat, and the free Basic plan is a fine way to learn it. The catch is setup: many transforms require their own API keys (even on free tiers), so it is not an out-of-the-box solution. If you mainly need data collection rather than visual analysis, a lighter free tool will get you there faster.
Best free alternatives to Maltego, ranked
- SpiderFoot — the closest free, open-source equivalent. Automates 200+ modules and visualises results in a web GUI, with no per-transform credit cap.
- Recon-ng — modular, scriptable recon when you prefer a CLI workflow over a graph. Free and fully open-source.
- Our OSINT tools directory — for targeted lookups (people, email, username, domain) without installing or registering anything, start here and pivot between tools.
- theHarvester + Amass — chain these two free tools for the email/subdomain/infrastructure mapping that Maltego transforms typically perform.
How do you install Maltego?
Installing Maltego takes a few minutes and the free tier costs nothing:
- Download the installer for your operating system (Windows, macOS, or Linux) from the official Maltego website. On Kali Linux you can usually skip this: Maltego is packaged in the Kali repositories and ships on the default image; if it is missing from your image, install the maltego package with apt.
- Launch Maltego and create a free Maltego ID when prompted.
- Choose the free Maltego Basic product (the former Community Edition) to start without paying.
- Let the client download its entity and transform data, and you are ready to build your first graph.
How do you use Maltego in Kali Linux?
On Kali Linux, Maltego is included by default: launch it from the Applications menu under Information Gathering, or run `maltego` in a terminal. You still sign in with a free Maltego ID and select the Basic plan; everything after that is identical to other platforms. Kali is popular for Maltego because the other tools you will pivot into (theHarvester, Recon-ng, Amass) are already installed alongside it.
How do you use Maltego? (the basics)
To run a first investigation: create a new graph, drag an entity (such as Domain, Person, or Email Address) from the palette onto the canvas, and enter your target value. Right-click the entity and run a transform — Maltego queries a data source and draws the results as connected entities on the graph. Keep pivoting from the new entities (a domain reveals subdomains, an email reveals breaches or accounts) to expand the picture. On the free Basic plan, expect up to 24 results per transform and a monthly credit cap, so start with your most important pivots first.
Is OSINT Legal? Is It Legal to Look Someone Up Online?
Yes — using OSINT to collect publicly available information is legal in most countries, because it relies on data anyone can lawfully access: public records, social profiles, WHOIS, and news. What you do with that information is where the law draws lines. Accessing non-public data — hacking, stolen credentials, or paywalled and private systems — is illegal, and a pattern of targeted attention that makes someone fear for their safety is stalking or harassment regardless of how public the underlying data was.
Is Google dorking illegal?
Using search operators is legal: you are querying a public search engine. It becomes illegal when you knowingly access data you are not authorised to access, such as exposed databases, private documents, or admin panels that a dork surfaces. Looking at the search results is generally fine; opening, downloading, or logging into protected data is not.
Is it illegal to find someone's address or phone number?
No. Looking up publicly listed contact information is legal. It crosses the line when the information is used to harass, stalk, intimidate, or show up uninvited — the act, not the lookup, is what is unlawful.
Is facial recognition search legal?
It varies. There is no US federal statute that specifically regulates facial recognition, but state biometric laws such as Illinois' BIPA restrict it, and in the EU the GDPR (which treats biometric data as a special category) and the AI Act limit it heavily. See our face-search guidance for the practical limits.
When does OSINT become stalking?
When it shifts from gathering public information to a sustained pattern of targeting a specific person that would make a reasonable person fear for their safety, or to covert monitoring of their movements. Intent and effect matter more than whether each individual data point was public.
This is general information, not legal advice; laws vary by jurisdiction.