Site: lancegrover.com
Category: Tools & Techniques
Schedule: 2026-06-14 08:00 MDT
—
Open source intelligence — OSINT — is the practice of collecting and analyzing information from publicly available sources to build a picture of a target. In security research, it is the starting point for nearly every engagement: before you scan a network, before you test an application, before you attempt social engineering, you gather intelligence. The quality of your OSINT determines the quality of everything that follows.
This guide covers the methodologies and tools for building a target profile using only publicly available information — conducted legally, on targets you are authorized to research.
What OSINT Is and Is Not
OSINT is limited to information that is publicly accessible without authentication, hacking, or social engineering. Public websites, social media profiles, domain registration records, court filings, job postings, news archives, and government databases are all OSINT sources. Accessing private accounts, scraping behind authentication walls, or using data obtained through unauthorized means is not OSINT — it is unauthorized access.
The legal boundary matters practically: a well-executed OSINT investigation on a target organization produces significant intelligence without creating legal exposure. Organizations are often surprised by how much is visible before a single packet has been sent.
Starting Point: Define Your Objective
Unfocused OSINT produces overwhelming and disorganized results. Before starting, define what you are trying to learn:
- Technical infrastructure: IP ranges, domains and subdomains, hosting providers, email infrastructure, SSL certificates
- Personnel: Key employees, their roles, contact information, professional history, online presence
- Technology stack: What software, frameworks, and services the organization uses
- Physical presence: Office locations, facilities, physical security posture
- Public exposure: What an attacker looking at this organization from the outside would find
Each objective drives different tools and sources.
Domain and Infrastructure Intelligence
WHOIS data. Historical WHOIS records — even when current registration is privacy-protected — often contain real contact information from before privacy protection was applied. Tools like ViewDNS.info maintain historical records. Current WHOIS at least identifies the registrar and registration dates.
Passive DNS. Services like SecurityTrails, RiskIQ, and PassiveTotal maintain records of which IPs have served a domain over time, and what subdomains have existed. Subdomains frequently reveal internal infrastructure that is not intended to be public.
Certificate transparency logs. Every publicly trusted SSL/TLS certificate is logged in public certificate transparency logs. Querying crt.sh for a target domain reveals every subdomain for which a certificate has been issued — including internal applications that may be unintentionally accessible.
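As an added example (not from the original post), the following script turns a crt.sh-style JSON result into a deduplicated host inventory for a domain: it lowercases names, keeps wildcard entries visible, drops out-of-scope SANs, and marks which names still hold an unexpired certificate. The record shape (`name_value`, `issuer_name`, `not_after`) follows crt.sh's JSON output; the certificates in the sample are constructed for this example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like crt.sh's JSON output (?q=%25.example.com&output=json):
# the field names follow crt.sh, the certificates themselves are invented for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_after": "2024-04-09T23:59:59",
     "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "not_after": "2026-06-30T23:59:59", "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_after": "2025-11-30T23:59:59",
     "name_value": "JENKINS-INTERNAL.example.com"},            # CT names are not case-normalized
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_after": "2025-12-30T23:59:59",
     "name_value": "vpn.example.com\nexample.com.evil-lookalike.net"},  # out-of-scope SAN
])
AS_OF = datetime(2025, 11, 1)  # fixed "now" so the sample report is reproducible


def extract_hostnames(raw_json, domain, now):
    """Map every in-scope name in the CT records to {'wildcard', 'active', 'issuers'}.
    Expired certificates are kept on purpose: a host that had a certificate two years
    ago still existed, and that history is what this OSINT step is after."""
    domain = domain.lower()
    suffix = "." + domain
    hosts = defaultdict(lambda: {"wildcard": False, "active": False, "issuers": set()})
    for rec in json.loads(raw_json):
        unexpired = datetime.fromisoformat(rec["not_after"]) > now
        issuer_cn = rec["issuer_name"].split("CN=")[-1]
        # name_value lists every SAN on the certificate, one per line
        for name in rec["name_value"].lower().splitlines():
            name = name.strip()
            bare = name[2:] if name.startswith("*.") else name
            # Suffix check, so example.com.evil-lookalike.net is not mistaken for a subdomain
            if bare != domain and not bare.endswith(suffix):
                continue
            entry = hosts[name]
            entry["wildcard"] = name.startswith("*.")
            entry["active"] |= unexpired
            entry["issuers"].add(issuer_cn)
    return dict(hosts)


def active_hosts(hosts):
    """Sorted in-scope names that still hold an unexpired certificate."""
    return sorted(h for h, info in hosts.items() if info["active"])


if __name__ == "__main__":
    found = extract_hostnames(SAMPLE_CRTSH_JSON, "example.com", now=AS_OF)
    for host in sorted(found):
        print(f"{host:32} active={found[host]['active']} issuers={sorted(found[host]['issuers'])}")
```

Run against your own domain's crt.sh export, the expired-but-once-issued names are the ones to reconcile against your current asset inventory.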
Shodan. Searching Shodan for an organization’s IP ranges reveals internet-facing services, software versions, and configuration details. A Shodan search for an organization frequently uncovers services that were not intended to be public or are running outdated software.
ASN lookups. Organizations with their own IP ranges register an Autonomous System Number. Querying the ASN reveals every IP range announced under it — the scope of the organization's own internet presence.
Personnel Intelligence
LinkedIn. The most information-dense single source for organizational structure. LinkedIn reveals employee names, roles, tenures, prior employers, and often enough detail to understand team structure. The technology stack can frequently be inferred from job postings and employee skill listings.
Job postings. Current and historical job postings are rich intelligence sources. A posting for a “Senior AWS Security Engineer” tells you the organization uses AWS. A posting specifying “experience with Splunk and CrowdStrike” tells you what their security stack includes. Archive services like Wayback Machine preserve old postings even after they are taken down.
GitHub. Employee GitHub profiles frequently contain code, configuration files, and commit history that reveals technical practices, internal tooling, and sometimes credentials or infrastructure details left in public repositories. Searching GitHub for an organization’s domain in email addresses or code strings is a standard OSINT step.
Email format discovery. Once you have a few verified email addresses for an organization, the pattern becomes clear (firstname.lastname@company.com, first_initial+lastname, etc.). This is useful for targeting in the social engineering phase.
Tools That Accelerate the Process
Maltego: A relationship mapping tool that automates the process of building connection graphs between people, organizations, domains, and infrastructure. The community edition is free with limitations; the full version is expensive but powerful for complex investigations.
theHarvester: Command-line tool for gathering emails, subdomains, hosts, and employee names from public sources. Useful for automated collection before manual analysis.
Recon-ng: A reconnaissance framework similar in structure to Metasploit — modular, with individual modules for different intelligence sources. More technical than theHarvester but more flexible.
SpiderFoot: Automated OSINT collection that runs multiple queries simultaneously against dozens of sources and presents results in a relationship graph. Good for rapid initial coverage before deep-dive investigation.
Google dorks. Advanced Google search operators (site:, filetype:, inurl:, intitle:) surface content that standard searches miss. site:company.com filetype:pdf returns all indexed PDFs from a domain. site:company.com inurl:admin returns pages with “admin” in the URL. A comprehensive dork list is worth maintaining.
Organizing What You Find
OSINT investigations generate large volumes of disconnected data. Organizational discipline is what separates useful intelligence from noise.
Maintain a structured notes document organized by category (infrastructure, personnel, technology, physical). Record sources for everything. Cross-reference findings — an email address found in a data breach combined with a LinkedIn profile and a GitHub account is more valuable than any single data point alone.
The synthesis is where the real work happens: connecting findings to identify the most likely attack vectors, the highest-value targets, and the gaps that warrant further investigation.
—
The essential reference: Open Source Intelligence Techniques by Michael Bazzell is the practitioner standard — updated annually with current tools, sources, and methods. Required reading for anyone doing serious OSINT work.
Sources:
- Michael Bazzell, Open Source Intelligence Techniques — the standard practitioner reference
- Bellingcat OSINT Toolkit — bellingcat.com
- OSINT Framework — osintframework.com
- crt.sh certificate transparency search — crt.sh