Questions? Comments? Need a CTF? Contact Us


Please let us know your name.
Please let us know your email address.
Please let us know your message.


Techniques by Bellebytes


This is part two of BelleBytes' OSINT guide. If you missed out on part one, you can find it here!

Part 2: Identified Personnel Reconnaissance

Web Searches

Online Databases

  • Pipl (preferred), Spokeo (preferred), Instant Checkmate, Truth Finder, Black Book Online, ThatsThem, Intellius, Peekyou, Advanced Check, Rootsweb,, John Doe, MelissaData, Radaris, UserSearch, FastPeople, Webmii, Zaba Search, PeopleFinder, ZoomInfo, etc.
  • More tools can be found here: and
  • These online databases have a monthly cost.
  • There are often additional fees for history records or pdf report generation

Search engines (this list is not all encompassing):

  • Google and Google Dorking techniques (see Google Dorking for more information)
  • Internet Archive/ Wayback Machine
  • AOL Search
  • Ask
  • Baidu
  • Bing
  • DuckDuckGo
  • Yahoo
  • Yandex

Public Records

  • Birth and Death Records
  • Marriage and Divorce Records
  • Criminal Records
  • Bankruptcy Records and lien information
  • Some Military Records
  • Voting Rolls
  • Newspaper Records
  • Some states also include: unemployment claims, campaign contributions, licenses and certifications, tax information, real estate transactions and deeds, census records, etc.

Automated Reconnaissance Scraping Tools

OSINT Tools (this list is not all encompassing, and all APIs need to be added prior):

  • Recon-ng modules for individuals (“add profiles” and “add contacts” or use the “import” feature prior to running the following modules)
    • Have I Been Pwned hibp_breach and hibp_paste credential modules
    • FullContact module
    • Profiler module
    • Linkedin_auth module (Bing LinkedIn cache)
    • Adobe module
    • Bozocrack module
    • Hashes_org module
    • Pgp_search module
    • Dev_diver module
    • Namechk module
    • Mailtester module
    • Geocode and Reverse geocode modules
    • Pushpins modules
    • Jigsaw and pwnlist modules (APIs need to be purchased beforehand)
    • Many other recon-ng modules such as the Shodan and Twitter modules can help add to this list as well
  • Maltego
  • DataSploit python script (
  • Belati python script (
  • Many other tools and scrapers can be found here: and

Social Media / Networking

Further Interests

Online Dating:

  • eHarmony,, Zoosk, Tinder, OKCupid, etc.

Online Gaming:

  • Miiverse, Playstation Network, Xbox Live, Twitch, Youtube, etc.


  • Google Groups, Yahoo Groups, Nextdoor, Alumni Groups, Meetups, etc.

Specific Interests:

  • Reverbnation, Sportstats, DeviantArt, Nike Running Club, etc.

Blogs & Reviews:

  • Blogger, Wordpress, Blogsearchengine, Notey, Yelp Reviews, Amazon Reviews, Google Reviews, etc.

Online Classifieds:

  • Amazon, Craigslist, Ebay, Geebo, Oodle, etc.

Family Tree:

  •,,,, etc.

Online Chat Communities:

  • HipChat, Slack, Skype, WhatsApp, Discord, IRC, etc.

Geolocation Searching

Scraping Tools for Geolocation Data:

  • Recon-ng modules for geolocation searches:
    • Geocode and Reverse_geocode modules
    • Pushpin modules (Flickr, Picasa, Shodan, Twitter, Youtube)
  • python script (
  • Google Maps APRS
  • Echosec
  • Social Bearing
    • geo: filter can be used with latitude and longitude coordinates that correlate with target individual’s physical address (results may vary in densely populated areas)

Dark Web and Breached Credentials

Pastebin Scrapers and Credential Dumps:

Dark Web Tools/Techniques:

Identified Personnel OSINT Checklist

Optional Sanity Checklist (Identified Personnel)


That's a ton to process, we know. Hopefully you can use this as a resource and reference when needed! (Hint: The checklist is functional!) A big shout out to BelleBytes for taking the time to compile this information.

Copyright © StormCTF, LLC | Design by Stitch