Pentest Methodology & Recon · beginner · ~11 min
Gather open-source intelligence responsibly: dorking, exposed secrets, metadata, and internet scan data.
OSINT is open-source intel: search dorking (site:/filetype:), leaked secrets in public repos, document metadata (authors, software, paths), and internet scan databases (Shodan/Censys). Mostly passive.
OSINT builds a target picture — exposed files, leaked credentials, software versions, naming conventions — cheaply and stealthily before active testing. It's also a defensive checklist: what's leaking about you?
Dorking: site:/filetype:/inurl: to find exposed material.
Secret leaks: keys/creds in public repos and commit history.
Metadata: authors/usernames/software in public docs.
Shodan/Censys: query pre-collected internet scan data (passive).
Privacy ethics: focus on assets, not people.
OSINT is open-source intelligence — what anyone can find from public sources. It's the bulk of passive recon.
Advanced search operators (site:, filetype:, intitle:, inurl:) narrow results to exposed material. Used legally, dorking finds publicly exposed documents, login portals, and directory listings that an organisation forgot were indexed.
Public repositories sometimes leak API keys, credentials, or internal hostnames in source or commit history. Awareness of this risk matters both offensively (in scope) and defensively (tell clients to scan their own repos and rotate leaked keys).
Office files and PDFs embed authors, usernames, software versions, and sometimes internal paths. Extracting metadata from public documents reveals usernames (useful for understanding account-naming conventions) and software in use.
Shodan and Censys continuously scan the internet and let you query their results: exposed services, banners, certificates, default-credential devices. Reading their data is passive — they did the scanning.
OSINT compiles public data, but compiling it about individuals raises privacy concerns. Stay focused on the authorized organisation and its assets, not personal profiling.
OSINT — dorking, leaked secrets, document metadata, and internet-scan databases — assembles a rich target picture from public sources, almost all passively. Keep it scoped to the organisation and mindful of privacy.