
Operational arsenal for external red-team and bug-bounty reconnaissance. Concrete wordlists (28 Swagger paths, 13 GraphQL paths, 35 high-risk ports, 6 missing-header findings, 15 always-on HTTP checks, 5 SAML paths, cloud bucket permutations, JS guess-paths, vendor product fingerprints for Citrix/F5
Offensive OSINT — External Red-Team Arsenal
Companion skill: osint-methodology (the "how to think" skill). This skill is the "what to reach for." Use them together.
0. When to use / When NOT
Use this skill when:
- You need concrete probe paths, wordlists, regexes, payloads, scoring rules, or tool URLs.
- You're executing reconnaissance and need the actual technical reference (vs. methodology).
- You're building a recon automation and need specific lists to seed it.
Do NOT use this skill when:
- The user is asking for active exploitation, post-exploitation, or anything past reconnaissance.
- The user is asking for defensive / blue-team detections.
- The target's authorization isn't established — see §1.
1. Authorization & Legal Posture
For assets the operator owns or has written authorization to assess. Run a soft scope check before acting against an unverified third-party target; see methodology skill §1 for the full posture.
2. Confidence Levels
- TENTATIVE — plausible based on indirect evidence (snippet-only dork match, single-source asset, inferred email pattern).
- FIRM — directly observed (subdomain resolves, HEAD-confirmed bucket exists, banner returned).
- CONFIRMED — verified via independent corroboration OR direct verification (live PMAK validation, multiple sources agree, listable bucket with object retrieval).
3. Output Format Conventions
Findings should carry: id, module, asset_key, category, severity (info/low/medium/high/critical), confidence, title, description, evidence (url + UTC timestamp + sha256 + raw ≤ 2 KiB), references, remediation. UTC timestamps everywhere.
4. Source Hygiene & Citations
Every artifact carries URL + UTC timestamp + SHA-256 + tool version + run_id. Keep PNG screenshots, JSONL run logs, and raw HTTP captures with the body capped at 2 KiB.
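As an added example (not part of the skill itself), a small Python helper that builds a finding and its evidence record with exactly the fields §3 and §4 list; the enum spellings, the choice to hash the full capture rather than the truncated body, and the placeholder host are assumptions:

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Constructed constants mirroring the skill's conventions (sections 3 and 4).
SEVERITIES = ("info", "low", "medium", "high", "critical")
CONFIDENCES = ("TENTATIVE", "FIRM", "CONFIRMED")
RAW_CAP = 2048  # raw evidence body capped at 2 KiB

def make_evidence(url, raw, tool_version, run_id, observed_at=None):
    """One evidence record: URL + UTC timestamp + SHA-256 + capped raw body.
    Assumption: the hash covers the full capture, so the record stays
    verifiable even when the stored body is truncated."""
    if not isinstance(raw, bytes):
        raise TypeError("raw capture must be bytes")
    ts = observed_at or datetime.now(timezone.utc)
    if ts.utcoffset() is None or ts.utcoffset().total_seconds() != 0:
        raise ValueError("timestamps must be UTC")
    return {
        "url": url,
        "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "raw": raw[:RAW_CAP].decode("utf-8", errors="replace"),
        "raw_truncated": len(raw) > RAW_CAP,
        "tool_version": tool_version,
        "run_id": run_id,
    }

def make_finding(module, asset_key, category, severity, confidence, title,
                 description, evidence, references=(), remediation=""):
    """Assemble a finding with every field section 3 lists; reject bad enums."""
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    if confidence not in CONFIDENCES:
        raise ValueError(f"confidence must be one of {CONFIDENCES}")
    if not evidence:
        raise ValueError("a finding needs at least one evidence record")
    return {
        "id": str(uuid.uuid4()), "module": module, "asset_key": asset_key,
        "category": category, "severity": severity, "confidence": confidence,
        "title": title, "description": description, "evidence": list(evidence),
        "references": list(references), "remediation": remediation,
    }

if __name__ == "__main__":
    # Constructed sample on a placeholder host: a capture well over the 2 KiB cap.
    ev = make_evidence("https://example.invalid/swagger.json", b"{}" * 3000, "tool 0.0-sample", "run-0001")
    print(json.dumps(make_finding("api-discovery", "example.invalid", "exposure", "medium", "FIRM",
                                  "Swagger definition reachable", "spec served unauthenticated", [ev]), indent=2))
```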
5. Do NOT
- Don't paste creds/PII/session tokens into cloud LLMs.
- Don't run destructive probes outside DEEP/--aggressive.
- Don't use validated credentials for anything except a read-only liveness check.
- Don't single-source attribute.
- Don't assume vendor labels are ground truth.
6. General OSINT (curated tool refs)
- OSINT Bookmarks — comprehensive bookmarks.
- OSINT Framework — tool/resource directory.
- IntelTechniques Tools — investigative suite.
- Bellingcat Toolkit — investigative journalism.
- CyberSudo OSINT Toolkit — OSINT websites list.
- Google Dorks — efficient Google searching.
- Distributed Denial of Secrets — leaked datasets.
- Country-Specific Resources — country-targeted OSINT.
7. Search Engines
| Tool | Notes |
|------|-------|
| Carrot2 | Clusters results by topic |
| etools | Metasearch |
| Kagi | Privacy-first, non-personalized |
| Brave Search | Independent index; Goggles for custom ranking |
| PDF Search | PDF + table of contents |
| Google Fact Check Explorer | Cross-site fact-check |
8. Username & Email Investigation
| Tool | Purpose |
|------|---------|
| Sherlock | Username search across social networks |
| Maigret | Profile collector by username |
| What's My Name | Username search |
| Holehe | Email registration check |
| Epieos | Email pivots and metadata |
| OSINT Industries | Email/username/phone lookups |
| Hunter.io | Domain → emails |
| EmailRep | Email reputation |
| Emailable | Email verification |
| Mugetsu | X/Twitter username history |
| RocketReach / Apollo | Email enrichment + pattern guessing |
| PhoneInfoga | Phone number intelligence |
Browser extensions: GetProspect, SignalHire.
9. People Search
- TruePeopleSearch — free U.S. people search.
- WhitePages, Spokeo, Webmii, Pipl (paid).
- [Clearbit](https

