documentation

mytools-osint / reference

Updated for v4.3.2. Authorised security testing only.

01 · install

Pick a platform. The one-line installers verify SHA-256 against the release manifest before extracting.

macOS + Linux (one-liner)

$ curl -fsSL https://raw.githubusercontent.com/Azizbek16l/mytools-osint/main/scripts/install.sh | bash

Pin a version with OSINT_VERSION=v4.3.2; pick a different install dir with OSINT_INSTALL_DIR=~/bin.

Windows (PowerShell, one-liner)

PS> irm https://raw.githubusercontent.com/Azizbek16l/mytools-osint/main/scripts/install.ps1 | iex

Installs to %LOCALAPPDATA%\Programs\mytools-osint\osint.exe, appends per-user PATH, no admin.

brew (macOS + Linux)

$ brew tap Azizbek16l/osint
$ brew install mytools-osint
$ brew upgrade mytools-osint   # later

scoop (Windows)

PS> scoop bucket add osint https://github.com/Azizbek16l/scoop-bucket
PS> scoop install mytools-osint
PS> scoop update mytools-osint   # later

winget (Windows, official)

PS> winget install Azizbek16l.mytools-osint

Each release requires Microsoft moderator approval (~1–3 days). For instant access, use scoop or the direct download.

Direct download

Pick a binary from the latest release, verify SHA-256 against SHA256SUMS-vX.Y.Z, drop on your $PATH, chmod +x.

Cold-start: The Nuitka onefile self-extracts on first launch (8–12 s). Subsequent runs are instant. To avoid the extract, install via pipx once published, or run from a long-lived shell.

02 · quickstart

Run osint with no arguments — it opens straight into a persistent, Claude-Code-style chat prompt (no menu). Type a target and press Enter to scan; the prompt returns when the scan completes. Tab completes targets, slash commands, and history; accepts the ghost-text suggestion. Slash commands handle navigation: /help, /modules, /profile <name>, /graph, /theme, /quit. Prefer the old menu-driven shell? Launch with --classic.

First scan

$ osint github.com

Kind is auto-detected (domain). 32 modules run in parallel. Live stream shows hits as they arrive. Final report includes module breakdown + entity graph delta.

By kind

$ osint temur                              # username
$ osint satya@microsoft.com                # email
$ osint +998 90 123 45 67                 # phone
$ osint @durov                             # telegram
$ osint 8.8.8.8                            # ip
$ osint 5d41402abc4b2a76b9719d911017c592   # hash (md5)

Profile bundle

$ osint github.com --profile domain-recon     # 18 modules
$ osint github.com --profile red-team --pivot 1 # 34 modules + auto-pivot

Reports

$ osint github.com --html  report.html
$ osint github.com --md    report.md
$ osint github.com --format jsonl --out report.jsonl

03 · cli reference

Top-level form: osint [value] [flags] [subcommand]. A "value" can be any kind (auto-inferred) or an explicit kind via --kind.

Output

flageffect
--format plain|json|jsonl|csvOutput format (default plain; jsonl auto-selected in --bulk)
--out FILEWrite to file instead of stdout
--html FILERender an HTML report with interactive Verlet graph (~45 KB)
--md FILERender a GitHub-flavoured Markdown report with ATT&CK technique links
--no-color / --no-bannerSuppress ANSI and the figlet banner
--no-splashSuppress the cold-start splash (also implied by --no-banner)

Module selection

flageffect
--profile NAMEApply a curated bundle (see §05)
--enable MOD / --disable MODToggle a single module on top of the profile
--min-severity {info,low,medium,high,critical}Drop hits below this severity
--per-sourceRender the per-source breakdown table at the end of a scan

Scaling

flageffect
--bulk FILERead one target per line; concurrent execution
--parallel NBulk concurrency (default 4)
--pivot DEPTHAuto-pivot to depth N via entity graph BFS
--no-saveDo not persist hits to the SQLite store

Safety / OPSEC

flageffect
--opsecSOCKS5 (127.0.0.1:9050), jitter, UA rotation; active modules refuse unless per-module override is set (see §06)
--debugSurface per-source error details and HTTP timings

Subcommands

commandpurpose
osint graph <show|export|rebuild|stats|forget>Entity-graph operations
osint export <kind> <value> --to <target>SIEM/MISP exporter (Splunk/Elastic/syslog/MISP)
osint serve [--port N]Local web dashboard (stdlib HTTP + SSE)
osint watch <add|list|remove|run>Watchlist daemon · re-scan on schedule, Telegram alert on diff
osint diff <kind> <value> [--from ID --to ID]Diff two stored scans of the same target
osint config <wizard|show|edit|set|unset>Settings (API keys, Telegram, paths)
osint cache <stats|clear|clear-expired>HTTP cache control
osint completion <bash|zsh|fish>Emit shell completion script
osint cert-watch <pattern> [--max N]Live tail Certificate Transparency
osint opsec-check [--opsec]Verify Tor exit + UA + jitter discipline
osint self-update [--check]Pull latest release binary (SHA-256 verified)
osint mcpStart MCP server over stdio (Claude / Cursor)

04 · modules

47 modules across passive + active recon. Run osint --list-modules for the live registry with health + 7-day sparkline.

identity (6)

  • username — Sherlock + WhatsMyName across 1,008 sites
  • email — HIBP, Gravatar, Adobe, breach catalog
  • email_extras — emailrep.io reputation + role mailbox detection
  • phone — libphonenumber + Telegram MTProto (with API key)
  • telegram — t.me deep-link probe + bot resolver
  • whatsapp — wa.me deep-link existence check

network (10)

  • ip — reverse DNS, rDNS, AbuseIPDB (with key), ipinfo
  • ip_extras — GreyNoise community, Spamhaus DROP, Team Cymru bogons
  • domain — WHOIS, A/AAAA/MX/NS/TXT/SOA, parked detection
  • discovery — Google dorks + Wayback CDX
  • patterns — Username variation generator (1024 candidates)
  • adjacency — Cross-platform identity pivots (Keybase, GitHub, blog)
  • ssl_tls — Cert chain, SAN list, days-to-expiry, key strength
  • http_headers — Security headers + caching + CSP analysis
  • asn_bgp — Cymru + BGPView ASN holder + prefix
  • tech_fingerprint— ~30 CDN / framework / CMS signatures via headers + HTML

threat intel (4)

  • internetdb — Shodan InternetDB (free, no key): ports, CVEs, tags
  • threat_intel — PhishTank, ThreatFox, URLhaus (latter two need free abuse.ch key)
  • takeover — Generic CNAME-dangling + service-suffix sniff (legacy)
  • web_recon — robots.txt, sitemap.xml, security.txt, common paths

defense surface (8)

  • email_security — SPF / DMARC / DKIM / DMARC report URI parsing
  • typosquat — 100+ permutations + DNS-resolve sweep
  • pgp_keys — keys.openpgp.org + keyserver.ubuntu.com
  • tor_check — Onionoo exit list (degrades if Tor unreachable)
  • github_leaks — GitHub user-search + (with token) code-search
  • cloud_buckets — S3 / GCS / Azure Blob common-name probe
  • hibp_passwords — k-anonymity password breach lookup (password never leaves host)
  • malware_bazaar — abuse.ch sample lookup (needs key)

hardening (4)

  • web_hardening — HSTS, X-Frame-Options, CSP, COOP / COEP / CORP
  • well_known — /.well-known/* paths (24 checks)
  • subdomain_brute— 288-candidate DNS resolve sweep
  • passive_dns — AlienVault OTX + HackerTarget DNS history

active recon (7) — refuses in --opsec unless overridden

  • route_discover — dirsearch-style; 218 paths × 10 categories; 3-baseline soft-404
  • subdomain_permute— altdns-style; 40 patterns × known labels
  • port_scan — Top-50 TCP-connect + 256 B banner grab
  • waf_detect — 11 WAF/CDN signatures via headers
  • cms_detect — WordPress / Drupal / Joomla generator + manifests
  • graphql_probe — Introspection probe on /graphql, /graphiql, /api/graphql, /v1, /v2 (401/403/422 detected)
  • source_maps — 13 common bundler .js.map paths (Vite, webpack, CRA, Next.js)

v4.2 free sources (6) — new

  • favicon_hash — Shodan MMH3 favicon pivot (in-tree, no mmh3 dep). Rejects RFC1918 / loopback / metadata IPs.
  • wayback_urls — Wayback CDX historical URLs + forgotten subdomains
  • certspotter — Independent CT-log subdomain enum (crt.sh fallback)
  • ripestat — RIPE Data API · ASN/prefix/abuse-contact. Private IP gate.
  • hackertarget — Free-tier hostsearch + reverse-IP
  • subdomain_takeover— CNAME + direct-A vs 24 can-i-take-over-xyz fingerprints (HIGH/CRITICAL on body match)

new data kinds (5) — new

  • wallet — Crypto/blockchain recon: blockchain.info + Blockchair (BTC/ETH balance, tx count, ages) + bitcoinabuse / cryptoscamdb scam reports. No keys.
  • image — Hand-rolled EXIF/IFD0/GPS parser (no Pillow) + reverse-image pivots. URL fetched via the SSRF-guarded client (25 MB cap) or local path.
  • dorks — Search-engine dorking over DuckDuckGo HTML + Bing. Small per-target request budget; defensive regex parsing.
  • leaks — Paste + ransomware-leak monitoring: Pastebin (PRO-gated, skipped anon), GitHub gist code-search (needs GITHUB_TOKEN), api.ransomware.live (free).
  • business — OpenCorporates records: company name, jurisdiction, incorporation date, status, address, first officers. Anon rate-limited; 429 → UNAVAILABLE.

05 · profiles

A profile is a named module bundle. Apply with --profile NAME; per-flag --enable/--disable still overrides.

namecountintent
default / all / deep44Everything (tier-A + tier-B + v4.2 sources)
quick20Tier-A only — fast triage, never noisy
person10username, email, phone, telegram, whatsapp, patterns, pgp, github_leaks, discovery
domain-recon18DNS + CT + ASN + Wayback + RIPE + tech stack
red-team34domain-recon + active probes + v4.2 modules
active-recon10Just the loud probes (route_discover, port_scan, etc.)
blue-team12Exposed surface + reputation + hardening
ioc5"is this IP/domain known-bad?" minimal noise
creds3password/hash/username breach triage
leak-hunt4repos + buckets + waybacks + well-known
 
$ osint github.com --profile quick             # ~5 s
$ osint github.com --profile red-team --pivot 1 # ~30 s + 1 auto-pivot depth

06 · opsec mode

Activate with --opsec (or env OSINT_OPSEC=1). Effects:

  • HTTP routed via SOCKS5 (127.0.0.1:9050 by default — adjust via OSINT_TOR_PROXY)
  • Per-request 250–1500 ms jitter
  • UA rotation across a pool of 12 desktop browsers
  • AI explain disabled — findings never leave the host
  • Active modules refuse to run by default

Per-module override

Each refusing module honours a dedicated env var. Set both OSINT_OPSEC=1 AND the override:

moduleoverride env
route_discoverOSINT_ROUTE_DISCOVER_OVER_TOR=1
port_scanOSINT_PORT_SCAN_OVER_TOR=1
favicon_hashOSINT_FAVICON_HASH_OVER_TOR=1
subdomain_takeoverOSINT_SUBDOMAIN_TAKEOVER_OVER_TOR=1
Reasoning: high-volume active probing through Tor is slow AND loud at the exit node. Prefer a dedicated VPS for active recon behind OPSEC. The override env is an opt-in escape valve, not a default.

Verify OPSEC is leak-free

$ osint opsec-check --opsec
 egress IP differs from clearnet
 Tor exit detected: 185.220.101.32
 UA rotation: 5 distinct UAs across 5 calls
 jitter stdev: 480 ms

07 · entity graph

Every scan derives entities from hits and stores them in the local SQLite DB. The graph has 19 entity types (DOMAIN, IP, ASN, CERT, BUCKET, EMAIL, USERNAME, …) and 33 edge types (RESOLVES_TO, ANNOUNCES, ALIASES, CONTROLS, BREACHED_IN, EXPOSES_PORT, …).

Inspect

$ osint graph stats
  entities: 1,847
  edges:    3,201
  db:       ~/Library/Application Support/mytools-osint/mytools.sqlite3

$ osint graph show domain github.com --depth 2

Export

$ osint graph export domain github.com --format gexf      # Gephi
$ osint graph export domain github.com --format graphml   # yEd, Cytoscape
$ osint graph export domain github.com --format cytoscape # JSON

Auto-pivot

Use --pivot DEPTH on any scan to expand from discovered entities, bounded by per-edge cost budget (default total budget = 12.0, per-kind cap = 8).

$ osint github.com --profile red-team --pivot 2

GDPR-style erasure

$ osint graph forget domain github.com
  forgot 1 entity (cascade-deleted 47 edges)

08 · ai explain (optional)

Pass --explain to forward hits to Claude (haiku by default; --explain-model sonnet for deeper). Requires ANTHROPIC_API_KEY. Disabled in --opsec mode for privacy.

$ osint github.com --explain
$ osint github.com --explain --explain-model sonnet
Local-first: AI calls receive only the hit titles + details + URLs. The raw target value is never forwarded unless it appears verbatim in a hit detail.

09 · siem export

Push stored findings to your existing pipeline. Four targets supported:

$ osint export domain github.com --to splunk      # env: SPLUNK_HEC_URL, SPLUNK_HEC_TOKEN
$ osint export domain github.com --to elastic     # env: ELASTIC_URL, ELASTIC_API_KEY
$ osint export domain github.com --to syslog      # env: SYSLOG_HOST, SYSLOG_PORT
$ osint export domain github.com --to misp        # env: MISP_URL, MISP_KEY

Each hit becomes a structured event with module, source, category, severity, title, detail, url, extra JSON, and MITRE ATT&CK technique IDs when known.

10 · web dashboard

A local HTTP + SSE dashboard that streams hits as they land and renders the entity graph as an interactive Verlet force-graph (vanilla JS, ~21 KB).

$ osint serve --port 8765
  serving on http://127.0.0.1:8765 — open in browser

Zero external deps. stdlib asyncio HTTP server. Bind explicitly to 127.0.0.1; never exposed on a wildcard interface.

11 · themes

Press Shift+T in the main menu to open the picker. 7 palettes:

  • github-dark — default; classic blue accent
  • github-light — Primer-style
  • dracula — purple accent, lime greens
  • nord — cool slate
  • tokyo-night — warm blue + pink
  • catppuccin-mocha — pastel mocha
  • high-contrast — WCAG AAA

Persisted to ~/.config/mytools-osint/theme. Env override:

$ BLUETM_THEME=dracula osint

Env wins over persistence (UNIX convention) — use it for one-shot overrides.

12 · config + api keys

Default: all 47 modules run on free APIs with no keys. A handful become more useful with optional free-tier keys:

env varmodule(s)get key from
ABUSE_CH_API_KEYthreat_intel · malware_bazaarauth.abuse.ch (free)
SHODAN_API_KEYshodan_internetdb (extended)shodan.io (free 100 req/mo)
ANTHROPIC_API_KEY--explainconsole.anthropic.com
GITHUB_TOKENgithub_leaks (code-search)github.com personal-token
TELEGRAM_API_ID + TELEGRAM_API_HASHphone (Telegram MTProto)my.telegram.org/apps

Configure via the wizard:

$ osint config wizard

13 · troubleshooting

First launch is slow (8–12 s)

Nuitka onefile self-extracts to a per-user temp dir. Subsequent runs are instant. To skip the extract, install via brew / scoop (still onefile) or, when published, pipx install mytools-osint.

SmartScreen / antivirus flags the .exe

Nuitka onefile binaries are a known false-positive source. SHA-256 in SHA256SUMS-vX.Y.Z matches the GitHub Actions build. Submit a clean-file report to your AV if needed.

--opsec fails with socksio not installed

The Nuitka onefile bundles httpx[socks] as of v4.2.2; older builds did not. Upgrade with brew upgrade mytools-osint or re-run the one-line installer.

wayback_urls times out

Wayback CDX is genuinely slow for busy targets. The per-call timeout is capped at 12 s and timeouts surface as NO_DATA (never ERROR).

Skip the splash on the brew binary

Pass --no-splash, --no-banner, or pipe stdout (the splash is auto-suppressed for non-TTY).

14 · faq

Is this legal to run against any host?

No. You are responsible for ensuring you have authorisation to investigate every target you submit. Passive modules (CT logs, RIPE, Wayback) query public records and are widely considered safe. Active modules (route_discover, port_scan, favicon fetch, takeover probe) make probes against the target — only run them on hosts you own or are authorised to test.

Does this tool exfiltrate findings?

No. Findings are stored locally in ~/Library/Application Support/mytools-osint/mytools.sqlite3 (macOS) / ~/.local/share/mytools-osint/ (Linux) / %APPDATA%\mytools-osint\ (Windows). No telemetry. AI explain is opt-in and disabled in --opsec.

Why MIT?

Default to permissive. Use the tool, fork it, ship downstream. The disclaimer in SECURITY.md covers liability.

Will you accept module contributions?

Yes — open an issue first to discuss scope. Required: free API or local computation, MIT/BSD/Apache deps, no telemetry, no GPL.

Where do I report a security issue?

Open a private security advisory on GitHub: github.com/.../security/advisories/new. Critical scope: bypass of --opsec SOCKS routing, credential / data exfiltration, SSRF, RCE.