24 Top OSINT Search Engines Recommended + Practical Tutorial (with Links)

This article is carefully organized for open-source intelligence (OSINT) enthusiasts and is recommended for collection!

In the fields of cybersecurity and open-source intelligence (OSINT), information gathering is the most fundamental and critical step in penetration testing, red team operations, and security analysis.
This article will comprehensively outline 24 highly practical OSINT search engines, covering various directions such as server detection, vulnerability mining, email searching, code searching, and attack surface discovery, along with simple tutorials.

Type	Tool Examples
🌐 Server / Asset Search	Shodan, Censys, Onyphe, IVRE
🔍 Threat Intelligence Collection	GreyNoise, FOFA, ZoomEye, LeakIX, Pulsedive
🛡️ Vulnerability and Weakness Mining	Vulners, BinaryEdge, Shodan
💻 Code Search	Grep.app, Searchcode, PublicWWW
🧠 Comprehensive OSINT Platform	IntelX, Google Dorks
📧 Email & Personnel Collection	Hunter.io
📡 WiFi Network Map	Wigle
🔐 Certificate History Query	crt.sh
🧱 Attack Surface Management	Netlas, FullHunt, BinaryEdge

✅ Recommended Engines Detailed (with Links)#

01. Shodan.io[1]#

The world's leading device search engine, capable of searching for servers, cameras, databases, etc., quickly locating public assets and vulnerabilities.

🔧 Example Search:

port:22 country:"CN"

02. Google.com[2] + Dorks#

Utilizes advanced syntax combinations to achieve "information mining," capable of digging up logs, configuration files, hidden pages, etc.

🔍 Example:

intitle:"index of" site:example.com

👉 Recommended Resource: Google Hacking Database[3]

03. Wigle.net[4]#

A global WiFi map platform that supports searching WiFi records by location or SSID.

04. Grep.app[5]#

A full-text search engine for open-source code on GitHub, suitable for finding sensitive functions, plaintext passwords, etc.

05. BinaryEdge.io[6]#

Provides global asset scanning results, vulnerabilities, port information, etc., and is a strong complement to Shodan.

06. Onyphe.io[7]#

A cyberspace threat intelligence platform that supports multi-dimensional searches for IPs, domain names, file hashes, etc.

07. GreyNoise[8]#

Determines whether an IP is "background noise" (scanners, honeypots, researchers) or a genuine malicious actor.

08. Censys.io[9]#

An internet asset search engine, particularly skilled in SSL certificate analysis.

09. Hunter.io[10]#

Finds related public email addresses through corporate domain names, facilitating social engineering analysis.

10. FOFA.info[11]#

A powerful Chinese cyberspace search engine that supports subdomain, protocol, CMS identification, etc.

11. ZoomEye.org[12]#

Similar to Shodan, searches for globally open service ports, identifying honeypots, industrial control systems, etc.

12. LeakIX.net[13]#

A platform focused on data leaks, capable of discovering misconfigured databases / APIs, etc.

13. IntelX.io[14]#

Aggregates emails, IPs, documents, dark web, and data leak records, serving as a powerful comprehensive OSINT tool.

14. Netlas.io[15]#

Focuses on attack surface management and asset mapping, suitable for corporate asset monitoring.

15. Searchcode.com[16]#

Allows searching for source code across multiple code platforms, a secret weapon in security analysis.

16. URLScan.io[17]#

Visualizes the loading resources and script behaviors of URLs, a powerful tool for analyzing phishing websites.

17. PublicWWW.com[18]#

Searches web pages based on HTML snippets, capable of identifying websites that have embedded specific code.

18. FullHunt.io[19]#

A real-time attack surface discovery tool, useful for asset assessment from both red team and blue team perspectives.

19. SOCRadar.io[20]#

Provides threat intelligence, data leak monitoring, attack attribution, and other functions.

20. BinaryEdge.io (Main Site)[21]#

In addition to sub-site data platforms, it also provides access to product ecosystems, open APIs, and more.

21. IVRE.rocks[22]#

A self-built data visualization platform for asset scanning analysis.

22. crt.sh[23]#

Queries SSL certificate transparency logs to discover domain names, subdomains, historical certificates, etc.

23. Vulners.com[24]#

An aggregated search for vulnerability databases, suitable for security researchers looking for PoCs, patches, and other information.

24. Pulsedive.com[25]#

A threat intelligence platform that aggregates URL/IP/domain reputation and IOC data.

🧠 Practical Usage Suggestions#

The suggested steps for intelligence collection are as follows:

Personnel Profiling Analysis: Use hunter.io to obtain corporate email → Combine with intelx.io to check data leak records
Asset Discovery: Search corporate public hosts using fofa.info, shodan.io, netlas.io, etc.
Code Analysis: Use grep.app and searchcode.com to find sensitive information or hardcoded credentials
Vulnerability Matching: Search for corresponding asset CVE numbers and exploitation methods on vulners.com
Threat Verification: Use greynoise or pulsedive to identify whether there are any attack behaviors or IOC markers
Website Analysis: Conduct visual analysis of target site behavior through urlscan.io

Alternatives to the open-source intelligence framework "osintframework"

When I first ventured into the OSINT field, the first learning website recommended by my predecessors was osintframework.com. This site not only guided me into

osintframework is a web-based tool designed to help collect and process open-source intelligence (OSINT) across various fields and topics. It organizes resources in a hierarchical manner, providing researchers, investigators, and security professionals with a structured directory of OSINT tools and resources. The framework categorizes resources and tools into different themes, such as social media, domain names, IP addresses, personnel searches, etc., to assist in gathering publicly available information.

The framework does not directly host tools but serves as a directory linking to various online resources, tools, and websites that can be used for OSINT purposes. It is a valuable resource for those conducting investigations, cybersecurity analysis, background checks, and anyone interested in collecting information from public sources.

The OSINT framework is widely used in cybersecurity, journalism, law enforcement, and research to collect data from publicly accessible resources, supporting investigations or gathering intelligence on specific topics, companies, or individuals. The user interface is typically intuitive and easy to use, allowing users to browse different categories and find tools relevant to their needs.

Website: osintframework.com

Although the reasons are unclear, the project has not seen updates for a long time. In the rapidly evolving OSINT field, continuous updates of tools and methods are crucial to keep up with the times. This stagnation in updates may suggest a need for more community support or resource investment to continue pushing the project forward to meet the ever-changing demands of the industry.

Therefore, the author @malfratsind created his own version of the open-source intelligence framework.

https://map.malfrats.industries/

Website Screenshot

Unfortunately, @malfratsind's last code commit on Github was 9 months ago, and the X account has not been updated since last July. Many links on this site are still relevant, and OSINT enthusiasts can explore them.

📎 Conclusion#

Open-source intelligence is a comprehensive ability that integrates search techniques, associative reasoning, and information integration. The 24 tools recommended in this article cover almost all mainstream OSINT scenarios, suitable for both beginners and advanced users.

📌 It is recommended to bookmark this article for easy daily reference!

📣 If you have more private tools, feel free to leave a message for discussion, and let's build a knowledge map for the OSINT Chinese community together!

References

[1]

Shodan.io: https://shodan.io

[2]

Google.com: https://google.com

[3]

Google Hacking Database: https://www.exploit-db.com/google-hacking-database

[4]

Wigle.net: https://wigle.net

[5]

Grep.app: https://grep.app

[6]