24 Top OSINT Search Engines Recommended + Practical Tutorial (with Links)

This article is carefully organized for open-source intelligence (OSINT) enthusiasts and is recommended for collection!

In the fields of cybersecurity and open-source intelligence (OSINT), information gathering is the most fundamental and critical step in penetration testing, red team operations, and security analysis.
This article will comprehensively outline 24 highly practical OSINT search engines, covering various directions such as server detection, vulnerability mining, email searching, code searching, and attack surface discovery, along with simple tutorials.

Type	Tool Examples
🌐 Server / Asset Search	Shodan, Censys, Onyphe, IVRE
🔍 Threat Intelligence Collection	GreyNoise, FOFA, ZoomEye, LeakIX, Pulsedive
🛡️ Vulnerability and Weakness Mining	Vulners, BinaryEdge, Shodan
💻 Code Search	Grep.app, Searchcode, PublicWWW
🧠 OSINT Comprehensive Platform	IntelX, Google Dorks
📧 Email & Personnel Collection	Hunter.io
📡 WiFi Network Map	Wigle
🔐 Certificate History Query	crt.sh
🧱 Attack Surface Management	Netlas, FullHunt, BinaryEdge

✅ Recommended Engine Details (with links)#

01. Shodan.io[1]#

The world's leading device search engine that can search for servers, cameras, databases, etc., quickly locating public assets and vulnerabilities.

🔧 Example Search:

port:22 country:"CN"

02. Google.com[2] + Dorks#

Utilizes advanced syntax combinations to achieve "information mining," capable of uncovering logs, configuration files, hidden pages, etc.

🔍 Example:

intitle:"index of" site:example.com

👉 Recommended Resource: Google Hacking Database[3]

03. Wigle.net[4]#

A global WiFi map platform that supports searching WiFi records by location or SSID.

04. Grep.app[5]#

A full-text search engine for open-source code on GitHub, suitable for finding sensitive functions, plaintext passwords, etc.

05. BinaryEdge.io[6]#

Provides global asset scanning results, vulnerabilities, port information, etc., and is a strong complement to Shodan.

06. Onyphe.io[7]#

A cyberspace threat intelligence platform that supports multi-dimensional searches for IPs, domains, file hashes, etc.

07. GreyNoise[8]#

Determines whether an IP is "background noise" (scanners, honeypots, researchers) or a true malicious actor.

08. Censys.io[9]#

An internet asset search engine, particularly skilled in SSL certificate analysis.

09. Hunter.io[10]#

Finds related public email addresses through corporate domains, facilitating social engineering analysis.

10. FOFA.info[11]#

A powerful Chinese cyberspace search engine that supports subdomain, protocol, and CMS identification.

11. ZoomEye.org[12]#

Similar to Shodan, searches for globally open service ports, identifying honeypots, industrial control systems, etc.

12. LeakIX.net[13]#

A platform focused on data leaks, capable of discovering misconfigured databases / APIs, etc.

13. IntelX.io[14]#

Aggregates emails, IPs, documents, dark web, and data leak records, serving as a powerful comprehensive OSINT tool.

14. Netlas.io[15]#

Focuses on attack surface management and asset mapping, suitable for enterprise asset monitoring.

15. Searchcode.com[16]#

Can search source code across multiple code platforms, a secret weapon in security analysis.

16. URLScan.io[17]#

Visualizes the loading resources and script behaviors of URLs, a powerful tool for phishing website analysis.

17. PublicWWW.com[18]#

Searches web pages based on HTML snippets, capable of finding websites that have embedded specific code.

18. FullHunt.io[19]#

A real-time attack surface discovery tool, usable for asset assessment from red team and blue team perspectives.

19. SOCRadar.io[20]#

Provides threat intelligence, data leak monitoring, attack attribution, and other functions.

20. BinaryEdge.io (Main Site)[21]#

In addition to sub-site data platforms, it also provides access to product ecosystems, open APIs, and more.

21. IVRE.rocks[22]#

A self-built data visualization platform for asset scanning analysis.

22. crt.sh[23]#

Queries SSL certificate transparency logs, discovering domains, subdomains, historical certificates, etc.

23. Vulners.com[24]#

A vulnerability database aggregation search, suitable for security researchers looking for PoCs, patches, and other information.

24. Pulsedive.com[25]#

A threat intelligence platform that aggregates URL/IP/domain reputation and IOC data.

🧠 Practical Usage Suggestions#

The suggested steps for intelligence gathering are as follows:

Personnel Profiling Analysis: Use hunter.io to obtain corporate emails → Combine with intelx.io to check data leak records
Asset Discovery: Search corporate public hosts using fofa.info, shodan.io, netlas.io, etc.
Code Analysis: Use grep.app and searchcode.com to find sensitive information or hardcoded credentials
Vulnerability Matching: Search for corresponding asset CVE numbers and exploitation methods on vulners.com
Threat Validation: Use greynoise or pulsedive to identify whether there are attack behaviors or IOC markers
Website Analysis: Conduct visual analysis of target site behavior through urlscan.io

Alternatives to the open-source intelligence framework "osintframework"

When I first entered the OSINT field, the first learning website recommended to me by my seniors was osintframework.com. This website not only guided me into

osintframework is a web-based tool designed to help collect and process open-source intelligence (OSINT) across various fields and topics. It organizes resources in a hierarchical manner, providing researchers, investigators, and security professionals with a structured directory of OSINT tools and resources. The framework categorizes resources and tools into different themes, such as social media, domains, IP addresses, personnel searches, etc., to assist in gathering publicly available information.

The framework does not directly host tools but serves as a directory linking to various online resources, tools, and websites that can be used for OSINT purposes. It is a valuable resource for those conducting investigations, cybersecurity analysis, background checks, and anyone interested in collecting information from public sources.

The OSINT framework is widely used in cybersecurity, journalism, law enforcement, and research to collect data from publicly available resources, supporting investigations or gathering intelligence about specific topics, companies, or individuals. The user interface is typically intuitive and easy to use, allowing users to browse different categories and find tools relevant to their needs.

Website: osintframework.com

Although the reasons are unclear, the project has not seen updates for a long time. In the rapidly evolving OSINT field, continuous updates of tools and methods are crucial to keep pace with the times. This stagnation in updates may indicate a need for more community support or resource investment to continue pushing the project forward to meet the ever-changing demands of the industry.

Therefore, the author @malfratsind created their version of the open-source intelligence framework.

https://map.malfrats.industries/

Website Screenshot

Unfortunately, @malfratsind's last code commit on GitHub was 9 months ago, and their X account has not been updated since last July. Many links on this website are still relevant, and OSINT enthusiasts can explore them.

📎 Conclusion#

Open-source intelligence is a comprehensive ability that integrates search techniques, associative reasoning, and information integration. The 24 tools recommended in this article cover almost all mainstream OSINT scenarios, suitable for both beginners and advanced users.

📌 It is recommended to bookmark this article for easy daily reference!

📣 If you have more hidden tools, feel free to leave a comment for discussion, and let's work together to build a knowledge graph for the OSINT Chinese community!

References

[1]

Shodan.io: https://shodan.io

[2]

Google.com: https://google.com

[3]

Google Hacking Database: https://www.exploit-db.com/google-hacking-database

[4]

Wigle.net: https://wigle.net

[5]

Grep.app: https://grep.app

[6]