How to make

How to Make Your Own OSINT Tool Using Python (Step-by-Step Guide)

spyboy's avatarPosted by

If you’re serious about cybersecurity, bug bounties, ethical hacking, or digital investigations, learning how to build your own OSINT tool is a game-changer.

Open-Source Intelligence (OSINT) is everywhere — usernames, domains, emails, metadata, leaked credentials, exposed services. But here’s the difference between beginners and professionals:

Beginners use tools.
Professionals build them.

In this guide, you’ll learn how to make your own OSINT tool using Python, step by step. Not just theory. Not just vague explanations. We’ll design, structure, and implement a practical reconnaissance tool that collects publicly available intelligence — ethically and legally.

What Is OSINT?

Open-Source Intelligence (OSINT) refers to collecting intelligence from publicly available sources. These sources include:

  • Websites
  • Social media
  • DNS records
  • Metadata
  • Search engines
  • Public APIs
  • Breach databases (legal ones)
  • Public documents

Government agencies, journalists, cybersecurity analysts, and ethical hackers use OSINT daily.

Some popular OSINT tools you may have heard of:

  • Maltego
  • theHarvester
  • Recon-ng
  • Shodan

But today, we’re not just using them.

We’re building our own.

Why Build Your Own OSINT Tool?

Here’s why creating your own reconnaissance tool is powerful:

1. Customization

You control what data gets collected.

2. Automation

Manually checking usernames across 50 sites? Waste of time.

3. Learning

You understand how intelligence gathering actually works.

4. Bug Bounty Advantage

Custom scripts give you edge cases others miss.

5. Portfolio Building

A GitHub OSINT tool positions you as a builder.

If you’re running a cybersecurity blog or building tools like reconnaissance scanners, this is foundational knowledge.

What We’re Going to Build

By the end of this tutorial, you will have a Python-based OSINT tool that can:

  • ✔️ Check username availability across platforms
  • ✔️ Extract domain information
  • ✔️ Perform DNS lookups
  • ✔️ Fetch IP information
  • ✔️ Grab metadata from files
  • ✔️ Save results to a structured output file

We’ll design it modularly so you can expand it later.

Step 1: Setting Up Your Environment

First, install Python 3.10+.

Then install required libraries:

pip install requests beautifulsoup4 dnspython whois colorama

Libraries we’ll use:

  • requests – HTTP requests
  • BeautifulSoup – HTML parsing
  • dnspython – DNS lookups
  • whois – Domain information
  • colorama – Colored terminal output

Step 2: Creating the Project Structure

Create a folder:

osint_tool/
├── main.py
├── modules/
│   ├── username_checker.py
│   ├── domain_lookup.py
│   ├── dns_lookup.py
│   └── metadata_extractor.py
└── output/

Modular design makes your tool scalable.

Step 3: Building a Username Checker Module

Many platforms expose public profiles via predictable URLs.

For example:

  • https://github.com/username
  • https://twitter.com/username
  • https://instagram.com/username

We’ll check if these pages return HTTP 200.

username_checker.py

import requests
platforms = {
    "GitHub": "https://github.com/{}",
    "Twitter": "https://twitter.com/{}",
    "Instagram": "https://instagram.com/{}",
    "Reddit": "https://reddit.com/user/{}"
}
def check_username(username):
    results = {}
    
    for platform, url in platforms.items():
        target_url = url.format(username)
        try:
            response = requests.get(target_url, timeout=5)
            if response.status_code == 200:
                results[platform] = "Found"
            else:
                results[platform] = "Not Found"
        except:
            results[platform] = "Error"
    
    return results

This is basic but effective OSINT enumeration.

Step 4: Building a Domain Lookup Module

WHOIS records provide:

  • Registrar
  • Creation date
  • Expiry date
  • Name servers

domain_lookup.py

import whois
def lookup_domain(domain):
    try:
        domain_info = whois.whois(domain)
        return domain_info
    except Exception as e:
        return str(e)

Step 5: Building DNS Lookup Module

DNS records reveal infrastructure.

We can pull:

  • A record
  • MX record
  • NS record
  • TXT record

dns_lookup.py

import dns.resolver
def dns_records(domain):
    records = {}
    types = ["A", "MX", "NS", "TXT"]
    for record_type in types:
        try:
            answers = dns.resolver.resolve(domain, record_type)
            records[record_type] = [str(r) for r in answers]
        except:
            records[record_type] = "No record found"
    return records

DNS reconnaissance is critical in bug bounty.

Step 6: Metadata Extraction Module

Metadata leaks can expose:

  • GPS coordinates
  • Device model
  • Author name
  • Software version

Install:

pip install Pillow

metadata_extractor.py

from PIL import Image
from PIL.ExifTags import TAGS
def extract_metadata(image_path):
    metadata = {}
    try:
        image = Image.open(image_path)
        info = image._getexif()
        if info:
            for tag, value in info.items():
                decoded = TAGS.get(tag, tag)
                metadata[decoded] = value
    except:
        metadata["Error"] = "Unable to extract metadata"
    
    return metadata

Step 7: Creating the Main Controller

main.py

from modules.username_checker import check_username
from modules.domain_lookup import lookup_domain
from modules.dns_lookup import dns_records
def main():
    print("=== Spyboy OSINT Tool ===")
    choice = input("1. Username Check\n2. Domain Lookup\n3. DNS Lookup\nChoose option: ")
    if choice == "1":
        username = input("Enter username: ")
        results = check_username(username)
        print(results)
    elif choice == "2":
        domain = input("Enter domain: ")
        print(lookup_domain(domain))
    elif choice == "3":
        domain = input("Enter domain: ")
        print(dns_records(domain))
if __name__ == "__main__":
    main()

Now you have a functional OSINT tool.

How Hackers Abuse OSINT Tools

This is important.

OSINT itself is legal. But malicious actors use it for:

  • Social engineering
  • Phishing personalization
  • Infrastructure mapping
  • Target profiling

Example:
An attacker gathers:

  • Target’s LinkedIn
  • Email format
  • Company DNS
  • Technology stack

Then launches spear phishing.

That’s why understanding OSINT helps you defend.

How to Expand This Tool (Advanced Ideas)

If you want to make this tool next-level:

Add:

  • Shodan API integration
  • Subdomain enumeration
  • Email pattern guessing
  • Have I Been Pwned API (with permission)
  • JSON output logging
  • Multithreading
  • CLI arguments via argparse

You can even convert it into a full framework.

Legal and Ethical Warning

Only collect publicly available information.

Do NOT:

  • Bypass authentication
  • Access private accounts
  • Scrape against platform ToS aggressively
  • Attack systems without permission

Use this for:

  • Learning
  • Defensive security
  • Bug bounty (authorized scope only)

Final Thoughts

Building your own OSINT tool gives you:

  • A practical cybersecurity skill
  • Recon advantage
  • Portfolio credibility
  • Deeper understanding of digital footprints

And once you build one tool, you’ll start thinking differently.

You’ll no longer ask:

“What tool should I use?”

You’ll ask:

“How can I build something better?”

That shift is what separates script kiddies from cybersecurity engineers.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.