
OSINT — Recon Mindmap.

Open-source intelligence routes by entity type: people, organizations, infrastructure, code, leaks. The recon companion to engagement scoping.

People

  • Name → email. Hunter.io, Apollo, RocketReach for paid; theHarvester, emailrep.io for free. Validate via SMTP recipient probe (RCPT TO) or Microsoft GetCredentialType endpoint for O365 tenants.
  • Email → presence. HaveIBeenPwned (breach list), Skype/Teams presence ping, Spotify public profile, GitHub no-reply email match.
  • Name → social handles. sherlock, maigret for username sweep across 350+ sites. Cross-reference profile pictures for face match.
  • Name → role. LinkedIn (primary); GitHub org pages; conference speaker bios; SEC filings for execs of US public companies.
  • Cross-correlation. Same username across 3+ unrelated sites + 1 photo match = confident identity. Reverse-image search via Yandex (best for faces), Google, TinEye.

Organizations

  • Corporate structure. Handelsregister (DE), Companies House (UK), SEC EDGAR (US), OpenCorporates (multi-jurisdiction). Reveals subsidiaries, directors, beneficial owners.
  • Job postings. Single most underused recon source. Job postings list the internal tech stack ("experience with Splunk and CrowdStrike"), team names, reporting lines.
  • Press releases & case studies. Vendor case studies disclose customer's internal architecture details verbatim. site:vendor.com "$TARGET".
  • Procurement portals. Government contracts show technology investments, vendors, project timelines.

Infrastructure

  • IP space. ARIN/RIPE/APNIC whois → org netblocks. asnlookup, BGP toolkit for the ASN graph.
  • CT logs. crt.sh?q=%25.target.com for every cert ever issued under the domain. Historical certs reveal old subdomains and conventions.
  • Third-party SaaS dependencies. builtwith.com, DNS MX/SPF records (MX = mail provider, SPF authorized senders = SaaS list).
  • Shodan / Censys / FOFA. org:"Target Corp", ssl:"Target", http.title:"Target Admin".
  • Subdomain enumeration. Already documented in recon entry; CT logs + DNS bruteforce + JS scraping in parallel.
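The "SPF authorized senders = SaaS list" point in the DNS bullet above, worked as an added example (not code from this page): flatten a domain's SPF include:/redirect= chain into the networks and third-party SPF domains that may send mail as it, which is the same check a mail admin runs on their own domain to see who can spoof it by design. Domain names and TXT records are constructed and the resolver is an offline stand-in; a/mx/ptr/exists mechanisms are not resolved, so only the static ip4/ip6 portion is listed.

```python
import re
# Constructed sample TXT records (hypothetical names, not real DNS data): two "SaaS" includes, one redirect.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail-saas.example "
                    "include:spf.crm-saas.example -all"],
    "_spf.mail-saas.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    "spf.crm-saas.example": ["v=spf1 include:_spf.mail-saas.example redirect=spf2.crm-saas.example"],
    "spf2.crm-saas.example": ["v=spf1 ip4:192.0.2.10 -ip4:192.0.2.99 -all"],
}
# optional qualifier, mechanism name, optional argument after ':' or '/'
MECH = re.compile(r"^([+\-~?])?(all|include|a|mx|ptr|ip4|ip6|exists)(?:[:/](.*))?$", re.I)

def parse_spf(record):
    """Return ([(qualifier, mechanism, argument)], {modifier: value}) for one record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:                          # modifiers: redirect=, exp=
            key, _, val = term.partition("=")
            modifiers[key.lower()] = val
        elif (m := MECH.match(term)):
            mechanisms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
        else:
            raise ValueError(f"unknown term {term!r}")
    return mechanisms, modifiers

def authorized_senders(domain, resolve=lambda n: SAMPLE_TXT.get(n, []), _acc=None):
    """Flatten include:/redirect= chains into (pass-listed networks, third-party SPF domains)."""
    nets, thirds, seen = _acc or (set(), set(), set())
    if domain in seen:                           # include loop guard
        return nets, thirds
    seen.add(domain)
    (record,) = [r for r in resolve(domain) if r.lower().startswith("v=spf1")]  # permerror unless exactly one
    mechanisms, modifiers = parse_spf(record)
    for qual, mech, arg in mechanisms:
        if mech in ("ip4", "ip6") and qual == "+":   # only '+' terms grant pass
            nets.add(arg)
        elif mech == "include" and qual == "+":
            thirds.add(arg)
            authorized_senders(arg, resolve, (nets, thirds, seen))
        elif mech == "all":
            break                                # terms after 'all' and redirect= are ignored
    else:                                        # no 'all' seen: redirect= applies
        if "redirect" in modifiers:
            thirds.add(modifiers["redirect"])
            authorized_senders(modifiers["redirect"], resolve, (nets, thirds, seen))
    return nets, thirds
```

Pass a real TXT resolver as `resolve` to run it against a live domain; every entry in the returned third-party set is a vendor whose own SPF changes silently change who can send as you.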

Code

  • GitHub. org:target-corp + secrets search. github.com/search?q=org%3Atarget+AWS_SECRET_KEY. Watch contributors' personal repos — secrets often leak in personal projects copied from work.
  • GitLab self-hosted. gitlab.target.com often exposes public-visible repos by accident.
  • npm / PyPI. Published packages reveal internal package names → potential dependency-confusion attack surface.
  • Docker Hub. hub.docker.com/u/targetcorp. Layers may contain leaked secrets, internal IPs, build scripts.
  • Mobile app stores. Pull APK/IPA, run secret-scanner. Companion apps frequently leak API keys.

Leaks & breach data

  • HaveIBeenPwned. Per-account breach exposure check. Doesn't reveal passwords; reveals which breaches an account is in.
  • Dehashed, Snusbase, Leak-Lookup. Paid services with searchable plaintext from public dumps. Engage only within written legal scope.
  • Combolists. Aggregated credential lists circulating on cybercrime forums. Most are recycled stuffing fodder, not fresh breaches.
  • Cross-corroboration. A "fresh breach" claim that doesn't appear on any reputable index after 2 weeks is usually fake or repackaged.
  • Legal posture. Use breach data for engagement-relevant analysis only (e.g. confirming a target's email is in a breach to score phishing realism). Don't store full breach datasets unless contract explicitly permits.

Rule of thumb

Start every engagement with two hours of pure OSINT before touching active scanners. The map you build determines which attacks are even worth considering. Skipping this step is how testers spend a week brute-forcing a hardened service while a forgotten staging subdomain with default creds was waiting one hop away.
