
Minimum stack

1. Create a virtual environment

   python -m venv osint-env

2. Activate the environment

   source osint-env/bin/activate

3. Install dependencies

   pip install twint-fork recon-ng selenium requests beautifulsoup4 shodan

Mini-OSINT script

The script below combines CRT.sh subdomain enumeration, IP resolution, and Shodan host lookups into a single pipeline.
The imports block includes socket, which the hostname resolution in step 2 needs.

#!/usr/bin/env python3
# mini_osint.py
import socket
import sys

import requests
import shodan

API_KEY = 'YOUR_SHODAN_API'
s = shodan.Shodan(API_KEY)

if len(sys.argv) != 2:
    sys.exit(f'Usage: {sys.argv[0]} <domain>')
domain = sys.argv[1]

# 1. Subdomains via CRT.sh
crt = requests.get(f'https://crt.sh/?q=%25.{domain}&output=json', timeout=30).json()
# name_value can hold several newline-separated names; skip wildcard entries
subs = sorted({n.strip() for r in crt for n in r['name_value'].splitlines()
               if not n.startswith('*')})
print('[+] Found subdomains:', len(subs))

# 2. IPs from resolution
ips = set()
for sub in subs[:20]:  # demo limit
    try:
        ips.add(socket.gethostbyname(sub))
    except socket.gaierror:
        pass  # name does not resolve

# 3. Shodan quick look
for ip in ips:
    try:
        info = s.host(ip)
        print(ip, info.get('org', 'N/A'), info.get('vulns', 'N/A'))
    except shodan.APIError:
        pass  # no Shodan data for this IP
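An added example, not part of the original script: between steps 1 and 3, crt.sh `name_value` fields can hold several newline-separated names (including wildcards and out-of-scope names), and resolved addresses may be private, which Shodan has no data for. The function names, sample records and stub resolver below are constructed for illustration so the block runs offline.

```python
import ipaddress
import socket


def extract_hostnames(records, domain):
    """Flatten crt.sh records into unique, in-scope hostnames."""
    domain = domain.lower().rstrip('.')
    hosts = set()
    for rec in records:
        # name_value may carry several SAN entries separated by newlines
        for name in rec.get('name_value', '').splitlines():
            name = name.strip().lower().rstrip('.')
            if name.startswith('*.'):
                name = name[2:]  # wildcard entry: keep the base name
            # suffix match on a label boundary, so foo.com.evil.test is rejected
            if name == domain or name.endswith('.' + domain):
                hosts.add(name)
    return sorted(hosts)


def resolve_public(hosts, resolver=socket.gethostbyname):
    """Map hostname -> IP, dropping failures and non-public addresses."""
    resolved = {}
    for host in hosts:
        try:
            ip = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            continue
        if ipaddress.ip_address(ip).is_global:
            resolved[host] = ip
    return resolved


# Constructed sample data (not real crt.sh output or real DNS answers)
SAMPLE = [
    {'name_value': 'www.example.com\nmail.example.com'},
    {'name_value': '*.example.com'},
    {'name_value': 'WWW.Example.com'},
    {'name_value': 'intranet.example.com'},
    {'name_value': 'example.com.evil.test'},
]
FAKE_DNS = {'www.example.com': '8.8.8.8',
            'intranet.example.com': '10.0.0.5',
            'example.com': '1.1.1.1'}


def fake_resolver(host):
    """Stub resolver: unknown names fail the way gethostbyname does."""
    if host not in FAKE_DNS:
        raise socket.gaierror(host)
    return FAKE_DNS[host]
```

Passing `socket.gethostbyname` (the default) instead of `fake_resolver` performs live lookups.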

Recon-ng workflow

recon-ng
> marketplace install all
> workspaces add target
> use domains-domains/brute_force
> set SOURCE target.com
> run
> use hosts-hosts/resolve
> run
> use reporting/csv
> run
