Same OSINT “Doxxing” Strategy as the Cyber Police: Find People, Companies, and Devices — Five Free Open Source Tools

I’ve shared several OSINT tools recently. Today, let’s walk through how to combine them.

Let me lay it all out at once — five tools covering almost every scenario you can think of for finding people, companies, and devices. You can technically “dox” anyone.

This article only covers the thought process, tool introductions, and hypothetical usage scenarios; it does not advocate actual application.

This toolkit is not meant for investigating others — it’s meant for protecting yourself.

First, What Each of the Five Tools Does

Blackbird (6300 Stars) — Searches both usernames and email addresses. Integrates with 600+ platforms. After searching, it can call an AI to generate a profile portrait and export to PDF with one click. Best for beginners.

Maigret (33000 Stars) — A specialized tool for searching by username across 3000+ platforms. Its core feature is recursive tracking — if it finds you have another alias on platform A, it automatically searches that alias, digging down the line.

SpiderFoot (18000 Stars) — The heavy hitter. Accepts phone numbers, emails, domains, and IPs. Deploys 200+ modules simultaneously to check data leaks, the dark web, subdomains, and produces a visual relationship graph.

theHarvester (16500 Stars) — Give it a domain, and it automatically scrapes employee email addresses, subdomains, IPs, and URLs from 40+ data sources like Google, Bing, LinkedIn, and DNS records. Specialized for investigating companies.

Shodan Python (2800 Stars) — Shodan is “Device Google” that scans the entire internet for cameras, routers, servers, and industrial control systems exposed to the public. This library lets you query the Shodan database programmatically.

Real-World Scenarios: How to Use the Five Tools

Scenario 1: Checking if Your Partner is Lying

Your partner says “I don’t use social apps,” but you only know their common nickname.

Step 1 – Blackbird: Throw the nickname in. It scans 600 platforms to check whether they have accounts on Momo, Soul, Tantan, Tinder, etc. The AI generates a portrait immediately.

Step 2 – Maigret relay: The account found by Blackbird might reveal another username. Feed that new username into Maigret, scan 3000 more platforms, and recursively track to the bottom.

Within five minutes you’ll have the answer. Whether you love them or slap them depends on fate.

Scenario 2: Investigating a Rival / Mistress / Stranger

You only have a username or email address.

First, use Blackbird for a quick overview, then Maigret for deep recursive digging to uncover all their aliases, post history, and communities they’ve been part of.

Then, throw the email into SpiderFoot to check if it appears in historical data breaches, and see if they’ve been “dumped.”

Scenario 3: Due Diligence on a Company

You plan to partner with a company and want to do background research first.

Step 1 – theHarvester: Enter their domain. It automatically extracts employee email lists from LinkedIn, Google, and DNS. You can see the email format pattern (e.g., [email protected]), along with subdomains and IPs.

Step 2 – SpiderFoot: Deep-dive the domain. Scan all subdomains and server info, check if any data leaks have occurred, and search the dark web for company data being sold.

Step 3 – Shodan: Feed the IP range into Shodan to see if the company has databases, admin panels, or security cameras directly exposed to the public internet — this detail reveals their technical level and security awareness.

Spending half an hour before cooperation saves you a ton of trouble.

Scenario 4: Checking Your Own Company’s Security & Reputation Management

Many companies don’t know what they’ve exposed online.

theHarvester checks the domain to show how many email addresses and subdomains are public. Shodan checks IP ranges to see if any server ports, cameras, or internal systems are exposed to the public internet.

Many small companies’ NAS, cameras, and printers have default configurations — you can find them directly on Shodan, often with factory-default passwords. Running this yourself reveals many unexpected vulnerabilities.

Scenario 5: Investigating a Competitor’s Tech Stack

Want to know what tech stack a competitor uses, where their servers are, and which cloud services they employ.

theHarvester scrapes their subdomain list, revealing product line distribution. Shodan checks IPs to identify what server software (and version) they use, and which cloud provider they’re deployed on.

Tech choices, team size, infrastructure — things you used to get from insiders can now be pieced together from public information.

Scenario 6: Checking Your Own Digital Footprint – Data Cleanup

Run your common usernames and email addresses through Blackbird and Maigret to see how many old accounts you’ve forgotten are still active on various platforms.

Then throw your email into SpiderFoot to check if it appears in any data breaches and which leaks you’ve been caught up in.

Knowing what’s exposed lets you clean up, delete accounts, and change passwords effectively.

How to Combine the Five Tools

Got a username → Blackbird (quick overview) → Maigret (recursive deep-dive)
Got an email → Blackbird (account + AI portrait) → SpiderFoot (leaks + dark web)
Got a domain → theHarvester (batch email/subdomain collection) → SpiderFoot (deep-dive)
Got an IP → Shodan (device & service exposure) → SpiderFoot (related intelligence)
Got everything → Use all, cross-validate

The only principle: First use the fastest to get the full picture, then use the deepest to dig further.

Installation — One Command per Tool

# Blackbird
git clone https://github.com/p1ngul1n0/blackbird && pip install -r requirements.txt
# Maigret
pip install maigret
# SpiderFoot
git clone https://github.com/smicallef/spiderfoot && pip install -r requirements.txt
# theHarvester
git clone https://github.com/laramies/theHarvester && uv sync
# Shodan Python
pip install shodan

Blackbird, Maigret, and SpiderFoot do not require API keys — they work out of the box.

theHarvester needs keys for some data sources (Google, Bing, etc.), but the basic features are free and sufficient.

Shodan requires a free account registration to get an API key, and the free tier is enough for daily use.

Final Words

These five tools together represent a mindset:

A person or a company can hide far less online than they think.

Accounts you thought you deleted, aliases you thought nobody knew, servers you thought were hidden — as long as they existed, they can most likely be found.

Once again: This toolkit is not meant for investigating others — it’s meant for protecting yourself.

Knowing what you’ve exposed is the first step.

Links to the Five Projects

• github.com/p1ngul1n0/blackbird
• github.com/soxoj/maigret
• github.com/smicallef/spiderfoot
• github.com/laramies/theHarvester
• github.com/achillean/shodan-python

Share this with anyone who needs it. 🚀

#OSINT #OpenSourceTools #OldYangShares