TOOLS REFERENCE
OpenOSINT exposes 14 intelligence-gathering modules. Each tool is an async Python wrapper around an external binary or API. All tools are available via the interactive REPL, the CLI, and the MCP server.
QUICK REFERENCE
| Tool | Method | What it finds | Requires |
|---|---|---|---|
search_email | holehe | Accounts linked to an email | holehe in PATH |
search_username | sherlock | Accounts across 300+ platforms | sherlock in PATH |
search_breach | HaveIBeenPwned API | Data breach exposure | HIBP_API_KEY |
search_whois | python-whois | Domain registration data | — |
search_ip | ipinfo.io | Geolocation, ASN, hostname | — |
search_domain | sublist3r | Subdomain enumeration | sublist3r in PATH |
generate_dorks | built-in | 12 targeted Google dork URLs | — |
search_paste | psbdmp.ws | Pastebin dump mentions | — |
search_phone | phoneinfoga | Carrier, country, line type | phoneinfoga in PATH |
search_censys | Censys API | Open ports, services, certs | CENSYS_API_ID + SECRET |
search_virustotal | VirusTotal API | URL / hash / IP analysis | VIRUSTOTAL_API_KEY |
search_shodan | Shodan API | Host banners, open ports | SHODAN_API_KEY |
search_ip2location | IP2Location API | Geo, ISP, VPN/Proxy/Tor detection | IP2LOCATION_API_KEY |
search_abuseipdb | AbuseIPDB v2 API | Abuse score, reports, ISP | ABUSEIPDB_API_KEY |
SEARCH_EMAIL
Enumerates online services linked to an email address using holehe. Works by sending password-reset probes — no login required on target services.
MCP parameter: email (string) | CLI: openosint email <address> [-t <seconds>]
Requires: pip install holehe
$ openosint email target@example.com -t 60 [+] Spotify https://open.spotify.com/user/target [+] WordPress https://wordpress.com/target [+] GitHub account exists
See the email OSINT guide for a full workflow.
SEARCH_USERNAME
Searches 300+ platforms using sherlock. Returns confirmed URLs for each platform where the username exists.
MCP parameter: username (string) | CLI: openosint username <handle> [-t <seconds>]
Requires: pip install sherlock-project
$ openosint username johndoe99 [+] GitHub https://github.com/johndoe99 [+] Reddit https://reddit.com/user/johndoe99
SEARCH_BREACH
Checks data breach exposure via HaveIBeenPwned v3 API. Returns breach name, date, and leaked data categories.
MCP parameter: email (string) | Requires: HIBP_API_KEY
Found in 2 breach(es): [+] LinkedIn (2016-05-05) — leaked: Email addresses, Passwords [+] Adobe (2013-10-04) — leaked: Email addresses, Password hints
SEARCH_WHOIS
Retrieves WHOIS registration data via python-whois. Returns registrar, creation date, name servers, and registrant (when not privacy-protected).
MCP parameter: domain (string) | No API key required
WHOIS results for 'example.com': [+] Registrar: ICANN [+] Created: 1995-08-14 [+] Name Servers: A.IANA-SERVERS.NET
SEARCH_IP
Retrieves geolocation and ASN data via ipinfo.io. Free tier supports 50,000 requests/month. Set IPINFO_TOKEN for higher limits.
MCP parameter: ip (string) | No API key required
IP intelligence for '8.8.8.8': [+] Hostname: dns.google [+] Org: AS15169 Google LLC [+] City: Mountain View, CA, US
SEARCH_DOMAIN
Enumerates subdomains via sublist3r. Uses multiple public sources: Google, Bing, VirusTotal, DNSdumpster, and more.
MCP parameter: domain (string) | Requires: pip install sublist3r
Subdomains found for 'example.com': [+] mail.example.com [+] dev.example.com [+] api.example.com
GENERATE_DORKS
Generates 12 targeted Google dork URLs for any query string. No network calls — pure URL generation. Open results in your browser for manual review.
MCP parameter: target (string) | No API key or binary required
Google dork URLs for 'johndoe': [+] "johndoe" site:linkedin.com [+] "johndoe" leaked OR breach OR dump
SEARCH_PASTE
Searches Pastebin dumps via psbdmp.ws. Returns URLs and timestamps of pastes mentioning the query.
MCP parameter: query (string) | No API key required
Found in 3 paste(s) for 'target@example.com': [+] https://pastebin.com/aB1cD2eF (2023-04-12)
SEARCH_PHONE
Phone intelligence via phoneinfoga. Accepts E.164 format (+14155552671). Returns country, carrier, and line type.
MCP parameter: phone (string) | Requires: phoneinfoga binary
Phone intelligence for '+14155552671': [+] Country: United States [+] Carrier: AT&T [+] Line type: Mobile
SEARCH_CENSYS
Queries the Censys API for host scan data: open ports, running services, TLS certificate history, and banner information.
MCP parameter: query (string) | Requires: CENSYS_API_ID + CENSYS_API_SECRET
SEARCH_VIRUSTOTAL
Queries the VirusTotal API for URL, file hash, or IP analysis. Returns detections across 70+ antivirus engines and threat intelligence feeds.
MCP parameter: target (string — URL, hash, or IP) | Requires: VIRUSTOTAL_API_KEY
SEARCH_SHODAN
Queries Shodan for host banners and keyword searches. Returns open ports, service fingerprints, hostnames, and CVE matches where available.
MCP parameter: query (string) | Requires: SHODAN_API_KEY
SEARCH_IP2LOCATION
Queries the IP2Location.io API (sponsored integration). Returns geolocation to city level, ISP, ASN, domain, and — on the Security Plan — VPN, proxy, Tor exit node, and datacenter classification.
MCP parameter: ip (string — IPv4 or IPv6) | Requires: IP2LOCATION_API_KEY
CLI: openosint ip2location <address> [-t <seconds>]
$ openosint ip2location 8.8.8.8 [IP2Location] Country: United States (US) [IP2Location] City: Mountain View [IP2Location] ISP: Google LLC [IP2Location] VPN: No | Proxy: No | TOR: No [IP2Location] Datacenter: Yes
See the IP reputation guide for usage patterns.
SEARCH_ABUSEIPDB
Checks an IP against the AbuseIPDB v2 API for crowd-sourced abuse reports. Returns confidence score (0–100%), report count, country, ISP, and last reported timestamp.
MCP parameter: ip (string — IPv4 or IPv6) | Requires: ABUSEIPDB_API_KEY
CLI: openosint abuseipdb <address> [-t <seconds>]
$ openosint abuseipdb 198.51.100.1 [AbuseIPDB] Abuse Confidence Score: 87% [AbuseIPDB] Total Reports: 143 ⚠️ HIGH ABUSE CONFIDENCE — flagged by AbuseIPDB
See the IP reputation guide for a detailed walkthrough.