How To: Find Identifying Information from a Phone Number Using OSINT Tools

Find Identifying Information from a Phone Number Using OSINT Tools

Phone numbers often contain clues to the owner's identity and can bring up a lot of data during an OSINT investigation. Starting with a phone number, we can search through a large number of online databases with only a few clicks to discover information about a phone number. It can include the carrier, the owner's name and address, and even connected online accounts.

While a phone number may not seem like much information to give out, an OSINT researcher can quickly discover information that ties a phone number to a variety of other clues. The data can be used to detect whether a phone number is a throwaway VoIP number used to hide the owner's identity or a cell phone belonging to a real person. In the event of buying something online or replying to an apartment ad, this information is incredibly useful to know.

For a hacker, the ability to turn a phone number into multiple connected online accounts, email addresses, or screen names makes it a perfect starting point for bigger things to come. A quick scan to discover the carrier of a phone number can provide everything a hacker needs for a well-crafted phishing email pretending to be from the victim's carrier. Once a hacker can identify other details about the target that may be attached to the phone number, it's easy to identify the weakest link and attack the target using whatever information that's dug up.

Editor's note: The OSINT Tools by Mike Bazzel featured in this article was taken down from his website due to increased DDoS-style attacks, as well as DMCAs and cease-and-desists from some of the tools included. Phoneinfoga will still work in this guide, but for the others, you can try using each company's individual tool instead. You can see how it used to work, however, in the video and text below.

OSINT Tools for Phone Numbers

For quickly searching through phone numbers, we can use both command-line and browser-based tools. Command line tools give the advantage of simple operation and greater customization but require you to have Python installed and updated. Today, we'll be using a tool called Phoneinfoga to quickly determine if the number is associated with a disposable phone number.

___ _                       _____        __
   / _ \ |__   ___  _ __   ___  \_   \_ __  / _| ___   __ _  __ _
  / /_)/ '_ \ / _ \| '_ \ / _ \  / /\/ '_ \| |_ / _ \ / _` |/ _` |
 / ___/| | | | (_) | | | |  __/\/ /_ | | | |  _| (_) | (_| | (_| |
 \/    |_| |_|\___/|_| |_|\___\____/ |_| |_|_|  \___/ \__, |\__,_|
 PhoneInfoga Ver. v1.6.4
 Coded by Sundowndev

One of the best resources for OSINT is Mike Bazzel's IntelTechniques website, which we'll also be focusing on here. This website contains several custom tools that Bazzel had organized to be useful for researchers. Many of these tools are already in Buscador OS, a virtual machine that can be run to provide an operating system geared towards OSINT investigations.

The Scenario

As an example, we'll take a sample business listing from a classified ad. How would we verify this? If the ad claims to be from a licensed professional, could we track down a license attached to the phone number? A simple reverse phone number lookup may find something, but to see the real data, you have to dig deeper and utilize more than just one reverse number lookup tool.

Step 1: Install Phoneinfoga

To supplement the information you find online later, you can use a Python tool called Phoneinfoga, which allows you to search for details about phone numbers from the command line. To use Phoneinfoga, open a terminal window and enter the following four commands one by one or at the same time.

~$ git clone
~$ cd PhoneInfoga/
~/PhoneInfoga$ python3 -m pip install -r requirements.txt
~/PhoneInfoga$ cp

Cloning into 'PhoneInfoga'...
remote: Enumerating objects: 85, done.
remote: Counting objects: 100% (85/85), done.
remote: Compressing objects: 100% (79/79), done.
remote: Total 886 (delta 43), reused 12 (delta 6), pack-reused 801
Receiving objects: 100% (886/886), 247.47 KiB | 550.00 KiB/s, done.
Resolving deltas: 100% (461/461), done.

Requirement already satisfied: requests==2.21.0 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (2.21.0)
Collecting bs4==0.0.1 (from -r requirements.txt (line 2))
Requirement already satisfied: html5lib==1.0.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 3)) (1.0.1)
Collecting phonenumbers==8.10.2 (from -r requirements.txt (line 4))
  Downloading (3.2MB)
    100% |████████████████████████████████| 3.2MB 381kB/s
Collecting argparse==1.2.1 (from -r requirements.txt (line 5))
  Downloading (69kB)
    100% |████████████████████████████████| 71kB 5.8MB/s
Collecting urllib3==1.24.2 (from -r requirements.txt (line 6))
  Downloading (131kB)
    100% |████████████████████████████████| 133kB 7.4MB/s
Collecting colorama==0.4.1 (from -r requirements.txt (line 7))
Requirement already satisfied: beautifulsoup4 in /usr/lib/python3/dist-packages (from bs4==0.0.1->-r requirements.txt (line 2)) (4.7.1)
Building wheels for collected packages: bs4, argparse
  Running bdist_wheel for bs4 ... done
  Stored in directory: /root/.cache/pip/wheels/a0/b0/b2/4f80b9456b87abedbc0bf2d52235414c3467d8889be38dd472
  Running bdist_wheel for argparse ... done
  Stored in directory: /root/.cache/pip/wheels/30/35/38/aa7be52cca01ed539bd6f3789edb8489691cc7d9a010cbc982
Successfully built bs4 argparse
Installing collected packages: bs4, phonenumbers, argparse, urllib3, colorama
  Found existing installation: urllib3 1.24.1
    Not uninstalling urllib3 at /usr/lib/python3/dist-packages, outside environment /usr
    Can't uninstall 'urllib3'. No files were found to uninstall.
  Found existing installation: colorama 0.3.7
    Not uninstalling colorama at /usr/lib/python3/dist-packages, outside environment /usr
    Can't uninstall 'colorama'. No files were found to uninstall.
Successfully installed argparse-1.2.1 bs4-0.0.1 colorama-0.4.1 phonenumbers-8.10.2 urllib3-1.24.2

Next, you can run the program with the options displayed in the help file.

~/PhoneInfoga$ python3 -h

usage: -n <number> [options]

Advanced information gathering tool for phone numbers
( version v1.6.4

optional arguments:
  -h, --help            show this help message and exit
  -n number, --number number
                        The phone number to scan (E164 or international
  -i input_file, --input input_file
                        Phone number list to scan (one per line)
  -o output_file, --output output_file
                        Output to save scan results
  -s scanner, --scanner scanner
                        The scanner to use
  --recon               Launch custom format reconnaissance
  --no-ansi             Disable colored output
  -v, --version         Show tool version

Step 2: Search a Phone Number with Phoneinfoga

To search for a phone number, we just need to add the -n flag and then whatever number we want to search for. If you use the --recon argument, it will perform an advanced search.

~/PhoneInfoga$ python3 -n 1717███9539 --recon

    ___ _                       _____        __
   / _ \ |__   ___  _ __   ___  \_   \_ __  / _| ___   __ _  __ _
  / /_)/ '_ \ / _ \| '_ \ / _ \  / /\/ '_ \| |_ / _ \ / _` |/ _` |
 / ___/| | | | (_) | | | |  __/\/ /_ | | | |  _| (_) | (_| | (_| |
 \/    |_| |_|\___/|_| |_|\___\____/ |_| |_|_|  \___/ \__, |\__,_|
 PhoneInfoga Ver. v1.6.4
 Coded by Sundowndev

[!] ---- Fetching informations for 1717███9539 ---- [!]
[*] Running local scan...
[+] International format: +1 717-███-9539
[+] Local format: 717███9539
[+] Country found: United States (+1)
[+] City/Area: Pennsylvania
[+] Carrier:
[+] Timezone: America/New_York
[i] The number is valid and possible.
[*] Running scan...
[!] is not available
[*] Running OVH scan...
[*] Running custom format reconnaissance...
Footprint reconnaissance for 717███9539
[+] URL:███-9539
[+] URL:███-9539
[+] URL:███-9539
[+] URL:███9586
[+] URL:███/9
Footprint reconnaissance for 1 717███9539
Footprint reconnaissance for 1 717 ███9539
Footprint reconnaissance for 717 ███9539
[+] URL:███1704
Footprint reconnaissance for 717-███9539
[+] URL:███1704
Footprint reconnaissance for 717-███-9539
[+] URL:█████████-███-██-██-████
[+] URL:███-9539
[+] URL:███367
[+] URL:█████████-███
[+] URL:██████rauch
Footprint reconnaissance for +1 717-███-9539
[+] URL:███
[+] URL:███
[+] URL:███-95
[+] URL:███7777
[+] URL:███-95
Footprint reconnaissance for (+1)717-███-9539
[+] URL:███-9539
[+] URL:███-9XXX
[+] URL:███-9538
[+] URL:███%3Fpage%3D4%26thousand%3D9
[+] URL:███-95
Footprint reconnaissance for +1/717-███-9539
[+] URL:███-9539
[+] URL:███-95XX
[+] URL:███-9538
[+] URL:███%3Fpage%3D4%26thousand%3D9
[+] URL:███-95
Footprint reconnaissance for (717) ███9539
[+] URL:███1704
Footprint reconnaissance for (717) ███-9539
[+] URL:█████████-███-██-██-████
[+] URL:███-9539
[+] URL:███367
[+] URL:█████████-███
[+] URL:██████rauch
Footprint reconnaissance for (717) ███.9539
Footprint reconnaissance for (717)███9539
[+] URL:███1704
Footprint reconnaissance for (717)███-9539
[+] URL:█████████-███-██-██-████
[+] URL:███-9539
[+] URL:███367
[+] URL:█████████-███
[+] URL:██████rauch
Footprint reconnaissance for (717)███.9539
[*] Running OSINT footprint reconnaissance...
[i] Generating scan URL on
[+] Scan URL:███-9539
Would you like to use an additional format for this number ? (y/N)  n

[i] ---- Web pages footprints ----
[i] Searching for footprints on web pages... (limit=10)
[+] Result found:███-9539
[+] Result found:███-9539
[+] Result found:███0000
[+] Result found:███9999_all2.htm
[+] Result found:███.htm
[+] Result found:███
[+] Result found:███0000
[+] Result found:███0000
[+] Result found:███0000
[i] Searching for documents... (limit=10)
[i] ---- Reputation footprints ----
[i] Searching for reputation report on
[i] Searching for phone fraud footprints...
[i] Searching for reputation report on
[i] Searching for reputation report on
[i] Searching for reputation report on
[i] Searching for reputation report on
[i] Searching for reputation report on
[i] Searching for reputation report on
[i] Searching for reputation report on
[i] Searching for reputation report on
[i] Generating URL on
Would you like to search for temporary number providers footprints ? (Y/n) n

[i] ---- Social media footprints ----
[i] Searching for footprints on
[i] Searching for footprints on
[i] Searching for footprints on
[i] Searching for footprints on
[i] ---- Phone books footprints ----
[i] Generating URL on True People...
[i] Searching for footprints on
[i] Searching for footprints on
[i] Searching for footprints on
[i] Searching for footprints on
[i] Searching for footprints on
[i] Searching for footprints on
[i] Searching for footprints on

Would you like to rerun OSINT scan ? (e.g to use a different format) (y/N) n

[i] Scan finished.

Sometimes, this tool can get you temporarily blacklisted from Google searches because of the way it's programmed. It's annoying but easily resolved with a Google abuse exemption, detailed at the end of the video above.

As you can see above, there are lots of links to dive into, and right away the name and business associated with the phone number are available in the output.

Step 3: Access the IntelTechniques OSINT Portal

Now, let's concentrate on the web tools that are free on Bazzel's website since they're a little bit easier to work with than with the command line tool above. To follow along, you can go to, then click on the "Telephone Number" tab.

A submenu appears when you click on "Telephone Number," and you'll need to select the "Telephone Search Tool" to bring up the page that will allow us to search many tools at once.

As you can see, it's a healthy mix of people-searching tools, phonebook directories, scam reporting websites, and social media connections. These are free, public resources combined into one easy-to-use search tool, allowing anyone with a browser and internet connection to begin researching who is on the other end of a phone number.

We can input a number into each tool one by one, but the easiest way is to enter the number into the field at the top, and click "Populate All."

Step 4: Search a Phone Number on IntelTechniques

In the search tool, enter the number into the field next to the "Populate All" button, then click the button to auto-populate the number into the rest of the fields. Next, select "Submit All" under the list of services to run all searches on the phone number. All of the services will open up in different tabs or pop-ups with the search already submitted (you may need to allow pop-ups in your browser).

Step 5: Search Results for Clues & Patterns

Now, check out some of the resources loaded from the search. Here, some of the people searching services have turned our phone number into a name.

Along with the person's name is a startling amount of information, the most important of which is a location and address for us to tie together further details. We found a lot of results with the name, making a pretty strong likelihood that this is the person behind our ad. So how would we prove they are a licensed professional?

Step 6: Locate Information That Can Be Verified

On another search site result, we can see the name of a business associated with the phone number, which is what we're looking for! If we can tie the name of a company and the name we've found associated with the number, we can look up a source we trust, like a state listing of active businesses, to determine whether this is a real business. Here, we have a name, address, and business name; everything we need to verify whether a business exists.

Step 7: Verify with Primary Source Data

To check out the information we found, we should look for some primary source information that backs up our discovery. In our case, the best database to search is the Department of State business database for the state we discovered the business in. Here, we were able to pull a valid business listing, one which matches the address we previously found. It appears the person behind the online advertisement is honest — they are a licensed professional after all.

Phone Numbers Can Tie Everything Together

As a starting point, a phone number can provide everything you need to locate information about a target. With tools like Phoneinfoga, you can quickly discover whether a phone number is a throwaway or a legitimate number. If the number is real, the IntelTecniques website tools can piece together clues to build a picture of the person behind the phone number, sometimes quite literally.

With the right tools, a single phone number can lead you from clue to clue, piecing together everything you need to learn about a target.

I hope you enjoyed this guide to using phone numbers in an OSINT investigation! If you have any questions about this tutorial on phone number recon, or if you have a comment, ask below or feel free to reach me on Twitter @KodyKinzie.

Want to start making money as a white hat hacker? Jump-start your hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from cybersecurity professionals.

Buy Now (90% off) >

Other worthwhile deals to check out:

Cover photo by Justin Meyers/Null Byte; Screenshots by Kody/Null Byte

Join the Next Reality AR Community

Get the latest in AR — delivered straight to your inbox.


i am getting these erros both kali and windows

C:\x> -v
Traceback (most recent call last):
File "C:\x\", line 21, in <module>
from scanners.footprints import osintScan
File "C:\x\scanners\", line 12, in <module>
from lib.googlesearch import search
File "C:\x\lib\", line 14, in <module>
from config import *
ModuleNotFoundError: No module named 'config'


thanks for the solution for this error

Same problem occuring in my machine. please help if you get solution.

I got the same then used pip install config and it worked but now i get NameError: name 'googleapikey' is not defined

Thank you for the post . works well.

but all above methods are not able to find information of indian number. so plz anyone help me.....

the tools whiuch u r ginven website is not working

Yes, I also tried, That tool is not working.

IntelTechniques OSINT Portal this website is not working and not accepting registration of new users,,,,,,,plz help

I get NameError: name 'googleapikey' is not defined

When I type the commands to search the number it asks for an additional format and if I type no it brings a bunch of errors and if I type yes it will let me put a extra format

selenium.common.exceptions.WebDriverException: Message: invalid argument: can't kill an exited process
How should i fix this error?

NameError: name 'googleapikey' is not defined

File "", line 17, in <module>
from lib.googlesearch import closeBrowser
File "/home/oli/PhoneInfoga/lib/", line 17, in <module>
from selenium import webdriver
ModuleNotFoundError: No module named 'selenium'

Anyone have a solution?

Error while fetching Google search API. Maybe usage limit ? Please verify your keys.

{'code': 403, 'message': 'The supplied API key is not configured for use from this client.', 'errors': {'message': 'The supplied API key is not configured for use from this client.', 'domain': 'global', 'reason': 'forbidden'}, 'status': 'PERMISSION_DENIED'}

help me to fix and also understand

It sounds like you need to go get a Google API key for developers and add it in to the code.

ok i also understand this statement .. i already put google api on it .. it didn't work .. tell me something else ... thank you

im getting an error which is
an error occured parsing .skipping

phoneinfoga ls in no requriments

python3 -m pip install -r requirements.txt gives the following error:
ERROR: Could not open requirements file: Errno 2 No such file or directory: 'requirements.txt'

this Phoneinfoga is not working on --recon command ,{that showed this message error: unrecognized arguments: --recon}...and that tool not showing the informations like on your picture.there're a bit of informations like :- carrier,time zone...also that given link is not working i surf for another link and got this tool.please attend to this errors.Thank you love your tools and tutorials.

sir can we find the gmail accounts linked to the phone number using the phone info ga tool

getting a couple of exceptions,
FileNotFoundError: Errno 2 No such file or directory: 'geckodriver'
selenium.common.exceptions.WebDriverException: Message: 'geckodriver' executable needs to be in PATH.
Thanks for any help with this

I tried to make a real good alternative for phoneinfoga as it lacks some real useful features like tracing the exact social media accounts of the users and if anyone wanna give it a try here's the link :

The link gives a 404 - Page not found error now.. is it still maintained?

someone who can help me to find some scam ip please? they are distroit life to many people. i can give the number thanks

where is the requirements.txt file

V1 has been updated and v2 does not have the requirements.txt file

does it still work?

"The public forum and free online tools were shut down in May of 2019 due to abuse and legal demands. These were replaced with an offline version which is included with each copy of the new OSINT book."

Straight from the link that is provided in this article.

what do I do about the "requirements.txt "thing?

Share Your Thoughts

  • Hot
  • Latest