Recon

aiodnsbrute

A Python 3.5+ tool that uses asyncio to brute force domain names asynchronously. It's fast. Benchmarks on small VPS hosts put around 100k DNS resolutions at 1.5-2 mins. An Amazon M3 box was used to make 1 million requests in just over 3 minutes. Your mileage may vary. It's probably best to avoid using Google's resolvers if you're purely interested in speed. Trickest currently supports only JSON output for aiodnsbrute.

Recon

amass

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

Recon

amass-intel

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

Recon

amass-json

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. This version produces JSON output.

Recon

analyticsrelationships

Get related domains / subdomains by looking at Google Analytics IDs

Recon

assetfinder

Find domains and subdomains potentially related to a given domain.

Recon

bbot

OSINT automation for hackers

Recon

bevigil

bevigil-cli provides a unified command line interface and Python library for using the BeVigil OSINT API.

Recon

bigip-scanner

Determine the running software version of a remote F5 BIG-IP management interface

Recon

ccpy

Extracting URLs of a specific target based on the results of commoncrawl.org.

Recon

cdncheck

A utility to detect various technologies (CDN, WAF, cloud provider) for a given IP address.

Recon

cero

Scrape domain names from SSL certificates of arbitrary hosts

Recon

certsh-subdomains

Connect to the crt.sh database and get the subdomains of a domain

Recon

chaos-client

Go client to communicate with Chaos DB API.

Recon

chronos

Extract pieces of info from a web page's Wayback Machine history

Recon

cloud-enum

Multi-cloud enumeration utility

Recon

crosslinked

LinkedIn enumeration tool to extract valid employee names from an organization through search engine scraping

Recon

csprecon

Discover new target domains using Content Security Policy

Recon

dmut

A tool written in Go to perform permutations, mutations and alterations of subdomains and brute force the result.

Recon

dnsrecon

Author description - DNSRecon is a Python port of a Ruby script that I wrote to learn the language and about DNS in early 2007. This time I wanted to learn about Python and extend the functionality of the original tool and in the process re-learn how DNS works and how it could be used in the process of a security assessment and network troubleshooting. This tool provides the ability to perform: Check all NS Records for Zone Transfers; Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT); Perform common SRV Record Enumeration; Top Level Domain (TLD) Expansion; Check for Wildcard Resolution; Brute Force subdomain and host A and AAAA records given a domain and a wordlist; Perform a PTR Record lookup for a given IP Range or CIDR; Check a DNS Server's cached records for A, AAAA and CNAME Records, provided a list of host records in a text file to check.

Recon

dnsx

dnsx is a fast and multi-purpose DNS toolkit that runs multiple probers using the retryabledns library, allowing you to perform multiple DNS queries of your choice against a list of user-supplied resolvers.

Recon

dorky

A tool to automate dorking of GitHub/GitLab

Recon

favfreak

FavFreak takes a list of URLs from stdin, fetches favicon.ico, calculates the hash value and matches the calculated favicon hashes against the favicon hashes present in the fingerprint dictionary.

Recon

findomain

The complete solution for domain recognition. Supports screenshotting, port scanning, HTTP checks, data import from other tools, and subdomain monitoring.

Recon

get-acq

GET-ACQ is a Python tool used to gather all companies acquired by a given company domain name. It does this by calling the SecurityTrails API.

Recon

gh-downloader

Process GitHub Archive URLs and generate unique repositories and users CSV files

Recon

gh-enhancer

Process GitHub Archive URLs and generate unique repositories and users CSV files

Recon

gh-investigator

Use the generated CSV files to get interesting information.

Recon

gh-scraper

Process GitHub Archive URLs and generate unique repositories and users CSV files

Recon

github-endpoints

Find endpoints on GitHub

Recon

github-subdomains

Find subdomains on GitHub

Recon

goaltdns

GoAltdns is a permutation generation tool that can take a list of subdomains, permute them using a wordlist, insert indexes, numbers and dashes, and increase your chance of finding that esoteric subdomain that no-one found during a bug bounty or pentest.

Recon

gobuster-dns

A tool used to brute-force DNS subdomains (with wildcard support).

Recon

gorks

Search Google dorks in the specified GCSE (Google Custom Search Engine) ID.

Recon

gotator

Gotator is a tool to generate DNS wordlists through permutations.

Recon

hakrevdns

Small, fast, simple tool for performing reverse DNS lookups en masse. You feed it IP addresses, it returns hostnames. This can be a useful way of finding domains and subdomains belonging to a company from their IP addresses.

Recon

haktrails

Golang client for querying SecurityTrails API data

Recon

hosthunter

A tool to efficiently discover and extract hostnames providing a large set of target IP addresses. HostHunter utilises simple OSINT techniques to map IP addresses with virtual hostnames. It generates a CSV or TXT file containing the results of the reconnaissance.

Recon

jldc-subdomains

Get subdomains from jldc.me.

Recon

massdns

MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amount of domain names in the order of millions or even billions. Without special configuration, MassDNS is capable of resolving over 350,000 names per second using publicly available resolvers.

Recon

mksub

Make subdomains using a wordlist. Reads a wordlist file (lowercased, with characters matching [^a-zA-Z0-9-_.]+ removed), filters unique words and generates subdomains.

Recon

nrich

Analyze a list of IP addresses and see which ones have open ports/vulnerabilities through Shodan

Recon

oneforall

Multi-featured subdomain recon tool

Recon

puredns

Puredns is a fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.

Recon

second-order

Crawler and second-order subdomain takeover scanner

Recon

securitytrails-subdomains

Get subdomains for root domain from SecurityTrails.

Recon

shuffledns

shuffleDNS is a wrapper around massdns written in Go that allows you to enumerate valid subdomains using active brute force, as well as resolve subdomains with wildcard handling and easy input-output support.

Recon

spiderfoot

OSINT for threat intelligence and attack surface mapping

Recon

subbrute

SubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting (https://www.us-cert.gov/ncas/alerts/TA13-088A). This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.

Recon

subdomainizer

SubDomainizer is a tool designed to find hidden subdomains and secrets present in a webpage, on GitHub, or in external JavaScript files referenced by the given URL.

Recon

subfinder

Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. Subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.

Recon

sublist3r

Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask.

Recon

sudomy

Sudomy is a subdomain enumeration tool that collects subdomains and analyzes domains, performing automated reconnaissance (recon) for bug hunting / pentesting.

Recon

theharvester

E-mails, subdomains and names enumeration tool

Recon

tlsx

Fast and configurable TLS grabber focused on TLS based data collection.

Recon

vhostscan

A virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.

Recon

vita

Vita is a tool to gather subdomains from passive sources.

Recon

waymore

Find way more from the Wayback Machine

Recon

whatwaf

Detect and bypass web application firewalls and protection systems

Recon

whoisninja

Reverse WHOIS lookup script

Recon

whois-with-ripe

Get whois data through ripe.net

Recon

xsubfind3r

xsubfind3r is designed to efficiently identify known subdomains of given domains by tapping into a multitude of curated online passive sources.

Recon

zdns

Fast CLI DNS Lookup Tool

Recon

zgrab2-http

Fast Go Application Scanner

Recon

zgrab2-http-simple

Fast Go Application Scanner, with output parsed to print the title, status and content length.

Recon

zgrab2-multiple

Fast Go Application Scanner

Recon

zgrab2-tls

Fast Go Application Scanner