aiodnsbrute

A Python 3.5+ tool that uses asyncio to brute force domain names asynchronously. It is fast: benchmarks on small VPS hosts put around 100k DNS resolutions at 1.5-2 minutes, and an Amazon M3 instance made 1 million requests in just over 3 minutes. Your mileage may vary. If you are purely interested in speed, avoid using Google's resolvers. Trickest currently supports only JSON output for aiodnsbrute.

amass

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

amass-intel

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. This entry runs the amass intel subcommand, which discovers root domains and organisation assets rather than enumerating subdomains.

amass-json

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. This version produces JSON output.

analyticsrelationships

Get related domains / subdomains by looking at Google Analytics IDs

assetfinder

Find domains and subdomains potentially related to a given domain.

bbot

OSINT automation for hackers

bevigil

bevigil-cli provides a unified command line interface and python library for using BeVigil OSINT API

bigip-scanner

Determine the running software version of a remote F5 BIG-IP management interface

ccpy

Extract URLs for a specific target from the commoncrawl.org index results.

cdncheck

A utility to detect whether a given IP address belongs to a CDN, WAF or cloud provider, so such addresses can be excluded from port scanning.

cero

Scrape domain names from SSL certificates of arbitrary hosts

certsh-subdomains

Connect to the crt.sh database and get the subdomains of a domain

chaos-client

Go client to communicate with Chaos DB API.

chronos

Extract pieces of info from a web page's Wayback Machine history

cloud-enum

Multi-cloud enumeration utility

crosslinked

LinkedIn enumeration tool to extract valid employee names from an organization through search engine scraping

csprecon

Discover new target domains using Content Security Policy
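The technique behind this entry is simple: a Content-Security-Policy header lists the origins a site is allowed to load resources from, and those origins often include the organisation's other domains and its third-party dependencies. The following is an added example, not csprecon's own code, that parses a policy string, reduces each source expression to a hostname (dropping keywords, nonces, hashes, scheme-only sources, ports and wildcard prefixes) and reports which hosts fall outside an already-known root domain. The sample header and the domain names in it are constructed for the demo.

```python
"""Extract candidate hosts from a Content-Security-Policy header.

Added example for the csprecon entry; constructed input, not csprecon's code.
"""

# Constructed sample header: NOT captured from a real site.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-r4nd0m' https://cdn.example-assets.net "
    "https://static.partner-example.org/js/; "
    "img-src * data: blob:; "
    "connect-src https://api.example.com:8443 wss://*.realtime.example.com; "
    "frame-ancestors 'none'; "
    "report-uri https://csp.example-report.net/collect"
)


def parse_csp(policy):
    """Split a policy string into {directive: [source expressions]}.

    Directives are ';'-separated; the first token of each is the directive
    name and the remaining tokens are its source expressions.
    """
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def host_of(source):
    """Reduce one source expression to a hostname, or None if it has none.

    Handles scheme prefixes, ports (including ':*'), paths and a leading
    '*.' wildcard. Quoted keywords ('self', 'nonce-...', 'sha256-...'),
    scheme-only sources (data:, blob:) and a bare '*' yield None.
    """
    s = source.lower()
    if s.startswith("'"):
        return None
    if "://" in s:
        s = s.split("://", 1)[1]
    s = s.split("/", 1)[0]          # drop any path component
    s = s.split(":", 1)[0]          # drop port (also turns "data:" into "data")
    if s.startswith("*."):
        s = s[2:]
    return s if "." in s else None  # "*", "data", "blob" carry no host


def hosts_from_csp(policy):
    """Map every host named in the policy to the directives that name it."""
    found = {}
    for directive, sources in parse_csp(policy).items():
        for src in sources:
            host = host_of(src)
            if host:
                found.setdefault(host, set()).add(directive)
    return {h: sorted(d) for h, d in found.items()}


def outside_scope(hosts, known_roots):
    """Hosts not under any already-known root: the candidate new targets."""
    def under(host, root):
        return host == root or host.endswith("." + root)
    return sorted(h for h in hosts if not any(under(h, r) for r in known_roots))


if __name__ == "__main__":
    hosts = hosts_from_csp(SAMPLE_CSP)
    for host, directives in sorted(hosts.items()):
        print(f"{host:32} {', '.join(directives)}")
    print("new candidates:", outside_scope(hosts, ["example.com"]))
```

In practice the policy string comes from the Content-Security-Policy (or Content-Security-Policy-Report-Only) response header of each in-scope URL; the report-uri and report-to endpoints are worth keeping because they frequently point at infrastructure that does not appear anywhere else.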

dmut

A tool written in Go that generates permutations, mutations and alterations of subdomains and brute-forces the results.

dnsrecon

Author description - DNSRecon is a Python port of a Ruby script that I wrote to learn the language and about DNS in early 2007. This time I wanted to learn about Python and extend the functionality of the original tool and in the process re-learn how DNS works and how it could be used in the process of a security assessment and network troubleshooting. This tool provides the ability to perform: Check all NS records for zone transfers; Enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT); Perform common SRV record enumeration; Top Level Domain (TLD) expansion; Check for wildcard resolution; Brute force subdomain and host A and AAAA records given a domain and a wordlist; Perform a PTR record lookup for a given IP range or CIDR; Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file to check.

dnsx

dnsx is a fast, multi-purpose DNS toolkit that runs multiple probers on top of the retryabledns library, letting you perform DNS queries of your choice (A, AAAA, CNAME, NS, TXT, PTR and more) against a list of user-supplied resolvers.

dorky

A tool to automate dorking of GitHub/GitLab

favfreak

FavFreak takes a list of URLs from stdin, fetches each favicon.ico, calculates its hash value and matches the calculated favicon hashes against the favicon hashes present in its fingerprint dictionary.
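The hash in this workflow is the one Shodan's http.favicon.hash filter uses: the favicon bytes are base64-encoded (with line breaks every 76 characters and a trailing newline, the codecs/encodebytes style) and then run through MurmurHash3 x86 32-bit, read as a signed integer. Hashing the raw bytes, or unwrapped base64, produces a different number that matches nothing in any published fingerprint list. The block below is an added example, not FavFreak's code; MurmurHash3 is implemented inline so it runs offline without the mmh3 package, and the fingerprint dictionary is constructed from two made-up icons for the demo.

```python
"""Favicon fingerprinting with the Shodan-style favicon hash.

Added example for the favfreak entry (not FavFreak's own code).
"""
import base64


def murmur3_32(data, seed=0):
    """MurmurHash3_x86_32 over `data` (bytes), returned as unsigned 32-bit."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    mask = 0xFFFFFFFF
    h = seed & mask
    nblocks = len(data) // 4
    for i in range(nblocks):                 # 4-byte little-endian blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask   # rotl32(k, 15)
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask   # rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & mask
    tail = data[nblocks * 4:]                # 0-3 leftover bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    h ^= len(data)                           # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h


def to_signed32(value):
    """Reinterpret an unsigned 32-bit value as signed, as mmh3.hash() does."""
    return value - (1 << 32) if value & 0x80000000 else value


def favicon_hash(icon_bytes):
    """Hash favicon bytes the way the Shodan http.favicon.hash filter expects.

    base64.encodebytes wraps lines at 76 characters and appends a newline;
    those newline bytes are part of the hashed input, so a plain
    base64.b64encode() here would give a different, useless number.
    """
    wrapped = base64.encodebytes(icon_bytes)
    return to_signed32(murmur3_32(wrapped))


# Constructed fingerprint dictionary: sample icon bytes for two fake
# products, keyed by their favicon hash. A real dictionary maps hashes
# collected from live favicons to product names.
_SAMPLE_ICONS = {
    "ExampleCorp Admin Portal": b"\x00\x00\x01\x00\x01\x00" + b"\x10" * 40,
    "ExampleCorp VPN Gateway": b"\x00\x00\x01\x00\x01\x00" + b"\x20" * 40,
}
FINGERPRINTS = {favicon_hash(b): name for name, b in _SAMPLE_ICONS.items()}


def identify(icon_bytes, fingerprints=FINGERPRINTS):
    """Return the product name whose favicon hash matches, or None."""
    return fingerprints.get(favicon_hash(icon_bytes))


if __name__ == "__main__":
    for name, icon in _SAMPLE_ICONS.items():
        print(f"{favicon_hash(icon):>12}  {identify(icon)}")
    print(identify(b"unknown icon bytes"))
```

Once a hash is known it can be pivoted in both directions: look the hash up in a fingerprint list to name the product behind an IP, or search an internet-wide scanner for every host serving the same hash to find more instances of the same product or organisation.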

findomain

The complete solution for domain recognition. Supports screenshotting, port scan, HTTP check, data import from other tools, subdomain monitoring.

get-acq

GET-ACQ is a Python tool that gathers all companies acquired by the company behind a given domain name. It does this by querying the SecurityTrails API.

gh-downloader

Process GitHub Archive URLs and generate unique repositories and users CSV files

gh-enhancer

Process GitHub Archive URLs and generate unique repositories and users CSV files

gh-investigator

Use the generated CSV files to get interesting information.

gh-scraper

Process GitHub Archive URLs and generate unique repositories and users CSV files

github-endpoints

Find endpoints on GitHub

github-subdomains

Find subdomains on GitHub

goaltdns

GoAltdns is a permutation generation tool that takes a list of subdomains, permutes them using a wordlist, inserts indexes, numbers and dashes, and so increases your chance of finding that esoteric subdomain that no one found during a bug bounty or pentest.

gobuster-dns

A tool used to brute-force DNS subdomains (with wildcard support).

gorks

Search google dorks in the specified GCSE id

gotator

Gotator is a tool to generate DNS wordlists through permutations.

hakrevdns

Small, fast, simple tool for performing reverse DNS lookups en masse. You feed it IP addresses, it returns hostnames. This can be a useful way of finding domains and subdomains belonging to a company from their IP addresses.

haktrails

Golang client for querying SecurityTrails API data

hosthunter

A tool to efficiently discover and extract hostnames given a large set of target IP addresses. HostHunter utilises simple OSINT techniques to map IP addresses to virtual hostnames. It generates a CSV or TXT file containing the results of the reconnaissance.

jldc-subdomains

Get subdomains from jldc.me.

massdns

MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amount of domain names in the order of millions or even billions. Without special configuration, MassDNS is capable of resolving over 350,000 names per second using publicly available resolvers.

mksub

Make subdomains using a wordlist. Reads a wordlist file (lowercases it and strips characters outside [a-zA-Z0-9-_.]), filters the unique words and generates subdomains from them.
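The mksub, goaltdns, gotator and dmut entries all describe the same family of operation: normalise a wordlist, then combine it with already-known subdomains to produce new candidates for resolution. The following is an added example, not the code of any of those tools, that implements the normalisation rule given in the mksub description and the permutation kinds named in the goaltdns description (prepended words, insertion at each label boundary, dash joins and numeric suffixes). The wordlist and seed subdomains are constructed; how many numbers to append, and whether to dash-join, are choices of this example.

```python
"""Subdomain permutation generator.

Added example for the mksub, goaltdns, gotator and dmut entries; not any of
those tools' code.
"""
import re

_BAD_CHARS = re.compile(r"[^a-zA-Z0-9\-_.]+")


def normalise_wordlist(lines):
    """Lowercase, strip disallowed characters, drop empties, keep first-seen order."""
    seen, words = set(), []
    for line in lines:
        w = _BAD_CHARS.sub("", line.strip().lower()).strip(".")
        if w and w not in seen:
            seen.add(w)
            words.append(w)
    return words


def split_host(fqdn, root):
    """Labels of fqdn below root: api.dev.example.com -> ['api', 'dev']."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn == root:
        return []
    suffix = "." + root
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not under {root}")
    return fqdn[:-len(suffix)].split(".")


def permute(subdomains, words, root, numbers=range(1, 3)):
    """Generate candidate hostnames from known subdomains and a wordlist.

    For each known name and each word: prepend the word as a new label,
    insert it at every label boundary, and join it to the first label with
    a dash in both orders; then append each number to the first label with
    and without a dash. Returns a sorted, de-duplicated list that excludes
    the inputs themselves.
    """
    known = {s.lower().rstrip(".") for s in subdomains}
    out = set()
    for sub in known:
        labels = split_host(sub, root)
        if not labels:                       # the root itself has nothing to permute
            continue
        first, rest = labels[0], labels[1:]
        for w in words:
            out.add(".".join([w] + labels + [root]))              # w.api.example.com
            for i in range(1, len(labels) + 1):                   # api.w.example.com
                out.add(".".join(labels[:i] + [w] + labels[i:] + [root]))
            out.add(".".join([f"{first}-{w}"] + rest + [root]))  # api-w.example.com
            out.add(".".join([f"{w}-{first}"] + rest + [root]))  # w-api.example.com
        for n in numbers:
            out.add(".".join([f"{first}{n}"] + rest + [root]))   # api1.example.com
            out.add(".".join([f"{first}-{n}"] + rest + [root]))  # api-1.example.com
    return sorted(out - known)


if __name__ == "__main__":
    # Constructed inputs: a messy wordlist and two seed subdomains.
    words = normalise_wordlist(["Dev\n", "dev", "  STAGING ", "bad word!", "", "v1.0"])
    for name in permute(["api.example.com", "admin.portal.example.com"], words, "example.com"):
        print(name)
```

The output is meant to be piped into a resolver with wildcard handling rather than trusted as-is: permutation lists grow multiplicatively with the number of seeds and words, and every candidate that "resolves" under a wildcard zone is noise until it has been filtered.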

nrich

Analyze a list of IP addresses and see which ones have open ports/vulnerabilities through Shodan

oneforall

Multi-featured subdomain recon tool

puredns

Puredns is a fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.

second-order

Crawler and second-order subdomain takeover scanner

securitytrails-subdomains

Get subdomains for root domain from SecurityTrails.

shuffledns

shuffleDNS is a wrapper around massdns written in Go that lets you enumerate valid subdomains by active brute force, as well as resolve subdomains with wildcard handling and easy input/output support.
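The "wildcard handling" that the dnsrecon, gobuster-dns, puredns and shuffledns entries mention addresses the same problem: a zone with a wildcard record answers for every name, so a candidate that merely resolves is no evidence that a host exists. The usual check is to resolve a few random labels first (they cannot be real hosts, so whatever they return is the wildcard answer set) and discard candidates whose answers are contained in that set. puredns additionally mentions filtering poisoned entries, which is done by re-validating hits with a trusted resolver. The block below is an added example, not the code of any of these tools; the resolvers are constructed in-memory zones so it runs offline, and the function names and the choice of three probes are this example's own.

```python
"""Wildcard-aware subdomain brute force with trusted-resolver validation.

Added example for the dnsrecon, gobuster-dns, puredns and shuffledns
entries; not any of those tools' code.
"""
import secrets

# Constructed zone: a wildcard catches everything under example.com, two
# real hosts have their own addresses, and dev.example.com is a real host
# that happens to share the wildcard's address.
FAKE_ZONE = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.25"},
    "dev.example.com": {"203.0.113.99"},
    "*.example.com": {"203.0.113.99"},
}

# A bogus answer that only the "public" resolver returns (stand-in for a
# poisoned or stale cache); the trusted resolver never gives it.
_POISONED = {"admin.example.com": {"198.51.100.7"}}


def fake_resolve(name):
    """Trusted resolver over FAKE_ZONE: exact record first, else the
    closest enclosing wildcard, else no answer. Returns a set of IPs."""
    name = name.lower().rstrip(".")
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        hit = FAKE_ZONE.get("*." + ".".join(labels[i:]))
        if hit:
            return hit
    return set()


def poisoned_resolve(name):
    """Public resolver: like fake_resolve but with one poisoned entry."""
    return _POISONED.get(name.lower().rstrip("."), fake_resolve(name))


def detect_wildcard(root, resolve, probes=3):
    """Return the wildcard answer set for root (empty if no wildcard).

    Random labels cannot be real hosts, so any answer to them comes from a
    wildcard. Several probes are used because a wildcard may round-robin.
    """
    answers = set()
    for _ in range(probes):
        answers |= resolve(f"{secrets.token_hex(8)}.{root}")
    return answers


def brute_force(root, wordlist, resolve, trusted_resolve=None):
    """Return {name: ips} for candidates that survive both filters.

    A candidate is dropped if it does not resolve, if all of its addresses
    belong to the wildcard answer set, or, when a trusted resolver is given,
    if that resolver does not reproduce a non-wildcard answer for it.
    """
    wildcard_ips = detect_wildcard(root, trusted_resolve or resolve)

    def is_noise(ips):
        return not ips or (wildcard_ips and ips <= wildcard_ips)

    found = {}
    for word in wordlist:
        name = f"{word}.{root}"
        ips = resolve(name)
        if is_noise(ips):
            continue
        if trusted_resolve is not None:
            ips = trusted_resolve(name)      # re-validate: poisoned answers vanish here
            if is_noise(ips):
                continue
        found[name] = ips
    return found


if __name__ == "__main__":
    WORDS = ["www", "mail", "dev", "admin", "nothing"]
    print("wildcard answers:", detect_wildcard("example.com", fake_resolve))
    print("unvalidated:", brute_force("example.com", WORDS, poisoned_resolve))
    print("validated:  ", brute_force("example.com", WORDS, poisoned_resolve, fake_resolve))
```

Note the blind spot the sample zone is built to show: dev.example.com is a real host, but because its address equals the wildcard's it is filtered out along with the noise. Answer-set comparison cannot distinguish the two, which is why a wildcard-heavy zone still deserves a second look with other record types or with HTTP probing of the filtered names.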

spiderfoot

OSINT for threat intelligence and attack surface mapping

subbrute

SubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting (https://www.us-cert.gov/ncas/alerts/TA13-088A). This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.

subdomainizer

SubDomainizer is a tool designed to find hidden subdomains and secrets present in web pages, GitHub, and the external JavaScript files referenced by the given URL.

subfinder

Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. Subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.

sublist3r

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask.

sudomy

Sudomy is a subdomain enumeration tool that collects subdomains and analyzes domains, performing automated reconnaissance (recon) for bug hunting / pentesting.

theharvester

E-mails, subdomains and names enumeration tool

tlsx

Fast and configurable TLS grabber focused on TLS based data collection.

vhostscan

A virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.

vita

Vita is a tool to gather subdomains from passive sources.

waymore

Find way more from the Wayback Machine

whatwaf

Detect and bypass web application firewalls and protection systems

whoisninja

Reverse WHOIS lookup script

whois-with-ripe

Get whois data through ripe.net

xsubfind3r

xsubfind3r is designed to efficiently identify known subdomains of given domains by tapping into a multitude of curated online passive sources.

zdns

Fast CLI DNS Lookup Tool

zgrab2-http

Fast Go Application Scanner

zgrab2-http-simple

Fast Go Application Scanner, with output parsed to print out title, status and content length.

zgrab2-jarm

Fast Go Application Scanner

zgrab2-multiple

Fast Go Application Scanner

zgrab2-tls

Fast Go Application Scanner