Recon Tools
Explore a collection of powerful and efficient tools in the Recon category to enhance your productivity and security.
aiodnsbrute
A Python 3.5+ tool that uses asyncio to brute-force domain names asynchronously. It's fast. Benchmarks on small VPS hosts put around 100k DNS resolutions at 1.5-2 minutes. An Amazon M3 box was used to make 1 million requests in just over 3 minutes. Your mileage may vary. It's probably best to avoid using Google's resolvers if you're purely interested in speed. Trickest currently supports only JSON output for aiodnsbrute.
amass
The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
amass-intel
The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
amass-json
The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. This version produces JSON output.
analyticsrelationships
Get related domains / subdomains by looking at Google Analytics IDs
assetfinder
Find domains and subdomains potentially related to a given domain.
bbot
OSINT automation for hackers
bevigil
bevigil-cli provides a unified command line interface and Python library for using the BeVigil OSINT API.
bigip-scanner
Determine the running software version of a remote F5 BIG-IP management interface
ccpy
Extract URLs for a specific target from the results of commoncrawl.org.
cdncheck
A utility to detect various technologies (for example CDN, cloud and WAF providers) for a given IP address.
cero
Scrape domain names from SSL certificates of arbitrary hosts
certsh-subdomains
Connect to the crt.sh database and get the subdomains of a domain
chaos-client
Go client to communicate with the Chaos DB API.
chronos
Extract pieces of info from a web page's Wayback Machine history
cloud-enum
Multi-cloud enumeration utility
crosslinked
LinkedIn enumeration tool to extract valid employee names from an organization through search engine scraping
csprecon
Discover new target domains using Content Security Policy
dmut
A tool written in Go to perform permutations, mutations and alterations of subdomains and brute-force the results.
dnsrecon
Author description - DNSRecon is a Python port of a Ruby script that I wrote to learn the language and about DNS in early 2007. This time I wanted to learn about Python and extend the functionality of the original tool and in the process re-learn how DNS works and how it could be used in the process of a security assessment and network troubleshooting. This tool provides the ability to perform: check all NS records for zone transfers; enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT); perform common SRV record enumeration; Top Level Domain (TLD) expansion; check for wildcard resolution; brute force subdomain and host A and AAAA records given a domain and a wordlist; perform a PTR record lookup for a given IP range or CIDR; check a DNS server's cached records for A, AAAA and CNAME records, provided a list of host records in a text file to check.
dnsx
dnsx is a fast and multi-purpose DNS toolkit that runs multiple probers using the retryabledns library, letting you perform multiple DNS queries of your choice against a list of user-supplied resolvers.
dorky
A tool to automate dorking of GitHub/GitLab
favfreak
FavFreak takes a list of URLs from stdin, fetches favicon.ico, calculates its hash value and matches the calculated favicon hashes against the favicon hashes present in the fingerprint dictionary.
findomain
The complete solution for domain recognition. Supports screenshotting, port scan, HTTP check, data import from other tools, subdomain monitoring.
get-acq
GET-ACQ is a Python tool used to gather all companies acquired by a given company domain name. It does this by calling the SecurityTrails API.
gh-downloader
Process GitHub Archive URLs and generate unique repositories and users CSV files
gh-enhancer
Process GitHub Archive URLs and generate unique repositories and users CSV files
gh-investigator
Use the generated CSV files to get interesting information.
gh-scraper
Process GitHub Archive URLs and generate unique repositories and users CSV files
github-endpoints
Find endpoints on GitHub
github-subdomains
Find subdomains on GitHub
goaltdns
GoAltdns is a permutation generation tool that can take a list of subdomains, permute them using a wordlist, insert indexes, numbers and dashes, and increase your chance of finding that esoteric subdomain that no one found during a bug bounty or pentest.
gobuster-dns
A tool used to brute-force DNS subdomains (with wildcard support).
gorks
Search Google dorks in the specified GCSE ID.
gotator
Gotator is a tool to generate DNS wordlists through permutations.
hakrevdns
Small, fast, simple tool for performing reverse DNS lookups en masse. You feed it IP addresses, it returns hostnames. This can be a useful way of finding domains and subdomains belonging to a company from their IP addresses.
haktrails
Golang client for querying SecurityTrails API data
hosthunter
A tool to efficiently discover and extract hostnames given a large set of target IP addresses. HostHunter utilises simple OSINT techniques to map IP addresses to virtual hostnames. It generates a CSV or TXT file containing the results of the reconnaissance.
jldc-subdomains
Get subdomains from jldc.me.
massdns
MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amount of domain names in the order of millions or even billions. Without special configuration, MassDNS is capable of resolving over 350,000 names per second using publicly available resolvers.
mksub
Make subdomains using a wordlist. Reads a wordlist file (lowercases it and removes characters matching [^a-zA-Z0-9-_.]+), filters unique words and generates subdomains.
nrich
Analyze a list of IP addresses and see which ones have open ports/vulnerabilities through Shodan
oneforall
Multi-featured subdomain recon tool
puredns
Puredns is a fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.
second-order
Crawler and second-order subdomain takeover scanner
securitytrails-subdomains
Get subdomains for root domain from SecurityTrails.
shuffledns
shuffleDNS is a wrapper around massdns written in Go that allows you to enumerate valid subdomains using active brute force, as well as resolve subdomains with wildcard handling and easy input/output support.
spiderfoot
OSINT for threat intelligence and attack surface mapping
subbrute
SubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting (https://www.us-cert.gov/ncas/alerts/TA13-088A). This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.
subdomainizer
SubDomainizer is a tool designed to find hidden subdomains and secrets present in the web page, on GitHub, or in external JavaScript files referenced by the given URL.
subfinder
Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. Subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.
sublist3r
Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask.
sudomy
Sudomy is a subdomain enumeration tool that collects subdomains and analyzes domains, performing automated reconnaissance (recon) for bug hunting / pentesting.
theharvester
E-mails, subdomains and names enumeration tool
tlsx
Fast and configurable TLS grabber focused on TLS based data collection.
vhostscan
A virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
vita
Vita is a tool to gather subdomains from passive sources.
waymore
Find way more from the Wayback Machine
whatwaf
Detect and bypass web application firewalls and protection systems
whoisninja
Reverse WHOIS lookup script
whois-with-ripe
Get whois data through ripe.net
xsubfind3r
xsubfind3r is designed to efficiently identify known subdomains of given domains by tapping into a multitude of curated online passive sources.
zdns
Fast CLI DNS Lookup Tool
zgrab2-http
Fast Go Application Scanner
zgrab2-http-simple
Fast Go Application Scanner, with output parsed to print out the title, status and content length.
zgrab2-multiple
Fast Go Application Scanner
zgrab2-tls
Fast Go Application Scanner