loading
loading
Every tool you can run in a Trickest workflow, 311 in total. Each page covers what it does, its real inputs and outputs, the skills it belongs to, and a runnable example.
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
OSINT automation for hackers.
Command-line access to the BeVigil OSINT API.
Determine the running software version of a remote F5 BIG-IP management interface.
Extract URLs for a specific target from the results of commoncrawl.org.
A utility to detect CDN, WAF, and cloud technology for a given IP address.
Scrape domain names from the SSL certificates of arbitrary hosts.
Connect to the crt.sh certificate transparency database and get a domain's subdomains.
A Go client that pulls subdomains from the Chaos DB API.
Extract pieces of info from a web page's Wayback Machine history.
A multi-cloud enumeration utility for AWS, Azure, and GCP.
List assets from multiple cloud providers in one inventory.
LinkedIn enumeration that extracts employee names through search engine scraping.
Discover new target domains using Content Security Policy.
Permute, mutate, and alter subdomains, then brute-force the results.
Multi-technique DNS enumeration for security assessments.
A fast, multi-purpose DNS toolkit that runs multiple probers with custom resolvers.
A tool to automate dorking of GitHub and GitLab.
Hash favicons across a URL list and match them against a fingerprint dictionary.
The complete solution for domain recognition.
List the companies a target has acquired, straight from SecurityTrails.
Process GitHub Archive URLs into unique repository and user CSV files.
Turn raw GitHub Archive events into clean, deduplicated repository and user lists.
Mine scraped GitHub archive CSVs for the repos and users worth a closer look.
Turn raw GitHub Archive logs into deduplicated repository and user CSV files.
Find endpoints belonging to a domain across public GitHub code.
Find subdomains belonging to a domain across public GitHub code.
Generate subdomain permutations to surface hosts others miss.
Brute-force DNS subdomains with wildcard support.
Search Google dorks in a specified Custom Search Engine id.
Generate DNS wordlists through permutations.
A fast, simple tool for performing reverse DNS lookups en masse.
A Golang client for querying SecurityTrails API data from the command line.
An OSINT tool that maps IP addresses to virtual hostnames at scale.
Get subdomains from jldc.me.
A simple high-performance DNS stub resolver for resolving domains at massive scale.
Make subdomain candidates from a wordlist for DNS resolution.
Analyze a list of IP addresses and see which ones have open ports and known vulnerabilities through Shodan.
A multi-featured subdomain reconnaissance tool.
A fast domain resolver and subdomain bruteforcing tool that filters out wildcards and poisoned entries.
Crawler and second-order subdomain takeover scanner.
Get subdomains for a root domain straight from SecurityTrails.
A massdns wrapper in Go for active subdomain brute force and resolution with wildcard handling.
OSINT automation for threat intelligence and attack surface mapping.
A fast, accurate subdomain enumeration tool that brute-forces names through open resolvers.
Find hidden subdomains and secrets in webpages, external JavaScript, and GitHub.
A subdomain discovery tool that finds valid subdomains using passive online sources.
Enumerate subdomains using OSINT across many search engines.
Subdomain enumeration tool that runs automated reconnaissance for bug hunting and pentesting.
Emails, subdomains, and names enumeration tool from public OSINT sources.
Fast and configurable TLS grabber focused on TLS-based data collection.
A virtual host scanner that detects catch-all scenarios, aliases, and dynamic default pages.
Gather subdomains from passive sources.
Find way more URLs and archived responses from the Wayback Machine and beyond.
Detect and bypass web application firewalls and protection systems.
Identify websites: CMS, servers, libraries, analytics, and embedded devices.
Get WHOIS data through ripe.net.
Reverse WHOIS lookup script.
Efficiently identify known subdomains from curated passive sources.
Fast CLI DNS lookup tool.
Fast Go application scanner.
Fast Go application scanner, parsed to print out title, status, and content length.
Fast Go application scanner.
Fast Go application scanner.
Fast Go application scanner.
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
Crawl a list of domains and scan for endpoints, secrets, API keys, file extensions, tokens, and more.
Discover the origin host behind a reverse proxy, useful for bypassing cloud WAFs.
Spider and scrape targets in search of cloud resources.
A powerful browser crawler for web vulnerability scanners.
Web path scanner.
Find exposed API keys based on regex and get exploitation methods for the ones found.
Find All Parameters: crawl pages, find potential parameters, and generate a custom parameter wordlist.
A fast, simple, recursive content discovery tool written in Rust.
A URL fuzzing tool that finds critical backup files by building a dynamic wordlist from the domain.
Fetch known URLs from AlienVault OTX, the Wayback Machine, and Common Crawl for any domain.
A modified version of gau that pulls known URLs for a domain from public web archives.
A tool to extract all the JavaScript files from a set of given URLs.
Hunt for credentials and secrets leaked across public GitHub.
Download .git repositories from web servers without directory listing.
Download a .git directory and recover the repository in one pass.
Recover incomplete git repositories from dumped .git folders.
Identify websites with publicly accessible .git repositories.
Brute-force directories and files on web servers with a wordlist.
A minimal JavaScript endpoint extractor for HTML and embedded scripts.
A fast web spider written in Go.
A website screenshot utility that drives headless Chrome to capture web interfaces.
A gowitness variant that screenshots web interfaces and outputs a SQLite database.
A gowitness variant that screenshots web services found in an nmap XML scan.
Take a list of URLs and return their HTTP response codes.
A fast Go web crawler for gathering URLs and JavaScript file locations.
Take screenshots of live web hosts with httpx's headless rendering at scale.
Capture web host screenshots with httpx and export them to a zip archive.
Extract URLs, paths, secrets, and other interesting bits from JavaScript.
A next-generation crawling and spidering framework.
Lightning-fast content discovery that also brute-forces routes and endpoints in modern applications.
Discover endpoints and their parameters in JavaScript files.
Identify websites with publicly accessible .git repositories across a large host list.
LinkFinder wrapped to mine endpoints from a whole list of JavaScript URLs.
A tool for fetching lots of URLs while staying 'nice' to servers.
Runs port scans through public websites that scan a target on your behalf.
Query the SecurityTrails API and embed the SQL queries you want to run.
Extract JavaScript source trees from Sourcemap files.
A tool for auditing endpoints defined in exposed Swagger and OpenAPI definition files.
A high-speed tool for passively gathering URLs for web asset discovery.
Search archives of URLs exposed via shortener services.
Identify the technologies running on websites, from CMS to JavaScript frameworks.
Enumerate old versions of robots.txt from the Wayback Machine for content discovery.
A Go port of Wappalyzer built to fingerprint huge lists of hosts fast.
Screenshot a list of websites for fast visual triage.
WitnessMe grab mode for pulling links and page content from targets.
WitnessMe screenshot mode for visual web inventory.
Discover endpoints and potential parameters for a target.
Identify known URLs of given domains by tapping into a multitude of curated online passive sources.
Import, export, and link workflow data with Airtable.
Decode Android APK files into smali sources and resources.
Check a file's values against conditions and exit with a matching code.
Extract all hosted zones from AWS Route53.
Output file lines by batch size, given START_LINE and END_LINE.
Extract a batch range from a file's lines or a folder's files, with parallel processing.
Organize all the community Nuclei templates from across the ecosystem in one place.
A Ruby app that spiders a URL and returns a wordlist for password crackers.
Clean up a wordlist by running a series of regexes against it.
Diff an input file against a file from your Trickest file storage.
Generate domain name combinations from input domains using a wordlist.
Execute a custom script for a provided Docker image.
Take a list of URLs and filter or extract domains by level.
Remove duplicates from a wordlist without sorting it to maintain order of probability.
Manage attack surface data on Elasticsearch.
Execute a Node.js script.
Export a file or folder to Azure Blob Storage.
Fgrep content in files by an input string.
Generate a YAML report from the outputs of multiple tools.
Get a file from your Trickest file storage.
A deprecated utility that downloaded Trickest workflow outputs by node id.
A wrapper around grep to avoid typing common patterns.
Make JSON greppable.
A command-line HTTP client that makes interacting with web services as human-friendly as possible.
Convert complex JSON data to an HTML table representation.
A small Go script that merges two wordlists into combined entries.
Make URL paths from a wordlist to seed content discovery.
Stream tool output and publish it to your chat and alerting platforms.
A CLI utility for interacting with OpenAI and generating a response from a file input.
A script written as a substitute for masscan.
Add a prefix string to each line in files.
A command-line tool for processing HTML with CSS selectors.
Upload a file or files into your Trickest file storage.
Accept URLs on stdin and replace every query-string value with a supplied value.
Write strings to a file.
Add a suffix string to each line in files.
Execute a Trickest workflow from the command line.
Download the output of a Trickest workflow.
Pull out bits of URLs provided on stdin.
Ungrep content in files by input string.
Quickly deduplicate a list of URLs by path and query-string shape.
Retrieve files over HTTP, HTTPS, FTP, and FTPS, with recursive mirroring.
Verify a target organization from WHOIS results and extract its IP ranges.
A CLI utility to pull out bits of URLs.
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
Accurately fingerprint and detect Netscaler and Citrix ADC versions vulnerable to CVE-2023-3519.
A fast, powerful parameter analysis and XSS scanner based on a Go DOM parser.
Subdomain takeover tool for attackers, bug bounty hunters, and the blue team.
Damn Small SQLi Scanner: a SQL injection vulnerability scanner in under 100 lines of code.
Damn Small XSS Scanner: a cross-site scripting vulnerability scanner in under 100 lines of code.
Discover and exploit Local/Remote File Inclusion and directory traversal vulnerabilities automatically.
Find CVE proof-of-concept exploit repositories across GitHub.
Find potential DOM-based XSS across a URL list, fast.
A Python tool that detects HTTP request smuggling across a target or a list of targets.
A toolkit for validating, forging, scanning, and tampering JWTs (JSON Web Tokens).
Find unfiltered special characters reflected from URLs.
A fully automated, accurate, and extensive scanner for finding the Log4Shell RCE, CVE-2021-44228.
A fast NoSQL injection scanner and injector, with a focus on MongoDB.
An asynchronous open redirect fuzzer.
A Python tool that finds open redirection vulnerabilities by fuzzing a URL.
High-fidelity detection for the RSC/Next.js RCE flaws CVE-2025-55182 and CVE-2025-66478.
Command-line search across the Exploit-Database archive of exploits and shellcodes.
An HTTP request smuggling and desync testing tool written in Python 3.
Automate detecting and exploiting SQL injection flaws and taking over database servers.
A tool to find Server-Side Request Forgery vulnerabilities.
Subdomain takeover tool driven by response fingerprints from can-i-take-over-xyz.
Detect and take over subdomains with dead DNS records.
Server-side template injection and code injection detection and exploitation tool.
Host header injection scanning tool that also checks for CORS misconfiguration.
XSS scanner built on Ruby gems.
Quickly map an organization's network ranges using ASN information.
Maximize your resolver count by combining the target's DNS servers with public resolvers.
Expand CIDR ranges into a list of IP addresses easily.
Expand CIDR ranges into a list of IP addresses easily, from a file.
Maintain a list of IPv4 DNS servers verified against baseline servers for accurate responses.
Patched dnsvalidator that keeps only IPv4 resolvers verified against baseline servers.
A simple Node.js network scanner.
Node.js simple network scanner with a wrapper to run on a list of targets.
A standalone utility for service discovery on open ports.
A ping-like tool that sends ICMP echo requests to many hosts at once to find which are alive.
Get the announced IP prefixes for an autonomous system number.
Takes a list of domains and probes for working HTTP and HTTPS servers.
A fast and multi-purpose HTTP toolkit that runs multiple probers with reliable, high-throughput results.
The command-line client for the IPinfo API: geolocation and network data for IP addresses.
Perform multiple operations for a given subnet or CIDR range.
An Internet-scale port scanner that sends 10 million packets per second from a single machine.
An internet-scale asynchronous port scanner that emits structured JSON, sweeping huge IP ranges at millions of packets per second.
A fast and reliable port scanner that enumerates open ports for hosts.
Automate security assessment of large networks across SMB, LDAP, WinRM, and more.
Scan an IP or CIDR range for open ports and live hosts.
A fast network scanner optimized for internet-wide scanning, inspired by Masscan and Zmap.
A fast SNMP scanner that tries community strings against many hosts.
Print the IP addresses in a given range.
Print the IP addresses in a given range.
The modern port scanner that finds ports quickly and pipes them into a scripting engine.
RustScan wired to iterate over a file of targets and run its scripting engine on each.
Quickly discover exposed hosts on the internet using multiple search engines.
ZMap is a fast single-packet network scanner designed for internet-wide network surveys.
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
The Swiss Army knife for automated Web Application Testing.
OWASP Joomla! Vulnerability Scanner for detecting flaws and misconfigurations in Joomla deployments.
High-performance scanner for the MongoBleed MongoDB memory disclosure flaw.
A web server scanner that runs comprehensive tests for known issues.
Run nikto across a list of hosts (deprecated, use nikto directly).
Bypass 403/40X restrictions through smart request manipulation.
A fast, customizable vulnerability scanner based on a simple YAML-based DSL.
Run a Nuclei scan and export the results in Markdown format.
A multi-purpose brute forcer with a modular design and flexible usage.
Crawl a website and find broken social media links that can be hijacked.
A fast and powerful SSL/TLS scanner.
A tiny web auditor with strong opinions.
A tiny web auditor with strong opinions, run over a list.
Identify and fingerprint Web Application Firewall products protecting a website.
A web application vulnerability scanner written in Python3.
An open-source black-box web application security scanner.
WordPress security scanner for testing the security of WordPress sites.
WordPress security scanner run across a list of sites.
Run a full scan against an API defined by OpenAPI/Swagger, SOAP, or GraphQL using ZAP.
Run ZAP via a single YAML file.
Run a full scan against a target URL using ZAP.
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
Inspect Go source code for security problems by scanning the Go AST.
General purpose JavaScript deobfuscator.
Search for leaks in a GitHub org or in the responses of URLs.
Find secrets and sensitive information in text and Git history.
A Python tool that searches a Git repository's commit history for high-entropy strings like API keys.
Scanner that detects the use of JavaScript library versions with known vulnerabilities.
Runs a regex ruleset across a directory or GitHub repository and saves matched secrets as JSON.
Python tool that discovers API keys, tokens, and other secrets inside JavaScript files.
Lightweight static analysis for many languages, with patterns that look like source code.
Find credentials all over the place.
Look up DNS records on DNSDumpster.
Look up a host on DNSDumpster.
Find lookalike domains adversaries use for typosquatting, phishing, and brand impersonation.
List all public repositories for valid GitHub usernames.
Look up the real IP of a host starting from its favicon and using Shodan.
Gather email account intelligence from public sources and check it against breach data.
Collect a dossier on a person by username across thousands of sites.
Search for strings in paste sites.
Search the web for a domain's public files and extract their metadata.
Download compressed json.gz banner data from Shodan.
Shodan is a search engine for internet-connected devices, where you search for hosts instead of pages.
Accurate and fast checks for email and username usage across online platforms.
Website directory and file brute forcing at extreme scale.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, wired to run across a list of target URLs.
A fast web fuzzer written in Go, run across a URL list with folder output.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, packaged for virtual host discovery.
Fastest recursive HTTP fuzzer, like a Ferrari.
Find URL parameters from the web archives of a domain.
An IIS short filename enumeration tool.
A flexible web fuzzer for hidden content, parameters, and brute forcing.
Find hidden parameters that other hunters miss.
A fast tool to scan for CRLF vulnerabilities, written in Go.
Leak git repositories from misconfigured sites and rebuild their contents.
A host header injection vulnerability checker for batches of URLs.
Find files on web servers that should not be public and can pose a security risk.
A Go subdomain takeover tool that scans subdomains concurrently to find hijackable ones.
Quickly enumerate a pre-compiled list of AWS S3 buckets using DNS instead of HTTP.
Converts S3 bucket references in many formats into one consistent format for bug bounty and testing.
Finds open S3 buckets and dumps their contents.
Scans URLs with multiple HTTP methods and basic exploit modules to surface easy bugs.
A fast, flexible, parallelized login cracker that supports numerous protocols to attack.
A tool built to brute-force phpMyAdmin authentication.
A powerful dictionary builder for brute-force attacks.
Secure Shell Bruteforcer: a faster and simpler way to brute-force SSH servers.
Social Engineering
2 toolsEmail OSINT and breach hunting across multiple breach and reconnaissance services.
Find usernames across many social networks.