loading
loading
Recon
Command-line access to the BeVigil OSINT API.
overview
bevigil is the command-line client for the BeVigil OSINT API, a dataset built by indexing mobile applications. Where most recon starts from a domain, bevigil can also start from an app package name and return the hosts, URLs, S3 buckets, and parameters that app talks to, surfacing infrastructure that domain-only recon never sees.
You pick an asset type and the lookup key that matches it. Query subdomains and URLs for a domain, packages for a subdomain, or hosts, params, S3 buckets, and wordlists for an app package. Every request is authorized with a BeVigil API key, supplied to the node as a file input.
On Trickest, bevigil is a Recon node that takes a domain or package plus an asset type and an API key, then writes a file and a folder of results. Wire its subdomains and URLs into httpx for probing, or its S3 buckets into a bucket scanner further down the workflow.
use cases
Query the subdomains or urls asset type for a domain to add app-sourced names and endpoints to a recon dataset that passive crawlers miss.
Look up hosts, parameters, and S3 buckets for an app package to map the infrastructure that mobile app talks to.
Request the s3 asset type by keyword or package to surface storage buckets tied to the target, then hand them to a bucket scanner.
Pull params and wordlist asset types for a package to seed fuzzing and parameter-discovery stages with target-specific values.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| asset-type | STRING | · | Asset type: hosts, packages, params, s3, subdomains, urls, or wordlist. |
| domain | STRING | --domain | Domain to query (asset-type packages, subdomains, or urls). |
| package | STRING | --package | App package to request hosts for (asset-type host, params, s3, or wordlist). |
| subdomain | STRING | --subdomain | Subdomain to query (asset-type packages). |
| keyword | STRING | --keyword | Keyword to request S3 bucket info for (asset-type s3). |
| api_key | FILE | · | BeVigil API key file that authorizes the requests. |
Showing key inputs. bevigil exposes 6 inputs in total.
example
# app-sourced subdomains for a domainbevigil subdomains --domain example.com # S3 buckets tied to a keywordbevigil s3 --keyword example[*] Requesting subdomains for example.com from the BeVigil OSINT API api.example.comassets.example.comm.example.comstaging.example.comvpn.example.com [*] 5 subdomains written to bevigil/subdomains.txtguidance
Use bevigil to add app-sourced OSINT, subdomains, URLs, buckets, and parameters tied to mobile app packages, that domain-only tools miss. It needs a BeVigil API key. Feed its results into a prober or a bucket scanner. For passive subdomains without an API, use subfinder.
Passive subdomain discovery across many free sources. bevigil adds the mobile-app angle behind an API key.
Modular OSINT engine that can chain many sources. bevigil is a focused client for one rich dataset.
Pulls URLs straight from an APK file. A local sibling to bevigil's app-sourced URL data.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A domain feeds bevigil, which pulls app-sourced subdomains and URLs from the BeVigil API and passes them to httpx so only the live ones land as output.
Facts on this page come from the live Trickest tool library.