Penetration testing commands for OSINT and Reconnaissance
Open-Source Intelligence (OSINT) and reconnaissance are the information-gathering stages of a security assessment. Passive tools (search engines, Certificate Transparency logs, breach and paste data, archived crawls) never send traffic to the target; active ones (DNS brute force, port scanning, crawling, screenshotting) do, and should only be run against assets that are in scope and authorized.
Name | Description | Price |
---|---|---|
alterx | Customizable subdomain wordlist generator using DSL | Free |
Amass | DNS enumeration and network mapping tool suite: scraping, recursive brute forcing, crawling web archives, reverse DNS sweeping | Free |
Asnlookup | Leverage ASN to look up IP addresses (IPv4 & IPv6) owned by a specific organization for reconnaissance purposes, then run port scanning on it | Free |
AttackSurfaceMapper | Subdomain enumerator | Free |
AutoRecon | Multi-threaded network reconnaissance tool which performs automated enumeration of services | Free |
badKarma | Advanced network reconnaissance tool | Free |
BBOT | OSINT framework; subdomain enumeration, port scanning, web screenshots, vulnerability scanning | Free |
Belati | OSINT tool, collect data and document actively or passively | Free |
Bitcrook | Reconnaissance Apparatus; Information gathering, conglomerate of tools including custom algorithms, API wrappers | Free |
cariddi | Takes a list of domains, crawls URLs and scans for endpoints, secrets, API keys, file extensions, tokens | Free |
Certstream | Intelligence feed that gives real-time updates from the Certificate Transparency Log network | Free |
Darkshot | Lightshot scraper with multi-threaded OCR and auto categorizing screenshots | Free |
dataleaks | Self-hosted data breach search engine | Free |
datasploit | OSINT framework, find, aggregate and export data | Free |
DeadTrap | Track down footprints of a phone number | Free |
DNSDumpster | Domain research tool that can discover hosts related to a domain | Free |
dnsenum | DNS reconnaissance tool: AXFR, DNS records enumeration, subdomain bruteforce, range reverse lookup | Free |
dnsenum2 | Continuation of dnsenum project | Free |
DNSRecon | DNS reconnaissance tool: AXFR, DNS records enumeration, TLD expansion, wildcard resolution, subdomain bruteforce, PTR record lookup, check for cached records | Free |
dnsx | Multi-purpose DNS toolkit for running multiple DNS queries in bulk | Free |
domainfinder | Find a domain from an IP address | Free |
Domainim | Domain reconnaissance for organizational network scanning | Free |
EagleEye | Image recognition on Instagram, Facebook and Twitter | Free |
Espionage | Domain information gathering: WHOIS, history, DNS records, web technologies | Free |
eTools.ch | Metasearch engine, query 16 search engines in parallel | Free |
Facebook_OSINT_Dump | OSINT tool, Facebook profile dumper; Windows and Chrome only | Free |
FinalRecon | Web reconnaissance script | Free |
Findomain | Fast subdomain enumerator | Free |
FOCA | OSINT framework and metadata analyser | Free |
Geolocation Estimation | Automatic GEOINT using deep learning | Free |
GHunt | Investigate Google accounts with emails and find name, usernames, YouTube channel, probable location, Maps reviews, etc. | Free |
GitFive | Investigate GitHub profiles; features: username history, email address to GitHub account, finds potential secondary GitHub accounts, dumps SSH public keys, etc. | Free |
gitGraber | Monitor GitHub to search and find sensitive data in real time for different online services such as: Google, Amazon, PayPal, GitHub, Mailgun, Facebook, Twitter, Heroku, Stripe, etc. | Free |
GitHound | Find sensitive information in git repositories | Free |
gittyleaks | Find sensitive information (username, password, email) in git repositories | Free |
GooFuzz | Passive reconnaissance enumerating directories, files, subdomains or parameters using Google dorks | Free |
Gorecon | Reconnaissance toolkit | Free |
GoSeek | Username lookup comparable to Maigret/Sherlock, IP Lookup, License Plate & VIN Lookup, Info Cull, and Fake Identity Generator | Free |
gOSINT | OSINT framework; find mails, dumps, retrieve Telegram history and info about hosts | Free |
h8mail | Email OSINT & Password breach hunting tool; supports chasing down related email | Free |
Harpoon | CLI tool; collect data and document actively or passively | Free |
holehe | Check whether an email address is registered on sites like Twitter and Instagram, and retrieve information from sites that expose it through the forgotten-password function | Free |
Hunt3r | Automatic domain recognition (via amass) and vulnerability scan (via nuclei) platform with a WebUI | Free |
Ignorant | Check whether a phone number is registered on sites like Snapchat and Instagram | Free |
IVRE | IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks); network recon framework including tools for passive and active recon | Free |
kitphishr | Hunts for phishing kit source code by traversing URL folders and searching in open directories for zip files; supports list of URLs or PhishTank | Free |
Kostebek | Tool to find firms domains by searching their trademark information | Free |
LeakDB | Normalize, deduplicate, index, sort, and search leaked data sets on the multi-terabyte-scale | Free |
LeakIX | Search engine for devices and services exposed on the Internet | Free |
LeakLooker | Discover, browse and monitor database/source code leaks | Free |
leakScraper | Set of tools to process and visualize huge text files containing credentials | Free |
LinEnum | System script for local Linux enumeration and privilege escalation checks | Free |
LinkedInDumper | Dump company employees from LinkedIn API | Free |
LittleBrother | Information gathering (OSINT) on a person (EU), checks social networks and Pages Jaunes | Free |
Maigret | Collect a dossier on a person by username from a huge number of sites, and extract details from them | Free |
Malfrat's OSINT Map | A web-based collection of tools and resources for OSINT; successor of OSINT Framework | Free |
mantis | Command-line framework designed to automate the workflow of asset discovery, reconnaissance, and scanning | Free |
MassDNS | High-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration) | Free |
Metabigor | Searching information about IP address, ASN and organization; doesn't require any API key | Free |
mihari | Aggregates results from Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs or hashes) | Free |
Netflip | Scrape sensitive information from paste sites | Free |
NExfil | Find profiles by username across over 350 websites | Free |
Nmmapper | Cybersecurity tools offered as SaaS: nmap, subdomain finder (Sublist3r, DNScan, Anubis, Amass, Lepus, Findomain, Censys), theHarvester, etc. | Paid |
nqntnqnqmb | Retrieve information on linkedin profiles, companies on linkedin and search on linkedin companies/persons | Free |
Oblivion | Data leak checker and monitoring | Free |
ODIN | Observe, Detect, and Investigate Networks, Automated reconnaissance tool | Free |
Omnibus | OSINT framework; collection of tools | Free |
OneForAll | Subdomain enumeration tool | Free |
OnionSearch | Script that scrapes URLs from different .onion search engines | Free |
OSINT Framework | A web-based collection of tools and resources for OSINT | Free |
Osintgram | Interactive shell to analyse any user's Instagram account by their nickname | Free |
Osmedeus | Automated framework for reconnaissance and vulnerability scanning | Free |
Photon | Fast crawler designed for OSINT | Free |
PITT | Web browser loaded with links and extensions for doing OSINT | Free |
ProjectDiscovery | Monitor, collect and continuously query the assets data via a simple webUI | Free |
Recon-ng | Modular web reconnaissance framework with a command-line console | Free |
ReconDog | Multi-purpose reconnaissance tool, CMS detection, reverse IP lookup, port scan, etc. | Free |
reconFTW | Perform automated recon on a target domain by running set of tools to perform scanning and finding out vulnerabilities | Free |
Reconnoitre | Tool made to automate information gathering and service enumeration while storing results | Free |
ReconScan | Network reconnaissance and vulnerability assessment tools | Free |
Recsech | Web reconnaissance and vulnerability scanner tool | Free |
Red Team Arsenal | Automated reconnaissance scanner and security checks | Free |
Redscan | Mix of a security operations orchestration, vulnerability management and reconnaissance platform | Free |
reNgine | Automated recon framework for web applications; customizable scan engines & pipeline of reconnaissance | Free |
SearchDNS | Netcraft tool; Search and find information for domains and subdomains | Free |
Sherlock | Hunt down social media accounts by username across social networks | Free |
Shodan | Search devices connected to the internet; helps find information about desktops, servers, IoT devices; including metadata such as the software running | Free |
shosubgo | Grab subdomains using the Shodan API | Free |
shuffledns | Wrapper around massdns that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output support | Free |
SiteBroker | Tool for information gathering and penetration test automation | Free |
Sn1per | Automated reconnaissance scanner | Paid |
spiderfoot | OSINT framework, collect and manage data, scan target | Free |
Stalker | Automated scanning of social networks and other websites, using a single nickname | Free |
SubDomainizer | Find subdomains and interesting things hidden inside external JavaScript files of a page, a folder, or GitHub | Free |
subfinder | Discovers valid subdomains for websites, designed as a passive framework to be useful for bug bounties and safe for penetration testing | Free |
Sublist3r | Subdomains enumeration tool | Free |
subzuf | DNS response-guided subdomain fuzzer | Free |
Sudomy | Subdomain enumeration tool | Free |
Tempest | Leverage paste sites as a medium for discovery of objectionable/infringing materials | Free |
Th3inspector | Multi-purpose information gathering tool | Free |
theHarvester | Multi-purpose information gathering tool: emails, names, subdomains, IPs, URLs | Free |
tinfoleak | Twitter intelligence analysis tool | Free |
Totem | Retrieve information about ads of a facebook page, retrieve the number of people targeted, how much the ad cost and a lot of other information | Free |
trape | Analysis and research tool, which allows people to track and execute intelligent social engineering attacks in real time | Free |
TruffleHog | Find secret information in git repositories | Free |
TWINT | Twitter Intelligence Tool; Twitter scraping & OSINT tool that doesn't use Twitter's API, allowing one to scrape a user's followers, following, Tweets and more while evading most API limitations | Free |
uncover | Discover exposed hosts on the internet using multiple search engines | Free |
waymore | Find links from Wayback Machine, Common Crawl, Alien Vault OTX and URLScan; download the archived responses for URLs on Wayback Machine | Free |
yar | Find secret information (secrets, tokens, passwords) in git repositories | Free |
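Several entries above (gitGraber, GitHound, gittyleaks, TruffleHog, yar) hunt for secrets in git repositories. They share one core technique: match added lines of each commit's diff against regexes for known token formats, and flag any remaining long string whose Shannon entropy is high enough to look like a key rather than a word. The scanner below is an added example written for this page, not code from any of the listed tools; the four patterns and the entropy threshold of 4.0 bits/char are assumptions chosen for illustration, and the diff it scans is constructed inline so it runs offline.

```python
"""Minimal git-diff secret scanner: regex patterns plus Shannon entropy.

Added example for this page; not taken from any tool listed above.
The patterns below are a hypothetical subset (real tools ship hundreds).
"""
import math
import re
from typing import Dict, List

# Known token formats (assumption: illustrative subset, not exhaustive).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_header": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Candidate strings for the entropy check: 20+ chars of base64/hex-like alphabet.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")

# Assumed threshold: random base64 is ~6 bits/char, English text ~4 or less.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits per character; 0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str, threshold: float = ENTROPY_THRESHOLD) -> List[Dict]:
    """Return findings for one line: known-format hits first, then entropy hits."""
    findings: List[Dict] = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(line):
            findings.append({"type": name, "match": m.group(0)})
    for m in CANDIDATE.finditer(line):
        tok = m.group(0)
        # Do not double-report a token a known-format pattern already flagged.
        if any(tok in f["match"] or f["match"] in tok for f in findings):
            continue
        e = shannon_entropy(tok)
        if e >= threshold:
            findings.append({"type": "high_entropy", "match": tok, "entropy": round(e, 2)})
    return findings


def scan_diff(diff_text: str) -> List[Dict]:
    """Scan only the added ('+') lines of a unified diff, skipping the '+++' file header.

    Walking every commit's diff this way is why history scanners catch secrets
    that were later removed from the working tree.
    """
    results: List[Dict] = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for f in scan_line(line[1:]):
            f["line"] = lineno
            results.append(f)
    return results


# Constructed sample diff (not real data; the AWS key is Amazon's documented example key).
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,4 +1,8 @@
 import os
-old_secret = "removed-in-this-commit-but-still-in-history"
+# see https://example.com/docs/getting-started-guide
+aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
+token = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
+secret = "k8Qz2pLw9vX3mN7bR4tY6uJ1hG5fD0sA"
+password = "aaaaaaaaaaaaaaaaaaaaaaaa"
"""


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f)
```

On the sample diff the scanner reports three findings: the AWS key and GitHub token by format, and the 32-character `secret` value by entropy (every character distinct, so exactly 5.0 bits/char). The low-entropy `password` value and the hyphenated URL slug fall below the threshold and are not reported, which is the trade-off these tools tune with their thresholds and allow-lists.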