Penetration testing commands for OSINT and Reconnaissance
Open-Source Intelligence (OSINT) and reconnaissance are vital stages in cybersecurity assessments, focusing on information gathering through publicly available sources and network exploration.
| Name | Description | Price |
|---|---|---|
| alterx | Customizable subdomain wordlist generator using DSL | Free |
| Amass | DNS enumeration and network mapping tool suite: scraping, recursive brute forcing, crawling web archives, reverse DNS sweeping | Free |
| Asnlookup | Leverage ASN to look up IP addresses (IPv4 & IPv6) owned by a specific organization for reconnaissance purposes, then run port scanning on it | Free |
| AttackSurfaceMapper | Subdomain enumerator | Free |
| AutoRecon | Multi-threaded network reconnaissance tool which performs automated enumeration of services | Free |
| badKarma | Advanced network reconnaissance tool | Free |
| BBOT | OSINT framework; subdomain enumeration, port scanning, web screenshots, vulnerability scanning | Free |
| Belati | OSINT tool, collect data and document actively or passively | Free |
| Bitcrook | Reconnaissance Apparatus; Information gathering, conglomerate of tools including custom algorithms, API wrappers | Free |
| cariddi | Takes a list of domains, crawls urls and scans for endpoints, secrets, api keys, file extensions, tokens | Free |
| Certstream | Intelligence feed that gives real-time updates from the Certificate Transparency Log network | Free |
| Darkshot | Lightshot scraper with multi-threaded OCR and auto categorizing screenshots | Free |
| dataleaks | Self-hosted data breach search engine | Free |
| datasploit | OSINT framework, find, aggregate and export data | Free |
| DeadTrap | Track down footprints of a phone number | Free |
| DNSDumpster | Domain research tool that can discover hosts related to a domain | Free |
| dnsenum | DNS reconnaissance tool: AXFR, DNS records enumeration, subdomain bruteforce, range reverse lookup | Free |
| dnsenum2 | Continuation of dnsenum project | Free |
| DNSRecon | DNS reconnaissance tool: AXFR, DNS records enumeration, TLD expansion, wildcard resolution, subdomain bruteforce, PTR record lookup, check for cached records | Free |
| dnsx | Multi-purpose DNS toolkit allow to run multiple DNS queries | Free |
| domainfinder | Find a domain from an IP address | Free |
| Domainim | Domain reconnaissance for organizational network scanning | Free |
| EagleEye | Image recognition on instagram, facebook and twitter | Free |
| Espionage | Domain information gathering: whois, history, dns records, web technologies, records | Free |
| eTools.ch | Metasearch engine, query 16 search engines in parallel | Free |
| Facebook_OSINT_Dump | OSINT tool, facebook profile dumper, windows and chrome only | Free |
| FinalRecon | Web reconnaissance script | Free |
| Findomain | Fast subdomain enumerator | Free |
| FOCA | OSINT framework and metadata analyser | Free |
| Geolocation Estimation | Automatic GEOINT using deep learning | Free |
| GHunt | Investigate Google accounts with emails and find name, usernames, Youtube Channel, probable location, Maps reviews, etc. | Free |
| GitFive | Investigate GitHub profiles; features: username history, email address to GitHub account, finds potential secondary GitHub accounts, dumps SSH public keys, etc. | Free |
| gitGraber | Monitor GitHub to search and find sensitive data in real time for different online services such as: Google, Amazon, Paypal, Github, Mailgun, Facebook, Twitter, Heroku, Stripe, etc. | Free |
| GitHound | Find sensitive information in git repositories | Free |
| gittyleaks | Find sensitive information (username, password, email) in git repositories | Free |
| GooFuzz | Passive reconaissance enumerating directories, files, subdomains or parameters using google dorks | Free |
| Gorecon | Reconnaissance toolkit | Free |
| GoSeek | Username lookup comparable to Maigret/Sherlock, IP Lookup, License Plate & VIN Lookup, Info Cull, and Fake Identity Generator | Free |
| gOSINT | OSINT framework; find mails, dumps, retrieve Telegram history and info about hosts | Free |
| h8mail | Email OSINT & Password breach hunting tool; supports chasing down related email | Free |
| Harpoon | CLI tool; collect data and document actively or passively | Free |
| holehe | Check if the mail is used on different sites like twitter, instagram and will retrieve information on sites with the forgotten password function | Free |
| Hunt3r | Automatic domain recognition (via amass) and vulnerability scan (via nuclei) platform with a WebUI | Free |
| Ignorant | Check if a phone number is used on different sites like snapchat, instagram | Free |
| IVRE | IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks); network recon framework including tools ofr passive and active recon | Free |
| kitphishr | Hunts for phishing kit source code by traversing URL folders and searching in open directories for zip files; supports list of URLs or PhishTank | Free |
| Kostebek | Tool to find firms domains by searching their trademark information | Free |
| LeakDB | Normalize, deduplicate, index, sort, and search leaked data sets on the multi-terabyte-scale | Free |
| LeakIX | Search engine for devices and services exposed on the Internet | Free |
| LeakLooker | Discover, browse and monitor database/source code leaks | Free |
| leakScraper | Set of tools to process and visualize huge text files containing credentials | Free |
| LinEnum | System script for local Linux enumeration and privilege escalation checks | Free |
| LinkedInDumper | Dump company employees from LinkedIn API | Free |
| LittleBrother | Information gathering (OSINT) on a person (EU), checks social networks and Pages Jaunes | Free |
| Maigret | Collect a dossier on a person by username from a huge number of sites, and extract details from them | Free |
| Malfrat's OSINT Map | A web-based collection of tools and resources for OSINT; successor of OSINT Framework | Free |
| mantis | Command-line framework designed to automate the workflow of asset discovery, reconnaissance, and scanning | Free |
| MassDNS | High-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration) | Free |
| Metabigor | Searching information about IP address, ASN and organization; doesn't require any API key | Free |
| mihari | Aggregates results from Shodan, Censys, VirusTotal, SecurityTrail, etc. and extracts artifacts (IP addresses, domains, URLs or hashes) | Free |
| Netflip | Scrape sensitive information from paste sites | Free |
| NExfil | Finding profiles by username over 350 websites | Free |
| Nmmapper | Cybersecurity tools offered as SaaS: nmap, subdomain finder (Sublist3r, DNScan, Anubis, Amass, Lepus, Findomain, Censys), theHarvester, etc. | Paid |
| nqntnqnqmb | Retrieve information on linkedin profiles, companies on linkedin and search on linkedin companies/persons | Free |
| Oblivion | Data leak checker and monitoring | Free |
| ODIN | Observe, Detect, and Investigate Networks, Automated reconnaissance tool | Free |
| Omnibus | OSINT framework; collection of tools | Free |
| OneForAll | Subdomain enumeration tool | Free |
| OnionSearch | Script that scrapes urls on different .onion search engines | Free |
| OSINT Framework | A web-based collection of tools and resources for OSINT | Free |
| Osintgram | Interactive shell to perform analysis on Instagram account of any users by their nickname | Free |
| Osmedeus | Automated framework for reconnaissance and vulnerability scanning | Free |
| Photon | Fast crawler designed for OSINT | Free |
| PITT | Web browser loaded with links and extensions for doing OSINT | Free |
| ProjectDiscovery | Monitor, collect and continuously query the assets data via a simple webUI | Free |
| Recon-ng | Web-based reconnaissance tool | Free |
| ReconDog | Multi-purpose reconnaissance tool, CMS detection, reverse IP lookup, port scan, etc. | Free |
| reconFTW | Perform automated recon on a target domain by running set of tools to perform scanning and finding out vulnerabilities | Free |
| Reconnoitre | Tool made to automate information gathering and service enumeration while storing results | Free |
| ReconScan | Network reconnaissance and vulnerability assessment tools | Free |
| Recsech | Web reconnaissance and vulnerability scanner tool | Free |
| Red Team Arsenal | Automated reconnaissance scanner and security checks | Free |
| Redscan | Mix of a security operations orchestration, vulnerability management and reconnaissance platform | Free |
| reNgine | Automated recon framework for web applications; customizable scan engines & pipeline of reconnaissance | Free |
| SearchDNS | Netcraft tool; Search and find information for domains and subdomains | Free |
| Sherlock | Hunt down social media accounts by username across social networks | Free |
| Shodan | Search devices connected to the internet; helps find information about desktops, servers, IoT devices; including metadata such as the software running | Free |
| shosubgo | Grab subdomains using Shodan api | Free |
| shuffledns | Wrapper around massdns that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output support | Free |
| SiteBroker | Tool for information gathering and penetration test automation | Free |
| Sn1per | Automated reconnaissance scanner | Paid |
| spiderfoot | OSINT framework, collect and manage data, scan target | Free |
| Stalker | Automated scanning of social networks and other websites, using a single nickname | Free |
| SubDomainizer | Find subdomains and interesting things hidden inside, external Javascript files of page, folder, and Github | Free |
| subfinder | Discovers valid subdomains for websites, designed as a passive framework to be useful for bug bounties and safe for penetration testing | Free |
| Sublist3r | Subdomains enumeration tool | Free |
| subzuf | DNS response-guided subdomain fuzzer | Free |
| Sudomy | Subdomain enumeration tool | Free |
| Tempest | Leverage paste sites as a medium for discovery of objectionable/infringing materials | Free |
| Th3inspector | Multi-purpose information gathering tool | Free |
| theHarvester | Multi-purpose information gathering tool: emails, names, subdomains, IPs, URLs | Free |
| tinfoleak | Twitter intelligence analysis tool | Free |
| Totem | Retrieve information about ads of a facebook page, retrieve the number of people targeted, how much the ad cost and a lot of other information | Free |
| trape | Analysis and research tool, which allows people to track and execute intelligent social engineering attacks in real time | Free |
| TruffleHog | Find secret information in git repositories | Free |
| TWINT | Twitter Intelligence Tool; Twitter scraping & OSINT tool that doesn't use Twitter's API, allowing one to scrape a user's followers, following, Tweets and more while evading most API limitations | Free |
| uncover | Discover exposed hosts on the internet using multiple search engines | Free |
| waymore | Find links from Wayback Machine, Common Crawl, Alien Vault OTX and URLScan; download the archived responses for URLs on Wayback Machine | Free |
| yar | Find secret information (secrets, tokens, passwords) in git repositories | Free |