Penetration testing commands for OSINT and Reconnaissance

Open-Source Intelligence (OSINT) and reconnaissance are the first stages of a penetration test or red-team engagement: building a picture of the target from publicly available sources (passive reconnaissance, which never touches the target's infrastructure) and from direct probing of its networks and services (active reconnaissance, which is visible to the target and must stay inside the authorized scope). The table below lists tools and services for both, and whether each is free or paid.
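Certificate Transparency logs are one of the public sources that several tools listed below (Certstream, Findomain, subfinder) mine for hostnames. The Python below is an added example, not code from any of the listed projects: it takes a constructed JSON response in the shape crt.sh returns for a `%.example.com` query, collapses the SAN lists into unique lowercase hostnames, records wildcard entries separately, and discards lookalike names that sit outside the apex. The apex `example.com`, the sample entries and the `extract_ct_hostnames` helper are assumptions made for the illustration.

```python
import json
import re

APEX = "example.com"  # assumed in-scope apex domain

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.example.com&output=json ; "name_value" carries the
# certificate's subject alternative names, one per line. Issuer names are made up.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "Staging.Example.COM",
     "name_value": "Staging.Example.COM"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "example.com.evil.test",  # lookalikes that must not leak into scope
     "name_value": "example.com.evil.test\nnotexample.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nvpn.example.com"},  # duplicate SAN
])

# Lowercase DNS hostname: one or more labels followed by an alphabetic TLD.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def in_scope(name, apex):
    """True for the apex itself and anything ending in '.<apex>' (not 'xapex.com')."""
    return name == apex or name.endswith("." + apex)


def extract_ct_hostnames(ct_json, apex):
    """Return (hostnames, wildcards): sorted, deduplicated in-scope names.

    A wildcard SAN such as '*.dev.example.com' is reported separately, and its
    parent 'dev.example.com' is kept as a concrete name worth resolving.
    """
    hosts, wildcards = set(), set()
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                wildcards.add(name)
                name = name[2:]
            if not HOSTNAME_RE.match(name) or not in_scope(name, apex):
                continue
            hosts.add(name)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    hosts, wildcards = extract_ct_hostnames(SAMPLE_CT_JSON, APEX)
    print("hostnames:", *hosts, sep="\n  ")
    print("wildcard SANs:", *wildcards, sep="\n  ")
```

The output is a resolver-ready list: names seen in certificates may no longer have DNS records, so the next step in practice is to resolve them (massdns, dnsx or similar) rather than treat the list as live hosts.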

| Name | Description | Price |
|---|---|---|
| alterx | Customizable subdomain wordlist generator using a DSL | Free |
| Amass | DNS enumeration and network mapping tool suite: scraping, recursive brute forcing, crawling web archives, reverse DNS sweeping | Free |
| Asnlookup | Leverage ASN to look up IP addresses (IPv4 & IPv6) owned by a specific organization for reconnaissance purposes, then run port scanning on them | Free |
| AttackSurfaceMapper | Subdomain enumerator | Free |
| AutoRecon | Multi-threaded network reconnaissance tool which performs automated enumeration of services | Free |
| badKarma | Advanced network reconnaissance tool | Free |
| BBOT | OSINT framework: subdomain enumeration, port scanning, web screenshots, vulnerability scanning | Free |
| Belati | OSINT tool: collect data and document actively or passively | Free |
| Bitcrook | Reconnaissance apparatus: information gathering, conglomerate of tools including custom algorithms and API wrappers | Free |
| cariddi | Takes a list of domains, crawls URLs and scans for endpoints, secrets, API keys, file extensions, tokens | Free |
| Certstream | Intelligence feed that gives real-time updates from the Certificate Transparency log network | Free |
| Darkshot | Lightshot scraper with multi-threaded OCR and auto-categorizing of screenshots | Free |
| dataleaks | Self-hosted data breach search engine | Free |
| datasploit | OSINT framework: find, aggregate and export data | Free |
| DeadTrap | Track down footprints of a phone number | Free |
| DNSDumpster | Domain research tool that can discover hosts related to a domain | Free |
| dnsenum | DNS reconnaissance tool: AXFR, DNS record enumeration, subdomain brute force, range reverse lookup | Free |
| dnsenum2 | Continuation of the dnsenum project | Free |
| DNSRecon | DNS reconnaissance tool: AXFR, DNS record enumeration, TLD expansion, wildcard resolution, subdomain brute force, PTR record lookup, check for cached records | Free |
| dnsx | Multi-purpose DNS toolkit that runs multiple DNS query types in bulk | Free |
| domainfinder | Find a domain from an IP address | Free |
| Domainim | Domain reconnaissance for organizational network scanning | Free |
| EagleEye | Image recognition on Instagram, Facebook and Twitter | Free |
| Espionage | Domain information gathering: WHOIS, history, DNS records, web technologies | Free |
| eTools.ch | Metasearch engine; queries 16 search engines in parallel | Free |
| Facebook_OSINT_Dump | OSINT tool, Facebook profile dumper; Windows and Chrome only | Free |
| FinalRecon | Web reconnaissance script | Free |
| Findomain | Fast subdomain enumerator | Free |
| FOCA | OSINT framework and metadata analyser | Free |
| Geolocation Estimation | Automatic GEOINT using deep learning | Free |
| GHunt | Investigate Google accounts from an email address and find name, usernames, YouTube channel, probable location, Maps reviews, etc. | Free |
| GitFive | Investigate GitHub profiles; features: username history, email address to GitHub account, finds potential secondary GitHub accounts, dumps SSH public keys, etc. | Free |
| gitGraber | Monitor GitHub to search and find sensitive data in real time for different online services such as Google, Amazon, PayPal, GitHub, Mailgun, Facebook, Twitter, Heroku, Stripe, etc. | Free |
| GitHound | Find sensitive information in git repositories | Free |
| gittyleaks | Find sensitive information (username, password, email) in git repositories | Free |
| GooFuzz | Passive reconnaissance enumerating directories, files, subdomains or parameters using Google dorks | Free |
| Gorecon | Reconnaissance toolkit | Free |
| GoSeek | Username lookup comparable to Maigret/Sherlock, IP lookup, license plate & VIN lookup, info cull, and fake identity generator | Free |
| gOSINT | OSINT framework: find emails and dumps, retrieve Telegram history and information about hosts | Free |
| h8mail | Email OSINT & password breach hunting tool; supports chasing down related emails | Free |
| Harpoon | CLI tool: collect data and document actively or passively | Free |
| holehe | Check whether an email address is registered on sites such as Twitter and Instagram, retrieving information from sites via their forgotten-password function | Free |
| Hunt3r | Automatic domain recognition (via amass) and vulnerability scan (via nuclei) platform with a web UI | Free |
| Ignorant | Check whether a phone number is registered on sites such as Snapchat and Instagram | Free |
| IVRE | IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks); network recon framework including tools for passive and active recon | Free |
| kitphishr | Hunts for phishing kit source code by traversing URL folders and searching open directories for zip files; supports a list of URLs or PhishTank | Free |
| Kostebek | Tool to find firms' domains by searching their trademark information | Free |
| LeakDB | Normalize, deduplicate, index, sort, and search leaked data sets at multi-terabyte scale | Free |
| LeakIX | Search engine for devices and services exposed on the Internet | Free |
| LeakLooker | Discover, browse and monitor database/source code leaks | Free |
| leakScraper | Set of tools to process and visualize huge text files containing credentials | Free |
| LinEnum | System script for local Linux enumeration and privilege escalation checks | Free |
| LinkedInDumper | Dump company employees via the LinkedIn API | Free |
| LittleBrother | Information gathering (OSINT) on a person (EU); checks social networks and Pages Jaunes | Free |
| Maigret | Collect a dossier on a person by username from a huge number of sites, and extract details from them | Free |
| Malfrat's OSINT Map | A web-based collection of tools and resources for OSINT; successor of OSINT Framework | Free |
| mantis | Command-line framework designed to automate the workflow of asset discovery, reconnaissance, and scanning | Free |
| MassDNS | High-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration) | Free |
| Metabigor | Search information about IP addresses, ASNs and organizations; doesn't require any API key | Free |
| mihari | Aggregates results from Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs or hashes) | Free |
| Netflip | Scrape sensitive information from paste sites | Free |
| NExfil | Find profiles by username across over 350 websites | Free |
| Nmmapper | Cybersecurity tools offered as SaaS: nmap, subdomain finder (Sublist3r, DNScan, Anubis, Amass, Lepus, Findomain, Censys), theHarvester, etc. | Paid |
| nqntnqnqmb | Retrieve information on LinkedIn profiles and companies, and search LinkedIn for companies/persons | Free |
| Oblivion | Data leak checker and monitoring | Free |
| ODIN | Observe, Detect, and Investigate Networks; automated reconnaissance tool | Free |
| Omnibus | OSINT framework; collection of tools | Free |
| OneForAll | Subdomain enumeration tool | Free |
| OnionSearch | Script that scrapes URLs from different .onion search engines | Free |
| OSINT Framework | A web-based collection of tools and resources for OSINT | Free |
| Osintgram | Interactive shell to perform analysis on any user's Instagram account by nickname | Free |
| Osmedeus | Automated framework for reconnaissance and vulnerability scanning | Free |
| Photon | Fast crawler designed for OSINT | Free |
| PITT | Web browser loaded with links and extensions for doing OSINT | Free |
| ProjectDiscovery | Monitor, collect and continuously query asset data via a simple web UI | Free |
| Recon-ng | Modular, command-line web reconnaissance framework | Free |
| ReconDog | Multi-purpose reconnaissance tool: CMS detection, reverse IP lookup, port scan, etc. | Free |
| reconFTW | Perform automated recon on a target domain by running a set of tools for scanning and finding vulnerabilities | Free |
| Reconnoitre | Tool made to automate information gathering and service enumeration while storing results | Free |
| ReconScan | Network reconnaissance and vulnerability assessment tools | Free |
| Recsech | Web reconnaissance and vulnerability scanner tool | Free |
| Red Team Arsenal | Automated reconnaissance scanner and security checks | Free |
| Redscan | Mix of a security operations orchestration, vulnerability management and reconnaissance platform | Free |
| reNgine | Automated recon framework for web applications; customizable scan engines & reconnaissance pipeline | Free |
| SearchDNS | Netcraft tool; search and find information for domains and subdomains | Free |
| Sherlock | Hunt down social media accounts by username across social networks | Free |
| Shodan | Search devices connected to the Internet; helps find information about desktops, servers and IoT devices, including metadata such as the software running | Free |
| shosubgo | Grab subdomains using the Shodan API | Free |
| shuffledns | Wrapper around massdns that enumerates valid subdomains using active brute force and resolves subdomains with wildcard handling and easy input/output support | Free |
| SiteBroker | Tool for information gathering and penetration test automation | Free |
| Sn1per | Automated reconnaissance scanner | Paid |
| spiderfoot | OSINT framework: collect and manage data, scan targets | Free |
| Stalker | Automated scanning of social networks and other websites, using a single nickname | Free |
| SubDomainizer | Find subdomains and interesting things hidden inside external JavaScript files of a page, folders, and GitHub | Free |
| subfinder | Discovers valid subdomains for websites; designed as a passive framework to be useful for bug bounties and safe for penetration testing | Free |
| Sublist3r | Subdomain enumeration tool | Free |
| subzuf | DNS response-guided subdomain fuzzer | Free |
| Sudomy | Subdomain enumeration tool | Free |
| Tempest | Leverage paste sites as a medium for discovery of objectionable/infringing materials | Free |
| Th3inspector | Multi-purpose information gathering tool | Free |
| theHarvester | Multi-purpose information gathering tool: emails, names, subdomains, IPs, URLs | Free |
| tinfoleak | Twitter intelligence analysis tool | Free |
| Totem | Retrieve information about ads of a Facebook page: the number of people targeted, how much the ad cost and a lot of other information | Free |
| trape | Analysis and research tool which allows people to track and execute intelligent social engineering attacks in real time | Free |
| TruffleHog | Find secret information in git repositories | Free |
| TWINT | Twitter Intelligence Tool; Twitter scraping & OSINT tool that doesn't use Twitter's API, allowing one to scrape a user's followers, following, tweets and more while evading most API limitations | Free |
| uncover | Discover exposed hosts on the Internet using multiple search engines | Free |
| waymore | Find links from the Wayback Machine, Common Crawl, AlienVault OTX and URLScan; download the archived responses for URLs on the Wayback Machine | Free |
| yar | Find secret information (secrets, tokens, passwords) in git repositories | Free |
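Several entries in the table (DNSRecon, dnsx, MassDNS, shuffledns) advertise wildcard handling, because a zone with a `*.example.com` record makes every brute-forced label resolve and floods the results with false positives. The Python below is an added example, not code from those tools: it probes a few random labels to learn the wildcard answer set, then keeps only brute-forced names whose answers are not a subset of it. The resolver is a constructed in-memory zone so the block runs offline; in practice `resolve` would wrap a real lookup (for instance dnspython's `dns.resolver.resolve`) or massdns output. The fake zone, the wordlist and the addresses from the `203.0.113.0/24` documentation range are assumptions.

```python
import random

APEX = "example.com"  # assumed in-scope apex domain

# Constructed in-memory zone standing in for real DNS. Anything else under the
# apex is answered by the wildcard record, as a real '*.example.com' A record would.
FAKE_ZONE = {
    "www.example.com":  {"203.0.113.20"},
    "mail.example.com": {"203.0.113.30"},
    "dev.example.com":  {"203.0.113.10"},                  # same answer as the wildcard
    "cdn.example.com":  {"203.0.113.10", "203.0.113.40"},  # wildcard IP plus its own
}
WILDCARD_ANSWER = {"203.0.113.10"}


def fake_resolve(name):
    """Stand-in for an A-record lookup: set of IPs, empty set on NXDOMAIN."""
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    if name.endswith("." + APEX):
        return set(WILDCARD_ANSWER)
    return set()


def fake_resolve_no_wildcard(name):
    """The same zone without the wildcard record, for comparison."""
    return set(FAKE_ZONE.get(name, set()))


def detect_wildcard(apex, resolve, probes=3, seed=1):
    """Resolve a few random labels under the apex; the union of their answers
    is the wildcard answer set (empty when the zone has no wildcard)."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    answers = set()
    for _ in range(probes):
        label = "".join(rng.choices(alphabet, k=12))
        answers |= resolve(f"{label}.{apex}")
    return answers


def brute_force(apex, wordlist, resolve):
    """Return {hostname: sorted IPs} for candidates that resolve to something
    beyond (a subset of) the wildcard answers."""
    wildcard_ips = detect_wildcard(apex, resolve)
    found = {}
    for word in wordlist:
        name = f"{word}.{apex}"
        ips = resolve(name)
        if not ips:
            continue
        if wildcard_ips and ips <= wildcard_ips:
            # Indistinguishable from a wildcard hit. A real host that shares the
            # wildcard address (dev.example.com here) is dropped as a consequence;
            # an answer with at least one extra IP (cdn.example.com) survives.
            continue
        found[name] = sorted(ips)
    return found


WORDLIST = ["www", "mail", "dev", "cdn", "test", "vpn"]  # constructed candidate labels

if __name__ == "__main__":
    print("wildcard answers:", sorted(detect_wildcard(APEX, fake_resolve)))
    for host, ips in brute_force(APEX, WORDLIST, fake_resolve).items():
        print(host, ", ".join(ips))
```

The subset test is the same trade-off the listed tools make: it removes the flood of wildcard hits at the cost of missing real hosts that happen to share the wildcard's address, which is why a follow-up check on another record type (CNAME, HTTP virtual host response) is worth running on names this filter drops.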