Tools for reconnaissance and footprinting
Recon Tools
A compiled list of tools for reconnaissance and footprinting.
Contents
- Domain and Network Recon - Tools for grabbing network-related information.
- Personal Information and Email Footprinting - Tools for finding personal information such as social networks and emails, as well as footprinting tools for mail.
- Hacking with Google - Use Google search operators to your advantage.
Domain and Network Recon
Robust tools for gathering domain and network information.
Programs and Web Applications
- ARIN Whois/RDAP - A public resource that allows a user to retrieve information about IP number resources, organizations, and Points of Contact registered with ARIN.
- Aquatone - A tool for visual inspection of websites across a large number of hosts. Very convenient for quickly gaining an overview of HTTP-based attack surfaces.
- Batch IP Converter - An award-winning network tool for working with IP addresses. Domain-to-IP Converter, Batch Ping, Tracert, Whois, and more.
- BuiltWith - Scans for over 46,953 different web technologies. Discover what tools a site uses, such as shopping carts, hosting, analytics, and more.
- Censys - Mines a global internet dataset to enumerate assets that may expose an attack surface.
- DataSploit - Performs automated OSINT on a domain/email/username/phone and finds relevant information from different sources.
- DNSDumpster - Discovers hosts related to a domain. Map an organization's attack surface with a virtual "dumpster dive."
- Domaintools - Find Whois information quickly and easily, including registrar, name servers, and more.
- FindSubDomains - From Spyse. A handy tool for finding subdomains.
- FireCompass - Discovers an organization's digital attack surface.
- Informer - Retrieves a quick aggregated view of everything the Web can promptly tell you about a site.
- Maltego - Open Source Intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.
- Netcraft - Multiple tools, from site reports to DNS search.
- Professional Toolset - Ping, Tracert, HTTP Headers, and more!
- Shodan - Shodan has servers around the world that crawl the internet 24/7 to provide the latest internet intelligence.
- SpiderFoot - Automated OSINT collection!
- Traceroute NG - Continuous probing, detects path changes, supports IPv4 and IPv6, creates a .txt log file.
- URL Fuzzer - Free light scan for hidden files and directories.
- VisualRoute - Continuous trace routing, reverse tracing, port probing, route analysis, and much more!
- You Get Signal - Port forwarding, network location, visual trace route, reverse IP domain check, and more!
- Wappalyzer - Identify technologies on websites. Find out the technology stack of any website.
- WebShag - Multi-threaded, multi-platform web server audit tool. Gathers useful functionality for web server auditing, such as website crawling, URL scanning, and file fuzzing.
- Wireshark - The world's foremost and most widely used network protocol analyzer.
- Whois.net - Quick and easy Whois lookup. Domain name search, registration and availability, and more.
Windows CLI
- nslookup - Command-line tool for querying the Domain Name System to obtain name-to-IP-address mappings and other DNS records.
- tracert - Command-line tool for displaying a route and measuring transit delays of packets across an Internet Protocol network.
Linux CLI // Kali
- dig - Domain Information Groper - Queries the DNS of a given server.
- dnsrecon - Check NS records for zone transfers, enumerate general DNS records, check cached DNS records, and more.
- dnstracer - Determines where a given Domain Name Server gets its information from for a given hostname.
- Fierce - DNS reconnaissance tool for locating non-contiguous IP space.
- Ghost Eye - Information gathering tool for Whois, DNS, EtherApe, Nmap, and more.
- recon-ng - Provides a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly.
- traceroute - Prints the route packets take to a network host.
- unicornscan - Provides a superior interface for introducing a stimulus into and measuring a response from a TCP/IP-enabled device or network.
- whois - Quick and easy client for the whois directory service.
Personal Information and Email Footprinting
Tools for gathering personal information, social networks, and email footprinting.
Programs and Web Applications
- BeenVerified - Background checks with loads of information.
- eMailTrackerPro - Pull detailed information from an email header. Also includes spam filtering.
- Followerwonk - Information scraped from Twitter.
- Infoga - Gather email OSINT. Domains, sources, breaches, and more.
- Jigsaw - OSINT-X Intelligence Collection Tool from Jigsaw allows for the collection of data from RSS feeds, the dark web, Twitter, Facebook, and other sources.
- PeekYou - Locate personal information, from family members to social media accounts.
Linux CLI // Kali
- sherlock - Crawls the web for social profiles.
- theHarvester - Pulls a list of email addresses for a specific domain from multiple search engines.
Hacking with Google
Search operators (or "dorks") for the world's most popular search engine. An operator is written directly against its argument, with no space after the colon.
- cache - Shows you the cached version of any website. Example: cache:securitytrails.com
- allintext - Searches for specific text contained on any web page. Example: allintext:hacking tools
- allintitle - The same as allintext, but returns pages whose titles contain all of the specified words. Example: allintitle:"Security Companies"
- allinurl - Fetches results whose URL contains all of the specified words. Example: allinurl:client area
- filetype - Searches for files with a given extension; for example, to search for jpg files use filetype:jpg
- inurl - The same as allinurl, but only useful for one single keyword. Example: inurl:admin
- intitle - Searches for keywords inside the page title. For example, intitle:security tools will search for titles containing “security”, while “tools” can be anywhere else in the page.
- inanchor - Useful when you need to search for an exact anchor text used on any links. Example: inanchor:"cyber security"
- intext - Locates pages that contain certain characters or strings inside their text. Example: intext:"safe internet"
- link - Shows the list of web pages that link to the specified URL. Example: link:microsoft.com
- site - Shows the full list of indexed URLs for the specified domain and its subdomains. Example: site:securitytrails.com
- * - Wildcard used to search for pages that contain “anything” where the wildcard stands. For example, how to * a website will return “how to design/create/hack … a website”.
- | - The logical OR operator. For example, "security" | "tips" will show all the sites that contain “security” or “tips”, or both words.
- + - Concatenates words; useful to detect pages that use more than one specific keyword. Example: security + trails
- - (minus) - Excludes results that contain certain words. For example, security -trails will show pages that use “security” in their text, but not those that also contain the word “trails”.