4 min read

Tools for reconnaissance and footprinting

Tools for reconnaissance and footprinting
Photo by Muha Ajjan / Unsplash

Recon Tools

A compiled list of tools for reconnaissance and footprinting.

Contents

Domain and Network Recon

Robust tools for gathering domain and network information.

Programs and Web Applications

  • ARIN Whois/RDAP - A public resource that allows a user to retrieve information about IP number resources, organizations, and Points of Contact registered with ARIN.

  • Aquatone - A tool for visual inspection of websites across a large amount of hosts. Very convenient for quickly gaining an overview of HTTP-based attack surfaces.

  • Batch IP Converter - An award-winning network tool to work with IP addresses. Domain-to-IP Converter, Batch Ping, Tracert, Whois, and more.

  • BuiltWith - Scans for over 46,953 different web technologies. Discover what tools a site uses such as shopping carts, hosting, analytics, and more.

  • Censys - Mines a global internet dataset to enumerate assets that may compromise an attack surface.

  • DataSploit - Performs automated OSINT on a domain/email/username/phone and finds relevant information from different sources.

  • DNSDumpster - Can discover hosts related to a domain. Map an organizations attack surface with a virtual "dumpster dive."

  • Domaintools - Find Whois information quickly and easily including registrar, name servers, and etc.

  • FindSubDomains - From Spyse. Awesome tool to find subdomains.

  • FireCompass - Discovers and organization's digital attack surface.

  • Informer - Retrieves a quick aggregated view of everything the Web can promptly tell you about a site.

  • Maltego - Open Source Intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.

  • Netcraft - Multiple tools from site report to DNS search.

  • Professional Toolset - Ping, Tracert, HTTP Headers, and more!

  • Shodan - Shodan has servers around the world that crawl the internet 24/7 to provide the latest internet intelligence.

  • SpiderFoot - Automated OSINT collection!

  • Traceroute NG - Continuous probing, detects path changes, supports IPv4 & IPv6, Creates a txt logfile.

  • URL Fuzzer - Free light scan for hidden files and directories.

  • VisualRoute - Continuous trace routing, reverse tracing, port probing, route analysis, and much more!

  • You Get Signal - Port forwarding, network location, visual trace route, reverse IP domain check, and more!

  • Wappalyzer - Identify technologies on websites. Find out the technology stack of any website.

  • WebShag - Multi-threaded, multi-platform web server audit tool. Gathers useful functionalities for web server auditing like website crawling, URL scanning, or file fuzzing.

  • Wireshark - The world's foremost and widely-used network protocol analyzer.

  • Whois.net - Quick and easy Whois lookup. Domain name search, registration and availability, and more.

Windows CLI

  • nslookup - Command-line tool for querying the Domain Name System to obtain name or IP address mapping and other DNS records.

  • tracert - Commmand-line tool for displaying a route and measuring transit delays of packets across an Internal Protocol network.

Linux CLI // Kali

  • dig - Domain Information Groper - Queries the DNS of a given server.

  • dnsrecon - Check NS Records for Zone Transfers, enumerate general DNS records, check cached DNS records, and more.

  • dnstracer - Determines where a given Domain Name Server gets its information from for a given hostname.

  • Fierce - DNS reconnaissance tool for locating non-contiguous IP space.

  • Ghost Eye - Information gathering tool for Whois, DNS, EtherApe, Nmap, and more.

  • recon-ng - Provides a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly.

  • traceroute - Print the route packets trace to network host.

  • unicornscan - Provides a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network.

  • whois - Quick and easy client for the whois directory service.

Personal Information and Email Footprinting

Tools for gathering personal information, social networks, and email footprinting.

Programs and Web Applications

  • BeenVerified - Background checks with loads of information.

  • eMailTrackerPro - Pull detailed information from an email header. Also includes spam filtering.

  • Followerwonk - Information scraped from Twitter.

  • Infoga - Gather email OSINT. Domains, sources, breaches, and more.

  • Jigsaw - OSINT-X Intelligence Collection Tool from Jigsaw allows for the collection of data from RSS feeds, the dark web, Twitter, Facebook, and other sources.

  • PeekYou - Locate personal information from family members to social media accounts.

Linux CLI // Kali

  • sherlock - Crawls the web for social profiles.

  • theHarvester - Pulls a list of email addresses of a specific domain from multiple search engines.

Hacking with Google

Commands (or "dorks") for the world's most popular search engine

  • cache - this command will show you the cached version of any website.
    cache: securitytrails.com

  • allintext - searches for specific text contained on any web page.
    allintext: hacking tools

  • allintitle - exactly the same as allintext, but will show pages that contain titles with X characters.
    allintitle:"Security Companies"

  • allinurl - it can be used to fetch results whose URL contains all the specified characters.
    allinurl client area

  • filetype - used to search for any kind of file extensions, for example, if you want to search for jpg files you can use:
    filetype: jpg

  • inurl - this is exactly the same as allinurl, but it is only useful for one single keyword.
    inurl: admin

  • intitle - used to search for various keywords inside the title, for example,
    intitle:security tools will search for titles beginning with “security” but “tools” can be somewhere else in the page.

  • inanchor - this is useful when you need to search for an exact anchor text used on any links.
    inanchor:"cyber security"

  • intext - useful to locate pages that contain certain characters or strings inside their text.
    intext:"safe internet"

  • link - will show the list of web pages that have links to the specified URL.
    link: microsoft.com

  • site - will show you the full list of all indexed URLs for the specified domain and subdomain.
    site:securitytrails.com

  • * - wildcard used to search pages that contain “anything” before your word.
    For example, how to * a website, will return “how to…” design/create/hack, etc… “a website”.

  • | - this is a logical operator, for example, "security" "tips" will show all the sites which contain “security” or “tips,” or both words.

  • + - used to concatenate words, useful to detect pages that use more than one specific key.
    security + trails

  • - minus operator is used to avoiding showing results that contain certain words, for example, security -trails will show pages that use “security” in their text, but not those that have the word “trails."