- Host recon, network mapping, etc.
# Recon Tool Curation
## Tools I've Created
- [cybersader/WebsiteTechMiner-py: A little Python project to automate gathering website profiling data from "BuiltWith" & "Wappalyzer" for tech stack information, technographic data, website reports, website tech lookups, website architecture lookups, etc.](https://github.com/cybersader/WebsiteTechMiner-py)
## GitHub Lists
- [paralax/awesome-internet-scanning: A curated list of awesome Internet port and host scanners, plus related components and much more, with a focus on free and open source projects.](https://github.com/paralax/awesome-internet-scanning)
- [ad-si/awesome-scanning: A curated list of awesome projects to simplify and improve paper scanning.](https://github.com/ad-si/awesome-scanning)
- [https://github.com/0xedward/awesome-infosec > recon](https://github.com/0xedward/awesome-infosec#recon)
- [nateahess/awesome-recon-tools: A compiled list of tools for reconnaissance and footprinting](https://github.com/nateahess/awesome-recon-tools)
### Windows CLI
- [nslookup](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup) - Command-line tool for querying the Domain Name System to obtain name or IP address mapping and other DNS records.
- [tracert](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tracert) - Command-line tool for displaying the route and measuring transit delays of packets across an Internet Protocol network.
### Linux CLI // Kali
- [dig](https://linuxhandbook.com/dig-command/) - Domain Information Groper - Queries the DNS of a given server.
- [dnsrecon](https://tools.kali.org/information-gathering/dnsrecon) - Check NS Records for Zone Transfers, enumerate general DNS records, check cached DNS records, and more.
- [dnstracer](https://tools.kali.org/information-gathering/dnstracer) - Determines where a given Domain Name Server gets its information from for a given hostname.
- [Fierce](https://github.com/mschwager/fierce) - DNS reconnaissance tool for locating non-contiguous IP space.
- [Ghost Eye](https://github.com/BullsEye0/ghost_eye) - Information gathering tool for Whois, DNS, EtherApe, Nmap, and more.
- [recon-ng](https://github.com/lanmaster53/recon-ng) - Provides a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly.
- [traceroute](https://www.commandlinux.com/man-page/man1/traceroute.db.1.html) - Print the route packets trace to network host.
- [unicornscan](https://tools.kali.org/information-gathering/unicornscan) - Provides a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network.
- [whois](https://www.commandlinux.com/man-page/man1/whois.1.html) - Quick and easy client for the whois directory service.
## Misc
- [DNS Dumpster](https://dnsdumpster.com/)
- [Sublist3r](https://github.com/aboul3la/Sublist3r)
- [Subfinder](https://github.com/subfinder/subfinder)
- [Amass](https://github.com/OWASP/Amass)
- [httprobe](https://github.com/tomnomnom/httprobe)
- [dirsearch](https://github.com/maurosoria/dirsearch)
- [webscreenshot](https://github.com/maaaaz/webscreenshot)
- [cc.py](https://github.com/si9int/cc.py)
- [@ITSecurityguard Visual Recon Guide](https://blog.it-securityguard.com/visual-recon-a-beginners-guide/)
## IP Address Discovery
- [Mxtoolbox](https://mxtoolbox.com/BulkLookup.aspx): Bulk Domain/IP lookup tool
- [Domaintoipconverter](http://domaintoipconverter.com/): Bulk domain to IP converter
- [Massdns](https://github.com/blechschmidt/massdns): A DNS resolver utility for bulk lookups
- [Googleapps Dig](https://toolbox.googleapps.com/apps/dig/): Online Dig tool by Google
- [DataSploit IP Address Modules](https://github.com/DataSploit/datasploit/tree/master/ip): The IP-address modules of DataSploit, an OSINT framework that performs various recon techniques
- [Domain Dossier](https://centralops.net/co/domaindossier.aspx): Investigate domains and IP addresses
- [Bgpview](https://bgpview.io/): Search ASN, IPv4/IPv6 or resource name
- [Hurricane Electric BGP Toolkit](https://bgp.he.net/): Keyword to ASN lookup
- [Viewdns](https://viewdns.info/): Multiple domain/IP tools
- [Ultratools ipv6Info](https://www.ultratools.com/tools/ipv6Info): Multiple information related to IPv6 address
- [Whois](https://manpages.debian.org/jessie/whois/whois.1.en.html): Command line utility usually used to find information about registered users/assignees of an Internet resource.
- [ICANN Whois](https://whois.icann.org/en): Whois service by Internet Corporation for Assigned Names and Numbers (ICANN)
- Nslookup [Linux](https://manpages.debian.org/jessie/dnsutils/nslookup.1.en.html) / [Windows](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup): Command line utility usually used for querying the DNS records
- [bgp.he.net](https://bgp.he.net/): Hurricane Electric's BGP toolkit (same site as the Hurricane Electric entry above); ASN, prefix and peering lookups, useful for turning an organization name into the address space it announces
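Once the ASN/BGP lookups above have produced an organization's announced prefixes, the practical next step is to sort every resolved hostname into "our address space" versus "someone else's" (CDN, SaaS, shared hosting). The following is an added example, not code from any tool listed here; the ASN labels, prefixes and hostnames are constructed and use documentation ranges only.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: prefixes as an ASN lookup (bgp.he.net / bgpview) would list
# them, keyed by a made-up ASN label, plus a made-up set of resolved hostnames.
ANNOUNCED_PREFIXES = {
    "AS64496 (example-org)": ["203.0.113.0/24", "2001:db8:1::/48"],
    "AS64497 (example-cdn)": ["198.51.100.0/25"],
}
RESOLVED = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "cdn.example.com": "198.51.100.7",
    "v6.example.com": "2001:db8:1::80",
    "blog.example.com": "192.0.2.44",  # not inside any announced prefix
}


def build_networks(prefix_map):
    """Parse prefixes once, most specific first, so the longest match wins."""
    nets = []
    for owner, prefixes in prefix_map.items():
        for prefix in prefixes:
            # strict=True rejects prefixes with host bits set (a typo in the scope)
            nets.append((ipaddress.ip_network(prefix, strict=True), owner))
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def attribute(resolved, prefix_map):
    """Map each hostname's address to the owner of the covering prefix."""
    nets = build_networks(prefix_map)
    grouped = defaultdict(list)
    for host, ip in resolved.items():
        addr = ipaddress.ip_address(ip)
        owner = next(
            (owner for net, owner in nets
             if net.version == addr.version and addr in net),
            "unattributed",
        )
        grouped[owner].append(host)
    return {owner: sorted(hosts) for owner, hosts in grouped.items()}


if __name__ == "__main__":
    for owner, hosts in attribute(RESOLVED, ANNOUNCED_PREFIXES).items():
        print(f"{owner}: {', '.join(hosts)}")
```

Hosts that land in "unattributed" are the ones worth a second look: they are either third-party infrastructure that needs a scope decision or address space the organization owns but that the ASN lookup missed.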
## Port Scanners
- [dscan](https://github.com/dugsong/dscan) - asynchronous TCP host scanner.
- [gps](https://github.com/stanford-esrg/gps) - scanning platform that learns and predicts the location of IPv4 services across all 65K ports.
- [lzr](https://github.com/stanford-esrg/lzr) - Internet-wide scanner that detects and fingerprints unexpected services on unexpected ports
- [masscan](https://github.com/robertdavidgraham/masscan) - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
- [netscanner](https://github.com/R4yGM/netscanner) - TCP/UDP scanner to find open or closed ports
- [nmap](https://github.com/nmap/nmap) - the Network Mapper. Github mirror of official SVN repository. [https://svn.nmap.org/](https://svn.nmap.org/)
- [sx](https://github.com/v-byte-cpu/sx) - Fast, modern, easy-to-use network scanner (ARP/TCP/UDP/SOCKS5, etc.)
- [xmap](https://github.com/idealeer/xmap) - XMap is a fast network scanner designed for performing Internet-wide IPv6 & IPv4 network research scanning
- [zmap](https://github.com/zmap/zmap) - a fast single packet network scanner designed for Internet-wide network surveys.
- [Smap](https://github.com/s0md3v/Smap) - a port scanner built on shodan.io's free API. It takes the same command-line arguments as Nmap and produces the same output, which makes it a drop-in replacement for Nmap when you want results without sending packets to the target.
## DNS Scanners
- [dns-scanner](https://github.com/avin/dns-scanner) - fast asynchronous NS scanner to locate subdomains.
- [massdns](https://github.com/blechschmidt/massdns) - high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration).
## Domain/Subdomain Discovery & Enumeration
- [RedHunt Labs Attack Surface Recon API](https://devportal.redhuntlabs.com/home): Domain intelligence and reconnaissance API backed by RedHunt Labs' in-house database of domains, subdomains, third-party SaaS, data leaks and correlations (over 6 billion records, by their count), aimed at Attack Surface Management workflows.
- [SubFinder](https://github.com/subfinder/subfinder): SubFinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
- [Amass](https://github.com/OWASP/Amass): A subdomain enumeration utility
- [Sublist3r](https://github.com/aboul3la/Sublist3r): Subdomains enumeration tool with multiple sources
- [Aiodnsbrute](https://github.com/blark/aiodnsbrute): Asynchronous DNS brute force utility
- [LDNS](https://github.com/NLnetLabs/ldns): A DNS library useful for DNS tool programming
- [Dns-nsec3-enum](https://nmap.org/nsedoc/scripts/dns-nsec3-enum.html): Nmap NSE Script for NSEC3 walking
- [Nsec3map](https://github.com/anonion0/nsec3map): A tool for NSEC and NSEC3 zone walking
- [Crt.sh](https://crt.sh/?a=1): Domain certificate Search
- [Ct-exposer](https://github.com/chris408/ct-exposer): A tool that discovers subdomains by searching Certificate Transparency logs
- [Certgraph](https://github.com/lanrat/certgraph): A tool to crawl the graph of certificate Alternate Names
- [Appsecco - The art of subdomain enumeration](https://github.com/appsecco/the-art-of-subdomain-enumeration): The supplement material for the book "The art of sub-domain enumeration"
- [SSLScrape](https://github.com/jhaddix/sslScrape): A scanning tool to scrape hostnames from SSL certificates
- [Wolframalpha](https://www.wolframalpha.com/): Computational knowledge engine
- [Project Sonar](https://opendata.rapid7.com/sonar.fdns_v2/): Forward DNS Data
- [Project Sonar](https://opendata.rapid7.com/sonar.rdns_v2/): Reverse DNS Data
- [GoBuster](https://github.com/OJ/gobuster): Directory/File, DNS and VHost busting tool written in Go
- [Bluto](https://github.com/darryllane/Bluto): Recon, Subdomain Bruting, Zone Transfers
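Several entries above (Crt.sh, Ct-exposer, Certgraph, SSLScrape) rely on the same idea: certificates logged to Certificate Transparency leak hostnames in their Subject Alternative Names. The parsing step is where people go wrong, because crt.sh's JSON (`?q=%25.example.com&output=json`) puts several names in one newline-separated `name_value` field, mixes case, includes wildcards, and matches lookalike domains that merely contain the search string. The following is an added example, not code from crt.sh or any of the listed tools; the JSON records below are constructed in crt.sh's shape with made-up hostnames.

```python
import json
import re

# Constructed sample in the shape of crt.sh JSON output; records are made up.
CRT_SH_SAMPLE = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"id": 3, "common_name": "vpn.corp.example.com",
     "name_value": "vpn.corp.example.com\nVPN.CORP.EXAMPLE.COM"},
    {"id": 4, "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},  # lookalike, must be excluded
    {"id": 5, "common_name": "mail.example.com",
     "name_value": "mail.example.com\nautodiscover.example.com"},
])

# Lower-case hostnames only; each label 1-63 chars, TLD alphabetic.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def in_scope(name, apex):
    """True only for the apex itself or a real child label of it."""
    return name == apex or name.endswith("." + apex)


def extract_subdomains(ct_json, apex):
    """Return (sorted in-scope subdomains, sorted wildcard names seen)."""
    apex = apex.lower().rstrip(".")
    found, wildcards = set(), set()
    for entry in json.loads(ct_json):
        names = entry.get("name_value", "").split("\n")
        names.append(entry.get("common_name", ""))
        for raw in names:
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                # a wildcard cert hints at a subtree worth brute-forcing,
                # but "*.example.com" is not itself a resolvable host
                wildcards.add(name)
                name = name[2:]
            if not name or not HOSTNAME_RE.match(name):
                continue
            if not in_scope(name, apex) or name == apex:
                continue
            found.add(name)
    return sorted(found), sorted(wildcards)


if __name__ == "__main__":
    subs, wild = extract_subdomains(CRT_SH_SAMPLE, "example.com")
    print("subdomains:", subs)
    print("wildcards:", wild)
```

Feed the result into a resolver such as massdns or httprobe next; CT tells you a name was once certified, not that it still resolves or answers.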
## Internet Survey Data
- [Project Resonance](https://redhuntlabs.com/project-resonance): RedHunt Labs' Internet-wide surveys to study and understand the security state of the Internet.
- [Project Sonar](https://opendata.rapid7.com/): Rapid7’s internet-wide surveys data across different services and protocols
- [Scans.io](https://scans.io/): Internet-Wide Scan Data Repository, hosted by the ZMap Team
- [Portradar](https://portradar.packet.tel/): Free and open port scan data by packet.tel
## Nmap Tools
- [dscan](https://github.com/0x4E0x650x6F/dscan) - Distributed Nmap, wrapper around Nmap to allow distributed network enumeration.
- [goscan](https://github.com/marco-lancini/goscan) - Interactive Network Scanner.
- [LazyMap](https://github.com/commonexploits/port-scan-automation) - Automate NMAP Scans and Generate Custom Nessus Policies Automatically.
- [ObsidianSailboat](https://github.com/paralax/ObsidianSailboat) - Nmap and NSE command line wrapper in the style of Metasploit.
- [nmap-bootstrap-xsl](https://github.com/honze-net/nmap-bootstrap-xsl) - Nmap XSL implementation with Bootstrap.
- [python-libnmap](https://github.com/savon-noir/python-libnmap) - libnmap is a python library to run nmap scans, parse and diff scan results. It supports python 2.6 up to 3.4.
- [Sandmap](https://github.com/trimstray/sandmap) - a tool supporting network and system reconnaissance using the massive Nmap engine. It provides a user-friendly interface, automates and speeds up scanning and allows you to easily use many advanced scanning techniques.
- [Scantron](https://github.com/rackerlabs/scantron) - A distributed nmap / masscan scanning framework with web GUI.
- [WebMap](https://github.com/SabyasachiRana/WebMap) - Nmap Web Dashboard and Reporting.
- [Zenmap](https://nmap.org/zenmap/) - the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application.
## Programs and Web Applications
- [ARIN Whois/RDAP](https://arin.net/about/welcom/region) - A public resource that allows a user to retrieve information about IP number resources, organizations, and Points of Contact registered with ARIN.
- [Aquatone](https://github.com/michenriksen/aquatone) - A tool for visual inspection of websites across a large amount of hosts. Very convenient for quickly gaining an overview of HTTP-based attack surfaces.
- [Batch IP Converter](http://sabsoft.com/) - An award-winning network tool to work with IP addresses. Domain-to-IP Converter, Batch Ping, Tracert, Whois, and more.
- [BuiltWith](https://builtwith.com/) - Scans for over 46,953 different web technologies. Discover what tools a site uses such as shopping carts, hosting, analytics, and more.
- [Censys](https://censys.io/) - Mines a global internet dataset to enumerate assets that may compromise an attack surface.
- [DataSploit](https://github.com/DataSploit/datasploit) - Performs automated OSINT on a domain/email/username/phone and finds relevant information from different sources.
- [DNSDumpster](https://dnsdumpster.com/) - Can discover hosts related to a domain. Map an organization's attack surface with a virtual "dumpster dive."
- [Domaintools](https://whois.domaintools.com/) - Find Whois information quickly and easily including registrar, name servers, and etc.
- [FindSubDomains](https://findsubdomains.com/) - From Spyse. Awesome tool to find subdomains.
- [FireCompass](https://firecompass.com/) - Discovers an organization's digital attack surface.
- [Informer](https://website.informer.com/) - Retrieves a quick aggregated view of everything the Web can promptly tell you about a site.
- [Maltego](https://maltego.com/) - Open Source Intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.
- [Netcraft](https://netcraft.com/) - Multiple tools from site report to DNS search.
- [Professional Toolset](https://network-tools.com/) - Ping, Tracert, HTTP Headers, and more!
- [Shodan](https://shodan.io/) - Shodan has servers around the world that crawl the internet 24/7 to provide the latest internet intelligence.
- [SpiderFoot](https://www.spiderfoot.net/) - Automated OSINT collection!
- [Traceroute NG](https://solarwinds.com/free-tools/traceroute-ng) - Continuous probing, detects path changes, supports IPv4 & IPv6, Creates a txt logfile.
- [URL Fuzzer](https://pentest-tools.com/website-vulnerability-scanning/discover-hidden-directories-and-files#) - Free light scan for hidden files and directories.
- [VisualRoute](http://www.visualroute.com/) - Continuous trace routing, reverse tracing, port probing, route analysis, and much more!
- [You Get Signal](https://yougetsignal.com/) - Port forwarding, network location, visual trace route, reverse IP domain check, and more!
- [Wappalyzer](https://www.wappalyzer.com/) - Identify technologies on websites. Find out the technology stack of any website.
- [WebShag](https://github.com/wereallfeds/webshag) - Multi-threaded, multi-platform web server audit tool. Gathers useful functionalities for web server auditing like website crawling, URL scanning, or file fuzzing.
- [Wireshark](https://wireshark.org/) - The world's foremost and widely-used network protocol analyzer.
- [Whois.net](https://whois.net/) - Quick and easy Whois lookup. Domain name search, registration and availability, and more.
## Google Dorking
> Commands (or "dorks") for the world's most popular search engine
- **cache** - shows Google's cached copy of a page: `cache:securitytrails.com`. Google retired this operator in 2024; use the Wayback Machine for archived copies.
- **allintext** - every listed term must appear in the body text of the page: `allintext:hacking tools`
- **allintitle** - like allintext, but every listed term must appear in the page title: `allintitle:"Security Companies"`
- **allinurl** - every listed term must appear somewhere in the URL: `allinurl:client area`
- **filetype** - restricts results to a file extension; to find jpg files: `filetype:jpg`
- **inurl** - like allinurl, but applies only to the single term directly after the colon: `inurl:admin`
- **intitle** - the term directly after the colon must appear in the title; in `intitle:security tools`, "security" must be in the title (anywhere in it, not necessarily at the start) while "tools" may be anywhere on the page.
- **inanchor** - this is useful when you need to search for an exact anchor text used on any links. `inanchor:"cyber security"`
- **intext** - useful to locate pages that contain certain characters or strings inside their text. `intext:"safe internet"`
- **link** - listed pages that link to the specified URL: `link:microsoft.com`. Google dropped this operator in 2017; it no longer returns meaningful results.
- **site** - restricts results to the specified domain, including its subdomains: `site:securitytrails.com`
- **\*** - wildcard standing in for one or more unknown words. For example, `how to * a website` returns "how to design/create/hack… a website".
- **|** - logical OR (the keyword `OR` works too), for example `security | tips` returns pages containing "security" or "tips" or both. Note that `"security" "tips"` without the operator is an AND: both words must appear.
- **+** - formerly forced a term to be included; Google no longer honours it, so `security + trails` is treated as `security trails`. Wrap a term in double quotes to require it.
- **-** - the minus operator excludes results containing a word, for example `security -trails` shows pages that mention "security" but not "trails."

A note on syntax: operators take no space after the colon. `site: example.com` searches for the word "example.com" rather than restricting to that site.
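The single most common mistake with dorks is a space after the operator colon, which silently turns `site: example.com` into an ordinary keyword search. The following added example (my own code, not from any tool on this page) tokenizes a dork, repairs that spacing, warns about operators Google has retired, and builds the search URL. The operator list and the retirement notes reflect Google's documented behaviour; the sample queries are constructed.

```python
import re
from urllib.parse import urlencode

OPERATORS = {
    "site", "inurl", "allinurl", "intitle", "allintitle", "intext", "allintext",
    "inanchor", "filetype", "ext", "cache", "link", "related", "before", "after",
}
RETIRED = {
    "cache": "cache: was retired by Google in 2024; use the Wayback Machine",
    "link": "link: stopped returning results in 2017",
}

# A token is either <optional operator:> followed by a quoted phrase, or a run
# of non-space characters; this keeps allintitle:"Security Companies" together.
TOKEN_RE = re.compile(r'(?:-?[A-Za-z]+:)?"[^"]*"|\S+')
OP_RE = re.compile(r"^(-?)([A-Za-z]+):(.*)$")


def normalize_dork(query):
    """Return (normalized query, list of warnings)."""
    tokens = TOKEN_RE.findall(query)
    out, warnings = [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "+":
            warnings.append("'+' is no longer honoured; quote the term instead")
            i += 1
            continue
        m = OP_RE.match(tok)
        if m:
            neg, op, arg = m.group(1), m.group(2).lower(), m.group(3)
            if op not in OPERATORS:
                warnings.append(f"unknown operator {op}:")
            if op in RETIRED:
                warnings.append(RETIRED[op])
            if arg == "" and i + 1 < len(tokens):
                # "site: example.com" -> "site:example.com"
                arg = tokens[i + 1]
                i += 1
                warnings.append(f"removed space after {op}:")
            tok = f"{neg}{op}:{arg}"
        out.append(tok)
        i += 1
    return " ".join(out), warnings


def google_url(query):
    """Build the search URL; urlencode handles quotes, colons and spaces."""
    return "https://www.google.com/search?" + urlencode({"q": query})


if __name__ == "__main__":
    for q in ('site: example.com filetype: pdf "annual report" -inurl:blog',
              'link: microsoft.com', 'security + trails'):
        fixed, warns = normalize_dork(q)
        print(fixed, "->", google_url(fixed))
        for w in warns:
            print("  warning:", w)
```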