# Reconnaissance

# Azure

  • Greyhat Warfare - Search scanned archived AWS buckets.
  • OpenBuckets - Search public or misconfigured Azure buckets and their contents.

# Content Discovery/Fuzzers

  • content-discovery - Tool to support "Content Discovery" during mapping of web applications/sites.
  • dirble - Fast directory scanning and scraping tool.
  • DirBuster - A multi-threaded Java application designed to brute-force directory and file names on web/application servers.
  • DirHunt - Find web directories without bruteforce.
  • dirsearch - Web path scanner.
  • Feroxbuster - A fast, simple, recursive content discovery tool written in Rust.
  • ffuf - Fast web fuzzer written in Go.
  • fuzzagotchi - Automatic web fuzzer.
  • GoBuster - Directory/File, DNS and VHost busting tool written in Go.
  • Hakrawler - Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.
  • HTTPLoot - An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages.
  • IISRecon - IIS shortname scanner + bruteforce.
  • Kiterunner - Contextual Content Discovery Tool.
  • LinkFinder - A Python script that finds endpoints in JavaScript files.
  • ParamSpider - Mining parameters from dark corners of Web Archives.
  • Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning.
  • RecurseBuster - Rapid content discovery tool for recursively querying webservers.
  • Scilla - Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration.
  • UnChain - A tool to find redirection chains in multiple URLs.
  • xnLinkFinder - A Python tool used to discover endpoints for a given target.
  • x8 - Hidden parameters discovery suite written in Rust.

# DNS

  • aiodnsbrute - Python 3.5+ DNS asynchronous brute force utility.
  • dnsdumpster - DNS recon & research, find & look up DNS records.
  • dnssearch - A subdomain enumeration tool.
  • dnsX - Fast and multi-purpose DNS toolkit that allows running multiple DNS queries.
  • Fastsub - A custom built DNS bruteforcer with multi-threading, and handling of bad resolvers.
  • Fierce - A DNS reconnaissance tool for locating non-contiguous IP space.
  • MassDNS - A high-performance DNS stub resolver for bulk lookups and reconnaissance.
  • Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning.
  • SubBrute - A DNS meta-query spider that enumerates DNS records, and subdomains.

# Domain/IP

  • Altdns - Generates permutations, alterations and mutations of subdomains and then resolves them.
  • Amass - In-depth Attack Surface Mapping and Asset Discovery.
  • Assetfinder - Find domains and subdomains potentially related to a given domain.
  • Chaos-Client - Go client to communicate with Chaos DNS API.
  • crt.sh - Certificate search on domains.
  • ctfr - Abusing Certificate Transparency logs for getting HTTPS websites subdomains.
  • Discover - Custom bash scripts to automate various pentesting tasks including recon.
  • findomain - The complete solution for domain recognition.
  • findsubdomains.com (spyse) - Subdomain finder to make your reconnaissance process faster and effortless.
  • IPScout - Host information and threat aggregator for network administrators and security analysts.
  • Knock - Knock Subdomain Scan.
  • OneForAll - A powerful subdomain integration tool.
  • Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning.
  • Robtex - Robtex is used for various kinds of research of IP numbers, Domain names, etc.
  • Scilla - Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration.
  • sigurlfind3r - A reconnaissance tool that fetches URLs from AlienVault's OTX, Common Crawl, URLScan, GitHub and the Wayback Machine.
  • subfinder - Fast passive subdomain enumeration tool.
  • sublist3r - Fast subdomains enumeration tool for penetration testers.
  • Turbolist3r - Subdomain enumeration tool with analysis features for discovered domains.
  • Websitewatcher - Monitor website domain for changes.

# Dorking

  • Dorkbot - Command line dorking tool.

# Frameworks

  • aut0rec0n - An automatic reconnaissance command-line tool for DNS, port scanning, and subdomains.
  • FinalRecon - All In One Web Recon.
  • Osmedeus - Fully automated offensive security framework for reconnaissance and vulnerability scanning.
  • ReconDog - Reconnaissance Swiss Army Knife.
  • sn1per - Discover the attack surface and prioritize risks with our continuous Attack Surface Management.

# Search Engines

  • Censys - Highly-indexed Internet-wide scan data at scale.
  • Google Dataset - Indexed datasets.
  • Mamont - Open FTP Indexer.
  • Napalm - Open FTP Indexer.
  • OCCRP Aleph - Global archive of research material.
  • OnionScan - TOR scanner.
  • Shodan - The security search engine. Search everything IoT.
  • Wayback Machine - Internet archive of saved web pages.
  • OpenBuckets - Search public or misconfigured buckets and their contents from all cloud providers (AWS, GCP, IBM, Linode etc).

# Wordlists