# Reconnaissance
## Azure
- Greyhat Warfare - Search scanned archived AWS buckets.
- OpenBuckets - Search public or misconfigured Azure buckets and their contents.
## Content Discovery/Fuzzers
- content-discovery - Tool to support "Content Discovery" during mapping of web applications/sites.
- dirble - Fast directory scanning and scraping tool.
- DirBuster - A multi-threaded Java application designed to brute-force directory and file names on web/application servers.
- DirHunt - Find web directories without bruteforce.
- dirsearch - Web path scanner.
- Feroxbuster - A fast, simple, recursive content discovery tool written in Rust.
- ffuf - Fast web fuzzer written in Go.
- fuzzagotchi - Automatic web fuzzer.
- GoBuster - Directory/File, DNS and VHost busting tool written in Go.
- Hakrawler - Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.
- HTTPLoot - An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages.
- IISRecon - IIS shortname scanner + bruteforce.
- Kiterunner - Contextual Content Discovery Tool.
- LinkFinder - A Python script that finds endpoints in JavaScript files.
- ParamSpider - Mining parameters from dark corners of Web Archives.
- Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning.
- RecurseBuster - Rapid content discovery tool for recursively querying webservers.
- Scilla - Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration.
- UnChain - A tool to find redirection chains in multiple URLs.
- xnLinkFinder - A Python tool used to discover endpoints for a given target.
- x8 - Hidden parameters discovery suite written in Rust.
## DNS
- aiodnsbrute - Python 3.5+ DNS asynchronous brute force utility.
- DNSdumpster - DNS recon & research, find & look up DNS records.
- dnssearch - A subdomain enumeration tool.
- dnsX - Fast and multi-purpose DNS toolkit that allows running multiple DNS queries.
- Fastsub - A custom built DNS bruteforcer with multi-threading, and handling of bad resolvers.
- Fierce - A DNS reconnaissance tool for locating non-contiguous IP space.
- MassDNS - A high-performance DNS stub resolver for bulk lookups and reconnaissance.
- Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning.
- SubBrute - A DNS meta-query spider that enumerates DNS records and subdomains.
## Domain/IP
- Altdns - Generates permutations, alterations and mutations of subdomains and then resolves them.
- Amass - In-depth Attack Surface Mapping and Asset Discovery.
- Assetfinder - Find domains and subdomains potentially related to a given domain.
- Chaos-Client - Go client to communicate with Chaos DNS API.
- crt.sh - Certificate search on domains.
- ctfr - Abusing Certificate Transparency logs for getting HTTPS websites subdomains.
- Discover - Custom bash scripts to automate various pentesting tasks including recon.
- findomain - The complete solution for domain recognition.
- findsubdomains.com (spyse) - Subdomain finder to make your reconnaissance process faster and effortless.
- IPScout - Host information and threat aggregator for network administrators and security analysts.
- Knock - Knock Subdomain Scan.
- OneForAll - A powerful subdomain integration tool.
- Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning.
- Robtex - Robtex is used for various kinds of research of IP numbers, Domain names, etc.
- Scilla - Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration.
- sigurlfind3r - A reconnaissance tool that fetches URLs from AlienVault's OTX, Common Crawl, URLScan, GitHub and the Wayback Machine.
- subfinder - Fast passive subdomain enumeration tool.
- sublist3r - Fast subdomains enumeration tool for penetration testers.
- Turbolist3r - Subdomain enumeration tool with analysis features for discovered domains.
- Websitewatcher - Monitor website domain for changes.
## Dorking
- Dorkbot - Command line dorking tool.
## Frameworks
- aut0rec0n - An automatic reconnaissance command-line tool for DNS, port scanning, and subdomains.
- FinalRecon - All In One Web Recon.
- Osmedeus - Fully automated offensive security framework for reconnaissance and vulnerability scanning.
- ReconDog - Reconnaissance Swiss Army Knife.
- sn1per - Discover the attack surface and prioritize risks with our continuous Attack Surface Management.
## Search Engines
- Censys - Highly-indexed Internet-wide scan data at scale.
- Google Dataset - Indexed datasets.
- Mamont - Open FTP Indexer.
- Napalm - Open FTP Indexer.
- OCCRP Aleph - Global archive of research material.
- OnionScan - Tor scanner.
- Shodan - The security search engine. Search everything IoT.
- Wayback Machine - Internet archive of saved web pages.
- OpenBuckets - Search public or misconfigured buckets and their contents from all cloud providers (AWS, GCP, IBM, Linode etc).
## Wordlists
- API Endpoints & Objects - A list of 3203 common API endpoints and objects designed for fuzzing.
- Funny Fuzzing Wordlist - Funny Fuzzing Wordlist.
- Fuzz.txt - Directory & File List.
- SecLists - A collection of multiple types of lists used during security assessments, collected in one place.
- Secrets in Environment Variables - Awesome list of secrets in environment variables.