https://github.com/nateahess/awesome-recon-tools
A compiled list of tools for reconnaissance and footprinting
List: awesome-recon-tools
- Host: GitHub
- URL: https://github.com/nateahess/awesome-recon-tools
- Owner: nateahess
- License: cc0-1.0
- Created: 2021-02-11T22:43:49.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2021-03-27T19:46:58.000Z (over 3 years ago)
- Last Synced: 2024-05-23T08:03:32.596Z (5 months ago)
- Topics: awesome, awesome-list, cybersecurity, footprinting, recon, reconnaissance, red-team, security
- Homepage:
- Size: 425 KB
- Stars: 64
- Watchers: 2
- Forks: 5
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Contributing: contributing.md
- License: LICENSE
- Code of conduct: code-of-conduct.md
Awesome Lists containing this project
- ultimate-awesome - awesome-recon-tools - A compiled list of tools for reconnaissance and footprinting. (Other Lists / PowerShell Lists)
README
![header-image](https://github.com/nahberry/Recon-Tools/blob/main/Logo/Recon-Tools.PNG)
# Recon Tools [![Awesome](https://awesome.re/badge-flat2.svg)](https://awesome.re)
> A compiled list of tools for reconnaissance and footprinting.

## Contents
* [Domain and Network Recon](#Domain-and-Network-Recon) - Tools for grabbing network related information.
* [Personal Information and Email Footprinting](#Personal-Information-and-Email-Footprinting) - Tools for finding personal information such as social networks and emails as well as footprinting tools for mail.
* [Hacking with Google](#Hacking-with-Google) - Use Google commands to your advantage
## Domain and Network Recon
> Robust tools for gathering domain and network information.

### Programs and Web Applications
* [ARIN Whois/RDAP](https://arin.net/about/welcom/region) - A public resource that allows a user to retrieve information about IP number resources, organizations, and Points of Contact registered with ARIN.
* [Aquatone](https://github.com/michenriksen/aquatone) - A tool for visual inspection of websites across a large amount of hosts. Very convenient for quickly gaining an overview of HTTP-based attack surfaces.
* [Batch IP Converter](http://sabsoft.com) - An award-winning network tool to work with IP addresses. Domain-to-IP Converter, Batch Ping, Tracert, Whois, and more.
* [BuiltWith](https://builtwith.com) - Scans for over 46,953 different web technologies. Discover what tools a site uses such as shopping carts, hosting, analytics, and more.
* [Censys](https://censys.io) - Mines a global internet dataset to enumerate assets that may compromise an attack surface.
* [DataSploit](https://github.com/DataSploit/datasploit) - Performs automated OSINT on a domain/email/username/phone and finds relevant information from different sources.
* [DNSDumpster](https://dnsdumpster.com) - Can discover hosts related to a domain. Map an organization's attack surface with a virtual "dumpster dive."
* [Domaintools](https://whois.domaintools.com) - Find Whois information quickly and easily, including registrar, name servers, etc.
* [FindSubDomains](https://findsubdomains.com) - From Spyse. Awesome tool to find subdomains.
* [FireCompass](https://firecompass.com) - Discovers an organization's digital attack surface.
* [Informer](https://website.informer.com/) - Retrieves a quick aggregated view of everything the Web can promptly tell you about a site.
* [Maltego](https://maltego.com) - Open Source Intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.
* [Netcraft](https://netcraft.com) - Multiple tools from site report to DNS search.
* [Professional Toolset](https://network-tools.com) - Ping, Tracert, HTTP Headers, and more!
* [Shodan](https://shodan.io) - Shodan has servers around the world that crawl the internet 24/7 to provide the latest internet intelligence.
* [SpiderFoot](https://www.spiderfoot.net/) - Automated OSINT collection!
* [Traceroute NG](https://solarwinds.com/free-tools/traceroute-ng) - Continuous probing, detects path changes, supports IPv4 & IPv6, Creates a txt logfile.
* [URL Fuzzer](https://pentest-tools.com/website-vulnerability-scanning/discover-hidden-directories-and-files#) - Free light scan for hidden files and directories.
* [VisualRoute](http://www.visualroute.com) - Continuous trace routing, reverse tracing, port probing, route analysis, and much more!
* [You Get Signal](https://yougetsignal.com) - Port forwarding, network location, visual trace route, reverse IP domain check, and more!
* [Wappalyzer](https://www.wappalyzer.com) - Identify technologies on websites. Find out the technology stack of any website.
* [WebShag](https://github.com/wereallfeds/webshag) - Multi-threaded, multi-platform web server audit tool. Gathers useful functionalities for web server auditing like website crawling, URL scanning, or file fuzzing.
* [Wireshark](https://wireshark.org) - The world's foremost and widely-used network protocol analyzer.
* [Whois.net](https://whois.net) - Quick and easy Whois lookup. Domain name search, registration and availability, and more.
### Windows CLI
* [nslookup](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup) - Command-line tool for querying the Domain Name System to obtain name or IP address mapping and other DNS records.
* [tracert](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tracert) - Command-line tool for displaying a route and measuring transit delays of packets across an Internet Protocol network.
### Linux CLI // Kali
* [dig](https://linuxhandbook.com/dig-command/) - Domain Information Groper - Queries the DNS of a given server.
* [dnsrecon](https://tools.kali.org/information-gathering/dnsrecon) - Check NS Records for Zone Transfers, enumerate general DNS records, check cached DNS records, and more.
* [dnstracer](https://tools.kali.org/information-gathering/dnstracer) - Determines where a given Domain Name Server gets its information from for a given hostname.
* [Fierce](https://github.com/mschwager/fierce) - DNS reconnaissance tool for locating non-contiguous IP space.
* [Ghost Eye](https://github.com/BullsEye0/ghost_eye) - Information gathering tool for Whois, DNS, EtherApe, Nmap, and more.
* [recon-ng](https://github.com/lanmaster53/recon-ng) - Provides a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly.
* [traceroute](https://www.commandlinux.com/man-page/man1/traceroute.db.1.html) - Print the route packets trace to network host.
* [unicornscan](https://tools.kali.org/information-gathering/unicornscan) - Provides a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network.
* [whois](https://www.commandlinux.com/man-page/man1/whois.1.html) - Quick and easy client for the whois directory service.
## Personal Information and Email Footprinting
> Tools for gathering personal information, social networks, and email footprinting.

### Programs and Web Applications
* [BeenVerified](https://beenverified.com) - Background checks with loads of information.
* [eMailTrackerPro](https://emailtrackerpro.com) - Pull detailed information from an email header. Also includes spam filtering.
* [Followerwonk](https://followerwonk.com) - Information scraped from Twitter.
* [Infoga](https://github.com/m4ll0k/infoga) - Gather email OSINT. Domains, sources, breaches, and more.
* [Jigsaw](https://www.jigsawsecurityenterprise.com/) - OSINT-X Intelligence Collection Tool from Jigsaw allows for the collection of data from RSS feeds, the dark web, Twitter, Facebook, and other sources.
* [PeekYou](https://peekyou.com) - Locate personal information from family members to social media accounts.
### Linux CLI // Kali
* [sherlock](https://github.com/sherlock-project/sherlock) - Crawls the web for social profiles.
* [theHarvester](https://tools.kali.org/information-gathering/theharvester) - Pulls a list of email addresses of a specific domain from multiple search engines.
## Hacking with Google
> Commands (or "dorks") for the world's most popular search engine

* __cache__ - this command will show you the cached version of any website.
  `cache: securitytrails.com`
* __allintext__ - searches for specific text contained on any web page.
  `allintext: hacking tools`
* __allintitle__ - exactly the same as allintext, but will show pages that contain titles with X characters.
  `allintitle:"Security Companies"`
* __allinurl__ - it can be used to fetch results whose URL contains all the specified characters.
  `allinurl client area`
* __filetype__ - used to search for any kind of file extension; for example, if you want to search for jpg files you can use:
  `filetype: jpg`
* __inurl__ - this is exactly the same as allinurl, but it is only useful for one single keyword.
  `inurl: admin`
* __intitle__ - used to search for various keywords inside the title; for example,
  `intitle:security tools` will search for titles beginning with “security”, but “tools” can be somewhere else in the page.
* __inanchor__ - this is useful when you need to search for an exact anchor text used on any links.
  `inanchor:"cyber security"`
* __intext__ - useful to locate pages that contain certain characters or strings inside their text.
  `intext:"safe internet"`
* __link__ - will show the list of web pages that have links to the specified URL.
  `link: microsoft.com`
* __site__ - will show you the full list of all indexed URLs for the specified domain and subdomain.
  `site:securitytrails.com`
* __*__ - wildcard used to search pages that contain “anything” before your word.
  For example, `how to * a website` will return “how to…” design/create/hack, etc. “a website”.
* __|__ - this is a logical operator; for example, `"security" "tips"` will show all the sites which contain “security” or “tips,” or both words.
* __+__ - used to concatenate words, useful to detect pages that use more than one specific key.
  `security + trails`
* __–__ - the minus operator is used to avoid showing results that contain certain words; for example, `security -trails` will show pages that use “security” in their text, but not those that have the word “trails.”