Ecosyste.ms: Awesome

https://github.com/nateahess/awesome-recon-tools

A compiled list of tools for reconnaissance and footprinting

List: awesome-recon-tools

awesome awesome-list cybersecurity footprinting recon reconnaissance red-team security

Last synced: 16 days ago

README

![header-image](https://github.com/nahberry/Recon-Tools/blob/main/Logo/Recon-Tools.PNG)

# Recon Tools [![Awesome](https://awesome.re/badge-flat2.svg)](https://awesome.re)
> A compiled list of tools for reconnaissance and footprinting.

## Contents

* [Domain and Network Recon](#domain-and-network-recon) - Tools for gathering network-related information.

* [Personal Information and Email Footprinting](#personal-information-and-email-footprinting) - Tools for finding personal information such as social-network accounts and email addresses, plus footprinting tools for mail.

* [Hacking with Google](#hacking-with-google) - Google search operators ("dorks") that narrow results to useful targets.

## Domain and Network Recon
> Robust tools for gathering domain and network information.

### Programs and Web Applications

* [ARIN Whois/RDAP](https://arin.net/about/welcom/region) - A public resource that allows a user to retrieve information about IP number resources, organizations, and Points of Contact registered with ARIN.

* [Aquatone](https://github.com/michenriksen/aquatone) - A tool for visual inspection of websites across a large amount of hosts. Very convenient for quickly gaining an overview of HTTP-based attack surfaces.

* [Batch IP Converter](http://sabsoft.com) - An award-winning network tool to work with IP addresses. Domain-to-IP Converter, Batch Ping, Tracert, Whois, and more.

* [BuiltWith](https://builtwith.com) - Identifies the technologies a site uses, such as shopping carts, hosting, analytics, and more; its database covers over 46,953 web technologies.

* [Censys](https://censys.io) - Mines a global internet-scan dataset to enumerate the hosts, certificates, and services that make up an organization's attack surface.

* [DataSploit](https://github.com/DataSploit/datasploit) - Performs automated OSINT on a domain/email/username/phone and finds relevant information from different sources.

* [DNSDumpster](https://dnsdumpster.com) - Discovers hosts related to a domain. Map an organization's attack surface with a virtual "dumpster dive."

* [Domaintools](https://whois.domaintools.com) - Find Whois information quickly and easily, including registrar, name servers, and more.

* [FindSubDomains](https://findsubdomains.com) - From Spyse. Awesome tool to find subdomains.

* [FireCompass](https://firecompass.com) - Discovers an organization's digital attack surface.

* [Informer](https://website.informer.com/) - Retrieves a quick aggregated view of everything the Web can promptly tell you about a site.

* [Maltego](https://maltego.com) - Open Source Intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.

* [Netcraft](https://netcraft.com) - Multiple tools from site report to DNS search.

* [Professional Toolset](https://network-tools.com) - Ping, Tracert, HTTP Headers, and more!

* [Shodan](https://shodan.io) - Shodan has servers around the world that crawl the internet 24/7 to provide the latest internet intelligence.

* [SpiderFoot](https://www.spiderfoot.net/) - Automated OSINT collection!

* [Traceroute NG](https://solarwinds.com/free-tools/traceroute-ng) - Continuous probing, detects path changes, supports IPv4 and IPv6, and writes a text log file.

* [URL Fuzzer](https://pentest-tools.com/website-vulnerability-scanning/discover-hidden-directories-and-files#) - Free light scan for hidden files and directories.

* [VisualRoute](http://www.visualroute.com) - Continuous trace routing, reverse tracing, port probing, route analysis, and much more!

* [You Get Signal](https://yougetsignal.com) - Port forwarding, network location, visual trace route, reverse IP domain check, and more!

* [Wappalyzer](https://www.wappalyzer.com) - Identify technologies on websites. Find out the technology stack of any website.

* [WebShag](https://github.com/wereallfeds/webshag) - Multi-threaded, multi-platform web server audit tool. Gathers useful functionalities for web server auditing like website crawling, URL scanning, or file fuzzing.

* [Wireshark](https://wireshark.org) - The world's foremost and widely-used network protocol analyzer.

* [Whois.net](https://whois.net) - Quick and easy Whois lookup. Domain name search, registration and availability, and more.

### Windows CLI

* [nslookup](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup) - Command-line tool for querying the Domain Name System to obtain name or IP address mapping and other DNS records.

* [tracert](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tracert) - Command-line tool for displaying the route taken and measuring transit delays of packets across an Internet Protocol (IP) network.

### Linux CLI // Kali

* [dig](https://linuxhandbook.com/dig-command/) - Domain Information Groper - Queries the DNS of a given server.

* [dnsrecon](https://tools.kali.org/information-gathering/dnsrecon) - Checks NS records for zone transfers (AXFR), enumerates general DNS records, brute-forces subdomains from a wordlist, checks cached DNS records, and more.

* [dnstracer](https://tools.kali.org/information-gathering/dnstracer) - Determines where a given Domain Name Server gets its information from for a given hostname.

* [Fierce](https://github.com/mschwager/fierce) - DNS reconnaissance tool for locating non-contiguous IP space.

* [Ghost Eye](https://github.com/BullsEye0/ghost_eye) - Information gathering tool for Whois, DNS, EtherApe, Nmap, and more.

* [recon-ng](https://github.com/lanmaster53/recon-ng) - Provides a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly.

* [ronin-recon](https://github.com/ronin-rb/ronin-recon#readme) - Recursive recon engine and framework that can enumerate subdomains, DNS records, port scan, grab TLS certs, spider websites, and collect email addresses.

* [traceroute](https://www.commandlinux.com/man-page/man1/traceroute.db.1.html) - Print the route packets trace to network host.

* [unicornscan](https://tools.kali.org/information-gathering/unicornscan) - Provides a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network.

* [whois](https://www.commandlinux.com/man-page/man1/whois.1.html) - Quick and easy client for the whois directory service.
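
The zone-transfer check that dnsrecon and Fierce automate is easy to run by hand with dig (`dig @ns1.example.com example.com AXFR +noall +answer`), but the output still has to be read correctly: a server that refuses prints only a `; Transfer failed.` comment, while one that leaks the zone returns every record bracketed by two SOA entries. The parser below is an added example, not code from this list or from any of the tools above; the dig output it consumes is constructed inline for a hypothetical `example.com` zone, and the helper names are my own.

```python
"""Parse `dig ... AXFR +noall +answer` output and report whether the name
server allowed a zone transfer, listing the hostnames it exposed if so."""
import re
from typing import Dict, List

# Constructed sample: what dig prints when the server (wrongly) allows
# AXFR to anyone. Hypothetical zone; addresses are from a documentation range.
AXFR_ALLOWED = """\
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.\t3600\tIN\tNS\tns1.example.com.
example.com.\t3600\tIN\tMX\t10 mail.example.com.
vpn.example.com.\t300\tIN\tA\t203.0.113.10
staging.example.com.\t300\tIN\tA\t203.0.113.20
mail.example.com.\t300\tIN\tA\t203.0.113.25
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
"""

# Constructed sample: the same query against a correctly locked-down server.
AXFR_REFUSED = """\
; Transfer failed.
"""

# name  ttl  IN  type  rdata   (dig separates the fields with tabs)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_axfr(output: str) -> Dict[str, object]:
    """Return whether the transfer succeeded and which hostnames it exposed.

    A successful AXFR starts and ends with the zone's SOA record; anything
    else (a '; Transfer failed.' comment, an empty answer) means refusal.
    """
    records: List[dict] = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig comments and blank separators carry no records
        m = RECORD_RE.match(line)
        if not m:
            continue  # tolerate unexpected lines instead of aborting the parse
        name, ttl, rtype, rdata = m.groups()
        records.append({"name": name.rstrip("."), "ttl": int(ttl),
                        "type": rtype, "rdata": rdata})

    soa_count = sum(1 for r in records if r["type"] == "SOA")
    transferred = (soa_count >= 2
                   and records[0]["type"] == "SOA"
                   and records[-1]["type"] == "SOA")
    # Address records are the footprinting payoff: forgotten hosts like
    # staging or VPN endpoints that no search engine would have indexed.
    hosts = sorted({r["name"] for r in records
                    if r["type"] in ("A", "AAAA", "CNAME")})
    return {"transferred": transferred, "records": records, "hosts": hosts}


def summarize(output: str, nameserver: str) -> str:
    """One-line finding for a recon log."""
    result = parse_axfr(output)
    if not result["transferred"]:
        return f"{nameserver}: zone transfer refused"
    return (f"{nameserver}: ZONE TRANSFER ALLOWED, "
            f"{len(result['records'])} records, hosts: {', '.join(result['hosts'])}")


if __name__ == "__main__":
    print(summarize(AXFR_ALLOWED, "ns1.example.com"))
    print(summarize(AXFR_REFUSED, "ns1.example.com"))
```

Run the dig query once per name server returned by `dig example.com NS +short` and feed each capture to `summarize`; a single permissive secondary is enough to leak the whole zone, so every NS has to be tested, not just the primary.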

## Personal Information and Email Footprinting
> Tools for gathering personal information, social networks, and email footprinting.

### Programs and Web Applications

* [BeenVerified](https://beenverified.com) - Background checks with loads of information.

* [eMailTrackerPro](https://emailtrackerpro.com) - Pull detailed information from an email header. Also includes spam filtering.

* [Followerwonk](https://followerwonk.com) - Information scraped from Twitter.

* [Infoga](https://github.com/m4ll0k/infoga) - Gather email OSINT. Domains, sources, breaches, and more.

* [Jigsaw](https://www.jigsawsecurityenterprise.com/) - OSINT-X Intelligence Collection Tool from Jigsaw allows for the collection of data from RSS feeds, the dark web, Twitter, Facebook, and other sources.

* [PeekYou](https://peekyou.com) - Locate personal information from family members to social media accounts.

### Linux CLI // Kali

* [sherlock](https://github.com/sherlock-project/sherlock) - Hunts for social-media accounts by username across a large number of sites.

* [theHarvester](https://tools.kali.org/information-gathering/theharvester) - Collects email addresses, subdomains, hosts, and employee names for a target domain from multiple search engines and other public sources.

## Hacking with Google
> Search operators (or "dorks") for the world's most popular search engine. Write the operator, a colon, and the value with no space in between; `site: example.com` is not an operator, just two ordinary words.

* __cache__ - shows Google's stored copy of a page. Google retired this operator in 2024, so use the Wayback Machine (web.archive.org) for the same purpose.
`cache:securitytrails.com`

* __allintext__ - every word after the operator must appear in the body text of the page.
`allintext:hacking tools`

* __allintitle__ - like allintext, but every word must appear in the page title.
`allintitle:"Security Companies"`

* __allinurl__ - every word after the operator must appear in the URL.
`allinurl:client area`

* __filetype__ - restricts results to a file extension; for example, to search for jpg files:
`filetype:jpg`

* __inurl__ - like allinurl, but applies only to the single term that follows it; the remaining words in the query may match anywhere.
`inurl:admin`

* __intitle__ - the term that follows must appear in the page title; other words may match anywhere. For example,
`intitle:security tools` requires "security" in the title, while "tools" can be anywhere on the page.

* __inanchor__ - matches the anchor text of links pointing to a page.
`inanchor:"cyber security"`

* __intext__ - the term must appear in the body text of the page.
`intext:"safe internet"`

* __link__ - listed the pages that link to the specified URL. Google dropped this operator in 2017, so a backlink service is needed for this today.
`link:microsoft.com`

* __site__ - restricts results to a domain and its subdomains. Google shows a sample of what it has indexed rather than an exhaustive list, but it is still the quickest way to spot forgotten subdomains and pages.
`site:securitytrails.com`

* __*__ - wildcard that stands in for one or more words.
For example, `how to * a website` returns "how to design/create/hack ... a website".

* __|__ - logical OR (the keyword `OR` in capitals works the same); `security | tips` returns pages containing "security", "tips", or both. Without the operator, `"security" "tips"` requires both words.

* __+__ - once forced a word to be included; Google stopped honouring it in 2011. Wrap the word in quotes instead: `security "trails"`.

* __-__ - minus operator excludes results containing a word; for example, `security -trails` returns pages that mention "security" but not "trails".
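
Most dork mistakes are syntax: a space after the colon, a multi-word value left unquoted, or alternatives joined without a grouping. The builder below is an added example, not part of this list; it composes the operators above into a well-formed query, quoting values that contain spaces, grouping several file types with `OR`, and prefixing exclusions with `-`. The function and parameter names are my own and `example.com` is a placeholder target.

```python
"""Compose Google dorks from the operators above without the usual syntax slips."""
from typing import Iterable, Optional
from urllib.parse import urlencode


def _quote(value: str) -> str:
    """Quote a value that contains whitespace so Google treats it as one term."""
    if " " in value and not value.startswith('"'):
        return f'"{value}"'
    return value


def _term(op: str, value: str) -> str:
    """Glue an operator to its value: `intitle:"index of"`, never `intitle: index of`."""
    return f"{op}:{_quote(value)}"


def build_dork(
    site: Optional[str] = None,
    filetypes: Iterable[str] = (),
    inurl: Iterable[str] = (),
    intitle: Iterable[str] = (),
    intext: Iterable[str] = (),
    words: Iterable[str] = (),
    any_of: Iterable[str] = (),
    exclude: Iterable[str] = (),
) -> str:
    """Return the query string. Order: site, filetype, inurl, intitle, intext,
    plain words, OR-group, exclusions."""
    parts = []
    if site:
        parts.append(_term("site", site))
    fts = list(filetypes)
    if len(fts) == 1:
        parts.append(_term("filetype", fts[0]))
    elif fts:
        # Several extensions must be grouped, otherwise Google ANDs them
        # and a page can only have one extension.
        parts.append("(" + " OR ".join(_term("filetype", ft) for ft in fts) + ")")
    parts += [_term("inurl", v) for v in inurl]
    parts += [_term("intitle", v) for v in intitle]
    parts += [_term("intext", v) for v in intext]
    parts += [_quote(w) for w in words]
    alts = [_quote(a) for a in any_of]
    if alts:
        parts.append("(" + " | ".join(alts) + ")")
    parts += ["-" + _quote(x) for x in exclude]
    return " ".join(parts)


def google_url(query: str) -> str:
    """URL-encode the finished query for a browser bookmark or an HTTP client."""
    return "https://www.google.com/search?" + urlencode({"q": query})


if __name__ == "__main__":
    # Exposed documents on a target domain, minus the marketing collateral.
    q = build_dork(site="example.com", filetypes=["pdf", "xlsx"],
                   intext=["confidential"], exclude=["marketing"])
    print(q)
    print(google_url(q))
```

Keep the generated queries in a file alongside the target's domain list so a footprinting pass is repeatable, and throttle any automated submission: Google rate-limits and CAPTCHAs scripted searches quickly.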