Information Gathering

118 tools

Traceroute tool that sends its probes inside an existing TCP connection, so they look like part of an established session and pass some stateful packet filters that drop ordinary traceroute probes.

Subdomain discovery tool that generates altered and mutated potential subdomains from known subdomains and wordlists for DNS bruteforcing.

AMAP is an application-fingerprinting scanner for pentesters that identifies services even on non-standard ports. It sends protocol-specific trigger packets and matches the replies against known response strings, which also works for binary (non-ASCII) protocols.

Amass is a tool for in-depth DNS enumeration and network mapping to help information security professionals discover attack surfaces and external assets. It uses open source information gathering and active reconnaissance techniques.

Apache-users enumerates usernames on systems running Apache with the UserDir module enabled. It requests /~username for each entry in a dictionary and tells valid users from invalid ones by the differing HTTP responses the module returns (typically 403 for an existing user versus 404 for an unknown one).

arp-scan is a command-line tool that uses the ARP protocol to discover and fingerprint IP hosts on the local network. It sends ARP requests and displays responses with MAC addresses and vendor information.

assetfinder is a command-line tool designed to find domains and subdomains associated with a specific domain. It uses multiple data sources to expand coverage and increase result accuracy.

Multi-threaded network reconnaissance tool which performs automated enumeration of services. Intended as a time-saving tool for CTFs and penetration testing environments.

Axel is a light command-line download accelerator that opens multiple connections for one file, optionally spread across mirrors, to speed up downloads. It supports HTTP, HTTPS, FTP and FTPS.

AzureHound is the official BloodHound data collector for Microsoft Azure. It collects Azure data for use with BloodHound and BloodHound Enterprise.

bing-ip2hosts is a Bing.com web scraper that discovers hostnames and websites associated with an IP address. It leverages Bing's unique IP-based search feature to enumerate subdomains and identify shared hosting environments.

BloodHound uses graph theory to reveal hidden relationships within Active Directory environments. It helps both attackers and defenders identify complex attack paths and privilege relationships.

Python-based ingestor for BloodHound Community Edition (CE) that collects Active Directory data. Built on Impacket and compatible only with BloodHound CE.

Python-based ingestor for BloodHound using Impacket for Active Directory enumeration. Collects domain data like groups, sessions, trusts, and ACLs for BloodHound analysis.

Braa is a mass SNMP scanner capable of querying dozens or hundreds of hosts simultaneously in a single process. It consumes very few system resources and performs scanning very fast.

CertGraph crawls SSL/TLS certificates and builds a directed graph from their Subject Alternative Names for domain enumeration, revealing which domains share certificates with each other.

Cisco Torch is a mass scanner for discovering remote Cisco hosts running Telnet, SSH, HTTP, NTP, TFTP and SNMP services. It launches dictionary attacks against the discovered services and, if it finds a read-write SNMP community string, can retrieve the device configuration automatically.

Multi-cloud open source intelligence tool that enumerates public resources matching user-requested keywords across AWS, Azure, and Google Cloud Platform. Useful for penetration testing and network security analysis.

CloudBrute is a cloud enumerator that finds a company's infrastructure, files and applications on major providers including Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr and Linode. It is aimed at bug bounty hunters, red teamers and penetration testers.

Command line tool for transferring data with URL syntax. Supports multiple protocols including HTTP, HTTPS, FTP, and more.

CutyCapt is a command-line utility that captures WebKit's rendering of web pages into various vector and bitmap formats including SVG, PDF, PS, PNG, JPEG, TIFF, GIF, and BMP.

DMitry is a command line tool for information gathering, capable of finding subdomains, email addresses, uptime information, performing TCP port scans, and whois lookups. It provides deep reconnaissance on hosts through various passive and active techniques.

Dnsenum is a multithreaded Perl script to enumerate DNS information of a domain and discover non-contiguous IP blocks. It gathers comprehensive details including host addresses, name servers, MX records, and subdomains.

dnsgen generates candidate domain names from the domains you feed it. On each run it extracts words from the supplied names, combines them with a wordlist, and emits the resulting permutations for resolution.

DNS domain name brute forcing tool that scans for common subdomains using built-in or external wordlists. Results can be saved in CSV and human-readable formats for further processing.

DNSRecon is a powerful Python script for DNS enumeration and scanning. It performs tasks like checking NS records for zone transfers, enumerating general DNS records, brute forcing subdomains, and more.

dnstracer traces DNS queries to determine where a given Domain Name Server gets its information for a hostname, following the chain of DNS servers back to the authoritative answer.

dnstwist generates a list of similarly looking domain names for a given domain and performs DNS queries for them. It checks MX records for active mail servers and estimates webpage similarity based on fuzzy hashes to detect typosquatters, phishing attacks, fraud and corporate espionage.

dnswalk is a DNS debugger that performs zone transfers of specified domains and checks the database for internal consistency and accuracy using nameserver lookups.

dnsx is a fast and multi-purpose DNS toolkit that performs multiple DNS queries using the retryabledns library with user-supplied resolvers. It supports DNS wildcard filtering and various record types like A, AAAA, CNAME, PTR, NS, MX, TXT, and SOA.

dscan is a wrapper around nmap that distributes scans across several hosts. It aggregates and splits address ranges, uses a configuration file for adjustable scan settings, and supports resume functionality.

Dufflebag searches public AWS Elastic Block Storage (EBS) snapshots for accidentally exposed secrets. It operates as an Elastic Beanstalk application within an AWS environment.

OSINT tool that obtains a target's phone number using only their email address by exploiting password reset mechanisms and public data sources.

EmailHarvester is a tool to retrieve domain email addresses from popular search engines. It supports exporting results to TXT and XML files with options for limiting results and using proxies.

Enum4linux enumerates information from Windows and Samba systems using Samba tools. It provides functionality similar to the former enum.exe with added features like RID cycling.

Next generation version of enum4linux for enumerating information from Windows and Samba systems. Features JSON/YAML export and smart enumeration targeted at security professionals and CTF players.

Fierce is a DNS reconnaissance tool that locates non-contiguous IP space and hostnames against specified domains. It serves as a precursor to tools like nmap by identifying likely targets inside and outside corporate networks.

Fast and simple Python script for web reconnaissance with a modular structure, each module gathering detailed information on one area of the target site.

Findomain is a fast domain recognition and subdomain enumeration tool. Beyond enumeration it supports screenshotting, port scanning, HTTP checks, and notifications to Discord, Slack and Telegram.

Firewalk is an active reconnaissance network security tool that determines what layer 4 protocols a given IP forwarding device will pass. It helps assess the security configuration of packet filtering devices like firewalls.

fping sends ICMP ECHO_REQUEST packets to network hosts to determine if they are responding. It differs from ping by allowing multiple targets on the command line or from a file and uses a round-robin fashion to ping them.

Fetches known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain. Inspired by Tomnomnom’s waybackurls.

Gitxray scans GitHub repositories and contributors to collect data using public GitHub REST APIs. It gathers information that would otherwise be very time-consuming to obtain manually, seeking out data in unconventional places.

High-performance discovery tool for directories, DNS subdomains, virtual hosts, cloud storage buckets, TFTP servers, and custom fuzzing. Designed for penetration testers to perform security assessments and reconnaissance.

Command line tool for searching specific file types within a given domain using Google search. Identifies publicly accessible files like PDFs from target domains.

Email open source intelligence and breach hunting tool that queries different breach and reconnaissance services or local breaches like Troy Hunt’s Collection1 and Breach Compilation torrent.

HostHunter discovers and extracts hostnames from a set of target IP addresses using OSINT techniques. It generates CSV or TXT output files with results and optionally captures screenshots of associated web applications.

httprint is a web server fingerprinting tool that identifies web servers based on their characteristics, even if obfuscated by banner changes or plugins. It can also detect web-enabled devices without server banners, such as routers and access points.

httprobe takes a list of domains and probes each one for a working HTTP and HTTPS server, leaving only the hosts that actually answer on the web ports.

HTTrack is an offline browser utility that copies websites to a local directory, recursively building all directories and files. It preserves the original site's relative link structure for offline browsing.

Queries the ident service (113/TCP) to determine the OS-level user running processes on specified TCP ports of a target system. Helps prioritize services for pentesting and gather usernames for password guessing attacks.
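The lookup described above, as an added example (not the tool's own code): build the RFC 1413 query for a connection we opened, parse the USERID/ERROR reply, and map target ports to their owning users. The replies in FAKE_IDENTD are constructed so the demo runs offline; ident_ask is the live-network equivalent of the injected callable.

```python
"""Ident (RFC 1413) owner lookup: query format, reply parsing, port-to-user mapping."""
import socket

IDENT_PORT = 113


def build_query(server_port: int, client_port: int) -> bytes:
    # RFC 1413 request: "<port on the identd host> , <port on the querying host>" CRLF.
    # Asking about a connection we opened to server_port reveals which OS user
    # owns the listening process behind that port.
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def parse_reply(line: str) -> dict:
    """Parse "srv , cli : USERID : <opsys> : <user>" or "srv , cli : ERROR : <code>"."""
    head, sep, rest = line.strip().partition(":")
    ports = [p.strip() for p in head.split(",")]
    if not sep or len(ports) != 2 or not all(p.isdigit() for p in ports):
        raise ValueError(f"malformed ident reply: {line!r}")
    fields = [f.strip() for f in rest.split(":")]
    reply = {"server_port": int(ports[0]), "client_port": int(ports[1]), "kind": fields[0]}
    if fields[0] == "USERID" and len(fields) >= 3:
        reply["opsys"] = fields[1]
        reply["user"] = ":".join(fields[2:])  # user ids may legally contain ':'
    elif fields[0] == "ERROR" and len(fields) == 2:
        reply["error"] = fields[1]  # INVALID-PORT, NO-USER, HIDDEN-USER, UNKNOWN-ERROR
    else:
        raise ValueError(f"unexpected ident reply: {line!r}")
    return reply


def enumerate_owners(ports, ask) -> dict:
    """Map each target port to its owning user, or to the identd error code.

    ask(server_port) must open a connection to that port, query identd about
    it, and return the raw reply line. The demo injects a fake to stay offline.
    """
    owners = {}
    for port in ports:
        try:
            reply = parse_reply(ask(port))
        except (OSError, ValueError) as exc:
            owners[port] = f"error: {exc}"
            continue
        owners[port] = reply.get("user") or reply.get("error")
    return owners


def ident_ask(host: str, server_port: int, timeout: float = 3.0) -> str:
    """Network version of `ask`: connect to the target port, then query its identd."""
    with socket.create_connection((host, server_port), timeout=timeout) as probe:
        client_port = probe.getsockname()[1]
        with socket.create_connection((host, IDENT_PORT), timeout=timeout) as ident:
            ident.sendall(build_query(server_port, client_port))
            return ident.recv(1024).decode("ascii", errors="replace")


# Constructed replies for the offline demo (not captured from a real host).
FAKE_IDENTD = {
    22: "22 , 45231 : USERID : UNIX : root",
    80: "80 , 45232 : USERID : UNIX : www-data",
    3306: "3306 , 45233 : ERROR : HIDDEN-USER",
}


def demo() -> dict:
    return enumerate_owners(sorted(FAKE_IDENTD), lambda port: FAKE_IDENTD[port])


if __name__ == "__main__":
    for port, owner in demo().items():
        print(f"{port}/tcp -> {owner}")
```

A service that answers as root is the one to look at first; HIDDEN-USER means the administrator opted that user out, which is itself a small hint that a real account sits behind the port.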

Discovers and fingerprints IKE hosts (IPsec VPN servers). It identifies the implementation from the vendor IDs and the retransmission backoff pattern of their replies.

InSpy is a LinkedIn enumeration tool for discovering employees by job titles and technologies used by target companies. It requires a HunterIO API key for operation.

Instaloader downloads Instagram media: public profiles and, when logged in as a follower, private ones, plus hashtags, stories, feeds and saved media together with comments, geotags and captions. It can resume interrupted downloads and follows profile name changes automatically.

Traceroute-like application that enumerates IP hops by piggybacking on existing TCP connections. Useful for network reconnaissance and firewall bypassing.

IVRE is a network reconnaissance framework for passive and active recon including flow analytics and fingerprinting. It uses Nmap for scans, supports ZMap pre-scanning, and imports XML output from Nmap and Masscan.

Knocker is a simple and easy to use TCP security port scanner written in C using threads. It analyzes hosts and the network services running on them.

lbd is a load balancing detector that checks if a given domain uses load-balancing. It tests for both DNS-loadbalancing and HTTP-loadbalancing.

Active Directory information dumper via LDAP that collects and parses domain data into human-readable HTML, JSON, CSV/TSV, and greppable formats. Provides utilities to convert output to BloodHound CSV and pretty enum4linux-style reports.

LDeep is an in-depth LDAP enumeration utility that runs against Active Directory LDAP servers or locally on saved files. It supports detailed data retrieval using various backend engines.

OSINT tool that generates username lists from companies on LinkedIn. Pure web-scraper requiring valid LinkedIn credentials, no API key needed.

Plugin for Simon Willison's LLM tool that provides Nmap network scanning capabilities through function calling. Enables LLMs to perform network discovery and security scanning tasks using Nmap.

Maltego is an open source intelligence and forensics application that offers timely mining and gathering of information. It represents this information in an easy to understand format.

Set of offensive Maltego transforms that enable running nmap, sqlmap, and additional tools directly against entities within Maltego for reconnaissance and vulnerability assessment.

OWASP Maryam is a modular open source framework for OSINT and data gathering from open sources and search engines. It provides a powerful environment to harvest and collect data quickly and thoroughly.

Masscan is a fast TCP port scanner that transmits SYN packets asynchronously to scan IP address and port ranges. It produces results similar to nmap while operating like scanrand, unicornscan, and ZMap.

High-performance DNS stub resolver for resolving massive amounts of domain names, capable of over 350,000 names per second using public resolvers. Designed for bulk lookups and reconnaissance.

Metagoofil is an information gathering tool for extracting metadata from public documents belonging to a target company. It searches Google to identify and download files like PDF, DOC, XLS, and PPT.

mxcheck is an info and security scanner for e-mail servers. It checks DNS records, blacklists, open relays, TLS support, and more.

Naabu is a fast port scanner written in Go that enumerates open ports on hosts reliably and simply. It performs SYN/CONNECT scans and lists responsive ports.

NBTscan scans IP networks for NetBIOS name information by sending status queries to each address in a supplied range. It lists IP address, NetBIOS computer name, logged-in user name, and MAC address for responding hosts.

nbtscan-unixwiz scans for open NETBIOS nameservers on local or remote TCP/IP networks to identify potential open shares. It operates like the Windows nbtstat tool but supports scanning address ranges.

Net-SNMP provides tools and libraries for SNMP protocol operations, including querying network devices, sending traps, and managing SNMP agents for information exchange between servers and clients.

NET-3 networking toolkit providing essential tools for controlling the Linux kernel's network subsystem. Includes utilities like arp, ifconfig, netstat, and route for network configuration and monitoring.

Netcat-traditional is a simple Unix utility that reads and writes data across TCP or UDP network connections. It serves as a reliable back-end tool for scripts and a feature-rich network debugging and exploration utility.

Netdiscover is an active/passive address reconnaissance tool based on ARP requests. It was written for wireless networks without a DHCP server (for example while wardriving) but also works on hub/switched networks, and it can listen passively for ARP traffic instead of sending requests.

netmask helps determine network masks and convert between common IP netmask and address formats. It is a tiny program handy for firewalls, routers, or shell scripts to specify ranges of hosts with the smallest set of network masks.

Netscanner is a network scanner and diagnostic tool featuring a modern TUI. It supports listing hardware interfaces, WiFi scanning, pinging CIDR ranges, and packet dumping for IPv4 and IPv6 protocols.

Nextnet is a pivot point discovery tool written in Go. It probes a list of networks to identify potential pivot points.

Nmap is a utility for network exploration and security auditing that supports host discovery, port scanning, version detection, and OS fingerprinting. It includes related tools like ncat, nping, ndiff, and zenmap for enhanced network analysis capabilities.

NmapSI4 is a complete Qt-based graphical interface for nmap, the network scanner. It provides a full-featured GUI to manage all options of this powerful security network scanner.

onesixtyone is a fast and simple SNMP scanner that sends asynchronous SNMP requests for the sysDescr value to discover software descriptions on network devices. It supports user-adjustable timing and logging of responses.
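The request onesixtyone sends, built by hand as an added example (not onesixtyone's code): an SNMPv1 GetRequest for sysDescr.0 encoded with BER, plus a parser for the GetResponse. The BER/SNMPv1 layout follows the protocol; the reply returned by sample_response is constructed, and probe is the live UDP version that the offline test does not call.

```python
"""SNMPv1 GetRequest/GetResponse for sysDescr.0 with hand-rolled BER encoding."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"


def ber_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_int(value: int) -> bytes:
    length = 1  # minimal two's-complement length
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_get_request(community: str, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")  # value is NULL in a request
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)  # version 0 = SNMPv1


def read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(msg: bytes) -> dict:
    _, body, _ = read_tlv(msg, 0)
    _, _, pos = read_tlv(body, 0)            # version
    _, community, pos = read_tlv(body, pos)
    tag, pdu, _ = read_tlv(body, pos)
    if tag != 0xA2:
        raise ValueError(f"not a GetResponse PDU (tag {tag:#x})")
    _, _, pos = read_tlv(pdu, 0)             # request-id
    _, err, pos = read_tlv(pdu, pos)         # error-status
    _, _, pos = read_tlv(pdu, pos)           # error-index
    _, vbl, _ = read_tlv(pdu, pos)           # SEQUENCE OF VarBind
    varbinds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, q = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, q)
        varbinds[decode_oid(oid)] = val.decode("utf-8", "replace") if vtag == 0x04 else val
    return {"community": community.decode(), "error_status": int.from_bytes(err, "big", signed=True),
            "varbinds": varbinds}


def probe(host: str, community: str, timeout: float = 1.0):
    """Send one GetRequest over UDP/161 and parse the reply; None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community), (host, 161))
        try:
            return parse_get_response(sock.recv(4096))
        except socket.timeout:
            return None


def sample_response() -> bytes:
    """Constructed GetResponse such as a device might return for the request above."""
    vb = tlv(0x30, encode_oid(SYS_DESCR) + tlv(0x04, b"Linux edge-router 5.10.0 #1 SMP"))
    pdu = tlv(0xA2, encode_int(1) + encode_int(0) + encode_int(0) + tlv(0x30, vb))
    return tlv(0x30, encode_int(0) + tlv(0x04, b"public") + pdu)
```

Because SNMPv1 runs over UDP with no handshake, a community-string sweep is just many build_get_request packets fired without waiting; whichever community the device accepts is the one whose reply comes back with error-status 0 and a populated varbind.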

OSRFramework is a collection of tools for Open Source Intelligence tasks including username checking across platforms, email verification, domain availability checks, and phone number lookups.

p0f is a passive OS fingerprinting tool: it sends nothing itself, but identifies remote systems from the structure of the TCP/IP packets they emit, particularly SYNs. It reports the OS, the hop distance to the host, and aspects of the network structure, and accepts tcpdump-style filters.
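What "fingerprinting from a SYN" means in practice, as an added example that is not p0f's code or signature database: parse the IP and TCP headers of a captured SYN, recover the initial TTL and hop distance, record the TCP option order, and match the result against a signature table. The packet from sample_syn is constructed in-line, and the two SIGNATURES entries are illustrative, not a validated OS database.

```python
"""Passive SYN fingerprinting: header fields and option order as an OS signature."""
import socket
import struct

TCP_OPTION_NAMES = {2: "mss", 3: "ws", 4: "sok", 5: "sack", 8: "ts"}
INITIAL_TTLS = (32, 64, 128, 255)

# Illustrative table keyed on "ipver:initial-ttl:df/nodf:option-order".
SIGNATURES = {
    "4:64:df:mss,sok,ts,nop,ws": "Linux-like stack (illustrative entry)",
    "4:128:df:mss,nop,ws,nop,nop,sok": "Windows-like stack (illustrative entry)",
}


def parse_tcp_options(opts: bytes):
    order, mss, wscale, pos = [], None, None, 0
    while pos < len(opts):
        kind = opts[pos]
        if kind == 0:                      # end of option list
            order.append("eol")
            break
        if kind == 1:                      # NOP carries no length byte
            order.append("nop")
            pos += 1
            continue
        if pos + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[pos + 1]
        if length < 2 or pos + length > len(opts):
            raise ValueError("bad TCP option length")
        body = opts[pos + 2:pos + length]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        order.append(TCP_OPTION_NAMES.get(kind, f"?{kind}"))
        pos += length
    return order, mss, wscale


def fingerprint_syn(packet: bytes) -> dict:
    ver_ihl, _tos, _total, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP packet")
    tcp = packet[(ver_ihl & 0x0F) * 4:]
    _sport, _dport, _seq, _ack, off, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    if flags & 0x12 != 0x02:               # SYN set and ACK clear: a client's first packet
        raise ValueError("not a bare SYN")
    order, mss, wscale = parse_tcp_options(tcp[20:(off >> 4) * 4])
    initial_ttl = min(t for t in INITIAL_TTLS if t >= ttl)  # nearest common starting TTL
    df = bool(frag & 0x4000)
    fp = {"ttl_observed": ttl, "ttl_initial": initial_ttl, "distance": initial_ttl - ttl,
          "df": df, "window": window, "mss": mss, "wscale": wscale, "options": order}
    fp["signature"] = f"4:{initial_ttl}:{'df' if df else 'nodf'}:{','.join(order)}"
    return fp


def guess_os(fp: dict) -> str:
    return SIGNATURES.get(fp["signature"], "unknown")


def sample_syn() -> bytes:
    """Constructed SYN: TTL 57 (64 minus 7 hops), DF set, window 29200, Linux-style options."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0x4000, 57, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"))
    opts = (b"\x02\x04\x05\xb4"                          # MSS 1460
            + b"\x04\x02"                                # SACK permitted
            + b"\x08\x0a" + struct.pack("!II", 1000, 0)  # timestamps
            + b"\x01"                                    # NOP
            + b"\x03\x03\x07")                           # window scale 7
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (5 + len(opts) // 4) << 4, 0x02, 29200, 0, 0)
    return ip + tcp + opts


if __name__ == "__main__":
    fp = fingerprint_syn(sample_syn())
    print(fp["signature"], guess_os(fp), f"{fp['distance']} hops away")
```

The option order is the strongest signal: stacks emit options in a fixed sequence that users rarely change, whereas window size and MSS vary with link MTU and tuning. The distance estimate assumes the sender started from one of the common initial TTLs, which is how p0f derives it too.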

Photon is an incredibly fast crawler designed for open source intelligence (OSINT). It extracts URLs, intel like emails and social media, files, secret keys, JavaScript files, and more while crawling.

Pnscan is a multi threaded port scanner that can scan a large network very quickly. It does not have all the features that nmap has but is much faster.

Polenum extracts password policy information from remote Windows systems over SMB. It allows Linux users to query Windows password policies without needing a Windows machine.

Recon-ng is a full-featured Web Reconnaissance framework written in Python for conducting open source web-based reconnaissance quickly and thoroughly. It features independent modules, database interaction, and a Metasploit-like interface.

ReconSpider is an Advanced Open Source Intelligence (OSINT) Framework for scanning IP Addresses, Emails, Websites, and Organizations to gather information from various sources. It aggregates raw data, visualizes it on a dashboard, and supports alerting and monitoring.

ridenum is a RID cycling attack tool that enumerates user accounts through null sessions and SID to RID enumeration. It can also brute force discovered accounts using an optional password file.

Tool to find open S3 buckets and dump their contents. Supports multi-threaded scanning, S3-compatible APIs, permission checks, and Docker.

SCTP network scanner for discovering SCTP services and port-scanning remote networks. It sends INIT packets with valid SCTP (CRC32c) checksums to detect whether a host has an SCTP stack at all, then scans the commonly used ports.

SecLists is a collection of multiple types of lists used during security assessments, including usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, and more. It enables security testers to quickly access comprehensive wordlists on a testing system.

SharpHound is a C# data collector for BloodHound. It provides pre-built binaries to gather Active Directory enumeration data.

Sherlock finds usernames across over 300 social networks by querying unique URLs provided by site designers. It determines username availability based on site responses.

SMBMap is a handy SMB enumeration tool that allows users to enumerate Samba share drives across an entire domain. It lists share drives, drive permissions, share contents, and supports upload/download functionality, file name auto-download pattern matching, and remote command execution.

smtp-user-enum is a username guessing tool for SMTP services. It uses VRFY, EXPN, or RCPT TO methods to check for valid usernames on target servers.

Semi-automatic OSINT framework and package manager for IT security professionals and bug hunters. Enumerates attack surface by processing public information and mapping results in a unified format.

SNMP service enumeration tool that enumerates SNMP devices and outputs results in a human-readable format, similar to snmpwalk. Useful for penetration testing or systems monitoring.

snmpenum is a simple Perl script that enumerates information on machines running SNMP by performing SNMP table dumps. It helps security professionals gather system details from vulnerable SNMP services.

SpiderFoot is an open source intelligence (OSINT) automation tool that gathers intelligence about targets such as IP addresses, domain names, hostnames, network subnets, ASNs, email addresses, or person's names. It can be used offensively for penetration testing or defensively to identify exposed information.

Subfinder is a subdomain discovery tool that finds valid subdomains for websites using passive online sources. It features a simple modular architecture optimized for speed.

Subjack is a subdomain takeover tool written in Go that scans a list of subdomains concurrently to identify ones that can be hijacked. It leverages Go's speed for efficient mass-testing and checks for subdomains on non-existent domains available for registration.
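The two takeover conditions described above, as an added example (not subjack's code): a CNAME whose target no longer resolves, where registering the target's domain captures the subdomain, and a CNAME into a hosting service that still serves its "unclaimed" page. The FINGERPRINTS table, ZONE, EXTERNAL and BODIES are constructed for the offline demo; a real tool ships a maintained fingerprint list and performs live DNS and HTTP queries through the three injected callables.

```python
"""Offline subdomain-takeover triage: dangling CNAMEs and unclaimed hosting targets."""

# Illustrative fingerprints: the CNAME suffix of a hosting service and the body
# text it serves for a name nobody has claimed. Both entries are constructed.
FINGERPRINTS = [
    {"service": "pages-host", "cname": ".pages.example-host.test", "body": "There isn't a site here"},
    {"service": "bucket-host", "cname": ".buckets.example-store.test", "body": "NoSuchBucket"},
]


def registrable_domain(hostname: str) -> str:
    """Naive registrable-domain guess (last two labels); real tools use the public suffix list."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_subdomain(sub: str, resolve_cname, resolve_a, fetch_body) -> dict:
    """Classify one subdomain.

    resolve_cname(name) -> CNAME target or None
    resolve_a(name)     -> list of addresses, or None when the name does not exist
    fetch_body(name)    -> HTTP response body as str, or None
    """
    target = resolve_cname(sub)
    if target is None:
        return {"subdomain": sub, "status": "no-cname"}
    if resolve_a(target) is None:
        # The CNAME points at a name that no longer exists. If its registrable
        # domain is free, whoever registers it answers for our subdomain.
        return {"subdomain": sub, "status": "dangling", "target": target,
                "register": registrable_domain(target)}
    for fp in FINGERPRINTS:
        if target.endswith(fp["cname"]):
            body = fetch_body(sub) or ""
            status = "vulnerable" if fp["body"] in body else "claimed"
            return {"subdomain": sub, "status": status, "target": target, "service": fp["service"]}
    return {"subdomain": sub, "status": "ok", "target": target}


# Constructed zone data and web responses for the offline demo.
ZONE = {
    "www.example.com": {"A": ["203.0.113.10"]},
    "blog.example.com": {"CNAME": "ghost-blog.pages.example-host.test"},
    "docs.example.com": {"CNAME": "docs-live.pages.example-host.test"},
    "old.example.com": {"CNAME": "app.gone-startup.test"},
}
EXTERNAL = {  # what public DNS resolves; a missing name means NXDOMAIN
    "ghost-blog.pages.example-host.test": ["198.51.100.7"],
    "docs-live.pages.example-host.test": ["198.51.100.7"],
}
BODIES = {
    "blog.example.com": "<h1>There isn't a site here</h1>",
    "docs.example.com": "<h1>Welcome to the docs</h1>",
}


def fake_resolve_cname(name):
    return ZONE.get(name, {}).get("CNAME")


def fake_resolve_a(name):
    return EXTERNAL.get(name)


def fake_fetch_body(name):
    return BODIES.get(name)


def demo() -> dict:
    return {sub: check_subdomain(sub, fake_resolve_cname, fake_resolve_a, fake_fetch_body)
            for sub in ZONE}


if __name__ == "__main__":
    for sub, result in demo().items():
        print(sub, result["status"], result.get("register") or result.get("service") or "")
```

Treat "claimed" as worth re-checking later: the hosting account behind it can be deleted at any time, at which point the same CNAME becomes "vulnerable" without any change on your side.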

Fast subdomains enumeration tool for penetration testers using OSINT. Enumerates subdomains via multiple search engines and additional sources.

Tool for gathering e-mail accounts and subdomain names from public sources. Collects subdomains, emails, virtual hosts, open ports/banners, and employee names using search engines and PGP key servers.

tnftp is an enhanced FTP client ported from NetBSD, offering command-line editing, URL fetching and IPv6 support beyond what the standard FTP client provides.

Traces the route taken by packets over an IPv4/IPv6 network. Displays the IP number and host name of machines along the route to diagnose network connectivity problems.

TruffleHog searches through git repositories for secrets, digging deep into commit history and branches. It is effective at finding secrets accidentally committed.
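The two detection strategies such scanners combine, as an added example (not TruffleHog's code or detector set): known-format patterns for credentials with a fixed shape, and Shannon entropy over hex and base64-looking tokens for everything else. SAMPLE_DIFF is constructed; the AKIA.../wJal... pair are the placeholder credentials from AWS's own documentation, not live keys. Thresholds differ per charset because hex tops out at 4 bits per character and base64 at 6.

```python
"""Secret detection over commit content: fixed-format patterns plus Shannon entropy."""
import math
import re

PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# (kind, token regex, minimum entropy in bits per character)
ENTROPY_CHECKS = [
    ("high-entropy-hex", re.compile(r"\b[0-9a-fA-F]{20,}\b"), 3.0),
    ("high-entropy-base64", re.compile(r"[A-Za-z0-9+/=]{20,}"), 4.5),
]


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def scan_text(text: str) -> list:
    """Return (line_number, kind, token) for every suspicious token, once per line."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for token in pattern.findall(line):
                if (lineno, token) not in seen:
                    seen.add((lineno, token))
                    findings.append((lineno, kind, token))
        for kind, pattern, threshold in ENTROPY_CHECKS:
            for token in pattern.findall(line):
                # hex runs also match the base64 class; the first hit wins
                if (lineno, token) in seen:
                    continue
                if shannon_entropy(token) >= threshold:
                    seen.add((lineno, token))
                    findings.append((lineno, kind, token))
    return findings


# Constructed diff hunk; the AWS values are the documented placeholder pair.
SAMPLE_DIFF = """\
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+deploy_token = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+placeholder = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+greeting = "hello world"
"""


if __name__ == "__main__":
    for lineno, kind, token in scan_text(SAMPLE_DIFF):
        print(f"line {lineno}: {kind}: {token}")
```

The 32-character placeholder line shows why entropy matters: it matches the hex shape but carries no information, so a shape-only check would have produced a false positive. Scanning every commit, not just the current tree, is what finds the key that was "removed" a week later.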

Unicornscan is a scalable, accurate, flexible, and efficient information gathering and correlation engine for security research. It provides a user-land distributed TCP/IP stack for advanced asynchronous stateless TCP and UDP scanning with OS and application identification.

Domain typo generator that creates and tests variations of domain names to detect typo squatting, URL hijacking, phishing, and corporate espionage.
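The candidate generation that both dnstwist and this typo generator perform, as an added example (not code from either tool): omissions, transpositions, keyboard-neighbour replacements, homoglyphs, single-bit flips ("bitsquats"), hyphenation and TLD swaps, each labelled with the technique that produced it. The KEYBOARD_NEIGHBOURS and HOMOGLYPHS tables are deliberately small constructed subsets, and no DNS lookups are made; live_candidates takes a resolver callable where a real run would query A and MX records.

```python
"""Typosquat candidate generation with the fuzzing technique recorded per candidate."""
import string

LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")

KEYBOARD_NEIGHBOURS = {  # partial QWERTY adjacency, constructed for the example
    "a": "qwsz", "e": "wrsd", "i": "uojk", "l": "kop", "m": "njk",
    "o": "iplk", "p": "ol", "x": "zsdc",
}
HOMOGLYPHS = {  # look-alike substitutions, constructed subset
    "a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"], "m": ["rn"], "o": ["0"], "w": ["vv"],
}
ALT_TLDS = ["com", "co", "cm", "net", "org"]


def omissions(name):
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def transpositions(name):
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1) if name[i] != name[i + 1]}


def keyboard_replacements(name):
    return {name[:i] + n + name[i + 1:]
            for i, ch in enumerate(name) for n in KEYBOARD_NEIGHBOURS.get(ch, "")}


def homoglyph_swaps(name):
    return {name[:i] + g + name[i + 1:]
            for i, ch in enumerate(name) for g in HOMOGLYPHS.get(ch, [])}


def bitsquats(name):
    """Single-bit flips: a memory error in a client turns 'example' into 'eyample'."""
    out = set()
    for i, ch in enumerate(name):
        for bit in range(7):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LABEL_CHARS:
                out.add(name[:i] + flipped + name[i + 1:])
    return out


def hyphenations(name):
    return {name[:i] + "-" + name[i:] for i in range(1, len(name))}


GENERATORS = [("omission", omissions), ("transposition", transpositions),
              ("replacement", keyboard_replacements), ("homoglyph", homoglyph_swaps),
              ("bitsquat", bitsquats), ("hyphenation", hyphenations)]


def valid_label(label: str) -> bool:
    return bool(label) and label[0] != "-" and label[-1] != "-" and set(label) <= LABEL_CHARS


def generate(domain: str) -> dict:
    """Map each candidate domain to the first technique that produced it."""
    name, dot, tld = domain.lower().partition(".")
    if not dot or not valid_label(name):
        raise ValueError(f"expected label.tld, got {domain!r}")
    candidates = {}
    for kind, fn in GENERATORS:
        for label in sorted(fn(name)):
            if label != name and valid_label(label):
                candidates.setdefault(f"{label}.{tld}", kind)
    for alt in ALT_TLDS:
        if alt != tld:
            candidates.setdefault(f"{name}.{alt}", "tld-swap")
    return candidates


def live_candidates(domain: str, resolve) -> dict:
    """Keep only candidates for which resolve(candidate) returns a truthy result."""
    return {c: kind for c, kind in generate(domain).items() if resolve(c)}


if __name__ == "__main__":
    for cand, kind in sorted(generate("example.com").items()):
        print(f"{kind:14} {cand}")
```

A candidate that resolves is not yet a finding; the useful signal is one that resolves, has an MX record, and serves a page resembling yours, which is why the tools above go on to check mail servers and page similarity.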

waybackpy is a Python package and CLI tool that interfaces with the Wayback Machine's APIs. It provides access to SavePageNow API, CDX Server API, and Availability API for archiving and retrieving web page snapshots.

Wget is a non-interactive network utility to retrieve files from the web using HTTP(S) and FTP protocols. It supports recursive retrieval, works in the background, and handles slow or unstable connections by resuming downloads.

Whatmask is a subnet mask notation conversion tool that helps with network settings by converting between various netmask formats and calculating subnet details. It supports two modes: subnet mask conversion alone or full network information from an IP address and netmask.

WhatWeb is a next generation web scanner that identifies websites and recognizes web technologies including content management systems, blogging platforms, JavaScript libraries, web servers, and embedded devices. It has over 900 plugins to detect version numbers, email addresses, account IDs, and more.

Intelligent WHOIS client that queries online servers for domain and IP address information. The package also includes mkpasswd, a feature-rich front end to the crypt(3) password hashing function.

WitnessMe is a Web Inventory tool inspired by Eyewitness, designed to take screenshots and gather information from web targets. It uses a headless browser backend and is extensible for custom functionality.

Wotmate reimplements the defunct PGP pathfinder using only your own keyring. It provides tools to visualize shortest paths and trust relationships between keys.

zonedb provides a free, open-source database of public DNS zones including top-level domains, subdomains, retired, and withdrawn zones with associated metadata. It offers both a source library and a command-line program for managing zone data.