A compiled list of tools for reconnaissance and footprinting
A compiled list of tools for reconnaissance and footprinting.
Domain and Network Recon - Tools for grabbing network related information.
Personal Information and Email Footprinting - Tools for finding personal information such as social networks and emails as well as footprinting tools for mail.
Hacking with Google - Use Google commands to your advantage
Robust tools for gathering domain and network information.
ARIN Whois/RDAP - A public resource that allows a user to retrieve information about IP number resources, organizations, and Points of Contact registered with ARIN.
Aquatone - A tool for visual inspection of websites across a large amount of hosts. Very convenient for quickly gaining an overview of HTTP-based attack surfaces.
Batch IP Converter - An award-winning network tool to work with IP addresses. Domain-to-IP Converter, Batch Ping, Tracert, Whois, and more.
BuiltWith - Scans for over 46,953 different web technologies. Discover what tools a site uses such as shopping carts, hosting, analytics, and more.
Censys - Mines a global internet dataset to enumerate assets that may compromise an attack surface.
DataSploit - Performs automated OSINT on a domain/email/username/phone and finds relevant information from different sources.
DNSDumpster - Can discover hosts related to a domain. Map an organizations attack surface with a virtual "dumpster dive."
Domaintools - Find Whois information quickly and easily including registrar, name servers, and etc.
FindSubDomains - From Spyse. Awesome tool to find subdomains.
FireCompass - Discovers and organization's digital attack surface.
Informer - Retrieves a quick aggregated view of everything the Web can promptly tell you about a site.
Maltego - Open Source Intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.
Netcraft - Multiple tools from site report to DNS search.
Professional Toolset - Ping, Tracert, HTTP Headers, and more!
Shodan - Shodan has servers around the world that crawl the internet 24/7 to provide the latest internet intelligence.
SpiderFoot - Automated OSINT collection!
Traceroute NG - Continuous probing, detects path changes, supports IPv4 & IPv6, Creates a txt logfile.
URL Fuzzer - Free light scan for hidden files and directories.
VisualRoute - Continuous trace routing, reverse tracing, port probing, route analysis, and much more!
You Get Signal - Port forwarding, network location, visual trace route, reverse IP domain check, and more!
Wappalyzer - Identify technologies on websites. Find out the technology stack of any website.
WebShag - Multi-threaded, multi-platform web server audit tool. Gathers useful functionalities for web server auditing like website crawling, URL scanning, or file fuzzing.
Wireshark - The world's foremost and widely-used network protocol analyzer.
Whois.net - Quick and easy Whois lookup. Domain name search, registration and availability, and more.
nslookup - Command-line tool for querying the Domain Name System to obtain name or IP address mapping and other DNS records.
tracert - Commmand-line tool for displaying a route and measuring transit delays of packets across an Internal Protocol network.
dig - Domain Information Groper - Queries the DNS of a given server.
dnsrecon - Check NS Records for Zone Transfers, enumerate general DNS records, check cached DNS records, and more.
dnstracer - Determines where a given Domain Name Server gets its information from for a given hostname.
Fierce - DNS reconnaissance tool for locating non-contiguous IP space.
Ghost Eye - Information gathering tool for Whois, DNS, EtherApe, Nmap, and more.
recon-ng - Provides a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly.
traceroute - Print the route packets trace to network host.
unicornscan - Provides a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network.
whois - Quick and easy client for the whois directory service.
Tools for gathering personal information, social networks, and email footprinting.
BeenVerified - Background checks with loads of information.
eMailTrackerPro - Pull detailed information from an email header. Also includes spam filtering.
Followerwonk - Information scraped from Twitter.
Infoga - Gather email OSINT. Domains, sources, breaches, and more.
Jigsaw - OSINT-X Intelligence Collection Tool from Jigsaw allows for the collection of data from RSS feeds, the dark web, Twitter, Facebook, and other sources.
PeekYou - Locate personal information from family members to social media accounts.
sherlock - Crawls the web for social profiles.
theHarvester - Pulls a list of email addresses of a specific domain from multiple search engines.
Commands (or "dorks") for the world's most popular search engine
cache - this command will show you the cached version of any website.
cache: securitytrails.com
allintext - searches for specific text contained on any web page.
allintext: hacking tools
allintitle - exactly the same as allintext, but will show pages that contain titles with X characters.
allintitle:"Security Companies"
allinurl - it can be used to fetch results whose URL contains all the specified characters.
allinurl client area
filetype - used to search for any kind of file extensions, for example, if you want to search for jpg files you can use:
filetype: jpg
inurl - this is exactly the same as allinurl, but it is only useful for one single keyword.
inurl: admin
intitle - used to search for various keywords inside the title, for example,
intitle:security tools
will search for titles beginning with “security” but “tools” can be somewhere else in the page.
inanchor - this is useful when you need to search for an exact anchor text used on any links.
inanchor:"cyber security"
intext - useful to locate pages that contain certain characters or strings inside their text.
intext:"safe internet"
link - will show the list of web pages that have links to the specified URL.
link: microsoft.com
site - will show you the full list of all indexed URLs for the specified domain and subdomain.
site:securitytrails.com
* - wildcard used to search pages that contain “anything” before your word.
For example, how to * a website
, will return “how to…” design/create/hack, etc… “a website”.
| - this is a logical operator, for example, "security" "tips"
will show all the sites which contain “security” or “tips,” or both words.
+ - used to concatenate words, useful to detect pages that use more than one specific key.
security + trails
– - minus operator is used to avoiding showing results that contain certain words, for example, security -trails
will show pages that use “security” in their text, but not those that have the word “trails.”