Comprehensive Reconnaissance Tools for Red Teaming and OSINT Operations

Active Intelligence Gathering
EyeWitness
Is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
https://github.com/ChrisTruncer/EyeWitness
AWSBucketDump
Is a tool to quickly enumerate AWS S3 buckets to look for loot.
https://github.com/jordanpotti/AWSBucketDump
AQUATONE
Is a set of tools for performing reconnaissance on domain names.
https://github.com/michenriksen/aquatone
spoofcheck
Is a program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing.
https://github.com/BishopFox/spoofcheck
Nmap
Is used to discover hosts and services on a computer network, thus building a "map" of the network.
dnsrecon
Is a DNS enumeration script.
https://github.com/darkoperator/dnsrecon
Passive Intelligence Gathering
Social Mapper
Is an OSINT social media mapping tool that takes a list of names and images (or a LinkedIn company name) and performs automated target searching on a huge scale across multiple social media sites. It is not restricted by APIs, as it instruments a browser using Selenium. It outputs reports to aid in correlating targets across sites.
https://github.com/SpiderLabs/social_mapper
skiptracer
Is an OSINT scraping framework that utilizes some basic Python web scraping (BeautifulSoup) of PII paywall sites to compile passive information on a target on a ramen noodle budget.
https://github.com/xillwillx/skiptracer
ScrapedIn
Is a tool to scrape LinkedIn without API restrictions for data reconnaissance.
https://github.com/dchrastil/ScrapedIn
linkScrape
A LinkedIn user/company enumeration tool.
https://github.com/NickSanzotta/linkScrape
FOCA (Fingerprinting Organizations with Collected Archives)
is a tool used mainly to find metadata and hidden information in the documents it scans.
https://github.com/ElevenPaths/FOCA
theHarvester
is a tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/banners, and employee names from different public sources.
https://github.com/laramies/theHarvester
Metagoofil
Is a tool for extracting metadata from public documents (pdf, doc, xls, ppt, etc.) available on the target websites.
https://github.com/laramies/metagoofil
SimplyEmail
Email recon made fast and easy, with a framework to build on.
https://github.com/killswitch-GUI/SimplyEmail
truffleHog
searches through git repositories for secrets, digging deep into commit history and branches.
https://github.com/dxa4481/truffleHog
Just-Metadata
is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset.
https://github.com/ChrisTruncer/Just-Metadata
typofinder
Is a domain typo finder that shows the country of each IP address.
https://github.com/nccgroup/typofinder
pwnedOrNot
is a Python script that checks if an email account has been compromised in a data breach; if the account is compromised, it proceeds to find passwords for the compromised account.
https://github.com/thewhiteh4t/pwnedOrNot
GitHarvester
Is a tool for harvesting information from GitHub, similar to a Google dork.
https://github.com/metac0rtex/GitHarvester
pwndb
is a Python command-line tool for searching leaked credentials using the Onion service with the same name.
https://github.com/davidtavarez/pwndb/
Frameworks
Maltego
is a unique platform developed to deliver a clear threat picture of the environment that an organization owns and operates.
https://www.paterva.com/web7/downloads.php
SpiderFoot
Is an open source footprinting and intelligence-gathering tool.
https://github.com/smicallef/spiderfoot
datasploit
is an OSINT framework to perform various recon techniques on companies, people, phone numbers, Bitcoin addresses, etc., aggregate all the raw data, and present it in multiple formats.
https://github.com/DataSploit/datasploit
Recon-ng
is a full-featured Web Reconnaissance framework written in Python.