recon.md

title	description
Reconnaissance	Understand your target. Perform in-depth research and discover new attack surfaces.

Reconnaissance

Understand your target. Perform in-depth research and discover new attack surfaces.

Content Discovery

• content-discovery - Tool to support with "Content Discovery" during mapping of a web applications/sites.
• dirble - Fast directory scanning and scraping tool.
• DirBuster - a multi threaded java application designed to brute force directories and files names on web/application servers.
• DirHunt - Find web directories without bruteforce.
• dirsearch - Web path scanner.
• Feroxbuster - A fast, simple, recursive content discovery tool written in Rust.
• ffuf - Fast web fuzzer written in Go.
• GoBuster - Directory/File, DNS and VHost busting tool written in Go.
• Hakrawler - Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.
• HTTPLoot - An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages.
• IISRecon - IIS shortname scanner + bruteforce.
• Kiterunner - Contextual Content Discovery Tool.
• LinkFinder - A python script that finds endpoints in JavaScript files.
• ParamSpider - Mining parameters from dark corners of Web Archives.
• Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning.
• RecurseBuster - Rapid content discovery tool for recursively querying webservers.
• Scilla - Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration.
• UnChain - A tool to find redirection chains in multiple URLs.
• xnLinkFinder - A python tool used to discover endpoints for a given target.
• x8 - Hidden parameters discovery suite written in Rust.

DNS

• aiodnsbrute - Python 3.5+ DNS asynchronous brute force utility.
• dnsdumpter - dns recon & research, find & lookup dns records.
• dnssearch - A subdomain enumeration tool.
• dnsX - Fast and multi-purpose DNS toolkit allow to run multiple DNS queries.
• Fastsub - A custom built DNS bruteforcer with multi-threading, and handling of bad resolvers.
• Fierce - A DNS reconnaissance tool for locating non-contiguous IP space.
• MassDNS - A high-performance DNS stub resolver for bulk lookups and reconnaissance.
• Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning.
• SubBrute - A DNS meta-query spider that enumerates DNS records, and subdomains.

Domains

• Altdns - Generates permutations, alterations and mutations of subdomains and then resolves them.
• Amass - In-depth Attack Surface Mapping and Asset Discovery.
• Assetfinder - Find domains and subdomains potentially related to a given domain.
• Chaos-Client - Go client to communicate with Chaos DNS API.
• crt.sh - Certificate search on domains.
• ctfr - Abusing Certificate Transparency logs for getting HTTPS websites subdomains.
• Discover - Custom bash scripts to automate various pentesting tasks including recon.
• findomain - The complete solution for domain recognition.
• findsubdomains.com (spyse) - subdomain finder in order to make your reconnaissance process faster and effortless.
• Knock - Knock Subdomain Scan.
• OneForAll - A powerful subdomain integration tool.
• Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning.
• Robtex - Robtex is used for various kinds of research of IP numbers, Domain names, etc.
• Scilla - Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration.
• sigurlfind3r - A reconnaissance tool, it fetches URLs from AlienVault's OTX, Common Crawl, URLScan, Github and the Wayback Machine.
• subfinder - Fast passive subdomian enumeration tool.
• sublist3r - Fast subdomains enumeration tool for penetration testers.
• Turbolist3r - Subdomain enumeration tool with analysis features for discovered domains.
• Websitewatcher - Monitor webist domain for changes.

Dorking

• Dorkbot - Command line dorking tool.

Frameworks

• Osmedeus - Fully automated offensive security framework for reconnaissance and vulnerability scanning.
• ReconDog - Reconnaissance Swiss Army Knife.
• sn1per - Discover the attack surface and prioritize risks with our continuous Attack Surface Management.

Search Engines

• Censys - Highly-indexed Internet-wide scan data at scale.
• Google Dataset - Indexed datasets.
• Mamont - Open FTP Indexer.
• Napalm - Open FTP Indexer.
• OCCRP Aleph - Global archive of research material.
• OnionScan - TOR scanner.
• Shodan - The security search engine. Search everything IoT.
• Wayback Machine - Internet archive of saved web pages.

Wordlists

• API Endpoints & Objects - A list of 3203 common API endpoints and objects designed for fuzzing.
• Funny Fuzzing Wordlist - Funny Fuzzing Wordlist.
• Fuzz.txt - Directory & File List.
• SecLists - A collection of multiple types of lists used during security assessments, collected in one place.
• Secrets in Environment Variables - Awesome list of secrets in environment variables.