Tools and Utilities
Tools and utilities commonly used during the information-gathering (reconnaissance) phase of an engagement:
DNS Dumpster
Web tool (dnsdumpster.com) that maps a domain from its DNS records: name servers, MX and TXT records and the hosts it discovers, drawn as a graph of the domain's footprint
DNSrecon
Command-line tool for DNS enumeration of a domain: standard records, zone-transfer attempts, reverse lookups and subdomain brute forcing
Commands
Installation
sudo apt install dnsrecon
Usage
dnsrecon -h #Get help with use
dnsrecon -d $domain #Standard enumeration of a domain (SOA, NS, MX, A/AAAA, SRV records and a zone-transfer attempt)
dnsrecon -d $domain -n $nameserver #Send the queries to a specific name server instead of the one in the domain's SOA
dnsrecon -d $domain -t $type #Specify the enumeration type (std, axfr, brt, srv, rvl, zonewalk, ...; brt needs a wordlist given with -D)
Shodan
Online service built as a search engine for Internet-connected devices
Shodan continuously scans the public Internet; every host that answers has its service banners (open ports, software and version strings, TLS certificates, HTTP headers) collected and indexed, so a query returns data Shodan already captured without sending any traffic to the target (passive reconnaissance)
Commands
Installation
sudo apt install shodan
Usage
shodan init $APIkey #Set the API key from your Shodan account
shodan host $IP #Show the indexed information about a host (open ports, services, hostnames, known vulnerabilities)
Wayback Machine
Website (web.archive.org) that stores snapshots of pages over time and lets you browse them; useful for finding old endpoints, removed files and previous versions of a site
Wappalyzer
Service that identifies the technologies a page uses (CMS, frameworks, JavaScript libraries, web server, analytics). Also works as a Firefox extension
Web site: https://www.wappalyzer.com/
Firefox extension: https://addons.mozilla.org/es/firefox/addon/wappalyzer/
User-Agent Switcher and Manager
Browser extension that changes the User-Agent header so the site sees a different browser or operating system; useful for reaching mobile-only or browser-specific content and for checking whether the server behaves differently per client
OWASP Favicon
Database of MD5 hashes of the default favicons shipped by common development frameworks and web applications; hashing a target's favicon.ico and looking it up identifies the technology even when headers and page content give nothing away
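The favicon technique behind the OWASP database, and the matching Shodan search filter http.favicon.hash from the Shodan section above, as an added example (not code from the page, OWASP or Shodan). The icon bytes and the md5 lookup table are constructed for the demo; the MurmurHash3 implementation is the standard x86_32 variant so the block runs without the mmh3 package:

```python
import base64
import hashlib
from typing import Dict, Optional

# Constructed sample icon bytes (an ICO-style header plus filler), not a real framework favicon
SAMPLE_FAVICON = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + bytes(range(64))


def favicon_md5(favicon: bytes) -> str:
    """OWASP favicon database style: MD5 hex digest of the raw favicon file."""
    return hashlib.md5(favicon).hexdigest()


def identify_framework(favicon: bytes, db: Dict[str, str]) -> Optional[str]:
    """Look the icon's MD5 up in an md5 -> technology table (the OWASP list uses this layout)."""
    return db.get(favicon_md5(favicon))


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (the function behind the mmh3 package), unsigned 32-bit result."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h = seed & mask
    n_blocks = len(data) // 4
    for i in range(n_blocks):                       # 4-byte little-endian blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xE6546B64) & mask
    tail = data[4 * n_blocks:]                      # 0..3 trailing bytes
    if tail:
        k = int.from_bytes(tail, "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    h ^= len(data)                                  # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h


def to_signed32(value: int) -> int:
    """Shodan shows the hash as a signed 32-bit integer, as mmh3.hash() returns it."""
    return value - (1 << 32) if value & 0x80000000 else value


def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan's http.favicon.hash value: mmh3 over the base64 text of the icon, where the
    base64 keeps line breaks every 76 characters (codecs.encode(data, "base64") style)."""
    return to_signed32(murmur3_32(base64.encodebytes(favicon)))


def shodan_query_for(favicon: bytes) -> str:
    """Search filter that finds other hosts serving the same icon."""
    return f"http.favicon.hash:{shodan_favicon_hash(favicon)}"


# Constructed md5 -> technology table in the OWASP layout; the real list is much longer
SAMPLE_DB = {favicon_md5(SAMPLE_FAVICON): "ExampleCMS (constructed entry)"}

if __name__ == "__main__":
    print("md5:", favicon_md5(SAMPLE_FAVICON), "->", identify_framework(SAMPLE_FAVICON, SAMPLE_DB))
    print("shodan:", shodan_query_for(SAMPLE_FAVICON))
```

Fetch the icon with curl -s -o favicon.ico https://target/favicon.ico (or the path given in the page's link rel="icon" tag), pass the bytes to both functions, and use the resulting filter with the Shodan CLI, e.g. shodan search --fields ip_str,hostnames "http.favicon.hash:...", to find other hosts of the same organisation or product. Both hashes only match byte-identical icons: a re-saved, resized or re-encoded favicon gives a different value, so a miss does not rule the framework out.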
LinEnum
Bash script for local Linux enumeration (users, sudo rights, SUID binaries, writable files, cron jobs and other privilege-escalation leads) once you already have a shell on a host; it belongs to post-exploitation rather than external information gathering
Commands
Installation
git clone https://github.com/rebootuser/LinEnum
Usage
./LinEnum.sh -s -k keyword -r report -e /tmp/ -t #-s: supply the current user's password for sudo checks, -k: keyword to grep for in configuration and log files, -r: report name, -e: export location for the gathered files, -t: thorough (slower) tests
Spiderfoot
Open-source intelligence (OSINT) automation tool with a web UI and a large set of modules that query public sources (DNS, WHOIS, certificates, search engines, breach data) and chain their results into each other
Usage
Click the New Scan tab, enter a name for the scan, and select a target. Scanning can also be personalized by the type of information required or by choosing the individual scanner modules
To add API keys, go to the Settings tab, open the page for the module you are looking for, and complete the table including the type of information the module searches for
If you don't know how to get the API keys, click the ? next to the API option in the module and follow the instructions to get them
Commands
Installation
sudo apt install spiderfoot
Usage
spiderfoot -l 127.0.0.1:$port #Start the web UI bound to localhost on the given port
spiderfoot -M #Display the available modules
OSINT Framework
Website (osintframework.com) that organizes links to passive information-gathering resources by category (usernames, e-mail addresses, domains, IP addresses, social networks, ...)
Hunter.io
Service for finding and verifying e-mail addresses associated with a company or domain, including the address pattern in use (e.g. first.last@domain), which is what you need to build target lists for phishing or password spraying
The Ultimate OSINT Collection
Comprehensive, curated resource hub for open-source intelligence (OSINT) enthusiasts, investigators, and cybersecurity professionals
Recon-ng
Modular OSINT framework: modules are installed from a marketplace and run inside workspaces, each workspace keeping its own database of hosts, contacts, domains and credentials that modules read from and write to
Commands
Installation
sudo apt install recon-ng
Usage
recon-ng #Start the console interface
recon-web #Start the web GUI
#Inside the recon-ng console environment
[recon-ng][default] > help
[recon-ng][default] > workspaces create $wsname #Create a workspace (each one has its own database)
[recon-ng][default] > workspaces list #List created workspaces
[recon-ng][default] > shell $command #Execute a shell command
[recon-ng][default] > back #Exit the current context
[recon-ng][default] > marketplace search #List the modules available
[recon-ng][default] > marketplace search $name #Search for specific modules
[recon-ng][default] > marketplace refresh #Refresh the module index
[recon-ng][default] > marketplace info $name #Show details of a module, including the API keys it needs
[recon-ng][default] > marketplace install $name #Install a module
[recon-ng][default] > modules search #List the installed modules
[recon-ng][default] > modules load $name #Enter the context of a module to use it
#Inside the context of a module
[recon-ng][$module] > info #Show the details and options of the module
[recon-ng][$module] > options set $option $value #Set a parameter of the module (e.g. SOURCE)
[recon-ng][$module] > run #Run the module; its results are written to the workspace database
[recon-ng][$module] > dashboard #Summary of the modules run and the records gathered
[recon-ng][$module] > show $table #Show a table of the workspace database (hosts, contacts, domains, ...)
Whatweb
Tool that fingerprints websites: web server, frameworks, CMS, JavaScript libraries, analytics and version numbers, recognised from response headers, cookies and page content
Commands
Installation
sudo apt install whatweb
Usage
whatweb $url #Fingerprint the site (add -v for verbose output, -a 3 for a more aggressive scan that sends extra requests)
crt.sh
Web interface to Certificate Transparency logs; searching a domain returns every logged certificate (issuer, validity period, subject alternative names), which exposes subdomains, including internal or forgotten ones, that were ever issued a publicly trusted certificate
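Turning the crt.sh results into a subdomain list, as an added example (not code from the page or from crt.sh). It relies on crt.sh's JSON output (output=json) in which each record's name_value field holds the certificate's names one per line; the records below are constructed for the demo, the fetch function is the only part that needs the network:

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime
from typing import List, Optional, Tuple, Union


def fetch_crtsh(domain: str, timeout: int = 60) -> str:
    """Download crt.sh's JSON view for every logged name under the domain (%.domain).
    Needs network access and is not used by the offline demo below."""
    query = urllib.parse.quote(f"%.{domain}")          # '%' becomes %25 in the URL
    req = urllib.request.Request(f"https://crt.sh/?q={query}&output=json",
                                 headers={"User-Agent": "ct-recon-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_crtsh(json_text: str, domain: str,
                now: Optional[Union[datetime, str]] = None) -> Tuple[List[str], List[str]]:
    """Return (hostnames, wildcard names) found in the crt.sh records.

    Names are lowercased and de-duplicated, names outside the target domain are dropped
    (a certificate can list SANs from several zones), and when `now` is given, certificates
    already expired at that time are skipped. Pass None to keep them: expired certificates
    still reveal hostnames that may be alive."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    domain = domain.lower()
    hosts, wildcards = set(), set()
    for record in json.loads(json_text):
        if now is not None and datetime.fromisoformat(record["not_after"]) < now:
            continue
        names = record.get("name_value", "").splitlines() + [record.get("common_name", "")]
        for name in names:
            name = name.strip().lower()
            if not name:
                continue
            bare = name[2:] if name.startswith("*.") else name
            if bare != domain and not bare.endswith("." + domain):
                continue                                # SAN belonging to another zone
            (wildcards if name.startswith("*.") else hosts).add(name)
    return sorted(hosts), sorted(wildcards)


# Constructed records in crt.sh's JSON layout (example.com is a reserved documentation domain)
SAMPLE_RECORDS = [
    {"id": 1, "issuer_name": "C=US, O=Example CA, CN=Example R1", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=Example CA, CN=Example R1", "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com",
     "not_before": "2025-01-01T00:00:00", "not_after": "2099-01-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Example CA, CN=Example R1", "common_name": "VPN.Example.com",
     "name_value": "VPN.Example.com",
     "not_before": "2025-01-01T00:00:00", "not_after": "2099-01-01T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Example CA, CN=Example R1", "common_name": "mail.example.com",
     "name_value": "mail.example.com\nexample.com.evil.org",
     "not_before": "2025-01-01T00:00:00", "not_after": "2099-01-01T00:00:00"},
    {"id": 5, "issuer_name": "C=US, O=Example CA, CN=Example R1", "common_name": "mail.example.com",
     "name_value": "mail.example.com",
     "not_before": "2023-01-01T00:00:00", "not_after": "2024-01-01T00:00:00"},
]
SAMPLE_JSON = json.dumps(SAMPLE_RECORDS)

if __name__ == "__main__":
    hosts, wildcards = parse_crtsh(SAMPLE_JSON, "example.com")
    print("hosts:", hosts)
    print("wildcards:", wildcards)
```

Wildcards are reported separately because *.dev.example.com proves the zone exists but not which hosts under it do; resolve the plain names afterwards (with dnsrecon or dnsenum from this page) to separate live hosts from stale entries. crt.sh is slow and rate-limits large domains, so cache the JSON instead of re-querying.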
sslscan
Command-line tool for testing and analyzing SSL/TLS-enabled services, checking their configuration and security
Commands
Installation
sudo apt install sslscan
Usage
sslscan $domain #Enumerate supported protocol versions, cipher suites, key exchange parameters and certificate details, highlighting weak or deprecated settings
enum4linux-ng
Command-line tool (rewrite of enum4linux) for enumerating Windows and Samba hosts over SMB, RPC and LDAP: users, groups, shares, password policy, OS information and sessions
Commands
Installation
sudo apt install enum4linux-ng
Usage
enum4linux-ng $IP #Basic enumeration of a host
enum4linux-ng -A $IP #Do all simple enumeration (users, groups, shares, password policy, OS info) including nmblookup
SET
Social-Engineer Toolkit, an open-source penetration testing framework designed for social engineering. Provides ready-made attack vectors (credential-harvesting clones of login pages, spear-phishing with malicious attachments, infectious media) that let you build a believable attack quickly
Commands
Installation
sudo apt install set
Usage
setoolkit #Launch
BeEF
Browser Exploitation Framework: hooks a victim's browser (typically by getting its hook.js script executed through an XSS vulnerability) and then runs command modules against it, such as fake notifications and prompts, cookie and fingerprint collection, keylogging and scanning the victim's internal network
Commands
Installation
sudo apt install beef-xss
Usage
beef-xss #Start the service; the web UI and the hook script are served on port 3000 by default
Censys
Search engine for Internet-connected hosts, their services and their TLS certificates, used for passive reconnaissance; a host page shows open ports, observed protocols and banners, certificates, location and network ownership (ASN), all from Censys's own scans rather than from traffic you send
GrayHatWarfare
Search engine for publicly accessible Amazon S3 buckets and the files in them, letting you look for open storage that may contain sensitive files, misconfigurations or exposed data related to the target
DNSenum
Tool for information gathering and brute forcing of DNS domains and subdomains
Commands
Installation
sudo apt install dnsenum
Usage
dnsenum --enum $domain -f $wordlist -r #Brute-force subdomains from a wordlist and recurse into the subdomains found
dnsenum --dnsserver $DNSip --enum $domain -f $wordlist #Send the queries to a specific DNS server (e.g. the target's own)
dnsenum --enum $domain -f $wordlist -o $outFile #Write the results to an XML output file
dnsenum --dnsserver $DNSip --enum $domain -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o $outFile #Recommended way (wordlist from the seclists package)
wafw00f
Tool used to detect the presence of a WAF in front of a web application, and which product it is, by sending probe requests and matching the responses against known WAF signatures
Commands
Installation
pip install git+https://github.com/EnableSecurity/wafw00f
Usage
wafw00f $domain
Scrapy
Scrapy is a Python web-crawling framework; ReconSpider (from the HTB Academy module) is a custom spider built on it that crawls a target and collects links, e-mail addresses, external files, JavaScript files and HTML comments into results.json
Commands
Installation
pip install scrapy
mkdir Scrapy && cd ./Scrapy
wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip
unzip ReconSpider.zip
Usage
python3 ReconSpider.py http://inlanefreight.com #Run the crawler against the target; results.json is written in the current directory
cat results.json #Check results
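What a recon crawler such as ReconSpider extracts from each page, as an added example written with the Python standard library only (not ReconSpider's or Scrapy's code). The HTML below is constructed for the demo; extract_recon works offline on it, while crawl is a small same-host breadth-first crawler that needs the network:

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Extensions worth flagging as downloadable documents or leaked artefacts
FILE_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip", ".bak", ".sql", ".txt", ".log")


class ReconParser(HTMLParser):
    """Collects the same kinds of artefacts ReconSpider reports, from one HTML page."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base = base_url
        self.host = urlparse(base_url).netloc.lower()
        self.found = {"internal": set(), "external": set(), "files": set(),
                      "scripts": set(), "emails": set(), "comments": []}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found["scripts"].add(urljoin(self.base, a["src"]))
        elif tag == "a" and a.get("href"):
            self._handle_link(a["href"].strip())

    def _handle_link(self, href: str):
        if href.lower().startswith("mailto:"):
            self.found["emails"].add(href[7:].split("?")[0].lower())
            return
        if href.startswith(("#", "javascript:")):
            return
        url = urljoin(self.base, href).split("#")[0]   # resolve relative links, drop fragments
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            return
        bucket = "internal" if parsed.netloc.lower() == self.host else "external"
        self.found[bucket].add(url)
        if parsed.path.lower().endswith(FILE_EXTS):
            self.found["files"].add(url)

    def handle_comment(self, data):                     # developer comments often leak paths
        self.found["comments"].append(data.strip())
        self.found["emails"].update(m.lower() for m in EMAIL_RE.findall(data))

    def handle_data(self, data):                        # visible text and inline script bodies
        self.found["emails"].update(m.lower() for m in EMAIL_RE.findall(data))


def extract_recon(html: str, base_url: str) -> Dict[str, List[str]]:
    parser = ReconParser(base_url)
    parser.feed(html)
    parser.close()
    return {k: sorted(v) if isinstance(v, set) else v for k, v in parser.found.items()}


def crawl(start_url: str, max_pages: int = 25, timeout: int = 10) -> Dict[str, List[str]]:
    """Breadth-first crawl restricted to the start host, merging the per-page results.
    Needs network access; the offline demo below does not call it."""
    merged = {"internal": set(), "external": set(), "files": set(),
              "scripts": set(), "emails": set(), "comments": []}
    queue, seen = [start_url], set()
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        req = urllib.request.Request(url, headers={"User-Agent": "recon-crawler-example"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if "html" not in resp.headers.get("Content-Type", ""):
                    continue
                page = extract_recon(resp.read().decode("utf-8", "replace"), url)
        except (urllib.error.URLError, ValueError):
            continue
        for key, values in page.items():
            merged[key].extend(values) if key == "comments" else merged[key].update(values)
        queue.extend(u for u in page["internal"] if u not in seen)
    return {k: sorted(v) if isinstance(v, set) else v for k, v in merged.items()}


# Constructed sample page (not a real site) exercising every artefact type
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script></head><body>
<!-- TODO: remove /old-admin before launch -->
<a href="/about">About</a> <a href="about">About again</a> <a href="/about#team">Team</a>
<a href="https://example.com/docs/handbook.pdf">Handbook</a>
<a href="https://cdn.partner.net/lib.js">Partner library</a>
<a href="mailto:Jane.Doe@example.com?subject=hi">Mail Jane</a>
<a href="#top">Top</a> <a href="javascript:void(0)">Noop</a>
<p>Contact ops@example.com for access.</p>
</body></html>"""

if __name__ == "__main__":
    for key, values in extract_recon(SAMPLE_HTML, "https://example.com/").items():
        print(f"{key}: {values}")
```

The three spellings of the About link collapse to one URL because relative links are resolved against the page and fragments are dropped, which is what keeps a crawl from looping; the external link and the CDN script are kept apart from internal ones so the crawler never leaves the target's host. Keep max_pages low and the User-Agent honest on real engagements: a crawler is active reconnaissance and will show up in the target's logs.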
FinalRecon
Python-based reconnaissance tool with modules for different tasks like SSL certificate checking, Whois information gathering, header analysis, and crawling
Commands
Installation
sudo apt install finalrecon
Usage
finalrecon --headers --url $url #Get the response headers (server, framework and security headers)
finalrecon --whois --url $url #Get the whois lookup information
finalrecon --crawl --url $url #Crawl the target
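The header-based fingerprinting that Whatweb and finalrecon --headers perform, as an added example (not code from the page or from either tool). The signature table is a constructed, deliberately small one, and the response is a constructed reply from a hypothetical PHP/WordPress site behind nginx; feed the function the output of curl -si $url to run it against a real target:

```python
import re
from typing import Dict, List, Tuple

# Constructed signature table: header name -> (regex on the value, technology). whatweb ships
# hundreds of such plugins; these few are enough to show how the matching works.
HEADER_SIGNATURES = {
    "server": [(r"nginx", "nginx"), (r"apache", "Apache httpd"),
               (r"microsoft-iis", "Microsoft IIS"), (r"cloudflare", "Cloudflare (proxy/WAF)")],
    "x-powered-by": [(r"php", "PHP"), (r"asp\.net", "ASP.NET"), (r"express", "Express (Node.js)")],
    "x-generator": [(r"drupal", "Drupal"), (r"wordpress", "WordPress")],
    "x-aspnet-version": [(r".", "ASP.NET")],
}
COOKIE_SIGNATURES = [
    (r"^phpsessid=", "PHP"), (r"^jsessionid=", "Java servlet container"),
    (r"^asp\.net_sessionid=", "ASP.NET"), (r"^csrftoken=", "Django"),
    (r"^laravel_session=", "Laravel"), (r"^wordpress_", "WordPress"),
]
SECURITY_HEADERS = ["strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options"]


def parse_raw_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response (as `curl -si` prints it) into the status line and
    (lowercased name, value) pairs; repeated headers such as Set-Cookie are all kept."""
    separator = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    lines = raw.split(separator, 1)[0].splitlines()
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def fingerprint(raw: str) -> Dict[str, List[str]]:
    """Technologies, version strings and missing hardening headers from one response."""
    _, headers = parse_raw_response(raw)
    techs, evidence = [], []
    for name, value in headers:
        for pattern, label in HEADER_SIGNATURES.get(name, []):
            if re.search(pattern, value, re.I):
                techs.append(label)
                evidence.append(f"{name}: {value}")
        if name == "set-cookie":                        # session cookie names betray the stack
            for pattern, label in COOKIE_SIGNATURES:
                if re.search(pattern, value, re.I):
                    techs.append(label)
                    evidence.append(f"set-cookie: {value.split(';')[0]}")
    present = {name for name, _ in headers}
    banner = " ".join(v for n, v in headers if n in ("server", "x-powered-by"))
    return {
        "technologies": sorted(set(techs)),
        "versions": re.findall(r"[A-Za-z.-]+/[0-9][0-9.]*", banner),   # product/version tokens
        "missing_security_headers": [h for h in SECURITY_HEADERS if h not in present],
        "evidence": evidence,
    }


# Constructed response from a hypothetical PHP/WordPress site behind nginx (not a real host)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head><title>Example</title></head><body></body></html>"
)

if __name__ == "__main__":
    for key, values in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {values}")
```

Version strings in Server and X-Powered-By are the most valuable output, since they go straight into a CVE search, but treat them as claims rather than facts: they are easy to remove or fake, and a proxy or WAF in front of the application (see wafw00f above) often replaces them with its own. The evidence list records which header produced each match so findings can be reproduced in the report.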