OSINT Tools 2
osintStart
- zoomeye
- sitelike
- scans
- Dorks-collections-list - List of Github repositories and articles with list of dorks for different search engines
- dorksearch - Fast google dork
shodan
- exposure
- faviconhasher
- Shodan Facet - recon website
- http.favicon.hash - Shodan search filter for matching hosts by favicon hash (http.favicon.hash:)
ip-test
- centralops
- spyonweb
- whoisxmlapi
- viewdns
- bgp.he.net
- shodan cli
- fav-up - IP lookup by favicon using Shodan
- testssl.sh - Testing TLS/SSL encryption anywhere on any port
- ipaddressguide - IP address, traceroute an IP address, convert IP address into decimal value or CIDR format, and so on for both IPv4 and IPv6 format.
Virtual Host Finding
dns
- dnsrecon
- host linux tool
- nslookup
- domaineye
- anslookup
- dns
- DNSStager
- singularity - A DNS rebinding attack framework.
- whonow - A “malicious” DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53)
- dns-rebind-toolkit - A front-end JavaScript toolkit for creating DNS rebinding attacks.
- dref - DNS Rebinding Exploitation Framework
- rbndr - Simple DNS Rebinding Service
- httprebind - Automatic tool for DNS rebinding-based SSRF attacks
- dnsFookup - DNS rebinding toolkit
DNS public name server
- nameserver
- fresh-dns-servers - Fresh DNS servers
internet-search-engine-discovery
- shodan.io
- shodan query - shodan basic query
- spyse
- censys
- fofa
- binary edge
subdomain-enumeration
- tlshelpers - A collection of shell scripts that help handling X.509 certificate and TLS issues
- crtfinder - Fast tool to extract all subdomains from crt.sh website. Output will be up to sub.sub.sub.subdomain.com with standard and advanced search techniques
- API-dnsdumpster.com - (Unofficial) Python API
Exception(web) subdomain enumeration
Find subdomain on GitHub
Find subdomains from the official DoD (Department of Defense) website
dns-bruteforce
osint
- DarkScrape - OSINT Tool For Scraping Dark Websites
- virustotal - Analyze suspicious files and URLs to detect types of malware, automatically share them with the security community
- RED_HAWK - All in one tool for Information Gathering, Vulnerability Scanning and Crawling. A must have tool for all penetration testers
- siteindices - siteindices
- udork.sh
- fav-up
- testssl - Testing TLS/SSL encryption anywhere on any port
- bbtz
- sonar search
- notify - Notify is a Go-based assistance package that enables you to stream the output of several tools (or read from a file) and publish it to a variety of supported platforms.
- email finder
- analytics relationships
- mapcidr
- ppfuzz
- cloud-detect
- interactsh
- bbrf
- spiderfoot - SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
- visualsitemapper - free service that can quickly show an interactive visual map of your site.
- jwt - JWT.IO allows you to decode, verify and generate JWT. Gain control over your JWTs
- bgp.he - Internet Backbone and Colocation Provider
- spyse - Find any Internet asset by digital fingerprints
- whoxy - whois database
http-probing
- httprobe - by tomnomnom
- httpx - by project discovery
- httpstatus - web version
subdomain-takeover
- subjack - Subdomain Takeover tool written in Go
- SubOver - A Powerful Subdomain Takeover Tool
- autoSubTakeover - A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible.
- NSBrute - Python utility to takeover domains vulnerable to AWS NS Takeover
- can-i-take-over-xyz - “Can I take over XYZ?” - a list of services and how to claim (sub)domains with dangling DNS records.
- Can-I-take-over-xyz-v2 - V2
- cnames - take a list of resolved subdomains and output any corresponding CNAMES en masse.
- subHijack - Hijacking forgotten & misconfigured subdomains
- tko-subs - A tool that can help detect and takeover subdomains with dead DNS records
- HostileSubBruteforcer - This app will bruteforce for existing subdomains and provide information if the 3rd party host has been properly set up.
- second-order - Second-order subdomain takeover scanner
- takeover - A tool for testing subdomain takeover possibilities at a mass scale.
web-screenshot
- EyeWitness - EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
- aquatone - Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
- screenshoteer - Make website screenshots and mobile emulations from the command line.
- gowitness - gowitness - a golang, web screenshot utility using Chrome Headless
- WitnessMe - Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
- eyeballer - Convolutional neural network for analyzing pentest screenshots
- scrying - A tool for collecting RDP, web and VNC screenshots all in one place
- Depix - Recovers passwords from pixelized screenshots
- httpscreenshot - HTTPScreenshot is a tool for grabbing screenshots and HTML of large numbers of websites.
cms-enumeration
- ObserverWard - Cross platform community web fingerprint identification tool
AEM
- aem-hacker
- cmseek - CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSs
- webanalyze - Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning.
- whatweb - Next generation web scanner
- wappalyzer - wappalyzer website
- wappalyzer cli - Identify technology on websites.
- builtwith - BuiltWith website
- builtwith cli - BuiltWith API client
- backlinkwatch - Website for backlink finding
- retirejs - scanner detecting the use of JavaScript libraries with known vulnerabilities
automation
- inventory - Asset inventory on public bug bounty programs.
- bugradar - Advanced external automation on bug bounty programs by running the best set of tools to perform scanning and finding out vulnerabilities.
- wapiti-scanner - Scan your website
- nuclei - Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.
- Nuclei-Templates-Collection - Nuclei templates collection
- the-nuclei-templates - Nuclei templates written by us.
- scant3r - ScanT3r - Module based Bug Bounty Automation Tool
- Sn1per - Automated pentest framework for offensive security experts
- metasploit-framework - Metasploit Framework
- nikto - Nikto web server scanner
- arachni - Web Application Security Scanner Framework
- jaeles - The Swiss Army knife for automated Web Application Testing
- retire.js - scanner detecting the use of JavaScript libraries with known vulnerabilities
- Osmedeus - Fully automated offensive security framework for reconnaissance and vulnerability scanning
- getsploit - Command line utility for searching and downloading exploits
- flan - A pretty sweet vulnerability scanner
- Findsploit - Find exploits in local and online databases instantly
- BlackWidow - A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website.
- backslash-powered-scanner - Finds unknown classes of injection vulnerabilities
- Eagle - Multithreaded Plugin based vulnerability scanner for mass detection of web-based applications vulnerabilities
- cariddi - Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more…
- kenzer - automated web assets enumeration & scanning
- ReScue - An automated tool for the detection of regexes’ slow-matching vulnerabilities.
File upload scanner
- fuxploider - File upload vulnerability scanner and exploitation tool.
Network Scanner
- openvas - Free software implementation of the popular Nessus vulnerability assessment system.
- vuls - Agentless vulnerability scanner for GNU/Linux and FreeBSD, written in Go.
- nexpose - Commercial vulnerability and risk management assessment engine that integrates with Metasploit, sold by Rapid7.
- nessus - Commercial vulnerability management, configuration, and compliance assessment platform, sold by Tenable.
Vulnerable Pattern Search
- gf - A wrapper around grep, to help you grep for things
- Gf-Patterns-Collection - More and more
wordpress
joomla
drupal
- droopescan - A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
cloud-enumeration
- s3-inspector - Tool to check AWS S3 bucket permissions
- S3-Recon - S3 RECON TIPS
- ScoutSuite
- slurp
- lazys3
- cloud_enum
- clovery
- gcpbucketbrute
- teh S3 bucketeers
Buckets
- S3Scanner - Scan for open AWS S3 buckets and dump the contents
- AWSBucketDump - Security Tool to Look For Interesting Files in S3 Buckets
- CloudScraper - CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.
- s3viewer - Publicly Open Amazon AWS S3 Bucket Viewer
- festin - FestIn - S3 Bucket Weakness Discovery
- s3reverse - Converts the various S3 bucket URL formats into one format, for bug bounty and security testing.
- mass-s3-bucket-tester - This tests a list of s3 buckets to see if they have dir listings enabled or if they are uploadable
- S3BucketList - Firefox plugin that lists Amazon S3 Buckets found in requests
- dirlstr - Finds Directory Listings or open S3 buckets from a list of URLs
- Burp-AnonymousCloud - Burp extension that performs a passive scan to identify cloud buckets and then test them for publicly accessible vulnerabilities
- kicks3 - S3 bucket finder from html,js and bucket misconfiguration testing tool
- 2tearsinabucket - Enumerate s3 buckets for a specific target.
- s3_objects_check - Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.
- s3tk - A security toolkit for Amazon S3
- CloudBrute - Awesome cloud enumerator
- s3cario - This tool will get the CNAME first if it’s a valid Amazon s3 bucket and if it’s not, it will try to check if the domain is a bucket name.
- S3Cruze - All-in-one AWS S3 bucket tool for pentesters.
github-secrets
- githacker
- git-hound
- gh-dork - Github dorking tool
- gitdorker - A Python program to scrape secrets from GitHub through usage of a large repository of dorks.
- github-endpoints
- git-secrets - Prevents you from committing secrets and credentials into git repositories
- gitleaks - Scan git repos (or files) for secrets using regex and entropy
- truffleHog - Searches through git repositories for high entropy strings and secrets, digging deep into commit history
- gitGraber - gitGraber: monitor GitHub to search and find sensitive data in real time for different online services
- talisman - By hooking into the pre-push hook provided by Git, Talisman validates the outgoing changeset for things that look suspicious - such as authorization tokens and private keys.
- GitGot - Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.
- git-all-secrets - A tool to capture all the git secrets by leveraging multiple open source git searching tools
- github-search - Tools to perform basic search on GitHub.
- git-vuln-finder - Finding potential software vulnerabilities from git commit messages
- commit-stream - #OSINT tool for finding Github repositories by extracting commit logs in real time from the Github event API
- gitrob - Reconnaissance tool for GitHub organizations
- repo-supervisor - Scan your code for security misconfiguration, search for passwords and secrets.
- GitMiner - Tool for advanced mining for content on Github
- shhgit - Ah shhgit! Find GitHub secrets in real time
- detect-secrets - An enterprise friendly way of detecting and preventing secrets in code.
- rusty-hog - A suite of secret scanners built in Rust for performance. Based on TruffleHog
- whispers - Identify hardcoded secrets and dangerous behaviours
- yar - Yar is a tool for plunderin’ organizations, users and/or repositories.
- dufflebag - Search exposed EBS volumes for secrets
- secret-bridge - Monitors Github for leaked secrets
- earlybird - EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.
GitHub dork wordlist
Git
- GitTools - A repository with 3 tools for pwn’ing websites with .git repositories available
- gitjacker - Leak git repositories from misconfigured websites
- git-dumper - A tool to dump a git repository from a website
- GitHunter - A tool for searching a Git repository for interesting content
- dvcs-ripper - Rip web accessible (distributed) version control systems: SVN/GIT/HG…
email-hunting
- GHunt - Investigate Google emails and documents.
- infoga - Infoga - Email OSINT
- reconspider - Most Advanced Open Source Intelligence (OSINT) Framework for scanning IP Address, Emails, Websites, Organizations.
- theHarvester - E-mails, subdomains and names Harvester - OSINT
- hunter
- phonebook
- voilanorbert
- verifyemailaddress
- email-checker
- Clearbit-Connect
data-breach
web-wayback
- waymore - Find way more from the Wayback Machine!
- sigurlfind3r - A passive reconnaissance tool for known URLs discovery - it gathers a list of URLs passively using various online sources
- waybackurls - Fetch all the URLs that the Wayback Machine knows about for a domain
- gau - Fetch known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl.
- gauplus - A modified version of gau
- waybackpy - Wayback Machine API Python interfaces and CLI tool.
- chronos - Extract pieces of info from a web page’s Wayback Machine history
Replace parameter value
- bhedak - A replacement of “qsreplace”, accepts URLs as standard input, replaces all query string values with user-supplied values and stdout.
Find reflected params
- gxss - A tool to check a bunch of URLs that contain reflecting params.
- freq - A Go CLI tool for sending many GET HTTP requests quickly.
- bxss - A Blind XSS Injector tool
Find js file from waybackurls.txt
Automatically put parameter values
Declutter URL lists
ports-scanning
- masscan - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
- RustScan - The Modern Port Scanner
- naabu - A fast port scanner written in go with focus on reliability and simplicity.
- nmap - Nmap - the Network Mapper. Github mirror of official SVN repository.
- sandmap - Nmap on steroids. Simple CLI with the ability to run pure Nmap engine, 31 modules with 459 scan profiles.
- ScanCannon - Combines the speed of masscan with the reliability and detailed enumeration of nmap
- unimap
Brute-Forcing from Nmap output
waf
- wafw00f
- cf-check
- w3af - w3af: web application attack and audit framework, the open source web vulnerability scanner.
Waf bypass
- bypass-firewalls-by-DNS-history - Firewall bypass script based on DNS history records. This script will search for DNS A history records and check if the server replies for that domain. Handy for bugbounty hunters.
- CloudFail - Utilize misconfigured DNS and old database records to find hidden IPs behind the CloudFlare network
directory-search
- gobuster - Directory/File, DNS and VHost busting tool written in Go
- recursebuster - rapid content discovery tool for recursively querying webservers, handy in pentesting and web application assessments
- feroxbuster - A fast, simple, recursive content discovery tool written in Rust.
- dirsearch - Web path scanner
- dirsearch - A Go implementation of dirsearch.
- filebuster - An extremely fast and flexible web fuzzer
- dirstalk - Modern alternative to dirbuster/dirb
- dirbuster-ng - dirbuster-ng is C CLI implementation of the Java dirbuster tool
- gospider - Gospider - Fast web spider written in Go
- hakrawler - Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application
Fuzzing
- ffuf - Fast web fuzzer written in Go
- wfuzz - Web application fuzzer
- fuzzdb - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
- IntruderPayloads - A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.
- fuzz.txt - Potentially dangerous files
- fuzzilli - A JavaScript Engine Fuzzer
- fuzzapi - Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem
- qsfuzz - qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities.
hidden-file-or-directory
18-03-22
- relative-url-extractor - A small tool that extracts relative URLs from a file.
- virtual-host-discovery - A script to enumerate virtual hosts on a server.
JS
- linx - Reveals invisible links within JavaScript files
- diffJs - Tool for monitoring changes in javascript files on WebApps for reconnaissance.
- scripthunter - Tool to find JavaScript files on Websites
Metadata
- exiftool - ExifTool meta information reader/writer
- earlybird - EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.
- DumpsterDiver - Tool to search secrets in various filetypes.
- ChopChop - ChopChop is a CLI to help developers scanning endpoints and identifying exposition of sensitive services/files/folders.
- gospider - Fast web spider written in Go
- gobuster - Directory/File, DNS and VHost busting tool written in Go
- jwsxploiter - A tool to test security of json web token
- bfac - BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application’s source code.
- linkfinder - A python script that finds endpoints in JavaScript files
- secretfinder - A Python script to find sensitive data (API keys, access tokens, JWTs, ...) and search for anything in JavaScript files
- JSParser - A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests when performing security research or bug bounty hunting.
Broken link
- broken-link-checker - Find broken links, missing images, etc within your HTML.
- brokenlinkhijacker - A Fast Broken Link Hijacker Tool written in Python
parameter-finder
- paramspider - Mining parameters from dark corners of Web Archives
- parameth - This tool can be used to brute discover GET and POST parameters
- param-miner - This extension identifies hidden, unlinked parameters. It’s particularly useful for finding web cache poisoning vulnerabilities.
- ParamPamPam - This tool for brute discover GET and POST parameters.
- Arjun - HTTP parameter discovery suite.
Delete duplicates from wayback output
- dpfilter - BugBounty: sort and delete duplicate parameter values without losing the original values
bypass-forbidden-directory
- dirdar - DirDar is a tool that searches for (403 Forbidden) directories, tries to break the restriction and get a directory listing
- 4-ZERO-3 - 403/401 Bypass Methods
- byp4xx - Python script for HTTP 40X responses bypassing. Features: Verb tampering, headers, #bugbountytips tricks and 2454 User-Agents.
- 403bypasser - 403bypasser automates techniques used to bypass access control restrictions on target pages. This tool will continue to be developed, contributions are welcome.
wordlists-payloads
- bruteforce-lists - Some files for bruteforcing certain things.
- CheatSheetSeries - The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
- Bug-Bounty-Wordlists - A repository that includes all the important wordlists used while bug hunting.
- seclists - SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
- Payload Box - Attack payloads only
- awesome-wordlists - A curated list of wordlists for bruteforcing and fuzzing
- Fuzzing-wordlist - fuzzing-wordlists
- Web-Attack-Cheat-Sheet - Web Attack Cheat Sheet
- payloadsallthethings - A list of useful payloads and bypasses for Web Application Security and Pentest/CTF
- pentestmonkey - Taking the monkey work out of pentesting
- STOK suggest
- SecUtils - Random utilities from my security projects that might be useful to others
- webshell - This is a webshell open source project
- OneListForAll - Rockyou for web fuzzing
- english-words - A text file containing 479k English words for all your dictionary/word-based projects e.g: auto-completion / autosuggestion
Exceptional
- Web-Sec-CheatSheet
- wordlists - Automated & Manual Wordlists provided by Assetnote
- fuzzdb - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
- WordList
- Commodity-Injection-Signatures - Commodity Injection Signatures, Malicious Inputs, XSS, HTTP Header Injection, XXE, RCE, Javascript, XSLT
miscellaneous
- hack-tools
- httpmethods - HTTP verb tampering & methods enumeration
- awesome oscp
- maltego
- owtf
- site broker
- explo
- big bounty
- awesome bug bounty tools
- awesome web hacking
- awesome open source
- cerbrutus
- radamsa
- reconmaster
- unicode-converter - Unicode Converter Decimal, text, URL, and unicode converter
- breport - Bounty report generator
- hackerone 100 tools - Hackerone 100 tools for hacker
- Nmap-For-Pentester - Hunt the vulnerabilities with “Nmap”.
social-engineering
- social-engineer-toolkit - The Social-Engineer Toolkit (SET) repository from TrustedSec - All new versions of SET will be deployed here.
Uncategorized
- JSONBee - A ready to use JSONP endpoints/payloads to help bypass content security policy (CSP) of different websites.
- CyberChef - The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
- bountyplz - Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported)
- awesome-vulnerable-apps - Awesome Vulnerable Applications
- XFFenum - X-Forwarded-For [403 forbidden] enumeration
scripts
- awesome-bughunting-oneliners - A list of Awesome Bughunting oneliners , collected from the various sources
- awesome-oneliner-bugbounty - A collection of awesome one-liner scripts especially for bug bounty tips.
- bbtips - BugBountyTips
- oneliner-bugbounty - oneliner commands for bug bounties
- One-Liner-Scripts - A collection of awesome one-liner scripts for bug bounty hunting.
API_key
- keyhacks - Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they’re valid.
- gmapsapiscanner - Used for determining whether a leaked/found Google Maps API Key is vulnerable to unauthorized access by other applications or not.
Code_review
- phpvuln - Audit tool to find common vulnerabilities in PHP source code
log-file-analyze
programs
- disclose - Open-source vulnerability disclosure and bug bounty program database.
- bug bounty dork - List of Google Dorks for sites that have responsible disclosure program / bug bounty program
- crunchbase - Discover innovative companies and the people behind them
- bounty-targets-data - This repo contains hourly-updated data dumps of bug bounty platform scopes (like Hackerone/Bugcrowd/Intigriti/etc) that are eligible for reports
- Vdps_are_love - This repo is made for those hunters who love to hunt on VDP programs. List of Vdp programs which are not affiliated with known bug bounty platforms such as HackerOne or Bugcrowd.
- chaos - We actively collect and maintain internet-wide assets’ data, this project is meant to enhance research and analyse changes around DNS for better insights.
- bug-bounty-list - The most comprehensive, up to date crowdsourced list of bug bounty and security vulnerability disclosure programs from across the web curated by the hacker community.
burp-suite-extension
- Active scan ++
- Content Type Converter
- Param miner
- Logger ++
- Turbo intruder
- Upload scanner
- Reflected parameters
- Collaborator everywhere
- Backslash powered scanner
- Software version Reporter
- Software vulnerability scanner
- Autorize
- HTTP request smuggler
- Flow
- Hunt
- Burp Bounty
- Taborator
- Add custom header
- command injection attacker
- BurpSuite-Xkeys - A Burp Suite Extension to extract interesting strings (key, secret, token, or etc.) from a webpage.
- Admin-Panel_Finder - A burp suite extension that enumerates infrastructure and application admin interfaces (OTG-CONFIG-005)
- x8-Burp - Hidden parameters discovery suite
- burp-extensions - Burp Extensions
- inql - InQL - A Burp Extension for GraphQL Security Testing
- ip-rotate - Extension for Burp Suite which uses AWS API Gateway to rotate your IP on every request.
- saml-raider - SAML2 Burp Extension
- jwt-editor - A Burp Suite extension and standalone application for creating and editing JSON Web Tokens. This tool supports signing and verification of JWS, encryption and decryption of JWE and automation of several well-known attacks against applications that consume JWT.
Burp suite pro
- Burp-Suite - || Activate Burp Suite Pro with Loader and Key-Generator ||
DOS
- slowhttptest - Application Layer DoS attack simulator
Websocket
- STEWS - A Security Tool for Enumerating WebSockets
Smart-Contract
- mythril - Security analysis tool for EVM bytecode. Supports smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains.