- Craal (GitHub, Pastebin, S3 Buckets, Protoxin, CertStream): https://github.com/jaylagorio/craal
- Semi-automatic OSINT framework and package manager: https://github.com/kpcyrd/sn0int
Domain Related Tools
- Domain Registrations
- Similar websites
- Generates permutations, alterations and mutations of subdomains and then resolves them: https://github.com/infosec-au/altdns
- Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.
- SubFinder is a subdomain discovery tool that discovers valid subdomains for websites: https://github.com/subfinder/subfinder
- Knockpy is a Python tool designed to enumerate subdomains on a target domain through a wordlist: https://github.com/guelfoweb/knock
- Abusing Certificate Transparency logs to get the subdomains of HTTPS websites: https://github.com/UnaPibaGeek/ctfr
- Source Code Analysis
- Analytic ID cross referencing
- SSL Certificates
- Whois API
- OSINT tool for visualizing relationships between domains, IPs and email addresses: https://hackernoon.com/osint-tool-for-visualizing-relationships-between-domains-ips-and-email-addresses-94377aa1f20a
Subdomain to IP
- Bouncing through an old expired domain. Trusted in all lists.
- With a single target domain URL, enumerate subdomains.
- Subdomains > IP addresses > ARIN crawl for more CIDRs.
Performs OSINT scan on email/domain/ip_address/organization.
- Find compromised NoSQL systems from Shodan JSON export: https://gist.github.com/n0x08/39c4fef373d0ac02d61da5d1d3865ce5
- Buscador Investigative Operating System: https://inteltechniques.com/buscador/
visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
- EyeWitness - take screenshots of websites, provide some server header info, and identify default credentials if possible: https://github.com/FortyNorthSecurity/EyeWitness