Pentest - Information gathering tools
Below are some tools you can use for information gathering while performing a penetration test:
Online
Google dorks: from Hackers for Charity and from the Exploit Database
IP-address: free IP address lookup
Netcraft: what is that site running?
SHODAN: search engine for all connected objects around the world (even fridges)
Threat Agent: collects information from open sources (seems to be down?)
Wolfram|Alpha: compute answers and provide knowledge
YouGetSignal: collection of uncomplicated, powerful network tools
*Nix
amap: identifies applications running on a port (default or not) using its signature database
apache-users: Apache user enumeration
arachni: audit tool that performs vulnerability assessment
Automater: retrieves information about a domain from different web sources (IP, age, geolocation, country, DNS)
bed: checks daemons for potential buffer overflows
bing-ip2hosts: (tries to) retrieve all domain names hosted on an IP, or on another domain, using the Bing search engine
BlindElephant: fingerprints web apps by comparing hashes of static files
braa: SNMP mass scanner, like snmpwalk, snmpget or snmpcheck, but can scan many hosts at the same time (OID required)
dirb: looks for hidden directories
dirbuster: looks for hidden directories and files
doona: improved bed tool
Burp Suite: Java integrated platform for performing security testing of web applications
cdpsnarf: intercepts CDP packets (Cisco Discovery Protocol)
CeWL: creates word lists by spidering a website
cisco-torch: Cisco router exploitation tool, scanning and brute force
dig: DNS lookup utility
discover: aggregator of different information gathering tools; generates an HTML report
dmitry: email, subdomain, whois and port scan for a given domain
dnsenum: enumerates subdomains and other domain-related information
dnsmap: performs DNS enumeration
dnsrecon: performs DNS enumeration
dnstracer: follows the chain of DNS servers for a given query
dnswalk: performs DNS zone transfers
enum4linux: wrapper around the Samba information gathering tools
Fierce: DNS Enumeration
fimap: local/remote file inclusion exploitation tool
Firewalk: active reconnaissance network security tool that attempts to determine which layer 4 protocols a given IP forwarding device will pass
goofile: searches Google for files of a given type on a given domain
GoLismero: performs passive/active scans and vulnerability assessment
Halberd: discovers web servers behind load balancers
hping: improved ping; traceroute, firewall testing, port scanning, OS fingerprinting, file transfer
host: DNS lookup utility
HTTrack: website copier
intrace: traceroute-like tool
iSMTP: SMTP user enumeration
knock: Python tool designed to enumerate subdomains
load balancing detector: detects whether a given domain uses load balancing
lynis: security auditing tool that performs local configuration tests
Maltego: gathers information about people, emails, domains, social networks…
masscan: performs port scans like nmap but much faster
Metagoofil: extracts metadata from public documents
Metasploit: “world’s most used penetration testing software”
Nessus: vulnerability scanner
NeXpose: vulnerability management solution
nmap: network exploration tool and security / port scanner
nslookup: query Internet name servers interactively
onesixtyone: simple SNMP scanner
openvas-scanner: security auditing tool used for testing remote systems
p0f: identifies the parties behind TCP/IP communications
Paros: Java-based HTTP/HTTPS proxy for assessing web application vulnerabilities
parsero: tests robots.txt entries (can even search Bing)
pdfinfo: PDF information extractor
ping: send packets to network hosts
recon-ng: web reconnaissance framework written in Python
smtp-user-enum: username guessing tool
snmpcheck: SNMP service enumeration
snmpenum: powerful SNMP enumeration tool
SSLScan: SSL port scanner
sslyze: analyzes SSL configuration
telnet: interactive communication
theHarvester: gathers information from social networks and search engine results
tlssled: checks SSL/TLS versions (based on sslscan)
traceroute & tcptraceroute: print the route packets take to a network host
URLCrazy: generates domain names based on letter permutations of a given domain name and tries to resolve them
WebScarab: Java framework for analysing applications that use HTTP and HTTPS
wget: non-interactive network downloader
WhatWeb: web scanner to identify what websites are running
whois: returns domain name information
Xplico: network traffic analyzer
zaproxy: proxy tool used to find vulnerabilities, can perform scans and fuzzing
Windows
FOCA: finds metadata and hidden information in the documents it scans
NeoTrace: visual traceroute program
Website Ripper Copier: website downloader software to save website data
Xcode Exploit Scanner: helps you gather dork links from Google
to be continued…