reddit hackernews mail facebook facebook linkedin

Pentest - Information gathering tools

Below some tools you can use for information gathering while performing a penetration test:


googledorks from Hackers for Charity and  from the Exploit Database

IP-address: free IP Address Lookup

Netcraft: what is that site running?

SHODAN: search engine for all connected object around the world (even fridges)

Threat Agent: collect informations from open sources (seems to be down?)

Wolfram|Alpha:  compute answers and provide knowledge

YouGetSignal:  collection of uncomplicated, powerful network tools


amap: identify applications running on a port (default or not) with his database signature

apache-users: Apache users enumeration

arachni: audit tools that performs vulnerabilites assessment

Automater: retrieve information of a domain from different web sources (ip, age, geoloc, country, dns)

bed: check daemons for potential buffer overflows

bing-ip2hosts: (try to) retrieve all domain name hosted by an ip or another domain from Bing search engine

BlindElephant: fingerprint web app by comparing static files hash

braa: snmp mass scanner, like snmpwalk or snmpget or snmpcheck but can scan many host in the same time (oid required)

dirb: looks for hidden directories

dirbuster: looks for hidden directories and files

doona: improved bed tool

Burp Suite: java integrated platform for performing security testing of web applications

cdpsnarf: intercepts CDP packets (Cisco Discovery Protocol)

CeWL: create word lists by spidering a website

cisco-torch: cisco router exploitation tools, scans and brute force

dig: DNS lookup utility

discover: aggregator of different information gathering tools, discover generates html report

dmitry: email, subdomain, whois, port scan for a given domain

dnsenum: enumerate subdomains and other domain related information

dnsmap: perform dns enumeration

dnsrecon: perform dns enumeration

dnstracer: follows the chain of a given dns server

dnswalk: perform dns zone transfer

enum4linux: wrapper of samba information gathering tools

Fierce: DNS Enumeration

fimap: local/remote file inclusion exploitation tool

Firewalk: an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.

goofile: search filetype of a given domain on Google

GoLismero: perform passive/active scan and vulnerabilities assessment

Halberd: discover web servers behind load balancers

hping: improved ping, traceroute, firewall testing, port scanning, os fingerprinting, send file

host: DNS lookup utility

HTTrack: website copier

intrace: traceroute like

iSMTP: smtp user enumeration

knock: python tool designed to enumerate subdomains

load balancing detector: detects if a given domain uses load balancing

lynis: security auditing tools who performs local configuration tests

Maltego: gather informations about persons, emails, domain, social networks…

masscan: perform port scan like nmap but really faster

Metagoofil: extract metadata of public documents

Metasploit: “world’s most used penetration testing software”

Nessus: vulnerability scanner

NeXpose: vulnerability management solution

nmap: network exploration tool and security / port scanner

nslookup: query Internet name servers interactively

onesixtyone: simple SNMP scanner

openvas-scanner: security auditing tool used for testing remote systems

p0f: identify the players behind tpc/ip communications

Paros: java based HTTP/HTTPS proxy for assessing web application vulnerability

parsero: test robots.txt entries (can even search in Bing)

pdfinfo: PDF information extractor

ping: send packets to network hosts

recon-ng: web reconnaissance framework written in Python

smtp-user-enum: username guessing tool

snmpcheck: snmp service enumeration

snmpenum: powerful Snmp Enumeration tool

SSLScan: SSL port scanner

sslyze: analyze ssl configuration

telnet: interactive communication

theHarvester: gather informations on social networks and search engines results

tlssled: check ssl/tls version (based on sslscan)

traceroute & tcptraceroute: print the route packets trace to network host

URLCrazy: generate domain names based on letter permutation of a given domain name and try to resolve them

WebScarab: java framework for analysing applications who use HTTP and HTTPS

wget: non-interactive network downloader

WhatWeb: web scanner to identify what websites are running

whois: returns domain name informations

Xplico: network tool analyzer

zaproxy: proxy tool used to find vulnerabilities, can perform scans and fuzzing


FOCA:  find metadata and hidden information in the documents its scans

NeoTrace: visual traceroute program

Website Ripper Copier:  website downloader software to save website data

Xcode Exploit Scanner:  help you to gather the dorks link from Google

to be continued…

External resources