Reconnaissance & OSINT

Network mapping and attack surface discovery tool. Finds subdomains and IPs.

Find usernames across multiple social networks. Ideal for OSINT investigations.

Directory/file, DNS and vhost brute-forcing tool written in Go.

Fast web fuzzer written in Go. Ideal for discovering directories and parameters.

Link analysis and data enrichment tool. Visualizes relationships between people, domains and emails.

Search engine for Internet-connected devices. Find servers, routers, webcams and more.

Full-featured web reconnaissance framework designed to gather information from open sources quickly.

Automated OSINT reconnaissance platform with over 200 data sources. Integrates Shodan, VirusTotal and HaveIBeenPwned.

Collection of free OSINT tools organized by categories. Essential starting point.

Tool for gathering emails, subdomains, IPs and URLs using multiple public data sources.

Fast passive subdomain discovery tool. Uses multiple data sources.

Visual inspection tool of websites for pentesting. Generates screenshots of hosts.

Search platform that continuously scans the Internet to find exposed devices and services.

Ultra-fast web crawler designed for OSINT. Extracts URLs, emails, files and more.

Fast and multipurpose HTTP toolkit. Probes web services and extracts information.

Fast port scanner written in Go. Designed for large-scale scans.

Fetches known URLs for a domain from Wayback Machine.

Fetches known URLs from AlienVault OTX, Wayback Machine and Common Crawl.

Finds domains and subdomains related to a given domain.