# Active and Passive Reconnaissance Tips and Tools

## Passive Recon

### Website Exploration and "Google Hacking"

* censys - https://censys.io
* Spyse - https://spyse.com
* netcraft - https://searchdns.netcraft.com
* Google Hacking Database (GHDB) - https://www.exploit-db.com/google-hacking-database
* ExifTool - https://www.sno.phy.queensu.ca/~phil/exiftool
* Certificate Search - https://crt.sh/
* Huge TLS/SSL certificate DB with advanced search - https://certdb.com
* Google Transparency Report - https://transparencyreport.google.com/https/certificates
* SiteDigger - http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

### Social Media

* A tool to scrape LinkedIn - https://github.com/dchrastil/TTSL
* cree.py - http://ilektrojohn.github.com/creepy

### Whois

WHOIS information is organized as a tree hierarchy. ICANN (IANA) is the authoritative registry for all of the TLDs and is a good starting point for all manual WHOIS queries; the regional Internet registries (RIRs) below hold the allocations for their regions.

* ICANN - http://www.icann.org
* IANA - http://www.iana.com
* NRO - http://www.nro.net
* AFRINIC - http://www.afrinic.net
* APNIC - http://www.apnic.net
* ARIN - http://ws.arin.net
* LACNIC - http://www.lacnic.net
* RIPE - http://www.ripe.net

### BGP Looking Glasses

* BGP4 - http://www.bgp4.as/looking-glasses
* BGP6 - http://lg.he.net/

### DNS

* dnsenum - http://code.google.com/p/dnsenum
* dnsmap - http://code.google.com/p/dnsmap
* dnsrecon - http://www.darkoperator.com/tools-and-scripts
* dnstracer - http://www.mavetju.org/unix/dnstracer.php
* dnswalk - http://sourceforge.net/projects/dnswalk

### Dark Web Research

* [Search Engines for Academic Research](https://www.itseducation.asia/deep-web.htm)
* See additional information under the [OSINT Dark Web OSINT Tools section](https://github.com/The-Art-of-Hacking/h4cker/tree/master/osint#dark-web-osint-tools)

### Other Great Intelligence Gathering Sources and Tools

* Resources from Pentest-standard.org - http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Intelligence_Gathering
## Active Recon

* [Tons of references to scanners and vulnerability management software for active reconnaissance](http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Vulnerability_Analysis)
* [nmap cheat sheet](https://github.com/The-Art-of-Hacking/h4cker/blob/master/cheat_sheets/NMAP_cheat_sheet.md)
* [nikto](https://learning.oreilly.com/interactive-lab/ethical-hacking-web/9780137673469X003/)
* [nuclei](https://github.com/The-Art-of-Hacking/h4cker/blob/master/cheat_sheets/NMAP_cheat_sheet.md)
* [OWASP ZAP](https://www.zaproxy.org)