Identify subdomains and map external attack surfaces using automated discovery and reconnaissance security utilities.
Strix is an automated security research and vulnerability scanning platform that leverages language models to orchestrate complex security analysis tasks. It functions as a comprehensive framework for penetration testing and continuous security integration, allowing users to embed automated vulnerability research directly into development pipelines or execute it within isolated, containerized environments. The platform distinguishes itself through a multi-agent orchestration engine that coordinates specialized autonomous agents to perform parallel security assessments. By integrating LLM-agnostic routing, it supports a wide range of local and cloud-based model providers, enabling users to tailor analysis depth and reasoning capabilities to their specific security requirements. This orchestration is complemented by the ability to inject structured knowledge packages into agents, allowing for highly targeted vulnerability research and customized testing methodologies. The system provides a broad capability surface that combines static code analysis with dynamic runtime testing. It includes integrated headless browser automation for simulating user behavior, proxy-based traffic interception for inspecting and replaying network communication, and infrastructure mapping tools for reconnaissance. These features are unified within a sandboxed environment that supports custom script execution, terminal access, and real-time telemetry export for auditing and reporting. The project is designed for integration into existing development workflows, offering features like incremental codebase analysis, secret detection, and pipeline-native exit code reporting. It provides a centralized interface for managing scan intensity, authenticated testing, and the generation of structured security reports with proof-of-concept evidence.
Strix is an automated security research platform that includes infrastructure mapping and reconnaissance capabilities, making it a relevant tool for identifying and analyzing an organization's external attack surface.
afrog is an HTTP vulnerability scanner and web vulnerability management system that identifies security flaws and known CVEs using a YAML-based rule engine. It functions as a payload generator and scanner, comparing server responses against detection rules to find unauthorized access points. The project provides a framework for out-of-band security testing, detecting blind vulnerabilities by triggering and verifying external DNS or HTTP callbacks. Beyond web traffic, it includes a protocol fuzzer capable of executing multi-step read and write sequences over raw TCP and SSL sockets to identify flaws in non-HTTP services. The system covers a broad range of security capabilities, including network service discovery, dictionary-based brute forcing, and HTTP protocol fuzzing. It supports dynamic variable injection for payload construction, regex-based data extraction from responses, and the ability to store results in a database or export them as HTML and JSON reports.
This tool is a vulnerability scanner and management system that includes network service discovery and port scanning, making it a relevant component for attack surface assessment even though it lacks dedicated subdomain enumeration features.
Nmap is a command-line network security scanner and reconnaissance framework designed for infrastructure mapping and security auditing. It functions as a packet crafting utility that probes target systems to identify active hosts, detect open ports, and determine the services and operating systems running on a network. The tool distinguishes itself through its ability to perform raw socket packet injection and stateful connection tracking, allowing it to bypass standard operating system networking stacks. It utilizes an asynchronous concurrency model to manage large-scale network scans and employs specialized packet manipulation techniques to evade firewalls and intrusion detection systems. Beyond basic discovery, the software integrates a scripting engine that enables users to automate complex network tasks, perform deep service interrogation, and conduct vulnerability assessments. It relies on signature-based identification and TCP/IP stack fingerprinting to provide detailed analysis of remote hardware and software configurations.
While this is a powerful network security scanner capable of port scanning and service discovery, it is a low-level infrastructure auditing tool rather than an attack surface management platform designed for subdomain enumeration and visual mapping of an organization's external footprint.
Masscan is a command-line network scanner designed for large-scale discovery and infrastructure reconnaissance. It identifies open ports across specific network segments or the entire internet by probing vast address ranges with high efficiency. The tool functions as an asynchronous packet engine, bypassing standard operating system kernel networking stacks to transmit raw packets directly from application memory. The project distinguishes itself through a specialized architecture that manages millions of concurrent connections by separating packet transmission and reception into independent execution threads. It utilizes a stateless, index-based mathematical algorithm to randomize target selection, ensuring probes are distributed unpredictably across address spaces. To maintain consistent performance and prevent network congestion, the scanner employs a high-precision timer to regulate transmission rates and uses zero-copy buffer management to minimize memory overhead. The software provides a platform-agnostic interface for raw network access, allowing it to operate consistently across different hardware and operating system environments. It supports the export of collected reconnaissance data into structured formats such as XML, JSON, or plain text for further analysis. The application is distributed as a portable utility, with its core codebase maintained through standardized string handling and automated testing.
This is a high-performance network port scanner used for infrastructure discovery, but it lacks the subdomain enumeration and visual dashboard features required for a comprehensive attack surface management platform.
RustScan is a high-speed TCP network scanner written in Rust, designed for security reconnaissance and network mapping. It functions as an automated port discovery engine that identifies open ports on remote hosts specified as IPv6 addresses, CIDR ranges, or bulk input files. The tool is built for rapid surface area discovery, utilizing parallel port processing and OS-aware performance optimizations to identify active services. It allows for scan precision tuning through adjustable connection timeout thresholds and concurrent request controls to balance speed and accuracy. The system integrates with external security toolchains by piping discovered port data into shell scripts and third-party programs for automated vulnerability analysis. It also supports global configuration profiles to maintain consistent parameters across multiple executions.
This is a high-speed port scanner that serves as a specialized building block for network reconnaissance, but it lacks the subdomain enumeration and visual dashboard features required for a comprehensive attack surface management platform.
Naabu is a port scanner library and tool that probes hosts for open ports using SYN, CONNECT, and UDP methods to identify active services. It functions as a Go library for embedding port scanning into programs, and as a standalone tool that accepts targets as hostnames, IP addresses, CIDR ranges, or AS numbers. The tool discovers live hosts before scanning, filters ports by range or top lists, and can integrate with Nmap for service version detection. The project distinguishes itself through its SYN-based port probing approach that sends TCP SYN packets and analyzes responses without completing the full handshake, enabling faster scans. It supports passive port enumeration through external services like Shodan InternetDB, and can exclude CDN or WAF IPs from full scans. Naabu also provides a REST API for programmatic scan triggering, configuration management, and result export, alongside the ability to embed port scanning directly into Go programs with callback-based result handling. The tool covers host discovery, port scanning, and service detection across multiple input formats and output options. It includes features for filtering scan targets, rescanning completed scans, and exposing scan metrics via HTTP. The project is available as a command-line tool and as a Go library, with support for Docker deployment.
This tool is a specialized port scanner and host discovery utility that serves as a building block for reconnaissance, but it lacks the broader attack surface mapping and visual dashboard capabilities required for a comprehensive management platform.
Maskphish is a comprehensive security toolkit that integrates capabilities for digital forensics, network vulnerability scanning, open-source intelligence, penetration testing, and social engineering. It functions as a multi-purpose framework for automating reconnaissance and executing security audits across diverse network environments. The project features a specialized phishing and social engineering toolkit used for cloning websites, masking URLs, and deploying deceptive pages to capture user credentials. It also includes a remote access Trojan builder for generating platform-specific executables and mobile application packages to establish remote command sessions. The framework covers a broad surface of capabilities, including web application penetration testing, OSINT reconnaissance, memory and disk forensics, and wireless network auditing. It provides tools for payload generation, credential theft, and the automation of information gathering from public data sources. This project is implemented primarily as a shell-based application.
This tool focuses on offensive social engineering, phishing, and payload generation rather than the systematic mapping and visualization of an organization's external attack surface.
httpx is a suite of tools and libraries for HTTP reconnaissance, infrastructure discovery, and DNS resolution. It functions as a command line toolkit for extracting metadata and status codes from HTTP targets and CIDR ranges, as well as a Go library for integrating these probing capabilities into custom programs. The project distinguishes itself through specialized infrastructure profiling, using TLS fingerprinting to extract JARM hashes and certificate details. It identifies underlying components such as CDN usage, Autonomous System Numbers, and CNAMEs to map web server software and infrastructure profiles. The toolkit covers broad capability areas including automated web probing, DNS resolution via DoH, TCP, and UDP, and security posture analysis of certificates and headers. It also manages HTTP authentication testing using Bearer tokens and BasicAuth, and employs retry logic and backoff strategies to navigate network obstacles. The project supports execution through containerized images for consistent deployment across operating systems.
This is a specialized HTTP probing and infrastructure discovery toolkit that serves as a powerful building block for reconnaissance, but it lacks the integrated visual dashboard and comprehensive attack surface mapping required for a full management platform.