Discover open-source utilities for gathering intelligence on individuals and domains through comprehensive digital footprint analysis.
Subfinder is a passive subdomain enumeration tool and DNS asset discovery utility designed for mapping the external attack surface of a domain. It functions as a passive reconnaissance framework that identifies subdomains by querying curated third-party data sources and APIs without interacting directly with the target infrastructure. The tool utilizes a modular provider interface to integrate various passive sources and employs concurrent request orchestration to manage simultaneous network queries. It includes wildcard DNS filtering to identify and remove catch-all records, ensuring the resulting list contains unique and valid hosts. The utility is designed for security toolchain integration, supporting pipeline-based data streaming through standard input and output chaining. It provides capabilities for multi-format result export and includes a software development kit to embed the enumeration engine into other applications.
Subfinder is a specialized reconnaissance tool that excels at domain enumeration and API-based data collection, serving as a core utility for the infrastructure discovery portion of an OSINT workflow.
This project is an open-source intelligence reconnaissance framework and recursive attack surface mapper. It functions as a containerized security scanner designed to map public-facing infrastructure, perform subdomain enumeration, and automate the gathering of open-source intelligence. The system employs a recursive discovery engine to iteratively explore target infrastructure, utilizing a plugin-based module architecture to extend scanning capabilities. It integrates third-party APIs for data enrichment and applies YARA rules across discovered assets to identify specific vulnerability patterns. The framework covers a broad range of reconnaissance activities, including web application scanning, email address enumeration, and public infrastructure mapping. It maintains a state-persistent asset inventory and provides capabilities for web screenshot capture, parameter extraction, and real-time event streaming. Data is managed through an event-driven pipeline that supports external data export to databases and logging platforms, as well as notification delivery via webhooks to chat platforms.
This framework is a comprehensive OSINT reconnaissance tool that automates domain enumeration, infrastructure mapping, and data enrichment through a modular, plugin-based architecture with robust API and CLI support.
Anubis is a command-line security reconnaissance framework designed for subdomain enumeration and attack surface mapping. It functions as a utility for security professionals to identify, catalog, and visualize the external digital footprint of an organization by discovering all subdomains associated with a target domain. The tool distinguishes itself through a modular resolver pipeline that integrates passive reconnaissance from third-party security APIs and public certificate transparency logs. It combines this data with active discovery methods, including recursive DNS brute-forcing and algorithmic pattern-based permutation generation, to uncover hidden infrastructure that is not publicly indexed. To maintain efficiency during large-scale assessments, the software utilizes asynchronous concurrent scanning to perform thousands of simultaneous DNS lookups. A built-in deduplication engine normalizes and filters these results to provide a clean, unique list of discovered assets for further vulnerability research.
Anubis is a specialized reconnaissance framework that provides robust subdomain enumeration and infrastructure mapping, though it focuses primarily on digital assets rather than person-search capabilities.
Sublist3r is a subdomain enumeration tool and passive reconnaissance framework designed to discover subdomains by querying search engines and public intelligence sources. It functions as a security tool for identifying the digital footprint of a target domain. The project provides both passive enumeration through multi-source API aggregation and active discovery via a DNS brute force tool. It includes a TCP port scanner to identify active services and open ports on discovered subdomains, facilitating attack surface mapping. The tool can be used as a standalone utility or as a Python security library, exposing its core logic as a module for integration into custom automation scripts. Discovered network identifiers can be persisted to text files for external analysis.
Sublist3r is a specialized reconnaissance tool that excels at domain enumeration and passive intelligence gathering, though it lacks the broader person-search and data visualization capabilities of a comprehensive OSINT framework.
theHarvester is a command-line utility designed for gathering open-source intelligence and mapping an organization's external attack surface. It functions as a security information gathering framework that automates the collection of publicly available data to assist in reconnaissance and threat analysis. The tool utilizes a plugin-based architecture to execute isolated queries against various search engines and public databases. It employs asynchronous task execution to run multiple discovery operations in parallel, while a centralized pipeline aggregates and deduplicates findings from these disparate sources into a unified output. The framework supports the identification of public-facing digital assets, including subdomains, IP addresses, and email addresses. It manages connectivity to third-party intelligence providers through a centralized configuration system that handles authentication keys for external data sources. Raw information retrieved from these services is processed using pattern-matching logic to isolate specific entities from unstructured text.
This is a comprehensive OSINT reconnaissance framework that provides automated domain and email enumeration, API integration for third-party data sources, and a command-line interface for gathering intelligence on digital infrastructure.
Findomain is a subdomain discovery tool and DNS resolver used for mapping an organization's external attack surface. It functions as a DNS infrastructure analyzer that searches for registered subdomains associated with a root domain to uncover undocumented infrastructure and services. The project includes an attack surface monitor that tracks changes to subdomains over time, using differential state monitoring to identify newly created or deleted assets. It provides real-time alerting via webhooks when changes in the monitored domain surface are detected. The system performs high-speed DNS resolution using multi-threaded queries and custom DNS server integration. Its capabilities extend to capturing visual evidence of active web services through headless browser screenshotting and consolidating reconnaissance data by importing subdomain lists from external tools.
This tool is a specialized subdomain discovery and DNS reconnaissance utility that automates the mapping of digital infrastructure, fitting the OSINT category despite its narrow focus on domain-based assets rather than person-centric search.
Social-analyzer is an open-source intelligence framework designed for the automated discovery, correlation, and verification of digital identities across online platforms. It functions as a comprehensive engine for gathering social media intelligence, utilizing distributed browser automation to extract metadata and profile information from hundreds of websites simultaneously. The platform distinguishes itself through its ability to perform cross-platform identity correlation using heuristic-based pattern matching and name permutation generation. It processes these findings through a confidence-weighted filtering system, which assigns numerical scores to results to prioritize accuracy and minimize false positives. Users can further analyze these digital footprints through interactive, force-directed graph visualizations that map relationships between disparate data points. The tool provides a broad suite of analytical capabilities, including textual content evaluation, language detection, and digital footprint analysis. It manages complex investigation workflows by orchestrating parallel worker threads and modular search plugins, allowing for the bulk execution of profile discovery tasks. The system supports structured data export and provides integrated validation routines to confirm the authenticity of web domains and discovered accounts.
This is a comprehensive OSINT framework that provides automated identity discovery, cross-platform correlation, and interactive data visualization, directly addressing the requirements for reconnaissance and digital footprint analysis.
Photon is a command-line web crawler designed for security reconnaissance and information gathering. It systematically traverses websites to discover URLs, map domain infrastructure, and identify associated subdomains by retrieving DNS records. The tool distinguishes itself through its ability to perform deep content analysis, including the extraction of sensitive data such as API keys and authentication tokens using user-defined regular expressions. It supports offline inspection by cloning crawled web content to the local filesystem, allowing for structural analysis without additional network activity. The crawler utilizes multi-threaded execution to maximize throughput during discovery and supports proxy-aware routing to manage traffic origin. Its architecture is built for integration into automated security workflows, allowing users to pipe discovered metadata and extracted patterns directly to standard output or export results into structured files for further processing.
Photon is a specialized web crawler and reconnaissance tool that automates domain enumeration and data extraction, making it a highly effective utility for the infrastructure-gathering portion of an OSINT workflow.
Gobuster is a command-line security utility designed for brute-force discovery of hidden infrastructure and content. It operates by systematically testing wordlists against target network services to identify files, directories, subdomains, and cloud storage buckets. The tool utilizes a concurrent worker pool to execute these requests in parallel, ensuring efficient scanning across various network environments. The project distinguishes itself through a modular plugin architecture that supports multiple discovery modes, including HTTP, DNS, and TFTP. This design allows for protocol-agnostic request abstraction, enabling the tool to perform virtual host identification, cloud storage auditing, and custom protocol fuzzing within a unified execution pipeline. Users can further refine these operations by customizing network headers, proxy settings, and security certificates. Beyond basic enumeration, the tool provides robust result management capabilities. It includes response-based filtering logic to discard irrelevant data based on status codes or content patterns, and it supports real-time stream-based processing to save findings directly to local files. These features allow for the systematic mapping of external network footprints and the identification of exposed application endpoints or sensitive configuration data.
This tool is a specialized reconnaissance utility that automates domain and infrastructure enumeration, fitting the core OSINT requirement for mapping digital footprints despite lacking person-search or data visualization features.
Amass is a network attack surface mapper and reconnaissance framework designed to discover and map the external, internet-facing infrastructure of a target organization. It functions as an open source intelligence tool that identifies public network boundaries and locates hidden or forgotten subdomains to define an organization's total reachable footprint. The project utilizes passive-source data aggregation from external APIs and public databases alongside active DNS brute-forcing and recursive subdomain expansion. It employs a graph-based asset mapping system to visualize the relationships between discovered domains and IP addresses, supported by a modular plugin system for integrating third-party discovery services. The framework covers broader capabilities including network reconnaissance, public asset discovery, and the preparation of security audits by mapping all reachable entry points. These processes are managed through a concurrent worker pipeline to accelerate the scanning and resolution of large target sets.
This framework is a specialized tool for network-based OSINT and infrastructure reconnaissance, providing robust domain enumeration and asset mapping capabilities well suited to digital infrastructure analysis.
reconftw is an attack surface management framework and reconnaissance workflow orchestrator designed to automate the discovery, mapping, and monitoring of external digital assets. It operates as a modular tool-chain pipeline that coordinates a sequence of security tools to perform intelligence gathering and vulnerability scanning. The project distinguishes itself through a cloud-native deployment model that parallelizes scanning workloads across a fleet of remote VPS instances to bypass local resource constraints. It utilizes container-based environment isolation to ensure consistent execution across different cloud providers and features a checkpoint system to resume interrupted workflows from the last point of failure. The toolkit covers a broad range of capabilities, including passive and active subdomain enumeration, open-source intelligence gathering, and network infrastructure analysis. It also incorporates automated vulnerability scanning for common web flaws and CVEs, differential asset tracking to identify new targets, and the generation of security reports using artificial intelligence. The environment can be deployed via container orchestration and integrated into CI/CD pipelines for recurring security checks.
This is a comprehensive reconnaissance framework that automates domain enumeration and intelligence gathering by orchestrating various security tools, making it a highly effective utility for OSINT and attack surface mapping.
Rengine is an automated reconnaissance framework and vulnerability management platform designed for attack surface monitoring. It functions as a centralized hub for discovering subdomains and open ports, gathering open-source intelligence, and tracking security flaws across target networks. The system integrates large language models to analyze reconnaissance data and generate vulnerability descriptions and insights. It distinguishes itself through a plugin-based tool integration that wraps external security scanning binaries and a target mapping system that tracks changes to assets over time. The platform provides capabilities for bug bounty program coordination, recurring scan scheduling, and role-based access control for security teams. It also includes tools for natural language data filtering, webhook-based event notifications, and template-driven security report generation.
This is an automated reconnaissance framework that excels at infrastructure-focused OSINT, such as domain enumeration and target mapping, though it is more specialized for security vulnerability management than for broad person-based investigations.
Sn1per is a vulnerability management platform and penetration testing orchestrator designed to automate reconnaissance, vulnerability scanning, and exploit verification. It functions as a dockerized security toolkit that coordinates multiple tools into a unified automated pipeline to identify security flaws across network and web assets. The platform features an attack surface manager for discovering internet-facing assets through OSINT, DNS enumeration, and certificate transparency. It distinguishes itself with an AI-powered security analyzer that uses large language models to summarize scan outputs and triage vulnerabilities, alongside an active exploit validation engine to eliminate false positives. Its broader capabilities cover mobile application auditing for Android and iOS binaries, dark web leak monitoring, and asset risk assessment. The system provides a security analysis dashboard for managing multi-user workspaces, generating structured reports, and configuring security tools via a web interface. The environment is deployed using containers and persistent volumes to ensure a reproducible runtime.
This is a comprehensive penetration testing and reconnaissance orchestrator that automates domain enumeration and asset discovery, making it a powerful utility for the OSINT gathering phase of security assessments.
Subfinder is a security reconnaissance framework designed for subdomain enumeration and attack surface management. It functions as a discovery engine that identifies and maps internet-exposed infrastructure, cloud-hosted assets, and network ranges to maintain a comprehensive inventory of an organization's digital footprint. The project distinguishes itself through a modular, template-driven scanning engine that executes security checks against discovered assets. It leverages cloud-native asset discovery to query provider APIs and infrastructure metadata, while supporting distributed agent orchestration to parallelize discovery workloads across remote nodes. For dynamic web application analysis, the tool incorporates headless browser rendering to execute client-side code and capture visual state. The platform provides a broad capability surface for security operations, including asynchronous interaction monitoring to detect blind vulnerabilities and server-side request forgery. It features a domain-specific language for granular filtering of scan results and supports pipeline-oriented data streaming to integrate findings into external security tools and reporting systems. The software is implemented in Go and provides a command-line interface for executing discovery tasks and managing security workflows.
Subfinder is a specialized reconnaissance tool that excels at subdomain enumeration and infrastructure mapping, providing a robust command-line interface and API-driven discovery that aligns well with the core requirements of an OSINT framework.
MediaCrawler is an automated web scraping framework designed to extract public posts, comments, and creator metadata from various social media platforms. It functions as a headless browser automator, utilizing real browser instances to render dynamic content and execute the client-side scripts necessary for interacting with modern web interfaces. The system distinguishes itself through a focus on session persistence and network flexibility. It supports remote debugging to reuse active browser sessions and cookies, which helps minimize the risk of triggering platform security challenges. To maintain stable data collection at scale, the tool integrates proxy-based request routing, allowing users to distribute traffic across external IP services to bypass rate limits and geographic restrictions. The architecture is built for extensibility and modularity, employing a provider pattern that allows developers to integrate new platforms or custom storage backends through standardized interfaces. Users can manage complex scraping workflows via command-line configuration, enabling the definition of specific targets and storage formats—such as JSON, CSV, or various database systems—without modifying the core logic. The project also includes utilities for data visualization, such as generating word clouds from collected comments. Installation requires setting up the necessary runtime environments, including a JavaScript engine for handling complex client-side rendering and the appropriate browser automation drivers.
This is an automated web scraping framework that provides the core data collection and extraction capabilities required for OSINT reconnaissance, though it focuses specifically on social media platforms rather than broader infrastructure enumeration.