30 open-source projects similar to fortynorthsecurity/eyewitness, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best EyeWitness alternative.
EyeWitness is a web reconnaissance framework used to identify infrastructure and software versions across multiple websites through automated headless browser scans. It functions as an HTTP website screenshotter and a security reporting tool that captures visual snapshots and server headers from a list of web targets. The system distinguishes itself by combining visual documentation with security analysis. It generates searchable HTML reports that categorize website screenshots and metadata by content system or device type, while simultaneously performing server header analysis to determine u
Gowitness is a system for rendering web interfaces at scale to capture visual snapshots, HTTP metadata, and network scan results. It functions as a headless browser screenshot tool and a web surface mapper used to identify and visually document the attack surface of network ranges and URL lists. The tool includes a screenshot gallery server that provides a web-based interface for browsing, filtering, and managing a database of captures. It specifically serves as an Nmap target visualizer, parsing network scan results to automatically capture screenshots of discovered web services. Capabiliti
Aquatone is a web screenshot reconnaissance tool that captures full-page screenshots of web services discovered during network reconnaissance and groups them by visual similarity. It scans a list of hosts or domains for HTTP and HTTPS services on common and custom ports to find responsive web endpoints, then takes full-page screenshots of those pages for quick review. The tool accepts piped input from other tools and extracts URLs, domains, and IP addresses using regex pattern matching, making it pipeline-friendly for integration into existing workflows. It can also read XML output from Nmap
Maskphish is a comprehensive security toolkit that integrates capabilities for digital forensics, network vulnerability scanning, open-source intelligence, penetration testing, and social engineering. It functions as a multi-purpose framework for automating reconnaissance and executing security audits across diverse network environments. The project features a specialized phishing and social engineering toolkit used for cloning websites, masking URLs, and deploying deceptive pages to capture user credentials. It also includes a remote access Trojan builder for generating platform-specific exe
Amass is a network attack surface mapper and reconnaissance framework designed to discover and map the external, internet-facing infrastructure of a target organization. It functions as an open source intelligence tool that identifies public network boundaries and locates hidden or forgotten subdomains to define an organization's total reachable footprint. The project utilizes passive-source data aggregation from external APIs and public databases alongside active DNS brute-forcing and recursive subdomain expansion. It employs a graph-based asset mapping system to visualize the relationships
This project is an open-source intelligence reconnaissance framework and recursive attack surface mapper. It functions as a containerized security scanner designed to map public-facing infrastructure, perform subdomain enumeration, and automate the gathering of open-source intelligence. The system employs a recursive discovery engine to iteratively explore target infrastructure, utilizing a plugin-based module architecture to extend scanning capabilities. It integrates third-party APIs for data enrichment and applies YARA rules across discovered assets to identify specific vulnerability patte
recon-ng is an open source intelligence reconnaissance framework designed to automate the collection and aggregation of public information. It is a modular intelligence tool that utilizes a system of pluggable modules to harvest target data, resolve DNS queries, and parse web content. The framework is built as an API-driven tool with a programmatic interface to integrate with other security workflows. It is provided as a containerized application, using Docker to ensure a consistent environment for running reconnaissance tasks and managing a persistent data store. Its capabilities cover exte
Findomain is a subdomain discovery tool and DNS resolver used for mapping an organization's external attack surface. It functions as a DNS infrastructure analyzer that searches for registered subdomains associated with a root domain to uncover undocumented infrastructure and services. The project includes an attack surface monitor that tracks changes to subdomains over time, using differential state monitoring to identify newly created or deleted assets. It provides real-time alerting via webhooks when changes in the monitored domain surface are detected. The system performs high-speed DNS r
Subfinder is a security reconnaissance framework designed for subdomain enumeration and attack surface management. It functions as a discovery engine that identifies and maps internet-exposed infrastructure, cloud-hosted assets, and network ranges to maintain a comprehensive inventory of an organization's digital footprint. The project distinguishes itself through a modular, template-driven scanning engine that executes security checks against discovered assets. It leverages cloud-native asset discovery to query provider APIs and infrastructure metadata, while supporting distributed agent orc
Sn1per is a vulnerability management platform and penetration testing orchestrator designed to automate reconnaissance, vulnerability scanning, and exploit verification. It functions as a dockerized security toolkit that coordinates multiple tools into a unified automated pipeline to identify security flaws across network and web assets. The platform features an attack surface manager for discovering internet-facing assets through OSINT, DNS enumeration, and certificate transparency. It distinguishes itself with an AI-powered security analyzer that uses large language models to summarize scan
reconftw is an attack surface management framework and reconnaissance workflow orchestrator designed to automate the discovery, mapping, and monitoring of external digital assets. It operates as a modular tool-chain pipeline that coordinates a sequence of security tools to perform intelligence gathering and vulnerability scanning. The project distinguishes itself through a cloud-native deployment model that parallelizes scanning workloads across a fleet of remote VPS instances to bypass local resource constraints. It utilizes container-based environment isolation to ensure consistent executio
Naabu is a port scanner library and tool that probes hosts for open ports using SYN, CONNECT, and UDP methods to identify active services. It functions as a Go library for embedding port scanning into programs, and as a standalone tool that accepts targets as hostnames, IP addresses, CIDR ranges, or ASN numbers. The tool discovers live hosts before scanning, filters ports by range or top lists, and can integrate with Nmap for service version detection. The project distinguishes itself through its SYN-based port probing approach that sends TCP SYN packets and analyzes responses without complet
Allure is a test reporting framework that normalizes execution data from multiple test frameworks across different programming languages into a common intermediate format. It aggregates results from multiple sources into a shared directory of JSON files and generates self-contained HTML reports through a modular plugin pipeline. The architecture includes a hierarchical step tree model to represent test execution, metadata annotation injection to enrich results at runtime, and directory-watch incremental rendering that regenerates reports in real time as new data arrives. Unlike generic report
Web inventory tool that takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
This project is a bug bounty target dataset and security asset list. It serves as a structured repository of reachable network assets, domains, and applications eligible for security testing across multiple vulnerability disclosure programs. The dataset is designed to support bug bounty reconnaissance, attack surface mapping, and security target analysis. It provides organized scopes and target lists to help identify valid assets for security testing and vulnerability research workflows. The repository utilizes automated scraping pipelines and platform API integration to synchronize data. It
Knock is an attack surface management tool and DNS reconnaissance framework used for discovering and mapping an organization's external infrastructure. It functions as a subdomain enumeration tool and HTTP security scanner to identify reachable hosts and organizational assets. The project distinguishes itself by using a passive-active hybrid enumeration strategy, combining external API lookups with active wordlist brute-force attacks and DNS zone transfers. It includes a multi-stage validation pipeline that detects DNS wildcard records and verifies host connectivity to filter out false positi
Nettacker is an automated penetration testing framework designed to orchestrate reconnaissance, port scanning, and vulnerability detection. It functions as a network reconnaissance tool and vulnerability scanner that identifies open ports, fingerprints services, and checks systems against databases of known security flaws. The framework distinguishes itself by combining a web application crawler for discovering hidden paths via fuzzing with a vulnerability management system that persists scan results in a database to track historical assessments. It also includes specialized capabilities for
Prowler is a multi-cloud security posture management platform and vulnerability scanner. It provides tools for automating security audits, evaluating cloud infrastructure against regulatory compliance frameworks, and managing security assessments through a dedicated analysis dashboard. The project distinguishes itself by providing an AI-driven security context server that feeds structured data to AI assistants for automated risk analysis. It also employs graph-based attack path mapping to visualize potential lateral movement and exploitation routes across cloud inventories. The platform cove
Th3inspector is a command-line open-source intelligence reconnaissance tool used for gathering public information on websites, phone numbers, and network records. It functions as a central interface for collecting technical metadata and performing various lookups to build profiles of target entities. The project provides specialized verification utilities for validating email addresses, phone numbers, and credit card bank identification numbers. It also includes tools for retrieving domain registration age, ownership records, and identified subdomains from global databases. Additional capabi
X-ray is a headless browser web scraper and HTML content crawler designed to extract structured data from websites. It functions as a stream-based data scraper and structured data extractor, using selectors to retrieve text and attributes from HTML as nested objects or arrays. The project includes a request rate controller to manage network traffic through concurrency limits, throttles, and timeouts. It handles dynamic website scraping by rendering JavaScript via a headless browser and performs automated website crawling using breadth-first link following and pagination management. The syste
Learn-Web-Hacking is a structured web security study guide and penetration testing knowledge base. It provides a collection of research notes focused on identifying and exploiting vulnerabilities in web applications and network protocols. The project includes specialized frameworks for evaluating security risks in large language models to prevent prompt injection, as well as guides for hardening cloud-native infrastructure, including container standards and orchestration tools. It also covers the analysis of identity standards and authentication protocols. The material spans a broad range of
Drozer is a security testing framework for Android applications that operates through an agent-based remote execution model. It combines a client-server command routing system with a device-side agent, enabling security assessments by mapping inter-process communication (IPC) attack surfaces and running dynamic exploit modules directly on Android devices. The framework distinguishes itself through its ability to discover and enumerate exported Android components by analyzing manifest data and crafting Intents to probe for vulnerabilities. It supports content provider query injection to detect
pydoll is a Chrome DevTools Protocol automation library and headless browser controller used for web data extraction and parallel browser automation. It controls Chromium-based browsers via direct WebSocket connections, allowing it to manage isolated browser contexts and tabs while bypassing the overhead and detection associated with WebDriver. The project features an anti-bot evasion framework that mimics natural human behavior, including mouse movements generated via Bezier curves and variable typing patterns. It provides specialized stealth capabilities to bypass behavioral analysis and au
jsdom is a Node.js DOM implementation that functions as a headless browser emulator and virtual browser environment. It provides a pure JavaScript implementation of web standards, acting as a web standards polyfill that simulates the window and document objects within a non-browser runtime. The project implements W3C and WHATWG specifications to provide a programmatic environment for parsing HTML and manipulating content. It serves as an HTML parser and serializer, allowing for the transformation of HTML strings into document structures and the export of those structures back into text. The
Gau is a command-line tool and passive URL enumerator designed to discover and aggregate known and historical web addresses for specific target domains. It functions as a collection framework that retrieves domain-specific data from public web archives and threat intelligence providers. The tool focuses on passive reconnaissance and open-source intelligence research to map attack surfaces without sending requests directly to target infrastructure. It aggregates data from multiple external sources to identify accessible web endpoints and forgotten pages. The system includes capabilities for r
PhantomJS is a scriptable, headless browser engine based on WebKit that provides a programmatic interface for automating web page interactions. It operates without a graphical user interface, allowing for the execution of JavaScript to navigate pages, manipulate the document object model, and perform functional testing of web applications. The tool distinguishes itself by providing low-level control over the browser rendering lifecycle and network stack. It enables real-time interception and modification of network traffic, alongside the ability to generate visual snapshots and document expor
Sublist3r is a subdomain enumeration tool and passive reconnaissance framework designed to discover subdomains by querying search engines and public intelligence sources. It functions as a security tool for identifying the digital footprint of a target domain. The project provides both passive enumeration through multi-source API aggregation and active discovery via a DNS brute force tool. It includes a TCP port scanner to identify active services and open ports on discovered subdomains, facilitating attack surface mapping. The tool can be used as a standalone utility or as a Python security
Knockpy is a DNS subdomain scanner and passive reconnaissance tool designed to discover subdomains and gather network intelligence. It functions as a DNS enumeration framework that combines active discovery methods with the ability to query external security services for passive domain data. The tool identifies targets through a combination of wordlist-based brute forcing, DNS zone transfers, and the aggregation of data from external security APIs. To ensure accuracy, it includes wildcard DNS detection to filter out false positives during the enumeration process. Beyond discovery, the system
Xray is a security assessment tool focused on web vulnerability scanning, attack surface mapping, and technology fingerprinting. It identifies common security flaws through automated scanning and semantic analysis, while verifying findings via a custom proof-of-concept execution engine. The system distinguishes itself with a containerized vulnerability testbed used to deploy pre-configured vulnerable applications. This environment allows for the simulation of specific vulnerabilities and edge-case scenarios to validate scanner accuracy and eliminate false positives. The platform covers a bro
Subfinder is a passive subdomain enumeration tool and DNS discovery utility designed to identify valid subdomains and hostnames associated with a specific organization or domain. It functions as a passive reconnaissance tool, gathering information about target domains by querying online databases without sending network traffic to the target infrastructure. The tool utilizes a pluggable provider architecture to separate discovery logic into independent modules, allowing for the integration of multiple passive-source APIs. It employs a concurrent-worker request model to execute network request