Offensive-OSINT-Tools

This repository consists of tools/links that a expert can use during Pentest/RedTeam. At the moment there are a huge number of awesome lists that contain a ton of tools, but the Offensive specialist most often doesn't need them, which is what motivated the creation of this list. These tools cover almost all the needs of the Offensive specialist and will help you get the job done well.

If the tool performs multiple functions, for example collecting subdomains and URLs, it will be listed in two places.

📖 Table of Contents

• Search Engines
• Emails collector
• References in the code
• SubDomain collector
• URL
• Tor
• Intelligence
• Network Info
• DnsHistory
• FTP servers
• Passive Infrastructure scanner
• Microsoft Excange
• Telegram
• Google Dorks
• Nickname search
• Cloud
• Information gathering tools
• Usefull links

↑ Contributing

Welcome! If you find that any of your favourite offensive tools is not on the list, you can suggest adding it.

---

↑ Search Engines

Search Engines for Investigation Domains/IP Addresses.

• Censys
• Shodan
• Greynoise.io
• ZoomEye
• Onyphe
• Fofa
• Binaryedge
• FullHunt
• Netlas
• Quake360
• Criminalip
• Synapsint
• Natlas
• Leakix

↑ Emails collector

Tools that help you collect email addresses. Usually the search requires the domain of the company.

• Hunter.io
• Snov.io
• Phonebook
• Poastal - Tool that provides valuable information on any email address
• Email-format - Analyses the company's mail format.
• h8mail - Email OSINT & Password breach hunting tool
• EmailFinder - Search emails from a domain through search engines
• theHarvester
• Anymailfinder - Find Verified Emails
• Omail
• Skymem
• Signalhire
• Rocketreach
• Infoga

↑ References in the code

Tools for finding mentions in code. Useful to search for company/company mentions to find passwords/secrets/confidential information.

• Searchcode
• Publicwww
• Grep.app

↑ SubDomain collector

Tools for automatic search of subdomains. Most of them require API keys to work correctly.

Tools

• Bbot
• Sudomy
• Amass
• theHarvester
• Spiderfoot
• SubGPT - SubGPT looks at subdomains you have already discovered for a domain and uses BingGPT to find more.
• alterx - Fast and customizable subdomain wordlist generator using DSL.

Only sites/tools whose search is not automated by the tools above are listed here.

• TI.defender.microsoft
• Securitytrails
• Shrewdeye
• Phonebook
• Nmmapper

↑ URL

Tools for passive collection and analysis URLs

• Gau
• Waymore
• Spiderfoot
• theHarvester
• Uscrapper - Tool that allows users to extract various personal information from a website.

↑ Tor

An undiscovered area, the author is too dumb for that. Will gradually expand.

• Ahmia

↑ Intelligence

Threat Intelligence tools containing extensive company information, subdomains, DNS information, URLs and much more.

• TI.defender.microsoft
• Securitytrails
• Pulsedive
• ThreatBook
• Alienvault

↑ Network Info

IP/Domain network analysis tools.

• Bgp.he
• Asnlookup
• Bgp.tools
• Myip
• IpInfo | Cmd version
• Whoisxmlapi

↑ DnsHistory

Tools for viewing the DNS history of a domain.

• Dnshistory
• Viewdns
• TI.defender.microsoft
• Securitytrails

↑ FTP servers

Tools allowing you to search for and download files located on public FTP servers.

• Searchftps

↑ Passive Infrastructure scanner

Tools for automated passive IP address/subnet scanning.

• Smap
• Nmap-censys

↑ Microsoft Excange

Tools to help with passive/semi-passive analysis of Microsoft Excgange.

• ExchangeFinder | #SemiOSINT

↑ Telegram

Tools for investigating Telegram chats.

• Telepathy

↑ Google Dorks

Tools for Google Dorks.

• Pagodo
• Google hacking database
• Recruitin - Compiles Google dorks to search on LinkedIn, Dribbble, GitHub, Xing, StackOverflow, Twitter
• Search - Custom queries in Google

↑ Nickname search

Nickname search tools.

• maigret
• Sherlock
• Social analyzer
• nexfil
• whatsmyname
• snoop
• userrecon
• NicknameFinder
• gideon
• Arina-OSINT
• netizenship
• Search4
• socialscan
• Sherlock
• recon-ng
• SocialPath

↑ Cloud

Tools for searching, gathering information from cloud.

• Cloud_sherlock

↑ Information gathering tools

• Gasmask

↑ Usefull links

Links to guide, methodologies and any information that would be useful

• WhereToGo - list of popular services that might be used in organizations. By having an account of the user - you can try to find entry points to the organization data. #semiosint
• Cloud OSINT - Repository with informtion related to Cloud Osint

Todo

• Add mobile number analysis tools (put into a category)
• Make a mindmap

Warning

Some of the sites included might require registration or offer more data for $$$, but you should be able to get at least a portion of the available information for no cost.

---

Inspired by https://github.com/jivoi/awesome-osint