Best OSINT Tools for Attack Surface Mapping

BuiltWith

Website technology profiling platform

Censys

Internet asset and certificate search engine

DomainTools

Enterprise domain and DNS intelligence

FOFA

Internet asset search and mapping engine

GreyNoise

Internet scanner reputation intelligence

Masscan

Very fast internet-scale port scanner

Nmap

Network mapping and port scanning tool

OWASP Amass

Attack-surface mapping and DNS enumeration

Recon-ng

Modular web reconnaissance framework

SecurityTrails

DNS history and domain intelligence platform

Shodan

Search exposed internet-connected services

SpiderFoot

Automated OSINT reconnaissance framework

Wappalyzer

Detect technologies used by websites

Wireshark

Network protocol analyzer

ZoomEye

Cyberspace search engine for exposed assets

theHarvester

Collect emails and subdomains from public sources

urlscan.io

Scan and analyze URLs safely

AADInternals

Recon Azure AD / M365 tenant info from a domain

AFRINIC Whois

AFRINIC regional WHOIS service

ALterX

Subdomain permutation generator by ProjectDiscovery

APKLeaks

Scan an Android APK for hardcoded URLs, endpoints and secrets

APNIC Whois

APNIC regional WHOIS service

ARIN Whois-RWS

ARIN regional WHOIS API

ASNLookup

Free ASN to prefix lookup

ASNmap

ASN to CIDR resolver by ProjectDiscovery

ASlookup

Look up ASN, owner and announced prefixes for an IP

Advangle

Visual advanced-search query builder for Google and Bing

Altdns

a subdomain permutation tool that generates altered hostnames for DNS brute f

Analyze ID

Link sites sharing Analytics, AdSense, or tracking IDs

Aquatone

HTTP host screenshotting and clustering

Arjun

an HTTP parameter discovery tool for finding hidden inputs accepted by web ap

Assetfinder

a command-line tool for finding domains and subdomains related to a target or

AttackSurfaceMapper

Recon CLI chaining LinkedIn, Shodan, screenshots

BBOT

Recursive multi-source recon scanner

BGP.tools

Real-time BGP routing visibility platform

BGPView

Free BGP routing data REST API

BeVigil

Mobile-app security search engine surfacing APK secrets, keys and subdomains

BeVigil OSINT CLI

Query BeVigil API for hosts, subdomains and S3 buckets from apps and domains

BinaryEdge

Paid internet-scan and asset discovery API

BitSight

External cyber-risk rating by BitSight

Blacklist Checker

Check IPs and domains against 100+ DNS blacklists

BucketLoot

Scan open cloud buckets for exposed files and secrets

Burp Suite

a commercial web security testing platform for proxying, scanning, and analyz

CIRCL Passive DNS

CIRCL passive DNS service for researchers

CMSeeK

a CMS detection and exploitation-aid tool for identifying website platforms a

CVE Details

a searchable vulnerability database for CVEs, vendors, products, versions, an

Can I Take Over XYZ

a community-maintained reference for identifying services vulnerable to subdo

Carbon Dating the Web

Estimates the creation date of a web page from a URL

CeWL

Spiders a website to build a custom wordlist from its page text

Censys Search Pro

Censys attack-surface management platform

CentralOps

Web toolkit for WHOIS, DNS, and IP network lookups

CertKit CT Log Search

Search Certificate Transparency logs by domain for subdomains

Certspotter

Certificate Transparency monitoring service

Chaos

Curated bug-bounty subdomain dataset

Checkov

Scan infrastructure-as-code for misconfigurations

Cloud Custodian

Query cloud accounts for policy-violating resources

CloudFail

Find the origin IP of a Cloudflare-protected domain

Cloudlist

Cloud-provider asset enumerator

Columbus Project

Fast subdomain enumeration from CT logs and DNS, API-first

CompleteDNS

Historical nameserver records and reverse-NS lookup