Resources for Security Assessment / Asset Discovery
Asset discovery is the initial phase of any security assessment engagement, offensive or defensive. As information technology has evolved, so have the scope and definition of an asset.
Earlier, servers, workstations, and websites were an organization's primary IT assets, but today that definition is far too limiting: it should include anything and everything on which an organization and its entities keep their data, knowingly or unknowingly. The scope of ownership may differ, but that does not limit the attack surface. For example, if an organization publishes open-source code on GitHub, it does not own GitHub, but it does own the data it puts in its repositories. If an organization secret ends up in that GitHub account, the threat can equal or exceed that of running a vulnerable service.
I want to put out a list of curated resources that help during the asset discovery phase of a security assessment engagement.
- rustbuster: Files, directories, and vhost buster written in Rust.
IP Address Discovery
- Mxtoolbox: Bulk Domain/IP lookup tool
- Domaintoipconverter: Bulk domain to IP converter
- Massdns: A DNS resolver utility for bulk lookups
- Googleapps Dig: Online Dig tool by Google
- DataSploit (IP Address Modules): An OSINT Framework to perform various recon techniques
- Domain Dossier: Investigate domains and IP addresses
- Bgpview: Search ASN, IPv4/IPv6 or resource name
- Hurricane Electric BGP Toolkit: Keyword to ASN lookup
- Viewdns: Multiple domain/IP tools
- Ultratools ipv6Info: Various information about an IPv6 address
- Whois: Command-line utility usually used to find information about the registered users/assignees of an Internet resource.
- ICANN Whois: Whois service by the Internet Corporation for Assigned Names and Numbers (ICANN)
- Nslookup (Linux / Windows): Command-line utility usually used for querying DNS records
- bgp: Hurricane Electric IP Transit, an Internet backbone and colocation provider whose global backbone offers IP transit with low latency, access to thousands of networks, and dual-stack connectivity
Domain / Subdomain Discovery
- SubFinder: A subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
- Amass: A subdomain enumeration utility
- Sublist3r: Subdomains enumeration tool with multiple sources
- Aiodnsbrute: Asynchronous DNS brute force utility
- LDNS: A DNS library useful for DNS tool programming
- Dns-nsec3-enum: Nmap NSE Script for NSEC3 walking
- Nsec3map: A tool for NSEC and NSEC3 walking
- Crt.sh: Domain certificate search
- Ct-exposer: A tool that discovers sub-domains by searching Certificate Transparency logs
- Certgraph: A tool to crawl the graph of certificate Alternate Names
- Appsecco - The art of subdomain enumeration: The supplementary material for the book "The art of sub-domain enumeration"
- SSLScrape: A scanning tool to scrape hostnames from SSL certificates
- Wolframalpha: Computational knowledge engine
- Project Sonar: Forward DNS Data
- Project Sonar: Reverse DNS Data
- GoBuster: Directory/File, DNS and VHost busting tool written in Go
- Bluto: Recon, Subdomain Bruting, Zone Transfers
- Hunter: Email search for a domain
- Skrapp: Browser add-on to find emails on Linkedin
- Email Extractor: Chrome extension to extract emails from web pages
- Convertcsv: Online tool to extract email addresses in text, web pages, data files etc.
- linkedin2username: OSINT Tool: Generate username lists for companies on LinkedIn
- Office365UserEnum: Enumerate valid usernames from Office 365 using ActiveSync.
Network / Port Scanning
- Zmap: A fast network scanner designed for Internet-wide network surveys
- Masscan: An asynchronous TCP port scanner
- ZMapv6: A modified version of Zmap with IPv6 support.
- Nmap: A free and open source utility for network discovery. The most popular port scanner.
Business Communication Infrastructure Discovery
- Mxtoolbox: Online tool to check mail exchanger (MX) records
- MicroBurst: PowerShell based Azure security assessment scripts
- Lyncsmash: Tools to enumerate and attack self-hosted Lync/Skype for Business
- Enumeration-as-a-Service: Script for SaaS offering enumeration through DNS queries
- ruler: A tool to abuse Exchange services
Source Code Aggregators / Search - Information Discovery
- Github: Github Advanced Search
- Bitbucket: Bitbucket Search using Google
- Gitrob: Reconnaissance tool for GitHub organizations
- Gitlab: Search Gitlab projects
- Publicwww: Source Code Search Engine
- builtwith: Web technology information profiler tool. Find out what a website is built with.
Cloud Infrastructure Discovery
- CloudScraper: A tool to spider websites for cloud resources (S3 Buckets, Azure Blobs, DigitalOcean Storage Space)
- InSp3ctor: AWS S3 Bucket/Object finder
- Buckets Grayhatwarfare: Search for Open Amazon s3 Buckets and their contents
- Spaces-finder: A tool to hunt for publicly accessible DigitalOcean Spaces
- GCPBucketBrute: A Google Storage buckets enumeration script
- CloudStorageFinder: Tools to find public data in cloud storage systems
Company Information and Associations
- Crunchbase: Information about companies (funding, acquisition, merger, etc.) and the people behind them
- Companieshouse: United Kingdom's registrar of companies
- OverSeas Registries: List of company registries located around the world
- Opencorporates: Open database of companies in the world
Internet Survey Data
- Project Resonance: RedHunt Labs’s Internet-wide surveys to study and understand the security state of the Internet.
- Project Sonar: Rapid7’s internet-wide surveys data across different services and protocols
- Scans.io: Internet-Wide Scan Data Repository, hosted by the ZMap Team
- Portradar: Free and open port scan data by packet.tel
Social Media / Employee Profiling
- LinkedInt: A LinkedIn scraper for reconnaissance
- Glassdoor: Company review and rating search
- SocialBlade: Track user statistics for different platforms including YouTube and Twitter
- Social-Searcher: Social Media Search Engine
- Checkuser: Social existence checker
- Dumpmon: A Twitter bot which monitors multiple paste sites for password dumps and other sensitive information
- Pastebin_scraper: Automated tool to monitor Pastebin for interesting information
- Scavenger: Paste sites crawler (bot) looking for leaked credentials
- Pwnbin: Python-based Pastebin crawler for keywords.
- PwnedOrNot: Tool to find passwords for compromised accounts
Internet Scan / Archived Information