Penetration Testing Tools & API Keys
SYSTEM_AUDIO_STREAM
Status: FULL_STREAM_ENABLED | No Login Required
General
- Cheatsheets - Penetration Testing/Security Cheatsheets
- awesome-pentest - penetration testing resources
- Red-Team-Infrastructure-Wiki - Red Team infrastructure hardening resources
- Infosec_Reference - Information Security Reference
- Awesome-Red-Teaming - List of Awesome Red Teaming Resources
- awesome-windows-security - List of Awesome Windows Security Resources
Web Services
- JettyBleed - Jetty HttpParser Error Remote Memory Disclosure
- clusterd - Jboss/Coldfusion/WebLogic/Railo/Tomcat/Axis2/Glassfish
- xsser - From XSS to RCE wordpress/joomla
- Java-Deserialization-Exploit - weaponizes ysoserial code to gain a remote shell
- CMSmap - CMS scanner
- wordpress-exploit-framework - penetration testing of WordPress
- joomlol - Joomla User-Agent/X-Forwarded-For RCE
- joomlavs - Joomla vulnerability scanner
- mongoaudit - MongoDB auditing and pentesting tool
- davscan - Fingerprints servers, finds exploits, scans WebDAV
Web Applications
- HandyHeaderHacker - Examine HTTP response headers for common security issues
- OpenDoor - OWASP Directory Access scanner
- ASH-Keylogger - simple keylogger application for XSS attack
- tbhm - The Bug Hunters Methodology
- commix - command injection
- NoSQLMap - Mongo database and NoSQL
- xsshunter - Second order XSS
- LinkFinder - python script that finds endpoints in JavaScript files
Local privilege escalation
- yodo - become root via limited sudo permissions
- Pa-th-zuzu - Checks for PATH substitution vulnerabilities
- sudo-snooper - acts like the original sudo binary to fool users
- UACMe - Windows AutoElevate backdoor
- Invoke-LoginPrompt - Invokes a Windows Security Login Prompt
- Exploits-Pack - Exploits for getting local root on Linux
- windows-privesc-check - Standalone Executable
- unix-privesc-check - simple privilege escalation vectors
- LinEnum - local Linux Enumeration & Privilege Escalation Checks
- cowcron - Cronbased Dirty Cow Exploit
- WindowsExploits - Precompiled Windows exploits
- Privilege-Escalation - common local exploits and enumeration scripts
- Unix-Privilege-Escalation-Exploits-Pack -
- Sherlock - PowerShell script to quickly find missing software patches
- GTFOBins - list of Unix binaries that can be exploited to bypass system security restrictions
- juicy-potato - local privilege escalation from service account
Phishing
- eyephish - find similar looking domain names
- phishery - Basic Auth Credential Harvester with a Word Document Template URL Injector
- WordSteal - steal NTLM hashes
- ReelPhish - Real-Time Two-Factor Phishing Tool
- CredSniper - phishing framework (2FA)
- evilginx2 - for phishing login credentials along with session cookies
Open Source Intelligence
- truffleHog - Searches through git repositories for high entropy strings
- Altdns - Subdomain discovery
- github-dorks - reveal sensitive personal and/or organizational information
- gitrob - find sensitive information
- Bluto - DNS Recon , Email Enumeration
- SimplyEmail - Email recon
- Sublist3r - Fast subdomains enumeration tool for penetration testers
- snitch - information gathering via dorks
- RTA - scan all company's online facing assets
- InSpy - LinkedIn enumeration tool
- LinkedInt - LinkedIn scraper for reconnaissance
- amass - In-Depth DNS Enumeration and Network Mapping
- DVCS-Pillage - Pillage web accessible GIT, HG and BZR repositories
- UhOh365 - Script that can see if an email address is valid in Office365
- o365spray - Username enumeration and password spraying tool
- raven - Linkedin information gathering tool
- patator - multi-purpose brute-forcer
Post-exploitation
- Windows-Exploit-Suggester - patch levels against vulnerability database
- lazykatz - extract credentials from remote targets protected with AV
- Invoke-Vnc - Powershell VNC injector
- spraywmi - mass spraying Unicorn PowerShell injection
- redsnarf - for retrieving hashes and credentials from Windows workstations
- HostRecon - situational awareness
- mimipenguin - login password from the current linux user
- rpivot - socks4 reverse proxy for penetration testing
- metasploit-execute-assembly - Metasploit post module to executing a .NET Assembly
- NetRipper - Smart traffic sniffing
- memscan - Searches for strings, regex, credit card numbers
- pypykatz - Mimikatz implementation in pure Python
- Invoke-TheHash - PowerShell Pass The Hash Utils
Looting
- cookie_stealer - steal cookies from firefox cookies database
- Wifi-Dumper - dump the wifi profiles and cleartext passwords of the connected access points
- WebLogicPasswordDecryptor - decrypt WebLogic passwords
- jenkins-decrypt - Credentials dumper for Jenkins
- mimikittenz - ReadProcessMemory() in order to extract plain-text passwords
- LaZagne - Credentials recovery project
- SessionGopher - extract WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop
- BrowserGather - Fileless web browser information extraction
- windows_sshagent_extract - extract private keys from Windows 10 ssh-agent service
- MailSniper - searching through email in a Microsoft Exchange
- Invoke-CredentialPhisher - powershell script to send toast notifications
- Multipass - Password manager credential recovery tool
- KeyTabExtract - Extracts Key Values from .keytab files
- sus_ssh - Phishing SSH Key Passphrases
Network Hunting
- Sticky-Keys-Slayer - Scans for accessibility tools backdoors via RDP
- DomainPasswordSpray - password spray attack against users of a domain
- BloodHound - reveal relationships within an Active Directory
- CredNinja - identify if credentials are valid
- EyeWitness - take screenshots of websites
- gowitness - a golang, web screenshot utility
- PowerUpSQL - PowerShell Toolkit for Attacking SQL Server
- sparta - scanning and enumeration
- Sn1per - Automated Pentest Recon Scanner
- PCredz - This tool extracts creds from a pcap file or from a live interface
- ridrelay - Enumerate usernames on a domain where you have no creds
- goddi - dumps Active Directory domain information
- SprayingToolkit - Scripts to make password spraying attacks
- exchange_hunter2 - Hunting for Microsoft Exchange the LDAP Way
- adidnsdump - Active Directory Integrated DNS dumping
- PrivExchange - Exchange your privileges for Domain Admin
- ldapdomaindump - Active Directory information dumper via LDAP
- impacket_static_binaries - Standalone binaries
- Exchange2domain - All in One tools of privexchange
Wireless
- air-hammer - WPA Enterprise horizontal brute-force
- mana - toolkit for wifi rogue AP attacks
- crEAP - Harvesting Users on Enterprise Wireless Networks
- wifiphisher - phishing attacks against Wi-Fi clients
- WiFiSuite - consolidating the most common tools
Man in the Middle
- mitmproxy - An interactive TLS-capable intercepting HTTP proxy
- bettercap - bettercap
- MITMf - Framework for Man-In-The-Middle attacks
- Gifts/Responder - Responder for old python
- mitm6 - pwning IPv4 via IPv6
- shelljack - man-in-the-middle pseudoterminal injection
- SMBetray - SMB MiTM tool
Physical
- Brutal - Payload for teensy
- poisontap - Exploits locked/password protected computers over USB
- OverThruster - HID attack payload generator for Arduinos
- Paensy - An attacker-oriented library for the Teensy 3.1 microcontroller
- Kautilya - Payloads for a Human Interface Device
Payloads
- JavaReverseTCPShell - Spawns a reverse TCP shell in Java
- splunk_shells - Splunk with reverse and bind shells
- pyshell - shellify Your HTTP Command Injection
- RobotsDisallowed - harvest of the Disallowed directories
- SecLists - collection of multiple types of lists
- Probable-Wordlists - Wordlists sorted by probability
- ARCANUS - payload generator/handler.
- weevely3 - Weaponized web shell
- fuzzdb - Dictionary of attack patterns
- payloads - web attack payloads
- Brosec - An interactive reference tool for payloads
- Demiguise - HTA encryption tool
- PayloadsAllTheThings - A list of useful payloads
- statistically-likely-usernames - statistically likely username lists
- ysoserial.net - Deserialization payload generator for .NET
Droppers
- HERCULES - payload generator that can bypass antivirus
- MacroShop - delivering payloads via Office Macros
- ClickOnceGenerator - Quick Malicious ClickOnceGenerator
- luckystrike - A PowerShell based utility for the creation of malicious Office macro documents
- Insanity-Framework - Generate Payloads
- Winpayloads - Undetectable Windows Payload Generation
- Enigma - Multiplatform payload dropper
- Gscript - framework to rapidly implement custom droppers
- mcreator - Encoded Reverse Shell Generator
- Phantom-Evasion - Python AV evasion tool
- hershell - Multiplatform reverse shell generator
- wep - Weaponize Macro payloads
- EvilClippy - creating malicious MS Office documents
- macro_pack - MS Office documents or VBS
- AVIator - backdoor generator utility
- MaliciousMacroGenerator - Malicious Macro Generator
- donut - shellcode that loads .NET Assemblies, PE files
Apple
- MMeTokenDecrypt - Decrypts and extracts iCloud and MMe authorization tokens
- OSXChromeDecrypt - Decrypt Google Chrome and Chromium Passwords on Mac OS X
- EggShell - iOS and OS X Surveillance Tool
- bonjour-browser - command line tool to browse for Bonjour
- logKext - open source keylogger for Mac OS X
- OSXAuditor - OS X computer forensics tool
- davegrohl - Password Cracker for OS X
- chainbreaker - Mac OS X Keychain Forensic Tool
- FiveOnceInYourLife - Local osx dialog box phishing
- ARD-Inspector - decrypt the Apple Remote Desktop database
- keychaindump - reading OS X keychain passwords
- Bella - python, post-exploitation, data mining tool
- EvilOSX - pure python, post-exploitation, RAT
- Apfell - A macOS, post-exploit, red teaming framework
Captive Portals
- cpscam - Bypass captive portals by impersonating inactive users
Passwords
- pipal - password analyser
- wordsmith - assist with creating tailored wordlists
- Invoke-PWAudit - discover similarly named accounts with shared passwords in AD
Obfuscation
- ObfuscatedEmpire - fork of Empire with Invoke-Obfuscation integrated directly in
- obfuscate_launcher - Simple script for obfuscating payload launchers
- Invoke-CradleCrafter - Download Cradle Generator & Obfuscator
- Invoke-Obfuscation - PowerShell Obfuscator
- nps_payload - payloads for basic intrusion detection avoidance
C# Tooling
- SharpWeb - .NET 2.0 CLR project to retrieve saved browser credentials
- reconerator - C# Targeted Attack Reconnissance Tools
- SafetyKatz - create a minidump of LSASS
- SharpShooter - framework for the retrieval and execution of arbitrary CSharp source code
- SharpCradle - download and execute .NET binaries into memory
- Sharp-WMIExec - C# conversion of Invoke-WMIExec
- Sharp-SMBExec - C# conversion of Invoke-SMBExec
- SharpCloud - Collecting AWS, Microsoft Azure, and Google Compute creds
- SharpView - C# implementation of PowerView
- SharpHound - The BloodHound C# Ingestor
- SharpGen - C# compiler to cross-compile .NET console applications or libraries.
- InveighZero - C# LLMNR/NBNS spoofer
- SharpSploitConsole - Console Application designed to interact with SharpSploit
- SharpSniper - Find specific users in active directory via username and IP address
- SharPersist - Windows persistence toolkit
- RedTeamCSharpScripts - C# Script used for Red Team
- SharPyShell - tiny and obfuscated ASP.NET webshell for C#
Not Powershell
- PowerShdll - Run PowerShell with rundll32
- PowerLine- Powershell Scripts in a binary
- PowerOPS - C# that runs PowerShell commands and functions
- nps - Not PowerShell
- PowerHub - post exploitation tool
RATs
- SILENTTRINITY - post-exploitation agent powered by Python, IronPython, C# and .NET's DLR
- DoHC2 - command and control (C2) via DNS over HTTPS (DoH)
- RemoteRecon - Remote Recon and Collection
- Mertin - cross-platform post-exploitation HTTP/2 Command & Control
- dnscat2-powershell - encrypted DNS command and control tool
- Koadic - JScript RAT
- Pupy - cross-platform RAT written in python
- sliver - Implant framework
- Covenant - Covenant is a collaborative .NET C2
Cloud
- pacu - The AWS exploitation framework
- weirdAAL - AWS Attack Library
- ScoutSuite - Multi-Cloud Security Auditing Tool
- AWS-IAM-Privilege-Escalation - AWS IAM privilege escalation methods
- nimbostratus - fingerprinting and exploiting Amazon cloud infrastructures
API Keys You Need
Many tools will require API keys Get them..
| Name | Description | Type |
|---|---|---|
| AbstractAPI | Look up domain, phone and IP address information from AbstractAPI. | Tiered API |
| abuse.ch | Check if a host/domain, IP address or netblock is malicious according to Abuse.ch. | Free API |
| AbuseIPDB | Check if an IP address is malicious according to AbuseIPDB.com blacklist. | Tiered API |
| Abusix Mail Intelligence | Check if a netblock or IP address is in the Abusix Mail Intelligence blacklist. | Tiered API |
| Account Finder | Look for possible associated accounts on nearly 200 websites like Ebay, Slashdot, reddit, etc. | |
| AdBlock Check | Check if linked pages would be blocked by AdBlock Plus. | Tiered API |
| AdGuard DNS | Check if a host would be blocked by AdGuard DNS. | Free API |
| Ahmia | Search Tor 'Ahmia' search engine for mentions of the target. | Free API |
| AlienVault IP Reputation | Check if an IP or netblock is malicious according to the AlienVault IP Reputation database. | Free API |
| AlienVault OTX | Obtain information from AlienVault Open Threat Exchange (OTX) | Tiered API |
| Amazon S3 Bucket Finder | Search for potential Amazon S3 buckets associated with the target and attempt to list their contents. | Free API |
| Apple iTunes | Search Apple iTunes for mobile apps. | Free API |
| Archive.org | Identifies historic versions of interesting files/pages from the Wayback Machine. | Free API |
| ARIN | Queries ARIN registry for contact information. | Free API |
| Azure Blob Finder | Search for potential Azure blobs associated with the target and attempt to list their contents. | Free API |
| Bad Packets | Obtain information about any malicious activities involving IP addresses found | Commercial API |
| Base64 Decoder | Identify Base64-encoded strings in URLs, often revealing interesting hidden information. | |
| BGPView | Obtain network information from BGPView API. | Free API |
| Binary String Extractor | Attempt to identify strings in binary content. | |
| BinaryEdge | Obtain information from BinaryEdge.io Internet scanning systems, including breaches, vulnerabilities, torrents and passive DNS. | Tiered API |
| Bing (Shared IPs) | Search Bing for hosts sharing the same IP. | Tiered API |
| Bing | Obtain information from bing to identify sub-domains and links. | Tiered API |
| Bitcoin Finder | Identify bitcoin addresses in scraped webpages. | |
| Bitcoin Who's Who | Check for Bitcoin addresses against the Bitcoin Who's Who database of suspect/malicious addresses. | Tiered API |
| BitcoinAbuse | Check Bitcoin addresses against the bitcoinabuse.com database of suspect/malicious addresses. | Free API |
| Blockchain | Queries blockchain.info to find the balance of identified bitcoin wallet addresses. | Free API |
| blocklist.de | Check if a netblock or IP is malicious according to blocklist.de. | Free API |
| BotScout | Searches BotScout.com's database of spam-bot IP addresses and e-mail addresses. | Tiered API |
| botvrij.eu | Check if a domain is malicious according to botvrij.eu. | Free API |
| BuiltWith | Query BuiltWith.com's Domain API for information about your target's web technology stack, e-mail addresses and more. | Tiered API |
| C99 | Queries the C99 API which offers various data (geo location, proxy detection, phone lookup, etc). | Commercial API |
| CallerName | Lookup US phone number location and reputation information. | Free API |
| Censys | Obtain host information from Censys.io. | Tiered API |
| Certificate Transparency | Gather hostnames from historical certificates in crt.sh. | Free API |
| CertSpotter | Gather information about SSL certificates from SSLMate CertSpotter API. | Tiered API |
| CINS Army List | Check if a netblock or IP address is malicious according to Collective Intelligence Network Security (CINS) Army list. | Free API |
| CIRCL.LU | Obtain information from CIRCL.LU's Passive DNS and Passive SSL databases. | Free API |
| CleanBrowse.org | Check if a host would be blocked by CleanBrowse.org DNS content filters. | Free API |
| CleanTalk Spam List | Check if a netblock or IP address is on CleanTalk.org's spam IP list. | Free API |
| Clearbit | Check for names, addresses, domains and more based on lookups of e-mail addresses on clearbit.com. | Tiered API |
| CloudFlare DNS | Check if a host would be blocked by CloudFlare DNS. | Free API |
| CoinBlocker Lists | Check if a domain appears on CoinBlocker lists. | Free API |
| CommonCrawl | Searches for URLs found through CommonCrawl.org. | Free API |
| Comodo Secure DNS | Check if a host would be blocked by Comodo Secure DNS. | Tiered API |
| Company Name Extractor | Identify company names in any obtained data. | |
| Cookie Extractor | Extract Cookies from HTTP headers. | |
| Country Name Extractor | Identify country names in any obtained data. | |
| Credit Card Number Extractor | Identify Credit Card Numbers in any data | |
| Crobat API | Search Crobat API for subdomains. | Free API |
| Cross-Referencer | Identify whether other domains are associated ('Affiliates') of the target by looking for links back to the target site(s). | |
| CRXcavator | Search CRXcavator for Chrome extensions. | Free API |
| Custom Threat Feed | Check if a host/domain, netblock, ASN or IP is malicious according to your custom feed. | |
| CyberCrime-Tracker.net | Check if a host/domain or IP address is malicious according to CyberCrime-Tracker.net. | Free API |
| Darksearch | Search the Darksearch.io Tor search engine for mentions of the target domain. | Free API |
| Debounce | Check whether an email is disposable | Free API |
| Dehashed | Gather breach data from Dehashed API. | Commercial API |
| Digital Ocean Space Finder | Search for potential Digital Ocean Spaces associated with the target and attempt to list their contents. | Free API |
| DNS Brute-forcer | Attempts to identify hostnames through brute-forcing common names and iterations. | |
| DNS Common SRV | Attempts to identify hostnames through brute-forcing common DNS SRV records. | |
| DNS for Family | Check if a host would be blocked by DNS for Family. | Free API |
| DNS Look-aside | Attempt to reverse-resolve the IP addresses next to your target to see if they are related. | |
| DNS Raw Records | Retrieves raw DNS records such as MX, TXT and others. | |
| DNS Resolver | Resolves hosts and IP addresses identified, also extracted from raw content. | |
| DNS Zone Transfer | Attempts to perform a full DNS zone transfer. | |
| DNSDB | Query FarSight's DNSDB for historical and passive DNS data. | Tiered API |
| DNSDumpster | Passive subdomain enumeration using HackerTarget's DNSDumpster | Free API |
| DNSGrep | Obtain Passive DNS information from Rapid7 Sonar Project using DNSGrep API. | Free API |
| DroneBL | Query the DroneBL database for open relays, open proxies, vulnerable servers, etc. | Free API |
| DuckDuckGo | Query DuckDuckGo's API for descriptive information about your target. | Free API |
| E-Mail Address Extractor | Identify e-mail addresses in any obtained data. | |
| EmailCrawlr | Search EmailCrawlr for email addresses and phone numbers associated with a domain. | Tiered API |
| EmailFormat | Look up e-mail addresses on email-format.com. | Free API |
| EmailRep | Search EmailRep.io for email address reputation. | Tiered API |
| Emerging Threats | Check if a netblock or IP address is malicious according to EmergingThreats.net. | Free API |
| Error String Extractor | Identify common error messages in content like SQL errors, etc. | |
| Ethereum Address Extractor | Identify ethereum addresses in scraped webpages. | |
| Etherscan | Queries etherscan.io to find the balance of identified ethereum wallet addresses. | Free API |
| File Metadata Extractor | Extracts meta data from documents and images. | |
| Flickr | Search Flickr for domains, URLs and emails related to the specified domain. | Free API |
| Focsec | Look up IP address information from Focsec. | Tiered API |
| FortiGuard Antispam | Check if an IP address is malicious according to FortiGuard Antispam. | Free API |
| Fraudguard | Obtain threat information from Fraudguard.io | Tiered API |
| F-Secure Riddler.io | Obtain network information from F-Secure Riddler.io API. | Commercial API |
| FullContact | Gather domain and e-mail information from FullContact.com API. | Tiered API |
| FullHunt | Identify domain attack surface using FullHunt API. | Tiered API |
| Github | Identify associated public code repositories on Github. | Free API |
| GLEIF | Look up company information from Global Legal Entity Identifier Foundation (GLEIF). | Tiered API |
| Google Maps | Identifies potential physical addresses and latitude/longitude coordinates. | Tiered API |
| Google Object Storage Finder | Search for potential Google Object Storage buckets associated with the target and attempt to list their contents. | Free API |
| Google SafeBrowse | Check if the URL is included on any of the Safe Browse lists. | Free API |
| Obtain information from the Google Custom Search API to identify sub-domains and links. | Tiered API | |
| Gravatar | Retrieve user information from Gravatar API. | Free API |
| Grayhat Warfare | Find bucket names matching the keyword extracted from a domain from Grayhat API. | Tiered API |
| Greensnow | Check if a netblock or IP address is malicious according to greensnow.co. | Free API |
| grep.app | Search grep.app API for links and emails related to the specified domain. | Free API |
| GreyNoise | Obtain IP enrichment data from GreyNoise | Tiered API |
| HackerOne (Unofficial) | Check external vulnerability scanning/reporting service h1.nobbd.de to see if the target is listed. | Free API |
| HackerTarget | Search HackerTarget.com for hosts sharing the same IP. | Free API |
| Hash Extractor | Identify MD5 and SHA hashes in web content, files and more. | |
| HaveIBeenPwned | Check HaveIBeenPwned.com for hacked e-mail addresses identified in breaches. | Commercial API |
| Hosting Provider Identifier | Find out if any IP addresses identified fall within known 3rd party hosting ranges, e.g. Amazon, Azure, etc. | |
| Host.io | Obtain information about domain names from host.io. | Tiered API |
| Human Name Extractor | Attempt to identify human names in fetched content. | |
| Hunter.io | Check for e-mail addresses and names on hunter.io. | Tiered API |
| Hybrid Analysis | Search Hybrid Analysis for domains and URLs related to the target. | Free API |
| IBAN Number Extractor | Identify International Bank Account Numbers (IBANs) in any data. | |
| Iknowwhatyoudownload.com | Check iknowwhatyoudownload.com for IP addresses that have been using torrents. | Tiered API |
| Gather information from Instagram profiles. | Free API | |
| IntelligenceX | Obtain information from IntelligenceX about identified IP addresses, domains, e-mail addresses and phone numbers. | Tiered API |
| Interesting File Finder | Identifies potential files of interest, e.g. office documents, zip files. | |
| Internet Storm Center | Check if an IP address is malicious according to SANS ISC. | Free API |
| ipapi.co | Queries ipapi.co to identify geolocation of IP Addresses using ipapi.co API | Tiered API |
| ipapi.com | Queries ipapi.com to identify geolocation of IP Addresses using ipapi.com API | Tiered API |
| IPInfo.io | Identifies the physical location of IP addresses identified using ipinfo.io. | Tiered API |
| IPQualityScore | Determine if target is malicious using IPQualityScore API | Tiered API |
| ipregistry | Query the ipregistry.co database for reputation and geo-location. | Tiered API |
| ipstack | Identifies the physical location of IP addresses identified using ipstack.com. | Tiered API |
| JsonWHOIS.com | Search JsonWHOIS.com for WHOIS records associated with a domain. | Tiered API |
| Junk File Finder | Looks for old/temporary and other similar files. | |
| Keybase | Obtain additional information about domain names and identified usernames. | Free API |
| Koodous | Search Koodous for mobile apps. | Free API |
| LeakIX | Search LeakIX for host data leaks, open ports, software and geoip. | Free API |
| Leak-Lookup | Searches Leak-Lookup.com's database of breaches. | Free API |
| Maltiverse | Obtain information about any malicious activities involving IP addresses | Free API |
| MalwarePatrol | Searches malwarepatrol.net's database of malicious URLs/IPs. | Tiered API |
| MetaDefender | Search MetaDefender API for IP address and domain IP reputation. | Tiered API |
| Mnemonic PassiveDNS | Obtain Passive DNS information from PassiveDNS.mnemonic.no. | Free API |
| multiproxy.org Open Proxies | Check if an IP address is an open proxy according to multiproxy.org open proxy list. | Free API |
| MySpace | Gather username and location from MySpace.com profiles. | Free API |
| NameAPI | Check whether an email is disposable | Tiered API |
| NetworksDB | Search NetworksDB.io API for IP address and domain information. | Tiered API |
| NeutrinoAPI | Search NeutrinoAPI for phone location information, IP address information, and host reputation. | Tiered API |
| numverify | Lookup phone number location and carrier information from numverify.com. | Tiered API |
| Onion.link | Search Tor 'Onion City' search engine for mentions of the target domain using Google Custom Search. | Free API |
| Onionsearchengine.com | Search Tor onionsearchengine.com for mentions of the target domain. | Free API |
| Onyphe | Check Onyphe data (threat list, geo-location, pastries, vulnerabilities) about a given IP. | Tiered API |
| Open Bug Bounty | Check external vulnerability scanning/reporting service openbugbounty.org to see if the target is listed. | Free API |
| Open Passive DNS Database | Obtain passive DNS information from pdns.daloo.de Open passive DNS database. | Free API |
| OpenCorporates | Look up company information from OpenCorporates. | Tiered API |
| OpenDNS | Check if a host would be blocked by OpenDNS. | Free API |
| OpenNIC DNS | Resolves host names in the OpenNIC alternative DNS system. | Free API |
| OpenPhish | Check if a host/domain is malicious according to OpenPhish.com. | Free API |
| OpenStreetMap | Retrieves latitude/longitude coordinates for physical addresses from OpenStreetMap API. | Free API |
| Page Information | Obtain information about web pages (do they take passwords, do they contain forms, etc.) | |
| PasteBin | PasteBin search (via Google Search API) to identify related content. | Tiered API |
| PGP Key Servers | Look up e-mail addresses in PGP public key servers. | |
| PhishStats | Check if a netblock or IP address is malicious according to PhishStats. | Free API |
| PhishTank | Check if a host/domain is malicious according to PhishTank. | Free API |
| Phone Number Extractor | Identify phone numbers in scraped webpages. | |
| Port Scanner - TCP | Scans for commonly open TCP ports on Internet-facing systems. | |
| Project Honey Pot | Query the Project Honey Pot database for IP addresses. | Free API |
| ProjectDiscovery Chaos | Search for hosts/subdomains using chaos.projectdiscovery.io | Commercial API |
| Psbdmp | Check psbdmp.cc (PasteBin Dump) for potentially hacked e-mails and domains. | Free API |
| Pulsedive | Obtain information from Pulsedive's API. | Tiered API |
| PunkSpider | Check the QOMPLX punkspider.io service to see if the target is listed as vulnerable. | Free API |
| Quad9 | Check if a host would be blocked by Quad9 DNS. | Free API |
| Recon.dev | Search Recon.dev for subdomains. | Free API |
| ReverseWhois | Reverse Whois lookups using reversewhois.io. | Free API |
| RIPE | Queries the RIPE registry (includes ARIN data) to identify netblocks and other info. | Free API |
| RiskIQ | Obtain information from RiskIQ's (formerly PassiveTotal) Passive DNS and Passive SSL databases. | Tiered API |
| Robtex | Search Robtex.com for hosts sharing the same IP. | Free API |
| Scylla | Gather breach data from Scylla API. | Free API |
| searchcode | Search searchcode for code repositories mentioning the target domain. | Free API |
| SecurityTrails | Obtain Passive DNS and other information from SecurityTrails | Tiered API |
| Seon | Queries seon.io to gather intelligence about IP Addresses, email addresses, and phone numbers | Commercial API |
| SHODAN | Obtain information from SHODAN about identified IP addresses. | Tiered API |
| Similar Domain Finder | Search various sources to identify similar looking domain names, for instance squatted domains. | |
| Skymem | Look up e-mail addresses on Skymem. | Free API |
| SlideShare | Gather name and location from SlideShare profiles. | Free API |
| Snov | Gather available email IDs from identified domains | Tiered API |
| Social Links | Queries SocialLinks.io to gather intelligence from social media platforms and dark web. | Commercial API |
| Social Media Profile Finder | Tries to discover the social media profiles for human names identified. | Tiered API |
| Social Network Identifier | Identify presence on social media networks such as LinkedIn, Twitter and others. | |
| SORBS | Query the SORBS database for open relays, open proxies, vulnerable servers, etc. | Free API |
| SpamCop | Check if a netblock or IP address is in the SpamCop database. | Free API |
| Spamhaus Zen | Check if a netblock or IP address is in the Spamhaus Zen database. | Free API |
| spur.us | Obtain information about any malicious activities involving IP addresses found | Commercial API |
| SpyOnWeb | Search SpyOnWeb for hosts sharing the same IP address, Google Analytics code, or Google Adsense code. | Tiered API |
| Spyse | Search Spyse.com Internet assets registry for information about domains, IP addresses, host info, potential vulnerabilities, passive DNS, etc. | Tiered API |
| SSL Certificate Analyzer | Gather information about SSL certificates used by the target's HTTPS sites. | |
| StackOverflow | Search StackOverflow for any mentions of a target domain. Returns potentially related information. | Tiered API |
| Steven Black Hosts | Check if a domain is malicious (malware or adware) according to Steven Black Hosts list. | Free API |
| Strange Header Identifier | Obtain non-standard HTTP headers returned by web servers. | |
| Subdomain Takeover Checker | Check if affiliated subdomains are vulnerable to takeover. | |
| Sublist3r PassiveDNS | Passive subdomain enumeration using Sublist3r's API | Free API |
| SURBL | Check if a netblock, IP address or domain is in the SURBL blacklist. | Free API |
| Talos Intelligence | Check if a netblock or IP address is malicious according to TalosIntelligence. | Free API |
| TextMagic | Obtain phone number type from TextMagic API | Tiered API |
| ThreatCrowd | Obtain information from ThreatCrowd about identified IP addresses, domains and e-mail addresses. | Free API |
| ThreatFox | Check if an IP address is malicious according to ThreatFox. | Free API |
| ThreatMiner | Obtain information from ThreatMiner's database for passive DNS and threat intelligence. | Free API |
| TLD Searcher | Search all Internet TLDs for domains with the same name as the target (this can be very slow.) | |
| Tool - CMSeeK | Identify what Content Management System (CMS) might be used. | Tool |
| Tool - DNSTwist | Identify bit-squatting, typo and other similar domains to the target using a local DNSTwist installation. | Tool |
| Tool - nbtscan | Scans for open NETBIOS nameservers on your target's network. | Tool |
| Tool - Nmap | Identify what Operating System might be used. | Tool |
| Tool - Nuclei | Fast and customisable vulnerability scanner. | Tool |
| Tool - onesixtyone | Fast scanner to find publicly exposed SNMP services. | Tool |
| Tool - Retire.js | Scanner detecting the use of JavaScript libraries with known vulnerabilities | Tool |
| Tool - snallygaster | Finds file leaks and other security problems on HTTP servers. | Tool |
| Tool - testssl.sh | Identify various TLS/SSL weaknesses, including Heartbleed, CRIME and ROBOT. | Tool |
| Tool - TruffleHog | Searches through git repositories for high entropy strings and secrets, digging deep into commit history. | Tool |
| Tool - WAFW00F | Identify what web application firewall (WAF) is in use on the specified website. | Tool |
| Tool - Wappalyzer | Wappalyzer indentifies technologies on websites. | Tool |
| Tool - WhatWeb | Identify what software is in use on the specified website. | Tool |
| TOR Exit Nodes | Check if an IP adddress or netblock appears on the Tor Metrics exit node list. | Free API |
| TORCH | Search Tor 'TORCH' search engine for mentions of the target domain. | Free API |
| Trashpanda | Queries Trashpanda to gather intelligence about mentions of target in pastesites | Tiered API |
| Trumail | Check whether an email is disposable | Free API |
| Twilio | Obtain information from Twilio about phone numbers. Ensure you have the Caller Name add-on installed in Twilio. | Tiered API |
| Gather name and location from Twitter profiles. | Free API | |
| UCEPROTECT | Check if a netblock or IP address is in the UCEPROTECT database. | Free API |
| URLScan.io | Search URLScan.io cache for domain information. | Free API |
| Venmo | Gather user information from Venmo API. | Free API |
| ViewDNS.info | Identify co-hosted websites and perform reverse Whois lookups using ViewDNS.info. | Tiered API |
| VirusTotal | Obtain information from VirusTotal about identified IP addresses. | Tiered API |
| VoIP Blacklist (VoIPBL) | Check if an IP address or netblock is malicious according to VoIP Blacklist (VoIPBL). | Free API |
| VXVault.net | Check if a domain or IP address is malicious according to VXVault.net. | Free API |
| Web Analytics Extractor | Identify web analytics IDs in scraped webpages and DNS TXT records. | |
| Web Framework Identifier | Identify the usage of popular web frameworks like jQuery, YUI and others. | |
| Web Server Identifier | Obtain web server banners to identify versions of web servers being used. | |
| Web Spider | Spidering of web-pages to extract content for searching. | |
| WhatCMS | Check web technology using WhatCMS.org API. | Tiered API |
| Whoisology | Reverse Whois lookups using Whoisology.com. | Commercial API |
| Whois | Perform a WHOIS look-up on domain names and owned netblocks. | |
| Whoxy | Reverse Whois lookups using Whoxy.com. | Commercial API |
| WiGLE | Query WiGLE to identify nearby WiFi access points. | Free API |
| Wikileaks | Search Wikileaks for mentions of domain names and e-mail addresses. | Free API |
| Wikipedia Edits | Identify edits to Wikipedia articles made from a given IP address or username. | Free API |
| XForce Exchange | Obtain IP reputation and passive DNS information from IBM X-Force Exchange. | Tiered API |
| Yandex DNS | Check if a host would be blocked by Yandex DNS. | Free API |
| Zetalytics | Query the Zetalytics database for hosts on your target domain(s). | Tiered API |
| Zone-H Defacement Check | Check if a hostname/domain appears on the zone-h.org 'special defacements' RSS feed. | Free API |