All tools

In-depth attack surface mapping and subdomain enumeration via passive and active techniques.

Find domains and subdomains related to a given domain using passive sources (Tom Hudson).

Internet-wide scan data and certificate intelligence for hosts, services, and attack surface research.

DNS lookup utility for querying record types, tracing resolution, and debugging DNSSEC.

Perl DNS enumerator for zone transfers, subdomain brute force, reverse lookups, and WHOIS.

Python DNS enumeration tool for records, zone transfers, brute force, and cache snooping.

DNS reconnaissance tool that locates non-contiguous IP space near target domains.

Interactive and non-interactive DNS query tool available on Linux and Windows for basic record lookups.

Open-source intelligence workflow: domains, emails, people, breaches, and infrastructure using Google dorks and free OSINT tools.

Modular reconnaissance framework with workspaces, modules, and API-driven OSINT collectors.

Search engine for Internet-connected devices, banners, ports, and exposed services via CLI and web.

OSINT automation platform correlating IPs, domains, emails, breaches, and social data from 200+ modules.

Find subdomains via passive sources, DNS brute force, certificate transparency, and permutation — then probe which are live.

Fast passive subdomain discovery using curated OSINT sources and API integrations.

OSINT gathering for emails, subdomains, hosts, and employee names from public sources.