Top 10 Tools for Reconnaissance


Reports show that more than 4.5 billion records were compromised in 2019, and the figure was expected to rise in 2020. Attackers use modern tooling to commit these crimes, and their attacks follow a sequence of steps in which reconnaissance plays a key role.

It also plays a key role in penetration testing. 

In 2011, researchers at Lockheed Martin described an "intrusion kill chain" model for defending computer networks. The cyber kill chain lays out the phases of an attack, from early reconnaissance through to the attacker's objective, such as data exfiltration. The kill chain also serves as a management tool for continuously improving network defense: a defense that breaks any one link stops the attack. Its first phase is Reconnaissance, in which the attacker researches, identifies and selects targets and attempts to find vulnerabilities in the target network.

Here we list 10 tools security teams can use for reconnaissance against their own organization, to see their exposure the way an attacker would and assess their security posture before someone else does.

1. Google

We all know Google as the go-to search engine for all sorts of things. When it comes to reconnaissance, Google is the first tool a penetration tester should reach for. Search engines like Google and Bing reveal a great deal about individuals and organizations, including leaked content that was never meant to be indexed. Google dorks are search queries that use advanced operators (such as site:, filetype:, intitle: and inurl:) to narrow results to material that is useful for a security investigation, for example exposed configuration files, login portals or directory listings on a given domain. A list of such Google dorks may be found here.

2. Maltego CE

Maltego is an interactive data mining tool that renders directed graphs for link analysis. It is used in online investigations to find relationships between pieces of information gathered from various sources on the Internet, such as domains, IP addresses, e-mail addresses, people and organizations. You can find more details here.

How it helps you:

  • Maltego can be used for the information gathering phase of any security engagement. It saves time and lets you work more accurately.
  • Maltego's transforms give you a much more powerful search with more relevant results. If your success depends on finding "hidden" information, Maltego can help you discover it.
  • Maltego supports your thinking process by visually showing the links between the items you searched for.

3. Recon-ng

Recon-ng is a full-featured web reconnaissance framework written in Python. Complete with independent modules, database interaction, built-in convenience functions, interactive help and command completion, Recon-ng provides a powerful environment in which open-source, web-based reconnaissance can be conducted quickly and thoroughly. More details here and here.

4. Shodan

Shodan describes itself as the world's first search engine for Internet-connected devices.
Shodan operates servers around the world that crawl the Internet 24/7 to provide up-to-date Internet intelligence. Who is running Smart TVs? Which countries are building the most wind farms? Which companies are affected by Heartbleed? Shodan provides the tools to answer such questions at Internet scale. It also exposes a public API through which other tools can access Shodan's data; integrations are available for Nmap, Metasploit, Maltego, FOCA, Chrome, Firefox and many more. More details here.

5. Censys

Censys gives you a current view of all of your organization's Internet-facing assets so you can proactively prevent targeted attacks and investigate suspicious activity. It offers actionable insights, risk mitigation, monitoring and discovery, alerts and more.

It can help you track changes to your assets over time to locate and identify potential weaknesses and risks. It can also help you monitor emerging software vulnerabilities and track which assets need updating.

More details here and a usage guide here.


6. Nmap

Nmap is one of the oldest and best-known port scanners used by both attackers and the security community. Nmap stands for Network Mapper, and it is free and open source.

Nmap sends crafted IP packets in a number of different ways to determine which hosts are available on a network, which services (application name and version) those hosts offer, which operating systems (and OS versions) they run, whether packet filters or firewalls are in use, and so on. It was designed to scan single hosts as well as large networks rapidly. Nmap is portable and runs on all major operating systems, with official binary packages available for Linux, Windows and macOS. Its output can be written in XML (-oX) for consumption by other tools. The current version is available for download.

7. Spiderfoot

SpiderFoot is a reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names, and more. You simply specify the target you want to investigate, pick which modules to enable, and then SpiderFoot will collect data to build up an understanding of all the entities and how they relate to each other.

The data returned from a SpiderFoot scan will reveal a lot of information about your target, providing insight into possible data leaks, vulnerabilities, or other sensitive information that can be leveraged during a penetration test, red team exercise, or for threat intelligence. Try it out against your own network to see what you might have exposed! Find more details here.

8. Datasploit

Datasploit is an OSINT framework that performs various recon techniques on companies, people, phone numbers, Bitcoin addresses and more, aggregates all the raw data, and outputs it in multiple formats.

Datasploit is useful for collecting relevant information about a target in order to map its attack surface (or your own defensive surface) very quickly. Its features include:

  • Automated OSINT on a domain, e-mail address, username or phone number, pulling relevant information from different sources.
  • Useful for penetration testers, cyber investigators, defensive security professionals and others.
  • Correlates results from the different sources and presents them in a consolidated view.
  • Tries to find credentials, API keys, tokens, subdomains, domain history, legacy portals and more related to the target.
  • Available as a single consolidated tool as well as standalone scripts.
  • Performs active scans on the collected data.
  • Generates HTML and JSON reports along with text files.

More details here and here.

9. Aquatone

A tool for domain flyovers. Aquatone is a set of tools for performing reconnaissance on domain names. It discovers subdomains of a given domain using open sources as well as the more common dictionary brute-force approach, in which candidate names from a wordlist are resolved against the target zone.

More details here and here.
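The dictionary brute-force approach described above, as an added example that is not Aquatone's own code: candidate labels from a wordlist are resolved under the target domain, and a wildcard check is run first, because a zone that answers for any name (a wildcard record) would otherwise make every wordlist entry look like a hit. The resolver is injectable; `system_resolve` uses real DNS, while `stub_resolve` and `STUB_ZONE` are a constructed, offline zone for the demonstration and do not describe any real domain.

```python
"""Subdomain dictionary brute force with wildcard-DNS detection (added example)."""
import secrets
import socket


def system_resolve(name):
    """Resolve a name to its set of IPv4 addresses; empty set if it does not exist."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def detect_wildcard(domain, resolve, probes=3):
    """Resolve a few random labels under the domain. If every one of them resolves,
    the zone has a wildcard record; return the addresses it answers with (else empty)."""
    answers = []
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 random hex chars: should not exist as a real host
        answers.append(resolve(f"{label}.{domain}"))
    if all(answers):
        return set.union(*answers)
    return set()


def brute_force_subdomains(domain, wordlist, resolve=system_resolve):
    """Return {fqdn: addresses} for wordlist entries that resolve to non-wildcard addresses."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word:
            continue
        fqdn = f"{word}.{domain}"
        real = resolve(fqdn) - wildcard_ips  # drop answers that only hit the wildcard
        if real:
            found[fqdn] = real
    return found


# Constructed offline zone: example.test has a wildcard pointing at 203.0.113.9,
# plus three real hosts (one of which also shares the wildcard address).
STUB_ZONE = {
    "www.example.test": {"203.0.113.10"},
    "mail.example.test": {"203.0.113.11"},
    "dev.example.test": {"203.0.113.12", "203.0.113.9"},
}


def stub_resolve(name):
    """Pretend resolver: known names first, then the wildcard for anything else under example.test."""
    if name in STUB_ZONE:
        return set(STUB_ZONE[name])
    if name.endswith(".example.test"):
        return {"203.0.113.9"}
    return set()


# Constructed wordlist; real engagements use lists of thousands of common labels.
WORDLIST = ["www", "mail", "dev", "vpn", "staging"]

if __name__ == "__main__":
    print("wildcard:", detect_wildcard("example.test", stub_resolve))
    print(brute_force_subdomains("example.test", WORDLIST, resolve=stub_resolve))
```

Against the stub zone, "vpn" and "staging" resolve only because of the wildcard and are correctly dropped, while "dev" survives because it has an address beyond the wildcard one. Brute force only finds names in your wordlist; the open-source side (certificate transparency logs, search engines, passive DNS) catches the unusual names a wordlist would miss, which is why Aquatone combines both.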

10. FireCompass

FireCompass helps you reduce your attack surface: it identifies exposed assets, monitors your digital footprint, and protects against phishing risks and misconfigured infrastructure.

Its use cases include:

  • Digital footprint and shadow IT discovery
  • Dark web monitoring
  • Third-party risk management

You can request a free demo of your attack surface here.
