dnsenum
dnsenum is the comprehensive DNS enumerator that brute-forces subdomains, transfers zones, and pulls AXFR records for mapping attack surfaces in recon phases. Run its Perl script with -f for wordlists and -r for reverse lookups, outputting zones for further enumeration. Open-source from fwaeytens, it's the DNS diver for pentesters templating brute and transfer hunts.
dnsrecon
dnsrecon is the multi-threaded DNS toolkit for subdomain brute force, zone transfers, and SRV enumeration, resolving hosts with massdns for efficient footprinting. Launch its Python CLI with -d for domains and -t std for standard recon, exporting XML for tools. Open-source from darkoperator, it's the recon ranger for OSINT pros chaining DNS discoveries.
massdns
massdns is the ultra-fast resolver that brute-forces subdomains against custom servers, outputting uniques with stats for high-volume enumeration without recursion delays. Compile its C code, feed lists via stdin with resolvers, and grep for wildcards. Open-source from blechschmidt, it's the mass mapper for pentesters scaling DNS queries massively.
dnsx
dnsx is the versatile DNS toolkit for wildcard detection, filter chains, and resolution testing, templating queries with A/AAAA/CNAME for clean recon outputs. Run its Go binary with -rd for random resolvers, processing lists for validated hosts. Open-source from projectdiscovery, it's the DNS dialer for analysts templating resolution workflows.
ipinfo CLI
ipinfo CLI is the terminal geolocator that queries IPs for ASN, org, and location details, templating lookups with JSON for scripted OSINT chains. Install via Go, run on lists with --format for fields, and pipe to jq for parsing. Open-source from ipinfo, it's the IP informant for recon rangers mapping addresses to assets.
whois
whois is the query engine for IP/DNS ownership, pulling RDAP/WHOIS data for netblocks and abuse contacts in footprinting phases. Compile from C or use the system binary, and script queries for batch intel on resolved hosts. Open-source from GNU, it's the registry reader for pentesters tracing domains to registrars.
Shodan CLI
shodan-cli queries the IoT search engine for IP/DNS banners and vulnerabilities, templating searches for exposed services in passive recon. Authenticate via API key, then run host commands on targets for JSON details. Open-source from achillean, it's the device diviner for OSINT pros unearthing internet-connected intel.
Censys Search
censys-search is the CLI for querying Censys's scan data on IPs/DNS, fetching certificates and ports for vulnerability enrichment in asset mapping. Install via pip, then search with --api-id for structured outputs. Open-source from censys, it's the scan summoner for researchers templating global exposure queries.
DNS Dumpster CLI
dnsdumpster-cli scrapes DNS Dumpster for subdomain/IP associations, templating searches for passive recon without API limits. Run its Python script on domains for CSV exports of records. Open-source from community, it's the dumpster diver for pentesters sifting public DNS trash for treasures.
dnsgen

