Awesome

Awesome Asset Discovery

Asset Discovery is the initial phase of any security assessment engagement, be it offensive or defensive. With the evolution of information technology, the scope and definition of assets has also evolved.

Earlier the servers, workstations and websites were primary IT assets of an organization, but today this definition is very limiting and should include anything and everything an organization and its entities has their data on (knowingly or unknowingly). The scope of ownership could differ, but it does not limit the attack surface, for example if an organization puts out open source code on Github, they are not the owner of Github but of the data they put under their repositories. In a scenario where some organization secret has been put on this Github account, it could pose a threat equal or more than running a vulnerable service.

We have explored this aspect of assets in our blog post here.

Through this repository, we want to put out a list of curated resources which help during asset discovery phase of a security assessment engagement. We welcome suggestions and contributions from the community in terms of resources as well as categories.

To know more about our Attack Surface Management platform, check out NVADR.

Content Discovery
IP Address Discovery
Domain / Subdomain Discovery
Email Discovery
Network / Port Scanning
Business Communication Infrastructure Discovery
Source Code Aggregators / Search - Information Discovery
Cloud Infrastructure Discovery
Company Information and Associations
Internet Survey Data
Social Media / Employee Profiling
Data Leaks
Internet Scan / Archived Information

↑Content Discovery

rustbuster: Files, directories and vhost buster written in Rust.

↑IP Address Discovery

Mxtoolbox: Bulk Domain/IP lookup tool
Domaintoipconverter: Bulk domain to IP converter
Massdns: A DNS resolver utility for bulk lookups
Googleapps Dig: Online Dig tool by Google
DataSploit (IP Address Modules): An OSINT Framework to perform various recon techniques
Domain Dossier: Investigate domains and IP addresses
Bgpview: Search ASN, IPv4/IPv6 or resource name
Hurricane Electric BGP Toolkit: Keyword to ASN lookup
Viewdns: Multiple domain/IP tools
Ultratools ipv6Info: Multiple information related to IPv6 address
Whois: Command line utility usually used to find information about registered users/assignees of an Internet resource.
ICANN Whois: Whois service by Internet Corporation for Assigned Names and Numbers (ICANN)
Nslookup Linux / Windows: Command line utility usually used for querying the DNS records
bgp : Internet Backbone and Colocation Provider ... Hurricane Electric IP Transit. Our Global Internet Backbone provides IP Transit with low latency, access to thousands of networks, and dual-stack

↑Domain / Subdomain Discovery

RedHunt Labs Attack Surface Recon API: RedHunt Labs' Recon API offers comprehensive domain intelligence and reconnaissance capabilities. With access to their extensive in-house database of over 6 billion records, including domains, subdomains, third-party SaaS, data leaks, and intelligent correlations, this API empowers you to enhance your Attack Surface Management and InfoSec workflows.
SubFinder: SubFinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
Amass: A subdomain enumeration utility
Sublist3r: Subdomains enumeration tool with multiple sources
Aiodnsbrute: Asynchronous DNS brute force utility
LDNS: A DNS library useful for DNS tool programming
Dns-nsec3-enum: Nmap NSE Script for NSEC3 walking
Nsec3map: A tool to NSEC and NSEC3 walking
Crt.sh: Domain certificate Search
Ct-exposer: A tool to discovers sub-domains by searching Certificate Transparency logs
Certgraph: A tool to crawl the graph of certificate Alternate Names
Appsecco - The art of subdomain enumeration: The supplement material for the book "The art of sub-domain enumeration"
SSLScrape: A scanning tool to scrape hostnames from SSL certificates
Wolframalpha: Computational knowledge engine
Project Sonar: Forward DNS Data
Project Sonar: Reverse DNS Data
GoBuster: Directory/File, DNS and VHost busting tool written in Go
Bluto: Recon, Subdomain Bruting, Zone Transfers

↑Email Discovery

Hunter: Email search for a domain
Skrapp: Browser addon to find emails on Linkedin
Email Extractor: Chrome extension to extract emails from web pages
Convertcsv: Online tool to extract email addresses in text, web pages, data files etc.
linkedin2username: OSINT Tool: Generate username lists for companies on LinkedIn
Office365UserEnum: Enumerate valid usernames from Office 365 using ActiveSync.

↑Network / Port Scanning

Zmap: A fast network scanner designed for Internet-wide network surveys
Masscan: An asynchronously TCP port scanner
ZMapv6: A modified version of Zmap with IPv6 support.
Nmap: A free and open source utility for network discovery. The most popular port scanner.

↑Business Communication Infrastructure Discovery

Mxtoolbox: Online tool to check mail exchanger (MX) records
MicroBurst: PowerShell based Azure security assessment scripts
Lyncsmash: Tools to enumerate and attack self-hosted Lync/Skype for Business
Enumeration-as-a-Service: Script for SaaS offering enumeration through DNS queries
ruler : A tool to abuse Exchange services

↑Source Code Aggregators / Search - Information Discovery

Github: Github Advanced Search
Bitbucket: Bitbucket Search using Google
Gitrob: Reconnaissance tool for GitHub organizations
Gitlab: Search Gitlab projects
Publicwww: Source Code Search Engine
builtwith : Web technology information profiler tool. Find out what a website is built with.

↑Cloud Infrastructure Discovery

CloudScraper: A tool to spider websites for cloud resources (S3 Buckets, Azure Blobs, DigitalOcean Storage Space)
InSp3ctor: AWS S3 Bucket/Object finder
Buckets Grayhatwarfare: Search for Open Amazon s3 Buckets and their contents
Spaces-finder: A tool to hunt for publicly accessible DigitalOcean Spaces
GCPBucketBrute: A Google Storage buckets enumeration script
CloudStorageFinder: Tools to find public data in cloud storage systems

↑Company Information and Associations

Crunchbase: Information about companies (funding, acquisition, merger etc.) and the people behind them
Companieshouse: United Kingdom's registrar of companies
OverSeas Registries: List of company registries located around the world
Opencorporates: Open database of companies in the world

↑Internet Survey Data

Project Resonance: RedHunt Labs’s Internet wide surveys to study and understand the security state of the Internet.
Project Sonar: Rapid7’s internet-wide surveys data across different services and protocols
Scans.io: Internet-Wide Scan Data Repository, hosted by the ZMap Team
Portradar: Free and open port scan data by packet.tel

↑Social Media / Employee Profiling

LinkedInt: A LinkedIn scraper for reconnaissance
Glassdoor: Company review and rating search
SocialBlade: Track user statistics for different platforms including YouTube and Twitter
Social-Searcher: Social Media Search Engine
Checkuser: Social existence checker

↑Data Leaks

Dumpmon: A twitter bot which monitors multiple paste sites for password dumps and other sensitive information
Pastebin_scraper: Automated tool to monitor pastebin for interesting information
Scavenger: Paste sites crawler (bot) looking for leaked credentials
Pwnbin: Python based Pastebin crawler for keywords.
PwnedOrNot: Tool to find passwords for compromised accounts

↑Internet Scan / Archived Information

Cachedviews: Cached view of pages on the Internet from multiple sources
Wayback Machine: Internet Archive
Shodan: Search engine for Internet-connected devices
Censys: Another search engine for internet-connected devices
Zoomeye: Cyberspace Search Engine

Contributing

In case you would like to add information to this repository or suggest some ideas, please use one of the following options:

Create an Issue.
Send us Pull Requests
Drop an email to contact@redhuntlabs.com

Connect

To connect with us:

License

This work is licensed under CC0 1.0 Universal