External Footprinting Tools for Passive Reconnaissance


dmitry, the Deepmagic Information Gathering Tool, can be used for a variety of reconnaissance purposes. It ships with Kali Linux and can be used to perform a whois lookup on the domain name of a host and save it to a text file like this (the -p flag in this command also runs a TCP port scan, which is active rather than passive):
dmitry -winsepo example.txt example.com


whois is kind of obvious, but very useful for getting initial pointers on names as well as IP addresses.
apt-get install whois


Looking Glass or bgp.he.net can be used to run BGP queries on an ASN.


scans.io provides downloads of TCP/UDP port scans as well as service fingerprints like security certificates and DNS records. Its sister project censys.io allows the data to be queried online as opposed to downloading it.

Side note: pigz (parallel implementation of gzip) is a great tool for interrogating downloads quickly by using multiple CPUs and threads.


shodan.io is the search engine for the internet of things.

Common Crawl

An open repository of web crawl data available at commoncrawl.org.


Comodo’s Certificate Search can find certificates by domain name, organisation name or fingerprint.