# Recon for Red Teaming- Practical

### Comprehensive list of Online and Offline Recon Tools

#### Data Leak Search Online Sites/Tools (most commonly used):

| Tool                          | Remarks                                                                                                   |
| ----------------------------- | --------------------------------------------------------------------------------------------------------- |
| intelx.io                     | Paid; somewhat expensive, but worth it                                                                    |
| dehashed.com                  | Paid, but comparatively reasonable                                                                        |
| pastebin.com                  | Free                                                                                                      |
| github.com                    | Free (register and create a token to use the search API)                                                  |
| postman.com & web.postman.com | Free (public workspaces and collections)                                                                  |
| leakix.net                    | Paid                                                                                                      |
| leakpeek.com                  | Paid                                                                                                      |
| grep.app                      | Free (code search across public GitHub repositories)                                                      |
| firebase.google.com           | Free (register to get an API key)                                                                         |
| haveibeenpwned.com            | Free web lookup, and the best place to check whether an email address appears in a known breach; the API requires a (paid) key |

#### Data Leak Search Offline Tools (most commonly used):

<table><thead><tr><th width="286">Tool</th><th>Where to find</th></tr></thead><tbody><tr><td>theHarvester</td><td>Free (Kali/ParrotOS)</td></tr><tr><td>mosint</td><td>Free (Kali/ParrotOS)</td></tr><tr><td>h8mail</td><td>Free (Kali/ParrotOS)</td></tr><tr><td>recon-ng</td><td>Free (Kali/ParrotOS)</td></tr></tbody></table>

#### Subdomain Recon: some popular tools

<table><thead><tr><th width="231">Tool/Site</th><th>Remarks</th></tr></thead><tbody><tr><td>puredns</td><td><code>puredns bruteforce /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt redteamgarage.com -r ./resolvers.txt</code><br>Wordlist brute force with wildcard filtering; needs massdns installed, and <code>-r</code> should point at a list of resolvers you trust rather than random public ones.</td></tr><tr><td>amass</td><td><code>amass enum -d redteamgarage.com -rf resolvers.txt</code><br>Passive and active enumeration; <code>-rf</code> supplies the resolver file.</td></tr><tr><td>subdomainfinder.c99.nl</td><td>Online site</td></tr><tr><td>censys.io</td><td>Online site (certificate and host search)</td></tr><tr><td>crt.sh</td><td>Online site (Certificate Transparency log search)</td></tr><tr><td>virustotal.com</td><td>Online site (passive DNS from submitted samples and URLs)</td></tr><tr><td>knockpy</td><td><code>knockpy -d redteamgarage.com --recon --bruteforce</code><br><code>--recon</code> queries passive sources, <code>--bruteforce</code> runs the built-in wordlist.</td></tr></tbody></table>

Merge and de-duplicate the output of several of these before resolving anything: crt.sh in particular returns wildcard entries (`*.redteamgarage.com`), trailing dots and mixed case, and a plain string match on the target domain also keeps unrelated names such as `redteamgarage.com.attacker.net` or `notredteamgarage.com`.
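The following is an added example, not code from the original page or from any of the tools above. It merges the plain-text output of puredns, amass and crt.sh into one clean, in-scope list: lowercasing, stripping trailing dots and crt.sh wildcard prefixes, dropping names that merely contain the target string without being subdomains of it, and de-duplicating. The three input lists are constructed sample data using the page's example domain, not real enumeration results.

```bash
#!/usr/bin/env bash
# Added example: merge subdomain lists from several recon tools into one
# clean, in-scope, de-duplicated list. Sample input below is constructed.
set -eu

# normalize_subdomains DOMAIN < raw_list
#  - lowercases, strips whitespace, trailing dots and crt.sh "*." wildcards
#  - keeps only DOMAIN itself or names that end in ".DOMAIN"
#    (a naive grep for the domain string would also keep
#     "redteamgarage.com.attacker.net" and "notredteamgarage.com")
#  - de-duplicates with sort -u
normalize_subdomains() {
  local domain
  domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tr '[:upper:]' '[:lower:]' \
    | sed -e 's/[[:space:]]//g' -e 's/\.$//' -e 's/^\*\.//' \
    | awk -v d="$domain" '
        $0 == d || substr($0, length($0) - length(d)) == "." d { print }
      ' \
    | sort -u
}

# Constructed sample output, roughly as each tool would print it.
PUREDNS_OUT='www.redteamgarage.com
mail.redteamgarage.com
DEV.redteamgarage.com'

AMASS_OUT='vpn.redteamgarage.com
www.redteamgarage.com
redteamgarage.com.attacker.net'

CRTSH_OUT='*.redteamgarage.com
staging.redteamgarage.com.
notredteamgarage.com
mail.redteamgarage.com'

# merge_all: concatenate the three lists and normalize them for the target.
merge_all() {
  printf '%s\n%s\n%s\n' "$PUREDNS_OUT" "$AMASS_OUT" "$CRTSH_OUT" \
    | normalize_subdomains redteamgarage.com
}

merge_all
# On a real engagement the next step is to resolve the merged list against
# trusted resolvers, e.g. (not run here):
#   merge_all > subs.txt && puredns resolve subs.txt -r resolvers.txt
```

The apex domain survives the merge because crt.sh's `*.redteamgarage.com` entry collapses to it; drop it afterwards if you only want hostnames to probe.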

#### Some examples of subdomain recon:

<figure><img src="https://1698500628-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FifilBLhnTZVjmLemJ6ni%2Fuploads%2FhWDsto6cleYssaBAqJWp%2Fimage.png?alt=media&#x26;token=e26a6bbb-2e0d-431a-a68d-2b3cd31d09e8" alt=""><figcaption><p><em>Example: knockpy</em></p></figcaption></figure>

<figure><img src="https://1698500628-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FifilBLhnTZVjmLemJ6ni%2Fuploads%2F0eegYtY6EdRwnVkqay8x%2Fimage.png?alt=media&#x26;token=29a75571-2c22-43b8-92e0-414df842f5a8" alt=""><figcaption><p><em>Example: amass</em></p></figcaption></figure>

<figure><img src="https://1698500628-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FifilBLhnTZVjmLemJ6ni%2Fuploads%2FkUTWufm8SjrDrCFz8ki9%2Fimage.png?alt=media&#x26;token=29729068-95f5-45b4-ada7-dad4cc73362b" alt=""><figcaption><p><em>Example: puredns</em></p></figcaption></figure>

<figure><img src="https://1698500628-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FifilBLhnTZVjmLemJ6ni%2Fuploads%2F2A082c1gz0SyRtkokHkL%2Fimage.png?alt=media&#x26;token=237f8347-17e3-4dfb-a5c1-70c1b4483528" alt=""><figcaption><p><em>Example: crt.sh</em></p></figcaption></figure>
