# Recon for Red Teaming: Practical

### Comprehensive list of Online and Offline Recon Tools

#### Data Leak Search Online Sites/Tools (Mostly used):

| Tool                          | Remarks                                                                                  |
| ----------------------------- | ---------------------------------------------------------------------------------------- |
| intelx.io                     | Somewhat expensive but worth it                                                          |
| dehashed.com                  | Paid, but comparatively reasonable                                                       |
| pastebin.com                  | Free                                                                                     |
| github.com                    | Free (Register to get the API)                                                           |
| postman.com & web.postman.com | Free                                                                                     |
| leakix.net                    | Paid                                                                                     |
| leakpeek.com                  | Paid                                                                                     |
| grep.app                      | Paid                                                                                     |
| firebase.google.com           | Free (Register to get the API)                                                           |
| haveibeenpwned.com            | Free; the best on the market for checking whether email IDs have been compromised        |

#### Data Leak Search Offline Tools (Mostly used):

| Tool         | Where to find        |
| ------------ | -------------------- |
| theHarvester | Free (Kali/ParrotOS) |
| mosint       | Free (Kali/ParrotOS) |
| h8mail       | Free (Kali/ParrotOS) |
| recon-ng     | Free (Kali/ParrotOS) |

#### Subdomain Recon: Some popular tools

| Tool/Site              | Remarks |
| ---------------------- | ------- |
| puredns                | `puredns bruteforce /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt redteamgarage.com -r ./resolvers.txt` |
| amass                  | `amass enum -d redteamgarage.com -rf resolvers.txt` |
| subdomainfinder.c99.nl | Online Site |
| censys.io              | Online Site |
| crt.sh                 | Online Site |
| virustotal.com         | Online Site |
| knockpy                | `knockpy -d redteamgarage.com --recon --bruteforce` |

#### Some examples of subdomain recon:

<figure><img src="/files/jB1CrBR7Ubo7maQgheBh" alt=""><figcaption><p><em>Example: knockpy</em></p></figcaption></figure>

<figure><img src="/files/e5D6OZZxuVWYFUQr0byw" alt=""><figcaption><p><em>Example: amass</em></p></figcaption></figure>

<figure><img src="/files/6M6sG3DjHtzzyiKtYXnw" alt=""><figcaption><p><em>Example: puredns</em></p></figcaption></figure>

<figure><img src="/files/3XNl4jJHRJIV4zFAjNY5" alt=""><figcaption><p><em>Example: crt.sh</em></p></figcaption></figure>


