Tooling

A no-cost recon toolkit worth knowing

A shortlist of free, reputable tools for domain reconnaissance, subdomain discovery, and passive intelligence gathering.

You do not need a budget to do useful reconnaissance. This toolkit covers the core areas of passive domain and infrastructure research. Every tool listed is free for basic use.

Domain and DNS

  • WHOIS — registration history and contact data (when not redacted). Use whois on the command line or a registrar lookup.
  • SecurityTrails / ViewDNS.info — historical DNS records and reverse lookups.
  • crt.sh — certificate transparency logs. Excellent for discovering subdomains.

Example crt.sh query via curl:

curl -s "https://crt.sh/?q=%.example.com&output=json" | jq -r '.[].name_value' | sort -u

Note that each name_value holds every SAN of one certificate, separated by newlines, and wildcard entries appear as *.example.com, so expect to split, lower-case, and deduplicate the output before using it as a host list.

Subdomain enumeration

  • Amass — comprehensive attack-surface mapping, maintained as an OWASP project.
  • Subfinder — fast, passive subdomain discovery.
  • Assetfinder — simple subdomain discovery from multiple sources.

Example Subfinder run:

subfinder -d example.com -o subdomains.txt

Web probing

  • httpx — fast HTTP probing with useful metadata.
  • nmap — network scanning (use only on assets you own or have permission to scan).
  • Wappalyzer — technology detection for websites.

Example httpx run over the list from the previous step:

cat subdomains.txt | httpx -title -tech-detect -status-code

Search and discovery

  • Google Dorks — targeted search operators for finding exposed files, login pages, and more.
  • Shodan — search engine for internet-connected devices and services.
  • Censys — internet asset discovery and monitoring.
  • Wayback Machine — historical snapshots of websites.

Intelligence platforms

  • VirusTotal — domain and file reputation.
  • URLScan.io — safe URL analysis and screenshot capture.
  • abuse.ch — malware and threat-intel feeds (ThreatFox, URLhaus, MalwareBazaar).

Putting it together

A typical recon workflow looks like this:

  1. Identify the target scope in writing.
  2. Run passive DNS and certificate searches to enumerate subdomains.
  3. Probe live hosts to capture titles, technologies, and response codes.
  4. Compare findings against threat-intel feeds.
  5. Document everything with source URLs and timestamps.
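Steps 2 and 5 of this workflow, worked through on the crt.sh output format, as an added example that is not part of the original post: it splits the newline-separated name_value field, strips wildcard prefixes, drops anything outside the written scope, and records each hostname with its source URL and a timestamp. The JSON below is a constructed, trimmed sample of a crt.sh response, not a real query result.

```python
import json
from datetime import datetime, timezone

# Constructed sample of the JSON crt.sh returns for ?q=%.example.com&output=json
# (trimmed records; a real response carries more fields and many more rows).
SAMPLE_CRTSH_JSON = """[
  {"common_name": "www.example.com", "not_before": "2024-01-01T00:00:00",
   "name_value": "www.example.com\\nexample.com"},
  {"common_name": "*.dev.example.com", "not_before": "2023-06-01T00:00:00",
   "name_value": "*.dev.example.com\\nDEV.example.com"},
  {"common_name": "mail.example.com", "not_before": "2022-03-01T00:00:00",
   "name_value": "mail.example.com\\nexample.com.other-org.test"}
]"""


def in_scope(name: str, domain: str) -> bool:
    """Keep only the apex and its subdomains; the written scope decides, not the query."""
    return name == domain or name.endswith("." + domain)


def extract_hostnames(crtsh_json: str, domain: str) -> dict[str, str]:
    """Map each in-scope hostname to the earliest certificate not_before seen for it.

    name_value is one string per certificate and may hold several SANs separated
    by newlines, so a plain jq '.[].name_value' undercounts hosts and mixes case.
    """
    first_seen: dict[str, str] = {}
    for cert in json.loads(crtsh_json):
        for raw in cert["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # wildcard cert: the base label is the host to note
            if not name or not in_scope(name, domain):
                continue
            seen = cert.get("not_before", "")
            if name not in first_seen or seen < first_seen[name]:
                first_seen[name] = seen
    return first_seen


def document_findings(first_seen: dict[str, str], source_url: str) -> list[dict]:
    """Step 5 of the workflow: each hostname with its source URL and a UTC timestamp."""
    observed = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return [{"hostname": h, "earliest_cert": first_seen[h],
             "source": source_url, "observed_at": observed}
            for h in sorted(first_seen)]


if __name__ == "__main__":
    source = "https://crt.sh/?q=%.example.com&output=json"
    for row in document_findings(extract_hostnames(SAMPLE_CRTSH_JSON, "example.com"), source):
        print(json.dumps(row))
```

Feeding a real response in place of the sample is a matter of passing the saved curl output to extract_hostnames; the resulting rows can be written straight to the evidence log.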

Key takeaway: Free tools are powerful, but they still require permission. Only point these at systems you own or are authorized to test. Passive reconnaissance is generally lower risk, but “passive” is not a legal defense by itself.