5 Popular Open Source Tools for Reconnaissance


In penetration testing, reconnaissance (information gathering) is the first step to analyse the target and explore its attack surface. It is a crucial step to determine the ways that the target could be exploited.

In this article, we will explore the 5 essential and popular open-source tools for reconnaissance for penetration testing.

We will be covering the following tools:

  • Wappalyzer – Website Technology Identifier
  • DNSrecon – DNS-related information gathering
  • Sublit3r – Subdomain finder
  • theHarvester – Email Finder (for social engineering)
  • Ffuf – URL Fuzzer/Finder


Wappalyzer is software that identifies technologies in a web application such as CMS, web frameworks, eCommerce platforms, JavaScript libraries, analytics tools and more.

Wappalyzer is free to use, but they also have paid services (a monthly subscription) for its API or advance features. Wappalyzer is an open-source project so you can also download the software from GitHub.

Thus, Wappalyzer can be run from the Wappalyzer website, through a chrome extension, or executed with a command line interface (CLI).

Find out more about Wappalyzer here


DNSrecon is a DNS reconnaissance tool to gather DNS information, such as DNS records and DNS servers from a website or domain (DNSSEC, SOA, NS, MX and etc). This can help piece together the network infrastructure of an organization. Additionally, it does not trigger an alert from the organisation’s firewall or IDS/IPS. Conveniently, it comes preinstalled on Kali Linux.

Find out more about DNSrecon here


Sublits3r is a tool to help expand your attack surface by automatically finding subdomains of a target. It uses many search engines such as Baidu, Google, Yahoo, Netcraft and Virustotal to find the subdomains. Sublits3r is a python3 tool and is used from a command line interface (CLI).

Find out more about Sublit3r here


theHarvester is a tool used for social engineering. It can extract emails based on a given domain by using different search engines such as Bing, Virustotal, Shodan, etc. These email addresses can be used for brute-forcing login accounts or social engineering. However, some of the search engines will require an API key.

Find out more about theHarvester here


ffuf is a URL fuzzer (a brute force directory browsing tool) That is run from the command line. used to find hidden directories given a wordlist. This expands the attack surface of the target and can sometimes find sensitive or vulnerable files. Conveniently, it comes preinstalled on Kali Linux.

Find out more about Ffuf here


By using these 5 tools for reconnaissance together, you can gather a target’s:

  • Technology being used
  • DNS records
  • Subdomains
  • Emails
  • Hidden directories and vulnerable files

giving you a full picture of your target, and making it easier to find angles of attack and ways to exploit your target.

Related Articles

Wappalyzer – Website Technology Identifier for Pentesting

DNSrecon – DNS reconnaissance for Penetration Testing 

Sublist3r – Subdomain Finder for Pentesting

theHarvester – Email Harvesting & Social Engineering

Ffuf – URL Directory Finder/Fuzzer

Tips to Secure your devices to stop ransomware attacks

Leave a Reply

Your email address will not be published. Required fields are marked *