Exposor is a tool using internet search engines to detect exposed technologies with a unified syntax.

Passive Reconnaissance Techniques Approach helps for penetration testing and bug bounty hunting by gathering information about a target system or network.

Passive recon & attack surface mapper — zero requests sent

Instagram information gathering

Open-source multi-user ICS/SCADA passive network discovery and topology platform. Upload PCAPs, visualize OT networks, generate assessment reports. Flask + Docker. The open-source engine behind Fathom.

Phone number osint

A lightweight Python tool for passive reconnaissance, including subdomain, email, and S3 bucket extraction, with AI-powered scanner for sensitive infrastructure mentions.

This is a Python script that provides the ability to perform: Check all NS Records for Zone Transfers. Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT). Perform common SRV Record Enumeration. Top Level Domain (TLD) Expansion.

Recon-Scan: open‑source passive reconnaissance with AI‑powered security analysis. Zero‑touch, developer‑first, and privacy‑focused.

Passive subdomain enumeration tool in Python. Collects subdomains, resolves DNS, and optionally checks HTTP/HTTPS status.

⚡ Passive OSINT reconnaissance tool — subdomains, GitHub leaks, Shodan, Wayback Machine

🕵️♂️ Discover and extract endpoints, subdomains, and GraphQL queries effortlessly with this Burp Suite extension for efficient passive reconnaissance.

A basic passive reconnaissance tool made using Python. It checks tech stacks, security headers and hidden directories in a website.

Static is a lightweight, dependency-free typosquatting reconnaissance tool written in pure Python. It generates common typo variations of a target domain and checks them using DNS and HTTP/HTTPS heuristics to identify potentially available domains and redirect behavior.

From a domain or IP: subdomains, open ports, CVE scores, reputation, leaks — all passive.

👻 GhostPath — A powerful modular reconnaissance toolkit built for hackers, OSINT professionals & bug bounty hunters — passive + active recon in a sleek CLI shell. Discover subdomains, probe paths, mine archives and hunt certificates — all from one interactive terminal interface.

Passive domain intelligence: M365 tenant lookup, email security scoring, 225+ SaaS fingerprints, crt.sh enrichment & signal intelligence. Zero-credential, purely passive. Native MCP server for AI agents (Claude, Cursor, etc.).

Lightweight OSINT tool for passive DNS/subdomain discovery, DNS record lookup, reverse‑DNS and title extraction.

WP-Dex is an advanced passive WordPress reconnaissance tool built in Python for security auditing and intelligence gathering. It extracts detailed information about WordPress websites including plugins, themes, users, server fingerprinting, exposed paths, and known vulnerabilities — without performing any exploitation or modification. Designed for

Passive Recon - Subdomain Enumeration With sub-finder.