RECONDB — Cheat Sheet

All Categories · 38 tools · 2026

For authorized & educational use only

38 tools · 197 commands

reconFTW

Dual-Use · Bash · ★ 7.4k

Automated recon framework chaining 45+ tools for full attack surface mapping.

GitHub: github.com/six2dez/reconftw

⬡ Installation

# Clone and install

git clone https://github.com/six2dez/reconftw
cd reconftw
./install.sh --verbose

# Docker (no local install required)

docker pull six2dez/reconftw:main

▶ Usage

# Full scan with resume capabilities (recommended)

./reconftw.sh -d example.com -r

# Passive-only footprint scan (stealthy, no active probing)

./reconftw.sh -d example.com -p

# Subdomains-only scan

./reconftw.sh -d example.com -s

# Full scan on a list of domains

./reconftw.sh -l domains.txt -r

# Docker-based run

docker run -it --rm \
  -v "$(pwd)/OutputFolder/:/reconftw/Recon/" \
  six2dez/reconftw:main -d example.com -r

Recon-ng

Dual-Use · Python · ★ 5.5k

Metasploit-style web reconnaissance framework with modular architecture.

GitHub: github.com/lanmaster53/recon-ng

⬡ Installation

# Clone and install dependencies

git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip3 install -r REQUIREMENTS

▶ Usage

# Start the framework

./recon-ng

# Search and install a module

[recon-ng][default] > modules search
[recon-ng][default] > marketplace install recon/domains-hosts/bing_domain_web

# Load, configure and run a module

[recon-ng][default] > modules load recon/domains-hosts/bing_domain_web
[recon-ng][default][bing_domain_web] > options set SOURCE example.com
[recon-ng][default][bing_domain_web] > run
[recon-ng][default] > show hosts

# Export results to HTML report

[recon-ng][default] > modules load reporting/html
[recon-ng][default][html] > options set FILENAME /tmp/report.html
[recon-ng][default][html] > run

SpiderFoot

Dual-Use · Python · ★ 13k

OSINT automation platform integrating 200+ data sources with visual graphs.

GitHub: github.com/smicallef/spiderfoot

⬡ Installation

# Clone and install

git clone https://github.com/smicallef/spiderfoot.git
cd spiderfoot
pip3 install -r requirements.txt

▶ Usage

# Start the web interface (recommended)

python3 ./sf.py -l 127.0.0.1:5001
# Navigate to http://127.0.0.1:5001

# CLI — run specific modules

python3 ./sf.py -m sfp_whois,sfp_dns,sfp_shodan -s example.com

# Run all modules against a target

python3 ./sf.py -s example.com

# Save output to CSV

python3 ./sf.py -s example.com -o csv > /tmp/output.csv

Subfinder

Ethical / Defensive · Go · ★ 10k

Fast passive subdomain discovery using 40+ online sources.

GitHub: github.com/projectdiscovery/subfinder

⬡ Installation

# Install via Go

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

▶ Usage

# Find subdomains for a domain

subfinder -d example.com

# Output to a file

subfinder -d example.com -o subdomains.txt

# Use all sources (requires API keys in config)

subfinder -d example.com -all -o subdomains.txt

# Scan multiple domains from a file

subfinder -dL domains.txt -o all_subdomains.txt

# Pipe into httpx to find live hosts

subfinder -d example.com | httpx -silent

Amass

Ethical / Defensive · Go · ★ 12k

OWASP attack surface mapping with passive, active, and brute-force enumeration.

GitHub: github.com/owasp-amass/amass

⬡ Installation

# Install via Go

go install -v github.com/owasp-amass/amass/v4/...@master

▶ Usage

# Passive subdomain enumeration

amass enum -passive -d example.com

# Active subdomain enumeration

amass enum -active -d example.com

# Enumerate with brute force

amass enum -brute -d example.com

# Save results to file

amass enum -passive -d example.com -o amass_output.txt

# Visualize the attack surface (D3 graph)

amass viz -d3 -d example.com -o graph.html

Assetfinder

Ethical / Defensive · Go · ★ 3k

Lightweight Go tool to find related domains and subdomains.

GitHub: github.com/tomnomnom/assetfinder

⬡ Installation

# Install via Go

go install github.com/tomnomnom/assetfinder@latest

▶ Usage

# Find subdomains only

assetfinder --subs-only example.com

# Find all related domains and subdomains

assetfinder example.com

# Pipe results into httprobe

assetfinder --subs-only example.com | httprobe

DNSx

Ethical / Defensive · Go · ★ 2k

Fast multi-purpose DNS toolkit for bulk resolution and record enumeration.

GitHub: github.com/projectdiscovery/dnsx

⬡ Installation

# Install via Go

go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest

▶ Usage

# Resolve a list of subdomains

cat subdomains.txt | dnsx -silent

# Find all A records

echo "example.com" | dnsx -a -resp

# Find all MX records

echo "example.com" | dnsx -mx -resp

# Find CNAME records (useful for subdomain takeover)

cat subdomains.txt | dnsx -cname -resp

# Brute force subdomains using a wordlist

dnsx -d example.com -w /usr/share/wordlists/subdomains.txt

Fierce

Ethical / Defensive · Python · ★ 1.5k

DNS reconnaissance tool for locating non-contiguous IP space and hostnames.

GitHub: github.com/mschwager/fierce

⬡ Installation

# Install via pip

pip3 install fierce

▶ Usage

# Basic DNS reconnaissance

fierce --domain example.com

# Use a custom DNS server

fierce --domain example.com --dns-servers 8.8.8.8

# Attempt a zone transfer

fierce --domain example.com --zone-transfer

Nmap

Dual-Use · C/Lua · ★ 10k

Industry-standard network discovery and security auditing tool.

GitHub: github.com/nmap/nmap

⬡ Installation

# Install via apt

sudo apt-get update && sudo apt-get install nmap -y

▶ Usage

# Stealth SYN scan with OS and version detection

sudo nmap -sS -A -p- target.com

# Scan top 1000 ports with service version detection

nmap -sV -sC target.com

# Run vulnerability scripts against a target

nmap --script vuln target.com

# Scan a subnet (host discovery)

nmap -sn 192.168.1.0/24

# Output to all formats (normal, XML, grepable)

nmap -sS -A target.com -oA scan_results

# Aggressive scan with timing template

nmap -T4 -A -v target.com

Masscan

Dual-Use · C · ★ 25.4k

Internet-scale port scanner — 10 million packets/second from a single machine.

GitHub: github.com/robertdavidgraham/masscan

⬡ Installation

# Build from source

sudo apt-get --assume-yes install git make gcc libpcap-dev
git clone https://github.com/robertdavidgraham/masscan
cd masscan
make -j4
sudo make install

▶ Usage

# Scan a subnet for specific ports

sudo masscan -p80,8000-8100 10.0.0.0/8 --rate=1000

# Scan the entire internet for port 443

sudo masscan 0.0.0.0/0 -p443 --max-rate 100000 -oX scan.xml --excludefile exclude.txt

# Banner grabbing on port 80

sudo masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200

# Save results to XML

sudo masscan -p80,443 10.0.0.0/8 -oX results.xml

Naabu

Dual-Use · Go · ★ 4.5k

Fast and reliable Go-based port scanner by ProjectDiscovery.

GitHub: github.com/projectdiscovery/naabu

⬡ Installation

# Install via Go

go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest

▶ Usage

# Scan top 100 ports

naabu -host example.com

# Scan all ports

naabu -host example.com -p -

# Scan a list of hosts on specific ports

naabu -list hosts.txt -p 80,443,8080,8443

# Pipe subfinder output into naabu

subfinder -d example.com | naabu -p 80,443

Photon

Dual-Use · Python · ★ 12.8k

Incredibly fast OSINT crawler extracting URLs, emails, keys, and subdomains.

GitHub: github.com/s0md3v/Photon

⬡ Installation

# Clone and install

git clone https://github.com/s0md3v/Photon.git
cd Photon
pip3 install -r requirements.txt

▶ Usage

# Crawl a single domain

python3 photon.py -u "http://example.com"

# Export results as JSON

python3 photon.py -u "http://example.com" --export=json

# Use Wayback Machine as seeds

python3 photon.py -u "http://example.com" --wayback

# Set crawl depth and thread count

python3 photon.py -u "http://example.com" --level 3 --threads 10

Hakrawler

Dual-Use · Go · ★ 4k

Fast web crawler for discovering endpoints and assets within web applications.

GitHub: github.com/hakluke/hakrawler

⬡ Installation

# Install via Go

go install github.com/hakluke/hakrawler@latest

▶ Usage

# Basic crawl

echo https://example.com | hakrawler

# Crawl with depth

echo https://example.com | hakrawler -d 3

# Include subdomains in crawl

echo https://example.com | hakrawler -subs

# Output only unique URLs

echo https://example.com | hakrawler -u

Katana

Dual-Use · Go · ★ 12k

Next-generation crawling framework with JavaScript parsing support.

GitHub: github.com/projectdiscovery/katana

⬡ Installation

# Install via Go

go install github.com/projectdiscovery/katana/cmd/katana@latest

▶ Usage

# Crawl a URL

katana -u https://example.com

# Crawl with JavaScript parsing enabled

katana -u https://example.com -js-crawl

# Crawl with a specific depth

katana -u https://example.com -depth 3

# Crawl a list of URLs

katana -list urls.txt -o output.txt

Maigret

Dual-Use · Python · ★ 19.2k

Collect a dossier on a person by username — checks 3,000+ sites, no API keys needed.

GitHub: github.com/soxoj/maigret

⬡ Installation

# Install via pip

pip3 install maigret

▶ Usage

# Basic username search

maigret target_username

# Generate HTML and PDF reports

maigret target_username --html --pdf

# Search on sites tagged as photo and dating

maigret target_username --tags photo,dating

# Search for multiple usernames

maigret user1 user2 user3 -a

# Launch the web interface

maigret --web 5000

# Docker usage

docker run -v /mydir:/app/reports soxoj/maigret:latest target_username --html

Sherlock

Dual-Use · Python · ★ 60k

Hunt down social media accounts by username across 400+ social networks.

GitHub: github.com/sherlock-project/sherlock

⬡ Installation

# Clone and install

git clone https://github.com/sherlock-project/sherlock.git
cd sherlock
python3 -m pip install -r requirements.txt

▶ Usage

# Search for a username

python3 sherlock target_username

# Output to CSV

python3 sherlock target_username --csv

# Output to XLSX

python3 sherlock target_username --xlsx

# Search on specific sites only

python3 sherlock target_username --site twitter --site instagram

# Search for multiple usernames

python3 sherlock user1 user2 user3

Holehe

Dual-Use · Python · ★ 10.5k

Check if an email is attached to accounts on 120+ sites using password-reset flows.

GitHub: github.com/megadose/holehe

⬡ Installation

# Install via pip

pip3 install holehe

▶ Usage

# Check a single email

holehe user@example.com

# Docker usage

docker build . -t my-holehe-image
docker run my-holehe-image holehe user@example.com

h8mail

Dual-Use · Python · ★ 4.9k

Email OSINT and password breach hunting tool with local and API-based search.

GitHub: github.com/khast3x/h8mail

⬡ Installation

# Install via pip

pip3 install h8mail

▶ Usage

# Basic search for an email

h8mail -t user@example.com

# Search using a local cleartext breach file

h8mail -t user@example.com -lb /path/to/breach/file.txt

# Generate a config file for API keys

h8mail --gen-config

# Search using API keys from config

h8mail -t user@example.com -c h8mail_config.ini

# Output results to CSV

h8mail -t user@example.com -o results.csv

PhoneInfoga

Dual-Use · Go · ★ 16.1k

Advanced international phone number scanner — carrier, location, VoIP detection.

GitHub: github.com/sundowndev/phoneinfoga

⬡ Installation

# Download binary for Linux

curl -sSL https://raw.githubusercontent.com/sundowndev/phoneinfoga/master/support/scripts/install | bash
sudo mv ./phoneinfoga /usr/local/bin/phoneinfoga

# Docker

docker pull sundowndev/phoneinfoga:latest

▶ Usage

# Scan a phone number (include country code)

phoneinfoga scan -n "+15554443333"

# Launch the web interface

phoneinfoga serve -p 8080

# Docker usage

docker run -it sundowndev/phoneinfoga:latest scan -n "+15554443333"

Gitleaks

Ethical / Defensive · Go · ★ 25.5k

SAST tool for detecting hardcoded secrets, API keys, and tokens in git repos.

GitHub: github.com/gitleaks/gitleaks

⬡ Installation

# Via Docker

docker pull zricethezav/gitleaks:latest

# Via Homebrew

brew install gitleaks

# From source

git clone https://github.com/gitleaks/gitleaks.git
cd gitleaks
make build

▶ Usage

# Scan a local directory

docker run -v "$(pwd)":/path zricethezav/gitleaks:latest detect --source="/path" -v

# Scan and output a JSON report

gitleaks detect --source="/path/to/repo" --report-path="gitleaks-report.json"

# Scan a remote GitHub repository (clone it first; --source takes a local path)

git clone https://github.com/user/repo
gitleaks detect --source="repo"

# Scan stdin

cat file.txt | gitleaks detect --pipe

TruffleHog

Ethical / Defensive · Go · ★ 17k

Searches git repos for high entropy strings and secrets deep in commit history.

GitHub: github.com/trufflesecurity/trufflehog

⬡ Installation

# Install binary

curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin

▶ Usage

# Scan a GitHub repository

trufflehog git https://github.com/user/repo.git

# Scan a local directory

trufflehog filesystem /path/to/directory

# Scan all repos in a GitHub organization

trufflehog github --org=myorganization

# Scan a Docker image

trufflehog docker --image=ubuntu:latest

# Scan an S3 bucket

trufflehog s3 --bucket=my-bucket

GitDorker

Dual-Use · Python · ★ 2k

Uses GitHub Search API with dork lists to find sensitive information on GitHub.

GitHub: github.com/obheda12/GitDorker

⬡ Installation

# Clone and install

git clone https://github.com/obheda12/GitDorker.git
cd GitDorker
pip3 install -r requirements.txt

▶ Usage

# Search GitHub for sensitive files related to a target

python3 GitDorker.py -tf TOKENSFILE -q example.com -d dorks/BHEH_top_dorks.txt

# Search for specific keywords

python3 GitDorker.py -tf TOKENSFILE -q "example.com password" -d dorks/BHEH_top_dorks.txt

Nuclei

Dual-Use · Go · ★ 22k

Fast template-based vulnerability scanner with 9,000+ community templates.

GitHub: github.com/projectdiscovery/nuclei

⬡ Installation

# Install via Go

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

▶ Usage

# Update templates first (always do this)

nuclei -update-templates

# Scan a single URL

nuclei -u https://example.com

# Scan a list of URLs from a file

nuclei -l urls.txt

# Run only critical and high severity templates

nuclei -u https://example.com -severity critical,high

# Run specific template categories

nuclei -u https://example.com -tags cve,misconfig

# Output results to JSON

nuclei -u https://example.com -json-export results.json

Nikto

Dual-Use · Perl · ★ 8k

Comprehensive web server scanner testing for 6,700+ dangerous files and misconfigs.

GitHub: github.com/sullo/nikto

⬡ Installation

# Clone from GitHub

git clone https://github.com/sullo/nikto.git
cd nikto/program

▶ Usage

# Scan a web server

./nikto.pl -h http://example.com

# Scan with SSL

./nikto.pl -h https://example.com -ssl

# Scan a specific port

./nikto.pl -h example.com -p 8080

# Output to HTML report

./nikto.pl -h http://example.com -o report.html -Format html

# Scan with XSS tuning only

./nikto.pl -h http://example.com -Tuning 4

TheHarvester

Dual-Use · Python · ★ 12k

Gather emails, subdomains, virtual hosts, open ports, and employee names from public sources.

GitHub: github.com/laramies/theHarvester

⬡ Installation

# Clone and install

git clone https://github.com/laramies/theHarvester.git
cd theHarvester
pip3 install -r requirements.txt

▶ Usage

# Search using Google and LinkedIn

python3 theHarvester.py -d example.com -l 500 -b google,linkedin

# Use all available sources

python3 theHarvester.py -d example.com -b all

# Search using Shodan

python3 theHarvester.py -d example.com -b shodan -l 100

# Save results to XML

python3 theHarvester.py -d example.com -b google -f results.xml

OSINT-SPY

Dual-Use · Python · ★ 1.5k

Multi-target OSINT scanner for emails, domains, IPs, and SSL analysis.

GitHub: github.com/SharadKumar97/OSINT-SPY

⬡ Installation

# Clone and install

git clone https://github.com/SharadKumar97/OSINT-SPY.git
cd OSINT-SPY
pip3 install -r requirements.txt

▶ Usage

# Domain reconnaissance

python3 osint-spy.py --domain example.com

# Email reconnaissance

python3 osint-spy.py --email user@example.com

# IP WHOIS lookup

python3 osint-spy.py --ip 8.8.8.8

# Check SSL ciphers

python3 osint-spy.py --ssl_cipher example.com

# Check for Heartbleed vulnerability

python3 osint-spy.py --ssl_bleed example.com

Twint

Dual-Use · Python · ★ 15k

Advanced Twitter scraping without API — scrape tweets, followers, and more.

GitHub: github.com/twintproject/twint

⬡ Installation

# Install via pip

pip3 install twint

▶ Usage

# Scrape all tweets from a user

twint -u username

# Search for tweets containing a keyword

twint -s "keyword"

# Scrape tweets from a user since a specific date

twint -u username --since 2024-01-01

# Search for tweets near a location

twint -s "keyword" --near "New York" --within 10km

# Save output to CSV

twint -u username -o output.csv --csv

Instaloader

Dual-Use · Python · ★ 9k

Download Instagram posts, stories, metadata, and profile information.

GitHub: github.com/instaloader/instaloader

⬡ Installation

# Install via pip

pip3 install instaloader

▶ Usage

# Download all posts from a public profile

instaloader target_username

# Download only stories

instaloader --stories target_username

# Download posts with metadata

instaloader --metadata-json target_username

# Download posts from a hashtag

instaloader "#hashtag"

OnionSearch

Dual-Use · Python · ★ 1k

Scrape URLs across multiple .onion search engines (requires Tor).

GitHub: github.com/megadose/OnionSearch

⬡ Installation

# Clone and install

git clone https://github.com/megadose/OnionSearch.git
cd OnionSearch
pip3 install -r requirements.txt

▶ Usage

# Search for a keyword (requires Tor running)

python3 onionsearch.py "keyword"

# Save results to CSV

python3 onionsearch.py "keyword" --output results.csv

ExifTool

Ethical / Defensive · Perl · ★ 3k

Read, write, and edit metadata in images, videos, audio, and documents.

GitHub: github.com/exiftool/exiftool

⬡ Installation

# Install via apt

sudo apt-get install libimage-exiftool-perl

▶ Usage

# Extract all metadata from an image

exiftool image.jpg

# Extract GPS coordinates

exiftool -gps:all image.jpg

# Extract metadata from all images in a directory

exiftool /path/to/images/

# Remove all metadata from an image

exiftool -all= image.jpg

# Extract metadata and save to text file

exiftool image.jpg > metadata.txt

Metagoofil

Dual-Use · Python · ★ 1k

Extract metadata from public documents (PDF, DOC, XLS, PPT) belonging to a target.

GitHub: github.com/opsdisk/metagoofil

⬡ Installation

# Clone and install

git clone https://github.com/opsdisk/metagoofil.git
cd metagoofil
pip3 install -r requirements.txt

▶ Usage

# Extract metadata from PDF files related to a domain

python3 metagoofil.py -d example.com -t pdf -l 100 -n 25 -o /tmp/results -f results.html

# Extract metadata from DOC files

python3 metagoofil.py -d example.com -t doc -l 50 -n 10 -o /tmp/results -f results.html

Aircrack-ng

Offensive / Red Team · C · ★ 5k

Complete suite of tools to assess WiFi network security — capture, crack, inject.

GitHub: github.com/aircrack-ng/aircrack-ng

⬡ Installation

# Install via apt

sudo apt-get install aircrack-ng

▶ Usage

# Put wireless interface into monitor mode

sudo airmon-ng start wlan0

# Capture packets from all networks

sudo airodump-ng wlan0mon

# Capture packets from a specific network

sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Crack a WPA2 handshake with a wordlist

aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

CloudEnum

Dual-Use · Python · ★ 3k

Multi-cloud OSINT tool for enumerating public resources in AWS, Azure, and GCP.

GitHub: github.com/initstring/cloud_enum

⬡ Installation

# Clone and install

git clone https://github.com/initstring/cloud_enum.git
cd cloud_enum
pip3 install -r requirements.txt

▶ Usage

# Enumerate cloud resources for a keyword

python3 cloud_enum.py -k targetcompany

# Enumerate multiple keywords

python3 cloud_enum.py -k targetcompany -k targetcompany-dev

# Output results to a file

python3 cloud_enum.py -k targetcompany -l /tmp/cloud_results.txt

S3Scanner

Dual-Use · Python · ★ 2.5k

Find open S3 buckets and dump their contents.

GitHub: github.com/sa7mon/S3Scanner

⬡ Installation

# Install via pip

pip3 install s3scanner

▶ Usage

# Scan a single bucket

s3scanner scan --bucket my-bucket-name

# Scan a list of bucket names from a file

s3scanner scan --bucket-file buckets.txt

# Dump the contents of an open bucket

s3scanner dump --bucket my-bucket-name

SQLMap

Offensive / Red Team · Python · ★ 32k

Automated SQL injection detection and exploitation tool.

GitHub: github.com/sqlmapproject/sqlmap

⬡ Installation

# Clone from GitHub

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev

▶ Usage

# Test a URL for SQL injection

python3 sqlmap.py -u "http://example.com/page.php?id=1"

# Enumerate databases

python3 sqlmap.py -u "http://example.com/page.php?id=1" --dbs

# Dump a specific database table

python3 sqlmap.py -u "http://example.com/page.php?id=1" -D dbname -T tablename --dump

# Test a POST request

python3 sqlmap.py -u "http://example.com/login.php" --data="user=admin&pass=test"

XSStrike

Offensive / Red Team · Python · ★ 13k

XSS detection suite with intelligent payload generator and fuzzing engine.

GitHub: github.com/s0md3v/XSStrike

⬡ Installation

# Clone and install

git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike
pip3 install -r requirements.txt

▶ Usage

# Scan a URL for XSS vulnerabilities

python3 xsstrike.py -u "http://example.com/search?q=test"

# Crawl and scan a website

python3 xsstrike.py -u "http://example.com" --crawl

# Blind XSS testing

python3 xsstrike.py -u "http://example.com/search?q=test" --blind

Gobuster

Dual-Use · Go · ★ 10k

Brute-force URIs, DNS subdomains, virtual hosts, and open S3 buckets.

GitHub: github.com/OJ/gobuster

⬡ Installation

# Install via Go

go install github.com/OJ/gobuster/v3@latest

▶ Usage

# Directory brute-forcing

gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt

# DNS subdomain brute-forcing

gobuster dns -d example.com -w /usr/share/wordlists/subdomains.txt

# Virtual host brute-forcing

gobuster vhost -u http://example.com -w /usr/share/wordlists/vhosts.txt

# S3 bucket enumeration

gobuster s3 -w /usr/share/wordlists/buckets.txt

Ffuf

Dual-Use · Go · ★ 13k

Fuzz Faster U Fool — fast web fuzzer for directories, parameters, and headers.

GitHub: github.com/ffuf/ffuf

⬡ Installation

# Install via Go

go install github.com/ffuf/ffuf/v2@latest

▶ Usage

# Fuzz a URL for directories

ffuf -u http://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# Fuzz with a filter on response size

ffuf -u http://example.com/FUZZ -w wordlist.txt -fs 4242

# Fuzz POST data

ffuf -u http://example.com/login -X POST -d "username=FUZZ&password=test" -w usernames.txt

# Fuzz HTTP headers

ffuf -u http://example.com/ -H "X-Forwarded-For: FUZZ" -w ips.txt
