Passive Recon
-
host
command-line DNS lookup: resolves a name to its A/AAAA/MX/NS records (or an IP back to a name)
-
more comprehensive
-
httrack
mirrors a website (HTML, scripts, images, everything the browser would fetch) so the copy can be browsed and grepped offline. Only client-side content is copied, not server-side source. NICE👍
-
dnsrecon
for DNS enumeration and lookups: standard records, zone transfer attempts, reverse lookups and subdomain brute force
-
dnsdumpster
web-based, more comprehensive: maps DNS records, subdomains and hosting data from passive sources, no packets sent to the target
-
wafw00f
WAF fingerprinting tool
To do its magic, WAFW00F does the following:
- Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions.
- If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is.
- If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess whether a WAF or security solution is actively responding to our attacks.
Note that stages 2 and 3 are no longer passive: the probes look like attacks and will show up in the target's logs.
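The three stages above as working code. This is an added example written for these notes, not wafw00f's own code: the signature table, the probe strings and the simulated servers are constructed assumptions (the Cloudflare `Server`/`CF-RAY` headers are real, the `X-WAF` header is hypothetical), and `send` stands in for whatever HTTP client you use.

```python
"""Three-stage WAF fingerprinting modelled on the wafw00f approach.

Constructed example: SIGNATURES is a toy table, not wafw00f's database,
and the *_server functions below simulate targets instead of doing HTTP.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Hypothetical signature table: (vendor, header name, regex on header value).
# Cloudflare's Server/CF-RAY headers are real; "X-WAF" is made up for the demo.
SIGNATURES = [
    ("Cloudflare", "server", re.compile(r"cloudflare", re.I)),
    ("Cloudflare", "cf-ray", re.compile(r".+")),
    ("Imperva Incapsula", "x-cdn", re.compile(r"incapsula", re.I)),
    ("Example WAF (hypothetical)", "x-waf", re.compile(r"blocked", re.I)),
]

# Stage-2 probes: harmless to a healthy app, but typical WAF rules fire on them.
PROBES = [
    "/?q=<script>alert(1)</script>",
    "/?file=../../../../etc/passwd",
    "/?id=1' OR '1'='1",
]

# Status codes a WAF commonly answers with when it blocks a request.
BLOCK_STATUSES = {403, 406, 419, 429, 503}


def match_signatures(resp):
    """Return the vendor name whose header signature matches, else None."""
    low = {k.lower(): v for k, v in resp.headers.items()}
    for name, header, pattern in SIGNATURES:
        if header in low and pattern.search(low[header]):
            return name
    return None


def fingerprint_waf(send):
    """send(path) -> Response.  Returns (verdict, stage that decided it)."""
    # Stage 1: one normal request; vendor headers often leak on every response.
    normal = send("/")
    name = match_signatures(normal)
    if name:
        return name, 1

    # Stage 2: attack-looking requests; some WAFs only identify themselves
    # on the block page.
    probe_responses = [send(p) for p in PROBES]
    for resp in probe_responses:
        name = match_signatures(resp)
        if name:
            return name, 2

    # Stage 3: no signature matched, so fall back to behaviour: a normal
    # request succeeds while most probes are rejected => something is filtering.
    blocked = [r for r in probe_responses if r.status in BLOCK_STATUSES]
    if normal.status < 400 and len(blocked) >= 2:
        return "Generic WAF/security solution", 3
    return None, 0


def _is_attack(path):
    return "<script>" in path or "etc/passwd" in path or "OR '1'" in path


# Simulated targets (constructed), one per stage plus a clean control.
def cloudflare_like_server(path):
    return Response(200, {"Server": "cloudflare", "CF-RAY": "7c1-FRA"}, "ok")


def silent_vendor_server(path):
    if _is_attack(path):
        return Response(403, {"X-WAF": "Request blocked"}, "Blocked")
    return Response(200, {"Server": "nginx"}, "ok")


def generic_waf_server(path):
    if _is_attack(path):
        return Response(403, {"Server": "nginx"}, "Forbidden")
    return Response(200, {"Server": "nginx"}, "ok")


def no_waf_server(path):
    return Response(200, {"Server": "Apache"}, "ok")


if __name__ == "__main__":
    for srv in (cloudflare_like_server, silent_vendor_server,
                generic_waf_server, no_waf_server):
        print(srv.__name__, fingerprint_waf(srv))
```

The stage number in the result tells you how noisy the identification was: a stage-1 hit needed only one benign request, while stages 2 and 3 sent attack-shaped traffic that the target will have logged.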
-
sublist3r
passive subdomain enumeration (search engines, certificate and DNS data sources); can also brute-force subdomains, which is active
-
theHarvester
https://github.com/laramies/theHarvester
for enumerating emails, names, hosts and subdomains from public sources
-
big database for exploits and google dorks
-
Google dorks
search-engine queries for subdomain enumeration and for finding exposed sensitive pages and files
examples:
site: restrict results to a domain (site:example.com -www lists other subdomains)
intitle: match the page title (login panels, directory listings)
inurl: match the URL (admin paths, parameters)
filetype: match the file type (pdf, xlsx, config files left on the web server)
-
Password Databases
https://haveibeenpwned.com/
enter any email to check whether it has been compromised and in which breach. HIBP itself only tells you the breach name; the dump for that breach may circulate with passwords, so a breached email can come with a working password for it. NICE😘
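Added example for these notes, not code from HIBP. The per-email breach lookup needs a paid API key, so this shows the other half of the service, the Pwned Passwords range endpoint, which can be queried anonymously: only the first five hex characters of the password's SHA-1 are sent, and the server returns every matching hash suffix with its breach count (k-anonymity). The range response is constructed inline so the block runs offline; `live_fetch_range` is included for real use but not called.

```python
"""Pwned Passwords k-anonymity check (https://api.pwnedpasswords.com/range/).

Real protocol: GET /range/<first 5 hex chars of SHA-1(password)>; the body is
one "<remaining 35 hex chars>:<count>" line per known hash in that range.
The FAKE_RANGE data below is constructed for offline use.
"""
import hashlib


def split_hash(password):
    """Return (prefix sent to HIBP, suffix kept locally) of the SHA-1 hex digest."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How many times the password appears in HIBP; 0 means not found.

    fetch_range(prefix) -> response body; the password never leaves this function.
    """
    prefix, suffix = split_hash(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# Constructed stand-in for the network call: the range for "password"
# (SHA-1 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) with a made-up count.
FAKE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             + "0" * 35 + ":2\n",
}


def fake_fetch_range(prefix):
    return FAKE_RANGE.get(prefix, "")


def live_fetch_range(prefix):
    """Real lookup (needs network); HIBP asks for a descriptive User-Agent."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "recon-notes-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as r:
        return r.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fake_fetch_range))
```

Swap `fake_fetch_range` for `live_fetch_range` to query the real service; because only the 5-character prefix is transmitted, the check reveals nothing useful about the password to HIBP or to anyone watching the traffic.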