HackerGPT provides a comprehensive suite of scanning and reconnaissance tools designed for cybersecurity professionals and OSINT enthusiasts. These tools help you discover network services, map infrastructure, and gather intelligence about target domains.
Scanning Tools
Use these tools to discover open ports, running services, and detect potential vulnerabilities on target hosts.
Network Scanning (nmap_scan)
Advanced network mapping and vulnerability discovery tool with multiple scan types:
- Service Discovery: Identify running services on target hosts
- SYN Scan (-sS): Fast, stealthy half-open scan
- TCP Scan (-sT): Full TCP connection scan
- UDP Scan (-sU): Discover UDP services
- Comprehensive Scan (-A): OS detection, version detection, script scanning, and traceroute
Example Prompts:
- Perform a service discovery scan on juice-shop.hackergpt.app
- Run a SYN scan on example.com
- Perform OS and version detection on testphp.vulnweb.com
- Do a comprehensive scan on my target domain
Web Fingerprinting (web_fingerprint)
Fingerprint web applications to discover server type, version, and other software information. This is recommended as a first step for service discovery.
- Identifies the server and software running on it
- Helps with identifying potential vulnerabilities
- Detects web frameworks and technologies in use
Example Prompts:
- Check juice-shop.hackergpt.app
- Fingerprint the web application at example.com
- What technologies is hackergpt.app running?
SSL/TLS Scanning (sslscan)
Analyze a server's SSL/TLS configuration to identify weaknesses in the protocol versions, cipher suites, and certificates it offers.
- Identifies supported TLS/SSL protocol versions
- Lists available cipher suites
- Checks for vulnerabilities like Heartbleed
- Evaluates certificate information
Example Prompts:
- Perform SSL Scan on juice-shop.hackergpt.app
- Check SSL configuration for example.com
- Is example.com vulnerable to heartbleed?
Reconnaissance Tools
Gather intelligence about target domains, discover hidden infrastructure, and map out potential attack surfaces.
Subdomain Discovery (subfinder)
Advanced subdomain enumeration to discover hidden or forgotten infrastructure.
- Discovers subdomains using multiple sources
- Identifies potential attack surfaces
- Uncovers forgotten or misconfigured services
Example Prompts:
- Find subdomains for wikipedia.org
- Enumerate subdomains of example.com
- What subdomains exist for target.com?
WHOIS Lookup (whois)
Retrieves domain registration records to extract ownership and registration details.
- Extracts registration details and dates
- Reveals ownership information
- Identifies potential contact points
- Shows domain expiration dates
Example Prompts:
- Find domain registration details for hackergpt.app
- WHOIS lookup for example.com
- Who owns the domain target.com?
Geo IP Location (get_ip_geolocation)
Geographical infrastructure mapping to understand where target systems are located.
- Provides city, region, and country information
- Returns latitude and longitude coordinates
- Offers geopolitical context for the target infrastructure
Example Prompts:
- Find geo location of hackergpt.app
- Where is the server for example.com located?
- Get IP geolocation for 8.8.8.8
Domain to IP Resolution (get_domain_ip)
Map domain names to their IP addresses for further analysis.
Example Prompts:
- What is the IP address of example.com?
- Resolve hackergpt.app to its IP
Combining Tools for Better Results
HackerGPT can chain multiple tools together to provide comprehensive analysis. Here are some powerful combinations:
Full Reconnaissance Workflow
- Perform a service discovery scan and find associated CVEs on testphp.vulnweb.com
Infrastructure Mapping
- Find subdomains for target.com and check their SSL configurations
Vulnerability Discovery Chain
- Perform a service discovery scan and find associated CVEs on juice-shop.hackergpt.app
After vulnerabilities are found, you can prompt:
- Find exploit script for CVE-XXXX-XXXXX
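The "service discovery, then associated CVEs" chain above works because nmap's version detection attaches CPE names to the services it identifies, and CPE is the key that vulnerability databases such as NVD index CVEs by. The following is an added example, not HackerGPT's own code, that parses an nmap XML report (-oX) into per-service records with their CPEs and separates out open services that came back without one, since those cannot be matched automatically and need manual follow-up; the report is a constructed sample, not a real scan result.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed sample in nmap's -oX format (not output from a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1">
          <cpe>cpe:/a:openbsd:openssh:8.2p1</cpe></service></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.49">
          <cpe>cpe:/a:apache:http_server:2.4.49</cpe></service></port>
      <port protocol="tcp" portid="443"><state state="filtered"/>
        <service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>"""

# One record per open port; cpes holds the CPE names nmap attached to the
# service, which are what a CVE lookup against NVD is keyed on.
ServiceRecord = namedtuple("ServiceRecord", "host port proto name product version cpes")

def parse_nmap_services(xml_text):
    """Return a ServiceRecord for every open port in an nmap XML report."""
    records = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service to match
            svc = port.find("service")
            svc = svc if svc is not None else ET.Element("service")
            records.append(ServiceRecord(
                addr, int(port.get("portid")), port.get("protocol", "tcp"),
                svc.get("name", ""), svc.get("product", ""), svc.get("version", ""),
                tuple(c.text for c in svc.findall("cpe") if c.text)))
    return records

def unmatched_services(records):
    """Open services with no CPE: version detection did not identify them,
    so automated CVE correlation is impossible and they need manual review."""
    return [r for r in records if not r.cpes]
```

Running `parse_nmap_services(SAMPLE_NMAP_XML)` on the sample yields three open services, of which only port 8080 lands in `unmatched_services`.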
Best Practices
- Start with web fingerprinting: Always begin reconnaissance by fingerprinting the target to understand what you're dealing with.
- Use appropriate scan types: SYN scans (-sS) are faster and stealthier; full TCP connect scans (-sT) are more reliable but slower.
- Combine tools: Chain multiple tools together for comprehensive results.
- Only scan authorized targets: Always ensure you have permission before scanning any system.
Quick Reference
| Tool | Purpose | Example |
|---|---|---|
| nmap_scan | Network/port scanning | Perform a service discovery scan on target.com |
| web_fingerprint | Web app identification | Check target.com |
| sslscan | SSL/TLS analysis | Perform SSL Scan on target.com |
| subfinder | Subdomain discovery | Find subdomains for target.com |
| whois | Domain registration info | Find domain registration details for target.com |
| get_ip_geolocation | IP location mapping | Find geo location of target.com |
| get_domain_ip | Domain to IP resolution | What is the IP of target.com? |