To avoid getting rate limited when doing your OSINT and scraping operations, use MangoProxy.
MangoProxy provides residential, ISP, datacenter, and mobile proxies in 200+ countries. Trusted by businesses worldwide for stable connections, fast response times, and scalable proxy infrastructure.
You can use the promo code VILI to get 8% off Static ISP proxies.
See the Running with proxies section to see how to setup your proxies.
A modular, terminal-based toolkit for OSINT, reconnaissance, and scraping - built in Python, runs on Linux and Windows.
Submit feature requests and bug reports in the issues tab.
| # | Tool | Description |
|---|---|---|
| 01 | Ig Scrape | Two-track Instagram OSINT scraper. Guest mode (no login) uses the ensta Guest API for public profile data and recent posts. Authenticated mode (Instagram sessionid cookie) queries Instagram's private mobile API directly for richer data - business flags, IGTV count, WhatsApp link status, and publicly listed contact details. Session IDs can optionally be saved in $HOME/.config/h4x-tools/config.json so they do not need to be re-entered every run. Both tracks run Instagram's account-recovery lookup to surface obfuscated email and phone. Results can be exported to scraped_data/ as TXT, CSV, or JSON. |
| 02 | Web Reconnaissance | Multi-mode OSINT search powered by the ddgs library. Choose from 7 modes: General (free-form), Person (12 dorks), Email (8 dorks), Domain (12 recon dorks), Username (12 platform dorks), Phone Number (8 dorks), or Custom Dork (write your own template). Configurable result count, retry/back-off on rate limits. Results can be exported to scraped_data/ as TXT, CSV, or JSON. |
| 03 | Phone Lookup | Validates and analyses a phone number via the phonenumbers library (E.164/national/international formats, country, region, carrier, line type, time zones), then runs ignorant to check social-media platform registrations. |
| 04 | IP Lookup | Resolves a hostname or IP address and queries ipinfo.io for geolocation data - city, region, country, coordinates, ISP/organization, postal code, and timezone - with a direct OpenStreetMap link. |
| 05 | Username Search | Checks a username across thousands of websites using Maigret's maintained site database and detection engines. Configure site count, timeout, parallel connections, retries, and detailed errors before scanning. Results can optionally be exported to scraped_data/maigret/ as TXT, CSV, or JSON. |
| 06 | Email Search | Checks an email address against 100+ websites and services using holehe to identify where the address is registered. |
| 07 | Leak Search | Multi-source breach and credential intelligence for an email address, domain, or username. Queries Hudson Rock Cavalier for stealer-log records (date of compromise, stealer family, infected machine details, masked credential samples, corporate/user service counts) and, for email targets, cross-references the ProxyNova COMB dataset (3.2B+ leaked credential lines) for a total hit count. Configurable inline entry limit; results can be exported to scraped_data/ as TXT, CSV, or JSON. |
| 08 | Port Scanner | Concurrently scans a user-defined TCP port range (1–N) on any IP or hostname using a 50-thread pool. Open ports are reported in real time. |
| 09 | WhoIs Lookup | Performs a WHOIS query on a domain using the whoisdomain library and displays registrar, registration/expiry dates, name servers, status, and registrant details. |
| 10 | Fake Info Generator | Generates a complete fake identity using Faker - name, job, company, email, phone, address, credit card, IBAN, and location. |
| 11 | Web Scrape | Asynchronously harvests all hyperlinks from a target URL. Optionally crawls every discovered page recursively. Results can be exported to scraped_data/ as TXT, CSV, or JSON. |
| 12 | Wi-Fi Finder | Scans for nearby Wi-Fi networks. Uses netsh on Windows and nmcli on Linux, reporting SSID, signal strength, and security type. The currently connected network is highlighted. |
| 13 | Wi-Fi Vault | Dumps saved Wi-Fi passwords stored on the local machine - netsh on Windows, nmcli on Linux. |
| 14 | Dir Buster | Asynchronously bruteforces directory and file paths on a target website using a built-in wordlist, printing every URL that returns HTTP 200. |
| 15 | Bluetooth Scanner | Scans for nearby Bluetooth devices via bluetoothctl (Linux) and reports device names and MAC addresses. (Windows support coming soon.) |
| 16 | Local Users | Enumerates all local user accounts on the system. On Linux: username, UID, GID, full name, home directory, shell, and group. On Windows: username, terminal, host, session start time, PID, SID, and domain. |
Important
Requires Python 3.10+ and Git. See the wiki for a step-by-step guide.
git clone https://github.com/vil/h4x-tools.git
cd h4x-tools
sh setup.shgit clone https://github.com/vil/h4x-tools.git
cd h4x-tools
setup.batThe setup scripts install all dependencies and optionally build a standalone executable via PyInstaller. You can also run the toolkit directly with:
python h4xtools.pyDependencies can be installed manually with:
pip install -r requirements.txtRun python h4xtools.py --help to list all direct-run options. If no tool flag is provided, H4X-Tools opens the interactive menu.
Examples:
python h4xtools.py --igscrape some_username --verbose
python h4xtools.py --username some_handle --debug
python h4xtools.py --ip example.com --whois example.com
python h4xtools.py --port-scanner 192.168.1.10 --port-range 1000Tool flags can usually be passed without a value to prompt only for the missing target:
python h4xtools.py --igscrape --verboseLaunch with -v / --verbose for verbose output or --debug for debug output:
python h4xtools.py --verbose
python h4xtools.py --debugIf you are encountering rate limits or wish to mask your traffic, you can route H4X-Tools through proxies using ProxyChains. This tool intercepts the network traffic generated by H4X-Tools and forces it through your specified proxy list.
sudo apt update
sudo apt install proxychains4 -ysudo pacman -S proxychains-ngsudo dnf install proxychains-ngBecause ProxyChains relies on UNIX-specific hooks (LD_PRELOAD), it does not run natively on standard Windows command lines. You have two primary methods to use it on Windows:
- Option A: Inside WSL (Recommended) If you run H4X-Tools inside the Windows Subsystem for Linux, simply follow the Ubuntu installation steps above within your WSL terminal.
- Option B: Native Windows Port You can install a community-maintained Windows port via Scoop:
scoop install proxychainsBefore running the tool, you need to tell ProxyChains which proxies to use.
- Open the configuration file in a text editor.
- Linux / WSL:
/etc/proxychains4.conf(Requiressudo) or create a local copy at~/.proxychains/proxychains.conf. - Windows (Scoop): Located in your scoop application directory (typically
~/scoop/apps/proxychains/current/proxychains.conf).
- Scroll to the bottom of the file to the
[ProxyList]section and add your proxies. For example:
[ProxyList]
# Protocol Host/IP Port Username Password
# Examples:
socks5 127.0.0.1 9050 # Local Tor service
http 192.168.1.50 8080 # Public or private HTTP proxy
Tip
You can toggle between strict_chain (uses proxies in exact order), dynamic_chain (skips dead proxies), or random_chain in the configuration file depending on your proxy list reliability.
Once configured, simply prefix your standard startup command with proxychains4 (or proxychains on Windows):
proxychains4 python h4xtools.pyproxychains python h4xtools.pyContributions are welcome! If you have Python knowledge and want to add a tool or improve an existing one:
- Fork the repository.
- Create a branch:
git checkout -b feature/my-tool - Write your code and tests.
- Open a pull request describing what you added or changed.
Please keep the style consistent with the existing utilities (use helper/printer.py for output, @timer.timer for the entry point, etc.).
Pre-compiled binaries are not provided. Downloading pre-built executables from untrusted sources is unsafe - always build from source yourself.
This source code is licensed under the GNU General Public License v3.0.
This toolkit is intended for educational and authorised security research purposes only. Do not use it against systems or accounts you do not own or have explicit permission to test.