#1 Web Attack Cheat Sheet

Choose a wildcard scope and enumerate subdomains using: subfinder + amass + assetfinder + knockpy

  1. Now run httpx and pick interesting subdomains only, especially .php, .aspx, .html and .asp hosts and old-looking websites

  2. Now fuzz interesting subs with ffuf

  3. Sometimes you will find hidden registration endpoints and sensitive information disclosures after fuzzing

  4. Put more focus on subdomains where you can create an account, and hunt for manual bugs like HTMLi, XSS, CSRF and IDOR

----------------------------------------------------------------------------------------

PLATFORMS

https://github.com/arkadiyt/bounty-targets-data # This repo contains data dumps of Hackerone and Bugcrowd scopes (i.e. the domains that are eligible for bug bounty reports).

----------------------------------------------------------------------------------------

VULN WEBSITES

----------------------------------------------------------------------------------------

CTF

----------------------------------------------------------------------------------------

Table of Contents

Discovering

  • Targets

  • IP Enumeration

  • Subdomain Enumeration

  • Wayback Machine

  • Google Dorks

  • Github Dorks

  • Content Security Policy (CSP)

  • Web Cache Poisoning

  • Crawling

  • Wordlists

  • Directory Bruteforcing

  • Parameter Bruteforcing

  • DNS and HTTP detection

  • Acquisitions/Names/Addresses/Contacts/Emails/etc.

  • HTML/JavaScript Comments

  • Tiny URLs Services

  • GraphQL

  • General

Enumerating

  • Fingerprint

  • Buckets

  • Cloud Enumeration

  • Containerization

  • Visual Identification

Scanning

  • Static Application Security Testing

  • Dependency Confusion

  • Send Emails

  • Search Vulnerabilities

  • Web Scanning

Monitoring

  • CVE

  • Nuclei Automation

  • Notify: Discord

-----------------------------------------------------------------------------------------------------

1. Discovering

1.1 IP Enumeration

http://www.asnlookup.com # This tool leverages ASN to look up IP addresses (IPv4 & IPv6) owned by a specific organization for reconnaissance purposes.

https://github.com/pielco11/fav-up # Looks up the real IP of a host starting from its favicon icon, using Shodan.

python3 favUp.py --favicon-file favicon.ico -sc

https://stackoverflow.com/questions/16986879/bash-script-to-list-all-ips-in-prefix # List all IP addresses in a given CIDR block

nmap -sL -n 10.10.64.0/27 | awk '/Nmap scan report/{print $NF}'
nmap -sV -sC website.com

Fast simple scan
$ nmap 10.11.1.111

Nmap ultra fast
$ nmap 10.11.1.111 --max-retries 1 --min-rate 1000

Get open ports
$ nmap -p - -Pn -n 10.10.10.10

Comprehensive fast and accurate
$ nmap --top-ports 200 -sV -n --max-retries 2 -Pn --open -iL ips.txt -oA portscan_active

Get service versions (-sV) for specific ports
$ nmap -pXX,XX,XX,XX,XX -Pn -sV -n 10.10.10.10

Full complete slow scan with output
$ nmap -v -A -p- -Pn --script vuln -oA full 10.11.1.111

Network filtering evasion
$ nmap --source-port 53 -p 5555 10.11.1.111
    # If this works, add an iptables rule so traffic to the host is sent from source port 53
    iptables -t nat -A POSTROUTING -d 10.11.1.111 -p tcp -j SNAT --to :53

Scan for UDP
$ nmap 10.11.1.111 -sU
$ nmap -sU -F -Pn -v -d -sC -sV --open --reason -T5 10.11.1.111

FW evasion
$ nmap -f <IP>
$ nmap --mtu 24 <IP>
$ nmap --data-length 30 <IP>
$ nmap --source-port 53 <IP>

Nmap better speed flags
--max-rtt-timeout: maximum time to wait for a probe response
--script-timeout: maximum time allowed per NSE script
--host-timeout: give up on a host after this much time
--open: report only open (or possibly open) ports, not filtered or closed ones
--min-rate: send probes no slower than this many per second

-----------------------------------------------------------------------------------------------------

1.2 Technologies

Browser:

  • wappalyzer - Identify technology on websites.

  • webanalyze - Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning.

  • retire.js - scanner detecting the use of JavaScript libraries with known vulnerabilities

Automated:

https://github.com/projectdiscovery/httpx # httpx is a fast and multi-purpose HTTP toolkit that runs multiple probers using the retryablehttp library; it is designed to maintain result reliability with increased threads.

./httpx -l /home/kali/Desktop/rockstarnorth.txt -probe -status-code -tech-detect -title

IP Ranges:

https://kaeferjaeger.gay/?dir=cdn-ranges/ # Lists of IP ranges used by CDNs (Cloudflare, Akamai, Incapsula, Fastly, etc). Updated every 30 minutes.

https://kaeferjaeger.gay/?dir=ip-ranges/ # Lists of IP ranges from: Google (Cloud & GoogleBot), Bing (Bingbot), Amazon (AWS), Microsoft (Azure), Oracle (Cloud) and DigitalOcean. Updated every 6 hours.

https://netlas.io/ # Internet intelligence apps that provide accurate information on IP addresses, domain names, websites, web applications, IoT devices, and other online assets.

https://github.com/zidansec/CloudPeler # This tool can help you see the real IP behind Cloudflare-protected websites.

-----------------------------------------------------------------------------------------------------

1.3 Subdomain Enumeration

bevigil: https://bevigil.com/
binaryedge: https://www.binaryedge.io/
bufferover: https://buffer.com/developers/api
builtwith: https://pro.builtwith.com/
c99: https://subdomainfinder.c99.nl/
censys: https://censys.com/
# Censys is the most reputable, exhaustive, and up-to-date source of Internet scan data in the world, so you see everything.
certspotter: https://sslmate.com/certspotter/
chaos: https://www.chaossearch.io/
chinaz: https://www.chinaz.com/
dnsdb: https://www.domaintools.com/products/farsight-dnsdb/
dnsrepo: https://dnsrepo.noc.org/
facebook: https://developers.facebook.com/docs/
fofa: https://en.fofa.info/
# FOFA (Cyberspace Assets Retrieval System) is the world's IT equipment search engine with more complete data coverage, and it has more complete DNA information of global networked IT equipment.
fullhunt: https://fullhunt.io/
# If you don't know all your internet-facing assets, which ones are vulnerable, FullHunt is here for you.
github: https://docs.github.com/en/rest
hunter: https://hunter.io/search
intelx: https://intelx.io/tools
leakix: https://leakix.net/
netlas: https://netlas.io/
passivetotal: https://community.riskiq.com/
quake: 
redhuntlabs: https://redhuntlabs.com/
robtex: https://www.robtex.com/
securitytrails: https://securitytrails.com/
shodan: https://www.shodan.io/
# Shodan is the world's first search engine for Internet-connected devices.
threatbook: https://threatbook.io/
virustotal: https://www.virustotal.com/gui/
whoisxmlapi: https://www.whoisxmlapi.com/
zoomeyeapi: www.zoomeye.org
# ZoomEye is China's first and a world-renowned cyberspace search engine, driven by the 404 Laboratory of Knownsec. Through a large number of global surveying and mapping nodes, and based on the global IPv4, IPv6 address and website domain name databases, it continuously scans and identifies multiple service ports and protocols 24 hours a day, and finally maps the whole or part of cyberspace.

https://web.archive.org/web/20211127183642/https://appsecco.com/books/subdomain-enumeration/ # This book intends to be a reference for subdomain enumeration techniques.

https://github.com/knownsec/ksubdomain # ksubdomain is a stateless subdomain brute-forcing tool that runs on Windows/Linux/Mac. It performs DNS brute-forcing very quickly: the theoretical maximum packet rate is 30w/s (300,000/s) on Mac and Windows and 160w/s (1,600,000/s) on Linux.

ksubdomain -d example.com

https://github.com/OWASP/Amass # The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

amass enum -passive -dir /tmp/amass_output/ -d example.com -o dir/example.com

https://github.com/projectdiscovery/subfinder # subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.

subfinder -r 8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1 -t 10 -v -d example.com -o dir/example.com

https://github.com/projectdiscovery/httpx # httpx is a fast and multi-purpose HTTP toolkit that runs multiple probers using the retryablehttp library; it is designed to maintain result reliability with increased threads.

cat hosts.txt | httpx

-status-code
-title
-tech-detect
-m, --method GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD
-h, --headers <NAME VALUE> ...  Include additional HTTP headers in the request.
--cookies <NAME VALUE> ...      Cookies to include in the request.

$ httpx -status-code -title -tech-detect -f -list ampol-subs.txt

https://github.com/projectdiscovery/uncover # uncover is a go wrapper using APIs of well known search engines to quickly discover exposed hosts on the internet.

https://github.com/nsonaniya2010/SubDomainizer # SubDomainizer is a tool designed to find hidden subdomains and secrets present in either the webpage, GitHub, or the external JavaScript files referenced by the given URL.

python3 SubDomainizer.py -u example.com -o dir/example.com

https://cramppet.github.io/regulator/index.html # Regulator: A unique method of subdomain enumeration

https://github.com/xiecat/fofax # fofax is a fofa query tool written in go, positioned as a command-line tool and characterized by simplicity and speed.

fofax -q 'app="APACHE-Solr"'

-------------------------------------------------------------------------------------------------

1.4 Crawling

https://github.com/Nekmo/dirhunt # Dirhunt is a web crawler optimized for searching and analyzing directories.

dirhunt https://rampf-group.com

https://github.com/jaeles-project/gospider # Fast web spider written in Go.

gospider -s "https://example.com/" -o output -c 20 -d 10

https://github.com/hakluke/hakrawler # Fast golang web crawler for gathering URLs and JavaScript file locations. This is basically a simple implementation of the awesome Gocolly library.

echo https://example.com | hakrawler

https://github.com/projectdiscovery/katana # A next-generation crawling and spidering framework.

katana -u https://example.com

https://geotargetly.com/geo-browse # Geo Browse is a tool designed to capture screenshots of your website from different countries.

https://commoncrawl.org/ # We build and maintain an open repository of web crawl data that can be accessed and analyzed by anyone.

https://github.com/bitquark/shortscan # Shortscan is designed to quickly determine which files with short filenames exist on an IIS webserver. Once a short filename has been identified the tool will try to automatically identify the full filename.

shortscan https://example.com/

-----------------------------------------------------------------------------------------------------

1.5 Wayback Machine

https://github.com/tomnomnom/waybackurls # Accept line-delimited domains on stdin, fetch known URLs from the Wayback Machine for *.domain and output them on stdout.

cat domains.txt | waybackurls > urls
cat subdomains.txt | waybackurls > waybackurls.txt

https://github.com/tomnomnom/hacks # Hacky one-off scripts, tests etc.

cat waybackurls.txt | go run /root/Tools/hacks/anti-burl/main.go | tee waybackurls_valid.txt

https://github.com/lc/gau # getallurls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.

cat domains.txt | gau --threads 5

-----------------------------------------------------------------------------------------------------

1.6 Google Dorks

https://www.exploit-db.com/google-hacking-database # Google Hacking Database

https://taksec.github.io/google-dorks-bug-bounty # Google Dorks for Bug Bounty

https://dorkgpt.com/ # AI search for Google Dorks

Search on AWS

site:amazonaws.com company

https://github.com/opsdisk/pagodo # The goal of this project was to develop a passive Google dork script to collect potentially vulnerable web pages and applications on the Internet.

python3 pagodo.py -d example.com -g dorks.txt -l 50 -s -e 35.0 -j 1.1

-----------------------------------------------------------------------------------------------------

1.7 Github Dorks

https://github.com/obheda12/GitDorker # GitDorker

Git Repositories Scanning

https://github.com/zricethezav/gitleaks # Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos.

https://github.com/michenriksen/gitrob # Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.

https://github.com/dxa4481/truffleHog # Searches through git repositories for secrets, digging deep into commit history and branches.

https://github.com/awslabs/git-secrets # Prevents you from committing passwords and other sensitive information to a git repository.

https://github.com/eth0izzle/shhgit # shhgit helps secure forward-thinking development, operations, and security teams by finding secrets across their code before it leads to a security breach.

https://pinatahub.incognita.tech/ # PinataHub allows you to explore a fraction of the 4M+ passwords and secrets committed in public GitHub repositories, detected by GoldDigger.

https://github.com/adamtlangley/gitscraper # A tool which scrapes public github repositories for common naming conventions in variables, folders and files.

php gitscraper.php {GitHub Username} {GitHub Personal KEY}

https://www.gitguardian.com/ # Secure your software development lifecycle with enterprise-grade secrets detection. Eliminate blind spots with our automated, battle-tested detection engine.

https://docs.gitguardian.com/secrets-detection/detectors/supported_credentials # Here is an exhaustive list of the detectors supported by GitGuardian.

-----------------------------------------------------------------------------------------------------

2. Word-lists

CUSTOM

https://portswigger.net/bappstore/21df56baa03d499c8439018fe075d3d7 # Scrapes all unique words and numbers for use with password cracking.

https://github.com/ameenmaali/wordlistgen # wordlistgen is a tool to pass a list of URLs and get back a list of relevant words for your wordlists.

cat hosts.txt | wordlistgen

INFO

https://github.com/danielmiessler/RobotsDisallowed/tree/master # The RobotsDisallowed project is a harvest of the robots.txt disallowed directories of the world's top websites---specifically those of the Alexa 100K and the Majestic 100K.

https://github.com/AlbusSec/Penetration-List/blob/main/01_Information_Disclosure_Vulnerability_Material/Dorks-list/Github-Dork-list.txt # Google Dorks

https://github.com/DhineshAngamuthu/Google-Dorks/blob/main/wordlist.txt

PARAMETERS

https://github.com/s0md3v/Arjun/blob/master/arjun/db/large.txt
https://github.com/s0md3v/Arjun/blob/master/arjun/db/medium.txt
https://github.com/s0md3v/Arjun/blob/master/arjun/db/small.txt
https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-lowercase-all.txt
https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-mixedcase-all.txt

SUBDOMAINS

https://github.com/danielmiessler/SecLists # SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

https://github.com/swisskyrepo/PayloadsAllTheThings # A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques.

https://github.com/fuzzdb-project/fuzzdb # FuzzDB was created to increase the likelihood of finding application security vulnerabilities through dynamic application security testing.

https://github.com/google/fuzzing # This project aims at hosting tutorials, examples, discussions, research proposals, and other resources related to fuzzing.

https://wordlists.assetnote.io # This website provides you with wordlists that are up to date and effective against the most popular technologies on the internet.

https://github.com/trickest/wordlists # Real-world infosec wordlists, updated regularly.

-----------------------------------------------------------------------------------------------------

3. Links

https://jsfiddle.net # Test your JavaScript, CSS, HTML or CoffeeScript online with JSFiddle code editor.

BurpSuite:

  • BurpJSLinkFinder - Burp extension for passively scanning JS files for endpoint links.

Automated:

  • JSLeak - jsleak is a tool to find secrets, paths or links in the source code during recon.

$ echo http://example.com/ | jsleak -s
$ echo http://example.com/ | jsleak -l
$ echo http://example.com/ | jsleak -e
$ echo http://example.com/ | jsleak -c 20 -k

  • LinkFinder - A Python script that finds endpoints in JavaScript files

$ python3 linkfinder.py -i https://example.com -d    # run from the LinkFinder checkout, e.g. ~/.config/LinkFinder

  • JS-Scan - A .js scanner built in PHP, designed to scrape URLs and other info

  • LinksDumper - Extract (links/possible endpoints) from responses & filter them via decoding/sorting

  • GoLinkFinder - A fast and minimal JS endpoint extractor

  • urlgrab - A golang utility to spider through a website searching for additional links.

  • gau - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.

  • getJS - A tool to quickly get all JavaScript sources/files

  • linx - Reveals invisible links within JavaScript files

-----------------------------------------------------------------------------------------------------

4. Parameters

https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943 # PortSwigger/param-miner - Burp extension to identify hidden, unlinked parameters.

https://github.com/devanshbatham/ParamSpider # Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing

$ paramspider -d indeed.com

$ paramspider -l /home/kali/Desktop/file.txt

https://github.com/s0md3v/Arjun https://github.com/s0md3v/Arjun/wiki # Arjun can find query parameters for URL endpoints.

arjun -u https://example.com/
arjun -u https://exodussec.com/ --stable

https://github.com/Sh1Yo/x8 # Hidden parameters discovery suite written in Rust.

x8 -u "https://example.com/" -w <wordlist>

https://github.com/xnl-h4ck3r/xnLinkFinder # This is a tool used to discover endpoints (and potential parameters) for a given target.

$ python3 xnLinkFinder.py -i /home/kali/Desktop/file.txt    # run from the xnLinkFinder checkout, e.g. ~/.config/xnLinkFinder

-----------------------------------------------------------------------------------------------------

5. Directory Brute-forcing

https://github.com/xmendez/wfuzz # Wfuzz is more than a web content scanner. Wfuzz is based on a simple concept: it replaces any reference to the keyword FUZZ by the value of a given payload. A payload in Wfuzz is a source of input data.

wfuzz -e payloads
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://10.11.1.11/FUZZ

https://github.com/ffuf/ffuf # A fast web fuzzer written in Go.

$ ffuf -H 'User-Agent: Mozilla' -v -t 30 -w mydirfilelist.txt -b 'NAME1=VALUE1; NAME2=VALUE2' -u 'https://example.com/FUZZ'

Discover content
$ ffuf -recursion -c -e '.htm','.php','.html','.js','.txt','.zip','.bak','.asp','.aspx','.xml' -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -u https://url.com/FUZZ

Headers discover
$ ffuf -u https://hackxor.net -w /usr/share/SecLists/Discovery/Web-Content/BurpSuite-ParamMiner/both.txt -c -H "FUZZ: Hellothereheadertesting123 asd"

Ffuf - burp
$ ffuf -replay-proxy http://127.0.0.1:8080

Importing requests (a raw request saved to a file)
$ vim /Desktop/ExodusSec
$ ffuf -request /home/kali/Desktop/exodussec -w /home/kali/Desktop/RobotsTxtPaths.txt

Wordlist modes (-mode)
Default = clusterbomb: every combination of entries across the wordlists
-mode pitchfork: the wordlists are iterated in parallel, one entry from each per request

Request throttling and delays

ffuf -recursion -mc all -ac -c -w /home/kali/Desktop/RobotsTxtPaths.txt -w /home/kali/Desktop/Randomfiles.fuzz.txt -u https://www.rampf-group.com/FUZZ/FUZZ
ffuf -mc all -u https://rampf-group.com/W1/W2 -w /home/kali/Desktop/RobotsTxtPaths.txt:W1 -w /home/kali/Desktop/Randomfiles.fuzz.txt:W2
ffuf -mc all -u https://W1.rampf-group.com/W2 -w /home/kali/Desktop/RobotsTxtPaths.txt:W1 -w /home/kali/Desktop/Randomfiles.fuzz.txt:W2
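As an added illustration of the two wordlist modes (this is example code, not part of ffuf), the following reproduces how the W1/W2 commands above turn two wordlists into a request list, and counts the requests a run will make before any throttling decision. It assumes pitchfork is only used with equal-length lists, rather than guessing what ffuf does when one list runs out.

```python
from itertools import product

# Added example, not part of ffuf. Clusterbomb, the default, requests every
# combination of the wordlists; pitchfork walks the lists in lock-step,
# pairing entry N of each list. Assumption: pitchfork here requires
# equal-length lists instead of guessing ffuf's behaviour at the end of a
# shorter list.


def request_count(wordlists: dict[str, list[str]], mode: str = "clusterbomb") -> int:
    """Number of requests a run will send for the given lists and mode."""
    sizes = [len(words) for words in wordlists.values()]
    if mode == "clusterbomb":
        total = 1
        for n in sizes:
            total *= n
        return total
    if mode == "pitchfork":
        if len(set(sizes)) != 1:
            raise ValueError("pitchfork needs equal-length wordlists in this example")
        return sizes[0]
    raise ValueError(f"unknown mode {mode!r}")


def expand_requests(url_template: str, wordlists: dict[str, list[str]],
                    mode: str = "clusterbomb") -> list[str]:
    """Substitute each keyword (W1, W2, ...) in the template for every row the mode yields."""
    request_count(wordlists, mode)  # validates the mode and, for pitchfork, the list lengths
    keywords = list(wordlists)
    columns = [wordlists[k] for k in keywords]
    rows = product(*columns) if mode == "clusterbomb" else zip(*columns)
    urls = []
    for row in rows:
        url = url_template
        for keyword, value in zip(keywords, row):
            url = url.replace(keyword, value)
        urls.append(url)
    return urls


# Constructed wordlists; the template mirrors the W1/W2 ffuf commands above.
DIRS = ["admin", "backup", "api"]
FILES = ["config.php", "db.sql", "users.json"]

if __name__ == "__main__":
    lists = {"W1": DIRS, "W2": FILES}
    for mode in ("clusterbomb", "pitchfork"):
        urls = expand_requests("https://example.com/W1/W2", lists, mode)
        print(f"{mode}: {len(urls)} requests")
        for url in urls:
            print("  ", url)
```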

https://github.com/tomnomnom/anew # This tool compares new output with an old file and gives us only what is newly added.

cat subs.txt | anew newsubs.txt

https://www.kali.org/tools/dirsearch/ # An advanced command-line tool designed to brute force directories and files in webservers

dirsearch -r -f -u https://10.11.1.111 --extensions=htm,html,asp,aspx,txt -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt --request-by-hostname -t 40

https://www.kali.org/tools/dirb/ # DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the responses.

dirb http://10.11.1.111 -r -o dirb-10.11.1.111.txt

https://www.kali.org/tools/gobuster/ # Gobuster is a tool used to brute-force URIs including directories and files as well as DNS subdomains.

gobuster dir -u http://10.11.1.111 -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
gobuster dir -e -u http://10.11.1.111/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
gobuster dir -u http://10.11.1.111 -w /usr/share/seclists/Discovery/Web_Content/Top1000-RobotsDisallowed.txt
gobuster dir -e -u http://10.11.1.111/ -w /usr/share/wordlists/dirb/common.txt
gobuster dir -a 'Mozilla' -e -k -l -t 30 -w mydirfilelist.txt -c 'NAME1=VALUE1; NAME2=VALUE2' -u 'https://example.com/'

https://github.com/iustin24/chameleon # Chameleon provides better content discovery by using wappalyzer's set of technology fingerprints alongside custom wordlists tailored to each detected technology.

chameleon --url https://example.com -a

https://github.com/tomnomnom/meg # meg is a tool for fetching lots of URLs but still being 'nice' to servers.

meg -c 50 -H 'User-Agent: Mozilla' -s 200 weblogic.txt example.txt weblogic

https://github.com/deibit/cansina # Cansina is a Web Content Discovery Application.

python3 cansina.py -u 'https://example.com/' -p mydirfilelist.txt --persist

https://github.com/epi052/feroxbuster # A simple, fast, recursive content discovery tool written in Rust.

feroxbuster -u 'https://example.com/' -x pdf -x js,html -x php txt json,docx

https://github.com/assetnote/kiterunner # Kiterunner is a tool that is capable of not only performing traditional content discovery at lightning fast speeds, but also bruteforcing routes/endpoints in modern applications.

-------------------------------------------------------------------------------------------------

6. DNS and HTTP detection

DNS

https://dns.bufferover.run/dns?q=example.com # Powered by DNSGrep (https://github.com/erbbysam/DNSGrep) # A utility for quickly searching presorted DNS names. Built around the Rapid7 rdns & fdns dataset.

https://github.com/Josue87/gotator # Gotator is a tool to generate DNS wordlists through permutations.

gotator -sub domains.txt -perm permutations.txt -depth 2 -numbers 5 > output.txt

https://github.com/infosec-au/altdns # Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as a list of subdomains that you already know of.

altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt

https://github.com/d3mondev/puredns # Fast domain resolver and subdomain bruteforcing with accurate wildcard filtering.

https://securitytrails.com/list/email/dns-admin.example.com # Total Internet Inventory with the most comprehensive data that informs with unrivaled accuracy.

curl --request POST --url 'https://api.securitytrails.com/v1/domains/list?apikey={API_Key}&page=1&scroll=true' --data '{"filter":{"apex_domain":"example.com"}}' | jq -Mr '.records[].hostname' >> subdomains.txt
curl --request POST --url 'https://api.securitytrails.com/v1/domains/list?apikey={API_Key}&page=1&scroll=true' --data '{"filter":{"whois_email":"domains@example.com"}}' | jq -Mr '.records[].hostname' >> domains.txt

https://viewdns.info/reversewhois # This free tool will allow you to find domain names owned by an individual person or company.

https://www.whoxy.com # Our WHOIS API returns consistent and well-structured WHOIS data in XML & JSON format. Returned data contain parsed WHOIS fields that can be easily understood by your application.

https://github.com/MilindPurswani/whoxyrm # A reverse whois tool based on the Whoxy API, inspired by @jhaddix's talk on Bug Hunter's Methodology v4.02.

whoxyrm -company-name "Example Inc."

https://opendata.rapid7.com/ # Offering researchers and community members open access to data from Project Sonar, which conducts internet-wide surveys to gain insights into global exposure to common vulnerabilities.

https://github.com/blechschmidt/massdns # MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amount of domain names in the order of millions or even billions.

massdns -r resolvers.txt -o S -w massdns.out subdomains.txt

https://github.com/trickest/resolvers # The most exhaustive list of reliable DNS resolvers.

https://publicwww.com # Find any alphanumeric snippet, signature or keyword in the web pages HTML, JS and CSS code.

https://openintel.nl/ # The goal of the OpenINTEL measurement platform is to capture daily snapshots of the state of large parts of the global Domain Name System. Because the DNS plays a key role in almost all Internet services, recording this information allows us to track changes on the Internet, and thus its evolution, over longer periods of time. By performing active measurements, rather than passively collecting DNS data, we build consistent and reliable time series of the state of the DNS.

https://github.com/ninoseki/mihari # Mihari is a framework for continuous OSINT based threat hunting.

https://github.com/resyncgg/ripgen # A rust-based version of the popular dnsgen python utility.

https://github.com/projectdiscovery/dnsx # Fast and multi-purpose DNS toolkit allow to run multiple DNS queries.

https://github.com/glebarez/cero # Cero will connect to remote hosts, and read domain names from the certificates provided during TLS handshake.

https://ceye.io # Monitor service for security testing.

curl 'http://api.ceye.io/v1/records?token={API Key}&type=dns'
curl 'http://api.ceye.io/v1/records?token={API Key}&type=http'

https://httpbin.org/ # A simple HTTP Request & Response Service.

http://pingb.in # Simple DNS and HTTP service for security testing.

https://github.com/ctxis/SnitchDNS # SnitchDNS is a database-driven DNS server with a web UI, written in Python and Twisted, that makes DNS administration easier, with all configuration changes applied instantly without restarting any system services.

http://dnslog.cn # Simple DNS server with real-time logs.

https://interact.projectdiscovery.io/ # Interactsh is an open-source solution for out-of-band data extraction: a tool designed to detect bugs that cause external interactions, for example blind SQLi, blind CMDi, SSRF, etc.

https://canarytokens.org/ # You'll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests. # Imagine doing that, but for file reads, database queries, process executions or patterns in log files. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.
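To make the web-bug mechanism in the Canarytokens entry concrete, here is an added example (not Canarytokens' own code) that mints a token, builds the image tag and then scans combined-format access logs for requests to it; the collector host name and the log lines are constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass

# Added example, not code from canarytokens.org. A unique, unguessable token is
# placed in an image URL; any request for that URL, whatever status the server
# returned, means something fetched the page or document it was embedded in.

CANARY_HOST = "canary.example.internal"  # hypothetical collector host

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    ts: str
    ip: str
    status: str
    referer: str
    ua: str


def mint_token() -> str:
    """Unguessable token: 16 random bytes as 32 hex characters."""
    return secrets.token_hex(16)


def token_path(token: str) -> str:
    """The token rides in the URL path, so every request for it lands in the access log."""
    return f"/{token}/i.gif"


def web_bug(token: str) -> str:
    """1x1 image tag to embed in the page or document being watched."""
    return f'<img src="https://{CANARY_HOST}{token_path(token)}" width="1" height="1" alt="">'


def find_hits(log_text: str, token: str) -> list[Hit]:
    """Every request for the token path is a trigger, regardless of the status code."""
    path = token_path(token)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        if m["path"].split("?", 1)[0] == path:  # ignore any appended query string
            hits.append(Hit(m["ts"], m["ip"], m["status"], m["referer"], m["ua"]))
    return hits


# Constructed sample log: a trigger, an unrelated request, a second trigger
# with a query string and a 404 response, and a line in some other format.
DEMO_TOKEN = "3f1c9b2e4d5a6c7b8e9f0a1b2c3d4e5f"
SAMPLE_LOG = f"""\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /{DEMO_TOKEN}/i.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:14:02:12 +0000] "GET /{DEMO_TOKEN}/i.gif?x=1 HTTP/1.1" 404 0 "https://docs.example/" "Wget/1.21"
not an access-log line
"""

if __name__ == "__main__":
    print(web_bug(DEMO_TOKEN))
    for hit in find_hits(SAMPLE_LOG, DEMO_TOKEN):
        print(f"{hit.ts} {hit.ip} status={hit.status} ua={hit.ua!r}")
```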

-----------------------------------------------------------------------------------------------------

HTML/JavaScript Comments

https://portswigger.net/support/using-burp-suites-engagement-tools # Burp Engagement Tools

-----------------------------------------------------------------------------------------------------

7. General

SSL Certificate

https://certificate.transparency.dev/ # Certificate Transparency

https://crt.sh/?q=example.com # Certificate Search

https://github.com/n0kovo/n0kovo_subdomains # An extremely effective subdomain wordlist of 3,000,000 lines, crafted by harvesting SSL certs from the entire IPv4 space.

https://github.com/glebarez/cero

cero example.com

https://github.com/UnaPibaGeek/ctfr

python3 ctfr.py -d domain.com

--------------------------------------------------------------------------------------------------

Secret Scanning

https://github.com/redhuntlabs/HTTPLoot # An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and "loot" secrets out of the client-facing code of sites.

https://github.com/redhuntlabs/BucketLoot # BucketLoot is an automated S3-compatible Bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text.

https://github.com/0xTeles/jsleak # jsleak is a tool to identify sensitive data in JS files through regex patterns.

https://github.com/channyein1337/jsleak # I was developing jsleak during most of my free time for my own need. It is an easy-to-use command-line tool designed to uncover secrets and links in JavaScript files or source code. jsleak was inspired by LinkFinder and the regexes are collected from multiple sources.
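As an added example for the secret-scanning tools here and in the Git Repositories Scanning section (not the code of gitleaks, truffleHog or jsleak), this small scanner combines shape-based regexes with an entropy check over a constructed JS fragment; the AWS key it finds is AWS's documented placeholder, not a live credential.

```python
import math
import re
from dataclasses import dataclass

# Added example, not code from gitleaks, truffleHog or jsleak. It shows the two
# detection strategies those scanners combine: regexes for credentials with a
# fixed, recognisable shape, and a Shannon-entropy test for random-looking
# values assigned to secret-like variable names (which catches keys no shape
# rule knows about, at the cost of needing a threshold).


@dataclass
class Finding:
    line_no: int
    rule: str
    value: str


# Credentials with a known structure.
SHAPE_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# name = "value" or name: "value" with a secret-like name and a value of 16+ chars.
ASSIGN_RE = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64/hex material scores well above words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_source(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Return findings in line order: shape matches first, then entropy hits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, regex in SHAPE_RULES.items():
            for m in regex.finditer(line):
                findings.append(Finding(line_no, rule, m.group(0)))
        m = ASSIGN_RE.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append(Finding(line_no, "high-entropy-assignment", m.group(2)))
    return findings


# Constructed JS bundle fragment. The AWS key is AWS's documented placeholder
# (AKIAIOSFODNN7EXAMPLE), not a live credential; the api_key value is made up.
SAMPLE_JS = """\
const cfg = { region: "eu-west-1" };
const awsKeyId = "AKIAIOSFODNN7EXAMPLE";
const api_key = "q7Gz9xVbT2mLp4KsWc8nRdJyH1eA";
const token = "placeholder-placeholder";
const pem = "-----BEGIN RSA PRIVATE KEY-----";
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f"line {f.line_no}: {f.rule}: {f.value}")
```

The `token` line is deliberately not reported: its value is long enough to be checked but its entropy sits below the threshold, which is the trade-off the entropy rule makes.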

-----------------------------------------------------------------------------------------------------

Employees

Automated:

https://github.com/piaolin/DetectDee # Hunt down social media accounts by username, email or phone across social networks

Names:

https://dashboard.fullcontact.com # Our person-first Identity Resolution Platform provides the crucial intelligence needed to drive Media Amplification, Omnichannel Measurement, and Customer Recognition.

https://www.peopledatalabs.com # Our data empowers developers to build innovative, trusted data-driven products at scale.

Emails:

https://hunter.io # Hunter lets you find email addresses in seconds and connect with the people that matter for your business.

https://github.com/mxrch/GHunt # GHunt is an OSINT tool to extract information from any Google Account using an email.

python3 ghunt.py email myemail@gmail.com

https://github.com/khast3x/h8mail # h8mail is an email OSINT and breach hunting tool using different breach and reconnaissance services, or local breaches such as Troy Hunt's "Collection1" and the infamous "Breach Compilation" torrent.

h8mail -t target@example.com

Phone:

Address:

Search Engine:

https://intelx.io # Intelligence X is an independent European technology company founded in 2018 by Peter Kleissner. The company is based in Prague, Czech Republic. Its mission is to develop and maintain the search engine and data archive.

https://www.nerdydata.com # Find companies based on their website's tech stack or code.

Social Media:

https://www.social-searcher.com # Free Social Media Search Engine.

  • Indeed:

  • Twitter/X:

Acquisitions:

Tiny URLs Services

https://www.scribd.com/doc/308659143/Cornell-Tech-Url-Shortening-Research # Cornell Tech Url Shortening Research

https://github.com/utkusen/urlhunter # urlhunter is a recon tool that allows searching on URLs that are exposed via shortener services such as bit.ly and goo.gl.

urlhunter -keywords keywords.txt -date 2020-11-20 -o out.txt

https://shorteners.grayhatwarfare.com # Search Shortener Urls

--------------------------------------------------------------------------------------------------

https://github.com/redhuntlabs/Awesome-Asset-Discovery # Asset Discovery is the initial phase of any security assessment engagement, be it offensive or defensive. With the evolution of information technology, the scope and definition of assets has also evolved.

https://spyse.com # Spyse holds the largest database of its kind, containing a wide range of OSINT data handy for the reconnaissance.

https://github.com/yogeshojha/rengine # reNgine is an automated reconnaissance framework meant for information gathering during penetration testing of web applications.

https://github.com/phor3nsic/favicon_hash_shodan # Search for a framework by favicon

https://github.com/righettod/website-passive-reconnaissance # Script to automate, when possible, the passive reconnaissance performed on a website prior to an assessment.

https://dhiyaneshgeek.github.io/red/teaming/2022/04/28/reconnaissance-red-teaming/ # Reconnaissance is carried out in a Red Teaming Engagement.

https://learn.microsoft.com/en-us/rest/api/storageservices/list-blobs?tabs=azure-ad # The List Blobs operation returns a list of the blobs under the specified container. Anonymous listing only works when the container's public access level is "Container"; with "Blob" level access you can still download a blob whose name you already know, but comp=list is refused.

https://myaccount.blob.core.windows.net/mycontainer?restype=container&comp=list
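Once a container answers the listing request above, the XML it returns has to be walked and paged. The parser below is an added example, not code from the page or from Microsoft's tooling: the response body, the account and container names and the "interesting" extension list are constructed for the example, and the function names are the example's own. It pulls name, size and modification time from each Blob element, builds the next-page URL from NextMarker, and flags names with sensitive-looking extensions.

```python
"""Parse an Azure Blob "List Blobs" response and follow NextMarker pagination.
Added example; the XML below is constructed to match the documented response
shape (no request is sent)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample of what
#   GET https://myaccount.blob.core.windows.net/mycontainer?restype=container&comp=list
# returns when the container allows anonymous listing. Marker value is made up.
SAMPLE_LISTING = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://myaccount.blob.core.windows.net/" ContainerName="mycontainer">
  <Blobs>
    <Blob>
      <Name>backups/db-2023-01-01.sql.gz</Name>
      <Properties>
        <Last-Modified>Sun, 01 Jan 2023 03:00:00 GMT</Last-Modified>
        <Content-Length>5242880</Content-Length>
        <Content-Type>application/gzip</Content-Type>
      </Properties>
    </Blob>
    <Blob>
      <Name>config/appsettings.json</Name>
      <Properties>
        <Last-Modified>Mon, 02 Jan 2023 10:15:00 GMT</Last-Modified>
        <Content-Length>1432</Content-Length>
        <Content-Type>application/json</Content-Type>
      </Properties>
    </Blob>
  </Blobs>
  <NextMarker>2!72!MDAwMDEyIWJsb2IvbmV4dC5qc29uITAwMDAyOCE5OTk5</NextMarker>
</EnumerationResults>
"""

# Extensions worth a second look in a public container (example's own list).
INTERESTING_SUFFIXES = (".sql", ".sql.gz", ".bak", ".env", ".json", ".pem", ".key", ".zip")


def parse_listing(xml_text):
    """Return (blobs, next_marker); blobs are dicts with name, size, modified."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)          # the response carries no XML namespace
    blobs = []
    for blob in root.iter("Blob"):
        props = blob.find("Properties")
        blobs.append({
            "name": blob.findtext("Name"),
            "size": int(props.findtext("Content-Length") or 0),
            "modified": props.findtext("Last-Modified"),
        })
    marker = root.findtext("NextMarker") or ""   # empty NextMarker = last page
    return blobs, marker


def next_page_url(account, container, marker):
    """Listing URL for the next page; pass the NextMarker value as `marker`."""
    params = {"restype": "container", "comp": "list"}
    if marker:
        params["marker"] = marker
    return f"https://{account}.blob.core.windows.net/{container}?{urlencode(params)}"


def blob_url(account, container, name):
    """Direct download URL of one blob."""
    return f"https://{account}.blob.core.windows.net/{container}/{name}"


def interesting(blobs):
    """Names whose extension suggests backups, config or key material."""
    return [b["name"] for b in blobs if b["name"].lower().endswith(INTERESTING_SUFFIXES)]


if __name__ == "__main__":
    blobs, marker = parse_listing(SAMPLE_LISTING)
    for b in blobs:
        print(f'{b["size"]:>10}  {b["modified"]}  {blob_url("myaccount", "mycontainer", b["name"])}')
    print("interesting:", interesting(blobs))
    if marker:
        print("next page:", next_page_url("myaccount", "mycontainer", marker))
```

In a real run, fetch each `next_page_url` until `parse_listing` returns an empty marker; the server caps a page at 5000 entries, so large containers always need the loop.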

---------------------------------------------------------------------------------------

8. Enumerating

Fingerprint

https://github.com/urbanadventurer/WhatWeb # WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices.

whatweb -a 4 -U 'Mozilla' -c 'NAME1=VALUE1; NAME2=VALUE2' -t 20 www.example.com

https://builtwith.com # Find out what websites are Built With.

https://www.wappalyzer.com # Identify technologies on websites.

https://webtechsurvey.com # Discover what technologies a website is built on or find out what websites use a particular web technology.

https://portswigger.net/bappstore/c9fb79369b56407792a7104e3c4352fb # Software Vulnerability Scanner Burp Extension

https://github.com/GrrrDog/weird_proxies # It's a cheat sheet about behaviour of various reverse proxies and related attacks.

Buckets

https://aws.amazon.com/cli/ # List S3 bucket permissions and keys. Add --no-sign-request to see what an anonymous user gets; without it every call runs under whatever credentials the CLI has configured.

aws s3api get-bucket-acl --bucket examples3bucketname
aws s3api get-object-acl --bucket examples3bucketname --key dir/file.ext
aws s3api list-objects --bucket examples3bucketname
aws s3api list-objects-v2 --bucket examples3bucketname
aws s3api get-object --bucket examples3bucketname --key dir/file.ext localfilename.ext
aws s3api put-object --bucket examples3bucketname --key dir/file.ext --body localfilename.ext
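The get-bucket-acl and get-object-acl calls above print a JSON document with an Owner and a list of Grants; what matters is whether any grant goes to the two AWS-wide groups. The checker below is an added example, not AWS tooling: the ACL document is constructed with the real field names and group URIs, and the function names are the example's own. It returns the public grants and rates them (a public READ on a bucket means anyone can list keys; WRITE or FULL_CONTROL means anyone can modify).

```python
"""Flag public grants in the JSON printed by `aws s3api get-bucket-acl`
or `get-object-acl`.  Added example; the ACL below is constructed."""
import json
import sys

# The two grantee URIs AWS uses for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

# Constructed sample of `aws s3api get-bucket-acl --bucket examples3bucketname`.
SAMPLE_ACL = json.dumps({
    "Owner": {"DisplayName": "owner", "ID": "0123456789abcdef" * 4},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "owner", "ID": "0123456789abcdef" * 4},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
        # LogDelivery is an AWS-internal group, not public; must not be flagged.
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
})


def public_grants(acl_json):
    """Return [(who, permission)] for every grant made to a public group."""
    acl = json.loads(acl_json)
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def severity(grants):
    """Rate the worst public grant: write-class permissions outrank read-class."""
    perms = {perm for _, perm in grants}
    if perms & {"WRITE", "WRITE_ACP", "FULL_CONTROL"}:
        return "high"
    if perms & {"READ", "READ_ACP"}:
        return "medium"
    return "none"


if __name__ == "__main__":
    # `aws s3api get-bucket-acl --bucket NAME | python3 s3_acl_check.py -` reads stdin;
    # with no argument the constructed sample is used.
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_ACL
    hits = public_grants(data)
    for who, perm in hits:
        print(f"{perm:<13} -> {who}")
    print("severity:", severity(hits))
```

ACLs are only one of the three places access can be granted; a bucket policy (get-bucket-policy) or an IAM policy can open a bucket whose ACL looks private, so a clean ACL is not a clean bucket.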

https://github.com/eth0izzle/bucket-stream # Find interesting Amazon S3 Buckets by watching certificate transparency logs

https://buckets.grayhatwarfare.com/ # Search Public Buckets

https://github.com/VirtueSecurity/aws-extender # Burp Suite extension which can identify and test S3 buckets

Cloud Enumeration # Basic check: confirm that a found credential set is still live and which account and principal it belongs to before enumerating permissions

export AWS_ACCESS_KEY_ID=XYZ
export AWS_SECRET_ACCESS_KEY=XYZ
export AWS_SESSION_TOKEN=XYZ
aws sts get-caller-identity

https://github.com/andresriancho/enumerate-iam # Found a set of AWS credentials and have no idea which permissions it might have?

https://github.com/nccgroup/ScoutSuite # Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.

https://github.com/streaak/keyhacks # KeyHacks shows ways in which particular API keys found on a Bug Bounty Program can be used, to check if they are valid.

https://github.com/ozguralp/gmapsapiscanner # Used for determining whether a leaked/found Google Maps API Key is vulnerable to unauthorized access by other applications or not.

https://github.com/aquasecurity/trivy # Trivy (tri pronounced like trigger, vy pronounced like envy) is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.

https://github.com/initstring/cloud_enum # Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.

https://github.com/toniblyx/prowler # Prowler is an Open Source Security tool for AWS, Azure and GCP to perform Cloud Security best practices assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness.

https://github.com/salesforce/cloudsplaining # Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.

https://github.com/cloudsploit/scans # CloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.

https://github.com/RhinoSecurityLabs/pacu # Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments.

https://github.com/VirtueSecurity/aws-extender # This Burp Suite extension can identify and test S3 buckets as well as Google Storage buckets and Azure Storage containers for common misconfiguration issues using the boto/boto3 SDK library.

https://github.com/irgoncalves/gcp_security # This repository is intented to have Google Cloud Security recommended practices, scripts and more.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html # Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories, for example, host name, events, and security groups.

https://cloud.google.com/compute/docs/storing-retrieving-metadata # Every instance stores its metadata on a metadata server. You can query this metadata server programmatically, from within the instance and from the Compute Engine API. You can query for information about the instance, such as the instance's host name, instance ID, startup and shutdown scripts, custom metadata, and service account information. Your instance automatically has access to the metadata server API without any additional authorization.

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service # The Azure Instance Metadata Service (IMDS) provides information about currently running virtual machine instances. You can use it to manage and configure your virtual machines. This information includes the SKU, storage, network configurations, and upcoming maintenance events.

https://www.alibabacloud.com/help/doc-detail/49122.htm # Metadata of an instance includes basic information of the instance in Alibaba Cloud, such as the instance ID, IP address, MAC addresses of network interface controllers (NICs) bound to the instance, and operating system type.
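The four metadata services above do not accept a bare GET: AWS IMDSv2 wants a session token obtained with a PUT, GCP requires the Metadata-Flavor: Google header, and Azure requires Metadata: true plus an api-version query parameter. The probe below is an added example, not provider tooling; the endpoints and headers are the ones documented at the links above, while FakeOpener, its canned replies and the function names are constructed so the flow can be exercised offline.

```python
"""Metadata-service probes shaped the way each cloud expects them.
Added example; endpoints/headers from the provider docs, FakeOpener constructed."""
import urllib.request

# provider -> (base URL, query appended after the path, required headers)
IMDS = {
    "aws":     ("http://169.254.169.254/latest/meta-data/", "", {}),
    "gcp":     ("http://metadata.google.internal/computeMetadata/v1/", "", {"Metadata-Flavor": "Google"}),
    "azure":   ("http://169.254.169.254/metadata/instance", "?api-version=2021-02-01", {"Metadata": "true"}),
    "alibaba": ("http://100.100.100.200/latest/meta-data/", "", {}),
}
AWS_TOKEN_URL = "http://169.254.169.254/latest/api/token"


def _send(opener, method, url, headers, timeout=2):
    req = urllib.request.Request(url, method=method, headers=headers)
    with opener(req, timeout=timeout) as resp:
        return resp.read().decode()


def aws_imdsv2_token(opener=urllib.request.urlopen, ttl=21600):
    """IMDSv2 step 1: PUT /latest/api/token with a TTL header yields a session
    token. An instance with IMDSv1 disabled answers 401 to any GET without it."""
    return _send(opener, "PUT", AWS_TOKEN_URL,
                 {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})


def probe(provider, path="", opener=urllib.request.urlopen):
    """GET `path` under the provider's metadata root with the required headers."""
    base, query, headers = IMDS[provider]
    headers = dict(headers)
    if provider == "aws":                       # step 2: present the token on every GET
        headers["X-aws-ec2-metadata-token"] = aws_imdsv2_token(opener)
    return _send(opener, "GET", base + path + query, headers)


class FakeOpener:
    """Constructed stand-in for urllib.request.urlopen: records each request
    and returns canned bodies so the exchange can be checked offline."""
    class _Resp:
        def __init__(self, body): self.body = body
        def __enter__(self): return self
        def __exit__(self, *exc): return False
        def read(self): return self.body

    def __init__(self):
        self.calls = []   # (method, url, {lower-cased header: value})

    def __call__(self, req, timeout=None):
        hdrs = {k.lower(): v for k, v in req.header_items()}
        self.calls.append((req.get_method(), req.full_url, hdrs))
        if req.get_method() == "PUT":
            return self._Resp(b"AQAAA-constructed-token")
        return self._Resp(b"constructed-role\n")


if __name__ == "__main__":
    fake = FakeOpener()
    print(probe("aws", "iam/security-credentials/", opener=fake).strip())
    for method, url, hdrs in fake.calls:
        print(method, url, hdrs)
```

Run it on a real instance by dropping the opener argument. The PUT is the point of IMDSv2: an SSRF that can only issue GETs with attacker-controlled URLs cannot complete step 1, which is why `aws ec2 modify-instance-metadata-options --http-tokens required` is the standard hardening. GCP likewise rejects requests missing Metadata-Flavor, and Azure rejects any request carrying an X-Forwarded-For header, so a probe relayed through a proxy that adds one fails even with the right headers.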

https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/ # Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments.

https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools # A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.

https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/ # This post gives a deep dive into a critical security flaw that was present in Flickr’s login flow.

https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p1/ https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2/ # Attacking AWS Cognito with Pacu.

Containerization

https://github.com/stealthcopter/deepce # Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE).

Visual Identification

https://github.com/InfosecMatter/default-http-login-hunter # Wrapper around Nmap's http-default-accounts NSE script that tests web interfaces for default credentials.

default-http-login-hunter.sh <URL>

https://github.com/FortyNorthSecurity/EyeWitness # EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if known.

eyewitness --web --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" --threads 10 --timeout 30 --prepend-https -f "${PWD}/subdomains.txt" -d "${PWD}/eyewitness/"

https://github.com/michenriksen/aquatone # Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.

cat targets.txt | aquatone

https://github.com/sensepost/gowitness # gowitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line, with a handy report viewer to process results. Both Linux and macOS is supported, with Windows support mostly working.

gowitness scan --cidr 192.168.0.0/24 --threads 20

https://github.com/BishopFox/eyeballer # Eyeballer is meant for large-scope network penetration tests where you need to find "interesting" targets from a huge set of web-based hosts.

eyeballer.py --weights YOUR_WEIGHTS.h5 predict PATH_TO/YOUR_FILES/

--------------------------------------------------------------------------------------------------

9. Web Scanning

Web Scanning

https://github.com/psiinon/open-source-web-scanners # A list of open source web security scanners on GitHub.

NUCLEI:

https://github.com/projectdiscovery/nuclei # Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use. Nuclei is used to send requests across targets based on a template leading to zero false positives and providing fast scanning on large number of hosts.

nuclei -l urls.txt -t cves/ -t files/ -o results.txt

BurpSuite:

https://support.portswigger.net/customer/portal/articles/1783127-using-burp-scanner # Burp Scanner is a tool for automatically finding security vulnerabilities in web applications.

https://portswigger.net/burp/documentation/collaborator # Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities. # Tip https://www.onsecurity.co.uk/blog/gaining-persistent-access-to-burps-collaborator-sessions

Automated:

https://github.com/spinkham/skipfish # Skipfish is an active web application security reconnaissance tool.

skipfish -MEU -S dictionaries/minimal.wl -W new_dict.wl -C "AuthCookie=value" -X /logout.aspx -o output_dir http://www.example.com/

https://github.com/sullo/nikto # Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

nikto -ssl -host www.example.com

https://github.com/wpscanteam/wpscan # WordPress Security Scanner

wpscan --disable-tls-checks --ignore-main-redirect --user-agent 'Mozilla' -t 10 --force --wp-content-dir wp-content --url blog.example.com

https://github.com/droope/droopescan # A plugin-based scanner that aids security researchers in identifying issues with several CMS.

droopescan scan drupal -u example.com

https://github.com/six2dez/reconftw # reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform enumeration and finding out vulnerabilities.

reconftw.sh -d target.com -a

https://gobies.org # The new generation of network security technology achieves rapid security emergency through the establishment of a complete asset database for the target.

https://github.com/MrCl0wnLab/ShellShockHunter # Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014.

python main.py --range '194.206.187.X,194.206.187.XXX' --check --thread 40 --ssl

https://github.com/crashbrz/WebXmlExploiter/ # The WebXmlExploiter is a tool to exploit web.xml files exposed through misconfiguration or path traversal.

https://github.com/stark0de/nginxpwner # Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities.

  • Sn1per - Automated pentest framework for offensive security experts

  • metasploit-framework - Metasploit Framework

  • arachni - Web Application Security Scanner Framework

  • jaeles - The Swiss Army knife for automated Web Application Testing

  • Osmedeus - Fully automated offensive security framework for reconnaissance and vulnerability scanning

  • getsploit - Command line utility for searching and downloading exploits

  • flan - A pretty sweet vulnerability scanner

  • Findsploit - Find exploits in local and online databases instantly

  • BlackWidow - A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website.

  • backslash-powered-scanner - Finds unknown classes of injection vulnerabilities

  • Eagle - Multithreaded Plugin based vulnerability scanner for mass detection of web-based applications vulnerabilities

  • cariddi - Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more...

  • OWASP ZAP - World’s most popular free web security tools and is actively maintained by a dedicated international team of volunteers

  • SSTImap - SSTImap is a penetration testing software that can check websites for Code Injection and Server-Side Template Injection vulnerabilities and exploit them, giving access to the operating system itself.

Static Application Security Testing

https://github.com/returntocorp/semgrep # Semgrep is a fast, open-source, static analysis tool that excels at expressing code standards — without complicated queries — and surfacing bugs early at editor, commit, and CI time.

https://owasp.org/www-project-dependency-check/ # Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

https://owasp.org/www-community/Source_Code_Analysis_Tools # Source code analysis tools, also known as Static Application Security Testing (SAST) Tools, can help analyze source code or compiled versions of code to help find security flaws.

https://github.com/robotframework/robotframework # Robot Framework is a generic open source automation framework for acceptance testing, acceptance test driven development (ATDD), and robotic process automation (RPA). It has simple plain text syntax and it can be extended easily with generic and custom libraries.

https://github.com/google/osv-scanner # Use OSV-Scanner to find existing vulnerabilities affecting your project's dependencies.

https://github.com/securego/gosec # Inspects source code for security problems by scanning the Go AST.

https://dotnetfiddle.net # We are a group of .NET developers who are sick and tired of starting Visual Studio, creating a new project and running it, just to test simple code or try out samples from other developers.

Dependency Confusion

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 # How I Hacked Into Apple, Microsoft and Dozens of Other Companies.

https://www.blazeinfosec.com/post/dependency-confusion-exploitation/ # This blog post provides an overview of Dependency Confusion attacks and explains in detail how they can be exploited in the wild, with examples using NPM packages and tips to prevent these vulnerabilities from occurring.

https://github.com/dwisiswant0/nodep # nodep check available dependency packages across npmjs, PyPI or RubyGems registry.

https://github.com/visma-prodsec/confused # A tool for checking for lingering free namespaces for private package names referenced in dependency configuration for Python (pypi) requirements.txt, JavaScript (npm) package.json, PHP (composer) composer.json or MVN (maven) pom.xml.
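The checks confused and nodep automate reduce to one question per dependency: is this name pinned to a private registry, and if not, does it already exist publicly? The script below is an added example, not either tool's code; the package.json, the .npmrc and the offline view of the public registry are constructed, and the function names are the example's own. The registry lookup is passed in as a callable so the logic runs without network; swap in a real check (an HTTP GET of https://registry.npmjs.org/<name>) for live use.

```python
"""Dependency-confusion candidates from package.json plus .npmrc.
Added example; all input below is constructed."""
import json

# Constructed package.json of a fictional internal app.
PACKAGE_JSON = json.dumps({
    "name": "@acme/portal",
    "dependencies": {
        "express": "^4.18.2",
        "acme-auth-client": "1.4.0",          # unscoped internal package
        "@acme/design-system": "^2.1.0",      # scoped, scope mapped in .npmrc
        "@acme-legacy/billing": "0.9.1",      # scoped, scope NOT mapped
    },
    "devDependencies": {"jest": "^29.0.0", "acme-build-tools": "3.0.0"},
})

# Constructed .npmrc: only the @acme scope is pinned to the private registry.
NPMRC = """\
registry=https://registry.npmjs.org/
@acme:registry=https://npm.acme.internal/repository/npm-private/
//npm.acme.internal/repository/npm-private/:_authToken=${NPM_TOKEN}
"""


def private_scopes(npmrc_text):
    """Scopes that .npmrc routes to a specific registry (the '@scope:registry=' lines)."""
    scopes = set()
    for line in npmrc_text.splitlines():
        line = line.strip()
        if line.startswith("@") and ":registry=" in line:
            scopes.add(line.split(":registry=", 1)[0])
    return scopes


def all_dependencies(package_json_text):
    """Every dependency name across the sections npm installs from."""
    pkg = json.loads(package_json_text)
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        names.update(pkg.get(section, {}))
    return names


def confusion_candidates(package_json_text, npmrc_text, public_exists):
    """Names that are not scope-pinned to a private registry and do not exist
    on the public registry yet: those an attacker could register and have
    installed in place of the internal package.  `public_exists(name)` is the
    registry lookup, injected so this runs offline."""
    scopes = private_scopes(npmrc_text)
    candidates = []
    for name in sorted(all_dependencies(package_json_text)):
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if scope in scopes:
            continue                    # install resolves only from the private registry
        if not public_exists(name):
            candidates.append(name)
    return candidates


# Constructed view of the public registry for the example.
KNOWN_PUBLIC = {"express", "jest"}


def offline_public_exists(name):
    return name in KNOWN_PUBLIC


if __name__ == "__main__":
    for name in confusion_candidates(PACKAGE_JSON, NPMRC, offline_public_exists):
        print("claimable on the public registry:", name)
```

For a scoped name the real question is whether the scope itself (the npm user or org) is claimed, since only the owner of @acme-legacy can publish under it; an unclaimed scope is as bad as an unscoped name. The defensive counterpart is visible in the constructed .npmrc: map every internal scope to the private registry, publish nothing internal unscoped, and let the lockfile's integrity hashes catch a swapped package.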

Send Emails

https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c # Ticket Trick

https://medium.com/intigriti/abusing-autoresponders-and-email-bounces-9b1995eb53c2 # Abusing autoresponders and email bounces

# Send multiple emails

while read -r i; do echo "$i"; echo -e "From: example1@gmail.com\nTo: ${i}\nCc: example2@gmail.com\nSubject: This is the subject ${i}\n\nThis is the body ${i}" | ssmtp "${i},example2@gmail.com"; done < emails.txt

Search Vulnerabilities

https://pypi.org/project/urlscanio/ # URLScan.io is a useful tool for scanning and obtaining information from potentially malicious websites. The creators of URLScan have very helpfully made an API which can be used to add some automation to your workflow. urlscanio is a simple Python CLI utility which makes use of the aforementioned APIs to automate my own personal workflow when it comes to using URLScan.

urlscanio -i https://www.example.com

https://github.com/vulnersCom/getsploit # Command line search and download tool for Vulners Database inspired by searchsploit.

getsploit wordpress 4.7.0

https://www.exploit-db.com/searchsploit # Included in our Exploit Database repository on GitHub is searchsploit, a command line search tool for Exploit-DB that also allows you to take a copy of Exploit Database with you, everywhere you go.

searchsploit -t oracle windows

https://github.com/vulmon/Vulmap # Vulmap is an open-source online local vulnerability scanner project. It consists of online local vulnerability scanning programs for Windows and Linux operating systems.

https://grep.app # Search across a half million git repos.

https://github.com/0ang3el/aem-hacker # Tools to identify vulnerable Adobe Experience Manager (AEM) webapps.

python3 aem_hacker.py -u https://example.com --host your_vps_hostname_ip

https://github.com/laluka/jolokia-exploitation-toolkit # Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

https://github.com/cve-search/git-vuln-finder # Finding potential software vulnerabilities from git commit messages.

git-vuln-finder -r ~/git/curl | jq .

----------------------------------------------------------------------------------------

10. Monitoring

CVE

It's important to stay updated. Also, PoC is fun to play with!

//OWASP Top Ten (2021)

//CWE Top 25

NUCLEI

https://www.yamllint.com/ # Validate template YAML before running it

https://templates.nuclei.sh/templates # Browse the public template catalogue

https://docs.nuclei.sh/template-guide/introduction # Template syntax guide

https://github.com/projectdiscovery/nuclei-templates/discussions # Template discussions

cd /root/.config/nuclei
nuclei -update

nuclei -t http/vulnerabilities -u https://paypal.com
nuclei -t http/miscellaneous -u https://paypal.com

UPDATE TEMPLATES
nuclei -ut # -update-templates; -update upgrades the nuclei binary itself

RATE LIMITING
-rl 4 # maximum requests per second (default 150)
-bs # bulk size: hosts analysed in parallel per template (default 25)
-c # concurrency: templates executed in parallel (default 25)

TEMPLATE FILTERING
nuclei -tl # list the templates that would be loaded
nuclei -t nuclei-templates/vulnerabilities/wordpress -u http://exodussec.com # run one template directory against one target
tree -L 1 -d . # top-level template directories (run inside the templates directory)

WORKFLOWS
nuclei -w ~/.local/nuclei-templates/workflows/

id: example-template            # mandatory; nuclei refuses a template without an id

info:
  name: Example Template
  author: ExodusSec
  severity: info
  description: Description of the Template
  reference: https://example-reference-link

http:                           # "requests:" is the pre-2.9 name of this key
  - method: GET
    path:
      - "{{BaseURL}}/test.php"
    matchers:                   # without a matcher nothing is ever reported
      - type: status
        status:
          - 200

NOTIFY

cd ~/.config/notify # notify reads provider-config.yaml from here by default
nano provider-config.yaml # keep this file out of version control: the webhook URL lets anyone post to the channel

discord:
  - id: "crawl"
    discord_channel: "channel-name"
    discord_username: "username-here"
    discord_format: "{{data}}"
    discord_webhook_url: "https://discord.com/api/webhooks/xxx/xx-xx"

  - id: "subs"
    discord_channel: "channel-name"
    discord_username: "username-here"
    discord_format: "{{data}}"
    discord_webhook_url: "https://discord.com/api/webhooks/xxx/xx-xx"

subfinder -d hackerone.com | notify

-----------------------------------------------------------------------------------------------------

11. Automation

  1. First Run

The first run is mandatory: it enumerates subdomains for the list of domains you give and saves them to a .txt file that later runs diff against.

subfinder -silent -dL domains.txt | anew subs.txt

Note : -dL - File containing list of domains to enumerate.

  2. Second Run

The second run finds new subdomains, checks which are alive, scans them with nuclei templates and sends the output to notify.

while true; do subfinder -dL domains.txt -all | anew subs.txt | httpx | nuclei -t nuclei-templates/ | notify ; sleep 3600; done
while true; do subfinder -dL domains.txt -all | anew subs.txt | httpx | nuclei -t file/xss/dom-xss.yaml | notify ; sleep 3600; done
while true; do subfinder -dL domains.txt -all | anew subs.txt | httpx | nuclei -t file/webshell | notify ; sleep 3600; done
while true; do subfinder -dL domains.txt -all | anew subs.txt | httpx | nuclei -t file/xss/ -t file/sql/ | notify ; sleep 14400; done
while true; do subfinder -dL domains.txt -all | anew subs.txt | httpx | nuclei -t http/vulnerabilities | notify ; sleep 3600; done

Note : while true; do - keeps the loop alive. anew subs.txt - appends new subdomains to the file and passes only the new ones downstream, so each pass scans only what appeared since the previous one. sleep 3600; done - waits one hour after a pass finishes, so the interval is scan time plus one hour rather than exactly one hour. Templates under file/ (file/xss, file/webshell, file/sql) are file-protocol templates that scan local files, not URLs; against hosts coming out of httpx use http/ templates such as http/vulnerabilities.

---------------------------------------------------------------------------------------

Last updated