1. 1st phase
    1. roots
      1. BugCrowd/h1/intigriti
    2. Acquisitions
      1. https://crunchbase.com/
      2. https://corp.owler.com/
      3. https://acquiredby.co/
      4. Wikipedia
      5. https://tools.whoisxmlapi.com/domain-availability-check
    3. ASN
      1. GUI
        1. http://bgp.he.net/
        2. https://ipinfo.io/
        3. asnlookup.com
        4. https://apps.db.ripe.net/db-web-ui/#/fulltextsearch
        5. https://whois.arin.net/ui/query.do
        6. http://ipv4info.com/
        7. mxtoolbox.com
        8. https://book.hacktricks.xyz/external-recon-methodology#asns
      2. cmd line
        1. https://github.com/j3ssie/metabigor
          1. echo "tesla" | metabigor net --org -v
        2. https://github.com/OWASP/Amass
          1. amass intel -org tesla
          2. amass intel -asn 8911,50313,394161
        3. https://github.com/yassineaboukir/Asnlookup
    4. Reverse Whois
      1. Whoxy.com
      2. BuiltWith
      3. https://viewdns.info/reversewhois
      4. https://www.reversewhois.io/
      5. http://ipv4info.com/
      6. https://opendata.rapid7.com/sonar.rdns_v2/
      7. http://dnsgoodies.com/
      8. https://domaineye.com/reverse-whois
      9. amass : https://github.com/OWASP/Amass
        1. amass intel -whois -d tesla.com
      10. https://github.com/jpf/domain-profiler
        1. ./profile zee.com
      11. https://github.com/vysecurity/DomLink
    5. Ad/Analytics
      1. builtwith.com
      2. https://raw.githubusercontent.com/m4ll0k/Bug-Bounty-Toolz/master/getrelationship.py
        1. cookie
      3. whatweb
    6. Reverse DNS
      1. https://securitytrails.com/
      2. https://www.robtex.com/dns-lookup/eff.org
      3. https://community.riskiq.com/home
      4. https://www.circl.lu/services/passive-dns/
    7. dorking [Manual]
      1. Google-Fu [manual]
        1. https://dorks.faisalahmed.me/#
      2. Github Dorking (manual)
        1. TOOLS
          1. JHaddix BS SCRIPT
          2. https://gist.github.com/jhaddix/1fb7ab2409ab579178d2a79959909b33
          3. github-search
          4. https://github.com/gwen001/github-search
          5. GitMiner
          6. https://github.com/UnkL4b/GitMiner
          7. GitDorker
          8. https://github.com/obheda12/GitDorker
          9. python3 GitDorker.py -t TOKEN -d Dorks/alldorksv3 -q DOMAIN.COM -o DOMAIN.COM.txt
          10. git-hound
          11. https://github.com/ezekg/git-hound
          12. gitrob
          13. https://github.com/michenriksen/gitrob
          14. Searching in repos and Orgs
          15. truffleHog
          16. https://github.com/trufflesecurity/truffleHog
          17. git-all-secrets
          18. https://github.com/anshumanbh/git-all-secrets
          19. repo-supervisor
          20. https://github.com/auth0/repo-supervisor
          21. Scan your code for security misconfiguration, search for passwords and secrets.
          22. repo-security-scanner
          23. https://github.com/UKHomeOffice/repo-security-scanner
          24. gitleaks
          25. https://github.com/zricethezav/gitleaks
          26. gittyleaks
          27. https://github.com/kootenpv/gittyleaks
        2. .git repositories available
          1. https://github.com/internetwache/GitTools.git
        3. Dorks
          1. https://github.com/gwen001/github-search/blob/master/dorks.txt
          2. https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt
        4. GitHub Secrets Check
          1. smtper
          2. https://www.smtper.net/
      3. Specialized search engines
        1. Shodan
          1. tools
          2. https://github.com/incogbyte/shosubgo
          3. https://github.com/BullsEye0/shodan-eye
          4. https://github.com/BullsEye0/shodan-eye/blob/master/Shodan_Dorks_The_Internet_of_Sh*t.txt
          5. https://awesomeopensource.com/projects/shodan
          6. https://github.com/evilsocket/xray
          7. https://github.com/random-robbie/My-Shodan-Scripts
          8. https://t.co/BNw6JvTVH9?amp=1
          9. queries
          10. http.html:"dev-int.bigcompanycdn.com"
          11. org:"Tesla, Inc."
          12. ssl:"Tesla Motors"
          13. resources
          14. https://equatorial-soldier-1bb.notion.site/Hegazy-Group-c7b83ba0e7d540a19db6f55e9884aace
          15. https://github.com/shifa123/shodandorks/blob/master/shodandorks
          16. https://www.youtube.com/results?reload=9&app=desktop&search_query=shodan+dorking+for+bug+bounty
        2. Censys
          1. https://github.com/yamakira/censys-enumeration
          2. https://github.com/appsecco/the-art-of-subdomain-enumeration/blob/master/censys_subdomain_enum.py
        3. ZoomEye
          1. https://www.zoomeye.org/
        4. FOFA
          1. https://fofa.so/
        5. Check List
  2. 2nd phase
    1. Finding Subdomains
      1. Subdomain Scraping
        1. Search Engines
        2. Infrastructure Sources
          1. https://www.netcraft.com/
          2. https://censys.io/
          3. https://dnsdumpster.com/
          4. http://ptrarchive.com/
        3. Certificate Sources
          1. https://crt.sh/
          2. sslmate
          3. certspotter
          4. https://spyse.com/tools/ssl-lookup
          5. https://github.com/yassineaboukir/sublert
          6. https://github.com/eslam3kl/crtfinder
          7. https://developers.facebook.com/tools/ct/
          8. https://google.com/transparencyreport/https/ct/
        4. Security Sources
          1. https://securitytrails.com/
          2. https://www.virustotal.com/
          3. https://www.threatcrowd.org/
          4. https://www.threatminer.org/
        5. Amass
          1. https://github.com/OWASP/Amass
          2. cheat sheet
          3. https://blog.intigriti.com/2021/06/08/hacker-tools-amass-hunting-for-subdomains/?cn-reloaded=1
          4. commands
          5. amass intel -active -addr 8.8.8.8
          6. amass intel -org "google"
          7. amass intel -active -asn 15169
          8. amass intel -timeout 60 -d google.com
          9. amass enum -passive -d owasp.org -src -config config.ini
          10. amass enum -active -d owasp.org -src -config config.ini
          11. amass enum -aw <PATH> -d owasp.org
          12. amass enum -df domains.txt
          13. amass track -d owasp.org
          14. amass enum -brute -d twitch.tv -rf resolvers.txt -w bruteforce.list
        6. assetfinder
          1. https://github.com/tomnomnom/assetfinder
          2. assetfinder -subs-only DOMAIN.COM > subdomains-asset
        7. Subfinder v2
          1. https://github.com/projectdiscovery/subfinder
          2. subfinder -dL scope -all -silent >> subdomains
          3. subfinder -d DOMAIN.COM -all
        8. github-subdomains.py
          1. https://github.com/gwen001/github-search/blob/master/github-subdomains.py
          2. python3 github-subdomains.py -t TOKEN -d DOMAIN.COM > c-sub-github.txt
        9. Knock.py
          1. https://github.com/guelfoweb/knock
          2. python3 ~/Tools/knock/knockpy/knockpy.py -o knock DOMAIN.COM
        10. Sublist3r
          1. https://github.com/aboul3la/Sublist3r
          2. sublist3r -d DOMAIN.COM -b -t 100 -o sublister.txt
        11. Turbolist3r
          1. https://github.com/fleetcaptain/Turbolist3r
          2. python3 ~/Tools/Turbolist3r/turbolist3r.py -d DOMAIN.COM -b -t 100 -o ~/recon/thesun.co.uk/turbolist3r.txt
        12. OneForAll
          1. https://github.com/shmilylty/OneForAll
        13. Findomain
          1. https://github.com/Findomain/Findomain
          2. findomain -f scope -u find-sub.txt
          3. findomain -t thesun.co.uk
        14. Sudomy
          1. https://github.com/screetsec/Sudomy
          2. ~/Tools/Sudomy/./sudomy -o ~/recon/thesun.co.uk/sudomy -d thesun.co.uk
        15. API
          1. https://github.com/Screetsec/Sudomy
        16. DB
          1. https://github.com/xrootshell/chaospy
      2. Subdomain Bruteforce
        1. Gobuster
          1. https://github.com/OJ/gobuster
        2. Subdomain Bruting Lists
          1. https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
          2. https://github.com/assetnote/commonspeak2
          3. https://book.hacktricks.xyz/external-recon-methodology#dns-brute-force-v2
      3. DNS enum [IPs / CIDR]
        1. https://rapiddns.io/
        2. https://github.com/darkoperator/dnsrecon
          1. dnsrecon -r 157.240.221.35/24 -n 8.8.8.8 # Using Google's DNS
          2. dnsrecon -r 157.240.221.35/24 -n 1.1.1.1 # Using Cloudflare's DNS
          3. dnsrecon -d facebook.com -r 157.240.221.35/24 # Using Facebook's DNS
          4. dnsrecon -r <DNS Range> -n <IP_DNS> #DNS reverse of all of the addresses
        3. https://github.com/evilsocket/dnssearch
        4. aiodnsbrute
          1. https://github.com/blark/aiodnsbrute
        5. shuffleDNS
          1. https://github.com/projectdiscovery/shuffledns
        6. altdns
          1. https://github.com/infosec-au/altdns
        7. dnsx
          1. https://github.com/projectdiscovery/dnsx
        8. puredns
          1. https://github.com/d3mondev/puredns
        9. dnsvalidator
          1. https://github.com/vortexau/dnsvalidator
          2. https://public-dns.info/nameservers-all.txt
        10. https://dnsdumpster.com/
        11. https://otx.alienvault.com/
        12. https://github.com/jonluca/Anubis-DB
      4. VHost Scan [IPs / CIDR]
        1. https://github.com/SpiderLabs/HostHunter
        2. resources
          1. https://book.hacktricks.xyz/external-recon-methodology#brute-force
          2. https://twitter.com/Th3G3nt3lman/status/1171826399956676609
    2. Cloud Assets
      1. S3 buckets
        1. https://github.com/nahamsec/lazys3
        2. https://digi.ninja/projects/bucket_finder.php
        3. https://github.com/gwen001/s3-buckets-finder
        4. https://github.com/sa7mon/S3Scanner
        5. https://github.com/ghostlulzhacks/s3brute
        6. https://github.com/bbb31/slurp
        7. https://github.com/kromtech/s3-inspector
        8. writeups
          1. https://medium.com/techiepedia/misconfigured-3-bucket-a-semi-opened-environment-9cfb9dee782d
          2. https://medium.com/@janijay007/s3-bucket-misconfiguration-from-basics-to-pawn-6893776d1007
          3. https://notifybugme.medium.com/how-i-was-able-find-mass-leaked-aws-s3-bucket-from-js-file-6064a5c247f8
          4. https://githubmemory.com/repo/0x0sec/awesome-bugbounty-tools
      2. cloud_enum
        1. https://github.com/initstring/cloud_enum
          1. python3 cloud_enum.py -k meraki.com -k ikarem.io
      3. CloudScraper
        1. https://github.com/jordanpotti/CloudScraper
      4. cloudlist
        1. https://github.com/projectdiscovery/cloudlist
      5. Cloudflare_enum
        1. https://github.com/appsecco/the-art-of-subdomain-enumeration/blob/master/cloudflare_subdomain_enum.py
      6. https://github.com/jordanpotti/AWSBucketDump
  3. 4th phase
    1. Content Discovery and fuzzing
      1. WFUZZ
        1. https://github.com/xmendez/wfuzz/
          1. https://www.youtube.com/watch?v=iLFkxAmwXF0
          2. https://www.youtube.com/watch?v=aN3Nayvd7FU
      2. FFuF
        1. https://github.com/ffuf/ffuf
          1. ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://MACHINE_IP/FUZZ
      3. https://github.com/maurosoria/dirsearch
      4. https://github.com/OJ/gobuster
        1. gobuster dir --url http://MACHINE_IP/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
      5. https://github.com/KajanM/DirBuster
      6. https://github.com/devanshbatham/ParamSpider
      7. dirb
        1. dirb http://MACHINE_IP/ /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
      8. waybackurls
        1. https://github.com/tomnomnom/waybackurls
      9. gau
        1. https://github.com/lc/gau
    2. Linked and JS Discovery
      1. Endpoint Linked and GET JS Files
        1. Burp Suite Pro
        2. https://github.com/tomnomnom/waybackurls
        3. https://github.com/hakluke/hakrawler
        4. https://github.com/lc/gau
        5. https://github.com/jaeles-project/gospider
        6. https://github.com/003random/getJS
        7. https://github.com/GerbenJavado/LinkFinder
        8. https://github.com/lc/subjs
        9. https://github.com/KathanP19/JSFScan.sh
      2. Search JS Files
        1. https://github.com/nsonaniya2010/SubDomainizer
        2. https://github.com/Cillian-Collins/subscraper
        3. https://github.com/jobertabma/relative-url-extractor
        4. https://github.com/m4ll0k/SecretFinder
  4. 3rd phase
    1. Favicon Analysis
      1. https://github.com/devanshbatham/FavFreak
      2. https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/favihash.py
    2. Port Analysis
      1. masscan
        1. https://danielmiessler.com/study/masscan/
      2. nmap
      3. naabu
        1. https://github.com/projectdiscovery/naabu
      4. https://github.com/x90skysn3k/brutespray
      5. dnmasscan
        1. https://github.com/rastating/dnmasscan
      6. Service Scanning
        1. https://github.com/x90skysn3k/brutespray
      7. subresolve
        1. https://github.com/melvinsh/subresolve
    3. Screenshotting
      1. Good
        1. https://github.com/michenriksen/aquatone
        2. https://github.com/FortyNorthSecurity/EyeWitness
      2. Bad
        1. https://github.com/breenmachine/httpscreenshot
        2. https://github.com/maaaaz/webscreenshot
        3. https://github.com/mdhama/lazyshot
        4. https://shutter-project.org/downloads/
        5. https://bitbucket.org/al14s/rawr/wiki/Home
        6. https://bitbucket.org/LaNMaSteR53/peepingtom/src
        7. https://github.com/dafthack/PowerWebShot
  5. https://github.com/1N3/Sn1per
  6. https://github.com/streaak/keyhacks