Medium Scope

Subdomain Enumeration
1. Subfinder
2. Assetfinder
3. Sublist3r
4. Amass
5. Chaos
6. Sudomy
7. findomain
Subdomain Bruteforcing
1. dnsx
2. DNS Validator (Generate Resolver List)
Subdomain Takeover
1. Nuclei Templates
2. Subdomain Takeover (tool)
3. Takeover
4. Osmedeus Takeover Module
Probing
1. HTTPX
2. HTTProbe
Technology Fingerprinting
1. Wappalyzer Plugin
2. Whatweb
Port Scanning
1. NMap
2. Naabu
Known Vulnerabilites
1. https://cve.mitre.org
2. https://www.cvedetails.com
3. https://www.exploit-db.com/
4. https://snyk.io/
5. https://www.cybersecurity-help.cz/vdb/
Template Based Scanning (Nuclei / Jeales)
1. Nuclei
2. Jaeles
Misconfigured Cloud Storage
1. S3 Misconfig Article
Broken Link Hijacking
1. BurpSuite Plugin
2. Tool
Directory Enumeration
1. Dirsearch
2. FFUF
3. Wordlists
JavaScript Files for Hardcoded APIs & Secrets
1. Automated tools for finding hardcoded information
2. Automated tools for finding params, endpoints, etc.
3. Compare JS files (current and old)
4. Tools
  1. JFScan
  2. LinkFInder
  3. DetectDynamicJS
  4. Retire.js (Burp Plugin/Browser Extension/Standalone)
  5. JSLink Finder (Burp Plugin)
  6. SecretFinder
Domain-Specific GitHub & Google Dorking
1. Google Hacking DB
2. GitDocker
3. GitRob
4. GirHound
5. Interesting GitHub Dorks List
Parameter Discovery
1. ParamSpider
2. Arjun
Data Breach Analysis
1. Intelx
2. Hacking Forums
3. Darkweb/Darknet Analysis
Parameter Fuzzing
Search Engine Discovery
1. Shodan
2. Spyse
3. Censys
4. Fofa
5. BinaryEdge
IP Range Enumeration (If In Scope)
Wayback History
1. Wayback Machine
2. Waybackurls
3. gau
Potential Pattern Extraction with GF and automating further for XSS, SSRF , etc.
1. GF
2. GF Patterns
Heartbleed Scanning
1. MassBleed
General Security Misconfig. Scanning
1. CORS
2. Security Headers
3. SPF Record
4. CRLF Inection
5. HTTP Request Smuggling Detection (More false positives in Automation)
If any outdated software is found , then check for CVEs
Reference : Harsh Bothra Mind Map
by : Software Odyssey