1. Tracking & Tracing every possible signature of the Target Application
  2. Subsidiary & Acquisition Enumeration (Depth - Max)
    1. Owler
    2. Crunchbase
    3. Wikipedia & Google Search
  3. Reverse Lookup
    1. Amass
    2. Reverse IP
  4. Subdomain Enumeration
    1. Subfinder
    2. Assetfinder
    3. Sublist3r
    4. Amass
    5. Chaos
    6. Sudomy
    7. findomain
  5. Subdomain Bruteforcing
    1. dnsx
    2. DNS Validator (Generate Resolver List)
  6. Subdomain Takeover
    1. Nuclei Templates
    2. Subdomain Takeover (tool)
    3. Takeover
    4. Osmedeus Takeover Module
  7. Probing
    1. HTTPX
    2. HTTProbe
  8. Technology Fingerprinting
    1. Wappalyzer Plugin
    2. Whatweb
  9. Port Scanning
    1. Nmap
    2. Naabu
  10. Known Vulnerabilities
    1. https://cve.mitre.org
    2. https://www.cvedetails.com
    3. https://www.exploit-db.com/
    4. https://snyk.io/
    5. https://www.cybersecurity-help.cz/vdb/
  11. Template Based Scanning (Nuclei / Jaeles)
    1. Nuclei
    2. Jaeles
  12. Misconfigured Cloud Storage
    1. S3 Misconfig Article
  13. Broken Link Hijacking
    1. BurpSuite Plugin
    2. Tool
  14. Directory Enumeration
    1. Dirsearch
    2. FFUF
    3. Wordlists
  15. JavaScript Files for Hardcoded APIs & Secrets
    1. Automated tools for finding hardcoded information
    2. Automated tools for finding params, endpoints, etc.
    3. Compare JS files (current and old)
    4. Tools
      1. JSFScan
      2. LinkFinder
      3. DetectDynamicJS
      4. Retire.js (Burp Plugin/Browser Extension/Standalone)
      5. JSLink Finder (Burp Plugin)
      6. SecretFinder
  16. Domain-Specific GitHub & Google Dorking
    1. Google Hacking DB
    2. GitDorker
    3. GitRob
    4. GitHound
    5. Interesting GitHub Dorks List
  17. Parameter Discovery
    1. ParamSpider
    2. Arjun
  18. Data Breach Analysis
    1. Intelx
    2. Hacking Forums
    3. Darkweb/Darknet Analysis
  19. Parameter Fuzzing
  20. Search Engine Discovery
    1. Shodan
    2. Spyse
    3. Censys
    4. Fofa
    5. BinaryEdge
  21. IP Range Enumeration (If In Scope)
  22. Wayback History
    1. Wayback Machine
    2. Waybackurls
    3. gau
  23. Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
    1. GF
    2. GF Patterns
  24. Heartbleed Scanning
    1. MassBleed
  25. General Security Misconfig. Scanning
    1. CORS
    2. Security Headers
    3. SPF Record
    4. CRLF Injection
    5. HTTP Request Smuggling Detection (More false positives in Automation)
  26. Automated Recon Frameworks
    1. Project Bheem
    2. Osmedeus
    3. ReconNote
  27. If any outdated software is found, check for CVEs
  28. Reference: Harsh Bothra Mind Map
  29. By: Software Odyssey