1. Finding Seeds / Roots
    1. Scope Domains
    2. Acquisitions
      1. Crunchbase
    3. ASN Enumeration
      1. Hurricane Electric Services
      2. AMASS
    4. Reverse WHOIS
      1. Whoxy
      2. DOMLink
    5. Ad / Analytics Relationships
      1. Builtwith
    6. Google Fu
      1. Copyright text
      2. Terms of service text
      3. Privacy report text
      4. Copy them and search on Google
    7. Shodan
  2. Finding Subdomains
    1. Linked and JS Discovery
      1. Linked Discovery
        1. GoSpider
        2. Hakrawler
    2. Subdomain Enumeration
      1. SubDomainizer
      2. Sublist3r
      3. Findomain
    3. Subdomain Scraping
      1. Google Dorking
      2. Amass
      3. Subfinder
      4. Github-subdomains.py
      5. Shosubgo
    4. Subdomain Bruteforcing
      1. Amass does this with -rf flag
        1. amass enum -brute -d twitch.tv -src
        2. amass enum -brute -d twitch.tv -rf resolvers.txt -w bruteforce.list
        3. Amass offers bruteforcing via "enum" using the "-brute" switch. You can also specify any number of resolvers, and there is a built-in list.
      2. Massdns
      3. ShuffleDNS
      4. The Massive wordlist is attached here
    5. Alteration Scanning
      1. Altdns
      2. Amass
  3. Others
    1. Port Analysis
      1. Masscan
        1. Syntax guide for Masscan, e.g. command: masscan -p1-65535 -iL $ipFile --max-rate 1800 -oG $outPutFile.log
      2. dnmasscan
    2. Service Scanning
      1. Brutespray
      2. Github Dorking
    3. Screenshotting
      1. Eyewitness
      2. Aquatone
      3. httpscreenshot
    4. Subdomain Takeover
      1. Can I take over XYZ?
      2. Subover
  4. Automation ++
    1. Interlace
  5. 1. Masscan
  6. 3. Brutespray Credential Bruteforce
  7. 2. Nmap service scan -oG
  8. Frameworks
    1. C - Tier
      1. Automation built around scripting up other tools in Bash or Python. Step based, no workflow. Few techniques. Little extensibility.
        1. AdmiralGaust - Bountyrecon
        2. Offhourscoding - recon
        3. Sambal0x - recon tools
        4. JoshuaMart - Autorecon
        5. Yourbuddy25 - Hunter
        6. Venom26 - ultimate recon
    2. B - Tier
      1. Automation writing a few of their own modules. Some GUI or advanced workflow. Medium techniques. Runs point-in-time. Flat files.
        1. Lazyrecon
        2. phspade - Automated Scanner
        3. OneForAll
        4. chomp-scan
        5. domained
        6. sudomy
        7. gorecon
        8. tugarecon
    3. A - Tier
      1. Automation writing all their own modules. Has GUI. Runs iteratively. Manages data via db.
        1. Findomain
        2. Rock-ON
        3. Recon-pipeline
    4. S - Tier
      1. Automation writing their own modules. Has GUI. Runs iteratively. Manages data via db. Scales across multiple boxes. Sends alerts to users. Uses novel techniques and iterates quickly. ML + AI.
        1. Intrigue.io
        2. Spiderfoot
  9. Tomnomnom's GitHub
  10. The Bug Hunters Methodology (TBHM)