# Find subdomains

## Identify IPs and main TLDs
- ASNs: http://bgp.he.net
- Reverse Whois: https://whois.arin.net (target IP range), https://reverse.report/, http://domainbigdata.com/, http://viewdns.info/, https://apps.db.ripe.net/db-web-ui/#/fulltextsearch
- Acquisitions: https://www.crunchbase.com/search/acquisitions
- Trademarks
- Shodan: shodan.io
- https://censys.io
- https://developers.facebook.com/tools/ct
- https://www.zoomeye.org/
- crt.sh (query `%.site.com`)
- https://transparencyreport.google.com/https/certificates?hl=en
- https://github.com/anshumanbh/brutesubs
- https://github.com/mandatoryprogrammer/cloudflare_enum
- https://github.com/TheRook/subbrute
- https://github.com/blechschmidt/massdns
- https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056 (DNS wordlist)
- https://github.com/jfrancois/SDBF
- Sublist3r
- gobuster
- https://github.com/vysecurity/DomLink
- https://builtwith.com
- https://github.com/sa7mon/S3Scanner

### Mobile
- https://apkscan.nviso.be

### Other sites on the same host
- www.yougetsignal.com

### Recon scripts
- https://github.com/nahamsec/bbht
- https://github.com/nahamsec/lazyrecon

### GitHub
- Search: `amazonaws.com uber`

## Find subdomains of subdomains
```bash
./subbrute.py target.com > subdomains.txt
./subbrute.py -t subdomains.txt
```

## Leak
- gitrob
- git-all-secrets
- truffleHog
- git-secrets
- repo-supervisor

### AWS S3
- `site:s3.amazonaws.com inurl:site`
- sandcastle: https://github.com/0xSearches/sandcastle
- https://github.com/nahamsec/lazys3

## Dorks
- `site.com +inurl:dev -cdn`
- `site:apkscan.nviso.be site`
- `site:site.com -www.site.com -www.sandbox`
- `site:target.com filetype:php`
- `site:target.com filetype:aspx`
- `site:target.com filetype:swf` (Shockwave Flash)
- `site:target.com filetype:wsdl`
- `site:target.com inurl:.php?id=`
- `site:target.com inurl:.php?user=`
- `site:target.com inurl:.php?book=`
- `site:target.com inurl:login.php`
- `site:target.com intext:"login"`
- `site:target.com inurl:portal.php`
- `site:target.com inurl:register.php`
- `site:target.com intext:"index of /"`
- `site:target.com filetype:txt`
- `site:target.com inurl:.php.txt`
- `site:target.com ext:txt`
- CSP headers
- fofa.so

## Permutation scanning & port scan
- `nmap -sS -A -PN -p- --script=http-title site.com`
- Altdns
- SDBF
- nmap
- masscan

## Visual identification
- EyeWitness

## Auxiliary
- spider
- GitHub

## Platform identification
- BuiltWith
- Wappalyzer
- Vulners Burp plugin

## Content discovery

### Mapping
- https://github.com/zseano/InputScanner.git
- https://github.com/zseano/JS-Scan.git
- retire.js
- SVN
- git: https://github.com/arthaud/git-dumper.git, https://github.com/michenriksen/gitrob
- RAFT lists
- Wappalyzer
- Xssed.com
- intrigue: https://github.com/intrigueio/intrigue-core
- https://github.com/cure53/Flashbang
- Gobuster
- Wordlists
- Burp

## Parameter discovery
- https://github.com/s0md3v/Arjun
- Parameth
- Burp "analyze target"
- https://github.com/epinna/tplmap.git
- https://github.com/jhaddix/domain

## Port scanner

## Testing

## WAF tip
- ww1, ww2, ww3, ... site.com
- x.sub.y.com
- x-sub.y.com

## SQL
- `SLEEP(1)`
- `/*' or SLEEP(1) or '" or SLEEP(1) or "*/`

## SSL
- https://github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL

## iOS
- idb tool: https://github.com/dmayer/idb

## Scripts
```bash
#!/bin/bash
# Fetch /phpinfo.php from every host in 98.136.0.0-98.139.255.255 (one try, 5 s timeout), in the background.
for ipa in 98.13{6..9}.{0..255}.{0..255}; do wget -t 1 -T 5 http://${ipa}/phpinfo.php; done &
```
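As an added defender-side example (not part of these notes), here is a Python parser for the crt.sh JSON output behind the `%.site.com` query listed above: it normalizes the SAN names, keeps only names under the apex you own, and flags hosts with no currently valid certificate (forgotten assets) and hosts whose valid certificate came from a CA outside your approved list. The field names follow crt.sh's `output=json` format; the records, the reference date and the approved-issuer list are constructed.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output (?q=%.example.com&output=json):
# one record per log entry, with newline-separated SAN names in "name_value".
SAMPLE_CRTSH_JSON = """[
 {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "api.example.com",
  "name_value": "api.example.com\\nwww.api.example.com", "not_after": "2024-05-30T23:59:59"},
 {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.staging.example.com",
  "name_value": "*.staging.example.com", "not_after": "2024-08-30T23:59:59"},
 {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
  "common_name": "Old-Portal.Example.com.", "name_value": "Old-Portal.Example.com.", "not_after": "2023-01-01T23:59:59"},
 {"id": 4, "issuer_name": "C=XX, O=Unapproved CA", "common_name": "vpn.example.com",
  "name_value": "vpn.example.com\\nnotexample.com", "not_after": "2025-06-10T23:59:59"}
]"""
AS_OF = datetime(2024, 7, 1)  # constructed reference date used to decide whether a cert is still valid

def normalize(name):
    """Lower-case and strip the trailing dot so 'Foo.Example.com.' and 'foo.example.com' merge."""
    return name.strip().lower().rstrip(".")

def inventory_from_crtsh(json_text, apex, as_of):
    """Map each in-scope hostname to the certs seen for it as (issuer, still_valid) pairs.
    '%' in a crt.sh query is a substring match, so names outside the apex are dropped here."""
    hosts = {}
    for rec in json.loads(json_text):
        still_valid = datetime.fromisoformat(rec["not_after"]) >= as_of
        for raw in rec["name_value"].split("\n"):
            name = normalize(raw)
            wildcard = name.startswith("*.")
            if wildcard:
                name = name[2:]  # keep the wildcard's base name, flagged, instead of a literal '*'
            if not (name == apex or name.endswith("." + apex)):
                continue
            entry = hosts.setdefault(name, {"certs": [], "wildcard": False})
            entry["certs"].append((rec["issuer_name"], still_valid))
            entry["wildcard"] = entry["wildcard"] or wildcard
    return hosts

def stale_hosts(hosts):
    """Names seen in CT with no currently valid cert: candidates for forgotten or decommissioned assets."""
    return sorted(h for h, e in hosts.items() if not any(valid for _, valid in e["certs"]))

def unexpected_issuers(hosts, approved_issuers):
    """Names holding a valid cert from a CA the organisation does not use: worth an issuance review."""
    return sorted(h for h, e in hosts.items()
                  if any(valid and issuer not in approved_issuers for issuer, valid in e["certs"]))

if __name__ == "__main__":
    inv = inventory_from_crtsh(SAMPLE_CRTSH_JSON, "example.com", AS_OF)
    print("stale:", stale_hosts(inv), "unexpected issuer:", unexpected_issuers(inv, {"C=US, O=Let's Encrypt, CN=R3"}))
```

Run against live data by saving the crt.sh JSON response to a file and passing its contents in place of the constructed sample.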