@@ -1,270 +1,208 @@
#find sub domain
@Identify IPs and main TLDs
ASNs (http://bgp.he.net)
Reverse Whois (https://whois.arin.net (Target IP Range) , https://reverse.report/ , http://domainbigdata.com/ , http://viewdns.info/ ,https://apps.db.ripe.net/db-web-ui/#/fulltextsearch)
Acquisitions (https://www.crunchbase.com/search/acquisitions)
Trademarks
Shodan (shodan.io)
https://censys.io
https://developers.facebook.com/tools/ct
https://www.zoomeye.org/
crt.sh (%.site.com)
https://transparencyreport.google.com/https/certificates?hl=en
https://github.com/anshumanbh/brutesubs
https://github.com/mandatoryprogrammer/cloudflare_enum
https://github.com/TheRook/subbrute
https://github.com/blechschmidt/massdns
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056 (wordlist DNS)
https://github.com/jfrancois/SDBF
sublister
gobuster
https://github.com/vysecurity/DomLink
https://builtwith.com
https://github.com/blechschmidt/massdns
https://github.com/sa7mon/S3Scanner
#####Mobile
https://apkscan.nviso.be
######## other side on same domain
www.yougetsignal.com
##########################################
https://github.com/nahamsec/bbht
https://github.com/nahamsec/lazyrecon
##########################################
github amazonaws.com uber
############## Find Subdomains of Subdomain ##################
/subbrute.py target.com > sudomains.txt
./subbrute.py –t subdomains.txt
###########Leak ##############################################
gitrob
git-all-secrets
truffleHog
git-secrets
repo-supervisor
#AWS SS3
site:s3.amazonaws.com inurl:site
sandcastle (https://github.com/0xSearches/sandcastle)
https://github.com/nahamsec/lazys3
###################Dork:
site.com +inurl:dev -cdn
site:apkscan.nviso.be site
site:site.com -www.site.com -www.sanbox
-site:target.com filetype:php
- site:target.com filetype:aspx
- site:target.com filetype:swf (Shockwave Flash)
- site:target.com filetype:wsdl
- site: target.com inurl:.php?id=
- site: target.com inurl:.php?user=
- site: target.com inurl:.php?book=
- site: target.com inurl:login.php
- site: target.com intext: “login”
- site: target.com inurl:portal.php
- site: target.com inurl:register.php
-site: target.com intext: “index of /”
-site: target.com filetype:txt
- site: target.com inurl:.php.txt
-site: target.com ext:txt
CSP Headers
fofa.so
@Permutation scanning & Portscan
nmap -sS -A -PN -p- --script=http-title site.com
Altdns
Sdbf
nmap
masscan
@Visual Identification
eyewitness
@AUXiliary
spider
Github
@Platform Identification
Builtwith
Wappalyzer
Vulners Burp Plugin
@Content Discovery
#Mapping
https://github.com/zseano/InputScanner.git
https://github.com/zseano/JS-Scan.git
retire.js
SVN
git (https://github.com/arthaud/git-dumper.git , https://github.com/michenriksen/gitrob )
RAFT lists
Wapplyzer
Xssed.com
intrigue (https://github.com/intrigueio/intrigue-core)
https://github.com/cure53/Flashbang
Gobuster
Wordlists
Burp
@Parameter discovery
https://github.com/s0md3v/Arjun
Parameth
Burp analyze target
https://github.com/epinna/tplmap.git
https://github.com/jhaddix/domain
#Port scanner:
#Testing
#WAF
tip
ww1,ww2,ww3, ... site.com
x.sub.y.com
x-sub.y.com
#SQL
SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/
#SSL
https://github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL
#IOS
idb tool (https://github.com/dmayer/idb)
######################################### SCRIPTS ####################################
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 5 http://${ipa}/phpinfo.php; done&
#Rundns
#!/bin/bash
./subbrute.py all.txt $1|/bin/massdns -r resolvers.txt -t A -a -o -w $1_massdns.txt
#certspotter.sh
#!/bin/bash
#curl https://certspotter.com/api/v0/certs\?domain\=$1 | jq '.[].dns_names[]' | sed
's/\"//g' | sed 's/\*\.//g' | uniq | dig +short -f - | uniq | nmap -T5 -Pn -sS -i - -p
80,443,21,22,8080,8081,8443 --open -n -oG -
#curl https://certspotter.com/api/v0/certs\?domain\=luminate.com | jq '.[].dns_names[]'
| sed 's/\"//g' | sed 's/\*\.//g' | uniq | dig +short -f - | uniq | nmap -T5 -Pn -sS -i
- -p 80,443,21,22,8080,8081,8443 --open -n -oG -
curl https://certspotter.com/api/v0/certs\?domain\=$1 | jq '.[].dns_names[]' | sed
's/\"//g' | sed 's/\*\.//g' | uniq
###AMASS
#!/bin/bash
mkdir $1
touch $1/$1.txt
amass -active -d $1 |tee /root/tools/amass/$1/$1.txt
###SubFinder
!/bin/bash
mkdir $1
touch $1/$1.txt
subfinder -d $1 |tee $1/$1.txt
####MASScan
#!/bin/bash
strip=$(echo $1|sed 's/https\?:\/\///')
echo ""
echo "##################################################"
host $strip
echo "##################################################"
echo ""
masscan -p1-65535 $(dig +short $strip|grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"|head -1)
--max-rate 1000 |& tee $strip_scan
██████╗ ███████╗ ██████╗ ██████╗ ███╗ ██╗
██╔══██╗██╔════╝██╔════╝██╔═══██╗████╗ ██║
██████╔╝█████╗ ██║ ██║ ██║██╔██╗ ██║
██╔══██╗██╔══╝ ██║ ██║ ██║██║╚██╗██║
██║ ██║███████╗╚██████╗╚██████╔╝██║ ╚████║
╚═╝ ╚═╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═══╝
@intx0x80
1- Assest discover
[+] subdomain
https://github.com/anshumanbh/brutesubs
https://michenriksen.com/blog/aquatone-now-in-go/
https://github.com/mandatoryprogrammer/cloudflare_enum
https://github.com/TheRook/subbrute
https://github.com/blechschmidt/massdns
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056 (wordlist DNS)
https://github.com/jhaddix/domain
knockpy
https://github.com/tomnomnom/assetfinder
https://bgp.he.net
CSP Headers [https://github.com/0xbharath/domains-from-csp]
https://github.com/0xbharath/censys-enumeration
https://github.com/appsecco/the-art-of-subdomain-enumeration
https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration
https://github.com/0xbharath/assets-from-spf
https://github.com/0xbharath/cloudflare_enum
massdns
amass
subfinder
Altdns
sublister
crt.sh (%.site.com)
www.yougetsignal.com
[+] CERT
censys [443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names:[site.com] ]
google [https://transparencyreport.google.com/https/certificates?hl=en]
facebook [https://developers.facebook.com/tools/ct]
2-OSINT
https://github.com/intrigueio/intrigue-core
[+] ARIN
https://whois.arin.net
https://reverse.report/
http://domainbigdata.com/
http://viewdns.info/
https://apps.db.ripe.net/db-web-ui/#/fulltextsearch
http://bgp.he.net
[+] Shodan [shodan.io]
Ports: 8443, 8080, 8180, etc
Title: “Dashboard [Jenkins]”
Product:Tomcat
Hostname: somecorp.com
Org: evilcorp
ssl: Google
fofa.so
[+] doc
stroage.googleapis.com/site.com
[+] Acquisitions
https://www.crunchbase.com/search/acquisitions
[+]get live domains [https://github.com/tomnomnom/httprobe]
3-Vendor Services
[+] Leak creeds
https://apkscan.nviso.be
gitrob
git-all-secrets
truffleHog
git-secrets
repo-supervisor
[+]gitlab
gitlab /explore
[+] github dork
https://github.com/0xbharath/github-dorks
"company.com" "dev"
"dev.company.com”
"company.com" API_key
"company.com" password
"api.company.com" authorization
APP_SECRET
consumerkey
JIRA_Password
jdbc
“authorization bearer”
auth_key
consumer_secret
SECURITY-SIGNATURE
X-API
X-Paypal
secret_key
JWK/JWT
SSO_LOGIN
defaultEndpointsProtocol
access_key
accountKey
AWS_Secret
aws_secret_access_key
rexis
api_key
3-Visual Identification
eyewitness
webscreenshot
gowitness
4-scanning
[+]nmap
nmap -sS -A -PN -p- --script=http-title site.com
[+]common ports
3868,3366,8443,8080,9443,9091,3000,8000,5900,8081,6000,10000,8181,3306,5000,4000,8888,5432,15672,9999,161,4044,7077,4040,9000,8089,443,7447,7080,8880,8983,5673,7443
[+]masscan
masscan -p1-65535 $(dig +short $1|grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"|head - --max-rate 1000
5-Platform Identification
[*]Builtwith
[*]Wappalyzer
[*]Vulners Burp Plugin
6-Content Discovery
[*]Gobuster
[*]dirbuster
[*]dirsearch
[*]wfuzz
[*]meg [https://github.com/tomnomnom/meg]
[*]waybackurls [https://github.com/tomnomnom/waybackurls]
[+]SVN
https://github.com/cure53/Flashbang
[+]git
https://github.com/arthaud/git-dumper.git
https://github.com/michenriksen/gitrob
7-Parameter discovery
Parameth [https://github.com/maK-/parameth]
Arjun [https://github.com/s0md3v/Arjun]
8-scripts
[+]phpinfo
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 5 http://${ipa}/phpinfo.php; done&
[+]certspotter
curl https://certspotter.com/api/v0/certs\?domain\=$1 | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq
[+]crtsh
curl -s https://crt.sh/?q=%.$1 | sed 's/<\/\?[^>]\+>//g' | grep $1
for i in `cat list.txt`
do
curl -s https://crt.sh/?q=$i | sed 's/<\/\?[^>]\+>//g' |tee -a domain.txt
done
echo "[+] httprope"
cat domain.txt|httprobe|tee -a live-domain.txt
9-AWS SS3
sandcastle [https://github.com/0xSearches/sandcastle]
https://github.com/nahamsec/lazys3
[+]dork
site:s3.amazonaws.com inurl:site
10-Dorks
-site.com +inurl:dev -cdn
- site:site.com -www.site.com -www.sanbox
- site:target.com filetype:php
- site:target.com filetype:aspx
- site:target.com filetype:swf (Shockwave Flash)
- site:target.com filetype:wsdl
- site: target.com inurl:.php?id=
- site: target.com inurl:.php?user=
- site: target.com inurl:.php?book=
- site: target.com inurl:login.php
- site: target.com intext: “login”
- site: target.com inurl:portal.php
- site: target.com inurl:register.php
- site: target.com intext: “index of /”
- site: target.com filetype:txt
- site: target.com inurl:.php.txt
- site: target.com ext:txt
- site:trello.com intext:ftp
- site:trello.com intext:ORG
- site:target.com filetype:php
- site:target.com filetype:aspx
- site:target.com filetype:swf (Shockwave Flash)
- site:target.com filetype:wsdl
- site:example.com -www [ Bing, DuckDuckGo, Yahoo]
███████╗███╗ ██╗██████╗
██╔════╝████╗ ██║██╔══██╗
█████╗ ██╔██╗ ██║██║ ██║
██╔══╝ ██║╚██╗██║██║ ██║
███████╗██║ ╚████║██████╔╝
╚══════╝╚═╝ ╚═══╝╚═════╝
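Review bot: the SubFinder wrapper's first line `!/bin/bash` is missing the leading `#`, so it is not a shebang (the script will run under whatever shell invokes it, and `!` can trigger history expansion in an interactive bash); the same hunk carries several other script defects worth fixing before this lands. The masscan wrapper ends with `tee $strip_scan`, which expands the unset variable `strip_scan` rather than `${strip}_scan`, so the scan output is never written to a file; the later one-line masscan command is cut off at `head -` with the `-1)` and closing of the `$(...)` substitution lost, so it cannot parse. `./subbrute.py –t subdomains.txt` uses an en dash instead of `-t`, and the preceding command writes `sudomains.txt` while the next reads `subdomains.txt`. The amass wrapper runs `mkdir $1` relative to the working directory but tees to the absolute `/root/tools/amass/$1/$1.txt`, so the two paths only coincide when run from that directory. Quoting `"$1"` throughout, and replacing the backtick `cat list.txt` loop with `while read -r i`, would also avoid word-splitting on the domain argument.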