Enumerate Applications

Check List

Cheat Sheet

Different URL

Subdomain Fuzzing

DNSEnum

dnsenum $WEBSITE -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

DNSRecon

dnsrecon -d $WEBSITE \
         -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
         -t brt

GoBuster

gobuster dns --domain $WEBSITE \
             -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

URLFinder

urlfinder -d $WEBSITE

RapidDNS

curl -s https://rapiddns.io/subdomain/${WEBSITE}?full=1 | \
grep -Eo '[a-zA-Z0–9.-]+\.[a-zA-Z]{2,}' | sort -u

Shodan CLI

Favicon

curl -s https://$WEBSITE/favicon.ico | \
base64 | python3 -c 'import mmh3, sys;print(mmh3.hash(sys.stdin.buffer.read()))' | \
xargs -I{} shodan search http.favicon.hash:{} --fields hostnames | tr ";" "\n"

Amass

Passive Scan

amass enum -passive -d $WEBSITE

Active Scan

amass enum -active \
           -brute \
           -d $WEBSITE \
           -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
amass intel -ip -cidr $TARGET
amass intel -active -asn $ASN

OpenSSL

echo | \
openssl s_client -showcerts -servername $WEBSITE -connect $IP:443 2>/dev/null | \
openssl x509 -inform pem -noout -text

AssetFinder & HttpX

assetfinder $WEBSITE | httpx --status-code --title

SubFinder

Favicon Hashes

subfinder -d $WEBSITE -all -recursive | httpx -favicon -j | \
jq -r .favicon | grep -v null | sort-u

Subdomain Fuzzing

subfinder -d $WEBSITE -all -recursive -o /tmp/subdomains.txt

Alterx

Subdomain New Gen

cat /tmp/subdomains.txt | alterx -o /tmp/gen-subdomains.txt

Httpx-Toolkit

Resolve Live Subdomains

cat /tmp/gen-subdomains.txt | \
httpx -ports 80,443,8080,8000,8888,8082,8083 \
      -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0" \
      > /tmp/alive-subdomains.txt

Puredns

Resolve New Gen

puredns resolve /tmp/gen-subdomains.txt -r /tmp/resolve-subdomains.txt

Katana

Fetch URLs

katana -u /tmp/alive-subdomains.txt \
       -d 5 -ps \
       -pss waybackarchive,commoncrawl,alienvault \
       -kf -jc -fx \
       -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg \
       -o /tmp/all-urls.txt

SubFinder & ShuffleDNS

Recon and Resolve

echo "1.1.1.1" > /tmp/resolvers.txt
subfinder -d $WEBSITE -all -recursive | \
shuffledns -d $WEBSITE -r /tmp/resolvers.txt -mode resolve

Directory Fuzzing

DirB

dirb $WEBSITE /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

DirSearch

Dictionary

dirsearch -u $WEBSITE \
          -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Brute Force

dirsearch -u $WEBSITE \
          -e php,cgi,htm,html,shtm,sql.gz,sql.zip,shtml,lock,js,jar,txt,bak,inc,smp,csv,cache,zip,old,conf,config,backup,log,pl,asp,aspx,jsp,sql,db,sqlite,mdb,wasl,tar.gz,tar.bz2,7z,rar,json,xml,yml,yaml,ini,java,py,rb,php3,php4,php5 \
          --random-agent \
          --deep-recursive \
          --exclude-status=404 \
          --follow-redirects \
          --delay=0.1

WFuzz

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt \
      --sc 200 "$WEBSITE/FUZZ"

GoBuster

gobuster dir -u $WEBSITE \
             -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Feroxbuster

feroxbuster --url $WEBSITE -C 200

FFUF & Katana

ffuf -u $WEBSITE/FUZZ \
     -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Non-Standard Ports

Port Scans

Nmap

TCP Ports

nmap -sS -sV --mtu 5000 $WEBSITE

UDP Ports

nmap -sU -sV --mtu 5000 $WEBSITE

Netcat

TCP Ports

nc -zv -w 1 $WEBSITE 1-65535

UDP Ports

nc -zvu -w 1 $WEBSITE 1-65535

Msscan

Fast Scan TCP/UDP

TARGETS=$(dig +short A "$WEBSITE" | sed '/^\s*$/d' | awk -F. '{print $1"."$2"."$3".0/24"}' | sort -u | paste -s -d, -);
sudo masscan --range $TARGETS -p1-65535,U:1-65535 --rate=10000 --http-user-agent "Mozilla/5.0 (Windows NT10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" -oG /tmp/massscan.txt

Naabu

grep 'Host:' /tmp/massscan.txt \
  | sed -E 's/.*Host: ([0-9.]+) .*Ports: (.*)/\1 \2/' \
  | while read ip ports; do
      echo "$ports" | tr ',' '\n' | awk -v ip="$ip" -F'/' '{print ip ":" $1}'
    done \
  | sort -u > /tmp/masscan-ipports.txt

awk -F: '{print $1}' /tmp/masscan-ipports.txt | sort -u > /tmp/masscan-ips.txt
awk -F: '{print $2}' /tmp/masscan-ipports.txt | sort -n -u | paste -s -d, - > /tmp/masscan-ports.csv
sudo naabu -list /tmp/masscan-ips.txt -p $(cat /tmp/masscan-ports.csv) -rate 1000 -nmap-cli 'nmap -sV --mtu 5000' -o /tmp/naabu-raw.txt
cat /tmp/naabu-raw.txt | sed -n 's/^\([0-9.]*:[0-9]*\).*$/\1/p' | sort -u > /tmp/naabu-ports.txt

Httpx

Find HTTP Services

cat /tmp/naabu-ports.txt \
  | httpx --follow-redirects \
      -ports -sc -td -auto-referer -title -favicon -server -location -ip \
      -o /tmp/httpx-results.txt

CIDR Discovery

ASN Discovery

whois -h whois.cymru.com $TARGET
curl -s https://api.bgpview.io/ip/$TARGET | \
jq -r ".data.prefixes[] | {prefix: .prefix, ASN: .asn.asn}"

Nmap Script

nmap --script targets-asn --script-args targets-asn.asn=$ASN

Virtual Hosts

DNS Zone Transfer

Nslookup

nslookup -type=ns $WEBSITE

Dig

dig $WEBSITE NS +noall +answer; \
dig {a|txt|ns|mx} $WEBSITE; \
dig AXRF @ns1.$WEBSITE $WEBSTITE; \
dig @$NS $WEBSITE

Host

host -t ns $WEBSITE; \
host -t {a|txt|ns|mx} $WEBSITE; \
host -a $WEBSITE; \
host -C $WEBSITE; \
host -R 3 $WEBSITE

GoBuster

gobuster vhost ‐u $WEBSITE \
               -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
               --append-domain

DNS Inverse Queries

Dig

dig -x $IP

DNSx

subfinder -silent -d $WEBSITE | dnsx -silent > /tmp/sub-domains.txt

DNSGen

dnsgen /tmp/sub-domains.txt > /tmp/gen-sub-domains.txt

Combine with ShuffleDNS

echo "1.1.1.1" > /tmp/resolver.txt
shuffledns -d $WEBSITE \
           -l /tmp/gen-sub-domains.txt \
           -mode resolve \
           -r /tmp/resolver.txt

Web Service Discovery

httpx -silent -u $WEBSITE

  1. Host: [FUZZ]

ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt \
     -u $TARGET \
     -H "Host: FUZZ"

  1. Host: [FUZZ].$WEBSITE

ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt \
     -u $TARGET \
     -H "Host: FUZZ.$WEBSITE"

  1. Host: [FOUND-SUBDOMAINS]

ffuf -w /tmp/gen-sub-domains.txt -u $TARGET -H "Host: FUZZ"

Web Based DNS Search

ViewDNS

https://viewdns.info/viewdns.info

YouGetSignal

LogoNetwork Tools by YouGetSignal.comwww.yougetsignal.com

Website Informer

LogoWebsite Informerwebsite.informer.com

Reverse Whois

LogoReverse Whois Lookup - Domain search based on email or namewww.reversewhois.io

Whoxy

LogoWHOIS API | WHOIS Lookup API | Domain WHOIS APIwww.whoxy.com

Security Insights

https://internetdb.shodan.io/$IPinternetdb.shodan.io

Reverse IP Service

  1. Query DNS records of domains and subdomains to get IP

for domain in $(subfinder -d $WEBSITE -silent); do echo $domain | \
dnsx -a -silent -resp-only; done

  1. Whois the IP addresses and extract the properties

whois $TARGET

  1. Reverse Lookup on the properties

RapidDNS

Reverse Lookup

domain="$WEBSITE"
curl -s "https://rapiddns.io/sameip/${domain}#result" \
  | pup 'table tr td:nth-child(2) text{}' \
  | sed '/^[[:space:]]*$/d' \
  | nl -ba

Query Ripe

mnt-by field

whois -h whois.ripe.net -i mnt-by $COMPANY

person field

whois -h whois.ripe.net -- -i person $NAME

admin-c field

whois -h whois.ripe.net -- -i admin-c $NAME

Query Arin

Network address space (Net Handle) field

whois -h whois.arin.net -- 'n ! $NAME'

OrgId field

whois -h whois.arin.net -- 'o ! $NAME'

Amass

amass intel -org $ORG
amass intel -ip -cidr $TARGET
amass intel -active -asn $ASN

Digital Certificate

Crt

curl -s "https://crt.sh/?q=$WEBSITE&output=json" | \
jq -r ".[].common_name" | sort -u
curl -s "https://crt.sh/?q=$WEBSITE&output=json" | \
jq -r ".[].name_value" | sort -u

Censys

curl -X 'POST' 'https://search.censys.io/api/v2/certificates/search' -H 'Authorization: Basic API_SECRET' -H "content-type: application/json" --data '{"q":"parsed.subject.organization: Google"}' | \
jq -r '.result.hits[] | (.parsed.subject_dn | capture("CN=(?<cn>[^,]+)") | .cn), (.names | if type=="array" and (.[0] | type) == "array" then .[][] else .[] end)'

GitHub

github-subdomains -d $WEBSITE -t $TOKEN

waybackurls

waybackurls $WEBSITE
PreviousReview Webserver MetafilesNextReview Webpage Content

Last updated