Enumerate Applications

Last updated 1 month ago

Check List

Cheat Sheet

Different URL

Subdomain Fuzzing

dnsenum $WEBSITE -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

dnsrecon -d $WEBSITE \
         -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
         -t brt

gobuster dns --wildcard \
             -d $WEBSITE \
             -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
urlfinder -d $WEBSITE

Passive Scan

amass enum -passive -d $WEBSITE

Active Scan

amass enum -active \
           -brute \
           -d $WEBSITE \
           -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
amass intel -ip -cidr $TARGET
amass intel -active -asn $ASN
echo | \
openssl s_client -showcerts -servername $WEBSITE -connect $IP:443 2>/dev/null | \
openssl x509 -inform pem -noout -text
assetfinder $WEBSITE | httpx --status-code --title

Favicon Hashes

subfinder -d $WEBSITE -all -recursive | httpx -favicon -j | \
jq -r .favicon | grep -v null | sort -u

Subdomain Fuzzing

subfinder -d $WEBSITE -all -recursive -o /tmp/subdomains.txt

Subdomain New Gen

cat /tmp/subdomains.txt | alterx -o /tmp/gen-subdomains.txt

Resolve live subdomains

cat /tmp/gen-subdomains.txt | \
httpx-toolkit -ports 80,443,8080,8000,8888,8082,8083 \
              -threads 200 > /tmp/alive-subdomains.txt

Resolve New Gen

puredns resolve /tmp/gen-subdomains.txt -r /tmp/resolve-subdomains.txt

Fetch URLs

katana -u /tmp/alive-subdomains.txt \
       -d 5 -ps \
       -pss waybackarchive,commoncrawl,alienvault \
       -kf -jc -fx \
       -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg \
       -o /tmp/all-urls.txt

Recon and Resolve

echo "1.1.1.1" > /tmp/resolvers.txt
subfinder -d $WEBSITE -all -recursive | \
shuffledns -d $WEBSITE -r /tmp/resolvers.txt -mode resolve

Directory Fuzzing

dirb $WEBSITE /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Dictionary

dirsearch -u $WEBSITE \
          -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Brute Force

dirsearch -u $WEBSITE \
          -e php,cgi,htm,html,shtm,sql.gz,sql.zip,shtml,lock,js,jar,txt,bak,inc,smp,csv,cache,zip,old,conf,config,backup,log,pl,asp,aspx,jsp,sql,db,sqlite,mdb,wasl,tar.gz,tar.bz2,7z,rar,json,xml,yml,yaml,ini,java,py,rb,php3,php4,php5 \
          --random-agent \
          --deep-recursive \
          --exclude-status=404 \
          --follow-redirects \
          --delay=0.1
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt \
      --sc 200 "$WEBSITE/FUZZ"
gobuster dir -u $WEBSITE \
             -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
feroxbuster --url $WEBSITE -C 200
ffuf -u $WEBSITE/FUZZ \
     -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Non-Standard Ports

Port Scans

TCP Ports

nmap -sS -sV --mtu 5000 $WEBSITE

UDP Ports

nmap -sU -sV --mtu 5000 $WEBSITE

TCP Ports

nc -zv -w 1 $WEBSITE 1-65535

UDP Ports

nc -zvu -w 1 $WEBSITE 1-65535
naabu -host $TARGET -p $PORT
masscan $TARGET -p1-1000 --rate 1000

CIDR Discovery

ASN Discovery

whois -h whois.cymru.com $TARGET
curl -s https://api.bgpview.io/ip/$TARGET | \
jq -r ".data.prefixes[] | {prefix: .prefix, ASN: .asn.asn}"

Virtual Hosts

DNS Zone Transfer

nslookup -type=ns $WEBSITE
dig $WEBSITE NS +noall +answer; \
dig {a|txt|ns|mx} $WEBSITE; \
dig AXFR @ns1.$WEBSITE $WEBSITE; \
dig @$NS $WEBSITE

Host

host -t ns $WEBSITE; \
host -t {a|txt|ns|mx} $WEBSITE; \
host -a $WEBSITE; \
host -C $WEBSITE; \
host -R 3 $WEBSITE
gobuster vhost -u $WEBSITE \
               -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
               --append-domain

DNS Inverse Queries

dig -x $IP
subfinder -silent -d $WEBSITE | dnsx -silent > /tmp/sub-domains.txt
dnsgen /tmp/sub-domains.txt > /tmp/gen-sub-domains.txt
echo "1.1.1.1" > /tmp/resolver.txt
shuffledns -d $WEBSITE \
           -l /tmp/gen-sub-domains.txt \
           -mode resolve \
           -r /tmp/resolver.txt

Web Service Discovery

httpx -silent -u $WEBSITE

Host: [FUZZ]

ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt \
     -u $TARGET \
     -H "Host: FUZZ"

Host: [FUZZ].$WEBSITE

ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt \
     -u $TARGET \
     -H "Host: FUZZ.$WEBSITE"

Host: [FOUND-SUBDOMAINS]

ffuf -w /tmp/gen-sub-domains.txt -u $TARGET -H "Host: FUZZ"

Web Based DNS Search

ViewDNS (https://viewdns.info/)

YouGetSignal

Website Informer

Reverse Whois

Whoxy

Security Insights (https://internetdb.shodan.io/$IP)

Reverse IP Service

  1. Query DNS records of domains and subdomains to get IP

for domain in $(subfinder -d $WEBSITE -silent); do echo $domain | \
dnsx -a -silent -resp-only; done

  2. Whois the IP addresses and extract the properties

whois $TARGET

  3. Reverse Lookup on the properties

Query Ripe

mnt-by field

whois -h whois.ripe.net -i mnt-by $COMPANY

person field

whois -h whois.ripe.net -- -i person $NAME

admin-c field

whois -h whois.ripe.net -- -i admin-c $NAME

Query Arin

Network address space (Net Handle) field

whois -h whois.arin.net -- 'n ! $NAME'

OrgId field

whois -h whois.arin.net -- 'o ! $NAME'
amass intel -org $ORG
amass intel -ip -cidr $TARGET
amass intel -active -asn $ASN
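The RIPE and ARIN inverse queries above need the pivot values (mnt-by, person, admin-c, NetHandle, OrgId) pulled out of a plain whois answer first. As an added example, not part of the original cheat sheet, this Python helper extracts exactly those fields from whois text; the two responses embedded below are constructed samples in RIPE and ARIN layout (RFC 5737 documentation ranges, made-up handles), not real registry data.

```python
import re

# Constructed whois responses for this example only (RFC 5737 documentation
# ranges, made-up handles); they mimic the RIPE and ARIN field layout.
SAMPLE_RIPE_WHOIS = """\
% Constructed RIPE-style response, not real registry data
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
admin-c:        EX123-RIPE
tech-c:         EX123-RIPE
mnt-by:         EXAMPLE-MNT
mnt-by:         RIPE-NCC-HM-MNT
person:         Example Admin
nic-hdl:        EX123-RIPE
"""

SAMPLE_ARIN_WHOIS = """\
# Constructed ARIN-style response, not real registry data
NetRange:       198.51.100.0 - 198.51.100.255
NetHandle:      NET-198-51-100-0-1
OrgId:          EXAMPL
OrgName:        Example Organisation
"""

# The fields the cheat sheet pivots on for the RIPE / ARIN inverse queries.
PIVOT_FIELDS = ("mnt-by", "person", "admin-c", "nethandle", "orgid")

# "field:   value" lines; whois keys contain letters and dashes only.
FIELD_RE = re.compile(r"^\s*([A-Za-z-]+):\s*(.+?)\s*$")


def extract_whois_pivots(whois_text):
    """Map each pivot field (lower-cased) to the sorted distinct values seen.

    Comment lines starting with % or # are skipped; other fields are ignored.
    """
    pivots = {}
    for line in whois_text.splitlines():
        if line.lstrip().startswith(("%", "#")):
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        field, value = m.group(1).lower(), m.group(2)
        if field in PIVOT_FIELDS:
            pivots.setdefault(field, set()).add(value)
    return {field: sorted(values) for field, values in pivots.items()}
```

Feeding the returned values into the `whois -h whois.ripe.net -- -i <field> <value>` and `whois -h whois.arin.net -- 'o ! <OrgId>'` queries above completes the reverse lookup step.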

Digital Certificate

curl -s "https://crt.sh/?q=$WEBSITE&output=json" | \
jq -r ".[].common_name" | sort -u
curl -s "https://crt.sh/?q=$WEBSITE&output=json" | \
jq -r ".[].name_value" | sort -u
curl -X 'POST' 'https://search.censys.io/api/v2/certificates/search' -H 'Authorization: Basic API_SECRET' -H "content-type: application/json" --data '{"q":"parsed.subject.organization: Google"}' | \
jq -r '.result.hits[] | (.parsed.subject_dn | capture("CN=(?<cn>[^,]+)") | .cn), (.names | if type=="array" and (.[0] | type) == "array" then .[][] else .[] end)'
github-subdomains -d $WEBSITE -t $TOKEN
waybackurls $WEBSITE
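The crt.sh jq one-liners above print common_name and name_value as-is, but name_value can carry several newline-separated SANs and wildcard entries, and a query for a domain can return certificates for look-alike names outside scope. As an added example, not part of the original cheat sheet, this Python helper normalises a crt.sh JSON body into a de-duplicated, in-scope host list; the JSON is a constructed sample shaped like crt.sh output, not a live response.

```python
import json

# Constructed sample shaped like a crt.sh "?q=<domain>&output=json" response
# (field names match crt.sh; the values are made up for this example).
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nAPI.example.com"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com"},
    {"common_name": "example.com.evil.net", "name_value": "example.com.evil.net"},
    {"common_name": "www.example.com", "name_value": "www.example.com"},
])


def hostnames_from_crtsh(raw_json, scope_domain):
    """Return sorted, de-duplicated in-scope hostnames from a crt.sh JSON body.

    - name_value may contain several SANs separated by newlines
    - wildcard entries (*.example.com) are reduced to their base name
    - only names equal to scope_domain or ending in ".<scope_domain>" are kept,
      so look-alikes such as example.com.evil.net are dropped
    """
    scope = scope_domain.lower().strip(".")
    found = set()
    for entry in json.loads(raw_json):
        candidates = [entry.get("common_name", "")]
        candidates += entry.get("name_value", "").split("\n")
        for name in candidates:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if not name:
                continue
            if name == scope or name.endswith("." + scope):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```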