Enumerate Applications

Check List

Enumerate the applications within scope that exist on a web server.

Cheat Sheet

Different URL

Subdomain Fuzzing

DNSEnum

dnsenum $WEBSITE -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

DNSRecon

dnsrecon -d $WEBSITE -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t brt

GoBuster

gobuster dns --wildcard -d $WEBSITE -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

URLFinder

urlfinder -d $WEBSITE

Amass

Passive Scan

amass enum -passive -d $WEBSITE

Active Scan

amass enum -active -brute -d $WEBSITE -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

amass intel -ip -cidr $TARGET

amass intel -active -asn $ASN

OpenSSL

echo | openssl s_client -showcerts -servername $WEBSITE -connect $IP:443 2>/dev/null | openssl x509 -inform pem -noout -text

AssetFinder

assetfinder $WEBSITE

SubFinder

Subdomain Fuzzing

subfinder -d $WEBSITE -all -o subdomains.txt

Alterx

Subdomain New Gen

cat subdomains.txt | alterx | tree gen-subdomains.txt

Puredns

Resolve New Gen

puredns resolve gen-subdomains.txt -r resolve-subdomains.txt

Directory Fuzzing

DirB

dirb $WEBSITE /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

DirSearch

dirsearch -u $WEBSITE -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

WFuzz

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --sc 200 "$WEBSITE/FUZZ"

GoBuster

gobuster dir -u $WEBSITE -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

FFUF

ffuf -u $WEBSITE/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Feroxbuster

feroxbuster --url $WEBSITE -C 200

Non-Standard Ports

Port Scans

Nmap

TCP Ports

nmap -sS -sV --mtu 5000 $WEBSITE

UDP Ports

nmap -sU -sV --mtu 5000 $WEBSITE

Netcat

TCP Ports

nc -zv -w 1 $WEBSITE 1-65535

UDP Ports

nc -zvu -w 1 $WEBSITE 1-65535

Naabu

naabu -host $TARGET -p $PORT

Msscan

masscan $TARGET -p1-1000 --rate 1000

CIDR Discovery

ASN Discovery

whois -h whois.cymru.com $TARGET

curl -s https://api.bgpview.io/ip/$TARGET | jq -r ".data.prefixes[] | {prefix: .prefix, ASN: .asn.asn}"

Virtual Hosts

DNS Zone Transfer

Nslookup

nslookup -type=ns $WEBSITE

Dig

dig $WEBSITE NS +noall +answer; \
dig {a|txt|ns|mx} $WEBSITE; \
dig AXRF @ns1.$WEBSITE $WEBSTITE \
dig @$NS $WEBSITE

Host

host -t ns $WEBSITE; \
host -t {a|txt|ns|mx} $WEBSITE; \
host -a $WEBSITE; \
host -C $WEBSITE; \
host -R 3 $WEBSITE

GoBuster

gobuster vhost ‐u $WEBSITE -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

DNS Inverse Queries

Dig

dig -x $IP

ShuffleDNS

shuffledns -d $WEBSITE -list target-domains.txt -mode resolve -r resolver.txt

subfinder -d $WEBSITE | shuffledns -d $WEBSITE -r resolvers.txt -mode resolve

DNSx

subfinder -silent -d $WEBSITE | dnsx -silent

DNSGen

dnsgen target-domains.txt

Combine with shuffledns

cat target-domains.txt | dnsgen - | shuffledns -d $WEBSITE -list target-domains.txt -mode resolve -r resolver.txt

Web Service Discovery

httpx -silent -u $WEBSITE

Host: [FUZZ]

ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -u $TARGET -H "Host: FUZZ"

Host: [FUZZ].$WEBSITE

ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -u $TARGET -H "Host: FUZZ.$WEBSITE"

Host: [FOUND-SUBDOMAINS]

ffuf -w target-subdomains.txt -u $TARGET -H "Host: FUZZ"

Web Based DNS Search

ViewDNS

https://viewdns.info/viewdns.info

YouGetSignal

Network Tools by YouGetSignal.com

Website Informer

Reverse IP Service

Query DNS records of domains and subdomains to get IP

for domain in $(subfinder -d $WEBSITE -silent); do echo $domain | dnsx -a -silent -resp-only; done

Whois the IP addresses and extract the properties

whois $TARGET

Reverse Lookup on the properties

Query Ripe

mnt-by field

whois -h whois.ripe.net -i mnt-by $COMPANY

person field

whois -h whois.ripe.net -- -i person $NAME

admin-c field

whois -h whois.ripe.net -- -i admin-c $NAME

Query Arin

Network address space (Net Handle) field

whois -h whois.arin.net -- 'n ! $NAME'

OrgId field

whois -h whois.arin.net -- 'o ! $NAME'

Amass

amass intel -org $ORG

amass intel -ip -cidr $TARGET

amass intel -active -asn $ASN

Digital Certificate

Crt

curl -s "https://crt.sh/?q=$WEBSITE&output=json" | jq -r ".[].common_name" | sort -u

curl -s "https://crt.sh/?q=$WEBSITE&output=json" | jq -r ".[].name_value" | sort -u

Censys

curl -X 'POST' 'https://search.censys.io/api/v2/certificates/search' -H 'Authorization: Basic API_SECRET' -H "content-type: application/json" --data '{"q":"parsed.subject.organization: Google"}' | jq -r '.result.hits[] | (.parsed.subject_dn | capture("CN=(?<cn>[^,]+)") | .cn), (.names | if type=="array" and (.[0] | type) == "array" then .[][] else .[] end)'

GitHub

github-subdomains -d $WEBSITE -t $TOKEN

waybackurls

waybackurls $WEBSITE

PreviousReview Webserver Metafiles NextReview Webpage Content

Last updated 2 hours ago

Was this helpful?

Check List

Cheat Sheet

Different URL

Subdomain Fuzzing

Directory Fuzzing

Non-Standard Ports

Port Scans

CIDR Discovery

Virtual Hosts

Host

Web Based DNS Search

ViewDNS

YouGetSignal

Website Informer

Reverse Whois

Whoxy

Security Insights

Reverse IP Service

Query Ripe

Query Arin

Digital Certificate