Enumerate Applications

Check List

Cheat Sheet

Different URL

Subdomain Fuzzing

# Brute-force subdomain labels of $WEBSITE with dnsenum; -f supplies the SecLists top-20k wordlist.
dnsenum $WEBSITE -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

# dnsrecon in brute-force mode (-t brt): every name in the -D wordlist is tried under $WEBSITE.
dnsrecon -d $WEBSITE \
         -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
         -t brt

# gobuster DNS mode resolves <word>.$WEBSITE for each wordlist entry; --wildcard keeps it
# running even when the zone answers every name (wildcard DNS), so results then need filtering.
gobuster dns --wildcard \
             -d $WEBSITE \
             -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

# urlfinder: passive URL discovery for the domain given with -d (sources come from the tool's own config).
urlfinder -d $WEBSITE

Passive Scan

# amass passive enumeration: only third-party data sources are queried, nothing is sent to the target's DNS.
amass enum -passive -d $WEBSITE

Active Scan

# amass active enumeration (-active) combined with brute force (-brute) of the -w wordlist against $WEBSITE.
amass enum -active \
           -brute \
           -d $WEBSITE \
           -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
# amass intel: find related names from an IP range ($TARGET as CIDR) and, actively, from an ASN ($ASN).
# The same two commands are repeated later on this page under "Query Arin".
amass intel -ip -cidr $TARGET
amass intel -active -asn $ASN

# Fetch and decode the server's TLS certificate. The empty stdin from `echo |` makes s_client exit
# right after the handshake; -servername sets SNI to $WEBSITE while -connect targets $IP:443;
# -showcerts prints the whole chain and `x509 -text` decodes the first PEM block (the leaf).
echo | \
openssl s_client -showcerts -servername $WEBSITE -connect $IP:443 2>/dev/null | \
openssl x509 -inform pem -noout -text

# Enumerate subdomains with assetfinder, then probe each for a live HTTP service (status code and page title).
assetfinder $WEBSITE | httpx --status-code --title

Favicon Hashes

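# Favicon hashes of live subdomains: subfinder enumerates (all sources, recursive), httpx -favicon -j
# prints one JSON object per host, and jq pulls out the hash.
# `.favicon // empty` drops hosts without a favicon (the original used `grep -v null`), and the
# original `sort-u` typo is corrected to `sort -u`.
subfinder -d "$WEBSITE" -all -recursive | httpx -favicon -j | \
jq -r '.favicon // empty' | sort -u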

Subdomain Enumeration

# subfinder with all sources and recursive enumeration; results are written to /tmp/subdomains.txt (-o).
subfinder -d $WEBSITE -all -recursive -o /tmp/subdomains.txt

Subdomain Permutation Generation

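# Generate subdomain permutations from the enumerated list with alterx.
# stdin is redirected from the file instead of piping through cat: same input stream, one fewer process.
alterx -o /tmp/gen-subdomains.txt < /tmp/subdomains.txt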

Resolve live subdomains

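# Probe the generated names on the listed ports with 200 threads and keep the hosts that answer HTTP(S).
# stdin is redirected from the file instead of `cat file |`: same input, no extra process.
httpx-toolkit -ports 80,443,8080,8000,8888,8082,8083 \
              -threads 200 < /tmp/gen-subdomains.txt > /tmp/alive-subdomains.txt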

Resolve Generated Subdomains

# puredns mass-resolves the generated names. NOTE(review): puredns -r expects a file of resolver IPs;
# confirm /tmp/resolve-subdomains.txt holds resolvers (its name suggests a subdomain list).
puredns resolve /tmp/gen-subdomains.txt -r /tmp/resolve-subdomains.txt

Fetch URLs

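# katana crawl of every live host in /tmp/alive-subdomains.txt (-u accepts a list file):
#   -d 5       crawl depth
#   -ps/-pss   also collect URLs from the named passive sources
#   -kf        known files (robots.txt / sitemap.xml)
#   -jc        parse JavaScript for endpoints
#   -fx        extract form fields
#   -ef        skip static-asset extensions (a duplicate "svg" entry was removed from the original list)
# NOTE(review): in current katana releases -kf takes a value (all|robotstxt|sitemapxml); confirm that
# `-kf -jc` is parsed as two flags and -jc is not consumed as -kf's argument.
katana -u /tmp/alive-subdomains.txt \
       -d 5 -ps \
       -pss waybackarchive,commoncrawl,alienvault \
       -kf -jc -fx \
       -ef woff,css,png,svg,jpg,woff2,jpeg,gif \
       -o /tmp/all-urls.txt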

Recon and Resolve

# Write a single public resolver (1.1.1.1) to a resolver file, then pass subfinder's output through
# shuffledns in resolve mode so only names that actually resolve are kept.
echo "1.1.1.1" > /tmp/resolvers.txt
subfinder -d $WEBSITE -all -recursive | \
shuffledns -d $WEBSITE -r /tmp/resolvers.txt -mode resolve

Directory Fuzzing

# dirb directory brute force of $WEBSITE using the SecLists raft-large directory list.
dirb $WEBSITE /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Dictionary

# dirsearch with an explicit wordlist (-w) instead of its built-in dictionary.
dirsearch -u $WEBSITE \
          -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Brute Force

# dirsearch with its built-in dictionary expanded over many extensions (-e); recurses into every
# discovered directory (--deep-recursive), hides 404s, follows redirects, and rotates the User-Agent.
# --delay=0.1 spaces requests by 100 ms.
dirsearch -u $WEBSITE \
          -e php,cgi,htm,html,shtm,sql.gz,sql.zip,shtml,lock,js,jar,txt,bak,inc,smp,csv,cache,zip,old,conf,config,backup,log,pl,asp,aspx,jsp,sql,db,sqlite,mdb,wasl,tar.gz,tar.bz2,7z,rar,json,xml,yml,yaml,ini,java,py,rb,php3,php4,php5 \
          --random-agent \
          --deep-recursive \
          --exclude-status=404 \
          --follow-redirects \
          --delay=0.1

# wfuzz: the -z file payload replaces FUZZ in the URL; --sc 200 shows only HTTP 200 responses; -c colours output.
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt \
      --sc 200 "$WEBSITE/FUZZ"

# gobuster directory mode against $WEBSITE with the raft-large directory list.
gobuster dir -u $WEBSITE \
             -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

# feroxbuster recursive content discovery. NOTE(review): -C is feroxbuster's deny-list filter
# (--filter-status), so this hides 200 responses; if the intent is to show only 200s, use `-s 200`.
feroxbuster --url $WEBSITE -C 200

# ffuf directory fuzzing: each wordlist entry replaces FUZZ in the URL path.
ffuf -u $WEBSITE/FUZZ \
     -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Non-Standard Ports

Port Scans

TCP Ports

# TCP SYN scan (-sS, needs raw-socket privileges) with service/version detection (-sV);
# --mtu sets the probe MTU (nmap requires a multiple of 8; 5000 is).
nmap -sS -sV --mtu 5000 $WEBSITE

UDP Ports

# UDP scan (-sU, needs raw-socket privileges) with service detection (-sV); UDP scans are slow because
# closed ports only show up as ICMP unreachable and open ports often do not answer at all.
nmap -sU -sV --mtu 5000 $WEBSITE

TCP Ports

# netcat TCP connect sweep: -z scan-only (no data), -v report each port, -w 1 one-second timeout.
# The 1-65535 range syntax is OpenBSD netcat; nmap's ncat does not accept port ranges this way.
nc -zv -w 1 $WEBSITE 1-65535

UDP Ports

# Same sweep over UDP (-u); with no response most UDP ports will be reported as open|filtered-style
# guesses, so treat the output as a hint rather than a result.
nc -zvu -w 1 $WEBSITE 1-65535

# naabu port scan of $TARGET restricted to the port(s) in $PORT.
naabu -host $TARGET -p $PORT

# masscan of ports 1-1000 on $TARGET at 1000 packets/s (--rate); masscan needs raw-socket privileges.
masscan $TARGET -p1-1000 --rate 1000

CIDR Discovery

ASN Discovery

# IP-to-ASN mapping via Team Cymru's whois service, then the BGPView API for the prefixes announced
# for $TARGET; jq reduces each entry to its prefix and ASN.
whois -h whois.cymru.com $TARGET
curl -s https://api.bgpview.io/ip/$TARGET | \
jq -r ".data.prefixes[] | {prefix: .prefix, ASN: .asn.asn}"

Virtual Hosts

DNS Zone Transfer

# List the authoritative nameservers (NS records) of $WEBSITE.
nslookup -type=ns $WEBSITE

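# dig lookups for $WEBSITE. `{a|txt|ns|mx}` is cheat-sheet notation: substitute one record type.
# The AXFR line asks ns1.$WEBSITE for a full zone transfer; a correctly configured server refuses it.
# Fixes from the original: record type `AXRF` -> `AXFR`, variable `$WEBSTITE` -> `$WEBSITE`,
# expansions quoted.
dig "$WEBSITE" NS +noall +answer; \
dig {a|txt|ns|mx} "$WEBSITE"; \
dig AXFR @ns1."$WEBSITE" "$WEBSITE"; \
dig @"$NS" "$WEBSITE"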

Host

# host lookups for $WEBSITE: NS records, one chosen record type (`{a|txt|ns|mx}` is cheat-sheet
# notation, substitute one), -a for all records, -C to compare SOA records across the zone's
# nameservers, and -R 3 for three retries.
host -t ns $WEBSITE; \
host -t {a|txt|ns|mx} $WEBSITE; \
host -a $WEBSITE; \
host -C $WEBSITE; \
host -R 3 $WEBSITE

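# gobuster virtual-host mode: sends each wordlist entry as the Host header; --append-domain builds
# <word>.$WEBSITE. The original used a Unicode hyphen (U+2010) before `u`, which gobuster does not
# recognise as an option; replaced with an ASCII `-u`.
gobuster vhost -u "$WEBSITE" \
               -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
               --append-domain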

DNS Inverse Queries

# Reverse (PTR) lookup of $IP.
dig -x $IP

# Enumerate subdomains and keep only those dnsx can resolve; saved to /tmp/sub-domains.txt.
subfinder -silent -d $WEBSITE | dnsx -silent > /tmp/sub-domains.txt

# dnsgen: generate permutations/alterations of the resolved subdomains.
dnsgen /tmp/sub-domains.txt > /tmp/gen-sub-domains.txt

Combine with ShuffleDNS

# Resolve the dnsgen permutations with shuffledns (-l list file, -r resolver file, resolve mode) using
# a single public resolver written to /tmp/resolver.txt.
echo "1.1.1.1" > /tmp/resolver.txt
shuffledns -d $WEBSITE \
           -l /tmp/gen-sub-domains.txt \
           -mode resolve \
           -r /tmp/resolver.txt

Web Service Discovery

# Probe a single target (-u) for a live HTTP service; -silent prints only the matching URL.
httpx -silent -u $WEBSITE
  1. Host: [FUZZ]

# Virtual-host fuzzing: each wordlist entry is sent as the bare Host header against $TARGET.
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt \
     -u $TARGET \
     -H "Host: FUZZ"
  1. Host: [FUZZ].$WEBSITE

# Virtual-host fuzzing with the entry prefixed to $WEBSITE in the Host header (FUZZ.$WEBSITE).
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt \
     -u $TARGET \
     -H "Host: FUZZ.$WEBSITE"
  1. Host: [FOUND-SUBDOMAINS]

# Virtual-host check using the previously generated subdomain list as the Host header values.
ffuf -w /tmp/gen-sub-domains.txt -u $TARGET -H "Host: FUZZ"

ViewDNS

YouGetSignal

Website Informer

Reverse Whois

Whoxy

Security Insights

Reverse IP Service

  1. Query DNS records of domains and subdomains to get IP

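# Resolve each subfinder result to its A record(s); dnsx -resp-only prints just the IP addresses.
# subfinder's output is read line by line (no word-splitting of $(...) in a for loop) and each
# name is passed quoted so it cannot be re-split or glob-expanded.
while IFS= read -r domain; do
  printf '%s\n' "$domain" | dnsx -a -silent -resp-only
done < <(subfinder -d "$WEBSITE" -silent)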
  1. Run whois on the IP addresses and extract the properties

# whois registration record for $TARGET (owner, netblock and contact handles used in the following lookups).
whois $TARGET
  1. Reverse Lookup on the properties

Query Ripe

mnt-by field

# RIPE inverse lookup (-i) on the mnt-by attribute: objects maintained by $COMPANY.
whois -h whois.ripe.net -i mnt-by $COMPANY

person field

# RIPE inverse lookup on the person attribute; `--` passes the -i flag to the RIPE server rather than the whois client.
whois -h whois.ripe.net -- -i person $NAME

admin-c field

# RIPE inverse lookup on the admin-c attribute (objects whose administrative contact is $NAME).
whois -h whois.ripe.net -- -i admin-c $NAME

Query Arin

Network address space (Net Handle) field

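# ARIN query: "n" selects network records and "!" asks for an exact match on $NAME; `--` hands the
# string to the server untouched. Double quotes so $NAME expands (the original's single quotes sent
# the literal text "$NAME").
whois -h whois.arin.net -- "n ! $NAME"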

OrgId field

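# ARIN query: "o" selects organisation records, "!" exact match on $NAME. Double quotes so $NAME
# expands (the original's single quotes sent the literal text "$NAME").
whois -h whois.arin.net -- "o ! $NAME"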

# amass intel pivots: organisation name ($ORG), IP range ($TARGET as CIDR) and ASN ($ASN).
# The last two lines duplicate the commands under "Active Scan" earlier on this page.
amass intel -org $ORG
amass intel -ip -cidr $TARGET
amass intel -active -asn $ASN

Digital Certificate

# Certificate-transparency search on crt.sh for $WEBSITE: first the certificate common names, then the
# name_value field (subject alternative names; crt.sh joins multiple SANs with newlines, which is why
# a plain `sort -u` already yields one name per line).
curl -s "https://crt.sh/?q=$WEBSITE&output=json" | \
jq -r ".[].common_name" | sort -u
curl -s "https://crt.sh/?q=$WEBSITE&output=json" | \
jq -r ".[].name_value" | sort -u

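# Censys certificate search: CN and SAN names of certificates whose subject organisation is $ORG
# (the original hard-coded "Google"; $ORG is the variable the amass intel line on this page uses).
# The Authorization header is HTTP Basic, i.e. base64("API_ID:API_SECRET"); it is taken from the
# CENSYS_BASIC_AUTH environment variable (constructed placeholder name) so the credential is not
# typed into the command line, and `:?` aborts with a message when it is unset.
# The JSON body is built with `jq --arg` so an $ORG containing quotes cannot break the query.
# `.names // []` keeps the second jq stage from failing on hits that carry no names array.
curl -s -X POST 'https://search.censys.io/api/v2/certificates/search' \
     -H "Authorization: Basic ${CENSYS_BASIC_AUTH:?set to base64(API_ID:API_SECRET)}" \
     -H "content-type: application/json" \
     --data "$(jq -n --arg q "parsed.subject.organization: $ORG" '{q: $q}')" | \
jq -r '.result.hits[] | (.parsed.subject_dn | capture("CN=(?<cn>[^,]+)") | .cn), ((.names // []) | if type=="array" and (.[0] | type) == "array" then .[][] else .[] end)'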

# Search public GitHub content for subdomains of $WEBSITE; -t is a GitHub API token (read from $TOKEN, not hard-coded).
github-subdomains -d $WEBSITE -t $TOKEN

# Historical URLs for $WEBSITE from the Wayback Machine.
waybackurls $WEBSITE

