Enter the target domain:
- whois target.com - Retrieves domain registration information.
- nslookup target.com - Performs a DNS query to find the IP address of the domain.
- dig target.com - Performs a detailed DNS lookup.
- curl http://ipinfo.io/<ip> - Retrieves information about the IP address.
- host -t ns target.com - Lists the authoritative nameservers.
- host -t mx target.com - Lists the mail servers for the domain.

Web Technology Fingerprinting:
- whatweb -i live_hosts.txt - Identifies technologies used by the web application (live_hosts.txt is produced by the httpx step below).

DNS Enumeration and OSINT:
- dnsrecon -d target.com - Enumerates DNS records.
- censys search target.com - Searches for SSL certificates and associated assets.
- github-search target.com - Searches GitHub for sensitive data related to the target.
- gitrob -repo target.com - Scans for sensitive information in GitHub repositories.
- github-dorker -d target.com - Automates GitHub dorking to find exposed secrets.
- gf redirect < results.txt > gf_redirects.txt - Looks for URLs whose parameters suggest open redirects (gf reads a URL list on stdin; results.txt is the merged URL list from the gau/waybackurls/katana step below).
Subdomain Discovery Tools:
- sublist3r -d target.com -o target.com.txt - Enumerates subdomains using multiple sources.
- amass enum -d target.com | tee -a target.com.txt - Comprehensive subdomain enumeration.
- assetfinder --subs-only target.com | tee -a target.com.txt - Finds subdomains via various APIs.
- findomain -t target.com | tee -a target.com.txt - Another subdomain enumeration tool.
- subfinder -d target.com -o subfinder_results.txt -silent - Finds subdomains using multiple sources.

Subdomain Resolution and Probing:
- massdns -r resolvers.txt -t A -o S -w results.txt subs.txt - Resolves subdomains to IPs (subs.txt is the deduplicated merge of the discovery outputs above, e.g. sort -u target.com.txt subfinder_results.txt).
- awk '{print $1}' results.txt | sed 's/\.$//' | sort -u | httprobe > live_subdomains.txt - Finds live subdomains (massdns -o S writes "name. A ip" lines, so the hostname column is extracted and the trailing dot stripped before httprobe).
- httpx -l live_subdomains.txt -o live_hosts.txt - Probes HTTP services on subdomains.
Network and Service Scanning:
- nmap -iL live_hosts.txt -oA nmap_scan - Scans for open ports and services (httpx writes full URLs; strip the scheme and path so nmap receives bare hostnames).
- masscan -iL live_hosts.txt -p0-65535 -oX masscan_results.xml - High-speed port scan (masscan only accepts IP addresses or CIDR ranges as targets, not hostnames, and needs root).

Automated Vulnerability Scanning:
- nuclei -l live_hosts.txt -t templates/ - Scans for known vulnerabilities using templates.
- metabigor net --org target.com - Gathers network information from external sources.
- theHarvester -d target.com -l 500 -b all - Harvests email addresses, subdomains, and more from public sources.
- dnsenum target.com - Enumerates DNS records including subdomains and zone transfers.
- shuffledns -d target.com -list subs.txt -r resolvers.txt -mode resolve -o shuffledns_results.txt - Resolves a subdomain list through trusted resolvers with wildcard filtering (-r is the resolver file, -list the subdomains to resolve).
Directory Brute Forcing:
- feroxbuster -u https://target.com -x php,html,txt - Directory brute force tool with recursion (-x sets the extensions to try).
- dirsearch -u https://target.com -e php,html,txt - Brute forces directories and files on the target.
- dirb https://target.com/ -o dirb_output.txt - Performs a directory brute force attack.
- URL collection from gau, waybackurls and katana, run in parallel and merged into results.txt:

    target="target.com"
    ( gau "$target" > gau_output.txt; echo "Cooldown for 3 seconds after gau..." | lolcat -a -d 5 -s 20; sleep 3 ) &
    ( waybackurls "$target" > waybackurls_output.txt; echo "Cooldown for 3 seconds after waybackurls..." | lolcat -a -d 5 -s 20; sleep 3 ) &
    ( katana -u "$target" -d 3 > katana_output.txt; echo "Cooldown for 3 seconds after katana..." | lolcat -a -d 5 -s 20; sleep 3 ) &
    wait
    cat gau_output.txt waybackurls_output.txt katana_output.txt | sort -u | tee results.txt | lolcat -a -d 5 -s 20

  Each tool's stdout goes to its own file (a redirect followed by a pipe would leave lolcat with nothing to read), the three subshells run in the background, and wait blocks until all of them finish before the outputs are merged.

CMS Scanning:
- wpscan --url target.com - Scans WordPress sites for known vulnerabilities.
Parameter Brute Forcing and Mining:
- parameth - Brute forces to discover GET and POST parameters.
- param-miner - Burp Suite extension that finds hidden, unlinked parameters.
- arjun -u https://target.com -oT arjun_output.txt - Finds GET and POST parameters.
- ParamSpider --domain target.com --output paramspider_output.txt - Mines parameters from web archives.

GET Parameter Discovery:
- Pulls JavaScript variable names out of each archived page and prints them as candidate query parameters (static assets and .js URLs are skipped; the URL is passed to awk rather than sed so that "&" in query strings is not mangled):

    assetfinder target.com | gau | grep -Ev '\.(css|png|jpe?g|svg|gif|woff|js)' | while read -r url; do
        vars=$(curl -s "$url" | grep -Eo 'var [a-zA-Z0-9]+' | awk -v u="$url" '{print u "?" $2 "=xss"}')
        printf '\033[1;33m%s\n\033[1;32m%s\n' "$url" "$vars"
    done
Advanced and Extended Scanning:
- recon-ng -w workspace -i target.com - Framework for performing automated reconnaissance.
- xray webscan --basic-crawler http://target.com - Automated vulnerability scanner with crawling capabilities.
- dnsgen -f subdomains.txt | massdns -r resolvers.txt -t A -o S -w dnsgen_results.txt - Generates permutations of known subdomains and resolves them.

Additional Techniques:

Bypass Rate Limits (request headers that some rate limiters trust as the client address):
- X-Originating-IP: IP
- X-Forwarded-For: IP
- X-Remote-IP: IP
- X-Remote-Addr: IP
- X-Client-IP: IP
- X-Host: IP
- X-Forwarded-Host: IP
Wordlist Examples:
- /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt - Directory/Page Wordlist
- /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt - Domain Wordlist
- /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt - Parameters Wordlist
Reports:
- Pentester.land Writeups: https://pentester.land/writeups/
- HackerOne Reports: https://github.com/reddelexc/hackerone-reports

Resources:
- Bug Bounty Tips: https://gowsundar.gitbook.io/book-of-bugbounty-tips
- PentestBook: https://pentestbook.six2dez.com/