
ASNs (autonomous system numbers)

Bgp.he.net

Registered IPs

Whois.arin.net

Apps.db.ripe.net

Reverse.report

Shodan.io

Brand/TLD Discovery

Wikipedia

Crunchbase acquisitions section

Burp Spidering

Turn off passive scanning

Set forms to auto-submit (if you are feeling frisky)

Set scope to advanced control and use a string of the target name (not a normal FQDN)

Walk+Browse, then spider all hosts recursively

Domlink

Builtwith

Trademark or policy text searches in Google

Discovering subdomains

CertDB

Netcraft

Robtex

Wayback machine

Amass

Subfinder

Subdomain bruteforcing

Massdns

Commonspeak

Scans.io

Dnssec

GitHub recon

Google dorking

Enumeration target

Port scanning:

Masscan (just IPs)

Nmap

Credential bruteforce:

Brutespray

Eyewitness (takes a screenshot of each host)

Wayback enumeration (tomnomnom/waybackurls)

Platform identification and CVE searching (Retire.js, Wappalyzer, burp-vulners-scanner)

Coverage for heavy JavaScript sites (ZAP Ajax spider, JSParser, Linkfinder)

Content Discovery

Gobuster

Burp content discovery

robots.txt Disallow entries

Parameter bruting (parameth)

XSS

Blind XSS Frameworks (bXSS, ezXSS)

CSRF

Cloud_metadata.txt (GitHub)

IDOR: watch IDs, emails and hashes in URLs (POST and GET)

Infrastructure and Config (can-i-take-over-xyz)

Probing misconfigured buckets (S3Scanner)

WAF: try wwX.$target.com, where X is a number