Get ASN for IP ranges (amass, asnlookup, metabigor, bgp)
Review latest acquisitions
Get relationships by registrants (viewdns)
BuiltWith
Breach Data, leaked credentials
Pillaging Git - (TruffleHog, GitGot, Wraith, GitLeaks)
FOIA Dorks (https://search.foia.gov)
CloudScraper -> VSFP s3 locations
Censys.io
Metadata analysis of documents found
DNS Recon (securitytrails, Recon-NG)
Employee data (LinkedIn, job postings, current employees)
Look for a public Github/documentation
dig, Nmap DNS NSE Scripts, DNSRecon, Farsight Security's DNSDB
https://sitereport.netcraft.com/
https://www.exploit-db.com/google-hacking-database
https://github.com/smicallef/spiderfoot
https://github.com/blacklanternsecurity/bbot
crt.sh -> httprobe -> EyeWitness Automated domain screenshotting
jsendpoints Extract page DOM links
certSniff Certificate transparency log keyword sniffer
CloudBrute Cloud infrastructure brute force
spoofcheck SPF/DMARC record checker
AWSBucketDump S3 bucket enumeration
Dismap Asset discovery/identification
Gitrob GitHub sensitive information scanner
Enumerate subdomains (amass or subfinder with all available API keys)
Subdomain bruteforce (puredns with wordlist)
Permute subdomains (gotator or ripgen with wordlist)
Identify alive subdomains (httpx)
Subdomain takeovers (nuclei-takeovers)
Check for cloud assets (cloudenum)
Shodan search
Zone transfer (AXFR)
Recursive subdomain search
Take screenshots (gowitness, webscreenshot, aquatone)
Subdomain Takeover (sublist3r, DNSReaper)
Identify web server, technologies and database (httpx)
Try to locate /robots.txt, /crossdomain.xml, /clientaccesspolicy.xml, /sitemap.xml and /.well-known/
Review comments on source code (Burp Engagement Tools)
Directory enumeration
Web fuzzing (ffuf and wordlist)
Find leaked ids, emails (pwndb)
Identify WAF (wafw00f)
Google dorking
GitHub dorking/Github tools (githound, gitdorks_go)
Get URLs (gau, waybackurls, gospider)
Check potential vulnerable urls (gf-patterns)
Automatic XSS finder (dalfox)
Locate admin and login panel
Broken link hijacking (blc)
Get all JS files (subjs, xnLinkFinder)
JS hardcoded APIs and secrets (nuclei-tokens)
JS analysis (subjs, JSA, xnLinkFinder, getjswords, retire.js burp extension)
Run automated scanner (nuclei)
Test CORS (CORScanner, corsy)
Test AJAX by clicking on every button and analyzing in Burp
If the request uses XML data, look for XXE
Find Postman collections for the API and look up its Swagger definition (Swagger files can be imported into Postman)