Get for IP ranges
Review latest
Get relationships by registrants
BuiltWith
Breach Data, leaked credentials
Pillaging Git - (TruffleHog, GitGot, Wraith, GitLeaks)
FOIA Dorks
CloudScraper -> VSFP s3 locations
Censys.io
Metadata analysis of documents found
DNS Recon (SecurityTrails, Recon-NG)
Employee data (LinkedIn, job postings, current employees)
Look for a public Github/documentation
dig, Nmap DNS NSE Scripts, DNSRecon, Farsight Security's DNSDB
Automated domain screenshotting
Extract page DOM links
Certificate transparency log keyword sniffer
Cloud infrastructure brute force
SPF/DMARC record checker
S3 bucket enumeration
Asset discovery/identification
GitHub sensitive information scanner
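The SPF/DMARC record check above is worth scripting, because the weaknesses that matter (a permissive `all` mechanism, more than ten lookup mechanisms, `p=none`, no aggregate-report address) are easy to miss when reading raw TXT records by eye. The following is an added example written for this page, not code from the original checklist or from any of the tools it names. The TXT records in `SAMPLE_TXT` are constructed; in a real engagement you would replace them with the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.

```python
import re

# Constructed sample TXT records (not real zones). In practice fetch them with
# `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 a mx include:x.example include:y.example +all"],
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 limits these to 10).
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)", re.I)


def check_spf(txt_records):
    """Return a list of findings for the SPF record among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: anyone can spoof the envelope sender"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    all_term = next((t.lower() for t in terms if t.lower().endswith("all")), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif all_term == "?all":
        findings.append("'?all' is neutral; receivers will not reject spoofed mail")
    elif all_term == "~all":
        findings.append("'~all' soft-fails only; enforcement depends on DMARC")
    lookups = sum(1 for t in terms if LOOKUP_MECH.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(txt_records):
    """Return a list of findings for the DMARC record at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM results are never enforced"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy tag: p={policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains are exempt from the parent policy")
    return findings


def audit_domain(domain, txt=SAMPLE_TXT):
    """Combine both checks for one domain; `txt` maps record name -> list of TXT strings."""
    return {
        "spf": check_spf(txt.get(domain, [])),
        "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for name in ("example.com", "weak.example"):
        print(name, audit_domain(name))
```

A domain with `~all` and `p=none` (the first sample) is the common "looks configured, enforces nothing" case: a spoofed message gets a soft-fail from SPF and DMARC tells the receiver to deliver it anyway.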
Enumerate subdomains (amass or subfinder with all available API keys)
Subdomain bruteforce with a wordlist
Permute subdomains (generate alterations of the names already found)
Identify alive subdomains (resolve them and probe HTTP/HTTPS)
Check for ()
search
Recursive subdomain search (enumerate subdomains of the subdomains already found)
Take screenshots of every alive host
Subdomain takeover: check for dangling CNAME/NS records pointing at unclaimed services (sublist3r, DNSReaper)
Identify web server, technologies and database
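Two of the items above, the certificate transparency keyword sniffer and subdomain permutation, share the same input (a list of in-scope hostnames), so one script covers both. This is an added example written for this page, not code from the original checklist or from crt.sh, amass or any other tool named here. `CRTSH_SAMPLE` is a constructed stand-in for the JSON that `https://crt.sh/?q=%25.example.com&output=json` returns; the `name_value` field holds a certificate's SANs separated by newlines, which is why the parser splits on `\n`.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output; a real feed is far longer.
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.staging.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "vpn.example.com\nmail.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil.test"},          # look-alike domain, must be dropped
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "API.Example.COM"},                # case must be normalised
])


def subdomains_from_crtsh(raw_json, domain):
    """Extract unique, in-scope hostnames from crt.sh JSON for `domain`."""
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for entry in json.loads(raw_json):
        # name_value holds every SAN of the certificate, newline separated
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]            # wildcard cert: keep the base name
            # endswith(suffix) rejects "example.com.evil.test" style look-alikes
            if name == domain or name.endswith(suffix):
                found.add(name)
    return sorted(found)


def keyword_hits(names, keywords=("admin", "dev", "staging", "vpn", "internal", "test")):
    """The 'keyword sniffer': names whose labels suggest sensitive infrastructure."""
    return sorted(n for n in names if any(k in n for k in keywords))


def permute(names, domain, words):
    """altdns-style permutations of known names with a small wordlist.

    For each label and word produce word-label, label-word, wordlabel, the word as a
    new deepest label (dev.api.example.com) and as a new label under the apex
    (api.dev.example.com). Names already known are excluded from the result.
    """
    suffix = "." + domain.lower()
    out = set()
    for name in names:
        if name == domain.lower():
            continue
        labels = name[:-len(suffix)].split(".")
        for w in words:
            for i, lab in enumerate(labels):
                for cand in (f"{w}-{lab}", f"{lab}-{w}", f"{w}{lab}"):
                    out.add(".".join(labels[:i] + [cand] + labels[i + 1:]) + suffix)
                out.add(".".join(labels[:i] + [w] + labels[i:]) + suffix)
            out.add(".".join(labels + [w]) + suffix)
    return sorted(out - set(names))


if __name__ == "__main__":
    names = subdomains_from_crtsh(CRTSH_SAMPLE, "example.com")
    print("from CT logs:", names)
    print("interesting:", keyword_hits(names))
    print("candidates to resolve:", permute(names, "example.com", ["dev", "test"]))
```

The permutation output is a candidate list, not a result: pipe it into the resolver step ("Identify alive subdomains") and keep only names that actually resolve.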
Try to locate /robots.txt, /crossdomain.xml, /clientaccesspolicy.xml, /sitemap.xml and /.well-known/
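What to do with those files once fetched: robots.txt and sitemap.xml are a free list of paths the operator considers interesting enough to hide or index, and crossdomain.xml is a policy file that can grant every origin read access to authenticated responses. The script below is an added example written for this page, not code from the original checklist; the three file bodies are constructed samples standing in for what a fetch of `/robots.txt`, `/sitemap.xml` and `/crossdomain.xml` would return.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed sample responses (not fetched from any real host).
ROBOTS_TXT = """# constructed sample
User-agent: *
Disallow: /admin/
Disallow: /api/internal
Allow: /api/public
Disallow: /backup/*.bak$
Sitemap: https://www.example.com/sitemap.xml
"""

SITEMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.com/</loc></url>
  <url><loc>https://www.example.com/old-login</loc></url>
</urlset>"""

CROSSDOMAIN_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.partner.example" secure="false" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>"""


def robots_targets(text, base_url):
    """Return (paths, sitemaps): every Allow/Disallow value as an absolute URL plus Sitemap URLs.

    Disallowed entries are what the operator wanted crawlers to skip, so they belong
    at the top of the fuzzing list rather than being respected.
    """
    paths, sitemaps = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key in ("disallow", "allow") and value:
            url = urljoin(base_url, value)           # wildcard patterns are kept as-is
            if url not in paths:
                paths.append(url)
        elif key == "sitemap" and value not in sitemaps:
            sitemaps.append(value)
    return paths, sitemaps


def sitemap_locs(xml_text):
    """Collect every <loc> from a urlset or sitemapindex, ignoring the XML namespace."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "loc" and el.text]


def crossdomain_findings(xml_text):
    """Flag Flash/Silverlight cross-domain policies that let any origin read responses."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site can make credentialed Flash requests')
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" for {domain}: policy also honoured over plain HTTP')
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any site can send custom headers')
    return findings


if __name__ == "__main__":
    paths, sitemaps = robots_targets(ROBOTS_TXT, "https://www.example.com/")
    print("fuzz first:", paths)
    print("sitemaps:", sitemaps, "->", sitemap_locs(SITEMAP_XML))
    for finding in crossdomain_findings(CROSSDOMAIN_XML):
        print("crossdomain.xml:", finding)
```

A `sitemapindex` nests further sitemap URLs inside `<loc>` elements, so the same `sitemap_locs` call works for it; fetch each returned URL and run it through the function again. The `/.well-known/` directory and `/clientaccesspolicy.xml` are not parsed here, but the Silverlight file has the same shape of finding (`<domain uri="*"/>`) as the Flash one.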
Review comments on source code (Burp Engagement Tools)
Web fuzzing (directory and file discovery with a wordlist)
Find ()
Identify WAF
/Github tools
Get URLs
Check potentially vulnerable URLs (parameters whose names suggest injection, redirects, file access)
Automatic XSS finder
Locate admin and login panel
Broken link hijacking (external links to expired domains or deleted accounts)
Get all JS files
JS hardcoded API endpoints and secrets
JS analysis (including Burp extensions)
Run automated scanner
Test CORS (origin reflection, null origin, Access-Control-Allow-Credentials)
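A minimal scanner for the JS steps above, as an added example written for this page (not code from the original checklist or from TruffleHog, GitLeaks or any other tool it names). `SAMPLE_JS` is a constructed snippet standing in for a downloaded bundle; the AWS access key in it is the documented example key `AKIAIOSFODNN7EXAMPLE` and every other value is fake. The patterns are deliberately narrow: a long-prefix key format (AKIA…, AIza…) is high confidence, while the `generic_secret` rule will also catch test fixtures and needs a human look.

```python
import re

# Constructed JavaScript standing in for a downloaded bundle. The AWS key is the
# documented example key; the Google key, bearer token and "s3cr3t" are fake.
SAMPLE_JS = r'''
const API_BASE = "/api/v2";
fetch(API_BASE + "/users/me", {headers: {Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc"}});
// legacy uploader, TODO remove before release
var awsKey = "AKIAIOSFODNN7EXAMPLE";
const gmaps = "AIzaSyA1234567890abcdefghijklmnopqrstuv";
axios.post("https://internal-api.example.com/admin/export", {token: "s3cr3t"});
'''

# Each pattern either has no group (the whole match is the value) or group 1 is the value.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key":    re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "bearer_token":      re.compile(r"Bearer\s+([A-Za-z0-9_\-.=]{20,})"),
    "generic_secret":    re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{6,})["']"""),
}

# Quoted absolute URLs or root-relative paths: the endpoint list to feed into fuzzing.
ENDPOINT_RE = re.compile(r"""["'](https?://[^"'\s]+|/[A-Za-z0-9_\-./?=&{}]{2,})["']""")


def scan_js(source):
    """Return (line, kind, value) triples for every secret or endpoint found in `source`."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((lineno, kind, m.group(m.lastindex or 0)))
        for m in ENDPOINT_RE.finditer(line):
            hits.append((lineno, "endpoint", m.group(1)))
    return hits


def endpoints(hits):
    """Unique endpoint strings, sorted, for the URL/fuzzing steps."""
    return sorted({value for _, kind, value in hits if kind == "endpoint"})


def secrets(hits):
    """(kind, value) pairs for everything that is not an endpoint."""
    return [(kind, value) for _, kind, value in hits if kind != "endpoint"]


if __name__ == "__main__":
    found = scan_js(SAMPLE_JS)
    for lineno, kind, value in found:
        print(f"line {lineno:>3}  {kind:<18} {value}")
    print("endpoints:", endpoints(found))
```

Relative endpoints such as `/users/me` need to be joined to the API base the bundle uses (`API_BASE` here), which usually means reading the surrounding code; the scanner only collects the literals.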
Test AJAX by clicking on every button and analyzing in Burp
If a request uses XML data, look for XXE
Find API collections (Swagger/OpenAPI, Postman) and look through them. You can import Swagger into Postman
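Importing the spec into Postman gives you a request per operation; the part worth automating is deciding which operations to look at first. The script below is an added example written for this page, not code from the original checklist or from Swagger/Postman. `SPEC_JSON` is a constructed OpenAPI 3 document standing in for a discovered `openapi.json`; it exercises the three cases that matter for triage: operations that inherit the global `security` requirement, one that sets `security: []` to opt out of authentication, and operations with an object identifier in the path.

```python
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed OpenAPI 3 document (not from any real service).
SPEC_JSON = json.dumps({
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.com/v1"}],
    "security": [{"bearerAuth": []}],      # global default: every operation needs a bearer token
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"summary": "Fetch a user"},
            "delete": {"summary": "Delete a user", "security": [{"bearerAuth": ["admin"]}]},
        },
        "/public/status": {"get": {"summary": "Health", "security": []}},   # opts out of auth
        "/admin/export": {"post": {"summary": "Bulk export", "x-internal": True}},
    },
})


def load_spec(raw=SPEC_JSON):
    """Parse a JSON OpenAPI document (a YAML spec would need PyYAML's safe_load instead)."""
    return json.loads(raw)


def enumerate_operations(spec):
    """One record per (method, path), resolving the effective security requirement.

    Per the OpenAPI spec an operation-level `security` key replaces the global one,
    and an empty list means the operation is explicitly unauthenticated.
    """
    base = (spec.get("servers") or [{"url": ""}])[0]["url"].rstrip("/")
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue                       # skip "parameters", "summary", vendor keys
            security = op.get("security", spec.get("security", []))
            schemes = sorted({name for requirement in security for name in requirement})
            ops.append({
                "method": method.upper(),
                "url": base + path,
                "auth": schemes,
                "has_path_params": "{" in path,
                "internal": bool(op.get("x-internal")),
            })
    return ops


def review(ops):
    """Triage notes: what to test first and why."""
    notes = []
    for op in ops:
        tag = f'{op["method"]} {op["url"]}'
        if not op["auth"]:
            notes.append(f"{tag}: no security requirement, test unauthenticated")
        if op["has_path_params"]:
            notes.append(f"{tag}: object identifier in path, test with another user's token (IDOR/BOLA)")
        if op["internal"]:
            notes.append(f"{tag}: marked x-internal but exposed in the spec")
    return notes


if __name__ == "__main__":
    operations = enumerate_operations(load_spec())
    for op in operations:
        print(op["method"], op["url"], "auth=" + (",".join(op["auth"]) or "none"))
    print()
    for note in review(operations):
        print("-", note)
```

Only the requirement names are resolved here; a spec can also list scopes (`["admin"]` on the DELETE above), which is a hint about which operations to retry with a lower-privileged token.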