Resources
- Core Concepts
- Exploitation
Commands
- General Info
# Passive starting points for a target: reverse-WHOIS pivot on the registrant
# data, then a plain DNS lookup (append +short to dig for the bare answer).
amass intel -whois -d 'facebook.com'
dig 'facebook.com'
- Reverse Lookup
https://viewdns.info/reverseip/?host=192.168.99.9&t=1
https://rapiddns.io/s/193.122.34.188#result
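# Hostnames rapiddns lists for one IP. The HTML is scraped, so the awk field
# index breaks if the page layout changes. curl never sends a "#fragment", so
# the "#result" anchor from the browser URL is dropped here.
curl -s 'https://rapiddns.io/s/193.122.74.189?full=1' \
  | awk -F'[<>]' '/<td>[a-z]/ {print $3}'
# Same query fanned out over a CIDR with interlace (_target_ is substituted per
# host). The -c argument is double-quoted, so the OUTER shell expands it first:
# $3 must be escaped as \$3, otherwise it becomes an (empty) positional
# parameter and awk prints whole lines. Keep threads modest; rapiddns rate-limits.
interlace -t 193.168.99.9/30 \
  -c "curl -s 'https://rapiddns.io/s/_target_?full=1' | awk -F'[<>]' '/<td>[a-z]/ {print \$3}'"   # multi-threading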
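# The distro "httpx" package is the Python HTTP client, not projectdiscovery's
# probe; purge it so `httpx` on PATH resolves to the Go binary. Quote the
# pattern so the shell does not glob-expand it against files in $PWD.
sudo apt purge '*httpx*'
# @latest is unpinned: for reproducible tooling pin a tag
# (github.com/projectdiscovery/httpx/cmd/httpx@vX.Y.Z). The Go module checksum
# database (GOSUMDB) verifies the download by default; do not disable it.
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
export PATH="$HOME/go/bin:$PATH"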
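# Full TCP+UDP port sweep of a single host. masscan needs root/CAP_NET_RAW,
# sends raw packets at up to 10k pps and is trivially detectable; run it only
# against targets in scope. --http-user-agent affects the banner grab only,
# not the scan itself. --max-rate is masscan's alias for --rate.
masscan 193.111.11.119 -p1-65535,U:1-65535 \
  --http-user-agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0' \
  -oL output.txt --max-rate 10000 --open-only
# -oL lines look like "open tcp 443 193.111.11.119 1700000000". Take the TCP
# hits, build ip:port pairs and let httpx report title/status code/length.
awk '$2 == "tcp" {print $4 ":" $3}' output.txt | httpx -title -sc -cl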
- ASN
https://bgp.he.net/
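amass intel -asn 44384   # passive: netblocks and domains attributed to the ASN
# ACTIVE sweep for exposed phpinfo.php over 91.232.0.0-91.236.255.255 (the
# reversed {6..2} brace range is valid; it just walks the /16s downward).
# That is ~330k sequential requests and is very noisy: authorization first.
# -x saves each hit as ./<ip>/phpinfo.php so a result can be attributed to its
# host, instead of piling up anonymous phpinfo.php.N files in $PWD; -q keeps
# stderr quiet. This is a range sweep, not an ASN lookup (see amass above).
for ipa in 91.23{6..2}.{0..255}.{0..255}; do
  wget -q -x -t 1 -T 5 "http://${ipa}/phpinfo.php"
done &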
- Text Search
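amass intel -org "ACME Groups"   # text search over RIR/WHOIS org names
# Quote the URL: an unquoted '?' is a glob character. zsh aborts with
# "no matches found", bash only passes it through if nothing in $PWD matches.
curl -s 'https://api.bgpview.io/search?query_term=paypal' | jq   # text search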
- Subdomain Enum :
- Prerequisites
# Build a list of resolvers that actually work before any brute force: dead or
# lying resolvers turn into false negatives and wildcard noise downstream.
dnsvalidator \
  -tL 'https://public-dns.info/nameservers.txt' \
  -threads 100 \
  -o resolvers.txt
- Content Security Policy
# Harvest hostnames from the CSP header: split on spaces, keep tokens with a
# dot, drop directive terminators and wildcard prefixes. The -i also catches
# Content-Security-Policy-Report-Only. A HEAD (-I) response may carry a
# different (or no) CSP than a GET, and no -L means redirects are not followed.
curl -sI 'https://api-s.sandbox.paypal.com' \
  | grep -iE 'content-security-policy|CSP' \
  | tr ' ' '\n' \
  | grep '\.' \
  | tr -d ';' \
  | sed 's/\*\.//g' \
  | sort -u
- Favicon
https://favicone.com/&lt;domain_name&gt;
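# Shodan's favicon hash is murmur3 over the BASE64-ENCODED icon with 76-column
# line wrapping (the default of `base64`), so the encoding step is required.
# Fetch over https explicitly: a bare host defaults to http:// and, without -L,
# a redirect body would be hashed instead of the icon. Needs `pip install mmh3
# shodan` and `shodan init <key>`. (The original one-liner was missing the
# opening parenthesis of mmh3.hash(...), a Python syntax error.)
curl -s 'https://www.paypalobjects.com/webstatic/icon/favicon.ico' \
  | base64 \
  | python3 -c 'import mmh3, sys; print(mmh3.hash(sys.stdin.buffer.read()))' \
  | xargs -I{} shodan search http.favicon.hash:{} --fields hostnames \
  | tr ';' '\n'   # manual one-liner
python3 favienum.py https://facebook.com
python3 favfreak.py --shodan < urls.txt   # reads URLs from stdin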
- OSINT (Web Archive, Censys, …)
https://grep.app/
SecurityTrails API: https://api.securitytrails.com
AlienVault OTX API: https://otx.alienvault.com/api
URLScan: https://urlscan.io/
HackerTarget: https://hackertarget.com/
Pentest-Tools: https://pentest-tools.com/
DNSdumpster: https://dnsdumpster.com/
crt.sh: https://crt.sh
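# rapiddns subdomain page. The grep pattern MUST match the domain that was
# queried; a pattern left over from another target silently returns nothing.
curl -s 'https://rapiddns.io/subdomain/facebook.com?full=1' \
  | grep -Eo '[a-zA-Z0-9.-]+\.facebook\.com' \
  | sort -u
urlfinder -d facebook.com -all
echo facebook.com | gau --subs
echo facebook.com | gau --subs | unfurl -u domains | sort -u
sublist3r -d facebook.com
# Never put the GitHub token on the command line: it lands in shell history,
# `ps` output and any terminal log. Export GITHUB_TOKEN once for the session
# (a read-only, fine-grained token is enough for code search) and pass it by
# reference; ${VAR:?} aborts with a message if it is not set.
python3 github-subdomains.py -t "${GITHUB_TOKEN:?export GITHUB_TOKEN first}" -d facebook.com -s -e
subcat -d facebook.com -o sub.txt -title -ip --up -td -c config.yaml   # the best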
- Certificates
# Certificate transparency: every cert crt.sh has logged for *.facebook.com.
# A name_value may contain several SANs separated by newlines; `jq -r` prints
# them one per line so `sort -u` dedupes. The sed strips wildcard prefixes.
# Single quotes replace the backslash-escaped ?, =, % and & of the bare form.
curl -s 'https://crt.sh/?q=%.facebook.com&output=json' \
  | jq -r '.[].name_value' \
  | sed 's/\*\.//g' \
  | sort -u
- Automation
# Passive only: no DNS resolution or probing against the target itself.
amass enum -passive -d 'facebook.com'
# Misc: working with the local amass graph database
amass db -list                   # enumerations stored locally
amass db -show -d 'owasp.org'    # print stored findings for one domain
amass viz -d3 -dir paypal        # D3 graph from the "paypal" graph directory
amass track -d 'paypal.com'      # diff successive enumerations of a domain
- Random Commands
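# Persist the Go bin dir for zsh. The grep guard keeps the line from being
# appended again on every run (the original added a duplicate each time);
# grep's stderr is silenced for the case where ~/.zshrc does not exist yet.
# `source` then reloads it into the current shell.
grep -qxF 'export PATH=$HOME/go/bin:$PATH' ~/.zshrc 2>/dev/null \
  || echo 'export PATH=$HOME/go/bin:$PATH' >> ~/.zshrc
source ~/.zshrc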
Wordlists