Web

Pentesting Web Applications Mindmap

Tools

nikto

$ nikto -h http://127.0.0.1 -Cgidirs all

dnsrecon

Perform reverse DNS lookup for IPs in subnet 10.10.10.0/24 with a name server at 192.168.1.11:

$ dnsrecon -r 10.10.10.0/24 -n 192.168.1.11 -d DoesNotMatter

gobuster

$ gobuster dir -ku 'https://127.0.0.1' -w /usr/share/wordlists/dirbuster/directory-list[-lowercase]-2.3-medium.txt -x php,asp,aspx,jsp,ini,config,cfg,xml,htm,html,json,bak,txt -t 50 -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0' -s 200,204,301,302,307,401 -o gobuster/127.0.0.1
$ gobuster dir -ku 'https://127.0.0.1' -w /usr/share/seclists/Discovery/Web-Content/raft-small-words[-lowercase].txt -x php,asp,aspx,jsp,ini,config,cfg,xml,htm,html,json,bak,txt -t 50 -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0' -s 200,204,301,302,307,401 -o gobuster/127.0.0.1

Note: gobuster 3.1 and later refuse to start when the -s status-code whitelist and the default -b 404 blacklist are both set; add -b '' to the commands above when using -s.

wfuzz

$ wfuzz -e encoders
$ wfuzz -c -u 'http://10.10.13.37/index.php?id=FUZZ' -w /usr/share/seclists/Fuzzing/4-digits-0000-9999.txt -f wfuzz.out --hh 1337
$ wfuzz -c -u 'http://10.10.13.37' --basic 'FUZZ:FUZ2Z' -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt -w /usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt --hc 1337

ffuf

aquatone

Default ports:

$ cat targets.txt | ./aquatone -ports 80,443,8000,8080,8443 -out 10.0-255.0-255.0-255

From Nmap XML:

$ ports=`cat nmap/tcp.gnmap | grep -ioP '\d+/open/tcp//http' | awk -F/ '{print $1}' | sort -u | awk 1 ORS=',' | sed 's/.$//'`
$ cat targets.txt | ./aquatone -ports $ports -out 10.0-255.0-255.0-255_nmap
Or, feeding the Nmap XML directly:
$ cat nmap/tcp.xml | ./aquatone -out 10.0-255.0-255.0-255_nmap
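The port-extraction pipeline above only matches plaintext HTTP: Nmap writes TLS-wrapped services to .gnmap as "ssl|http" (also "ssl|https-alt" and similar), so the pattern '\d+/open/tcp//http' drops every HTTPS port. The helper below is an added example, not part of the original notes or of aquatone; it allows the "ssl|" prefix, sorts numerically and de-duplicates. The sample .gnmap and host 10.10.10.5 are constructed so it runs offline.

```bash
#!/usr/bin/env sh
# Added example: collect HTTP(S) ports for aquatone from an Nmap grepable (.gnmap) file.
# Nmap records TLS-wrapped services as "ssl|http", "ssl|https-alt", ... in .gnmap, so a bare
# '/open/tcp//http' match silently drops every HTTPS port; this pattern allows the prefix.

# Usage: http_ports_from_gnmap nmap/tcp.gnmap
# Prints a comma-joined, numerically sorted, de-duplicated list of open TCP ports whose
# service name begins with "http" (optionally behind "ssl|"). Filtered/closed ports are skipped.
http_ports_from_gnmap() {
  grep -oE '[0-9]+/open/tcp//(ssl[|])?http[^/]*' "$1" \
    | cut -d/ -f1 \
    | sort -un \
    | paste -sd, -
}

# Constructed sample scan (hypothetical host 10.10.10.5), only so the demo runs offline.
demo_gnmap() {
  cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sV -oG nmap/tcp.gnmap 10.10.10.5
Host: 10.10.10.5 ()     Status: Up
Host: 10.10.10.5 ()     Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, 8080/open/tcp//http-proxy//Squid http proxy 4.10/, 8443/filtered/tcp//https-alt///       Ignored State: closed (65530)
EOF
}

tmp=$(mktemp)
demo_gnmap > "$tmp"
ports=$(http_ports_from_gnmap "$tmp")
echo "HTTP ports: $ports"      # 80,443,8080
# cat targets.txt | ./aquatone -ports "$ports" -out 10.0-255.0-255.0-255_nmap
rm -f "$tmp"
```

Run it against the real scan with http_ports_from_gnmap nmap/tcp.gnmap and pass the result to aquatone -ports; the 8443 entry in the sample is filtered, not open, and is correctly left out.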

amass

{% embed url="https://snovvcrash.github.io/2020/05/10/subdomain-discovery.html" caption="On subdomain discovery" %}

$ amass intel -active -config config.ini -whois -df domains.txt -ipv4 -src -v -o intel.out
$ amass enum -active -brute -config config.ini -df domains.txt -ipv4 -src -v -o enum.out

subfinder

$ subfinder -all -config config.yaml -d hackerone.com -o subdomains.txt [-oI -nW]

shuffledns

$ shuffledns -d hackerone.com -r /opt/dnsvalidator/resolvers.txt -w /usr/share/commonspeak2-wordlists/subdomains/subdomains.txt -o subdomains.txt -t 500

massdns

$ massdns -r /opt/dnsvalidator/resolvers.txt domains.txt -w domains-resolved.txt -o S

dnsx

$ dnsx -l dns.txt -resp -a -aaaa -cname -mx -ns -soa -txt
$ dnsx -d megacorp.local -r 192.168.0.11,192.168.0.22 -w /usr/share/seclists/Discovery/DNS/... -a -t 25 -o ~/ws/log/dnsx.log -silent

chaos

$ chaos -d megacorp.com -key <API_KEY> -http-status-code -http-title -http-url -o chaos.out

nuclei

{% embed url="https://twitter.com/reconone_/status/1540666730829082624" %}

$ nuclei -update-templates
$ nuclei -l domains.txt [-t cves] -o nuclei.out

Sort results:

# Manually
cat nuclei.out | grep -v '\[info\]' | grep '\] \[' | sort -k3
# Automated
curl -sSL "https://github.com/DingyShark/nuclei-scan-sort/raw/main/nuclei_sort.py" -o nuclei_sort.py
sed -i '1 i #!/usr/bin/env python3' nuclei_sort.py
chmod +x nuclei_sort.py
python3 nuclei_sort.py -i nuclei.out | grep -v info | grep . --color=none
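sort -k3 orders the severity column as text, which gives critical, high, low, medium, so medium findings end up below low ones. The helper below is an added example, not part of the original notes or of nuclei; it maps each severity to a rank and sorts on that. It expects the uncoloured line format nuclei writes with -o (use -nc if you pipe stdout instead); the sample output lines and the host app.megacorp.local are constructed.

```bash
#!/usr/bin/env sh
# Added example: order nuclei findings by severity rank instead of alphabetically.
# Default nuclei line format (as written by -o, no colour codes):
#   [template-id] [protocol] [severity] target [extracted-values]
# "sort -k3" sorts the 3rd field as text (critical, high, low, medium); this helper maps
# each severity to a rank so medium lands above low, and drops [info] findings.

# Usage: nuclei_by_severity nuclei.out
nuclei_by_severity() {
  grep -v '\[info\]' "$1" \
    | grep '\] \[' \
    | awk '
        BEGIN { rank["critical"] = 0; rank["high"] = 1; rank["medium"] = 2; rank["low"] = 3; rank["unknown"] = 4 }
        {
          sev = $3
          gsub(/\[|\]/, "", sev)                 # "[high]" -> "high"
          r = (sev in rank) ? rank[sev] : 5      # anything unexpected sinks to the bottom
          print r "\t" $0                        # prefix a sortable rank, tab-separated
        }' \
    | sort -k1,1n -k2 \
    | cut -f2-                                   # strip the rank prefix again
}

# Constructed sample nuclei output (hypothetical host app.megacorp.local), only for the demo.
demo_nuclei_out() {
  cat <<'EOF'
[tech-detect:nginx] [http] [info] https://app.megacorp.local
[ssl-issuer] [ssl] [info] app.megacorp.local:443 ["R3"]
[exposed-admin-panel] [http] [low] https://app.megacorp.local/admin/
[git-config-exposure] [http] [medium] https://app.megacorp.local/.git/config
[default-credentials] [http] [high] https://app.megacorp.local/manager/html
[hypothetical-unauth-rce] [http] [critical] https://app.megacorp.local/api/exec
EOF
}

f=$(mktemp)
demo_nuclei_out > "$f"
nuclei_by_severity "$f"        # critical, high, medium, low; the two [info] lines are dropped
rm -f "$f"
```

Matching the bracketed '\[info\]' rather than the bare word keeps findings whose template id merely contains "info" (a phpinfo check, for example) in the output.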

SSL / TLS:

$ nuclei -l domains.txt -t ssl -o nuclei-ssl.out
$ cat nuclei-ssl.out | grep -e deprecated-tls -e detect-ssl -e expired-ssl -e mismatched-ssl -e self-signed -e weak-cipher | sort -u

httpx

$ httpx -l domains.txt -vhost -http2 -pipeline -title -content-length -status-code -follow-redirects -tls-probe -content-type -location -csp-probe -web-server -stats -ip -cname -cdn -ports 80,81,300,443,591,593,832,981,1010,1311,2082,2087,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5800,6543,7000,7396,7474,8000,8001,8008,8014,8042,8069,8080,8081,8088,8090,8091,8118,8123,8172,8222,8243,8280,8281,8333,8443,8500,8834,8880,8888,8983,9000,9043,9060,9080,9090,9091,9200,9443,9800,9981,12443,16080,18091,18092,20720,28017 -threads 300 -o httpx.out