Approach
Recon
Sub Domain
Public Exploits
Assest Discovery
Google Search
Censys
censys.io
Look for SSL certificates
443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_name:bugcrowd.com
Look for Internal certificates
"COMPANY" + internal (get creative)=> might allow you to find a company internal subdomain or IP address not mentioned anywhere
Shodan
Web Archive
Sensitive info from public resources - github, gist, pastebin , Trello , google sites , google groups , prezi , scribd , slideshare , online IDE's , github wiki , Graffana , zookeeper
Javascript Recon / Client Side Recon
Reverse DNS / Whois
Retrive HTTP Status - https://twitter.com/HusseiN98D/status/1159912979695116293
Broken link hijacking
Reffere Header Check
Rate Limiting
BFAC - BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code. - https://github.com/mazen160/bfac
Bruteforce GET / POST methods
Vhost bruteforcing
content discovery - For Content Discovery : gau, Paramspider, Waybackurl, httpx, Subfinder, sublist3r,
urlscan.io Get directory and files from@urlscanio public scans for fun & profit url(){ gron "https://urlscan.io/api/v1/search/?q=domain:$1…" | grep 'url' | gron --ungron } $source .bash_profile $url http://target.com Make sure you have@TomNomNom gron installed
Last updated
Was this helpful?