====== Toolkit & Setup ======

Tools used in the zseano/drew combined methodology.

===== Recon Tools =====

^ Tool ^ Purpose ^ Command ^
| **amass** | subdomain enumeration | ''amass enum -brute -active -d domain.com -o amass-output.txt'' |
| **subfinder** | passive subdomain enum | ''subfinder -d domain.com -o subs.txt'' |
| **httprobe** | find live http/https servers | ''cat subs.txt | httprobe -p http:81 -p http:3000 -p https:8443 -c 50'' |
| **dnsgen** | subdomain permutations | ''cat subs.txt | dnsgen - | httprobe'' |
| **anew** | diff old vs new lists | ''cat new.txt | anew old.txt'' |
| **aquatone** | screenshots of domains | ''cat domains.txt | aquatone'' |
| **certspotter** | cert transparency | ''curl https://certspotter.com/api/v0/certs?domain=domain.com'' |
| **gau** | fetch known URLs | ''gau domain.com'' |
| **waybackurls** | historical URLs | ''waybackurls domain.com'' |

===== Testing Tools =====

^ Tool ^ Purpose ^
| **Burp Suite** | intercept, modify & repeat requests |
| **ffuf** | directory and file fuzzing |
| **sqlmap** | SQL injection automation |
| **nuclei** | template-based scanning |
| **parameth / Arjun** | brute force hidden parameters |
| **linkfinder** | scrape URLs from JavaScript files |
| **inputscanner** | scrape input names, IDs, JS params |
| **autorize** | Burp plugin for authorization testing |
| **retire.js** | detect vulnerable JS libraries |
| **dalfox** | XSS scanner |

===== Key Commands =====

==== Subdomain Pipeline ====

<code bash>
amass enum -brute -active -d target.com -o amass-output.txt
subfinder -d target.com -o subs.txt
cat amass-output.txt subs.txt | sort -u | httprobe -p http:81 -p http:3000 -p https:8443 -c 50 | tee online.txt
cat online.txt | aquatone
</code>

==== Directory Fuzzing ====

<code bash>
ffuf -ac -v -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
</code>

==== Historical URL Mining ====

<code bash>
gau target.com | sort -u > gau-urls.txt
waybackurls target.com | sort -u > wb-urls.txt
</code>

==== JS Endpoint Extraction ====

<code bash>
gau target.com | grep "\.js$"
cat file.js | grep -oP '(https?://[^\s"'"'"']+|/[a-zA-Z0-9_/-]+)'
</code>

==== SSRF Redirect Server ====

<code bash>
php -S 0.0.0.0:8080
# then expose via ngrok
ngrok http 8080
</code>

===== Wordlists =====

  * **SecLists** -- danielmiessler/SecLists (everything)
  * **RAFT lists** -- directory bruteforcing
  * **commonspeak** -- pentester.io/commonspeak (bigquery-generated)
  * **Custom per-target** -- build as you go from discovered endpoints/params

===== See Also =====

  * [[zseano:recon|Recon Methodology]]
  * [[zseano:start|Methodology Index]]
  * [[tbhm:02_discovery|TBHM Discovery]]
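The JS Endpoint Extraction step above relies on a single grep pattern; this added Python example (not part of the original page or either methodology) does the same job as a reusable function for inventorying the endpoints a site's own JavaScript references, and goes slightly further than the grep by only taking root-relative paths that open a string literal (which drops division-operator and comment noise), keeping query strings, and de-duplicating in order of first appearance. The sample JavaScript is constructed for the demonstration.

```python
import re

# Absolute http(s) URLs, stopping at whitespace, quotes or angle brackets.
ABS_URL = re.compile(r'https?://[^\s"\'<>]+')
# Root-relative paths, only when a quote sits immediately before the '/'
# (i.e. the path opens a string literal); a bare '/[...]+' would also match
# division operators and '//' comments.
REL_PATH = re.compile(r'''(?<=["'])(/[a-zA-Z0-9_/.?=&%-]+)''')


def extract_endpoints(js: str) -> dict:
    """Return unique absolute URLs and root-relative paths found in JS source,
    each list in order of first appearance."""
    seen, absolute, relative = set(), [], []
    for m in ABS_URL.finditer(js):
        url = m.group(0).rstrip(".,;)")  # trailing punctuation from comments/prose
        if url not in seen:
            seen.add(url)
            absolute.append(url)
    for m in REL_PATH.finditer(js):
        path = m.group(1)
        if path == "/" or path.startswith("//"):  # bare root or protocol-relative prefix
            continue
        if path not in seen:
            seen.add(path)
            relative.append(path)
    return {"absolute": absolute, "relative": relative}


# Constructed sample JS (not from any real site) exercising the edge cases above.
SAMPLE_JS = """
const api = "https://api.example.com/v1/users";
fetch('/internal/admin/export?format=csv');
img.src = "/static/logo.png";
var base = '/';
var ratio = width / height;
// docs live at https://example.com/docs.
"""

if __name__ == "__main__":
    for kind, items in extract_endpoints(SAMPLE_JS).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Feed it a file downloaded from the ''gau ... | grep "\.js$"'' list instead of the sample to get the same two lists for real assets.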