Table of Contents

Toolkit & Setup

Tools used in the zseano/drew combined methodology.

Recon Tools

Tool Purpose Command
amass subdomain enumeration amass enum -brute -active -d domain.com -o amass-output.txt
subfinder passive subdomain enum subfinder -d domain.com -o subs.txt
httprobe find live http/https servers cat subs.txt | httprobe -p http:81 -p http:3000 -p https:8443 -c 50
dnsgen subdomain permutations cat subs.txt | dnsgen - | httprobe
anew diff old vs new lists cat new.txt | anew old.txt
aquatone screenshots of domains cat domains.txt | aquatone
certspotter cert transparency curl https://certspotter.com/api/v0/certs?domain=domain.com
gau fetch known URLs gau domain.com
waybackurls historical URLs waybackurls domain.com

Testing Tools

Tool Purpose
Burp Suite intercept, modify & repeat requests
ffuf directory and file fuzzing
sqlmap SQL injection automation
nuclei template-based scanning
parameth / Arjun brute force hidden parameters
linkfinder scrape URLs from javascript files
inputscanner scrape input names, IDs, JS params
autorize Burp plugin for authorization testing
retire.js detect vulnerable JS libraries
dalfox XSS scanner

Key Commands

Subdomain Pipeline

amass enum -brute -active -d target.com -o amass-output.txt
subfinder -d target.com -o subs.txt
cat amass-output.txt subs.txt | sort -u | httprobe -p http:81 -p http:3000 -p https:8443 -c 50 | tee online.txt
cat online.txt | aquatone

Directory Fuzzing

ffuf -ac -v -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt

Historical URL Mining

gau target.com | sort -u > gau-urls.txt
waybackurls target.com | sort -u > wb-urls.txt

JS Endpoint Extraction

gau target.com | grep "\.js$"
cat file.js | grep -oP '(https?://[^\s"'"'"']+|/[a-zA-Z0-9_/-]+)'

SSRF Redirect Server

<?php header("Location: ".$_GET['url']); ?>
php -S 0.0.0.0:8080
# then expose via ngrok
ngrok http 8080

Wordlists

See Also