zseano:toolkit
Table of Contents
Toolkit & Setup
Tools used in the zseano/drew combined methodology.
Recon Tools
| Tool | Purpose | Command |
|---|---|---|
| amass | subdomain enumeration | amass enum -brute -active -d domain.com -o amass-output.txt |
| subfinder | passive subdomain enum | subfinder -d domain.com -o subs.txt |
| httprobe | find live http/https servers | cat subs.txt | httprobe -p http:81 -p http:3000 -p https:8443 -c 50 |
| dnsgen | subdomain permutations | cat subs.txt | dnsgen - | httprobe |
| anew | diff old vs new lists | cat new.txt | anew old.txt |
| aquatone | screenshots of domains | cat domains.txt | aquatone |
| certspotter | cert transparency | curl https://certspotter.com/api/v0/certs?domain=domain.com |
| gau | fetch known URLs | gau domain.com |
| waybackurls | historical URLs | waybackurls domain.com |
Testing Tools
| Tool | Purpose |
|---|---|
| Burp Suite | intercept, modify & repeat requests |
| ffuf | directory and file fuzzing |
| sqlmap | SQL injection automation |
| nuclei | template-based scanning |
| parameth / Arjun | brute force hidden parameters |
| linkfinder | scrape URLs from javascript files |
| inputscanner | scrape input names, IDs, JS params |
| autorize | Burp plugin for authorization testing |
| retire.js | detect vulnerable JS libraries |
| dalfox | XSS scanner |
Key Commands
Subdomain Pipeline
amass enum -brute -active -d target.com -o amass-output.txt subfinder -d target.com -o subs.txt cat amass-output.txt subs.txt | sort -u | httprobe -p http:81 -p http:3000 -p https:8443 -c 50 | tee online.txt cat online.txt | aquatone
Directory Fuzzing
ffuf -ac -v -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
Historical URL Mining
gau target.com | sort -u > gau-urls.txt waybackurls target.com | sort -u > wb-urls.txt
JS Endpoint Extraction
gau target.com | grep "\.js$" cat file.js | grep -oP '(https?://[^\s"'"'"']+|/[a-zA-Z0-9_/-]+)'
SSRF Redirect Server
<?php header("Location: ".$_GET['url']); ?>
php -S 0.0.0.0:8080 # then expose via ngrok ngrok http 8080
Wordlists
- SecLists – danielmiessler/SecLists (everything)
- RAFT lists – directory bruteforcing
- commonspeak – pentester.io/commonspeak (bigquery-generated)
- Custom per-target – build as you go from discovered endpoints/params
See Also
zseano/toolkit.txt · Last modified: by drew