Quepinch

Asset-Discovery-oneliner - Tools and tips to do recon easily

May 11, 2022

This write-up is application-focused: a collection of tools and commands I keep for my own reference when doing recon during website security testing, which for me means bug bounty work. I hope you find some hints and ideas in it.

I found and learned these over my last 3 months of practice. There may be more mature ways of doing this; if you know one, please add value by commenting.

"All tools mentioned in this write-up run on Kali/Linux and can be downloaded from GitHub."



Related domain

cat domains.txt | haktrails associateddomains

(haktrails queries the SecurityTrails API, so it needs an API key in its config file before any of its subcommands return results.)

host url.com

whatweb url.com

1. Look up the target's ASN and announced prefixes: https://bgp.he.net/

2. Pull the route objects registered for that ASN from the RADB IRR (AS13414 is used here as an example; the inverse query is "-i origin <ASN>", with a space before the AS number):

whois -h whois.radb.net -- '-i origin AS13414' | grep -Eo "([0-9.]+){4}/[0-9]+" | head

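
The grep in the RADB one-liner above is loose: "([0-9.]+){4}" is just any run of four or more digits or dots, so a date or version string in a descr: line also comes out as a "prefix", and IPv6 route6: objects never match at all. The following is an added example (not from the original post) that parses the route:/route6: attributes directly instead. The whois output is constructed for the example using RFC 5737/RFC 3849 documentation prefixes and a private-use ASN, not real RADB data.

```bash
# Constructed sample of RADB route objects (not real whois output):
# documentation prefixes, private-use ASN, and one prefix registered twice
# in different IRR sources, plus a descr: line containing a date.
RADB_SAMPLE='route:          192.0.2.0/24
descr:          Example Net, created 2022/05
origin:         AS64500
source:         RADB

route:          198.51.100.0/24
descr:          Example Net
origin:         AS64500
source:         RADB

route:          192.0.2.0/24
descr:          duplicate object in a second IRR
origin:         AS64500
source:         ALTDB

route6:         2001:db8::/32
descr:          Example Net v6
origin:         AS64500
source:         RADB
'

# The extraction used by the one-liner: any run of >= 4 digits/dots followed
# by "/digits". Matches "2022/05" from the descr: line, repeats duplicate
# prefixes, and misses the route6: object entirely.
routes_loose() {
    grep -Eo '([0-9.]+){4}/[0-9]+'
}

# Strict extraction: only the value of route:/route6: attributes, deduplicated
# so a prefix mirrored in several IRR sources is listed once.
routes_strict() {
    awk '$1 == "route:" || $1 == "route6:" { print $2 }' | sort -u
}

# Usage: feed real output with
#   whois -h whois.radb.net -- '-i origin AS64500' | routes_strict
printf '%s' "$RADB_SAMPLE" | routes_strict
```

On the constructed sample routes_loose returns four lines including the bogus 2022/05, while routes_strict returns the three distinct prefixes, IPv6 included. Prefixes found this way are what is registered, not necessarily what is announced, so cross-check against bgp.he.net before scanning a range.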
Subdomain

subfinder -d google.com | httpx | tee domains1.txt

assetfinder google.com | httpx | tee domain.txt

(assetfinder also returns related domains by default; add --subs-only to get only subdomains of the given domain.)

cat domains.txt | haktrails subdomains

massdns -r lists/resolvers.txt -t AAAA domains.txt > results.txt

amass enum --passive -d <DOMAIN>

python altdns.py -i input_domains.txt -o ./output/path -w altdns/words.txt

gospider -s "https://site.com" -c 5 -t 100 -d 5 --blacklist jpg,jpeg,gif,css,tif,tiff,png,ttf,woff,woff2,ico,pdf,svg,txt | grep -Eo '(http|https)://[^/"]+' | anew hosts.txt

curl -s "https://crt.sh/?q=%25.att.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | httpx -title -silent | anew live.txt
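
Each of the tools above prints hostnames in a slightly different shape: httpx emits full URLs with scheme and sometimes a port, crt.sh returns wildcard entries like *.dev.example.com, some sources add a trailing dot or upper-case names, and assetfinder mixes in unrelated domains. Before feeding the merged list into massdns or nuclei it is worth normalizing it once. The following is an added example (not from the original post); the target example.com and the raw tool output are constructed for the example.

```bash
# Constructed sample: concatenated raw output of several enumeration tools
# for the hypothetical target example.com (not real scan output).
RAW_SUBS='https://WWW.example.com
https://api.example.com:8443
*.dev.example.com
api.example.com.
mail.example.com
example.com
example.org
notexample.com
example.com.evil.net
api.example.com
'

# Normalize and scope-filter enumeration output for one root domain:
#  - lowercase everything
#  - strip the scheme, port and path that httpx adds
#  - strip crt.sh wildcard prefixes and trailing dots
#  - keep only the root itself and names ending in ".<root>"
#    (so notexample.com and example.com.evil.net are dropped)
#  - deduplicate
normalize_subdomains() {
    root="$1"
    tr 'A-Z' 'a-z' \
    | sed -E 's#^[a-z]+://##; s#[:/].*$##; s#^\*\.##; s#\.$##' \
    | awk -v root="$root" 'NF && ($0 == root || substr($0, length($0) - length(root)) == "." root)' \
    | sort -u
}

# Usage with real data:
#   cat domains1.txt domain.txt crt.txt | normalize_subdomains example.com > scope.txt
printf '%s' "$RAW_SUBS" | normalize_subdomains example.com
```

The suffix check is the important part: a plain grep for "example.com" would happily keep example.com.evil.net and notexample.com, both of which are out of scope for a bug bounty program and, in the first case, possibly attacker-controlled.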

URLS

assetfinder google.com | hakrawler -plain | hakcheckurl | grep -v 404 | tee live_urls.txt

(-plain is a hakrawler v1 flag; v2 dropped it and expects full URLs on stdin, so with v2 put httpx between assetfinder and hakrawler.)

waybackurls https://twitter.com


https://web.archive.org/cdx/search/cdx?url=*.coindcx.com/*&output=text&fl=original&collapse=urlkey

(Quote this URL when passing it to curl; the & characters are otherwise interpreted by the shell.)

gospider -s "https://coindcx.com/" -o output -c 10 -d 1 | gf sqli

Wordlist Gen

cat hosts.txt | waybackurls | wordlistgen

cat hosts.txt | wordlistgen -qv > urlComponents.txt
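
What wordlistgen does with those URLs is split each one into the pieces that are worth fuzzing later: directory and file names for the brute-forcing section further down, and query parameter names for parameter discovery. The following is an added example (not from the original post, and not wordlistgen's own code) that builds the same two lists with standard tools, so the logic is visible. The URLs are constructed for the example against the hypothetical target example.com.

```bash
# Constructed sample of URLs as waybackurls/gospider would emit them
# (not real crawl output) for the hypothetical target example.com.
URL_SAMPLE='https://example.com/admin/login.php?user=admin&redirect=/dashboard
https://example.com/api/v1/users?id=1&format=json
https://example.com/static/css/main.css
https://example.com/admin/
https://example.com/api/v1/users/42/profile?id=2
'

# Directory and file name components of each URL path, one per line, deduped.
# Scheme and host are stripped first, then the query string, so a "/" inside
# a parameter value (redirect=/dashboard) does not leak into the list.
path_words() {
    sed -E 's#^[a-z]+://[^/]+##; s#\?.*$##' \
    | tr '/' '\n' \
    | awk 'NF' \
    | sort -u
}

# Query-string parameter names, deduped: the seed list for parameter fuzzing.
query_keys() {
    grep -o '?.*' \
    | sed 's/^?//' \
    | tr '&' '\n' \
    | cut -d= -f1 \
    | awk 'NF' \
    | sort -u
}

# Usage with real data:
#   cat hosts.txt | waybackurls | path_words > paths.txt
#   cat hosts.txt | waybackurls | query_keys > params.txt
printf '%s' "$URL_SAMPLE" | path_words
printf '%s' "$URL_SAMPLE" | query_keys
```

On the sample this yields ten path components (including the numeric id 42, which is usually worth pruning before it goes into ffuf) and four parameter names: format, id, redirect and user.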

JavaScript Parser

python linkfinder.py -i https://coindcx.com/2-es2015.04cd7d3b5decbdd78e65.js -o cli

(Without -o cli, LinkFinder writes an HTML report instead of printing the endpoints to the terminal.)

End point discovery

echo https://google.com | hakrawler

cat urls.txt | hakrawler -proxy http://localhost:8080

feroxbuster -u https://seek.com.au

Directory brute forcing

wfuzz -w wordlist/general/common.txt --hc 404 http://testphp.vulnweb.com/FUZZ

ffuf -w wordlist -u https://domain.com/FUZZ/ -mc 200

python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist -t 20

python3 dirsearch.py -e php,html,js -u https://target -r --recursion-depth 3 --recursion-status 200-399 -t 20

python3 dirsearch.py -e php,html,js -u https://target -r --exclude-subdirs image/,media/,css/ -t 20

Shodan recon


https://twitter.com/AseemShrey/status/1508059759491964928

Scanner

nuclei -list urls.txt

nuclei -l urls.txt -t /home/kali/tools/nuclei-templates/cves


https://cheatsheet.haax.fr/web-pentest/tools/nuclei/




What are your suggestions? If you use other techniques, let me know in the comments.

Thanks for reading. 


Bugbounty
Cyber Security
Information Security
Recon
Author
Piyush Jain

Infosec Professional