- RECON AND DISCOVERY
- ASNs ========================================================
- bgp.he.net << ASN search company name
- $ whois -h whois.cymru.com $(dig +short example.com)
- $ amass intel -org Company
- $ amass intel -asn XXXXX
- https://whois.arin.net/ui/query.do
- https://apps.db.ripe.net/db-web-ui/#/fulltextsearch
- https://www.shodan.io/search?query=org%3a%22COMPANY%22
- =============================================================
- BRAND / TLD =================================================
- https://www.owler.com/company/COMPANY
- https://www.crunchbase.com/organization/COMPANY#section-acquisitions
- https://acquiredby.co/?s=COMPANY&submit=Search
- https://builtwith.com/example.com
- https://www.shodan.io/search?query=http.favicon.hash:81586312
- WIKIPEDIA
- LINKEDIN
- $ amass intel -d example.com -whois
- =============================================================
- SUBDOMAIN ENUMERATION =======================================
- $ amass enum -d example.com -ip
- $ subfinder -d example.com -silent
- * jhaddix all.txt
- * altdns = altdns -l ~/urls.txt -o output.txt
- * commonspeak = https://github.com/assetnote/commonspeak2/releases
- * massdns = massdns -r lists/resolvers.txt -t CNAME all.txt -o S > results.txt
- * gobuster3
- * https://opendata.rapid7.com/sonar.fdns_v2/2019-07-26-1564183467-fdns_any.json.gz
- $ pv <filename> | pigz -dc | grep -E "\.example\.com\"," | jq -r '.name'
- $ certstream | grep -E "\.example\.com$"
- =============================================================
- FINGERPRINT =================================================
- https://builtwith.com/example.com
- * WAPPALYZER
- $ whatweb example.com
- $ masscan -p-65535 $(dig +short example.com) --rate 10000
- $ nmap -sV -p <ports from masscan> example.com
- $ cat urls.txt | aquatone
- =============================================================
- DORKING =====================================================
- https://www.shodan.io/search?query=org%3a%22COMPANY%22
- https://www.shodan.io/search?query=ssl%3a%22COMPANY%22
- https://www.shodan.io/search?query=ssl%3a%22COMPANY%22+http.component%3A%22Drupal%22
- https://www.shodan.io/search?query=ssl%3a%22COMPANY%22+http.title%3A%22login%22
- https://www.shodan.io/search?query=http.favicon.hash:81586312
- https://censys.io/ipv4?q=443.https.tls.certificate.parsed.subject.organizational_unit%3A+COMPANY
- --GITHUB--
- "example.com" "ssh|sftp|ftp|proxy|vpn|vsphere|internal|siem|firewall"
- "Company" password|secret|credentials|token|config|key|pass|login|ftp|pwd
- "Company" security_credentials|connectionstring|JDBC|ssh2_auth_password|send_keys|send,keys
- "Company" language:{programming language} keyword
- "Company" language:{programming language} keyword NOT some_keyword_you_dont_want
- org:organization_name
- user:username_github
- "example.com" dotfiles
- --------
- https://github.com/codingo/dorky
- =============================================================
- CONTENT DISCOVERY ===========================================
- * Burp crawler
- * Linkfinder
- * jsparser
- $ gobuster dir -u https://example.com -w wordlist.txt
- $ recursebuster -u https://example.com -w wordlist.txt
- $ echo www.example.com | otxurls
- $ echo www.example.com | waybackurls
- ~ Burp Plugin Asset Discovery by redhuntlabs
- =============================================================
- PARAMETER DISCOVERY =========================================
- * parameth
- ~ Burp Plugin backslash-powered-scanner by @albinowax
- =============================================================
- AUTOMATION ==================================================
- https://github.com/codingo/Interlace
- https://github.com/nahamsec/lazyrecon
- =============================================================
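The SUBDOMAIN ENUMERATION section above filters the Rapid7 FDNS dump with a grep on `.example.com",` before handing lines to jq. That pattern depends on field order and on the `name` field being followed by another field, misses the apex name, and does not normalise case or trailing dots. The script below is an added example (not part of the paste) that parses each JSON line instead, keeps only hostnames inside the zone on a label boundary (so `notexample.com` and `example.com.attacker.test` are rejected), and also collects CNAME targets that point back into the zone. It assumes the record layout shown in the constructed sample; the dump path and domain are placeholders. Defenders use the same filter to build an inventory of their own externally visible hostnames from a passive DNS dataset.

```python
"""Filter Rapid7-style forward-DNS (FDNS) JSON lines for one domain's names.

Added example for the SUBDOMAIN ENUMERATION section; not from the paste.
Each FDNS line is assumed to be a JSON object like
    {"timestamp":"...","name":"www.example.com","type":"a","value":"192.0.2.10"}
"""
import gzip
import json
from typing import Iterable, Set


def in_zone(hostname: str, domain: str) -> bool:
    """True if hostname is `domain` itself or a subdomain of it.

    Comparison is case-insensitive, ignores a trailing dot, and requires a
    label boundary, so "notexample.com" is not inside "example.com".
    """
    host = hostname.rstrip(".").lower()
    zone = domain.rstrip(".").lower()
    return host == zone or host.endswith("." + zone)


def fdns_names(lines: Iterable[str], domain: str) -> Set[str]:
    """Return the distinct hostnames in FDNS JSON lines that belong to `domain`.

    A record counts if its `name` is in the zone, or if it is a CNAME whose
    `value` points into the zone (hosts seen only as alias targets).
    Malformed lines are skipped rather than aborting a multi-GB run.
    """
    found: Set[str] = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate junk lines in a large dump
        name = rec.get("name", "")
        value = rec.get("value", "")
        if in_zone(name, domain):
            found.add(name.rstrip(".").lower())
        if rec.get("type", "").lower() == "cname" and in_zone(value, domain):
            found.add(value.rstrip(".").lower())
    return found


def fdns_names_from_gzip(path: str, domain: str) -> Set[str]:
    """Stream a .json.gz FDNS dump line by line without decompressing to disk."""
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fdns_names(fh, domain)


# Constructed sample records in the FDNS layout (not real data).
SAMPLE_FDNS = """\
{"timestamp":"1564183467","name":"www.example.com","type":"a","value":"192.0.2.10"}
{"timestamp":"1564183467","name":"Mail.Example.COM.","type":"a","value":"192.0.2.25"}
{"timestamp":"1564183467","name":"notexample.com","type":"a","value":"198.51.100.7"}
{"timestamp":"1564183467","name":"example.com","type":"a","value":"192.0.2.1"}
{"timestamp":"1564183467","name":"shop.example.org","type":"cname","value":"cdn-edge.example.com"}
{"timestamp":"1564183467","name":"example.com.attacker.test","type":"a","value":"203.0.113.9"}
this line is not json
"""


def demo() -> list:
    """Run the filter over the constructed sample and return sorted hostnames."""
    return sorted(fdns_names(SAMPLE_FDNS.splitlines(), "example.com"))


if __name__ == "__main__":
    # Placeholder usage against a real dump would be:
    #   for h in sorted(fdns_names_from_gzip("fdns_any.json.gz", "example.com")): print(h)
    for host in demo():
        print(host)
```

Running the sample yields four names: the apex, `www`, the case-normalised `mail`, and the CNAME target `cdn-edge.example.com`; the look-alike `notexample.com` and the `example.com.attacker.test` suffix trick are dropped.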