enum

PORTSCANNING

Copy 
nmap -p- -sT -sV -A $IP
nmap -p- -sC -sV $IP --open
nmap -p- --script=vuln $IP

HTTP-Methods

Copy 
nmap --script http-methods --script-args http-methods.url-path='/website' --script smb-enum-shares
rustscan -a $IP -- -sT -sV
rustscan -a $IP -- -sC -sV --open
rustscan -a $IP -- -sV -sC -T4

WPSCAN

WPScan & SSL

Copy 
wpscan --url $URL --disable-tls-checks --enumerate p --enumerate t --enumerate u

WPScan Brute Forceing:

Copy 
wpscan --url $URL --disable-tls-checks -U users -P /usr/share/wordlists/rockyou.txt

Aggressive Plugin Detection:

Copy 
wpscan --url $URL --enumerate p --plugins-detection aggressive

SCANNERS

Copy 
nikto --host $IP -ssl -evasion 1

SEE EVASION MODALITIES.

wafw00f -a domain.com

SUBDOMAIN RECON

Discovery

Copy 
subfinder -d <domain> -all
sublist3r -d <domain>

Probing

Copy 
httpx -l <domain_list> -sc -location -cdn -server -fc 404 -rl <int>

Screenshots

Copy 
httpx -l <domain_list> -fc 404 -o <resolved_list> -rl <int>
cat <resolved_list> | aquatone

DNSRECON

Copy 
dnsrecon –d yourdomain.com
dnsenum --noreverse -s 1 yourdomain.com
amass enum -d yourdomain.com

SPIDERING

Copy 
gospider -s https://site.com -c 1 -k 1000 // Spider single site with a delay of 1s
gospider -S sites.txt -c 1 -k 1000 // Spider urls from a file with a delay of 1s

echo "https://site.com" | hakrawler // Single site hakrawl
cat sites.txt | hakrawler // Multiple Urls

subjs -i sites.txt // Gather JS files

xnlinkfinder -i endpoints.txt -sf site.com -prefixed // Parse from gathered endpoints or js files and find more paths

GOBUSTER

Copy 
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30

gobuster files

Copy 
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-files.txt -k -t 30

gobuster for SubDomain brute forcing:

Copy 
gobuster dns -d domain.org -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 30

"just make sure any DNS name you find resolves to an in-scope address before you test it"

Extract IPs from a text file.

Copy 
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' nmapfile.txt

FFUF

Copy 
ffuf -w /usr/share/SecLists/Fuzzing/XSS/XSS-BruteLogic.txt "$URL"
ffuf -w /usr/share/SecLists/Fuzzing/XSS/XSS-Jhaddix.txt "$URL"

COMMAND INJECTION WITH POST DATA

Copy 
ffuf -w /usr/share/SecLists/Fuzzing/command-injection-commix.txt -d "doi=FUZZ" "$URL"

Test for Paramter Existence!

Copy 
ffuf -w /usr/share/SecLists/Discovery/Web-Content/burp-parameter-names.txt "$URL"

AUTHENTICATED FUZZING DIRECTORIES:

Copy 
ffuf -w /usr/share/SecLists/Discovery/Web-Content/raft-medium-directories.txt --hc 404 -d "SESSIONID=value" "$URL"

AUTHENTICATED FILE FUZZING:

Copy 
ffuf -w /usr/share/SecLists/Discovery/Web-Content/raft-medium-files.txt --hc 404 -d "SESSIONID=value" "$URL"

FUZZ Directories:

Copy 
ffuf -w /usr/share/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"

FUZZ FILES:

Copy 
ffuf -w /usr/share/SecLists/Discovery/Web-Content/raft-large-files.txt --hc 404 "$URL"

FUZZ LARGE WORDS:

Copy 
ffuf -w /usr/share/SecLists/Discovery/Web-Content/raft-large-words.txt --hc 404 "$URL"

FUZZ USERS:

Copy 
ffuf -w /usr/share/SecLists/Usernames/top-usernames-shortlist.txt --hc 404,403 "$URL"

Command Injection with commix, ssl, waf, random agent.

Copy 
commix --url="https://supermegaleetultradomain.com?parameter=" --level=3 --force-ssl --skip-waf --random-agent

SQLMap

Copy 
sqlmap -u $URL --threads=2 --time-sec=10 --level=2 --risk=2 --technique=T --force-ssl
sqlmap -u $URL --threads=2 --time-sec=10 --level=4 --risk=3 --dump
/SecLists/Fuzzing/alphanum-case.txt

Social Recon

Copy 
theharvester -d domain.org -l 500 -b google

Nmap HTTP-methods

Copy 
nmap -p80,443 --script=http-methods  --script-args http-methods.url-path='/directory/goes/here'

SMTP USER ENUM

Copy 
smtp-user-enum -M VRFY -U /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -t $IP
smtp-user-enum -M EXPN -U /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -t $IP
smtp-user-enum -M RCPT -U /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -t $IP
smtp-user-enum -M EXPN -U /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -t $IP

Command Execution Verification - [Ping check]

Copy 
tcpdump -i any -c5 icmp

Check Network

Copy 
netdiscover /r 0.0.0.0/24

INTO OUTFILE D00R

Copy 
SELECT “” into outfile “/var/www/WEROOT/backdoor.php”;

Follow me on : Medium Linkedin Researchgate