massdns -r /usr/share/sniper/plugins/massdns/lists/resolvers.txt $LOOT_DIR/domains/domains-$TARGET-alldns.txt -o S -t A -w $LOOT_DIR/domains/domains-$TARGET-massdns.txt
Tools
exploit
:msfconsole
sqlmap
jexboss
[python][maybe]
# JBoss verify and exploitation tool
shocker.py
[python][maybe]
# Shellshock tester
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80
smuggler
[python][maybe]
# HTTP request smuggling / desync testing tool
clusterd
[python][maybe]
# JBoss, ColdFusion, WebLogic, Tomcat, Railo, Axis2, Glassfish
zarp
# Local networks exploitation tool
utils
:gf
# pattern matching
arjun
# parameter detection
searchsploit
# search exploit from CVEs
cook
# wordlist generator
vuln
:nuclei
nmap
NSE scripts:vulscan
vulners
dalfox
# LFI / XSS automated tester
grype
# Scan vulnerabilities in code, containers and repositories
gitleaks
# Scan secrets in Git repositories
deepfense/SecretScanner
# unprotected secrets in container images and file systems
nosqli
# Scan NoSQLI vulns
trivy
# Scan vulnerabilities and misconfigurations in code, containers, repositories, GKE, EKS, ...
tfsec
# Terraform security scanner
nikto
[perl][maybe, obsolete]
# HTTP vulnerability scanner
cmsmap
[python][maybe]
# Find vulnerabilities in common CMS (Wordpress, Joomla, Drupal, Moodle)
arachni
->scnr
Inject-X fuzzer
[python][maybe]
# Scan dynamic URLs for common OWASP vulns
wapiti3
[python][maybe]
vuls
bruteforce
:hydra
# Network service pentest tool
BruteX
binary
:AFplusplus
# Binary fuzzer for dinosaurs
recon
:recon/multi
:blackwidow
[python][maybe]
scilla
bane
# Python-based XSS / RCE tester + attack framework
V3n0m-Scanner
# LFI / RCE / XSS / Dorks / AdminPage finder, DNS bruteforce, FTP scan
legion
# cmd automator, can get some good CLI commands here
recon/windows
:recon/network/internal
:recon/network
:nmap
fingerprintx
# Service detection on open ports
wafwoof
whois
[shell][maybe]
# Network utility (WHOIS)
ssh-audit
[python][maybe]
# SSH server and client auditing
arp
sslscan
:sslscan --no-failed $TARGET
asnip
:asnip -t $TARGET
hackertarget
[python][maybe]
# Network utilities (traceroute, ping, reverse DNS, zone transfer, whois, ip loc, port scan, subnet lookup)
BruteX
[shell][maybe]
# Bruteforce all services
curl -s https://www.ultratools.com/tools/ipWhoisLookupResult\?ipAddress\=$TARGET | grep -A2 label | grep -v input | grep span | cut -d">" -f2 | cut -d"<" -f1 | sed 's/\ \;//g'
wget -q http://www.intodns.com/$TARGET -O $LOOT_DIR/osint/intodns-$TARGET.html
curl -s -L --data "ip=$TARGET" https://2ip.me/en/services/information-service/provider-ip\?a\=act | grep -o -E '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/[0-9]{1,2}'
# subnet retrieval
recon/http
:gau
gospider
ffuf
httpx
dirsearch
feroxbuster
katana
openapi-fuzzer
crawlergo
autoscrape-py
geziyor
jsluice
gobuster
wfuzz
# can use FUZZ keyword in other parts of the URL not just at the end like ffuf
kiterunner
# API routes discovery
goscrape
# download websites to disk
wapiti3
[python][maybe]
whatweb
[ruby][nope]
wig
webtech
wpscan
[ruby]
# Wordpress scan
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2022-33-index?url=*.$TARGET&output=json"
# passive spider
curl -s GET "https://api.hackertarget.com/pagelinks/?q=https://$TARGET" | egrep -v "API count|no links found|input url is invalid|API count|no links found|input url is invalid|error getting links"
recon/dns
:subfinder
[go]
# passive subdomain finder
spyse
: # subdomain finder
spyse -target $TARGET --subdomains
censys
: # subdomain finder
python $PLUGINS_DIR/censys-subdomain-finder/censys_subdomain_finder.py --censys-api-id $CENSYS_APP_ID --censys-api-secret $CENSYS_API_SECRET $TARGET
dnscan
[?][maybe]
# DNS bruteforcer
python3 $PLUGINS_DIR/dnscan/dnscan.py -d $TARGET -w $DOMAINS_QUICK -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-ips-$TARGET.txt
crt.sh
# gather certificate subdomain
curl -s https://crt.sh/?q=%25.$TARGET
github-subdomains
(https://github.com/1N3/AttackSurfaceManagement/blob/master/bin/github-subdomains.py)
urlcrazy
:urlcrazy $TARGET
# dns alterations
shodan
:shodan init $SHODAN_API_KEY
shodan search "hostname:*.$TARGET"
subbrute
:python "$INSTALL_DIR/plugins/massdns/scripts/subbrute.py" $INSTALL_DIR/wordlists/domains-all.txt $TARGET
altdns
:altdns -i /tmp/domain -w $INSTALL_DIR/wordlists/altdns.txt
dnsgen
:dnsgen /tmp/domain
massdns
:massdns -r /usr/share/sniper/plugins/massdns/lists/resolvers.txt $LOOT_DIR/domains/domains-$TARGET-alldns.txt -o S -t A -w $LOOT_DIR/domains/domains-$TARGET-massdns.txt
subover
: # subdomain hijacking
subover -l $LOOT_DIR/domains/domains-$TARGET-full.txt
subjack
: # subdomain hijacking scan
~/go/bin/subjack -w $LOOT_DIR/domains/domains-$TARGET-full.txt -c ~/go/src/github.com/haccer/subjack/fingerprints.json -t $THREADS -timeout 30 -o $LOOT_DIR/nmap/subjack-$TARGET.txt -a -v
curl -fsSL "https://dns.bufferover.run/dns?q=.$TARGET"
curl -s "https://rapiddns.io/subdomain/$TARGET?full=1&down=1#exportData()"
dig $TARGET CNAME | egrep -i "netlify|anima|bitly|wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|modulus|unbounce|uservoice|wpengine|cloudapp"
# CNAME subdomain hijacking
recon/windows
:PSPKIAudit
# audit windows AD misconfigs
pingcastle
# audit AD
mimikatz
recon/cloud
:s3recon
# S3 reckon
slurp
# S3 bucket enumerator
./slurp-linux-amd64 domain --domain $TARGET
# S3 bucket scan
recon/osint
:3klector
# Company ASN information
degoogle
# Google dorks
metagoofil
:python metagoofil.py -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html
# online documents
gitgraber
:python3 gitGraber.py -q "\"org:$ORGANIZATION\""
# github secret grabber
git-vuln-finder
# github vuln finder
goohak
:goohak $TARGET
# google hacking queries
h8mail
:h8mail -q domain --target $TARGET -o $LOOT_DIR/osint/h8mail-$TARGET.csv
# checking compromised credentials
amass
:amass enum -ip -o $LOOT_DIR/domains/domains-$TARGET-amass.txt -rf /usr/share/sniper/plugins/massdns/lists/resolvers.txt -d $TARGET
# dns subdomains
amass intel -whois -d $TARGET
# reverse whois
subfinder -o $LOOT_DIR/domains/domains-$TARGET-subfinder.txt -d $TARGET -nW -rL /sniper/wordlists/resolvers.txt
[python][maybe]
# OSInt tool
curl --insecure -L -s "https://urlscan.io/api/v1/search/?q=domain:$TARGET" 2> /dev/null | egrep "country|server|domain|ip|asn|$TARGET|prt"| sort -u
# note: --insecure disables TLS certificate verification for this request
curl -s "https://api.hunter.io/v2/domain-search?domain=$TARGET&api_key=$HUNTERIO_KEY"
msfconsole -x "use auxiliary/gather/search_email_collector; set DOMAIN $TARGET; run; exit y"
# gather emails via metasploit
php /usr/share/sniper/bin/inurlbr.php --dork "site:$TARGET" -s inurlbr-$TARGET
curl -s https://www.email-format.com/d/$TARGET| grep @$TARGET | grep -v div | sed "s/\t//g" | sed "s/ //g"
dig
:dig $TARGET txt | egrep -i 'spf|DMARC|dkim'
# email
dig iport._domainkey.${TARGET} txt | egrep -i 'spf|DMARC|DKIM'
# email
dig _dmarc.${TARGET} txt | egrep -i 'spf|DMARC|DKIM'
# email
Other interesting tools:
gmapsapiscanner
# Check if API keys work
defparam/smuggler
# HTTP Request Smuggling / Desync testing tool
exploit-searcher
habu
# Attack framework
emba
# Firmware vuln analyzer
Lists
many-passwords
Nuclei templates
Third-party Integrations
References