Scanning and Recon
These tools scan web applications for vulnerabilities and misconfigurations. Remember that they generate a lot of traffic by making many requests.
NOTE: This is not an exhaustive list.
WAF detect
Your target may have a web application firewall (WAF) which might try to prevent scanning, exploitation and other security tests. It's important that we can identify which WAF is in place so we can try to bypass it. Some targets might be vulnerable and an exploit would normally work, but the WAF prevents the exploit from popping the box. You can try encoding the payload (Burp Suite is good for this), among other things, to bypass the WAF.
- Blog: https://labs.detectify.com/2022/05/09/discovering-the-origin-host-to-bypass-waf
- Blog: https://blog.yeswehack.com/yeswerhackers/web-application-firewall-bypass
- https://github.com/EnableSecurity/wafw00f
- https://github.com/Ekultek/WhatWaf
- https://github.com/0xInfection/Awesome-WAF
- https://github.com/projectdiscovery/nuclei-templates/blob/master/technologies/waf-detect.yaml
Vulnerability scanners
To quickly cover a lot of ground it's a good idea to scan your target using vulnerability scanners, as they might discover a vulnerability or misconfiguration that you can't find by hand. To avoid WAFs, make sure to use a list of random user-agent strings and, if possible, a residential proxy list, and maybe encode some payloads.
- Axiom distributes the load of your scanning tools across multiple servers. https://github.com/pry0cc/axiom | Twitter Thread
- A fully automated recon tool (it's great as a tool installer on a fresh VPS): https://github.com/six2dez/reconftw | Free scan config (no API)
- Nuclei offers scanning for a variety of protocols; its powerful and flexible templating can be used to perform all kinds of security checks against a target: https://github.com/projectdiscovery/nuclei | The Ultimate Guide to Finding Bugs With Nuclei
- Use Osmedeus to build your own reconnaissance system (great for scanning large numbers of target hosts): https://github.com/osmedeus/osmedeus-base [Free and Paid]
- CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSs: https://github.com/Tuhinshubhra/CMSeeK
- The Swiss Army knife for automated Web Application Testing: https://github.com/jaeles-project/jaeles | Jaeles Scanner
- Attack Surface Management Platform, used to discover hidden assets and vulnerabilities: https://github.com/1N3/Sn1per
- Enumerate subdomains and vulnerability scan them:
subfinder -d nasa.gov -silent | httpx -silent | nuclei -silent -s critical,high,medium,low -o vulns.txt
- WordPress CMS specific vulnerability scanner: https://github.com/wpscanteam/wpscan | WPScan Documentation [Free and paid]
- Joomla CMS specific vulnerability scanner: https://github.com/OWASP/joomscan
- Drupal CMS specific vulnerability scanner: https://github.com/immunIT/drupwn
- Watch the Catalan police union hack to learn how to use ZAP to discover vulnerabilities: https://www.zaproxy.org
- Pyfiscan is a web application vulnerability and version scanner which can be used to locate outdated versions of common web applications: https://github.com/fgeek/pyfiscan
- https://github.com/rapid7/metasploit-framework | Metasploit - Cheatsheet
- User-Agent, X-Forwarded-For and Referer SQLi fuzzer: https://github.com/root-tanishq/userefuzz
- The Nmap Scripting Engine (NSE) can be used to perform version detection, network discovery and vulnerability scanning/exploitation: https://nmap.org/book/man-nse.html | Nmap Scripting Engine | Scripts
- Scan for SQLi/XSS/LFI/RFI and other common vulnerabilities: https://github.com/v3n0m-Scanner/V3n0M-Scanner
- Quickly discover the attack surface and identify vulnerabilities: https://github.com/yogeshojha/rengine
Subdomain enumeration
Enumerate your target's top level domain (TLD) as part of your recon to identify entry points in your target's infrastructure. Pay special attention to interesting subdomains such as test, dev, backup, etc. Your target's subdomains may also be running out-of-date software, may not sit behind the WAF that protects the main page, may have less authentication than they should (or none), and may have more vulnerabilities than the TLD itself.
- https://github.com/OWASP/Amass
- https://github.com/aboul3la/Sublist3r
- You can also try reconftw for a more comprehensive subdomain enumeration using different tools and techniques:
./reconftw.sh -d nasa.gov -s
- https://github.com/projectdiscovery/subfinder
- Subdomain enumeration dork:
site:.nasa.gov
- https://github.com/projectdiscovery/shuffledns
- https://github.com/projectdiscovery/dnsx
- https://github.com/infosec-au/altdns
- https://github.com/resyncgg/ripgen
Subdomain takeover
A subdomain takeover allows us to gain control over a misconfigured or abandoned subdomain. This is done by exploiting vulnerabilities in DNS settings, expired or deleted services, or incomplete migrations. Once control is established, we can employ social engineering tactics such as phishing, for example by hosting phishing pages on legitimate company subdomains that employees already trust.
- https://github.com/EdOverflow/can-i-take-over-xyz
- https://github.com/Ice3man543/SubOver
- https://github.com/projectdiscovery/nuclei-templates/tree/main/http/takeovers
- https://www.hackerone.com/application-security/guide-subdomain-takeovers
Subdomain monitoring
Monitor your target for new subdomains as they appear. Developers sometimes create new, temporary subdomains for testing and development; get notified whenever this happens. You can also add vulnerability scanners such as nuclei to the bash script below to automate some security testing.
- https://github.com/projectdiscovery/subfinder
- https://github.com/tomnomnom/anew
- https://github.com/projectdiscovery/notify
while true; do subfinder -silent -dL domains.txt -all | anew subdomains.txt | notify; sleep 3600; done
Content discovery
Find endpoints, URLs, parameters, resources and much more with content discovery.
- https://github.com/praetorian-inc/fingerprintx
- https://github.com/projectdiscovery/httpx
- https://github.com/tomnomnom/waybackurls
- Find AWS S3 buckets and test their permissions: https://github.com/gwen001/s3-buckets-finder
- Scan for open S3 buckets and dump the contents: https://github.com/sa7mon/S3Scanner
- Chrome extension that lists Amazon S3 Buckets while browsing: https://github.com/AlecBlance/S3BucketList
Fuzzing
- https://github.com/sullo/nikto
- https://github.com/epi052/feroxbuster
- https://github.com/OJ/gobuster
- https://github.com/ffuf/ffuf
- https://github.com/maurosoria/dirsearch
Word Lists
Word lists are used in content discovery when brute-forcing directories and subdomains.
- All the best word lists for different tools and content discovery goals: https://wordlists.assetnote.io
- Repository of many different kinds of word lists: https://github.com/danielmiessler/SecLists
- Quickly generate context-specific wordlists for content discovery from lists of URLs or paths: https://github.com/ameenmaali/wordlistgen
- Content discovery URLs and files word list: https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10
- File and directory discovery word list: https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
- Subdomain enumeration word list: https://gist.github.com/jhaddix/f64c97d0863a78454e44c2f7119c2a6a
Port scanners
When performing a port scan, pay special attention to non-standard ports.
- https://github.com/nmap/nmap
- https://github.com/projectdiscovery/naabu
- https://github.com/robertdavidgraham/masscan
- https://github.com/zmap/zmap
- https://github.com/RustScan/RustScan
Technology scanners
NOTE: using browser add-ons will change your browser fingerprint and reduce anonymity.
When performing a penetration test we want to know what technology is running on the target and which version it is running, so that later we can start looking for working public exploits.
- https://www.wappalyzer.com
- https://www.whatruns.com
- https://builtwith.com
- https://github.com/urbanadventurer/whatweb
- https://github.com/rverton/webanalyze
subfinder -d nasa.gov -silent | httpx -silent | nuclei -t technologies -silent
Web Crawlers
Crawl a website, extract all URL endpoints and save them for further analysis.
- https://github.com/projectdiscovery/katana
- https://github.com/jaeles-project/gospider
- https://github.com/hakluke/hakrawler
- https://www.zaproxy.org
- https://github.com/edoardottt/cariddi
ASN scanners
Map out an organization's network ranges using ASN information.
- https://github.com/projectdiscovery/asnmap
- https://github.com/banviktor/asnlookup
amass intel -asn AS21556
echo 'nasa' | metabigor net --org -v
echo 'AS21556' | metabigor net --asn -v
Google hacking
- (Book) Google Hacking for Penetration Testers 3rd Edition
- https://github.com/Proviesec/google-dorks
- https://www.exploit-db.com/google-hacking-database
- https://dorksearch.com
Intercepting proxies
Exploitation
For automatic exploit tools and payloads, see exploitation.