Scanning and Recon: Difference between revisions
Revision as of 20:15, 19 April 2023
These tools will scan web applications for vulnerabilities and misconfigurations. Remember that they generate a lot of traffic, since they make many requests, so they are noisy and easy to spot.
NOTE: This is not an exhaustive list.
Vulnerability scanners
To quickly cover a lot of ground it's a good idea to scan your target with vulnerability scanners, as they may discover a vulnerability or misconfiguration that you would not find by hand. To get past WAFs, use a list of random User-Agent strings, a residential proxy list if possible, and consider encoding some payloads.
- https://github.com/pry0cc/axiom. Twitter Thread
- https://github.com/six2dez/reconftw. Free scan config (no API)
- https://github.com/lanmaster53/recon-ng
- https://github.com/Dionach/CMSmap
- https://github.com/edoardottt/cariddi
- https://github.com/jaeles-project/jaeles
- https://github.com/1N3/Sn1per
- https://github.com/projectdiscovery/nuclei
- https://github.com/wpscanteam/wpscan [Free and paid]
- https://github.com/OWASP/joomscan
- https://www.zaproxy.org
- https://github.com/fgeek/pyfiscan
- https://github.com/immunIT/drupwn
- https://github.com/rapid7/metasploit-framework
- https://github.com/Tuhinshubhra/RED_HAWK
- https://github.com/root-tanishq/userefuzz
- https://sourceforge.net/projects/grendel
- https://github.com/greenbone/openvas-scanner
- https://wapiti.sourceforge.io
- http://w3af.org
- https://nmap.org/book/man-nse.html
- https://github.com/osmedeus/osmedeus-base [Free and Paid]
- https://github.com/v3n0m-Scanner/V3n0M-Scanner
- https://github.com/yogeshojha/rengine
- https://github.com/streaak/keyhacks
- https://github.com/tomnomnom/waybackurls
- Metabigor is an intelligence tool whose goal is to do OSINT tasks and more without needing any API key: https://github.com/j3ssie/Metabigor
Subdomain enumeration
You can also try ./reconftw.sh -d nasa.gov -s for a more comprehensive subdomain enumeration.
- https://github.com/projectdiscovery/subfinder
- Subdomain enumeration dork: site:*.nasa.gov
- https://github.com/projectdiscovery/shuffledns
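Brute-forced subdomains need one check before you trust them: a zone with a wildcard record answers every name, so a naive run reports the whole wordlist as hits. The following is an added example (not code from subfinder, shuffledns or reconftw) of the filter that shuffledns-style tools apply: resolve a few random labels first, remember what they return, and drop candidates whose answers are only the wildcard's. The resolver is injected, and the zone, records and addresses (TEST-NET-3) are constructed so the example runs offline.

```python
"""Wildcard-aware subdomain bruteforce (added example, not shuffledns code)."""
import secrets
from typing import Callable, Dict, FrozenSet, List, Set

# resolve(name) -> set of A records; an empty set means NXDOMAIN / no answer
Resolver = Callable[[str], FrozenSet[str]]


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> FrozenSet[str]:
    """Return the address set a wildcard hands out, or an empty set if there is none.

    Several random labels are tried because wildcard answers can be
    round-robined across more than one address.
    """
    answers: Set[str] = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 random hex chars: nobody registers this
        answers |= resolve(f"{label}.{domain}")
    return frozenset(answers)


def bruteforce(domain: str, words: List[str], resolve: Resolver) -> Dict[str, FrozenSet[str]]:
    """Resolve word.domain for every word, filtering out wildcard noise."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, FrozenSet[str]] = {}
    for word in words:
        name = f"{word}.{domain}"
        ips = resolve(name)
        if not ips:
            continue
        # Only the wildcard's addresses came back: not a real record.
        # Caveat: a real host parked on the wildcard address is dropped too.
        if wildcard_ips and ips <= wildcard_ips:
            continue
        found[name] = ips
    return found


# --- constructed data for an offline run (hypothetical zone, TEST-NET-3 addresses) ---
RECORDS = {
    "www.example.com": frozenset({"203.0.113.10"}),
    "mail.example.com": frozenset({"203.0.113.25"}),
    "www.nowildcard.test": frozenset({"203.0.113.50"}),
}
WILDCARD = {"example.com": frozenset({"203.0.113.99"})}  # behaves like *.example.com
WORDLIST = ["www", "mail", "dev", "staging", "vpn", "api"]


def fake_resolve(name: str) -> FrozenSet[str]:
    """Stand-in for DNS: explicit records first, then any matching wildcard."""
    if name in RECORDS:
        return RECORDS[name]
    for zone, ips in WILDCARD.items():
        if name.endswith("." + zone):
            return ips
    return frozenset()


if __name__ == "__main__":
    print("wildcard answers:", sorted(detect_wildcard("example.com", fake_resolve)))
    for hit, ips in bruteforce("example.com", WORDLIST, fake_resolve).items():
        print(hit, sorted(ips))
```

Against the constructed zone, dev/staging/vpn/api all "resolve" but are discarded because they only return the wildcard address, leaving www and mail. In a real run, replace fake_resolve with a function that queries your resolver list, and keep the caveat in mind: a genuine host that shares the wildcard's address is filtered along with the noise, so compare HTTP responses for names you care about rather than relying on DNS alone.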
Content discovery
- https://www.cirt.net/nikto2
- https://github.com/epi052/feroxbuster
- https://github.com/OJ/gobuster
- https://github.com/ffuf/ffuf
- https://github.com/maurosoria/dirsearch
Word Lists
Word lists are used in content discovery (directory bruteforcing), in subdomain bruteforcing and in password attacks.
- https://wordlists.assetnote.io
- https://github.com/danielmiessler/SecLists
- https://github.com/ameenmaali/wordlistgen
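A generic list is a starting point, but the best words for a target come from the target itself. Here is an added example in the spirit of wordlistgen (it is not that project's code): feed it URLs collected by waybackurls, gospider or hakrawler and it extracts directory names, file names, extensions and query-parameter names into separate lists. The sample URLs and the hypothetical host app.example.com are constructed for the example.

```python
"""Generate a target-specific wordlist from crawled/archived URLs (added example)."""
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qsl, urlsplit

NUMERIC = re.compile(r"^\d+$")  # record IDs and years are noise in a wordlist

# constructed sample, shaped like waybackurls output for a hypothetical host
SAMPLE_URLS = [
    "https://app.example.com/api/v2/users/123/profile?format=json&debug=1",
    "https://app.example.com/admin/login.php?redirect=%2Fadmin%2Fdashboard",
    "https://app.example.com/static/js/app.min.js?v=20230301",
    "https://app.example.com/uploads/2022/report_final.PDF",
    "http://app.example.com/api/v2/users/456?fields=email,phone",
    "https://app.example.com/admin/../admin/users.php",
    "https://app.example.com/",
]


def wordlist_from_urls(urls: Iterable[str]) -> Dict[str, List[str]]:
    """Return sorted, de-duplicated words grouped by how you would fuzz with them."""
    paths, files, exts, params = set(), set(), set(), set()
    for url in urls:
        parts = urlsplit(url.strip())
        # query-parameter names are useful even when the path is just "/"
        for key, _ in parse_qsl(parts.query, keep_blank_values=True):
            params.add(key)
        segments = [s for s in parts.path.split("/") if s and s not in (".", "..")]
        if not segments:
            continue
        *dirs, last = segments
        paths.update(d for d in dirs if not NUMERIC.match(d))
        # A last segment with an extension is a file; otherwise it is another directory.
        if "." in last and not last.startswith("."):
            files.add(last)
            exts.add(last.rsplit(".", 1)[1].lower())
        elif not NUMERIC.match(last):
            paths.add(last)
    return {
        "paths": sorted(paths),
        "files": sorted(files),
        "extensions": sorted(exts),
        "params": sorted(params),
    }


if __name__ == "__main__":
    for kind, words in wordlist_from_urls(SAMPLE_URLS).items():
        print(f"# {kind}")
        print("\n".join(words))
```

Write each list to its own file: "paths" and "files" go into ffuf or feroxbuster as the FUZZ wordlist, "extensions" into the -e/-x style option of your brute-forcer, and "params" into parameter discovery. Pipe the output of waybackurls for the target in place of SAMPLE_URLS.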
Port scanners
When performing a port scan pay special attention to non-standard ports.
- https://github.com/nmap/nmap
- https://github.com/projectdiscovery/naabu
- https://github.com/robertdavidgraham/masscan
- https://github.com/zmap/zmap
- https://github.com/RustScan/RustScan
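Picking the non-standard ports out of a large scan by eye does not scale, so here is an added example (not part of nmap or naabu) that parses nmap's grepable output (-oG) and flags open ports that are either unusual or carry a service other than the one normally found there, such as SSH on 2222 or a database listener on 33060. The expected-service table covers only a handful of common ports and the scan output is a constructed sample in -oG layout.

```python
"""Parse nmap -oG output and flag non-standard ports (added example)."""
import re
from typing import Dict, List, Set

# Ports whose usual service we recognise; anything open elsewhere gets flagged.
# Service names are nmap's; "ssl|https" is how -oG writes "ssl/https".
EXPECTED: Dict[int, Set[str]] = {
    21: {"ftp"}, 22: {"ssh"}, 25: {"smtp"}, 53: {"domain"}, 80: {"http"},
    110: {"pop3"}, 143: {"imap"}, 443: {"https", "ssl|http", "ssl|https"},
    445: {"microsoft-ds"}, 3306: {"mysql"}, 3389: {"ms-wbt-server"},
    5432: {"postgresql"}, 8080: {"http", "http-proxy"},
    8443: {"https", "https-alt", "ssl|http", "ssl|https"},
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

# constructed sample in nmap -oG layout (fields are tab-separated)
SAMPLE_GNMAP = (
    "# Nmap 7.93 scan initiated Wed Apr 19 20:00:00 2023 as: nmap -sV -oG scan.gnmap 10.0.0.0/29\n"
    "Host: 10.0.0.5 (web01.example.com)\tStatus: Up\n"
    "Host: 10.0.0.5 (web01.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, "
    "80/open/tcp//http//nginx 1.18.0/, 2222/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "8443/open/tcp//ssl|https//Apache httpd 2.4.49/\tIgnored State: closed (996)\n"
    "Host: 10.0.0.6 (db01.example.com)\tPorts: 25/filtered/tcp//smtp///, "
    "33060/open/tcp//mysqlx//MySQL 8.0.31/\tIgnored State: closed (998)\n"
    "# Nmap done at Wed Apr 19 20:03:12 2023 -- 8 IP addresses (2 hosts up) scanned\n"
)


def parse_grepable(text: str) -> List[dict]:
    """One record per port entry: host, hostname, port, state, proto, service, version."""
    records: List[dict] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if not match or ports_field is None:
            continue  # "Status: Up" lines carry no ports
        host, hostname = match.group(1), match.group(2)
        for entry in ports_field[len("Ports: "):].split(", "):
            # layout: port/state/proto/owner/service/rpc/version/ (trailing slash)
            port, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
            records.append({"host": host, "hostname": hostname, "port": int(port),
                            "state": state, "proto": proto, "service": service,
                            "version": version})
    return records


def flag_nonstandard(records: List[dict]) -> List[dict]:
    """Open ports that are unusual, or that carry a service other than the usual one."""
    flagged: List[dict] = []
    for r in records:
        if r["state"] != "open":
            continue
        usual = EXPECTED.get(r["port"])
        if usual is None:
            reason = "unusual port"
        elif r["service"] not in usual:
            reason = f"expected {'/'.join(sorted(usual))}, got {r['service']}"
        else:
            continue
        flagged.append({**r, "reason": reason})
    return flagged


if __name__ == "__main__":
    for f in flag_nonstandard(parse_grepable(SAMPLE_GNMAP)):
        print(f"{f['host']}:{f['port']}/{f['proto']} {f['service']} {f['version']} -> {f['reason']}")
```

Run the real scan with nmap -sV -oG, then point parse_grepable at the file; the flagged list is where to start version-hunting, since the old OpenSSH on 2222 and the mysqlx listener are exactly what a port-80/443-only look would miss. Extend EXPECTED with whatever is normal in the environment you are testing so the flagged list stays short.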
Technology scanners
When performing a penetration test you want to know which technologies the target runs and which versions, so that later you can look for working public exploits.
NOTE: using browser add-ons will change your browser fingerprint and reduce anonymity.
- https://www.wappalyzer.com
- https://www.whatruns.com
- https://github.com/urbanadventurer/whatweb
- https://github.com/praetorian-inc/fingerprintx
- https://github.com/rverton/webanalyze
Web Crawlers
- https://github.com/jaeles-project/gospider
- https://github.com/hakluke/hakrawler
- https://www.zaproxy.org
ASN scanners
- Map out an organization's network ranges using ASN information: https://github.com/projectdiscovery/asnmap
- https://github.com/banviktor/asnlookup
- amass intel -asn AS21556
- echo 'nasa' | metabigor net --org -v
- echo 'AS21556' | metabigor net --asn -v
Google hacking
- https://github.com/Proviesec/google-dorks
- https://www.exploit-db.com/google-hacking-database
- https://dorksearch.com