Scanning and Recon
These tools will scan web applications for vulnerabilities and misconfigurations, remember that they will cause a lot of traffic making lots of requests.
NOTE: This is not an exhaustive list.
Vulnerability scanners
To quickly cover a lot ground it's a good idea to scan your target using vulnerability scanners as they might be able to discover a vulnerability or misconfiguration that you can't find. To avoid WAFs make sure to use a list of random user-agent strings and a residential proxy list if possible and maybe encode some payloads.
- https://github.com/pry0cc/axiom. Twitter Thread
- https://github.com/six2dez/reconftw. Free scan config (no API)
- https://github.com/lanmaster53/recon-ng
- https://github.com/Dionach/CMSmap
- https://github.com/edoardottt/cariddi
- https://github.com/jaeles-project/jaeles
- https://github.com/1N3/Sn1per
- https://github.com/projectdiscovery/nuclei
- https://github.com/wpscanteam/wpscan [Free and paid]
- https://github.com/OWASP/joomscan
- https://www.zaproxy.org
- https://github.com/fgeek/pyfiscan
- https://github.com/immunIT/drupwn
- https://github.com/rapid7/metasploit-framework
- https://github.com/Tuhinshubhra/RED_HAWK
- https://github.com/root-tanishq/userefuzz
- https://sourceforge.net/projects/grendel
- https://github.com/greenbone/openvas-scanner
- https://wapiti.sourceforge.io
- http://w3af.org
- https://nmap.org/book/man-nse.html
- https://github.com/osmedeus/osmedeus-base [Free and Paid]
- https://github.com/v3n0m-Scanner/V3n0M-Scanner
- https://github.com/yogeshojha/rengine
- https://github.com/streaak/keyhacks
- https://github.com/tomnomnom/waybackurls
Subdomain enumeration
You can also try ./reconftw.sh -d nasa.gov -s
for a more comprehensive subdomain enumeration.
Content discovery
- https://www.cirt.net/nikto2
- https://github.com/epi052/feroxbuster
- https://github.com/OJ/gobuster
- https://github.com/ffuf/ffuf
Word Lists
- https://wordlists.assetnote.io
- https://github.com/danielmiessler/SecLists
- https://github.com/ameenmaali/wordlistgen
Port scanners
When performing a port scan pay special attention to non-standard ports.
- https://github.com/nmap/nmap
- https://github.com/projectdiscovery/naabu
- https://github.com/robertdavidgraham/masscan
- https://github.com/zmap/zmap
- https://github.com/RustScan/RustScan
Technology scanners
NOTE: using browser add-ons will change your browser fingerprint and reduce anonymity.
When performing a penetration test we will want to know what technology is running on the target and what version it's running as so that later we can start looking for possible working public exploits.
- https://www.wappalyzer.com
- https://www.whatruns.com
- https://github.com/urbanadventurer/whatweb
- https://github.com/praetorian-inc/fingerprintx
Web Crawlers
- https://github.com/jaeles-project/gospider
- https://github.com/hakluke/hakrawler
- https://www.zaproxy.org
ASN scanners
- Map out an organizations network ranges using ASN information: https://github.com/projectdiscovery/asnmap
Google hacking
- https://github.com/Proviesec/google-dorks
- https://www.exploit-db.com/google-hacking-database
- https://dorksearch.com