Books

1. The web application hacker's handbook
2. owasp testing guide
3. web hacking 101
4. breaking into infromation security
5. mastering mordern web peneteration testing

Recon

• ASN's(autonomous system numbers) - (ip ranges , keyword searches)

• ARIN & RIPE - arin ripe whoislookups all

• Rev whois - rev

• shodan - shodan

• we cannot miss out on burp

• domlink domlink

• builtwith - they also has a browser plugin it tells about stack that site is bult on and analytics

  Subdomain scraping enumeration

  • google dorks
  • robtex
  • waybackmachine
  • sublist3r
  • Amass
  • subfinder
  • Cloudflare Enumeration Tool

  subdomain bruteforcing

  • massdns

    ex: .subbrute.py /root/work/bin/all.txt $TARGET.com | ./bin/massdns -r resolvers.txt -t A -a -o -w massdns_output.txt -

  • gobuster

    ex gobuster -m dns -u $TARGET.com -t 100 -w all.txt

  • best dictonary file : all.txt

  • scans.io

  • commonspeak

  Enumeration

  • masscan

    ex: masscan -p1-65535 -iL $TARGET_LIST --max-rate 10000 -oG $TARGET_OUTPUT

  • nmap

  • brutespray

    masscan output => map services scan -oG => brutespray credential bruteforcing.

    ex: python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5

  • Eyewitness

  • waybackursls enumeration using wayback

Keeping track of all this

  Xmind organization

Identification and cve searching

• buldwith
• retire.js
• burp-vulners-scanner
• wappanalyzer

Parsing Heavy javascript sites

• zap Ajax spider - owasp zap
• [Linkfinder]
• [jsparser]

Content Discovery

• Gobuster
• Burp content discovery
• Robots disallowed
• wpscan
• Seclists / RAFT / Digger wordlists
• cmsmap
• custom wordlist

XSS

• blind xss frameworks
  • bXSS
  • ezXSS
  • XSS hunter
  • KnoXSS
  • Sleepy Puppy
• XSS polyglot *
• XSS Mindmap

SSRF

• for testing in cloud https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b

Subdomain Takeover info

Work in progress..