Enumeration

Finding Subdomains with Assetfinder

go get -u github.com/tomnomnom/assetfinder
assetfinder tesla.com >> tesla-subs.txt

Finding Subdomains with Amass

export GO111MODULE=on

go get -v github.com/OWASP/Amass/v3/...

amass enum -d tesla.com

Finding Subdomains with WFuzz

sudo wfuzz -c -f sub-fighter -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://10.10.10.197/' -H "Host: FUZZ.sneakycorp.htb" --hw 290

Finding Subdomains with Gobuster

gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://

Finding Subdomains with ffuf

ffuf -w /usr/share/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.181.76 -fs 2395

-fs ignores results with that size must be run before without this flag

Finding Alive Domains with Httprobe

go get -u github.com/tomnomnom/httprobe

Sort domains and find out which are alive.

Enumerating HTTP/HTTPS

GoBuster

gobuster dir -u http://IP -w wordlist -o gobuster.log -t 50
-x for extension (-x php)
-c for cookie ( -c 'PHPSESSID=3852937265978')

-s 302,307...403 to add status codes -x sh,pl to add file extensions -k to ignore ssl certificate e.g.(with extensions)

gobuster dir -u http://dev.holo.live -w /usr/share/wordlists/dirb/big.txt -x php,html,htm,txt,bak,zip,~

Wordlists

Better one
/opt/SecLists/Discovery/Web-Content/raft-small-words.txt

/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/share/wordlists/dirb/small

Nikto

nikto -host IP -port PORT

Dirb

dirb http://IP wordlist

WPScan

wpscan -u "url" --disable-tls-checks
wpscan --url http://IP/wp -e ap,t,u --log wpscan.out

--enumerate p,t,u option to enumerate plugins, themes, and users

For brute forcing a user
wpscan --url http://10.10.212.130:80/blog -e p,t,u --usernames admin --passwords /usr/share/wordlists/rockyou.txt --max-threads 50

Multiple users
wpscan -U users.txt -P /usr/share/wordlists/fasttrack.txt --url URL

Fuzzing parameters with FFuf

ffuf -u "http://url/?FUZZ=id;whoami||ls" -w /usr/seclist/discovery/web-content/burp-parameter-names.txt -fs 5829

ffuf -u "http://url/?FUZZ=/etc/passwd" -w /usr/seclist/discovery/web-content/burp-parameter-names.txt -fs 5829

User enumeration with FFuf

ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/signup -mr "username already exists"

DNS

dig axfr @10.10.10.13 cronos.htb
nslookup
>server 10.10.10.13
>cronos.htb

Scripts that merge these tools

The cyber mentor script

https://pastebin.com/MhE6zXVt