1. Passive
    1. roots
      1. BugCrowd/h1/intigriti
    2. Acquisitions
      1. https://crunchbase.com/
      2. https://corp.owler.com/
      3. https://acquiredby.co/
      4. Wikipedia
      5. https://tools.whoisxmlapi.com/domain-availability-check
    3. ASN
      1. http://bgp.he.net/
      2. asnlookup.com
      3. http://ipv4info.com/
      4. https://github.com/j3ssie/metabigor
        1. echo "tesla" | metabigor net --org -v
      5. https://github.com/OWASP/Amass
        1. amass intel -org tesla
        2. amass intel -asn 8911,50313,394161
          1. pass the AS numbers without the "AS" prefix
      6. https://github.com/yassineaboukir/Asnlookup
        1. python3 ~/Tools/Asnlookup/asnlookup.py -o shopify
    4. Reverse Whois
      1. whois
      2. Whoxy.com
      3. http://ipv4info.com/
      4. amass : https://github.com/OWASP/Amass
        1. amass intel -whois -d tesla.com
      5. https://github.com/jpf/domain-profiler
        1. ./profile zee.com
          1. alias: profile $1
    5. Ad/Analytics
      1. builtwith.com
      2. whatweb
    6. Reverse DNS
      1. https://securitytrails.com/
      2. https://community.riskiq.com/home
  2. dorking [Manual]
    1. Google-Fu [manual]
      1. https://dorks.faisalahmed.me/#
    2. Github Dorking (manual)
      1. TOOLS
        1. JHaddix sh SCRIPT
          1. https://gist.github.com/jhaddix/1fb7ab2409ab579178d2a79959909b33
        2. github-search
          1. https://github.com/gwen001/github-search
        3. GitMiner
          1. https://github.com/UnkL4b/GitMiner
        4. GitDorker
          1. https://github.com/obheda12/GitDorker
          2. python3 GitDorker.py -t TOKEN -d Dorks/alldorksv3 -q DOMAIN.COM -o DOMAIN.COM.txt
        5. git-hound
          1. https://github.com/ezekg/git-hound
        6. Searching in repos and Orgs
          1. truffleHog
          2. https://github.com/trufflesecurity/truffleHog
          3. git-all-secrets
          4. https://github.com/anshumanbh/git-all-secrets
          5. repo-supervisor
          6. https://github.com/auth0/repo-supervisor
          7. Scan your code for security misconfiguration, search for passwords and secrets.
          8. repo-security-scanner
          9. https://github.com/UKHomeOffice/repo-security-scanner
          10. gitleaks
          11. https://github.com/zricethezav/gitleaks
          12. gittyleaks
          13. https://github.com/kootenpv/gittyleaks
      2. .git repositories available
        1. https://github.com/internetwache/GitTools.git
      3. Dorks
        1. https://github.com/gwen001/github-search/blob/master/dorks.txt
        2. https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt
      4. GitHub Secrets Check
        1. smtper
          1. https://www.smtper.net/
    3. Specialized search engines
      1. Shodan
        1. tools
          1. https://github.com/incogbyte/shosubgo
          2. https://github.com/BullsEye0/shodan-eye
          3. https://github.com/BullsEye0/shodan-eye/blob/master/Shodan_Dorks_The_Internet_of_Sh*t.txt
          4. https://awesomeopensource.com/projects/shodan
          5. https://github.com/evilsocket/xray
          6. https://github.com/random-robbie/My-Shodan-Scripts
          7. https://t.co/BNw6JvTVH9?amp=1
        2. q
          1. http.html:"dev-int.bigcompanycdn.com"
          2. org:"Tesla, Inc."
          3. ssl:"Tesla Motors"
          4. A query with org:"organization name" in Shodan returns only the IPs that belong to the organization. To get all the IPs that belong to the organization plus all the IPs the organization hosts on cloud service providers, use the SSL filter: ssl:"organization name".
        3. resources
          1. https://equatorial-soldier-1bb.notion.site/Hegazy-Group-c7b83ba0e7d540a19db6f55e9884aace
          2. https://github.com/shifa123/shodandorks/blob/master/shodandorks
          3. https://www.youtube.com/results?reload=9&app=desktop&search_query=shodan+dorking+for+bug+bounty
      2. Censys
        1. https://github.com/yamakira/censys-enumeration
        2. https://github.com/appsecco/the-art-of-subdomain-enumeration/blob/master/censys_subdomain_enum.py
      3. ZoomEye
        1. https://www.zoomeye.org/
      4. FOFA
        1. https://fofa.so/
      5. Check List
      6. shodan Notes
  3. Subdomains Enumeration
    1. Tools
      1. Subdomain Scraping
        1. Chaos
          1. chaos -d domain.com -silent >> subdomains.txt
        2. haktrails
          1. https://github.com/hakluke/haktrails
          2. echo "domain.com" | haktrails subdomains
        3. github-subdomains.py
          1. https://github.com/gwen001/github-search/blob/master/github-subdomains.py
          2. python3 github-subdomains.py -t TOKEN -d DOMAIN.COM > c-sub-github.txt
          3. alias:
          4. git-subs $1
        4. Subfinder v2
          1. https://github.com/projectdiscovery/subfinder
          2. subfinder -dL scope -all -silent >> subdomains
          3. subfinder -d domain.com -silent -all
        5. assetfinder
          1. https://github.com/tomnomnom/assetfinder
          2. assetfinder -subs-only domain.com > subdomains-asset
        6. Turbolist3r
          1. https://github.com/fleetcaptain/Turbolist3r
          2. python3 ~/Tools/Turbolist3r/turbolist3r.py -d DOMAIN.COM -b -t 100 -o ~/recon/thesun.co.uk/turbolist3r.txt
        7. Findomain
          1. https://github.com/Findomain/Findomain
          2. findomain -f scope -u find-sub.txt -q
          3. findomain -t domain.com -q
        8. Amass
          1. cheat sheet
          2. https://blog.intigriti.com/2021/06/08/hacker-tools-amass-hunting-for-subdomains/?cn-reloaded=1
          3. commands
          4. amass track -d owasp.org
          5. amass intel -org "google"
          6. amass enum -df domains.txt
          7. amass enum -brute -d twitch.tv -rf resolvers.txt -w bruteforce.list
        9. Sudomy
          1. https://github.com/screetsec/Sudomy
          2. ~/Tools/Sudomy/./sudomy -o ~/recon/thesun.co.uk/sudomy -d thesun.co.uk
        10. Favicon Analysis
          1. https://github.com/devanshbatham/FavFreak
          2. https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/favihash.py
      2. DNS Resolving
        1. Tools
          1. https://rapiddns.io/
          2. https://github.com/projectdiscovery/shuffledns
          3. https://github.com/infosec-au/altdns
          4. https://github.com/projectdiscovery/dnsx
          5. https://github.com/d3mondev/puredns
          6. https://github.com/blark/aiodnsbrute
          7. https://github.com/evilsocket/dnssearch
        2. Subdomain Bruting Lists
          1. https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
          2. https://github.com/assetnote/commonspeak2
          3. https://book.hacktricks.xyz/external-recon-methodology#dns-brute-force-v2
      3. Monitor subdomains
        1. sublert
          1. https://github.com/yassineaboukir/sublert/blob/master/sublert.py
    2. Vhost & s3 & cloud
      1. Vhost
        1. https://github.com/SpiderLabs/HostHunter
      2. s3
        1. https://github.com/nahamsec/lazys3
      3. cloud
        1. https://github.com/initstring/cloud_enum
          1. python3 cloud_enum.py -k meraki.com -k ikarem.io
    3. Unfiltered subdomains.txt
      1. httpx
        1. Filtered subdomains.txt
  4. URLS & js
    1. Urls
      1. https://github.com/bp0lr/gauplus
      2. https://github.com/tomnomnom/waybackurls
      3. https://github.com/hakluke/hakrawler
      4. URO TOOL
        1. https://github.com/s0md3v/uro
    2. js
      1. Auto - JSFscan
        1. https://github.com/KathanP19/JSFScan.sh
          1. bash ~/Tools/JSFScan/./JSFScan.sh -l ../../subdomains/live_subdomains.txt --all -r -o jsfscan_output
    3. gf
  5. screenshots
    1. aquatone
      1. https://github.com/michenriksen/aquatone
        1. cat ../subdomains/live_subdomains.txt | aquatone
  6. Port Analysis
    1. Tools
      1. masscan
        1. https://danielmiessler.com/study/masscan/
      2. nmap
      3. naabu
        1. https://github.com/projectdiscovery/naabu
    2. scan services
      1. https://github.com/x90skysn3k/brutespray
  7. auto scanner
    1. nuclei
      1. https://github.com/projectdiscovery/nuclei
    2. jaeles
      1. https://github.com/jaeles-project/jaeles