How about some quick recon using only tools by @pdiscoveryio?
🧵👇
#bugbounty #recon #bugbountytips
1. Enumerate subdomains using subfinder
subfinder -silent -d target.com > lists.txt
2. Resolve the subdomains to their A records using dnsx (-resp-only prints just the IPs, not the names; lists.txt from step 1 can also be fed in with -l instead of re-running subfinder)
subfinder -silent -d target.com | dnsx -silent -a -resp-only > ips.txt
3. Look up the ASN each host sits in using httpx -asn (handy for telling cloud/CDN ranges apart from self-hosted ones)
subfinder -d target.com -silent | httpx -asn
4. Probe the subdomain list with httpx to get the URLs that answer with a web server
cat lists.txt | httpx > alive.txt
5. Port scan using naabu. Feed it hostnames or IPs (lists.txt or ips.txt), not the scheme-prefixed URLs in alive.txt, and add -p - for the full port range; by default naabu only scans the top 100 ports
naabu -list lists.txt -p -
6. Run nuclei on the interesting endpoints (interesting.txt is the subset of alive.txt you picked out by hand; none of the steps above writes it)
nuclei -list interesting.txt
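The six steps chained into one script, added here as an example and not part of the original thread. It assumes subfinder, dnsx, httpx, naabu and nuclei are on PATH and that you are authorized to test the domain you pass in; the output directory layout and the require_tools/urls_to_hosts helpers are my own choices. The one thing it adds beyond the thread is the urls_to_hosts step: httpx emits URLs (scheme, optional port, path) while naabu wants bare hosts, so the script strips them down before the port scan.

```shell
#!/usr/bin/env sh
# Added example (not from the original thread): the six pdiscovery steps as one script.
# Assumes subfinder, dnsx, httpx, naabu and nuclei are on PATH, and that you are
# authorized to test the domain you pass in. Output dir and helper names are mine.

# Check every tool is present before touching the network.
require_tools() {
    for t in subfinder dnsx httpx naabu nuclei; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}

# httpx prints URLs (https://app.target.com:8443/login); naabu wants bare hosts.
# Strip scheme, then path, then port, and dedupe. Pure sed/sort, so it runs offline.
urls_to_hosts() {
    sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' \
        -e 's#/.*$##' \
        -e 's#:[0-9]*$##' | sort -u
}

# recon <domain> [outdir]: runs steps 1-6 and leaves one file per step in outdir.
recon() {
    domain=$1
    out=${2:-recon-$domain}
    require_tools || return 1
    mkdir -p "$out"

    # 1. subdomain enumeration
    subfinder -silent -d "$domain" > "$out/lists.txt"

    # 2. A records for those subdomains (-resp-only prints just the IPs)
    dnsx -silent -a -resp-only -l "$out/lists.txt" > "$out/ips.txt"

    # 3. ASN of each host, kept separately from the alive list
    httpx -silent -l "$out/lists.txt" -asn > "$out/asn.txt"

    # 4. hosts that answer with a web server, as URLs
    httpx -silent -l "$out/lists.txt" > "$out/alive.txt"

    # 5. port scan: naabu gets hostnames, not URLs; -p - means all 65535 ports
    urls_to_hosts < "$out/alive.txt" > "$out/hosts.txt"
    naabu -silent -list "$out/hosts.txt" -p - > "$out/ports.txt"

    # 6. nuclei against the live web servers (swap in a hand-picked interesting.txt if you prefer)
    nuclei -silent -l "$out/alive.txt" -o "$out/nuclei.txt"
}

# Only run the workflow when a domain is given on the command line.
if [ $# -ge 1 ]; then
    recon "$@"
fi
```

Usage: sh recon.sh target.com, then read recon-target.com/alive.txt and ports.txt to decide what goes into interesting.txt for a more targeted nuclei run.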
These are some of the things I would like to do initially when testing a target.
What more would you like to include in the workflow?
PS: Strictly using tools only from @pdiscoveryio
That's a wrap!
If you enjoyed this thread:
1. Follow me @thebinarybot for more of these
2. RT the tweet below to share this thread with your audience