Subdomain search

gobuster vhost -u timing.htb -w ~/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 50
dnsenum --noreverse company.com

dnsmap company.com

findomain -qt hackerone.com | unimap --fast-scan --stdin --url-output | fhc

subfinder -d ups.com -all -silent | waybackurls | gf redirect | qsreplace 'http://example.com' | httpx -fr -title -match-string 'Example Domain'

Subdomain Finder

sudo apt install subfinder
git clone https://github.com/pwnesia/dnstake; cd dnstake/cmd/dnstake; sudo apt install golang; go build .; mv cmd dnstake; sudo mv dnstake /usr/local/bin; chmod +x /usr/local/bin/dnstake;

subfinder -silent -d company.kz | dnstake

SSL Info

curl "https://crt.sh/?output=json&Identity=company.kz" | jq

sslscan https://web2.company.kz

WAF Bypass

nemesida-waf/waf-bypass

IIS Local IP Disclosure

curl -v -I --http1.0 https://pm.company.kz/ -H 'Host:'

SNMP

#BLUTO

Docker Enumeration

<https://github.com/stealthcopter/deepce>

wget https://github.com/stealthcopter/deepce/raw/main/deepce.sh
curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh -o deepce.sh
# Or using python requests
python -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content)' > deepce.sh
python3 -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content.decode("utf-8"))' > deepce.sh

LINUX