Subdomain Enumeration passive/active

Passive Subdomain Enumeration

| Resource/Command | Description |
| --- | --- |
| VirusTotal | https://www.virustotal.com/gui/home/url |
| Censys | https://censys.io/ |
| Crt.sh | https://crt.sh/ |
| `curl -s https://sonar.omnisint.io/subdomains/{domain} \| jq -r '.[]' \| sort -u` | All subdomains for a given domain. |
| `curl -s https://sonar.omnisint.io/tlds/{domain} \| jq -r '.[]' \| sort -u` | All TLDs found for a given domain. |
| `curl -s https://sonar.omnisint.io/all/{domain} \| jq -r '.[]' \| sort -u` | All results across all TLDs for a given domain. |
| `curl -s https://sonar.omnisint.io/reverse/{ip} \| jq -r '.[]' \| sort -u` | Reverse DNS lookup on an IP address. |
| `curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} \| jq -r '.[]' \| sort -u` | Reverse DNS lookup of a CIDR range. |
| `curl -s "https://crt.sh/?q=${TARGET}&output=json" \| jq -r '.[] \| "\(.name_value)\n\(.common_name)"' \| sort -u` | Certificate Transparency. |
| `cat sources.txt \| while read source; do theHarvester -d "${TARGET}" -b "$source" -f "${source}-${TARGET}"; done` | Searches for subdomains and other information using the sources listed in sources.txt. |

sources.txt

```txt
baidu
bufferoverun
crtsh
hackertarget
otx
projectdiscovery
rapiddns
sublist3r
threatcrowd
trello
urlscan
vhost
virustotal
zoomeye
```

Passive Infrastructure Identification

| Resource/Command | Description |
| --- | --- |
| Netcraft | https://www.netcraft.com/ |
| WayBackMachine | http://web.archive.org/ |
| WayBackURLs | https://github.com/tomnomnom/waybackurls |
| `waybackurls -dates https://$TARGET > waybackurls.txt` | Crawls URLs from a domain, with the date each was obtained. |

Active Infrastructure Identification

| Resource/Command | Description |
| --- | --- |
| `curl -I "http://${TARGET}"` | Displays the HTTP headers of the target webserver. |
| `whatweb -a 1 https://www.facebook.com -v` | Technology identification. |
| Wappalyzer | https://www.wappalyzer.com/ |
| `wafw00f -v https://$TARGET` | WAF fingerprinting. |
| Aquatone | https://github.com/michenriksen/aquatone |
| `cat subdomain.list \| aquatone -out ./aquatone -screenshot-timeout 1000` | Takes screenshots of all subdomains listed in subdomain.list. |

Active Subdomain Enumeration

| Resource/Command | Description |
| --- | --- |
| HackerTarget | https://hackertarget.com/zone-transfer/ |
| SecLists | https://github.com/danielmiessler/SecLists |
| `nslookup -type=any -query=AXFR $TARGET nameserver.target.domain` | Zone transfer using nslookup against the target domain and its nameserver. |
| `gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"` | Bruteforcing subdomains. |