Subdomain Enumeration

• subfinder -d target.com -all -recursive -t 200 -o subfinder.txt
• findomain -t target.com | tee findomain.txt
• amass enum -passive -d target.com -o amass.txt
• assetfinder -subs-only target.com | tee assetfinder.txt
• sublist3r -d target.com -t 50 -o sublist3r.txt

Combine All Subdomains / Domains

• cat *.txt | sort -u | tee all.txt && rm subfinder.txt findomain.txt amass.txt assetfinder.txt sublist3r.txt

HTTP Probing ( Identifying Live Web Services )

• cat all.txt | httpx-toolkit -title -sc -location -p 80,443,8000,8080,8443 -td -cl -probe -o httpx-toolkit.txt

Content Discovery ( Directory and File Bruteforcing )

• dirsearch -e php,asp,aspx,jsp,py,txt,conf,config,bak,backup,swp,old,db,sql,asp,aspx,asp~,py~,rb,rb~,php~,bak,bkp,cache,cgi,conf,csv,html,inc,jar,js,json,jsp~,lock,log,rar,old,sql.gz,sql.zip,sql.tar.gz,sql~,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip -i 200 --full-url --deep-recursive -w /usr/share/wordlists/custom.txt --exclude-subdirs .well-known/,wp-includes/,wp-json/,faq/,Company/,Blog/,Careers/,Contact/,About/,IMAGE/,Images/,Logos/,Videos/,feed/,resources/,banner/,assets/,css/,fonts/,img/,images/,js/,media/,static/,templates/,uploads/,vendor/ --exclude-sizes 0B --skip-on-status 429 --random-agent -u http://target.com/
• ffuf -w /usr/share/wordlists/custom.txt -t 75 -ac -mc 200,405,401,415,302,301 -u http://assets.engage.tesla.com/FUZZ

Parameter Discovery

• arjun -u "https://target.com" -m get --stable

Archived URLs ( Wayback Machine )