- Shodan
- Censys
- crt.sh
- fofa
- Web archive
- w3techs.com. Helps identify the technologies used on a site
- Whois
- Whois Freaks
- ViewDNS.info
- YouGetSignal.com. Remote Address Lookup, Port Forwarding Tester, Whois Lookup, Visual Trace Route, Reverse IP Lookup, Network Location Tool and much more
- Rapiddns.io. DNS data
- Securitytrails.com
- Dnsdumpster.com
- centralops.net
- Urlscan.io
- dig domain.com ANY (dig @ns1.domain.com domain AXFR), nslookup domain.com, host domain.com
- theHarvester
- Social Media
- GitHub, GitLab
- Google Dorking
- sublist3r
- subfinder
- urlfinder is a high-speed, passive URL discovery tool
- assetfinder
- spyhunt. Comprehensive network scanning and vulnerability assessment tool
- dnsmap
- httpx. Check active subdomains
- masscan
- Nmap
- RustScan
- ffuf
- gobuster
- feroxbuster
- dirb
- dirbuster
- Arjun
- dnsenum, fierce, dnsrecon, puredns
- WhatWeb
- Striker
- /robots.txt
- /sitemap.xml
- /.git
- /.well-known/openid-configuration and other /.well-known/...
- View source code
- Otx.alienvault.com
- amass: amass enum -d example.com (active), amass enum -passive -d example.com (passive)
- Wappalyzer (browser extension)
- whatweb, wafw00f (CLI)
- curl -I <TARGET_HOST> - to get server banner
- nikto -h <TARGET_HOST> -Tuning b
A dork like this helps to find subdomains. Don't forget to check the setting to include Virtual Hosts:
(services.tls.certificates.leaf_data.names: <TARGET_DOMAIN>) and services.http.response.status_code="200"
gobuster dns -d <TARGET_DOMAIN.com> -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
gobuster vhost -u <TARGET_URL> -w /usr/share/SecLists/Discovery/Web-Content/common.txt --append-domain