Some of the open-source tools used against pentest and bug bounty targets in web and mobile environments, along with their commands.
#1 Subdomain Collectors
Multiple hosts inside a .txt file:
subfinder -dL root-domains.txt -o subfinder-company.txt
Single host:
subfinder -d company.com -o hosts.txt
GitHub subdomain discovery (needs a GitHub API token):
github-subdomains -d company.com -t [git-api-token]
AltDNS (subdomain permutation and resolution; -r resolves the generated names, -s saves the ones that resolve):
altdns -i all-subdomains.txt -o results -w words.txt -r -s all-dns-domains.txt
HTTProbe with critical ports (each -p is proto:port; the default http:80 and https:443 probes still run):
cat all-hosts.txt | httprobe -p https:8089 -p https:10250 -p https:2375 -p https:8080 -p https:8443 -p https:9200 -p https:5200 -p https:9300 -p https:5601 -p https:21 -p https:3389 -p https:22 -c 50 > httprobe-allCriticalPorts.txt
Only the default HTTP(S) ports, preferring https when both answer:
cat all-hosts.txt | httprobe -c 50 --prefer-https > httprobe-allHTTPs.txt
Naabu full port scan (-p -) excluding CDN hosts; the SYN scan needs root, and the input is one hostname or IP per line:
sudo ./naabu -iL scp-httprobe-allHTTPs.txt -p - --exclude-cdn -o naabu-results.txt -v
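As an added example (not from the original cheat sheet), the plumbing between the steps above: one function merges and normalizes the collectors' output before probing, the other turns httprobe's scheme://host[:port] lines into the bare host list that naabu and nmap expect. The file names are assumptions and the sample input in demo() is constructed.

```bash
#!/usr/bin/env sh
# Added example, not part of the original cheat sheet: glue between the
# subdomain collectors, httprobe and naabu above. The file names used in
# demo() are assumptions; point the functions at your own output files.

# Merge every collector's output into one clean list of hostnames:
# lowercase, strip a scheme/path/port if a tool emitted URLs, turn wildcard
# entries like '*.dev.company.com' into their base name, drop trailing dots,
# keep only lines that look like hostnames, and dedupe.
merge_subdomains() {
    cat "$@" \
      | tr 'A-Z' 'a-z' \
      | sed -E 's#^[a-z]+://##; s#[/:].*$##; s#^\*\.##; s#\.$##' \
      | grep -E '^([a-z0-9-]+\.)+[a-z]{2,}$' \
      | sort -u
}

# httprobe prints scheme://host[:port]; naabu and nmap want one bare host or
# IP per line, so strip the scheme, any path and the port before handing over.
hosts_from_httprobe() {
    sed -E 's#^[a-zA-Z]+://##; s#/.*$##; s#:[0-9]+$##' "$@" | sort -u
}

# Constructed sample input (not real tool output) to show the two steps.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'API.company.com' 'api.company.com' '*.dev.company.com' \
        'https://portal.company.com/login' 'company.com.' > "$tmp/subfinder-company.txt"
    printf '%s\n' 'https://api.company.com:8443' 'http://api.company.com' \
        'https://portal.company.com' > "$tmp/httprobe-allHTTPs.txt"
    echo '# merged subdomains:'
    merge_subdomains "$tmp/subfinder-company.txt"
    echo '# hosts for naabu/nmap:'
    hosts_from_httprobe "$tmp/httprobe-allHTTPs.txt"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the constructed input flow through; in practice call `merge_subdomains subfinder-company.txt github-subdomains.txt ... > all-hosts.txt` before httprobe, and `hosts_from_httprobe httprobe-allHTTPs.txt > naabu-input.txt` before naabu.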
Gospider against the whole host list (also pulls URLs from other sources and includes subdomains):
gospider -S httprobe-hosts.txt -o gospider-results --other-source --include-subs
Get All URLs (gau), blacklisting static asset extensions:
cat all-subdomains.txt | gau -t 500 -b css,png,jpeg,jpg,svg,gif,ttf,woff,woff2,eot,otf,ico,js > gau-results.txt
Fuzzing endpoints with ffuf, filtering out 401/403 responses:
ffuf -w daniel-v-compilation.txt -u http://company.com.br/FUZZ -fc 401,403
AlienVault OTX passive URL discovery (gron fetches the JSON, the ungron/jq step pulls only the url fields):
for sub in $(cat domains.txt); do gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$sub?limit=100&page=1" | grep "\burl\b" | gron --ungron | jq -r '.url_list[].url' | sort -u | tee -a file.txt; done
Basic subjack usage (subdomain takeover check, over HTTPS with -ssl):
subjack -w all-hosts.txt -t 100 -timeout 30 -o subjack-results.txt -ssl
Nuclei active takeover templates (excluding templates tagged info, with a browser-like User-Agent):
nuclei -l allhosts.txt -t takeovers/ -etags info -H "User-Agent: Mozilla/5.0 (Windows NT 10.0)"
Eyewitness tool:
./EyeWitness.py -f all-domains.txt --timeout 8
Webscreenshot tool:
python webscreenshot.py -i all-domains.txt -w 40
Fuzzing multiple hosts at the same time (the host file holds scheme://host entries, one per line; ffuf tries every host/path combination in clusterbomb mode, the default, and -o is what makes -of md actually write the report):
ffuf -w "https-domains.txt:DOMAIN" -w "daniel_v_compilation.txt:FUZZ" -u DOMAIN/FUZZ -t 50 -fc 301,401,403 -v -od ffuf-multipleHosts-results -o ffuf-multipleHosts-results.md -of md
Cloud environment enumeration:
python cloud_enum.py -kf keyfile-company.txt -m enum_tools/fuzz.txt -b enum_tools/fuzz.txt -t 10 -l cloudEnv-results.txt
nmap top 1000 ports against a hosts file (-Pn skips host discovery, -A enables service/OS detection and default scripts):
nmap -A -Pn -oN nmap-all.txt -iL subdomains.txt --top-ports 1000
Single host:
nmap -sT -sU -A -v --top-ports 100 company.com
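An added example, not from the original page: the scans above write human-readable output (-oN), which is awkward to chain. Add -oA basename (or -oG file) to also get nmap's greppable format, and the functions below turn that into an open-port list and into host:port targets for httprobe or ffuf. The .gnmap lines built in demo() are constructed, not a real scan.

```bash
#!/usr/bin/env sh
# Added example, not from the original page: turn nmap's greppable output
# (-oG / -oA) into a host/port/service list you can feed to the HTTP probing
# and fuzzing steps. The sample lines in demo() are constructed.

# Print "ip hostname port/proto service" for every open port in .gnmap input
# (files as arguments, or stdin). A gnmap "Ports:" field lists entries of the
# form port/state/proto/owner/service/rpc/version/ separated by ", ".
open_ports_from_gnmap() {
    awk -F'\t' '
        /^Host:/ && /Ports:/ {
            split($1, h, " "); ip = h[2]
            name = "-"
            if (match($1, /\(.+\)/)) name = substr($1, RSTART + 1, RLENGTH - 2)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports:/) continue
                sub(/^Ports: /, "", $i)
                n = split($i, ports, ", ")
                for (j = 1; j <= n; j++) {
                    split(ports[j], f, "/")
                    if (f[2] == "open")
                        printf "%s %s %s/%s %s\n", ip, name, f[1], f[3], f[5]
                }
            }
        }' "$@"
}

# Build host:port targets from the open-port list: keep TCP ports whose nmap
# service name contains "http" (http, ssl|http, http-alt, http-proxy, ...),
# preferring the hostname over the IP when nmap resolved one.
http_targets_from_gnmap() {
    open_ports_from_gnmap "$@" | awk '
        $3 ~ /\/tcp$/ && $4 ~ /http/ {
            split($3, p, "/")
            host = ($2 == "-") ? $1 : $2
            print host ":" p[1]
        }'
}

# Constructed .gnmap sample (not real scan output).
demo() {
    tmp=$(mktemp)
    printf 'Host: 203.0.113.10 (api.company.com)\tStatus: Up\n' > "$tmp"
    printf 'Host: 203.0.113.10 (api.company.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 443/open/tcp//ssl|http//nginx/, 8443/filtered/tcp//https-alt///\tIgnored State: closed (997)\n' >> "$tmp"
    printf 'Host: 203.0.113.11 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (999)\n' >> "$tmp"
    echo '# open ports:'
    open_ports_from_gnmap "$tmp"
    echo '# http targets:'
    http_targets_from_gnmap "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

`http_targets_from_gnmap nmap-all.gnmap | httprobe -c 50` probes exactly the ports nmap found open instead of the fixed list used earlier; ffuf accepts the same host:port lines in its DOMAIN wordlist once a scheme is prepended.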
Multiple hosts path fuzzing with the meg tool (Go). It takes a paths file, a hosts file and an output directory (defaulting to ./paths, ./hosts and ./out); --savestatus keeps only responses with the given status code:
meg --savestatus 200 paths.txt hosts.txt meg-results/
Mobile tools
#1 Bypass SSL pinning with Frida:
Connect ADB to the device (TCP; a USB device already shows up in adb devices):
adb connect localhost:port
Start frida-server on the device (after pushing a frida-server build that matches the host's frida version to /data/local/tmp and making it executable with chmod 755; needs root):
adb shell "/data/local/tmp/frida-server &"
Bypass certificate pinning with a script from Frida CodeShare, spawning the app by its package name (on Frida 16 and later the CLI resumes the spawned app by itself and --no-pause no longer exists):
frida -U -l bypass-ssl-frida.js --no-pause -f com.company.app
- OBJECTION
First make a regular ADB connection and start frida-server on the device.
Attach objection to the app by package name:
objection --gadget com.company.app explore
SSL Pinning with objection
android sslpinning disable
Disable root detection
android root disable
DYNAMIC HOOKING:
Search for classes whose name matches a pattern:
android hooking search classes com.company.app
Search for methods whose name matches a pattern (across loaded classes):
android hooking search methods MainActivity
List the methods of a class with their full signatures, parameters included:
android hooking list class_methods com.company.app.MainActivity
List all classes being used by the app
android hooking list classes
OTHERS:
Extract URLs/endpoints from an APK:
apkurlgrep -a ~/path/to/file.apk
Decompile an APK (smali, resources and manifest):
apktool d name.apk
Convert an APK to a jar file (then open it in a Java decompiler):
d2j-dex2jar.sh application.apk
Decompile native shared objects (.so) with RetDec:
python retdec-decompiler.py libmain.so
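An added example, not apkurlgrep's or apktool's code: once apktool has unpacked the APK, the endpoint extraction and the SSL pinning question above can both be answered from the files on disk. The first function pulls http(s) URLs out of smali, resources and assets; the second reads res/xml/network_security_config.xml (and, failing that, the manifest) to tell you whether the app declares a pin-set and whether it allows cleartext traffic, which is what decides whether the Frida/objection unpinning steps will be needed. The directory tree built in demo() is constructed, with a placeholder pin value.

```bash
#!/usr/bin/env sh
# Added example; not apkurlgrep's or apktool's code. Works on the directory
# produced by `apktool d name.apk`. The tree built in demo() is constructed.

# Print the unique http(s) URLs found anywhere under the unpacked app
# directory (smali const-strings, strings.xml, assets, ...).
apk_urls() {
    grep -rhoE 'https?://[A-Za-z0-9._~:/?#@!$&+=%-]+' "$1" 2>/dev/null | sort -u
}

# Summarize res/xml/network_security_config.xml as one line:
# "pinning=<yes|no> cleartext=<yes|no|default>". When the config is absent or
# silent on cleartext, fall back to the manifest's android:usesCleartextTraffic.
apk_netsec() {
    dir=$1
    cfg="$dir/res/xml/network_security_config.xml"
    pin=no
    clear=default
    if [ -f "$cfg" ]; then
        if grep -q '<pin-set' "$cfg"; then pin=yes; fi
        if grep -q 'cleartextTrafficPermitted="true"' "$cfg"; then
            clear=yes
        elif grep -q 'cleartextTrafficPermitted="false"' "$cfg"; then
            clear=no
        fi
    fi
    if [ "$clear" = default ] && grep -q 'android:usesCleartextTraffic="true"' "$dir/AndroidManifest.xml" 2>/dev/null; then
        clear=yes
    fi
    printf 'pinning=%s cleartext=%s\n' "$pin" "$clear"
}

# Constructed sample tree (not a real app); the pin digest is a placeholder.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/res/xml" "$tmp/smali/com/company/app"
    printf '%s\n' \
        'const-string v0, "https://api.company.com/v1/login"' \
        'const-string v1, "https://api.company.com/v1/login"' \
        'const-string v2, "http://legacy.company.com/ping"' \
        > "$tmp/smali/com/company/app/Api.smali"
    printf '%s\n' \
        '<network-security-config>' \
        '  <domain-config cleartextTrafficPermitted="false">' \
        '    <domain includeSubdomains="true">api.company.com</domain>' \
        '    <pin-set expiration="2030-01-01">' \
        '      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>' \
        '    </pin-set>' \
        '  </domain-config>' \
        '</network-security-config>' \
        > "$tmp/res/xml/network_security_config.xml"
    echo '# urls:'
    apk_urls "$tmp"
    echo '# network security config:'
    apk_netsec "$tmp"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Usage against a real unpack: `apk_urls name/ > apk-urls.txt; apk_netsec name/`. A `pinning=yes` result is a static signal only; apps can pin in code (OkHttp CertificatePinner, custom TrustManagers), so objection's `android sslpinning disable` is still the check that matters at runtime.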