Recon

bugcrowd
Ways to find Brand / TLD Discovery

Discover IP Space

look for different asns
http://bgp.he.net
prefixes v4
lists the prefixes (IP ranges in CIDR notation) announced by that ASN
whois -h whois.cymru.com $(dig +short tesla.com) #resolves tesla.com to its IP(s) and returns the ASN and BGP prefix (CIDR) each one sits in
careful not to pick up shared hosting
amass
find the IP ranges announced by each of these ASNs
amass intel -asn 123456
#find more details about ip ranges/countries etc
whois.arin.net
ripe.net
shodan.io
org:"Tesla"
#maybe some false positives
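Added example (not from the original notes): a small parser for the Team Cymru whois table that keeps only prefixes whose AS name matches the target organisation, which is the check behind "careful not to pick up shared hosting". It assumes the verbose (-v) table format of whois.cymru.com; the ASNs, IPs and AS names in the sample are constructed, not real data for tesla.com.

```python
"""Parse Team Cymru verbose whois output and separate prefixes announced by
the target org's own ASN from IPs hosted in someone else's AS.

Constructed sample; real output comes from e.g.:
    whois -h whois.cymru.com " -v 198.51.100.7"
"""
import ipaddress

# Constructed table: ASNs 64500-64502 are from the private range, IPs are RFC 5737 test nets.
SAMPLE_CYMRU_OUTPUT = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64500   | 198.51.100.7     | 198.51.100.0/24     | US | arin     | 2015-01-01 | EXAMPLE-CORP, US
64500   | 198.51.100.9     | 198.51.100.0/24     | US | arin     | 2015-01-01 | EXAMPLE-CORP, US
64501   | 203.0.113.5      | 203.0.113.0/24      | US | arin     | 2012-06-15 | BIGCLOUD-HOSTING, US
64502   | 192.0.2.77       | 192.0.2.0/25        | IE | ripencc  | 2018-09-09 | EXAMPLE CORP EU, IE
"""


def parse_cymru(text):
    """Return one dict per data row of the pipe-separated whois.cymru.com table."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("AS "):
            continue  # blank line or the header row
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7:
            continue  # tolerate unexpected lines instead of crashing
        asn, ip, prefix, cc, registry, allocated, as_name = fields
        rows.append({"asn": int(asn), "ip": ip, "prefix": prefix, "cc": cc,
                     "registry": registry, "allocated": allocated, "as_name": as_name})
    return rows


def org_prefixes(rows, org_keyword):
    """Unique BGP prefixes whose AS name contains org_keyword (case-insensitive).

    A prefix announced by a hosting provider's AS is shared with other tenants,
    so it is not treated as the org's own IP space."""
    keep = set()
    for r in rows:
        if org_keyword.lower() in r["as_name"].lower():
            keep.add(ipaddress.ip_network(r["prefix"]))
    return sorted(str(p) for p in keep)


def hosted_elsewhere(rows, org_keyword):
    """IPs that belong to the target's hostnames but sit in a third party's AS."""
    return sorted(r["ip"] for r in rows
                  if org_keyword.lower() not in r["as_name"].lower())


if __name__ == "__main__":
    rows = parse_cymru(SAMPLE_CYMRU_OUTPUT)
    print("own prefixes:", org_prefixes(rows, "EXAMPLE"))
    print("hosted in another AS:", hosted_elsewhere(rows, "EXAMPLE"))
```

The IPs that land in a hoster's AS are still in scope as hostnames, but their whole /24 is not; only the prefixes returned by org_prefixes are worth feeding into amass intel -asn or a port scan.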

Discovering New Targets and TLDs

Find different attack surfaces which other people might not have discovered, ie from acquisitions
Wikipedia
search for subsidiaries
Crunchbase.com
search for org
look for acquisitions
Owler.com
search for org
look for acquisitions
Acquiredby.co
search for org
acquisitions
LinkedIn
affiliated pages or similar pages
Reversewhois
amass intel -d tesla.com -whois
Builtwith
Relationship Profile
look for analytics codes under ID # Google tracking codes that are shared across different sites
GoogleDorks
intext:"copyright tesla motors"
ShodanDorks
http.favicon.hash:81586312 # Jenkins favicon hash
can narrow it down after that

Subdomain Enumeration

https://github.com/tomnomnom/assetfinder/
assetfinder -subs-only offsecnewbie.com
amass enum -d tesla.com -ip
set up config.ini (API keys) to get access to a lot more data sources than the baseline tool
subfinder # not used much but has a few extra sources
subfinder -d tesla.com -t 25 -timeout 5 -silent
DNS bruteforcing https://youtu.be/La3iWKRX-tE?t=802
all.txt + goaltdns + commonspeak --> massdns / gobuster3
https://github.com/subfinder/goaltdns
massdns
#download all.txt
sed -e 's/$/.tesla.com/' -i all.txt #appends .tesla.com to the end of each line - overwrites the file in place
massdns -r lists/resolvers.txt -t CNAME all.txt -o S > results
#massdns is much faster than gobuster but can get you blacklisted by DNS resolvers - a lot of false positives and negatives
rapid 7 fdns
#download latest file here: https://opendata.rapid7.com/sonar.fdns_v2/
pv 2019-10-27-1572199582-fdns_cname.json.gz | pigz -dc | grep -E "\.tesla\.com\"," | jq -r '.name'
certstream
certstream | grep -E "\.tesla\.com$"
#Real-time certificate transparency log update stream
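Added example (not from the original notes or from massdns): the sed step above as a function, plus a post-filter for massdns -o S output that throws away wildcard-DNS hits, which are the main source of the false positives mentioned. The canary label is an assumption of this script: a random name is added to the candidate list, and any name that resolves only to the same answer as the canary is dropped. The result lines are constructed, not real resolutions for tesla.com.

```python
"""Build a massdns candidate list and filter its simple (-o S) output.

Output format assumed: '<name>. <TYPE> <value>' per line, one record each.
"""
import secrets
from collections import defaultdict

DOMAIN = "tesla.com"  # target from the notes; answers below are made up
# Random label nobody would really create: if it resolves, the zone has a wildcard.
CANARY = "canary-" + secrets.token_hex(6)

# Constructed sample of massdns -o S output; 203.0.113.9 plays the wildcard IP.
SAMPLE_RESULTS = f"""\
www.tesla.com. A 198.51.100.10
shop.tesla.com. CNAME shop.example-cdn.net.
dev.tesla.com. A 203.0.113.9
{CANARY}.tesla.com. A 203.0.113.9
ghost.tesla.com. A 203.0.113.9
"""


def build_candidates(words, domain, canary=CANARY):
    """Equivalent of: sed -e 's/$/.tesla.com/' all.txt, plus the canary name."""
    names = [f"{w.strip()}.{domain}" for w in words if w.strip()]
    names.append(f"{canary}.{domain}")
    return names


def parse_massdns_simple(text):
    """Map lowercase name (trailing dot removed) -> set of (type, value) records."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        name, rtype, value = parts
        records[name.rstrip(".").lower()].add((rtype, value.rstrip(".").lower()))
    return records


def filter_wildcards(records, domain, canary=CANARY):
    """Keep names in scope that have at least one record the wildcard did not give."""
    wildcard_values = records.get(f"{canary}.{domain}", set())
    real = {}
    for name, values in records.items():
        if name == f"{canary}.{domain}":
            continue
        if not name.endswith("." + domain):
            continue  # stray answer outside the target zone
        if wildcard_values and values <= wildcard_values:
            continue  # identical to the wildcard answer: no evidence of a real host
        real[name] = values
    return real


if __name__ == "__main__":
    candidates = build_candidates(["www", "shop", "dev", "ghost"], DOMAIN)
    print("would feed to massdns:", candidates)
    live = filter_wildcards(parse_massdns_simple(SAMPLE_RESULTS), DOMAIN)
    for name, values in sorted(live.items()):
        print(name, sorted(values))
```

A real host can legitimately share the wildcard's IP, so names dropped here are "unconfirmed", not "nonexistent"; the remaining names are the ones worth fingerprinting first.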

Fingerprinting

what is running, narrow down attack surface

builtwith.com
whatweb #follows redirection http-->https
masscan & nmap
masscan -p1-65535 $(dig +short tesla.com) --rate 1000

Dorking

shodan dork
org:"Tesla"
ssl:"Tesla" #accurate and can prove ownership to organisation
ssl:"Tesla" http.component:"Drupal"
ssl:"Tesla" http.title:"Login"
censys.io
443.https.tls.certificate.parsed.subject.organizational_unit: Tesla Motors
github dork
"tesla.com" password
"tesla.com" key
"tesla.com" api
https://github.com/condingo/dorky #automate the dorking process - tool to be released

Content Discovery

Burpcrawler
crawl site
Linkfinder https://github.com/GerbenJavado/LinkFinder
jsparser - similar to above
gobuster & recursebuster # recursebuster only does directories
otxurls
echo "www.tesla.com" | otxurls | head -n 300 #attempts to find urls within alienvault
waybackurls
echo "www.tesla.com" | waybackurls | head -n 300 #similar to above, you can get parameters back which can be useful when fuzzing
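Added example (not from the original notes or from waybackurls/otxurls): pulling the parameter names out of a URL list such as the waybackurls output above, grouped per path, so they can seed fuzzing. The URLs in the sample are constructed, not real archive data for tesla.com.

```python
"""Extract unique query parameter names per path from a list of URLs.

Input is one URL per line (waybackurls / otxurls style); junk lines are skipped.
"""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of archived URLs for the target.
SAMPLE_URLS = """\
https://www.tesla.com/search?q=model&page=2
http://www.tesla.com/search?q=roadster&sort=asc
https://www.tesla.com/account/login?redirect=%2Fdashboard&lang=en
https://www.tesla.com/static/app.js
https://www.tesla.com/account/login?redirect=/home
not a url at all
"""


def params_by_path(text, scope_host=None):
    """Map each path to the sorted list of parameter names ever seen on it.

    scope_host, if given, restricts results to that exact host so URLs for
    unrelated hosts in a mixed list are ignored."""
    found = defaultdict(set)
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            continue  # not a URL
        if scope_host and parts.netloc.lower() != scope_host.lower():
            continue
        # keep_blank_values so "?debug=" still records the "debug" parameter
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            found[parts.path or "/"].add(name)
    return {path: sorted(names) for path, names in found.items() if names}


def wordlist(text, scope_host=None):
    """Flat, de-duplicated parameter list for a fuzzer (parameth, ffuf, etc.)."""
    return sorted({p for names in params_by_path(text, scope_host).values() for p in names})


if __name__ == "__main__":
    for path, names in sorted(params_by_path(SAMPLE_URLS).items()):
        print(path, names)
    print("wordlist:", wordlist(SAMPLE_URLS))
```

Parameters like redirect are worth noting separately from the rest of the wordlist, since the path they were seen on tells you where to test them.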

Parameter Discovery

https://github.com/maK-/parameth

Automation

https://github.com/codingo/Interlace
Interlace #multithreads other tools
interlace -tL domains.txt -c "amass enum -d _target_" -o subdomains.txt -threads 20
LazyRecon #out of date but still a good baseline

GHDB + others GUI tool

https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/