Discovery & Triage

Web Probing:
- HTTPX: httpx -l subdomains.txt -title -status-code -td (identify the tech stack and live web apps).
- Eyewitness: eyewitness --web -f subdomains.txt (visual triage for “Admin” or “Under Construction” pages).

Crawling & Logic:
- Gospider: gospider -s https://example.com -o output/ (extracts subdomains/endpoints from JS files).
- SecretFinder: scan JS files for hardcoded credentials or hidden endpoints.
- CeWL: cewl -w wordlist.txt -d 2 -m 5 https://example.com (generate targeted wordlists).

Fuzzing & Vulnerability Scanning

Directory Discovery:
- FFuF: ffuf -w wordlist.txt -u https://example.com/FUZZ -mc 200,403

Vulnerability Scanning:
- Nuclei: nuclei -l live_urls.txt -t nuclei-templates/ (CVE and misconfiguration detection).
- Nikto: nikto -h https://example.com (check for outdated server software).

Document & Data Analysis

Metadata Analysis:
- Exiftool: exiftool -r downloaded_docs/ (extract usernames, software versions, and internal paths).

Sensitive Files: search for .git, .env, backup.zip, config.php.bak.