Article: TBHMv4 Recon - Checklist
1. Finding Seeds/Roots
| # | Description | Done |
|---|---|---|
| 1.1 | Check Scope Domains | |
| 1.2 | Check ascquisitions on Crunchbase | |
| 1.3 | Enumerate ASNs on bgp.he.net or via Metabigor, ASNLookup or Amass | |
| 1.4 | Perform Reverse WHOIS with whoxy.com or DOMLink | |
| 1.5 | Check relationships based on Ad/Analytics via buildwith.com | |
| 1.6 | Perform Google-dorking using text of Copyright, ToS or Privacy Policy | |
| 1.1 | Check Shodan |
2. Finding Subdomains
| # | Description | Done |
|---|---|---|
| 2.1 | Perform Linked Discovery with BurpSuitePro, Gospider or hakcrawler | |
| 2.2 | Fetch subdomains by analyzing JavaScript using Subdomainizer or subscraper | |
| 2.3 | Scrape subdomains using Amass or Subfinder , Github (using guthub-search) and Shosubgo | |
| 2.4 | Bruteforce subdomains using Amass, Massdns, aisdnsbrute or shuffleDNS | |
| 2.5 | Perform Alteration Scanning using altdns |
3. Other
| # | Description | Done |
|---|---|---|
| 3.1 | Anaylse ports using masscan or dnmasscan | |
| 3.2 | Check services using brutespray | |
| 3.3 | Utilize Github Dorking | |
| 3.4 | Perform HTTP Screenshots by using aquatone, HTTPscreenshot and Eyewitness | |
| 3.5 | Check for subdomain takeovers using can-i-take-over-xyz, SubOver and nuclei | |
| 3.6 | Test for arbitrary redirection | |
| 3.7 | Test for path traversal | |
| 3.8 | Test for insecure direct object reference |