Article: TBHMv4 Recon - Checklist
1. Finding Seeds/Roots
# | Description | Done |
---|---|---|
1.1 | Check Scope Domains | |
1.2 | Check acquisitions on Crunchbase | |
1.3 | Enumerate ASNs on bgp.he.net or via Metabigor, ASNLookup or Amass | |
1.4 | Perform Reverse WHOIS with whoxy.com or DOMLink | |
1.5 | Check relationships based on Ad/Analytics via builtwith.com | |
1.6 | Perform Google-dorking using text of Copyright, ToS or Privacy Policy | |
1.7 | Check Shodan | |
2. Finding Subdomains
# | Description | Done |
---|---|---|
2.1 | Perform Linked Discovery with BurpSuitePro, Gospider or hakrawler | |
2.2 | Fetch subdomains by analyzing JavaScript using Subdomainizer or subscraper | |
2.3 | Scrape subdomains using Amass or Subfinder, Github (using github-search) and Shosubgo | |
2.4 | Brute-force subdomains using Amass, Massdns, aiodnsbrute or shuffleDNS | |
2.5 | Perform Alteration Scanning using altdns | |
3. Other
# | Description | Done |
---|---|---|
3.1 | Analyse ports using masscan or dnmasscan | |
3.2 | Check services using brutespray | |
3.3 | Utilize Github Dorking | |
3.4 | Perform HTTP Screenshots by using aquatone, HTTPscreenshot and Eyewitness | |
3.5 | Check for subdomain takeovers using can-i-take-over-xyz, SubOver and nuclei | |
3.6 | Test for arbitrary redirection | |
3.7 | Test for path traversal | |
3.8 | Test for insecure direct object reference | |