RECON




    1 - Use Xmind for note taking; keep the notes thorough and well organized

    2 - Find acquisitions through Crunchbase

    3 - ASN Enumeration - bgp.he.net

    4 - ASN Enumeration from the command line: metabigor or ASNLookup; then pull the netblocks for the ASN with Amass (e.g. amass intel -asn 34343)

    5 - Reverse WHOIS (with Whoxy.com; for automation use DOMLink)

    6 - Ad/Analytics Relationships (builtwith.com; also available as a Firefox extension)

    7 - Google-Fu: search Google for the copyright text, the terms-of-service text and the privacy-policy text (e.g. "© 2019 Twitch Interactive, Inc" inurl:twitch)

    8 - Shodan (Architecture scanning)

    Next is finding subdomains

    Subdomain Enumeration:
    1 - Linked and JS Discovery
    2 - Subdomain Scraping
    3 - Subdomain Bruteforce

    1 The workflow: Linked Discovery (with Burp Suite Pro, the preferred option)
    In Target -> Scope, use advanced scope control, add the host (e.g. twitch), and tick the "Show only in-scope items" checkbox in the site map.

    Exporting the data (the output is not clean):
    1 - Select all hosts in the site tree
    2 - Right-click the selected hosts (PRO ONLY)
    3 - Go to "Engagement tools" -> "Analyze target"
    4 - Save the report as an HTML file
    5 - Copy the hosts from the "Target" section

    For automation, two crawlers do the same job: GoSpider and hakrawler

    Subdomain Enumeration (with SubDomainizer)

    1 - Find subdomains referenced in JS files
    2 - Find cloud services referenced in JS files
    3 - Use the Shannon entropy formula to flag potentially sensitive items (keys, tokens) in JS files
    NOTE: It takes a whole page, collects the JS files the page references, and analyzes them
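    Added example (not from the original notes and not SubDomainizer's own code): a small Python script that does the three things listed above over a constructed HTML/JS fragment. The hostname regex, the list of cloud suffixes and the 3.5-bit entropy threshold are assumptions chosen for illustration; the hosts and the "apiKey" value in the sample are made up.

```python
import math
import re

# Constructed sample input: a fragment of the kind of HTML/JS a crawler would
# pull from a target page. The hosts and the secret are made up.
SECRET = "3f9a0c7e1b5d8624a7c20f9e3b6d1845e1d4b6f2a8c09735" + "6b2e8d5a0f3c9471"
SAMPLE_JS = f"""
var api = "https://api.example.com/v1/";
fetch("//cdn-assets.example.com/app.js");
const ws = "wss://chat-eu.example.com:8443/socket";
var bucket = "https://example-static-prod.s3.amazonaws.com/img/";
var blob = "https://exstatic.blob.core.windows.net/assets/";
var padding = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
var apiKey = "{SECRET}";
"""

# Matches dotted hostnames: labels of letters/digits/dashes, then a 2+ letter TLD.
HOST_RE = re.compile(r"\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\b", re.I)

# Assumed list of cloud storage/hosting suffixes worth reporting (real tools use longer lists).
CLOUD_SUFFIXES = (".s3.amazonaws.com", ".blob.core.windows.net", ".storage.googleapis.com",
                  ".cloudfront.net", ".azurewebsites.net", ".herokuapp.com")


def find_subdomains(text, root):
    """Return sorted hostnames found in text that are the root domain or below it."""
    root = root.lower()
    found = {h.lower() for h in HOST_RE.findall(text)}
    return sorted(h for h in found if h == root or h.endswith("." + root))


def find_cloud_refs(text):
    """Return sorted hostnames that point at one of the known cloud services."""
    found = {h.lower() for h in HOST_RE.findall(text)}
    return sorted(h for h in found if h.endswith(CLOUD_SUFFIXES))


def shannon_entropy(s):
    """Bits of entropy per character: H = -sum(p_i * log2 p_i) over the symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Quoted tokens of 20+ chars from a key-like alphabet; dots and colons are excluded so URLs are skipped.
TOKEN_RE = re.compile(r"""["']([A-Za-z0-9+/=_-]{20,})["']""")


def find_high_entropy_strings(text, threshold=3.5):
    """Return (token, entropy) for quoted tokens at or above the assumed threshold."""
    hits = []
    for tok in TOKEN_RE.findall(text):
        h = shannon_entropy(tok)
        if h >= threshold:
            hits.append((tok, round(h, 2)))
    return hits


if __name__ == "__main__":
    print(find_subdomains(SAMPLE_JS, "example.com"))
    print(find_cloud_refs(SAMPLE_JS))
    for tok, h in find_high_entropy_strings(SAMPLE_JS):
        print(f"{h:.2f} bits  {tok}")
```

    The entropy check is only a filter: a 64-character hex key scores close to the 4-bit maximum for a 16-symbol alphabet, while the repeated "a" padding scores 0 and is dropped. Anything it flags still has to be looked at by hand, and base64 blobs of minified code will produce false positives.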


    2 Subdomain Scraping

    Subdomain Scraping Sources: Infrastructure Sources, Search Sources, Certificate Sources, Security Sources

    Subdomain Scraping Example (Google)
    site:twitch.tv -www.twitch.tv -watch.twitch.tv -dev.twitch.tv

    Subdomain Scraping (Amass)

    Subdomain Scraping (Subfinder v2)

    Subdomain Scraping (github-subdomains.py) written by Gwendal Le Coguic

    Subdomain Scraping (shosubgo)

    Subdomain Scraping (Cloud Ranges) Sam Erb has a good tool

    3 Subdomain Bruteforcing

    Subdomain Bruting: guessing for live subdomains
    Subdomain Bruting (Amass)
    Use the enum subcommand with the -brute switch (-src shows which data source found each name):
     amass enum -brute -d twitch.tv -src

    You can also specify your own resolvers and wordlist:
     amass enum -brute -d twitch.tv -rf resolvers.txt -w bruteforce.list

    Subdomain Bruting (shuffleDNS): a wrapper around massdns for fast bruteforcing and resolving

    Subdomain Bruting Lists
    Tailored wordlists
    Massive wordlists
    Customized wordlists
    The AssetNote wordlists can be useful

    Alteration Scanning (WAF Bypass): permute the subdomains you already know to guess further hosts
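    Added example (not from the original notes and not the code of any alteration-scanning tool): a Python generator showing what "alteration scanning" actually produces. It takes a constructed list of known subdomains and a short constructed wordlist, and emits new candidates by inserting words as labels, dash-joining them to the leftmost label, and bumping trailing numbers. The root domain, hosts and words are made up.

```python
import re

# Constructed inputs: a few known subdomains plus a short alteration wordlist,
# stand-ins for the real lists a scan would use. Not from any real target.
ROOT = "example.com"
KNOWN = ["api.example.com", "dev-api.example.com", "web1.example.com"]
WORDS = ["dev", "staging", "admin"]


def alterations(hosts, words, root, bump=2):
    """Generate new hostname candidates from known ones by
    (1) inserting each word as an extra label at every position,
    (2) dash-joining each word to the leftmost label on either side,
    (3) incrementing a trailing number on the leftmost label (web1 -> web2, web3).
    Hosts already known are removed so only new guesses are returned."""
    suffix = "." + root
    out = set()
    for host in hosts:
        host = host.lower()
        if not host.endswith(suffix):
            continue
        labels = host[: -len(suffix)].split(".")
        first, rest = labels[0], labels[1:]
        for w in words:
            # word as a new label: dev.api.example.com, api.dev.example.com
            for i in range(len(labels) + 1):
                out.add(".".join(labels[:i] + [w] + labels[i:]) + suffix)
            # word dash-joined to the leftmost label: dev-api, api-dev
            out.add(".".join([f"{w}-{first}"] + rest) + suffix)
            out.add(".".join([f"{first}-{w}"] + rest) + suffix)
        # bump a trailing number on the leftmost label
        m = re.search(r"\d+$", first)
        if m:
            base, n = first[: m.start()], int(m.group())
            for k in range(1, bump + 1):
                out.add(".".join([f"{base}{n + k}"] + rest) + suffix)
    out.difference_update(h.lower() for h in hosts)
    return sorted(out)


if __name__ == "__main__":
    for cand in alterations(KNOWN, WORDS, ROOT):
        print(cand)
```

    The output is only a candidate list; it still has to be resolved (massdns or shuffleDNS are the usual choices) to find which names are live. Note that the candidate count grows roughly as hosts x words x positions, so the wordlist should stay small and target-specific.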

    Other

    Port Analysis (masscan) for IPs

    Port Analysis (dnmasscan) for domains: resolves them first and acts as a wrapper for masscan

    Service Scanning (brutespray): masscan -> Nmap service scan with -oG (grepable) output -> Brutespray credential bruteforce against the discovered services
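    Added example (not from the original notes and not brutespray's own code): a Python parser for the grepable (-oG) Nmap output that sits in the middle of this pipeline, run over a constructed scan file. It keeps only open ports and groups them by service name, which is the information a credential-bruteforcing step needs. The hosts (TEST-NET addresses), versions and the nmap command line in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed nmap grepable output (what `nmap -sV -oG out.gnmap` writes for
# the hosts/ports masscan found). Addresses are from the TEST-NET range and
# the services and versions are made up.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG out.gnmap -iL hosts.txt\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, "
    "3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n"
    "# Nmap done at Mon Jan  1 00:01:00 2024 -- 2 IP addresses (2 hosts up) scanned in 60.00 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_gnmap(text):
    """Return one dict per open port. Each entry in the Ports field has the
    '/'-separated fields port/state/protocol/owner/service/rpc-info/version."""
    services = []
    for line in text.splitlines():
        if "\tPorts:" not in line:
            continue                      # comment lines and Status-only lines
        ip = HOST_RE.match(line).group(1)
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state != "open":
                continue                  # drop filtered/closed ports
            services.append({"ip": ip, "port": int(port), "proto": proto,
                             "service": service, "version": version})
    return services


def targets_by_service(services):
    """Group open ports as ip:port under their service name, which is the
    shape a credential-bruteforcer needs (one target list per protocol)."""
    groups = defaultdict(list)
    for s in services:
        groups[s["service"]].append(f"{s['ip']}:{s['port']}")
    return dict(groups)


if __name__ == "__main__":
    for svc, targets in targets_by_service(parse_gnmap(SAMPLE_GNMAP)).items():
        print(svc, targets)
```

    Filtered ports (here 3389) are dropped on purpose: bruteforcing a port that does not answer only burns time and generates noise, and the service name from -sV is what decides which protocol module a bruteforcer would pick.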

    Github Dorking (MANUAL) - reveals forgotten info that is public

    Screenshotting is important (Aquatone, HTTPScreenshot, EyeWitness)

    Subdomain takeover (Can I take over xyz): lists which services leave dangling CNAMEs that can be claimed

    Subdomain takeover (SubOver & nuclei)

    AUTOMATION++

    Extending tools (Interlace): Interlace by Michael Skelton aka Codingo helps you automate by running a single-target tool across a whole list of targets

    Extending tools (anything TomNomNom writes): his extensive collection of small tools is awesome

    Frameworks are tiered C, B, A, S, from rough (C) to very polished (S)
     C-tier tools fit well into your own automation

    Intrigue.io, AssetNote, SpiderFoot and the Project Discovery framework (unreleased) are S-tier. These programs are good but cost a lot for an individual doing bug bounties.




Original source: https://www.cnblogs.com/ahacker15/p/14362573.html
Copyright © 2020-2023  润新知