Shortcut to Extract Subdomains and running services

Website Comment

Powerful. Searches automatically for exploits on running services.
Allows only 20 requests on the free tier. Search engine built for quick cyber intelligence on IT infrastructures, networks, and even the smallest parts of the internet. Powerful search; helps for quick recon on infrastructure targets.

Useless. Low data.

Useless/marketing stuff.

Very impressive. There are many emails with passwords extracted from many leaked databases. Very helpful to red-team companies which have to see what is going on with their employees' email.

Limited. You must have an API key to see more than one page.

Useless, single target.

Powerful. Can filter by IoT, ports, products, ASN. Allows 250 requests per month.

Top tool. Expensive. You should buy it when it is on Chinese Black Friday. Also recommend monitoring Shodan's Twitter for new updates or promotions.

Few contents, although it automatically flags exploits for running services, e.g. "It seems exploitable to EternalBlue".

Use Zeek (formerly known as Bro), Argus and Nfdump. Isn't a website tool.

Amazing table view. No search limits, although it doesn't do advanced things. It's more like research about a service or product.

There are a lot of contents, but it seems useless. I can't see anything sensitive. "A Powerful and Fast Domain Name Data API".


1. Attacks (test on subdomains first; if the target has no subdomains, or no juicy subdomains, then go for the main domain.)

All Subdomains:-
1) XSS
2) Host Header Injection
3) Open Redirection through WaybackURLs
4) Improper Access Control & Parameter Tampering (forgot password, price etc.)
5) HTML Injection (like XSS; reflects back our HTML code)
6) File Inclusion (upload malicious file using LFI/RFI (search in Burp for file://, url, redirect etc.), path traversal (/var/www/html), run with URL)
7) SPF (no valid SPF records) - Sender Policy Framework
8) CORS - Cross Origin Resource Sharing (change Origin by curl or Burp; search for Access-Control... and get XML code)
9) SSRF - Server Side Request Forgery (../etc/passwd) (read unrestricted files, scan internal network, RFI (execute own code))
10) Critical file search (use wordlist, and on main domain)
11) Source Code Disclosure (use Burp search file://login.php, try to find SQL code, index.of.backup)
12) CSRF - GET, POST (HTML file)
13) API search using grep (use tool for that)
14) Authentication Bypass (use my writeup)
15) SSTI - Server Side Template Injection (use PortSwigger for help)
16) Unicode Injection in mail address param, and use Burp Collaborator for receiving mails.
17) For business logic errors (use fuzzdb on GitHub)
18) Sub Domain Takeover (HostileSubBruteforcer, sub404)
19) Email Header Injection on Reset Password function
20) SMTP and Host Header Injection
21) Iframe (for Clickjacking)
22) Check Burp History, Arjun, Hakrawler for finding endpoints
23) Check Cryptography in Reset Password Token
24) Bypassing Rate Limit
25) Check Headers
26) Directory Bruteforce
27) HTTP Request Smuggling
28) Check for Social Sign-on Bypass
29) File Upload: CSRF, SSRF, RCE, LFI, XXE
30) Buffer Overflow
31) SQL Injection (use SQLmap)
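As an added example (not from the original checklist), the CORS behaviours that item 8's Origin-swapping test distinguishes, in Python: two misconfigured handlers beside an exact-match allowlist, plus a triage function for the response headers that a defender can run in a unit test. ALLOWED_ORIGINS, app.example.com and notexample.com are constructed values.

```python
# Constructed allowlist of origins this API trusts (assumption for the example).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

def reflecting_cors_headers(request_origin):
    """Vulnerable: echoes any Origin and allows credentials, so any site can
    read authenticated responses from this API in the victim's browser."""
    if request_origin is None:
        return {}
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}

def suffix_cors_headers(request_origin):
    """Also vulnerable: a suffix check lets https://notexample.com through."""
    if request_origin is None or not request_origin.endswith("example.com"):
        return {}
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}

def allowlisted_cors_headers(request_origin, allowlist=ALLOWED_ORIGINS):
    """Hardened: exact match of the full serialized origin (scheme://host[:port]).
    'null', substring and suffix look-alikes all fall through to 'no CORS'."""
    if request_origin in allowlist:            # None and "null" are never in the set
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
    return {}

def classify_cors(probe_origin, response_headers):
    """Defender-side triage of a response to a request that carried an
    untrusted Origin. Returns a short verdict for logging or a unit test."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers refuse "*" together with credentials, but it is still a misconfiguration.
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao == probe_origin:
        return "reflected-with-credentials" if creds else "reflected"
    return "fixed-origin"

if __name__ == "__main__":
    probe = "https://notexample.com"   # constructed untrusted origin
    for name, fn in [("reflecting", reflecting_cors_headers), ("suffix", suffix_cors_headers),
                     ("allowlisted", allowlisted_cors_headers)]:
        print(f"{name:12s} {classify_cors(probe, fn(probe))}")
```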


Find Subdomains (use Amass, Subfinder, Sublist3r, Nahamsec repo, crt.sh, VirusTotal)

ex: 1. amass enum -brute -d <domain> -src
    2. amass enum -brute -d <domain> -rf resolvers.txt -w bruteforce.list
Github Recon
    Search for goodies:
    ADS key, privacy policy, TOS, AWS, S3

Use a directory finder tool (massdns, DirBuster, GoBuster, dns-parallel-prober, blacksheepwall), also for subdomain brute force. commonspeak for wordlists - subdomain & URL data (not recommended). Nahamsec wordlist, SecLists.


  • Port Scanning
    Masscan ex: masscan -p1-65535 -iL $ipFile --max-rate 1800 -oG $outPutFile.log
    Nmap
  • Credential Bruteforcing
  • Use EyeWitness for screenshots; webscreenshot; Aquatone
  • WaybackURLs - get APIs, see previous versions of URLs
  • XMind organisation - to track the enum process.
  • Burp Vuln Scanner - platform identification, CVE searching
  • Parsing JavaScript (link parsing, or extracting links from JS files); coverage for heavy-JavaScript sites
        LinkFinder
            Burp >> Engagement tools >> Find Scripts >> Copy Selected URLs, and pass this to these tools
  • Platform Identification
  • Content Discovery/Directory Bruting
        Digger wordlists
        Burp Content Discovery
        Robots Disallowed
  • Parameter Bruting: Parameth, Burp Analyze Target
  • Param Spider (find URLs which have parameters)

Blind XSS Frameworks

IDOR-MFLAC (Insecure Direct Object Reference)

Subdomain Takeover

Security testing against Akamai? Look for ways to bypass the filtering by going to the source.

Other Useful Tools-

EyeWitness - for screenshots

webscreenshot - for screenshots

Aquatone - for screenshots

HTTPSscreenshot - for screenshots

OpenList Chrome extension - open tabs with specified URLs

ASN Lookup, net, Crunchbase for acquisitions (other organisations),

DOMLink, Google Fu,

Shodan API,

and juicy subdomains

Tips to crawl

meg -path find

ffuf -path ' '

concurl -path ' '

comm - compares sorted files

gau - fetch JS files

find - to list directory

Arjun - find parameters on a specific endpoint

Advanced Payloads:-

for XSS

1. <marquee loop=1 width=0 onfinish=pr\u006fmpt(document.cookie)>Y000</marquee>

   '">><marquee><img src=x onerror=confirm(1)></marquee>"

   formaction=javascript:alert(/XSS/) type=submit>'-->"

   1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="">

   " onclick=alert(1)//<button ' onclick=alert(1)//> */ alert(1)//

for SQL injection, use URL encoding

2. /*!50000%75%6e%69on*/%73%65%6cect 1,2,3,4,...

for subdomains

  1. Subfinder v2, Amass, Sublist3r, crt.sh

for finding parameters

  1. Arjun, ParamSpider, Parameth
     ex: for ParamSpider:- python3 paramspider.py --domain <domain> --exclude woff,css,js,png,svg,php,jpg --output healthifyme.txt

for separating https & http

  1. httpx (with title), httprobe

for subdomains and cloud-service subdomains in JS files, use the Shannon entropy

  1. SubDomainizer

for link discovery

  1. GoSpider | Hakrawler | Burp Suite Pro, and use advanced scope with the keyword 'Twitch'
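An added example, not the page's or SubDomainizer's own code: what that tool's approach does, in Python, as an offline check you can run over your own bundles before deploy to catch hostnames and embedded secrets before an outsider does. SAMPLE_JS, the token pattern, the 4.0-bit entropy threshold and the TLD filter are assumptions.

```python
import math
import re

# Constructed JS snippet: one cloud bucket host, one internal API host, one fake key.
SAMPLE_JS = """
const API_BASE = "https://staging-api.example.com/v1";
const CDN = "https://assets-prod-1234.s3.amazonaws.com/app.js";
const apiKey = "q7Zp2Lm9Xa4Rv8Kc1Nw6Yb3Hd5Tf0Gs";
function initializeApplicationConfiguration() { return fetch(API_BASE); }
"""

TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")          # candidate secrets (20+ chars)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")   # dotted hostnames
TLDS_OF_INTEREST = {"com", "net", "io", "cloud"}          # drops e.g. document.cookie, app.js

def shannon_entropy(s):
    """Bits per character: 0.0 for one repeated character, log2(n) when all n characters differ."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_high_entropy_strings(js_source, threshold=4.0):
    """Long tokens whose entropy reaches the threshold. English-like identifiers
    such as initializeApplicationConfiguration score about 3.6 bits and are skipped;
    random keys score near log2(alphabet size) and are reported with their score."""
    hits = []
    for m in TOKEN_RE.finditer(js_source):
        token = m.group(0)
        ent = shannon_entropy(token)
        if ent >= threshold:
            hits.append((token, round(ent, 2)))
    return hits

def find_hostnames(js_source, tlds=TLDS_OF_INTEREST):
    """Hostnames mentioned in the bundle, including cloud-service subdomains."""
    return {h for h in HOST_RE.findall(js_source) if h.rsplit(".", 1)[-1] in tlds}

if __name__ == "__main__":
    print(find_hostnames(SAMPLE_JS))
    print(find_high_entropy_strings(SAMPLE_JS))
```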

juicy domains by Google, crt.sh, Wayback Machine

  1. Subdomain scraping
     ex:- (subtract main domain)

subdomains scraped from Shodan

  1. Shosubgo

for subdomain bruting

  1. Amass, ShuffleDNS, commonspeak2

service scanning

  1. brutespray

for screenshots

  1. EyeWitness, Aquatone, httpscreenshot

subdomain takeover

  1. (can i take over xyz), SubOver & nuclei

  1. Interlace, Pwnkey, Lazyrecon, Spiderfoot (GUI)

for links, endpoints

  1. LinkFinder

for API and different payloads

  1. PayloadsAllTheThings

Automation Tools by different Hunters:-

1. wc -l   --- count lines (wc = word count)

2. grep -v ".tmi"   --- drop lines containing ".tmi"

3. amass enum -brute -d <domain> -src

4. echo $PATH   --- to show all the paths where apps are installed

    use export PATH=$PATH:/pathtofolder   --- to set the path (temporary); add it to .bashrc for permanent

    ln -s /opt/hackerEnv/hackerEnv /usr/local/bin/   --- another command, to create a link like a shortcut

5. ~/.config/amass/config.ini   --- to configure the APIs of Amass

6. shodan init <your-shodan-api-key>

8. To analyze the target

9. Online subdomain finder

10. Great tools for analysis and subdomain finding in seconds.

11. XSS cheat sheet

12. Bash for everyone

13. Bulk URL status checker

14. Free collection of tools

15. List of bug bounty writeups

Tools to Install:-

  • DNS Validator

  • Bug Bounty Dorks

  • waybackurls

Bug Bounty Platforms

  • Bugcrowd

  • HackerOne

  • HackenProof

  • BugBountyJP

  • Intigriti

  • Open Bug Bounty

  • Yogosha

Best Books

  • The Web Application Hacker's Handbook

  • Web Hacking 101

  • Mastering Modern Web Penetration Testing

  • Bug Bounty Playbook

  • Real-World Bug Hunting

  • OWASP Testing Guide

  • The Mobile Application Hacker's Handbook

Burp Extensions


Github Repositories For API findings on Targets