Google dork your target (no space after the colon, or Google treats site: as an ordinary search term)
site:google.com

Also open the site in a browser and click View Certificate
Go to Details
Look for data like subdomains (the Subject Alternative Name field lists every hostname the certificate covers)

The tool nmap can also be used to search for vulnerabilities, either with a whole NSE script category or with a single script file. Scripts in the dos category work by actually attempting a denial of service, so they can take the host down.

nmap -v --script vuln google.com
nmap -v --script dos tryhackme.com
nmap -v --script /root/hacking/http-enum.nse hackthebox.com

Run sublist3r on your target (-b adds brute forcing on top of the search-engine and certificate sources)

sublist3r -v -d google.com -b

Run subbrute on your target (-t reads the targets from a file, so an earlier run's output can be fed back in, as the gmail.out lines below do)

./subbrute.py google.com
./subbrute.py google.com gmail.com blogger.com
./subbrute.py -t list.txt
./subbrute.py gmail.com > gmail.out
./subbrute.py -t gmail.out
./subbrute.py dev-cbsandyou.cbs.com > results.txt

Enumerate subdomains

  • Zone transfers (an AXFR request to each authoritative nameserver; a correctly configured server refuses it, so a successful transfer is itself a finding)
  • Use Google, excluding the subdomains you already know about so that the unknown ones surface:
site:.technoherder.com -site:www.technoherder.com -site:multimedia.technoherder.com -site:lootbox.technoherder.com -site:hack.technoherder.com
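The View Certificate step above and the subdomain enumeration list both end with a pile of hostnames that has to be sorted into "known" and "forgotten". The script below is an added example, not part of the original notes: it pulls DNS names out of the certificate dict that Python's ssl module returns (the same Subject Alternative Name data the browser dialog shows), flattens rows in the JSON shape crt.sh (listed in the references) is assumed to return, keeps only names under the target domain, and diffs them against an asset inventory. The sample certificate, crt.sh rows and inventory are constructed; the crt.sh query URL format is an assumption.

```python
"""Turn names found in TLS certificates (View Certificate -> Details -> SAN) and
crt.sh rows into a list of in-scope subdomains missing from an asset inventory.
Added example; the crt.sh JSON shape and all sample data are assumptions."""
import json
import socket
import ssl
import urllib.request
from typing import Iterable


def names_from_peercert(cert: dict) -> set:
    """Extract DNS names from the dict that ssl.SSLSocket.getpeercert() returns.
    Reads the subjectAltName extension plus the subject commonName."""
    names = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def names_from_crtsh(rows: Iterable[dict]) -> set:
    """crt.sh's JSON output (assumed: one row per certificate, 'name_value'
    holding newline-separated SAN entries) flattened into a set of names."""
    names = set()
    for row in rows:
        for line in row.get("name_value", "").splitlines():
            line = line.strip().lower()
            if line:
                names.add(line)
    return names


def in_scope(names: Iterable[str], domain: str) -> set:
    """Keep names that are the target domain or sit under it. A wildcard entry
    (*.example.com) proves nothing about specific hosts, so it collapses to the
    bare parent. 'evil-example.com' does not match: the test is on the label
    boundary, not a substring."""
    domain = domain.lower()
    out = set()
    for name in names:
        if name.startswith("*."):
            name = name[2:]
        if name == domain or name.endswith("." + domain):
            out.add(name)
    return out


def unexpected_hosts(names: Iterable[str], domain: str, inventory: Iterable[str]) -> list:
    """In-scope names the asset inventory does not know about: forgotten staging
    boxes, old CMS hosts and the like, which is exactly what recon turns up."""
    known = {h.lower() for h in inventory}
    return sorted(in_scope(names, domain) - known)


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live equivalent of the browser's View Certificate dialog (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def fetch_crtsh(domain: str) -> list:
    """Live crt.sh query; the URL format is an assumption (needs network)."""
    url = "https://crt.sh/?q=%25." + domain + "&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


# Constructed sample data in the same shapes the two live helpers return.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("DNS", "staging.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}
SAMPLE_CRTSH = [
    {"name_value": "*.example.com\nold-cms.example.com"},
    {"name_value": "example.org"},
]
INVENTORY = ["www.example.com", "example.com"]

if __name__ == "__main__":
    found = names_from_peercert(SAMPLE_CERT) | names_from_crtsh(SAMPLE_CRTSH)
    for host in unexpected_hosts(found, "example.com", INVENTORY):
        print("not in inventory:", host)
```

Replace the sample data with fetch_peer_cert(host) and fetch_crtsh(domain) to run it against a real domain; the wildcard collapse and the label-boundary check are the two details that keep out-of-scope and look-alike names from polluting the result.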

Run traceroute

traceroute tryhackme.com

Run dig on your target

dig technoherder.com

Check DNS with dnsenum (-f brute-forces subdomains from a wordlist; -p and -s set how many Google result pages and subdomains to scrape; --threads sets concurrency)

dnsenum sans.org -f /usr/share/dirbuster/wordlists/directories.jbrofuzz
dnsenum -p 20 -s 100 --threads 5 cbs.com

Another fun tool is whatweb, which fingerprints the web stack (-v prints every plugin match)

whatweb dev-cbsandyou.cbs.com -v
whatweb mydronereviews.com -v

Trace the chain of DNS servers that answer for the name with dnstracer (-r sets the retry count)

dnstracer -r 3 -v mydronereviews.com

Run theHarvester against the target (-b selects the data source, bing here)

theharvester -d technoherder.com -b bing

Scan your target with nikto

nikto -h {IP_ADDRESS}
nikto -h {IP_ADDRESS}:{PORT_NBR}

Enumerate the directories with gobuster and dirsearch (gobuster: -e prints full URLs, -s whitelists status codes, -x appends extensions, -c sends a session cookie; dirsearch: -x 403 hides 403 responses)

gobuster dir -e -u technoherder.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -s "200,204,302,307,401,403"
gobuster dir -u http://{IP_ADDRESS}/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
gobuster dir -e -u https://test.com/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o /home/kali/Documents/PenetrationTesting/bounty/killAcademy2.txt -x .php -c 'PHPSESSID=f5c37cd8621c31e564d9b222e596e5dd' -S 9822
dirsearch -u "https://technoherder.com/" -e html -t 50 -w ./killAcadDir.dat -x 403
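The gobuster and dirsearch runs above leave a very recognisable trace in the web server's access log: one client address, hundreds of distinct paths, almost all answered 404 (or 403, which is why dirsearch has a -x 403 flag). The detector below is an added example, not code from the original notes or from either tool: it parses combined-format log lines and flags any client whose request volume and miss ratio cross a threshold. The log lines, addresses and the "gobuster/3.1.0" user agent string are constructed.

```python
"""Spot directory brute forcing (gobuster / dirsearch style) in Apache or nginx
combined-format access logs: one client, many distinct paths, nearly all of them
answered 403/404. Added example; every log line below is constructed."""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line: str):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def flag_bruteforcers(lines, min_requests=20, min_miss_ratio=0.8):
    """Return {ip: summary} for clients whose traffic looks like a wordlist scan.
    A 'miss' is a 403 or 404 response. This aggregates over the whole input;
    a production detector would apply the same test per time window."""
    per_ip = defaultdict(lambda: {"total": 0, "misses": 0, "paths": set(), "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        if rec["status"] in (403, 404):
            stats["misses"] += 1
        stats["paths"].add(rec["path"])
        stats["uas"].add(rec["ua"] or "-")
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["misses"] / stats["total"]
        if stats["total"] >= min_requests and ratio >= min_miss_ratio:
            flagged[ip] = {
                "requests": stats["total"],
                "miss_ratio": round(ratio, 2),
                "distinct_paths": len(stats["paths"]),
                "user_agents": sorted(stats["uas"]),
            }
    return flagged


# Constructed sample: 25 wordlist probes from one address (user agent string is
# made up for the example), then 3 ordinary requests from another address.
PROBED = ["admin", "backup", "old", "test", "dev", "api", "config", "login", "uploads",
          "tmp", "cgi-bin", "phpmyadmin", "wp-admin", "console", "db", "debug", "secret",
          "staging", "private", "export", "logs", "data", "status", "manage", "panel"]
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /{name} HTTP/1.1" 404 196 "-" "gobuster/3.1.0"'
    for i, name in enumerate(PROBED)
] + [
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 4870 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, summary in flag_bruteforcers(SAMPLE_LOG).items():
        print(ip, summary)
```

Feed it a real access log with open(path) instead of SAMPLE_LOG; the miss ratio rather than the raw 404 count is what separates a scan from a busy site that simply has some dead links, and the distinct-path count separates it from a client hammering one missing resource.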

References

https://crt.sh/ - certificate transparency log search (subdomains from issued certificates)
https://whois.domaintools.com/ - WHOIS lookup
VirusTotal
DNSdumpster.com - DNS recon and research, find and lookup DNS records. Find DNS records in order to identify the Internet footprint of an organization; recon that enables deeper security assessments and discovery of the attack surface.
Shodan
Google Hacking Database (GHDB), Offensive Security's Exploit Database Archive - an index of search queries (dorks) used to find publicly available information, intended for pentesters and security researchers.
The Exploit Database, Offensive Security's Exploit Database Archive - exploits, shellcode, 0days, remote exploits, local exploits, web apps, vulnerability reports, security articles, tutorials and more.
Netcraft - Internet research, cybercrime disruption and PCI security services