Google dork your target
site:google.com
Also open the site's TLS certificate in the browser (View Certificate, then the Details tab) and look for extra hostnames, such as subdomains, in the Subject Alternative Name field
The nmap scripting engine (NSE) can also be used to search for vulnerabilities
nmap -v --script vuln google.com
nmap -v --script dos tryhackme.com
nmap -v --script /root/hacking/http-enum.nse hackthebox.com
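To triage what the nmap commands above produce, here is an added example (my code, not part of these notes and not an nmap project tool) that parses the XML nmap writes with -oX, keeps only open ports with their NSE script output, and compares the open ports against an approved-exposure list so a defender can spot services that should not be reachable. The XML embedded below is a constructed sample in nmap's output format; the host 192.0.2.10 / example.com and the approved set {22, 443} are assumptions. One caveat on the second command above: scripts in the dos category are written to test whether a service can be knocked over, and they can do exactly that.

```python
"""Parse nmap XML output (-oX) and pull out open ports and NSE script results.

Added example for triaging the nmap scans above; it is not part of the original
notes. The XML below is a constructed sample in the shape nmap produces, not a
real scan result.
"""
import xml.etree.ElementTree as ET

# Constructed sample: what `nmap -v --script vuln -oX scan.xml example.com` might emit.
SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -v --script vuln -oX scan.xml example.com" start="0" version="7.94">
<host starttime="0" endtime="0">
<status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="example.com" type="user"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.52"/>
<script id="http-csrf" output="Couldn&apos;t find any CSRF vulnerabilities."/>
<script id="http-enum" output="&#10;  /robots.txt: Robots file&#10;  /icons/: Potentially interesting folder"/>
</port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
<service name="https"/></port>
</ports>
</host>
</nmaprun>
"""


def _scripts(parent):
    """Collect <script id= output=> children as dicts, whitespace trimmed."""
    return [{"id": s.get("id"), "output": s.get("output", "").strip()}
            for s in parent.findall("script")]


def parse_nmap_xml(xml_text):
    """Return one dict per host: address, hostnames, open ports (with scripts), host scripts."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address")
        entry = {
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "hostnames": [h.get("name") for h in host.findall("hostnames/hostname")],
            "open_ports": [],
            # host-level scripts live under <hostscript>; empty in the sample
            "host_scripts": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure; leave them out
            service = port.find("service")
            get = (lambda k: service.get(k)) if service is not None else (lambda k: None)
            entry["open_ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                "scripts": _scripts(port),
            })
        hostscript = host.find("hostscript")
        if hostscript is not None:
            entry["host_scripts"] = _scripts(hostscript)
        hosts.append(entry)
    return hosts


def open_port_numbers(host):
    """Sorted list of open TCP/UDP port numbers for one parsed host."""
    return sorted(p["port"] for p in host["open_ports"])


def script_ids(host, port):
    """NSE script ids that produced output for the given open port (empty if none)."""
    for p in host["open_ports"]:
        if p["port"] == port:
            return [s["id"] for s in p["scripts"]]
    return []


def unexpected_ports(host, approved):
    """Open ports that are not in the approved-exposure set (assumed inventory data)."""
    return sorted(set(open_port_numbers(host)) - set(approved))


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(h["addr"], h["hostnames"], "open:", open_port_numbers(h))
        for p in h["open_ports"]:
            print(f"  {p['port']}/{p['proto']} {p['service']} {p['product'] or ''} {p['version'] or ''}".rstrip())
            for s in p["scripts"]:
                print(f"    [{s['id']}] {s['output'].splitlines()[0] if s['output'] else ''}")
        print("  open but not approved {22, 443}:", unexpected_ports(h, {22, 443}))
```

Feed it the file from `-oX`; the approved set would normally come from your asset inventory, so that a port such as 80 above stands out as something to close or to account for rather than a finding buried in script output.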
Run sublist3r on your target
sublist3r -v -d google.com -b
Execute subbrute on your target
./subbrute.py google.com
./subbrute.py google.com gmail.com blogger.com
./subbrute.py -t list.txt
./subbrute.py gmail.com > gmail.out
./subbrute.py -t gmail.out
./subbrute.py dev-cbsandyou.cbs.com > results.txt
Enumerate subdomains
- Zone transfers
- Use Google
site:.technoherder.com -site:www.technoherder.com -site:multimedia.technoherder.com -site:lootbox.technoherder.com -site:hack.technoherder.com
Run traceroute
traceroute tryhackme.com
Execute a dig on your target
dig technoherder.com
Check DNS with dnsenum
dnsenum sans.org -f /usr/share/dirbuster/wordlists/directories.jbrofuzz
dnsenum -p 20 -s 100 --threads 5 cbs.com
Another fun tool is whatweb
whatweb dev-cbsandyou.cbs.com -v
whatweb mydronereviews.com -v
Trace the chain of DNS servers that answer for the domain with dnstracer
dnstracer -r 3 -v mydronereviews.com
Execute theharvester on them
theharvester -d technoherder.com -b bing
Scan your target with nikto
nikto -h {IP_ADDRESS}
nikto -h {IP_ADDRESS}:{PORT_NBR}
Enumerate the directories with gobuster and dirsearch
gobuster dir -e -u technoherder.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -s "200,204,302,307,401,403"
gobuster dir -u http://{IP_ADDRESS}/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
gobuster dir -e -u https://test.com/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o /home/kali/Documents/PenetrationTesting/bounty/killAcademy2.txt -x .php -c 'PHPSESSID=f5c37cd8621c31e564d9b222e596e5dd' -S 9822
dirsearch -u "https://technoherder.com/" -e html -t 50 -w ./killAcadDir.dat -x 403
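Seen from the server side, gobuster and dirsearch runs like the ones above leave a very characteristic trace: one client, many distinct paths, mostly 404/403 responses, all within seconds. The following added example (my code, not from these notes or from either tool) detects that pattern in combined-format web server access logs using a sliding time window. The log lines are constructed, and the client addresses 198.51.100.7 and 203.0.113.5, the User-Agent strings and the thresholds are assumptions.

```python
"""Detect directory brute-forcing (gobuster/dirsearch-style) in web server access logs.

Added defender-side example, not part of the original notes: given Apache/nginx
combined-format log lines, flag any client that requests many distinct paths in a
short window and gets mostly 404/403 back. All log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_dir_bruteforce(lines, window=timedelta(seconds=60),
                          min_requests=20, min_distinct=18, min_miss_ratio=0.8):
    """Return one alert per client IP whose traffic looks like a wordlist scan.

    An alert fires when `min_requests` requests from one IP fall inside `window`,
    at least `min_distinct` different paths were tried and at least `min_miss_ratio`
    of the responses were 403 or 404. The User-Agent is deliberately ignored: it is
    trivial to change, whereas the storm of misses is inherent to guessing paths.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # shrink the window from the left until it spans at most `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            if len(chunk) < min_requests:
                continue
            misses = sum(1 for r in chunk if r["status"] in (403, 404))
            distinct = {r["path"] for r in chunk}
            if len(distinct) >= min_distinct and misses / len(chunk) >= min_miss_ratio:
                alerts.append({"ip": ip, "requests": len(chunk), "misses": misses,
                               "first": chunk[0]["ts"], "last": chunk[-1]["ts"]})
                break  # one alert per IP is enough for triage
    return alerts


def format_line(ip, ts, path, status, ua):
    """Render a constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def build_sample_log():
    """Constructed sample: one client guessing directories, one client browsing normally."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    guesses = ["admin", "backup", "old", "test", "dev", "config", "uploads", "tmp",
               "api", "login", "private", "db", "data", "logs", "cgi-bin", "include",
               "images", "js", "css", "assets", "portal", "secure", "hidden", "archive", "staging"]
    lines = []
    for i, name in enumerate(guesses):
        # a few guesses hit real folders (200) or are forbidden (403); the rest 404
        status = 200 if name in ("images", "css") else 403 if name == "cgi-bin" else 404
        lines.append(format_line("198.51.100.7", base + timedelta(milliseconds=400 * i),
                                 f"/{name}/", status, "gobuster/3.6"))
    for i, path in enumerate(["/", "/css/site.css", "/js/app.js", "/about", "/contact", "/blog/first-post"]):
        lines.append(format_line("203.0.113.5", base + timedelta(seconds=5 * i), path, 200, "Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for a in detect_dir_bruteforce(build_sample_log()):
        print(f"{a['ip']}: {a['requests']} requests, {a['misses']} misses, "
              f"{a['first'].isoformat()} .. {a['last'].isoformat()}")
```

Tune the thresholds to the site: a busy API host will legitimately see many distinct paths per minute, so the miss ratio carries most of the signal there, while a brochure site can alert on a much smaller request count.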
References
https://whois.domaintools.com/
VirusTotal
DNSdumpster.com - DNS recon and research, find and look up DNS records. Find DNS records in order to identify the Internet footprint of an organization; recon that enables deeper security assessments and discovery of the attack surface.
Shodan
Offensive Security's Exploit Database Archive (GHDB) - The GHDB is an index of search queries (we call them dorks) used to find publicly available information, intended for pentesters and security researchers.
Offensive Security's Exploit Database Archive - The Exploit Database: exploits, shellcode, 0days, remote exploits, local exploits, web apps, vulnerability reports, security articles, tutorials and more.
Netcraft - Internet research, cybercrime disruption and PCI security services