Google dork your target (site:, inurl:, intitle: and filetype: operators; the GHDB listed at the end indexes ready-made queries)

Also open the site over HTTPS and click View Certificate
Go to Details
Look at the Subject Alternative Name (SAN) entries: they list every hostname the certificate covers, which often exposes subdomains and internal names
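The same SAN data can be pulled from the command line instead of the browser dialog. The script below is an added example, not part of these notes: it constructs a throwaway self-signed certificate (the hostnames example.com, othercorp.net and the IP are assumptions for illustration) and extracts the DNS names from its SAN extension, optionally keeping only names inside the target domain, since shared CDN certificates routinely carry other organizations' hostnames.

```shell
#!/bin/sh
# Added example (not part of the original notes): pull hostnames out of a TLS
# certificate's Subject Alternative Name (SAN) extension, the same data the
# browser's View Certificate > Details view shows. A throwaway self-signed
# certificate is constructed below so the script runs offline; every hostname
# in it is an assumption for illustration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample certificate with one wildcard, one IP entry and one
# name outside the target domain (shared certificates on CDNs look like this).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.com" \
        -addext "subjectAltName=DNS:www.example.com,DNS:dev.example.com,DNS:vpn.example.com,DNS:*.staging.example.com,DNS:cdn.othercorp.net,IP:198.51.100.7" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    printf '%s\n' "$WORK/cert.pem"
}

# san_dns_names CERT_PEM [DOMAIN]
# Prints the DNS entries of the SAN extension, one per line: the "*." wildcard
# prefix is dropped so the base name can be fed to dnsenum/sublist3r, IP entries
# are ignored, and when DOMAIN is given only names in that domain are kept.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
        | sed 's/^\*\.//' \
        | awk -v d="${2:-}" '
            d == "" || $0 == d || substr($0, length($0) - length(d)) == "." d
          ' \
        | sort -u
}

# Against a live host the certificate comes from the TLS handshake (needs
# network, so it is only shown here, not run):
#   openssl s_client -connect "$HOST:443" -servername "$HOST" </dev/null 2>/dev/null \
#       | openssl x509 -outform PEM > live.pem
#   san_dns_names live.pem "$DOMAIN"

cert="$(make_sample_cert)"
echo "All SAN hostnames:"
san_dns_names "$cert"
echo "Only example.com names:"
san_dns_names "$cert" example.com
```

Names that fall outside the engagement's domain are worth noting but must not be scanned without checking scope; the optional DOMAIN argument is there to make that separation explicit before the list is fed to the enumeration tools below.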

The tool nmap can also be used to search for vulnerabilities (the vuln and dos script categories are intrusive and dos scripts can crash the target, so only run them with explicit authorization; http-enum.nse also ships with nmap, so the path below is only needed for a local copy)

nmap -v --script vuln {IP_ADDRESS}
nmap -v --script dos {IP_ADDRESS}
nmap -v --script /root/hacking/http-enum.nse {IP_ADDRESS}

Run sublist3r on your target (-d domain, -b adds DNS brute forcing)

sublist3r -v -d {DOMAIN} -b

Execute subbrute on your target (a domain on the command line, or -t FILE to read a list of targets; feeding one run's output back in as the target list brute forces a level deeper)

./ -t list.txt
./ {DOMAIN} > gmail.out
./ -t gmail.out
./ {DOMAIN} > results.txt

Enumerate subdomains

  • Zone transfers (try AXFR against every authoritative nameserver; most refuse, but a misconfigured one hands over the whole zone)
  • Use Google (site:{DOMAIN} queries, excluding hosts already known with -www and the like)

Run traceroute against the target to map the network path


Execute a dig on your target (NS, MX and TXT records, then an AXFR attempt against each nameserver found)

Check DNS with dnsenum (-f wordlist for brute forcing, -p/-s control how many Google pages and results are scraped)

dnsenum -f /usr/share/dirbuster/wordlists/directories.jbrofuzz {DOMAIN}
dnsenum -p 20 -s 100 --threads 5 {DOMAIN}

Fingerprint the web stack (server, frameworks, CMS, plugins) with whatweb

whatweb -v http://{IP_ADDRESS}/

Trace which DNS servers answer for the domain, down to the authoritative ones, with dnstracer (-r retries per server)

dnstracer -r 3 -v {DOMAIN}

Execute theharvester on them to collect e-mail addresses, hostnames and names from public sources (-b picks the source)

theharvester -d {DOMAIN} -b bing

Scan your target's web server with nikto (noisy: every request is logged, so expect to be seen)

nikto -h {IP_ADDRESS}
nikto -h {IP_ADDRESS}:{PORT_NBR}

Enumerate the directories with gobuster and dirsearch (-e prints full URLs, -x adds extensions, -c sends a session cookie for authenticated content; when -s is given, gobuster 3.1 and later also needs -b "" to drop the default 404 blacklist)

gobuster dir -e -u http://{IP_ADDRESS}/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -s "200,204,302,307,401,403"
gobuster dir -u http://{IP_ADDRESS}/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
gobuster dir -e -u http://{IP_ADDRESS}/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o /home/kali/Documents/PenetrationTesting/bounty/killAcademy2.txt -x .php -c 'PHPSESSID=f5c37cd8621c31e564d9b222e596e5dd' -S 9822
dirsearch -u "http://{IP_ADDRESS}/" -e html -t 50 -w ./killAcadDir.dat -x 403


Useful sites

  • VirusTotal - DNS recon and research: find and look up DNS records to identify an organization's Internet footprint, the starting point for deeper assessment and attack-surface discovery
  • Google Hacking Database (GHDB), part of Offensive Security's Exploit Database Archive - an index of search queries ("dorks") used to find publicly available information, intended for pentesters and security researchers
  • The Exploit Database (Offensive Security's Exploit Database Archive) - exploits, shellcode, 0days, remote and local exploits, web app exploits, vulnerability reports, security articles and tutorials
  • Internet Research, Cybercrime Disruption and PCI Security Services