???? ????? ??????????? 1
Note: this document was not created by a professional content writer, so any mistakes and
errors are part of the great design.
Disclaimer
credit, it's mentioned on the first page. The information provided herein is for
educational purposes only and does not constitute legal or professional advice. While
we have made every effort to ensure the accuracy and reliability of the information,
any reliance you place on the information contained in this document is strictly at your
own risk. VIEH Group shall not be liable for any damages arising from the use of or
reliance on this document. We also highly appreciate the source person for this
document.
Happy reading!
Introduction
What is recon?
the target or the victim you want to hack, such as location, IP, open ports,
First of all, I am going to talk only about web applications and how to
hacking
Subdomain Enumeration:
securitytrails.com
You can use the SecurityTrails API for gathering all subdomains via the terminal,
but it is paid, not free, and recommended only for huge organizations.
recon
gathering subdomains
subdomainfinder.c99.nl
As you can see, it gives you an option to copy all live subdomains; also you
To use amass effectively you have to provide it with many API keys
(take your time to gather all possible APIs, even if it takes a week):
nano $HOME/.config/amass/config.ini
and start searching for APIs such as Shodan, Censys, Cloudflare, FOFA and
After providing all the APIs you could gather, start using the amass tool as
follows.
First put all domains in a file called domains.txt (or any other name).
There are many other options; you can see them with amass enum -h
5- virtual host
After running the above command you will see many outputs with
the same size, e.g. 1301; then filter out that size with -fs.
After that you can go to the subdomain from the vhost, but it does not work like
ffuf.me => 138.68.165.164, then any subdomain you put should indicate
the origin domain IP; save, go back to your browser and see that you can
Observe that the page worked and downloaded the secret file, and you can
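The "many outputs with the same size" step above is the catch-all response: a server that answers every unknown Host header with the same default page, so the real signal is whatever differs from that baseline. The following is an added example (not from the original document or from the ffuf project) that reads ffuf's JSON output, finds the dominant response length and drops it, which is the same decision a human makes before choosing the -fs value. The JSON is constructed here to look like ffuf's -of json output; the hostnames and lengths are made up for illustration.

```python
import json
from collections import Counter

# Constructed sample shaped like ffuf's JSON output (-o out.json -of json).
# Four of five candidates return the same 1301-byte catch-all page; one differs.
SAMPLE_FFUF_JSON = json.dumps({
    "results": [
        {"input": {"FUZZ": "www"},    "status": 200, "length": 1301, "host": "www.example.com"},
        {"input": {"FUZZ": "mail"},   "status": 200, "length": 1301, "host": "mail.example.com"},
        {"input": {"FUZZ": "dev"},    "status": 200, "length": 1301, "host": "dev.example.com"},
        {"input": {"FUZZ": "secret"}, "status": 200, "length": 4720, "host": "secret.example.com"},
        {"input": {"FUZZ": "admin"},  "status": 302, "length": 1301, "host": "admin.example.com"},
    ]
})


def baseline_length(results):
    """Return the most common response length across all results.

    That length is the catch-all answer the server gives to any unknown
    Host header; it is the number you would pass to ffuf's -fs flag.
    """
    counts = Counter(r["length"] for r in results)
    length, _ = counts.most_common(1)[0]
    return length


def filter_catchall(ffuf_json):
    """Drop every result whose length equals the catch-all baseline.

    Returns (baseline_length, surviving_hosts). Like -fs, this filters on
    size alone, so a different status code with the same size (the 302
    above) is still removed; check status codes separately if that matters.
    """
    results = json.loads(ffuf_json)["results"]
    baseline = baseline_length(results)
    survivors = [r["host"] for r in results if r["length"] != baseline]
    return baseline, survivors


if __name__ == "__main__":
    baseline, hosts = filter_catchall(SAMPLE_FFUF_JSON)
    print(f"catch-all size: {baseline} (use -fs {baseline})")
    print("hosts that differ from the catch-all:", hosts)
```

The helper deliberately recomputes the baseline from the data rather than hard-coding 1301: on a real target the catch-all size changes whenever the default page changes, so re-deriving it each run avoids filtering the wrong value.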
I think you have collected all possible subdomains and put them in a file
duplicates
After that you can run httpx to get only the live subdomains.
Part 2:
dirb https://example.com
dirsearch -u https://example.com
Part 3:
1- arjun
arjun -u https://www.example.com/file.php
2- paramspider
paramspider -l domains.txt -s
3- gospider
4- Burp Suite Param Miner
Go to the request and right click >> Extensions >> Param Miner >> Guess
Part 4:
1- waybackurls
2- Gau
3- Katana
4- hakrawler