Closed maverickNerd closed 4 years ago
Short Summary of changes:
Methodology: gatherResolvers, gatherSubdomains, checkTakeovers, getCNAME, gatherIPs, gatherScreenshots, startMeg, fetchArchive, fetchEndpoints, runNuclei, checkShodan, portScan, notifySlack

Subdomain Enumeration:
Sublert
Subfinder
assetfinder
amass passive and active enum
findomain (Add a findomain sources token to get better results)
github-subdomains
dns.bufferover.run
Mutate the above subdomains using the commonspeak subdomain list
Combine and sort the above results -> Use shuffledns to resolve -> dnsgen (to mutate) -> httprobe (to get alive hosts)
Check takeover using subjack and nuclei
Get CNAME to check manually for takeovers
Use dnsprobe to gather IPs; ignore them if they fall in the Cloudflare IP range
Do a masscan and then an nmap scan on them; also use the http-title and vulners scripts.
Take Screenshot for visual recon
Use gau to get archive URLs, and put the paramlist, jsurls, phpurls, aspxurls, and jspurls in their own files.
Get Endpoints using Linkfinder
Run Nuclei Scripts on alive hosts
Check IPs for vulnerability on Shodan
Notify on Slack channel if token is specified.
Directory Bruteforcing (Not enabled, as it takes a long time; it is better to do manually)
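The steps above chain several tools whose output is then post-processed: merging and sorting the enumerated hosts, dropping IPs that fall inside a CDN range before port scanning, and splitting gau's archive URLs into a parameter list and per-extension files. The following Python is an added example of that post-processing, not code from this PR or from the project; it uses constructed sample data, and the CIDR blocks are placeholder ranges standing in for the Cloudflare list the tool would load, not Cloudflare's published ranges.

```python
import ipaddress
from urllib.parse import urlparse, parse_qs

# Placeholder ranges (RFC 5737 documentation space), NOT Cloudflare's real list.
EXCLUDED_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed sample output, as the tool chain would hand it over.
SAMPLE_HOSTS = ["App.Example.com", "api.example.com", "app.example.com", "", "legacy.example.com"]
SAMPLE_IPS = ["203.0.113.10", "192.0.2.5", "198.51.100.200", "198.51.100.5", "not-an-ip", "192.0.2.5"]
SAMPLE_URLS = [
    "https://app.example.com/static/app.min.js",
    "https://app.example.com/login.php?user=admin&next=/home",
    "https://shop.example.com/cart.aspx?id=42",
    "https://legacy.example.com/report.jsp",
    "https://app.example.com/api/v1/users?page=2&user=x",
    "",
]

# Output file name per extension, mirroring the names used in the PR description.
EXT_BUCKETS = {"js": "jsurls", "php": "phpurls", "aspx": "aspxurls", "jsp": "jspurls"}


def merge_hosts(*lists):
    """'Combine and sort': lowercase, strip, drop blanks, dedupe, sort."""
    merged = {h.strip().lower() for lst in lists for h in lst if h.strip()}
    return sorted(merged)


def filter_ips(ips, excluded=EXCLUDED_RANGES):
    """Keep only IPs that are outside every excluded network (e.g. a CDN's ranges),
    so the later port scan is not wasted on a reverse proxy's edge addresses."""
    nets = [ipaddress.ip_network(c) for c in excluded]
    kept = set()
    for raw in ips:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # malformed line in tool output; skip rather than abort
        if not any(ip in net for net in nets):
            kept.add(ip)
    return [str(ip) for ip in sorted(kept)]


def classify_urls(urls):
    """Split archive URLs into per-extension buckets and collect query parameter names."""
    buckets = {name: set() for name in EXT_BUCKETS.values()}
    buckets["paramlist"] = set()
    for url in urls:
        url = url.strip()
        if not url:
            continue
        parsed = urlparse(url)
        last_segment = parsed.path.rsplit("/", 1)[-1].lower()
        # Only the final path segment decides the extension ("/v1.2/index" has none).
        ext = last_segment.rsplit(".", 1)[1] if "." in last_segment else ""
        if ext in EXT_BUCKETS:
            buckets[EXT_BUCKETS[ext]].add(url)
        # keep_blank_values so "?debug=" still yields the parameter name "debug"
        for name in parse_qs(parsed.query, keep_blank_values=True):
            buckets["paramlist"].add(name)
    return {name: sorted(values) for name, values in buckets.items()}


if __name__ == "__main__":
    print("hosts:", merge_hosts(SAMPLE_HOSTS))
    print("scan targets:", filter_ips(SAMPLE_IPS))
    for name, values in classify_urls(SAMPLE_URLS).items():
        print(f"{name}: {values}")
```

Each function takes the raw lines a tool emitted and returns the sorted, deduplicated form the next step consumes, which keeps the pipeline idempotent when a stage is re-run.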
pulled in the other one, closing this.