## 📜 Table of Contents
| Section | Description |
|---|---|
| 1. Reconnaissance | Subdomain Enumeration & Initial Scanning |
| 2. Discovery | HTTP Probing & Asset Discovery |
| 3. Enumeration | Advanced Techniques & Parameter Discovery |
| 4. Testing | Vulnerability Assessment |
| 5. Two-Eye Approach | What is that? |
| 6. POC Creation | Documentation & Evidence |
| 7. Reporting | Final Documentation |
## 1. Reconnaissance

🛠️Tools: Subfinder, Amass, CRTSH, Github-Search

**Subfinder**
```bash
subfinder -d target.com -silent -all -recursive -o subfinder_subs.txt
```

**Amass (Passive Mode)**
```bash
amass enum -passive -d target.com -o amass_passive_subs.txt
```

**CRT.sh Query**
```bash
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | anew crtsh_subs.txt
```

**Github Dorking**
```bash
github-subdomains -d target.com -t YOUR_GITHUB_TOKEN -o github_subs.txt
```

**Results Combination**
```bash
cat *_subs.txt | sort -u | anew all_subs.txt
```
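The CRT.sh step above strips wildcard prefixes with `sed` but keeps every name the query returns, including lookalike domains that merely end in the same string, so out-of-scope hosts can leak into `all_subs.txt`. The helper below is an added Python example (not the page author's code and not part of crt.sh) that normalises a crt.sh JSON response into an in-scope, de-duplicated host list; the JSON sample is constructed, not a real crt.sh capture.

```python
import json
import re

# Constructed sample shaped like crt.sh ?output=json (not a real capture):
# name_value may hold several names separated by newlines, may carry a "*."
# wildcard prefix, and may include lookalike names that are not subdomains.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.target.com\n*.target.com", "issuer_name": "C=US, O=Example CA"},
    {"name_value": "API.Target.com", "issuer_name": "C=US, O=Example CA"},
    {"name_value": "*.dev.target.com\nmail.target.com"},
    {"name_value": "target.com.evil.example"},   # ends in the string but is out of scope
    {"name_value": "nottarget.com"},             # shares a suffix, not a subdomain
    {"name_value": "www.target.com"},            # duplicate entry
])

# Loose hostname syntax check: labels of 1-63 chars, alphanumerics and hyphens.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def in_scope(host: str, root: str) -> bool:
    """True when host is the root domain itself or a proper subdomain of it."""
    return host == root or host.endswith("." + root)


def parse_crtsh(raw_json: str, root: str) -> list:
    """Turn a crt.sh JSON response into a sorted, de-duplicated, in-scope host list."""
    root = root.lower().strip(".")
    hosts = set()
    for entry in json.loads(raw_json):
        # One certificate entry can list several SANs, newline separated.
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]          # keep the base the wildcard covers
            if not name or not HOSTNAME_RE.match(name):
                continue                 # skip empty or malformed names
            if in_scope(name, root):
                hosts.add(name)
    return sorted(hosts)


if __name__ == "__main__":
    for host in parse_crtsh(SAMPLE_CRTSH_JSON, "target.com"):
        print(host)
```

Feed the real `curl` output to `parse_crtsh` in place of the sample; the `in_scope` check is the part the `sed` pipeline lacks.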
🛠️Tools: MassDNS, Shuffledns, DNSX, SubBrute, FFuF

**MassDNS**
```bash
massdns -r resolvers.txt -t A -o S -w massdns_results.txt wordlist.txt
```

**Shuffledns**
```bash
shuffledns -d target.com -list all_subs.txt -r resolvers.txt -o active_subs.txt
```

**DNSX Resolution**
```bash
dnsx -l active_subs.txt -resp -o resolved_subs.txt
```

**SubBrute**
```bash
python3 subbrute.py target.com -w wordlist.txt -o brute_force_subs.txt
```

**FFuF Subdomain**
```bash
ffuf -u https://FUZZ.target.com -w wordlist.txt -t 50 -mc 200,403 -o ffuf_subs.txt
```

🛠️Tools: GAU, Waybackurls, Katana, Hakrawler

**GAU**
```bash
gau target.example.com | anew gau_results.txt
```

**Waybackurls**
```bash
waybackurls target.example.com | anew wayback_results.txt
```

**Katana**
```bash
katana -u target.example.com -silent -jc -o katana_results.txt
```

**Hakrawler**
```bash
echo "https://target.example.com" | hakrawler -depth 2 -plain -js -out hakrawler_results.txt
```

🛠️Tools: CloudEnum, AWSBucketDump, S3Scanner

**Reverse DNS**
```bash
dnsx -ptr -l resolved_subs.txt -resp-only -o reverse_dns.txt
```

**ASN Enumeration**
```bash
amass intel -asn <ASN_NUMBER> -o asn_results.txt
```

**Cloud Asset Enumeration**
```bash
cloud_enum -k target.com
```

**Results Validation**
```bash
cat all_subs.txt | httpx -silent -title -o live_subdomains.txt
```

## 2. Discovery

**HTTPX Probing**
```bash
httpx -l resolved_subs.txt -p 80,443,8080,8443 -silent -title -sc -ip -o live_websites.txt
```

**Custom Filtering**
```bash
cat live_websites.txt | grep -i "login\|admin" | tee login_endpoints.txt
```

🛠️Tools: LinkFinder, subjs, JSFinder, GF

**JS Extraction**
```bash
cat live_websites.txt | waybackurls | grep "\.js" | anew js_files.txt
```

**LinkFinder Analysis**
```bash
python3 linkfinder.py -i js_files.txt -o js_endpoints.txt
```

**Sensitive Pattern Search**
```bash
cat js_files.txt | gf aws-keys | tee aws_keys.txt
cat js_files.txt | gf urls | tee sensitive_urls.txt
```

**API Key Validation**
```bash
curl -X GET "https://api.example.com/resource" -H "Authorization: Bearer <extracted_key>"
```

🛠️Tools: GitDorker

**Automated Dorking**
```bash
python3 GitDorker.py -tf <github_token.txt> -q target.com -d dorks.txt -o git_dorks_output.txt
```

**Admin/Login Files**
```
site:*.example.com inurl:"*admin | login" | inurl:.php | .asp
```

**Config Files**
```
site:*.example.com ext:env | ext:yaml | ext:ini
```

**Public Keys**
```
site:*.example.com inurl:"id_rsa.pub" | inurl:".pem"
```

## 3. Enumeration

🛠️Tools: Katana, Gospider, Hakrawler

**Katana Crawling**
```bash
katana -list live_websites.txt -jc -o katana_urls.txt
```

**Gospider**
```bash
gospider -s "https://target.com" -d 2 -o gospider_output/
```

**Hakrawler**
```bash
echo "https://target.com" | hakrawler -depth 3 -plain -out hakrawler_results.txt
```

🛠️Tools: GAU, Waybackurls, ParamSpider

**Archive URL Collection**
```bash
gau --subs target.com | anew archived_urls.txt
waybackurls target.com | anew wayback_urls.txt
```

**Parameter Extraction**
```bash
cat archived_urls.txt | grep "=" | anew parameters.txt
```

🛠️Tools: Arjun, ParamSpider, FFuF

**Arjun Parameter Discovery**
```bash
arjun -u "https://target.example.com" -m GET,POST --stable -o params.json
```

**ParamSpider Web Parameters**
```bash
python3 paramspider.py --domain target.com --exclude woff,css,js --output paramspider_output.txt
```

**FFuF Parameter Bruteforce**
```bash
ffuf -u https://target.com/page.php?FUZZ=test -w /usr/share/wordlists/params.txt -o parameter_results.txt
```

🛠️Tools: CloudEnum, AWSBucketDump, S3Scanner

**Cloud Bucket Enumeration**
```bash
cloud_enum -k target.com -b buckets.txt -o cloud_enum_results.txt
```

**S3 Bucket Access Test**
```bash
aws s3 ls s3://<bucket_name> --no-sign-request
```

**S3 Bucket Content Dump**
```bash
python3 AWSBucketDump.py -b target-bucket -o dumped_data/
```

🛠️Tools: Feroxbuster, FFuF, Dirsearch

**Feroxbuster**
```bash
feroxbuster -u https://target.com -w /usr/share/wordlists/common.txt -r -t 20 -o recursive_results.txt
```

**Dirsearch**
```bash
dirsearch -u https://target.com -w /usr/share/wordlists/content_discovery.txt -e php,html,js,json -x 404 -o dirsearch_results.txt
```

**FFuF Recursive**
```bash
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/content_discovery.txt -mc 200,403 -recursion -recursion-depth 3 -o ffuf_results.txt
```

🛠️Tools: Kiterunner, Postman, Burp Suite

**Kiterunner**
```bash
kr scan https://api.target.com -w /usr/share/kiterunner/routes-large.kite -o api_routes.txt
```

🛠️Tools: Amass, Shodan, Censys

**ASN Lookup**
```bash
amass intel -asn <ASN_Number> -o asn_ips.txt
```

**Shodan Enumeration**
```bash
shodan search "net:<ip_range>" --fields ip_str,port --limit 100
```

**Censys Asset Search**
```bash
censys search "autonomous_system.asn:<ASN_Number>" -o censys_assets.txt
```

## 4. Testing

**🐞CSRF Testing**
```bash
cat live_websites.txt | gf csrf | tee csrf_endpoints.txt
```

**🐞LFI Testing**
```bash
cat live_websites.txt | gf lfi | qsreplace "/etc/passwd" | xargs -I@ curl -s @ | grep "root:x:" > lfi_results.txt
```

**🐞RCE Testing**
```bash
curl -X POST -F "file=@exploit.php" https://target.com/upload
```

**🐞SQLi Testing**
```bash
ghauri -u "https://target.com?id=1" --dbs --batch
```

**🐞Sensitive Data Search**
```bash
cat js_files.txt | grep -Ei "key|token|auth|password" > sensitive_data.txt
```

**🐞Open Redirect Test**
```bash
cat urls.txt | grep "=http" | qsreplace "https://evil.com" | xargs -I@ curl -I -s @ | grep "evil.com"
```

## 5. Two-Eye Approach

- First Eye: Focus on testing every gathered subdomain, endpoint, or parameter for common vulnerabilities.
- Second Eye: Identify "interesting" findings like exposed credentials, forgotten subdomains, or admin panels.
- If a vulnerability is identified, create a proof of concept (POC) and test its impact.
- If no vulnerabilities are found, pivot to deeper testing on unique subdomains or endpoints.
## 6. POC Creation

Demonstrate vulnerabilities in action using screen recording tools like Greenshot or OBS Studio.
Capture clear screenshots with annotations to explain each step.

- 🛠️Tool: Greenshot.
## 7. Reporting

Report structure:

- Executive Summary
  - Target Scope
  - Testing Timeline
  - Key Findings Summary
  - Risk Ratings
- Technical Details
  - Vulnerability Title
  - Severity Rating
  - Affected Components
  - Technical Description
  - Steps to Reproduce
  - Impact Analysis
  - Supporting Evidence (POC)
- Remediation
  - Detailed Recommendations
  - Mitigation Steps
  - Additional Security Controls
  - References & Resources
- Supporting Materials
  - Video Demonstrations
  - Screenshots & Annotations
  - HTTP Request/Response Logs
  - Code Snippets
  - Timeline of Discovery

Reporting guidelines:

- Write clear, concise descriptions
- Include detailed reproduction steps
- Provide actionable remediation advice
- Support findings with evidence
- Use professional formatting
- Highlight business impact
- Include verification steps
Report template:

```markdown
# Vulnerability Report: [Title]

## Overview
- Severity: [Critical/High/Medium/Low]
- CVSS Score: [Score]
- Affected Component: [Component]

## Description
[Detailed technical description]

## Steps to Reproduce
1. [Step 1]
2. [Step 2]
3. [Step n...]

## Impact
[Business and technical impact]

## Proof of Concept
[Screenshots, videos, code]

## Recommendations
[Detailed fix recommendations]

## References
[CVE, CWE, related resources]
```

All Rights Reserved © 2025 Amr Elsagaei (AmrSec).