⏩Directories & Subdomains

(curl -s "https://rapiddns.io/subdomain/$TARGET?full=1#result" 2>/dev/null | grep "<td><a" 2>/dev/null | cut -d '"' -f 2  2>/dev/null | grep http 2>/dev/null | cut -d '/' -f3 2>/dev/null | sed 's/#results//g' 2>/dev/null | sort -u 2>/dev/null) > output.txt


(curl -s https://dns.bufferover.run/dns?q=.$TARGET 2>/dev/null |jq -r .FDNS_A[] 2>/dev/null |cut -d',' -f2 2>/dev/null|sort -u 2>/dev/null ) >> output.txt

(curl -s "https://riddler.io/search/exportcsv?q=pld:${TARGET}" 2>/dev/null| grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" 2>/dev/null| sort -u 2>/dev/null ) >> output.txt

(curl -s "https://www.virustotal.com/ui/domains/${TARGET}/subdomains?limit=40" 2>/dev/null | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt

(curl -s "https://certspotter.com/api/v1/issuances?domain=${TARGET}&include_subdomains=true&expand=dns_names"  2>/dev/null | jq .[].dns_names 2>/dev/null | tr -d '[]"\n ' 2>/dev/null | tr ',' '\n'2>/dev/null  ) >> output.txt

(curl -s "https://jldc.me/anubis/subdomains/${TARGET}"  2>/dev/null | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+"  2>/dev/null | sort -u  2>/dev/null   ) >> output.txt

(curl -s "https://securitytrails.com/list/apex_domain/${TARGET}"  2>/dev/null | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+"   2>/dev/null| grep "${TARGET}" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt

(curl --silent https://sonar.omnisint.io/subdomains/$TARGET 2>/dev/null | grep -oE "[a-zA-Z0-9._-]+\.$TARGET" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt

(curl --silent -X POST https://synapsint.com/report.php -d "name=https%3A%2F%2F$TARGET" 2>/dev/null| grep -oE "[a-zA-Z0-9._-]+\.$TARGET" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt

(curl -s "https://crt.sh/?q=%25.$TARGET&output=json" 2>/dev/null| jq -r '.[].name_value' 2>/dev/null| sed 's/\*\.//g' 2>/dev/null| sort -u 2>/dev/null ) >> output.txt

sublist3r -d [domain] -t [threads] -o [output] -v -b [brute force mode>]

python3 opendoor.py --host 10.10.10.6 --scan=directories -t 50

python ./cansina.py -u 10.10.10.6 -p ./directories.dat --persist -t 50 --show-type --full-path -b 403,404

dirb http://example.com -r

python3 dirsearch.py -u http://192.168.56.122 -e php,exe.elf.cgi,asp,txt,pdf,png,jpg -r  -t 5  -w db/dicc.txt -x 403,404

patator http_fuzz url=[url] method=POST body

gobuster dir -w /usr/share/wordlists/dirb/directory-list-2.3-medium.txt -u 10.10.10

-x → extention
dir → directory brutforce
dns → subdomain bruteforce
-c → cookie string
-e → print full url
-U → username for auth
-p → password for basic auth
-P → proxy [http(s)://host:port]
-s → set positive status codes will be overwritten with statuscodesblacklist if set) (default "200,204,301,302,307,401,403")
-u → url
-o → output to a file
-k → skip ssl
-a → set user agent

gobuster -u http:/// -w /usr/share/seclists/Discovery/ Web_Content/common.txt -s '200,204,301,302,307,403,500' -e

gobuster dns -w /usr/share/seclists/Discovery/ DNS/subdomains-top1million-110000.txt -d target.com

gobuster vhost -u example.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt 

wfuzz -u http://sneakycorp.htb -w /usr/share/wordlists/dirbuster/directory-list -2.3-small.txt -H 'Host: FUZZ.sneakycorp.htb' --hw 1

wfuzz -u http://10.10.15.205/firstdirc/seconddir/FUZZ.extension -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -c --hc 404