Bounty 2
whois [target.com](<http://target.com/>)
nslookup [target.com](<http://target.com/>)
dig [target.com](<http://target.com/>)
host -t ns [target.com](<http://target.com/>)
host -t mx [target.com](<http://target.com/>)
sublist3r -d [target.com](<http://target.com/>)
amass enum -d [target.com](<http://target.com/>)
assetfinder --subs-only [target.com](<http://target.com/>)
findomain -t [target.com](<http://target.com/>)
massdns -r resolvers.txt -t A -o S -w results.txt subdomains.txt
httprobe < subdomains.txt > live_subdomains.txt
httpx -l subdomains.txt -o live_hosts.txt
nmap -iL live_hosts.txt -oA nmap_scan
whatweb -i live_hosts.txt
aquatone-discover -d [target.com](<http://target.com/>)
waybackurls [target.com](<http://target.com/>) | tee waybackurls.txt or echo "single.domain.com" | waybackurls > saved_urls.txt
gau [target.com](<http://target.com/>) | tee gau_urls.txt
hakrawler -url [target.com](<http://target.com/>) -depth 2 -plain | tee hakrawler_output.txt
github-search [target.com](<http://target.com/>)
gitrob -repo [target.com](<http://target.com/>)
fierce --domain [target.com](<http://target.com/>)
dirsearch [target.com](<http://target.com>) -e*
ffuf -w wordlist.txt -u <https://target.com/FUZZ>
gowitness file -f live_hosts.txt -P screenshots/
nuclei -u <live-domain> -t ./path/to/templates -o nuclei_results.json -json ( for specific urls with template)
nuclei -l live_hosts.txt -t templates/
metabigor net --org [target.com](<http://target.com/>)
metagoofil -d [target.com](<http://target.com>) -t doc,pdf,xls,docx,xlsx,ppt,pptx -l 100
theHarvester -d target.com -l 500 -b all
dnsenum [target.com](<http://target.com/>)
dnsrecon -d [target.com](<http://target.com/>)
shodan search hostname:[target.com](<http://target.com/>)
censys search [target.com](<http://target.com/>)
<https://www.shop.monash.edu/static>
spiderfoot -s [target.com](<http://target.com>) -o spiderfoot_report.html
sniper -t [target.com](<http://target.com/>)
subfinder -d [target.com](<http://target.com>) -o subfinder_results.txt
wafw00f [target.com](<http://target.com/>)
arjun -u [<https://target.com>](<https://target.com/>) -oT arjun_output.txt
subjack -w subdomains.txt -t 20 -o subjack_results.txt
meg -d 1000 -v /path/to/live_subdomains.txt
waymore -u [target.com](<http://target.com/>) -o waymore_results.txt
unfurl -u [target.com](<http://target.com>) -o unfurl_results.txt
dalfox file live_hosts.txt
gospider -S live_hosts.txt -o gospider_output/
recon-ng -w workspace -i [target.com](<http://target.com/>)
xray webscan --basic-crawler [<http://target.com>](<http://target.com/>)
vhost -u [target.com](<http://target.com>) -o vhost_results.txt
gf xss | tee xss_payloads.txt
gf sqli | tee sqli_payloads.txt
gf lfi | tee lfi_payloads.txt
gf ssrf | tee ssrf_payloads.txt
gf idor | tee idor_payloads.txt
gf ssti | tee ssti_payloads.txt
git-secrets --scan
shuffledns -d [target.com](<http://target.com/>) -list resolvers.txt -o shuffledns_results.txt
dnsgen -f subdomains.txt | massdns -r resolvers.txt -t A -o S -w dnsgen_results.txt
mapcidr -silent -cidr [target.com](<http://target.com>) -o mapcidr_results.txt
tko-subs -domains=target.com -data=providers-data.csv
kiterunner wordlist.txt - [<https://target.com>](<https://target.com/>)
github-dorker [target.com](<http://target.com/>) gfredirect [target.com](<http://target.com/>)
paramspider --domain [target.com](<http://target.com>) --output paramspider_output.txt
dirb <https://target.com/> -o dirb_output.txt
wpscan --url [target.com](<http://target.com/>)
cloud_enum -k [target.com](<http://target.com/>) -l cloud_enum_output.txt
gobuster dns -d [target.com](<http://target.com>) -t 50 -w wordlist.txt
subzer0 -d [target.com](<http://target.com/>).
dnswalk [target.com](<http://target.com/>)
masscan -iL live_hosts.txt -p0-65535 -oX masscan_results.xml
xsstrike -u [<https://target.com>](<https://target.com/>)
byp4xx <https://target.com/FUZZ>
dnsx -l subdomains.txt -resp-only -o dnsx_results.txt
waybackpack [target.com](<http://target.com/>) -d output/
puredns resolve subdomains.txt -r resolvers.txt -w puredns_results.txt
ctfr -d [target.com](<http://target.com>) -o ctfr_results.txt
dnsvalidator -t 100 -f resolvers.txt -o validated_resolvers.txt
httpx -silent -l live_subdomains.txt -mc 200 -title -tech-detect -o httpx_results.txt
cloud_enum -k [target.com](<http://target.com/>) -l cloud_enum_results.txt