JH Methodology

• Scope is negotiable
• Never get attached to the bug

Start

• Find ASNs of organization from https://bgp.he.net
• WHOIS Lookup
  • https://www.arin.net
  • https://apps.db.ripe.net/db-web-ui/query
• Acquisitions
  • Crunchbase: https://www.crunchbase.com
  • OCCRP Aleph: https://aleph.occrp.org
• Cloud Recon
  • Will be using SSL certificate enumeration to find subdomains of our targets
  • They can also yield apex domains & internal domain names.
• Reverse WHOIS
  • Whoxy.com
• ReconGPT: https://chat.openai.com/g/g-7ywL4ClCz-recongpt
• SubReconGPT: https://github.com/jhaddix/SubreconGPT
• Dehashed: https://www.dehashed.com
• Subdomain Scraping:
  • Sublistr
  • Amass
  • BBOT
• Configuring APIs for the tools increases the their efficacy by up to 50%
  • amass enum -list
• GitHub Enumeration
  • GitHub Subdomains: https://github.com/gwen001/github-subdomains
  • https://10degres.net/posts/
• Subdomain Bruteforce
  • Puredns
  • Altdns
• Favicon Analysis
  • FavFreak
• Recon Framework
  • SNIPER
  • Findomain
  • reNgine
  • reconFTW
• Nuclei
  • AllForOne: https://github.com/AggressiveUser/AllForOne
  • CENT: https://github.com/xm1k3/cent
• echo bugcrowd.com | gau | wordlistgen | sort -u
• CEWL: https://github.com/digininja/CeWL
• admin/dashboard 401 -> admin/dashboard/members 200
• APKLeaks: https://github.com/dwisiswant0/apkleaks

- Broken Link Hijacking in PDF Files