Article: TBHMv4 Recon - Checklist


1. Finding Seeds/Roots

# Description Done
1.1 Check Scope Domains
1.2 Check acquisitions on Crunchbase
1.3 Enumerate ASNs on bgp.he.net or via Metabigor, ASNLookup or Amass
1.4 Perform Reverse WHOIS with whoxy.com or DOMLink
1.5 Check relationships based on Ad/Analytics IDs via builtwith.com
1.6 Perform Google-dorking using text of Copyright, ToS or Privacy Policy
1.7 Check Shodan

2. Finding Subdomains

# Description Done
2.1 Perform Linked Discovery with Burp Suite Pro, gospider or hakrawler
2.2 Fetch subdomains by analyzing JavaScript using Subdomainizer or subscraper
2.3 Scrape subdomains using Amass or Subfinder, GitHub (using github-search) and Shosubgo
2.4 Bruteforce subdomains using Amass, MassDNS, aiodnsbrute or shuffleDNS
2.5 Perform Alteration Scanning using altdns

3. Other

# Description Done
3.1 Analyse ports using masscan or dnmasscan
3.2 Check services using brutespray
3.3 Utilize Github Dorking
3.4 Perform HTTP screenshots using aquatone, HTTPScreenshot or EyeWitness
3.5 Check for subdomain takeovers using can-i-take-over-xyz, SubOver and nuclei
3.6 Test for arbitrary redirection
3.7 Test for path traversal
3.8 Test for insecure direct object reference