Name | Description | URL |
---|---|---|
Aquatone | A Tool for Domain Flyovers | https://github.com/michenriksen/aquatone |
Can I takeover XYZ | "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records. | https://github.com/EdOverflow/can-i-take-over-xyz |
EyeWitness | EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. | https://github.com/RedSiege/EyeWitness |
gowitness | gowitness - a golang, web screenshot utility using Chrome Headless | https://github.com/sensepost/gowitness |
nikto | Nikto web server scanner | https://github.com/sullo/nikto |
Nuclei | Fast and customizable vulnerability scanner based on simple YAML based DSL. | https://github.com/projectdiscovery/nuclei |
Shodan | Shodan is the world's first search engine for Internet-connected devices. | https://shodan.io |
Sparta | Network Infrastructure Penetration Testing Tool (superseded by its fork Legion, which is what the `sudo legion` command below invokes) | https://github.com/SECFORCE/sparta |
$ cat <FILE>.txt | aquatone
$ sudo legion
$ nikto -h <RHOST>
$ nikto -host 127.0.0.1 -useproxy http://<RHOST>:3128
$ nuclei -target https://<DOMAIN> -t nuclei-templates
$ nuclei -target https://<DOMAIN> -t nuclei-templates -rate-limit 5
$ nuclei -target https://<RHOST> -t nuclei-templates -header "User-Agent: Pentest" -header 'X-Red-Team: Assessment'
$ nuclei -l /PATH/TO/FILE/<FILE> -t /PATH/TO/TEMPLATES/ -debug-req -rl 10
$ nuclei -tags cisa -list /PATH/TO/FILE/<FILE>
$ ./nuclei -u https://<DOMAIN> -t /PATH/TO/TEMPLATES/exposures/configs/git-config.yaml
$ ./gitdumper.sh https://<DOMAIN>/.git/ /PATH/TO/FOLDER
$ ./extractor.sh /PATH/TO/FOLDER /PATH/TO/FOLDER/<FILE>
$ ./trufflehog filesystem /PATH/TO/FOLDER/<FILE>
https://help.shodan.io/command-line-interface/0-installation
$ pip install shodan
$ shodan init <API_KEY>
$ shodan search 'asn:AS<ASN>'
$ shodan search 'asn:AS<ASN> has_vuln:true'
$ shodan search --fields ip_str,port,org,hostnames 'asn:AS<ASN>'
$ shodan search --fields ip_str,port,org,hostnames 'asn:AS<ASN> port:443'
$ shodan search --fields ip_str,port,org,hostnames 'asn:AS<ASN> vuln:cve-2021-40449'
$ shodan stats --facets ssl.version asn:AS<ASN> has_ssl:true http
$ shodan domain <DOMAIN>
$ shodan honeyscore <RHOST>
$ shodan count vuln:cve-2021-40449
$ shodan stats --facets vuln country:US // top 10 vulnerabilities (by facet count) among hosts geolocated in the US
$ shodan search 'd-Link Internet Camera, 200 OK' // d-link cameras
$ shodan search '230 login successful port:21' // ftp access
$ shodan search 'product:MySQL' // mysql databases
$ shodan search 'port:9200 json' // elastic search
$ shodan search 'hacked-router-help-sos' // hacked routers
$ shodan search 'IPC$ all storage devices' // attached storages
$ shodan search '"authentication disabled" port:5900,5901' // vnc servers without authentication
$ shodan search 'http.favicon.hash:81586312' // default jenkins installations
$ shodan search 'http.favicon.hash:-1028703177' // TP-Link Routers
"220" "230 Login successful." port:21
"220" "230 Login successful." port:21
"Authentication: disabled" port:445
"MongoDB Server Information" port:27017 -authentication
"SERVER: EPSON_Linux UPNP" "200 OK"
"Serial Number:" "Built:" "Server: HP HTTP"
"Server: gSOAP/2.8" "Content-Length: 583"
"Server: yawcam" "Mime-Type: text/html"
"Set-Cookie: mongo-express=" "200 OK"
"X-Amz-Server-Side-Encryption"
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
"X-Plex-Protocol" "200 OK" port:32400
"authentication disabled" "RFB 003.008"
city:"London"
port:53 "Recursion: Enabled" // recursive DNS resolvers
port:8080 product:"nginx"
Server: SQ-WEBCAM
ssl.cert.subject.cn:"<DOMAIN>" -http.title:"Invalid URL" 200
asn:AS<ASN>
country:"GB" // two-letter ISO 3166-1 code; "UK" is not a valid value, the United Kingdom is GB
geo:"51.5074,-0.1278" // lat,lon; London lies at 0.1278° W, so the longitude is negative
hostname:<DOMAIN>
html:"AWS Elastic Beanstalk overview"
html:"AWS_ACCESS_KEY_ID"
html:"AWS_SECRET_ACCESS_KEY"
html:"AWS_SESSION_TOKEN"
html:"OpenSearch Dashboards"
html:"context"
http.favicon.hash:"<HASH>"
http.html:"/file"
http.status:200
http.title:"title"
mysql port:"3306"
os:"Windows 7"
os:"Linux"
os:"Windows 10 Home 19041"
port:"11211" product:"Memcached"
port:"23"
port:"25" product:"exim"
port:"9200" all:"elastic indices"
port:5006,5007 product:mitsubishi
port:5432 PostgreSQL
port:8291 os:"MikroTik RouterOS 6.45.9"
product:"Apache httpd" port:"80"
product:"Microsoft IIS httpd"
product:"nginx"
product:"SimpleHTTPServer"
product:"SimpleHTTPServer" port:8080
proftpd port:21
"Server: Apache/2.2.3" // raw banner match; or product:"Apache httpd" version:"2.2.3" for a structured match
ssl.cert.expired:true
ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com
title:"AWS S3 Explorer"
title:"Directory listing for /"
title:"xzeres wind"
$ shodan alert create <NAME> <XXX.XXX.XXX.XXX/XX> && shodan stream --alerts=all
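#!/bin/bash
# Look up every host listed in a file with the Shodan CLI, one query at a time.
# Usage: ./script.sh [hosts-file]   (defaults to hosts.txt; one IP or hostname per line)
# The pause between lookups keeps the script under Shodan's per-second API rate limit.
set -u
input="${1:-hosts.txt}"
if [ ! -r "$input" ]; then
  echo "cannot read host list: $input" >&2
  exit 1
fi
# `|| [ -n "$line" ]` still processes a final line that lacks a trailing newline.
while IFS= read -r line || [ -n "$line" ]; do
  # Skip blank lines and '#' comments so they are not sent to the API as queries.
  case "$line" in ''|'#'*) continue ;; esac
  # Quoted so a stray space or glob character in the file cannot expand into extra arguments.
  shodan host "$line"
  sleep 3
done < "$input"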
$ curl -s "https://api.shodan.io/api-info?key=<API_KEY>" | jq   # quote the URL so the shell does not glob '?'; the key is a query parameter and lands in shell history and proxy/access logs
$ curl -s "https://api.shodan.io/shodan/host/1.1.1.1?key=<API_KEY>" | jq
$ shodan search vuln:CVE-2021-26855 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | httprobe | nuclei -t /PATH/TO/TEMPLATES/CVE/2021/CVE-2021-26855.yaml   # filter the host list to the engagement's authorized scope before it reaches nuclei
<product> city:"<CITY>"
"Server: gws" hostname:"google"
cisco net:"216.219.143.0/24"
Apache city:"<CITY>" port:"8080" product:"Apache Tomcat/Coyote JSP engine"
mqtt port:1883
https://help.shodan.io/command-line-interface/0-installation
'http.html:/apis/apiextensions.k8s.io'
Browse: /api/v1/secrets
"HTTP/1.1 404 Not Found" "Content-Type: text/plain" "Content-Length: 0" "Date" -"Server" -"Connection" -"Expires" -"Access-Control" -"Set-Cookie" -"Content-Encoding" -"Charset"
ssl:"MetasploitSelfSignedCA" http.favicon.hash:"-127886975"
http.html_hash:"611100469"
"HTTP/1.1 401 Unauthorized" "Date: Wed, 12 Sep 2012 13:06:55 GMT"