

@nullenc0de
Last active January 29, 2025 17:04
External Penetration Testing Commands
# External Penetration Testing Cheatsheet
#
# NOTE(review): this is a reference of independent one-liners, not a script to
# run top to bottom. Lowercase words such as domain, target, wordlist, depth,
# threads, token and url are placeholders to substitute by hand; $DOMAIN, $URL,
# $JS_URL and $GITHUB_TOKEN are expected from the environment. The placeholders
# are not used consistently (domain / $DOMAIN / example.com all stand for the
# in-scope target domain). Several commands show no input at all because they
# read it from stdin, i.e. they are meant to be fed by an earlier step's output.
# Output files (emails.txt, gh_secret.json, cors.txt, results.txt, ...) contain
# client data and, for the secret scanners, the matched secrets themselves: keep
# them on the engagement's encrypted storage and remove them at close-out.
## 1. Reconnaissance
### Cloud Enumeration
# Cloud Infrastructure Discovery
# -k is the keyword to search for; "somecompany" is a placeholder organization name
./cloud_enum.py -k somecompany
# Third Party Misconfigurations
# -service "*" checks every service the tool knows about
./misconfig-mapper -target company -service "*"
### OSINT Collection
# Email Discovery
emailfinder -d domain
python3 LeakSearch.py -k domain -o emails.txt
# Username Enumeration
# (reference link, not an executable command)
https://github.com/shellfarmer/WeakestLink
# Metadata Analysis
# metafinder_limit is a placeholder for the result limit passed to -l
metafinder -d domain -l metafinder_limit -o osint -go -bi
# Domain Information
python3 365doms.py -d domain
### Dorks Discovery
# Using Flare (Preferred Method)
# (reference link, not an executable command)
https://app.flare.io/#/actions
### GitHub Reconnaissance
# Comprehensive Secret Scanning (Preferred Method)
# One command continued over trailing backslashes; do not put comments inside it.
# $GITHUB_TOKEN is expanded onto the command line, so the token is visible in
# process listings and shell history: use a minimally scoped read-only token,
# keep `set -x` off around this call, and revoke it when the engagement ends.
# --results=verified,unknown,unverified keeps every candidate, so the output
# is noisy and holds the raw secret strings; triage before it is shared.
trufflehog github --org=$DOMAIN \
--token=$GITHUB_TOKEN \
--include-forks \
--include-wikis \
--include-members \
--issue-comments \
--pr-comments \
--gist-comments \
--comments-timeframe=180 \
--include-detectors="all" \
--filter-entropy=3.0 \
--results=verified,unknown,unverified \
--detector-timeout=45s \
--archive-max-size=10MB \
--archive-max-depth=10 \
--concurrency=20
# GitHub Dorks
# "tokens" is presumably a file of API tokens (-tf); keep it out of any shared repo
gitdorks_go -gd dorks.txt -target domain -tf tokens
# Repository Analysis
# -token-string places the token on argv (same exposure as the trufflehog call)
enumerepo -token-string token -usernames company
# gh_secret.json will contain the matched secrets in clear; handle as sensitive
gitleaks detect --source repos -r gh_secret.json
## 2. Domain Enumeration
### Passive Subdomain Discovery
# Multiple Sources
# quote "$DOMAIN" if this line is ever wrapped in a script
subfinder -silent -all -d $DOMAIN
github-subdomains -d domain -t tokens
gitlab-subdomains -d domain -t tokens
# DNS Analysis
python3 servicelens.py -d example.com
# dnsx reads hostnames on stdin; "domain" here is the literal placeholder
echo domain | dnsx -recon
### Active Domain Discovery
# DNS Bruteforcing
# wordlist.txt and resolvers.txt are input files to supply. Bruteforcing sends
# a high query volume through the resolvers listed, so use resolvers you run
# or are permitted to load.
puredns bruteforce wordlist.txt domain -r resolvers.txt
# massdns takes the candidate names on stdin (or as a trailing file argument);
# -o S is simple text output written to -w results.txt
massdns -r resolvers.txt -t A -o S -w results.txt
# Resolution and Validation
# no input shown: feed hostnames on stdin, as in the echo | dnsx pattern above
dnsx -retry 3 -a -resp
# Wildcard removal
# -wd filters out names that only resolve because of a wildcard record on $DOMAIN
dnsx -silent -wd $DOMAIN
### Network Reconnaissance
# Find Related CIDRs
# same without the extra cat: dnsx -silent -a -resp-only < domains.txt | python3 netscan.py
cat domains.txt | dnsx -silent -a -resp-only | python3 netscan.py
# Remote Desktop Discovery
rdwatool -u domain -k
# Analytics Relationships
analyticsrelationships -u domain
## 3. Service Discovery
### Technology Detection
# Web Technology Fingerprinting
# httpx takes its host list on stdin (e.g. the resolved names from section 2)
httpx -tech-detect -status-code -title
whatweb -a 3 domain
# Screenshot Capture
# runs only the template with id "screenshot"; -headless starts a browser, so it is slow
nuclei -headless -id screenshot
### Port Scanning
# Fast TCP Scan
# no target shown: naabu reads hosts on stdin (or via -host / -list)
naabu -silent -p 80,443,8080,8443
smap -iL ips.txt
# Service Version Detection
# "ports" and "target" are placeholders, e.g. the open ports found by naabu/smap
nmap -sV -sC -p ports target
# Comprehensive Service Scan
# The -p list is a single argument continued with trailing backslashes; keep
# them intact and do not insert comments between the lines. No target range is
# given, so one must be appended. --rate 10000 packets/s is enough to degrade or
# trip stateful firewalls and IDS in front of the client; take the rate from the
# rules of engagement instead of this default.
masscan -p7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,\
179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,\
1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,\
3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,\
6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,\
49152-49157 --rate 10000
### Infrastructure Analysis
# WAF/CDN Detection
# cdncheck reads hosts/IPs on stdin
cdncheck -resp -silent -nc
wafw00f -i hosts.txt
# Virtual Host Discovery
# As written there is no -u target URL, which ffuf requires; "wordlist" and
# "domain" are placeholders.
ffuf -w wordlist -H "Host: FUZZ.domain"
# Service Analysis
# extracts the web-server hosts from an nmap -oX result
nmap-parse-output scan.xml web-servers
## 4. Content Discovery
### Web Crawling
# Advanced Crawling (Preferred Method)
# one command across four continued lines; $URL is the seed URL
katana -u $URL -d 5 -jc -jsl -kf all -aff -timeout 15 -retry 3 \
-s breadth-first -iqp \
-sf url,path,fqdn,rdn,rurl,qurl,fqpath,file,urlkey,value,kv,dir,udir \
-em png,jpeg,woff,woff2,gif,jpg
# Alternative Crawlers
gospider -s domain -d depth
hakrawler -url domain -depth depth
### Directory Enumeration
# Using Feroxbuster
# -k disables TLS certificate verification (for self-signed test hosts);
# --filter-status hides the listed response codes from the output
feroxbuster --url $URL -w wordlist.txt -k --quiet --filter-status 401,403,404,405,500 --extract-links
# Using ffuf
# -mc keeps only the listed status codes; $URL is unquoted, quote it if scripted
ffuf -w wordlist.txt -u $URL/FUZZ -mc 200,301,302,401
### JavaScript Analysis
# JS Discovery and Analysis
# gofuzz.py reads the JS URL list on stdin (the cat is redundant: ./gofuzz.py -s < js_urls.txt)
cat js_urls.txt | ./gofuzz.py -s
subjs domain
getjswords.py domain
# JS Link Finding
# -sf "*.$DOMAIN" keeps the reported links to the in-scope domain; -nb presumably suppresses the banner
python3 xnLinkFinder.py -i $JS_URL -sf "*.$DOMAIN" -nb
## 5. Vulnerability Testing
### Authentication Testing
# Password Spraying
# Spraying against production authentication can lock accounts out; confirm the
# client's lockout policy and an agreed attempt budget before running this.
# -f takes the greppable nmap output; "threads" and "output" are placeholders.
brutespray -f nmap.gnmap -t threads -o output
# Admin Panel Discovery
# egrep/grep have no file argument, so they filter a URL list arriving on stdin;
# egrep is deprecated in favor of grep -E
egrep -i "/admin/|/administrator/" | httpx -title -sc -lc -nc
# API Testing
grep '/api' | httpx -title -sc -lc -nc -ct
### Injection Testing
# SSRF Testing
# Two wordlists are bound to keywords W1 and W2, but only W2 is referenced and
# there is no -u template, so as written urls.txt (W1) is never used;
# "collaborator" is a placeholder for the tester's out-of-band callback host.
ffuf -w urls.txt:W1,headers.txt:W2 -H "W2: collaborator"
# LFI Testing
# same shape as the SSRF line: no -u template wires the wordlists to a request;
# -mr keeps responses whose body matches the regex
ffuf -w urls.txt -w lfi_wordlist -mr "root:"
# SSTI Testing
ffuf -w urls.txt -w ssti_wordlist -mr "ssti49"
# SQL Injection
# --batch answers every prompt with its default, i.e. runs non-interactively
sqlmap -m urls.txt --batch
# NOTE(review): -u takes a single URL; for a list check ghauri's bulk-file option (sqlmap uses -m)
ghauri -u urls.txt --batch
# Command Injection
commix --batch -m urls.txt
### Web Vulnerabilities
# XSS Testing
knoxnl -i urls.txt -o results.txt
# gxss reads URLs on stdin; -c is concurrency, -p the marker inserted into parameters
gxss -c 100 -p Xss
# CORS Issues
python3 Corsy/corsy.py -i webs.txt -o cors.txt
# Open Redirects
python3 Oralyzer/oralyzer.py -l urls.txt -p payloads.txt
# Request Smuggling
# NOTE(review): smuggler.py's -u expects one URL; a list is normally piped on stdin — confirm
python3 smuggler.py -u urls.txt
# Cache Poisoning
# NOTE(review): Web-Cache-Vulnerability-Scanner ships as a Go binary, so the
# python3 prefix looks wrong — confirm against the installed tool
python3 Web-Cache-Vulnerability-Scanner -u urls.txt
# Prototype Pollution
ppmap < urls.txt
# 403 Bypass
# NOTE(review): nomore403 is also a Go binary; same concern as the line above
python3 nomore403 -u urls.txt
### Parameter Analysis
# Discovery
cat urls.txt | python3 paramhunter.py -w wordlist.txt
# -X GET POST tests both methods; -v 0 silences progress output
x8 -v 0 -X GET POST -w params.txt -u $URL --output-format request
paramspider -d domain
arjun -u url -oJ params.json
# Template paths are hard-coded under /root; point them at the local nuclei
# template directory. -severity info limits this to informational templates and
# the two -et flags exclude waf-detect and tech-detect from the run.
nuclei -l httpx.txt -t /root/nuclei-templates/http/technologies/ -severity info -et /root/nuclei-templates/http/technologies/waf-detect.yaml -et /root/nuclei-templates/http/technologies/tech-detect.yaml -o nuclei.txt
# de-duplicated view only; the sorted output is not written anywhere
sort -u nuclei.txt
# equivalent without the cat: grep default nuclei.txt
cat nuclei.txt| grep default
# -o writes output.txt and stdout is piped on to httpx (no flags, so it only probes
# the list). NOTE(review): -d takes a domain, yet urls.txt is a file — confirm the
# intended input option.
urlfinder -d urls.txt -all -o output.txt |httpx