Mapping the Site

Attack Surface Mapping and Asset Discovery


The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
Collection of open source tools for attack surface management or Bug Bounties.
  • ​nuclei - Fast and customizable vulnerability scanner based on simple YAML based DSL.
  • ​subfinder - Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
  • ​naabu - A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests
  • ​httpx - httpx is a fast and multi-purpose HTTP toolkit allows to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.
  • ​proxify - Swiss Army knife Proxy tool for HTTP/HTTPS traffic capture, manipulation, and replay on the go.
  • ​dnsx - dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.

Other tools

  • ​Intrigue - Intrigue Core is a framework for discovering attack surface. It discovers security-relevant assets and exposures within the context of projects and can be used with a human-in-the-loop running individual tasks, and/or automated through the use of workflows.
  • ​Odin - ODIN is Python tool for automating intelligence gathering, asset discovery, and reporting.
  • ​AttackSurfaceMapper - AttackSurfaceMapper (ASM) is a reconnaissance tool that uses a mixture of open source intelligence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets.
  • ​Goby - Goby is a new generation network security assessment tool. It can efficiently and practically scan vulnerabilities while sorting out the most complete attack surface information for a target enterprise.
  • ​Asnip - Asnip retrieves all IPs of a target organizationβ€”used for attack surface mapping in reconnaissance phases.
  • ​ - Powerful tools for third-party risk, attack surface management, and total intel
  • ​ - Domain & IP Data Intelligence for Greater Enterprise Security
  • ​ - RiskIQ Digital Footprint gives complete visibility beyond the firewall. Unlike scanners and IP-dependent data vendors, RiskIQ Digital Footprint is the only solution with composite intelligence, code-level discovery and automated threat detection and exposure monitoringβ€”security intelligence mapped to your attack surface.
  • ​ - Scan domain for indicators found in breaches

Content Discovery

  • ​Photon - Incredibly fast crawler designed for OSINT.
  • ​URLgrab - A golang utility to spider through a website searching for additional links.
  • ​hakrawler - Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application. Also built by the Legendary Hakluke
  • ​gospider - This package contains a Fast web spider written in Go.
  • ​filebuster - Filebuster is a HTTP fuzzer / content discovery script with loads of features and built to be easy to use and fast! It uses one of the fastest HTTP classes in the world (of PERL) - Furl::HTTP. Also the thread modelling is optimized to run as fast as possible.
  • ​feroxbuster - feroxbuster is a tool designed to perform Forced Browsing. Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the web application, but are still accessible by an attacker.


Enumeration Tools

  • ​dnsdumpster - A tool to perform DNS reconnaissance on target networks. Among the DNS information got from include subdomains, mx records, web application firewall detection and more fingerprinting and lookups
  • ​DNSRecon - The Original DNS recon script.
  • ​dnscan - dnscan is a python wordlist-based DNS subdomain scanner.
  • ​dnsenum - Dnsenum is a multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.
  • ​dnsmap - dnsmap scans a domain for common subdomains using a built-in or an external wordlist
  • ​dnstracer - determines where a given Domain Name Server (DNS) gets its information from for a given hostname, and follows the chain of DNS servers back to the authoritative answer.
  • ​Lepus - A tool for enumerating subdomains, checking for subdomain takeovers and perform port scans - and boy, is it fast!
  • ​Knock - Knockpy is a python3 tool designed to enumerate subdomains on a target domain through dictionary attack.
  • ​HostileSubBruteForcer - Aggressive SubDomain brute forcing tool written by Nahamsec.
  • ​altdns - a DNS recon tool that allows for the discovery of subdomains that conform to patterns.
  • ​assetfinder - A tool to find domains and subdomains potentially related to a given domain.
  • ​fierce - Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It’s really meant as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for.
  • ​cansina - a Web Content Discovery Application. Help you making requests and filtering and inspecting the responses to tell apart if it is an existing resource or just an annoying or disguised 404.
  • ​subbrute - A DNS meta-query spider that enumerates DNS records, and subdomains.
  • ​dnsx - dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.

Subdomain Takeover

  • ​TKO-subs - A tool that can help detect and takeover subdomains with dead DNS records
  • ​Subjack - Subjack is a Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked.
  • ​Second-Order - Scans web applications for second-order subdomain takeover by crawling the app, and collecting URLs (and other data) that match some specific rules, or respond in a specific way.
  • ​dnstake - A fast tool to check missing hosted DNS zones that can lead to subdomain takeover

Subdomain wordlists

Directory Enumeration

​Go Buster

Directory/File, DNS and VHost busting tool written in Go.​
Gobuster quick directory busting
gobuster -u -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux
Gobuster comprehensive directory busting
gobuster -s 200,204,301,302,307,403 -u -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
Gobuster search with file extension
gobuster -u -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .txt,.php