HTTP

  1. look at Wappalyzer to identify the CMS / technology stack

  2. whatweb

  3. /admin, /login, robots.txt

  4. gospider (IP only):
     gospider -o ./10.129.11.13.spider -w -s "http://10.129.11.13:80" -t 10 -d 5 --sitemap --robots --depth 100 -v

  5. ffuf (vhost fuzzing via the Host header, then recursive directory fuzzing):
     ffuf -of html -o ffuf_subs_dom.html -c -u http://facts.htb:80/ -H "Host: FUZZ.facts.htb" -w /usr/share/wordlists/dnscan/subdomains-10000.txt
     ffuf -of html -o ffuf_dir_dom.html -c -w /usr/share/wordlists/customDirectories.txt -recursion -recursion-depth 5 -t 500 -u http://facts.htb:80/FUZZ

  6. look for a user registration (account creation) function

  7. look up recent CVEs for the software and versions identified

  8. nikto
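The two ffuf runs in step 5 leave a distinctive footprint in web server logs: one client producing a long run of 404s, or one client presenting many different Host headers. The script below is an added example (not part of this checklist) that scores constructed access-log lines for that footprint; it assumes a combined log format with the request's Host header appended as a final quoted field.

```python
import re
from collections import defaultdict

# Assumption: combined log format with the Host header appended as a final
# quoted field (e.g. an nginx log_format ending in '"$http_user_agent" "$host"').
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)

def parse(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def score_sources(lines, min_requests=20, not_found_ratio=0.8, min_hosts=10):
    """Per client IP, flag directory brute force (many requests, mostly 404)
    and vhost fuzzing (many distinct Host headers from one client)."""
    per_ip = defaultdict(lambda: {"total": 0, "nf": 0, "hosts": set()})
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        s = per_ip[r["ip"]]
        s["total"] += 1
        s["nf"] += r["status"] == "404"
        s["hosts"].add(r["host"])
    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["total"] >= min_requests and s["nf"] / s["total"] >= not_found_ratio:
            reasons.append("dir-bruteforce")
        if len(s["hosts"]) >= min_hosts:
            reasons.append("vhost-fuzzing")
        if reasons:
            findings[ip] = reasons
    return findings

def sample_log():
    """Constructed sample: one dir-fuzzing client, one vhost-fuzzing client, one normal user."""
    ts = "[10/Oct/2023:13:55:36 +0000]"
    lines = [f'203.0.113.5 - - {ts} "GET /w{i} HTTP/1.1" 404 196 "-" "curl/8.4.0" "facts.htb"'
             for i in range(30)]
    lines += [f'203.0.113.9 - - {ts} "GET / HTTP/1.1" 200 1234 "-" "curl/8.4.0" "sub{i}.facts.htb"'
              for i in range(12)]
    lines.append(f'198.51.100.7 - - {ts} "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "facts.htb"')
    return lines

if __name__ == "__main__":
    print(score_sources(sample_log()))  # {'203.0.113.5': ['dir-bruteforce'], '203.0.113.9': ['vhost-fuzzing']}
```

The distinct-Host check matters because a default virtual host often answers every unknown name with 200, so a vhost scan never trips the 404-ratio rule.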

WFUZZ

DIRB

Gobuster

metasploit

dirsearch

wpscan

recon-ng

lynis

skipfish

oscanner

sidguess (oracle)

nikto

golismero
