$ python3 sublist3r.py -d gitlab.com -o /root/Desktop/subdomain

Subfinder

Subfinder also is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed.

dmitry

DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line program coded purely in C with the ability to gather as much information as possible about a host.

VirusTotal

Also, you can check virustotal website to get more information about your target and get more subdomain details

2. Check IPs used for your target by shodan.io, censys.io, ipinfo.io

nslookup

nslookup is a web based DNS client that queries DNS records for a given domain name. It allows you to view all the DNS records for a website

 3. Check SSL/TLS certfication by crt.sh, censys.io

sslscan

sslscan is a great tool to enumeration of server signature algorithms, scanSSLv2 and SSLv3 protocol

4. Check open/closed/filtered ports & DNS record & OS version by

nmap

If you don't know about Nmap close this methodology and go to your bed

masscan

This is an Internet-scale port scanner, It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine.

rustscan

RustScan is a modern take on the port scanner. Sleek & fast. All while providing extensive extendability to you.

nikto

Nikto is a web server scanner to get some information that may be useful for you

5. Bruteforce directory to get more possible API endpoint don't forget to follow this rule more paths = more files, parameters -> more vulnerability

Gobuster

Gobuster is a tool used to brute-force: URIs (directories and files) in websites, DNS subdomains (with wildcard support), Virtual Host names on target web servers.

LinkFinder

This tool is great, i usually use it to search paths,links

TheHarvester

TheHarvester is a tool for gathering e-mail accounts and subdomain names from public sources

dirb

same thing in gobuster

Seclist

It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

 6. Screenshotting for server IPs, DNS record, Error message

HttpScreenShot

HTTPScreenshot is a tool for grabbing screenshots and HTML of large numbers of websites. The goal is for it to be both thorough and fast which can sometimes oppose each other.

7. Using a recon-ng tool to enumerate and get more information about target

recon-ng

Recon-ng is a reconnaissance tool with an interface similar to Metasploit. Running recon-ng from the command line, you enter a shell like environment where you can configure options, perform recon and output results to different report types.

• Check this article to know about this tool : https://hackertarget.com/recon-ng-tutorial/

8. Find collect possibly several javascript files

jsfinder

I'm recommend this tool you can crawl useful Endpoints and we can also do BLH discovery.

gau

This tool is great, i usually use it to search for as many javascript files as possible, many companies host their files on third parties, this thing is very for important for a bughunter because then really enumerate a lot js files!

9. Check Google dorks and Github resource

do-search

This is a tool by using google dorks for advanced searching in google and other google applications to find security holes in the configuration and computer code that used in the websites

GHDB

Google Dork Hacking Databases --> Check the link below

10. Happy Hacking

URLs For Tools