gobuster vhost -u timing.htb -w ~/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 50
dnsenum --noreverse company.com
dnsmap company.com
findomain -qt hackerone.com | unimap --fast-scan --stdin --url-output | fhc
subfinder -d ups.com -all -silent | waybackurls | gf redirect | qsreplace '<http://example.com>' | httpx -fr -title -match-string 'Example Domain'
sudo apt install **subfinder**
git clone <https://github.com/pwnesia/dnstake>; cd dnstake/cmd/dnstake; sudo apt install golang; go build .; mv cmd dnstake; sudo mv dnstake /usr/local/bin; chmod +x /usr/local/bin/dnstake;
**subfinder -silent -d** company**.kz | dnstake**
curl "<https://crt.sh/?output=json&Identity=company.kz>" | jq
sslscan <https://web2.company.kz>
**curl -v -I --http1.0 <https://pm>.**company**.kz/ -H 'Host:'**
#BLUTO
<https://github.com/stealthcopter/deepce>
wget <https://github.com/stealthcopter/deepce/raw/main/deepce.sh>
curl -sL <https://github.com/stealthcopter/deepce/raw/main/deepce.sh> -o deepce.sh
# Or using python requests
python -c 'import requests;print(requests.get("<https://github.com/stealthcopter/deepce/raw/main/deepce.sh>").content)' > deepce.sh
python3 -c 'import requests;print(requests.get("<https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content.decode("utf-8>"))' > deepce.sh