From ac1ca41383606e265761bbf791a6b599275c5be0 Mon Sep 17 00:00:00 2001 From: Phil Date: Wed, 15 Dec 2021 16:00:50 +0000 Subject: [PATCH] Added More 2 --- README.md | 73 +++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 47 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 2a83df0..169eda9 100644 --- a/README.md +++ b/README.md @@ -3,21 +3,34 @@ ## Stage 1 - Lay of the Land -### Scans +### enumeration -#### Nmap +* Passive Recon + * Shodan + * Wayback Machine + * The Harvester + +* Active Recon + * Nmap + * Masscan + * Network discovery + * RPCClient + * Enum4all + +* List all the subdirectories and files + * Gobuster + * Backup File Artifacts Checker + +* Web Vulnerabilities + * Repository Github + * Burp + * Web Checklist + * Nikto + * Payment functionality + -##### Powershell -``` -nmap -sn -n --disable-arp-ping IP | grep -v "host down" -``` --sn : Disable port scanning. Host discovery only. --n : Never do DNS resolution - - -##### Bash -> Basic Scan +* Basic Scan ``` sudo nmap -sSV -p- IP -oA nmap/initial -T4 sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv 
@@ -27,38 +40,46 @@ sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv • -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE" • -iL INPUTFILE tells Nmap to use the provided file as inputs -> This configuration is enough to do a basic check for a CTF VM +* CTF Scan ``` nmap -sV -sC -oA nmap/initial IP + +• -sV : Probe open ports to determine service/version info +• -sC : to enable the script +• -oA : to save the results ``` --sV : Probe open ports to determine service/version info --sC : to enable the script --oA : to save the results - After this quick command you can add "-p-" to run a full scan while you work with the previous result +``` +nmap -sV -sC -oA -p- nmap/initial IP +``` - - -> Aggressive Nmap +* Aggressive Nmap ``` nmap -A -T4 scanme.nmap.org + • -A: Enable OS detection, version detection, script scanning, and traceroute • -T4: Defines the timing for the task (options are 0-5 and higher is faster) ``` -#### Masscan +* Masscan ```bash masscan IP -p 1-65535 --rate 100 -oX masscan.xml ``` -### enumeration -#### GoBuster +* Using DirBuster or GoBuster -> Dir Mode -``` -gobuster dir -u URL -w /secondary/wordlists/more-lists/dirb/ +```bash + ./gobuster -u http://buffered.io/ -w /secondary/wordlists/more-lists/dirb/ -t 10 + -u url + -w wordlist + -t threads + + More subdomain : + ./gobuster -m dns -w subdomains.txt -u google.com -i + + gobuster -w wordlist -u URL -r -e /secondary/wordlists/more-lists/dirb/ ```
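Review bot: In the first hunk (README.md, the "Stage 1 - Lay of the Land" section) the host-discovery command is lost rather than moved: the deleted `nmap -sn -n --disable-arp-ping IP | grep -v "host down"` block and its `-sn` / `-n` explanations have no replacement, so the new "Network discovery" bullet under "Active Recon" points at nothing. Either reinstate that command under "Network discovery" or drop the bullet. Two style points in the same hunk: the new heading `### enumeration` should follow the Title Case used by `## Stage 1 - Lay of the Land` (e.g. `### Enumeration`), and the "Basic Scan" fence is untagged while the Masscan fence below uses ```bash; tag all the command fences the same way so they render consistently.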
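Review bot: In the second hunk the new full-port command `nmap -sV -sC -oA -p- nmap/initial IP` is wrong as written: `-oA` takes the output basename as its argument, so here `-p-` is consumed as the filename and `nmap/initial` is treated as a target; it should read `nmap -sV -sC -p- -oA nmap/initial IP`, matching the "Basic Scan" line above it. Also in this hunk, the `• -sV : ...`, `• -sC : ...`, `• -oA : ...`, `• -A: ...` and `• -T4: ...` explanations were moved inside the ``` fences, so they now render as part of the command instead of as the prose notes they were before; keep them outside the fence as in the original. Finally, the GoBuster block mixes prose ("-u url", "More subdomain :") into a code fence and switches from the removed `gobuster dir -u URL -w ...` form to `./gobuster -u ...` and `./gobuster -m dns ...` without the mode subcommand, while the last line `gobuster -w wordlist -u URL -r -e /secondary/wordlists/more-lists/dirb/` passes a wordlist path after `-e` with no explanation; please keep the `gobuster dir` / `gobuster dns` form used elsewhere, move the flag explanations out of the fence, and use the `URL` placeholder the rest of the file uses instead of real domains.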