AMASS (in Rengine?)

https://github.com/owasp-amass/amass

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

Information Gathering Techniques Used:

Technique	Data Sources
APIs	360PassiveDNS, Ahrefs, AnubisDB, BeVigil, BinaryEdge, BufferOver, BuiltWith, C99, Chaos, CIRCL, DNSDB, DNSRepo, Deepinfo, Detectify, FOFA, FullHunt, GitHub, GitLab, GrepApp, Greynoise, HackerTarget, Hunter, IntelX, LeakIX, Maltiverse, Mnemonic, Netlas, Pastebin, PassiveTotal, PentestTools, Pulsedive, Quake, SOCRadar, Searchcode, Shodan, Spamhaus, Sublist3rAPI, ThreatBook, ThreatMiner, URLScan, VirusTotal, Yandex, ZETAlytics, ZoomEye
Certificates	Active pulls (optional), Censys, CertCentral, CertSpotter, Crtsh, Digitorus, FacebookCT
DNS	Brute forcing, Reverse DNS sweeping, NSEC zone walking, Zone transfers, FQDN alterations/permutations, FQDN Similarity-based Guessing
Routing	ASNLookup, BGPTools, BGPView, BigDataCloud, IPdata, IPinfo, RADb, Robtex, ShadowServer, TeamCymru
Scraping	AbuseIPDB, Ask, Baidu, Bing, CSP Header, DNSDumpster, DNSHistory, DNSSpy, DuckDuckGo, Gists, Google, HackerOne, HyperStat, PKey, RapidDNS, Riddler, Searx, SiteDossier, Yahoo
Web Archives	Arquivo, CommonCrawl, HAW, PublicWWW, UKWebArchive, Wayback
WHOIS	AlienVault, AskDNS, DNSlytics, ONYPHE, SecurityTrails, SpyOnWeb, WhoisXMLAPI

Active Scanning

Consists of

Gathering Host Information

Gather Identity Information

Gather Network Information

Gather Org Information

Open Technical Infomation

References

What is OSINT?

Tools

Shodan

Huntr

HackerOne

Maltego

Recon-ng Framework

Ahmia.fi

Wayback Machine

theHarvester

TinEye

OSINT Framework

FFUF Tool

Lepus Tool

tomnomnom tools in Rengine

theFuzz (formerly known as fuzzywuzzy)

Lepus

CNAME Records

NMAP

MASSCAN: Mass IP port scanner

Naabu (in Rengine)

Rengine

Cross-origin resource sharing (CORS)

Password Reset Vulnerability

SNMP and HOST Header Injection

Clickjacking via IFRAME

Access Controls and Parameter Tampering

Burp Proxy Histroy for endpoint discovery

Arjun for hidden end point discovery

CSRF Discovery/Detection

SSRF Parameter Detection/Discovery

XSS and SSTI Discovery/Detection

Rate Limits

Directory Brute-Force

HTTP Request Smuggling

Open Redirect via WaybackURLs

Social-SignOn Bypass

Possible DOS vial multiple Cookies injection

File Upload via CSRF, XSS, SSRF, RCE, LFI, XXE

Buffer Overflow

AMASS (in Rengine?)

Nuclei (in Regine)

GoSpider

gau (get all urls)

Nikto

AMASS (in Rengine?)