General

Burp suite plugins

• CSRF scanner
• Authorize

Subdomain enumeration

• https://github.com/projectdiscovery/subfinder
• https://dnsdumpster.com/
• https://www.shodan.io/
• https://github.com/fwaeytens/dnsenum/
• https://github.com/tomnomnom/assetfinder
• https://crt.sh/
• amass
• findomain

Checking if our subdomains are live

• https://github.com/tomnomnom/httprobe

(optional if you don't httprobe) Putting HTTPS in front of subdomains

• https://pastebin.com/3ByVDTx4

Subdomain flyover

• https://github.com/FortyNorthSecurity/EyeWitness
• https://github.com/michenriksen/aquatone