Common Wordlist location:

/usr/share/wordlists
/usr/share/seclists
/usr/share/payloadsallthethings

Passive Enumeration:

WHOIS:

whois domain.com

Active Enumeration:

Nmap:

Service and Version Detection:

nmap -sV target

Using scripts such as which HTTP methods enabled:

nmap -p 80 --script http-methods target

Banner grabbing:

curl (mainly for HTTP target):

curl -I http://target

netcat (mainly for non HTTP target):

netcat -v target port

Endpoint Discovery:

hakrawler:

echo "http://target" | hakrawler -u

dirb:

dirb http://target

gobuster:

gobuster dir -u http://asio -w /usr/share/wordlists/dirb/common.txt

With extensions (for example php):

dirb http://target -X .php

Fuzzing with FFUF (bruteforce):

ffuf -w users.txt -u http://target/login -X POST -d 'username=FUZZ&password=asd' -H 'Content-Type: application/x-www-form-urlencoded'

Creating custom wordlist with CeWL (in this example set to lowercase and min word length to 4):

cewl --write output.txt --lowercase -m 4 http://target/manual

Try all this for Offsec exam:

gobuster dir -f -u http://asio -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
gobuster dir -f -u http://asio -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
gobuster dir -f -u http://asio -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt