First Scanning:
i use both nmap and rustscan(if you don't known about rustscan its nmap -p- on steroids)
nmap -sC -sV --min-parallelsim 64 -oN nmap/nmapfile $target-ip
Checking if the website has any sub-domains
wfuzz -c -f sub-fighter -w wordlist.txt -u http://cmess.thm -H "Host :FUZZ.cmess.thm" -hw 290
Target: http://cmess.thm/
Total requests: 4997
==================================================================
ID Response Lines Word Chars Request
==================================================================
00019: C=200 30 L 104 W 934 Ch "dev"
Total time: 0
Processed Requests: 2990
Filtered Requests: 2989
Requests/sec.: 0