Br4dl3y

# Security Tools & Resources

A curated collection of tools used in bug bounty hunting and web application penetration testing. Organized by phase — from initial reconnaissance to exploitation.


## Table of Contents

- [Reconnaissance](#reconnaissance)
- [Directory & Fuzzing](#directory--fuzzing)
- [Vulnerability Scanners](#vulnerability-scanners)
- [Proxy & Intercept](#proxy--intercept)
- [Exploitation](#exploitation)
- [OSINT](#osint)
- [Utilities & Pipeline Tools](#utilities--pipeline-tools)
- [Quick Start Recon Pipeline](#quick-start-recon-pipeline)

## Reconnaissance

Tools for passive and active enumeration — subdomains, live hosts, ports, URLs, and crawling.

| Tool | Install | Description |
|---|---|---|
| subfinder | `go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest` | Fast passive subdomain discovery from 50+ sources (ProjectDiscovery) |
| amass | `sudo apt install -y amass` | Deep attack surface mapping — OSINT, DNS bruteforce, ASN mapping |
| assetfinder | `go install github.com/tomnomnom/assetfinder@latest` | Quick subdomain finder using crt.sh, Facebook, and more |
| httpx | `go install github.com/projectdiscovery/httpx/cmd/httpx@latest` | HTTP probing — live hosts, titles, status codes, tech detection |
| dnsx | `go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest` | Multi-purpose DNS toolkit for mass resolution, CNAME, A/AAAA records |
| naabu | `go install github.com/projectdiscovery/naabu/v2/cmd/naabu@latest` | Fast port scanner from ProjectDiscovery — pairs with subfinder + httpx |
| nmap | `sudo apt install -y nmap` | Gold-standard network & port scanner with version/script detection |
| katana | `go install github.com/projectdiscovery/katana/cmd/katana@latest` | Next-gen web crawler — JS rendering, form detection, API endpoint discovery |
| gau | `go install github.com/lc/gau/v2/cmd/gau@latest` | Fetch known URLs from Wayback Machine, Common Crawl, OTX, URLScan |
| waybackurls | `go install github.com/tomnomnom/waybackurls@latest` | Pull historical URLs from the Wayback Machine for a domain |
| hakrawler | `go install github.com/hakluke/hakrawler@latest` | Speedy web crawler for endpoints, links, forms, and JS files |
| gospider | `go install github.com/jaeles-project/gospider@latest` | Fast web spider — links, robots.txt, sitemaps, JS sources |


## Directory & Fuzzing

Tools for brute-forcing directories, files, parameters, virtual hosts, and DNS.

| Tool | Install | Description |
|---|---|---|
| gobuster | `sudo apt install -y gobuster` | Dir/file/DNS/vhost brute-forcer — fast, written in Go |
| ffuf | `go install github.com/ffuf/ffuf/v2@latest` | The fastest web fuzzer — dirs, params, headers, VHosts |
| feroxbuster | `sudo apt install -y feroxbuster` | Recursive content discovery in Rust — extremely fast |
| dirsearch | `pip3 install dirsearch` | Python dir/file brute-forcer with large built-in wordlists |
| wfuzz | `sudo apt install -y wfuzz` | Web fuzzer for params, auth, paths, cookies — very flexible |
| SecLists | `sudo git clone https://github.com/danielmiessler/SecLists /opt/SecLists` | The ultimate wordlist collection for all fuzzing and enumeration tasks |


## Vulnerability Scanners

Automated tools for detecting known vulnerabilities, CVEs, misconfigurations, and common web bugs.

| Tool | Install | Description |
|---|---|---|
| nuclei | `go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest` | Template-based vuln scanner — 7000+ community templates, CVEs, misconfigs |
| nikto | `sudo apt install -y nikto` | Web server scanner — outdated software, dangerous files, misconfigs |
| whatweb | `sudo apt install -y whatweb` | Identify web tech stack, CMS, frameworks, server type |
| wpscan | `sudo gem install wpscan` | Black-box WordPress vulnerability scanner |
| dalfox | `go install github.com/hahwul/dalfox/v2@latest` | XSS scanner with DOM analysis, parameter discovery and blind XSS support |
| sqlmap | `sudo apt install -y sqlmap` | Automated SQL injection detection and database takeover |
| XSStrike | `git clone https://github.com/s0md3v/XSStrike /opt/XSStrike` | Advanced XSS detection with fuzzing, DOM analysis and CSP bypass |
| commix | `sudo apt install -y commix` | Automated command injection and OS command execution tool |
| arjun | `pip3 install arjun` | HTTP parameter discovery — finds hidden GET/POST/JSON params |
| ParamSpider | `git clone https://github.com/devanshbatham/ParamSpider /opt/paramspider` | Mines URLs and parameters from web archives for fuzzing |
| interactsh | `go install github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest` | Out-of-band interaction server for blind XSS, SSRF, XXE, RCE |


## Proxy & Intercept

Tools for intercepting, replaying, and modifying HTTP/S traffic.

| Tool | Install | Description |
|---|---|---|
| Burp Suite | `sudo apt install -y burpsuite` | The #1 web proxy for interception, replay, fuzzing — essential for bug bounty |
| OWASP ZAP | `sudo apt install -y zaproxy` | Free Burp alternative with built-in active/passive scanning |
| mitmproxy | `pip3 install mitmproxy` | Interactive TLS-capable CLI/web proxy for traffic inspection |
| proxychains | `sudo apt install -y proxychains4` | Route traffic through Tor/SOCKS/HTTP proxy chains |


## Exploitation

Tools for exploiting discovered vulnerabilities — JWT attacks, SSRF, CORS, SQL injection, and more.

| Tool | Install | Description |
|---|---|---|
| Metasploit | `sudo apt install -y metasploit-framework` | The exploit framework — thousands of modules for post-exploitation |
| searchsploit | `sudo apt install -y exploitdb` | Offline search of the Exploit-DB database |
| jwt_tool | `git clone https://github.com/ticarpi/jwt_tool /opt/jwt_tool` | JWT analysis, fuzzing, and algorithm confusion attack tool |
| SSRFmap | `git clone https://github.com/swisskyrepo/SSRFmap /opt/ssrfmap` | Automatic SSRF fuzzer and exploiter with built-in payloads |
| Corsy | `git clone https://github.com/s0md3v/Corsy /opt/corsy` | CORS misconfiguration scanner |
| ghauri | `git clone https://github.com/r0oth3x49/ghauri /opt/ghauri` | Advanced SQL injection detection — modern sqlmap alternative |


## OSINT

Open-source intelligence tools for mapping organizations, emails, domains, and cloud assets.

| Tool | Install | Description |
|---|---|---|
| theHarvester | `sudo apt install -y theharvester` | OSINT email, subdomain, IP and name gathering from public sources |
| Maltego | `sudo apt install -y maltego` | OSINT graph visualization — map domains, emails, orgs, IPs |
| recon-ng | `sudo apt install -y recon-ng` | Full-featured OSINT framework with 100+ modules |
| Shodan CLI | `pip3 install shodan` | Query Shodan for exposed services, devices, SSL certs |
| gowitness | `go install github.com/sensepost/gowitness@latest` | Screenshot web pages at scale — great for large recon output |
| cloud_enum | `git clone https://github.com/initstring/cloud_enum /opt/cloud_enum` | Enumerate public cloud resources on AWS, GCP and Azure |


## Utilities & Pipeline Tools

Helpers for building efficient recon pipelines, managing output, and chaining tools together.

| Tool | Install | Description |
|---|---|---|
| anew | `go install github.com/tomnomnom/anew@latest` | Append new unique lines to files — deduplicate recon output in pipelines |
| gf | `go install github.com/tomnomnom/gf@latest` | Grep patterns for bug bounty — find XSS, SQLi, SSRF params in URLs |
| qsreplace | `go install github.com/tomnomnom/qsreplace@latest` | Replace query string values in URLs — pipe-friendly fuzzing helper |
| notify | `go install github.com/projectdiscovery/notify/cmd/notify@latest` | Send recon output to Slack/Telegram/Discord as real-time alerts |
| cariddi | `go install github.com/edoardottt/cariddi/cmd/cariddi@latest` | Crawl then scan for juicy files, endpoints, and secrets |


## Quick Start Recon Pipeline

A simple pipeline to go from a domain to live hosts and vulnerabilities fast:

```bash
# 1. Passive subdomain enumeration
subfinder -d target.com -silent | tee subs.txt

# 2. Probe live hosts
cat subs.txt | httpx -silent -title -tech-detect -status-code | tee live.txt

# 3. Port scan the discovered hosts
cat subs.txt | naabu -silent -top-ports 1000 | tee ports.txt

# 4. Crawl for endpoints (the first field of each httpx line is the URL)
cat live.txt | awk '{print $1}' | katana -silent | tee endpoints.txt

# 5. Gather historical URLs
cat subs.txt | gau --threads 5 | tee gau_urls.txt

# 6. Run nuclei against live hosts
cat live.txt | awk '{print $1}' | nuclei -t ~/nuclei-templates/ -c 30 -o vulns.txt

# 7. Directory fuzzing on interesting targets
ffuf -w /opt/SecLists/Discovery/Web-Content/common.txt \
     -u https://target.com/FUZZ \
     -mc 200,301,302,403 \
     -t 50

# 8. Find juicy parameters in collected URLs
cat gau_urls.txt endpoints.txt | gf xss | qsreplace '"><script>alert(1)</script>'
# dalfox is an XSS scanner, so the SQLi candidates go to a file for review instead
cat gau_urls.txt endpoints.txt | gf sqli | tee sqli_params.txt
```
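The pipeline above never checks that a host is actually inside the program's scope before naabu, katana, nuclei and ffuf run against it. Below is an added example (not from the original page) of a small scope gate that accepts bare hostnames or httpx-style lines, keeps only hosts under the in-scope apex domains and drops explicitly excluded ones; the function names, file layout and sample data are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Scope gate for the recon pipeline: keeps only hosts that end in an in-scope
# apex domain and are not explicitly excluded, so later stages never touch
# out-of-scope assets. Function names, file layout and the sample data below
# are assumptions for this example, not part of the page.

# Reduce a bare hostname or an httpx line ("https://host:port [200] [Title]")
# to just the hostname.
host_of() {
  printf '%s\n' "$1" | awk '{print $1}' | sed -E 's#^[a-z]+://##; s#[:/].*$##'
}

# filter_scope SCOPE_FILE EXCLUDE_FILE < lines
#   SCOPE_FILE:   one in-scope apex domain per line (e.g. target.com)
#   EXCLUDE_FILE: exact hostnames the program lists as out of scope
# Prints each in-scope input line unchanged, so it can sit between any two
# stages of the pipeline.
filter_scope() {
  local scope="$1" exclude="$2" line host apex
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    host=$(host_of "$line")
    grep -qxF "$host" "$exclude" && continue
    while IFS= read -r apex; do
      [ -z "$apex" ] && continue
      # exact apex match, or a proper subdomain ("x.target.com");
      # "target.com.evil.net" and "nottarget.com" do not pass this test
      if [ "$host" = "$apex" ] || [ "${host%.$apex}" != "$host" ]; then
        printf '%s\n' "$line"
        break
      fi
    done < "$scope"
  done
}

# Constructed sample run: two apex domains in scope, one host excluded.
demo() {
  local dir; dir=$(mktemp -d)
  printf 'target.com\ntarget.io\n' > "$dir/scope.txt"
  printf 'legacy.target.com\n' > "$dir/exclude.txt"
  printf '%s\n' \
    'https://app.target.com [200] [Portal]' \
    'https://legacy.target.com [200] [Old]' \
    'https://api.target.io:8443 [401] [API]' \
    'https://target.com.evil.net [200] [Lookalike]' \
    'https://nottarget.com [200] [Other]' \
    | filter_scope "$dir/scope.txt" "$dir/exclude.txt"
  rm -rf "$dir"
}
```

Insert `filter_scope scope.txt exclude.txt` after `tee live.txt` (or directly after subfinder) and only the two in-scope hosts from the sample reach the scanning stages.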