In this VIM/BASH bug bounty tutorial, Tom Hudson (@tomnomnom) shares his command-line bug bounty pentesting recon secrets and demonstrates how to use some of his custom tools. This tutorial covers pro webapp pentesting from the command line, making it a must-watch for cybersecurity enthusiasts.
Reference Video: VIM / BASH Bug Bounty Tutorial by Tomnomnom
You Should Know:
Essential VIM Commands for Pentesters
1. Basic Navigation:
- `h`, `j`, `k`, `l` – Move left, down, up, right
- `:wq` – Save and quit
- `:q!` – Quit without saving
- `i` – Enter insert mode
- `Esc` – Leave insert mode
2. Search & Replace:
- `/search_term` – Search forward (no leading colon: `/` starts the search from normal mode)
- `?search_term` – Search backward
- `:%s/old/new/g` – Replace all occurrences on every line of the file
3. File Manipulation:
- `:e filename` – Open another file
- `:vsplit` – Vertical split screen
- `:split` – Horizontal split screen
Tomnomnom's Bug Bounty Tools & Commands
1. `httprobe` – Check which domains in a list are live on HTTP/HTTPS: `cat domains.txt | httprobe`
2. `waybackurls` – Fetch historical URLs from the Wayback Machine: `echo "example.com" | waybackurls`
3. `gf` (Grep for Patterns) – Extract useful data with a named pattern set: `cat urls.txt | gf xss | tee xss_patterns.txt`
4. `ffuf` (Fast Web Fuzzer) – Directory brute-forcing, with `FUZZ` marking where each wordlist entry is inserted: `ffuf -w wordlist.txt -u https://example.com/FUZZ`
5. `dalfox` – Automated XSS scanning of piped-in URLs: `cat urls.txt | dalfox pipe`
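The `waybackurls` output for a real domain is usually thousands of near-duplicate URLs, so before handing it to `gf` or `ffuf` it helps to collapse it to one line per unique host, path and parameter-name set. The function below is an added example (not one of Tomnomnom's tools and not from the video); the URL list is constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: reduce a waybackurls-style URL list to its distinct "shapes"
# (host, path, sorted parameter names) so the inventory of exposed parameters
# is short enough to read and triage. Parameter values are deliberately dropped.

# Reads URLs on stdin; prints "host path name1,name2" for each URL that has a
# query string, deduplicated across the whole input.
unique_param_shapes() {
  while IFS= read -r url; do
    case "$url" in *\?*) ;; *) continue ;; esac   # skip URLs without a query
    hostpath=${url#*://}                           # strip scheme
    hostpath=${hostpath%%\?*}                      # keep host/path only
    query=${url#*\?}                               # everything after the first ?
    query=${query%%#*}                             # drop any #fragment
    host=${hostpath%%/*}
    path=/${hostpath#*/}
    [ "$hostpath" = "$host" ] && path=/            # bare host: no path component
    # one parameter name per line, sorted and joined so order in the URL
    # does not produce separate entries
    names=$(printf '%s\n' "$query" | tr '&' '\n' | cut -d= -f1 \
            | grep -v '^$' | sort -u | paste -s -d ',' -)
    printf '%s %s %s\n' "$host" "$path" "$names"
  done | sort -u
}

# Constructed sample: what a short waybackurls run might return.
SAMPLE_URLS='https://example.com/search?q=test&page=2
https://example.com/search?page=1&q=other
http://example.com/login?redirect=/home
https://example.com/static/app.js
https://api.example.com/v1/items?id=5&id=6'

printf '%s\n' "$SAMPLE_URLS" | unique_param_shapes
```

The five sample URLs collapse to three shapes; the two `/search` URLs merge because they carry the same parameter names in different order.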
Linux Terminal Tricks for Efficiency
- Quickly Edit a Command: Press `Ctrl-x Ctrl-e` to open the current command line (for example the last command recalled with the Up arrow) in `$EDITOR`; set `EDITOR=vim` to get VIM.
- Repeat Last Command: `!!`
- Search Command History: `Ctrl + r`
- Send Process to Background: `Ctrl + z` then `bg`
What Undercode Says:
Mastering VIM and terminal tools like those from Tomnomnom can significantly enhance your bug bounty and pentesting workflow. Automation with `httprobe`, `waybackurls`, and `ffuf` speeds up reconnaissance, while VIM's efficiency keeps you in control.
References:
Reported By: Chuckkeith Top – Hackers Feeds