Essential bug bounty hunting tools with installation guides and usage examples.
This section covers modern tools used in bug bounty hunting, including installation instructions, configuration tips, and practical usage examples.
- Installation
- Reconnaissance Tools
- Enumeration Tools
- Vulnerability Scanners
- Exploitation Tools
- Utility Tools
- Browser Extensions
```bash
# Install Go (if not installed)
wget https://go.dev/dl/go1.21.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
export GOPATH=$HOME/go
export PATH=$PATH:$GOPATH/bin
# Install ProjectDiscovery tools
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install -v github.com/projectdiscovery/katana/cmd/katana@latest
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install -v github.com/projectdiscovery/notify/cmd/notify@latest
# Update Nuclei templates
nuclei -update-templates
```
```bash
# Install pip
sudo apt update
sudo apt install python3-pip -y
# Install common Python tools
pip3 install requests beautifulsoup4 urllib3
# SQLMap
sudo apt install sqlmap -y
# Arjun (parameter discovery)
pip3 install arjun
# XSStrike
git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike
pip3 install -r requirements.txt
```
```bash
# ffuf (fuzzer)
go install github.com/ffuf/ffuf/v2@latest
# Feroxbuster
wget https://github.com/epi052/feroxbuster/releases/latest/download/feroxbuster_amd64.deb
sudo apt install ./feroxbuster_amd64.deb
# Amass
go install -v github.com/owasp-amass/amass/v4/...@master
# GoWitness (screenshots)
go install github.com/sensepost/gowitness@latest
# Dalfox (XSS scanner)
go install github.com/hahwul/dalfox/v2@latest
# Unfurl (URL analysis)
go install github.com/tomnomnom/unfurl@latest
# Anew (append unique lines)
go install github.com/tomnomnom/anew@latest
# Qsreplace (query string replace)
go install github.com/tomnomnom/qsreplace@latest
```
Subfinder
Purpose: Subdomain enumeration using passive sources
Installation:
```bash
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
```
Basic Usage:
```bash
# Simple subdomain enumeration
subfinder -d target.com
# Output to file
subfinder -d target.com -o subdomains.txt
# Use all sources
subfinder -d target.com -all -o subs.txt
# Recursive enumeration
subfinder -d target.com -recursive -all -o recursive_subs.txt
# Silent mode (only results)
subfinder -d target.com -silent
```
Configuration:
```bash
# Configure API keys for better results (-pc points at the provider config file)
subfinder -d target.com -pc ~/.config/subfinder/provider-config.yaml
# Example provider-config.yaml
# virustotal: [API_KEY]
# shodan: [API_KEY]
# securitytrails: [API_KEY]
```
Amass
Purpose: Comprehensive attack surface mapping
Installation:
```bash
go install -v github.com/owasp-amass/amass/v4/...@master
```
Basic Usage:
```bash
# Passive enumeration
amass enum -passive -d target.com -o passive_subs.txt
# Active enumeration
amass enum -d target.com -o active_subs.txt
# Brute-force mode
amass enum -brute -d target.com -o brute_subs.txt
# Intel gathering
amass intel -whois -d target.com
# Using configuration file (Amass v4 reads a YAML config)
amass enum -config config.yaml -d target.com
```
dnsx
Purpose: Fast DNS resolution and probing
Installation:
```bash
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
```
Basic Usage:
```bash
# Resolve A records
cat subdomains.txt | dnsx -silent -a -resp-only
# Multiple record types
cat subdomains.txt | dnsx -a -aaaa -cname -mx -ns -txt -resp
# DNS resolution with full details
cat subdomains.txt | dnsx -json -o dns_results.json
# Wildcard detection (-wd takes the domain to check for wildcards)
cat subdomains.txt | dnsx -wd target.com -o wildcard_filtered.txt
```
Katana
Purpose: Next-gen crawling framework
Installation:
```bash
go install github.com/projectdiscovery/katana/cmd/katana@latest
```
Basic Usage:
```bash
# Basic crawl
katana -u https://target.com
# With JavaScript parsing
katana -u https://target.com -jc
# Depth control
katana -u https://target.com -d 3
# Extract specific file types (-em matches extensions; -ef would exclude them)
katana -u https://target.com -em js,json,xml
# Output to file
katana -u https://target.com -d 3 -jc -o crawled_urls.txt
# Multiple targets
cat targets.txt | katana -silent
```
ffuf
Purpose: Fast web fuzzer
Installation:
```bash
go install github.com/ffuf/ffuf/v2@latest
```
Basic Usage:
```bash
# Directory fuzzing
ffuf -u https://target.com/FUZZ -w wordlist.txt
# With extensions
ffuf -u https://target.com/FUZZ -w wordlist.txt -e .php,.html,.js
# Match status codes
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403
# Filter by size
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234
# Recursive fuzzing
ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2
# Virtual host discovery
ffuf -u https://target.com -H "Host: FUZZ.target.com" -w wordlist.txt
# POST data fuzzing
ffuf -u https://target.com/api -w wordlist.txt -X POST -d "username=admin&password=FUZZ"
```
Feroxbuster
Purpose: Recursive content discovery
Installation:
```bash
wget https://github.com/epi052/feroxbuster/releases/latest/download/feroxbuster_amd64.deb
sudo apt install ./feroxbuster_amd64.deb
```
Basic Usage:
```bash
# Basic scan
feroxbuster -u https://target.com -w wordlist.txt
# With extensions
feroxbuster -u https://target.com -w wordlist.txt -x php,html,js,txt
# Recursive depth
feroxbuster -u https://target.com -w wordlist.txt --depth 3
# Increased threads
feroxbuster -u https://target.com -w wordlist.txt -t 100
# Auto-tune for rate limiting
feroxbuster -u https://target.com -w wordlist.txt --auto-tune
```
Nuclei
Purpose: Fast vulnerability scanner based on templates
Installation:
```bash
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
nuclei -update-templates
```
Basic Usage:
```bash
# Scan single URL
nuclei -u https://target.com
# Scan multiple URLs
nuclei -l urls.txt
# Scan with specific templates (path is relative to the templates directory)
nuclei -u https://target.com -t http/cves/
# Scan by severity
nuclei -l urls.txt -severity critical,high
# Custom template directory
nuclei -l urls.txt -t custom-templates/
# Silent mode with output
nuclei -l urls.txt -silent -o results.txt
# JSON Lines output (nuclei v3 uses -jsonl)
nuclei -l urls.txt -jsonl -o results.jsonl
# Rate limiting
nuclei -l urls.txt -rl 100
# With notifications
nuclei -l urls.txt -severity critical,high | notify
```
Creating Custom Templates:
```yaml
id: custom-check
info:
  name: Custom Vulnerability Check
  author: yourname
  severity: medium
# "http" is the current name of the block older templates call "requests"
http:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
    matchers:
      - type: status
        status:
          - 200
```
Dalfox
Purpose: XSS scanner and parameter analyzer
Installation:
```bash
go install github.com/hahwul/dalfox/v2@latest
```
Basic Usage:
```bash
# Scan single URL
dalfox url "https://target.com?param=value"
# From URL list
cat urls.txt | dalfox pipe
# Silent mode with PoC only (--only-poc takes a pattern; v = verified)
cat urls.txt | dalfox pipe --silence --only-poc v
# With custom payloads (-b is the blind-XSS callback flag, not a payload file)
dalfox url "https://target.com?param=value" --custom-payload custom_payloads.txt
# Scan POST parameters
dalfox url "https://target.com/api" --data "username=test&password=test"
```
SQLMap
Purpose: Automatic SQL injection detection and exploitation
Installation:
```bash
sudo apt install sqlmap -y
```
Basic Usage:
```bash
# Basic scan
sqlmap -u "https://target.com?id=1"
# With authentication
sqlmap -u "https://target.com?id=1" --cookie="session=abc123"
# POST request
sqlmap -u "https://target.com/login" --data="username=admin&password=test"
# Enumerate databases
sqlmap -u "https://target.com?id=1" --dbs
# Dump specific table
sqlmap -u "https://target.com?id=1" -D database -T users --dump
# From Burp request file
sqlmap -r request.txt
# Batch mode (no prompts)
sqlmap -u "https://target.com?id=1" --batch --level=3 --risk=2
```
httpx
Purpose: Fast HTTP probe and swiss army knife
Installation:
```bash
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
```
Basic Usage:
```bash
# Probe for live hosts
cat subdomains.txt | httpx -silent
# With status codes and titles
cat subdomains.txt | httpx -status-code -title
# Technology detection
cat subdomains.txt | httpx -tech-detect
# Follow redirects
cat subdomains.txt | httpx -follow-redirects
# Match status codes
cat urls.txt | httpx -mc 200,301,302
# Match regex in response
cat urls.txt | httpx -match-regex "admin|dashboard"
# Extract specific information
cat urls.txt | httpx -json -o results.json
```
unfurl
Purpose: URL analysis and manipulation
Installation:
```bash
go install github.com/tomnomnom/unfurl@latest
```
Basic Usage:
```bash
# Extract domains
cat urls.txt | unfurl domains
# Extract paths
cat urls.txt | unfurl paths
# Extract parameters
cat urls.txt | unfurl keys
# Format URLs (quote the format string so the shell passes it through untouched)
cat urls.txt | unfurl format '%s://%d%p'
```
anew
Purpose: Append unique lines to file
Installation:
```bash
go install github.com/tomnomnom/anew@latest
```
Basic Usage:
```bash
# Add only new lines to file
subfinder -d target.com -silent | anew subdomains.txt
# Use in continuous monitoring
while true; do
  subfinder -d target.com -silent | anew subdomains.txt
  sleep 3600
done
```
Burp Suite Integration
- FoxyProxy - Easy proxy switching
HTTP/Request Analysis
- EditThisCookie - Cookie manipulation
- Wappalyzer - Technology detection
- Shodan - Asset information
Development Tools
- JSON Viewer - Format JSON responses
- User-Agent Switcher - Change user agent
| Category | Tool | Speed | Accuracy | Best For |
|---|---|---|---|---|
| Subdomain Enum | Subfinder | ⚡⚡⚡ | ⭐⭐⭐ | Passive discovery |
| Subdomain Enum | Amass | ⚡⚡ | ⭐⭐⭐⭐ | Comprehensive mapping |
| Content Discovery | ffuf | ⚡⚡⚡ | ⭐⭐⭐ | Fast fuzzing |
| Content Discovery | Feroxbuster | ⚡⚡⚡ | ⭐⭐⭐ | Recursive scanning |
| Crawling | Katana | ⚡⚡⚡ | ⭐⭐⭐⭐ | Modern web apps |
| Vuln Scanning | Nuclei | ⚡⚡⚡ | ⭐⭐⭐⭐ | Template-based |
| XSS Detection | Dalfox | ⚡⚡⚡ | ⭐⭐⭐ | XSS hunting |
| SQLi Detection | SQLMap | ⚡⚡ | ⭐⭐⭐⭐ | SQL injection |
- Keep tools updated - Run update commands regularly
- Configure API keys - Better results with authenticated sources
- Respect rate limits - Use `-t` and `-rl` flags appropriately
- Chain tools - Combine outputs for better coverage
- Save outputs - Always save results for later analysis
- Use silent modes - Easier to pipe between tools
- Monitor resource usage - Some tools are resource-intensive
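The "chain tools" and "save outputs" advice, combined with the anew monitoring loop shown earlier, as an added shell example that is not part of the original page: a stage that drops out-of-scope look-alike hostnames before appending only new names to the saved baseline. The function names (`in_scope`, `append_new`, `monitor_pass`) and all hostnames are constructed for illustration, and `append_new` is an awk stand-in for anew so the block runs offline.

```shell
#!/usr/bin/env bash
# Added example: scope filter + "append unique" stage for a recon pipeline.
# Function names and every hostname below are constructed for illustration.

# in_scope SCOPE_FILE: print stdin hostnames that equal, or are subdomains of,
# an apex domain listed in SCOPE_FILE. Matches on a label boundary, so
# "eviltarget.com" does not pass for "target.com".
in_scope() {
  awk 'FILENAME == ARGV[1] { if ($0 != "") scope[tolower($0)] = 1; next }
       {
         host = tolower($0); sub(/\.$/, "", host); h = length(host)
         for (d in scope) {
           n = length(d)
           if (host == d || (h > n && substr(host, h - n) == ("." d))) {
             print host; break
           }
         }
       }' "$1" -
}

# append_new FILE: print stdin lines not yet in FILE and append them to it,
# the behaviour the page relies on anew for. Testing FILENAME (rather than the
# NR == FNR idiom) keeps this correct when FILE is still empty.
append_new() {
  touch "$1"
  new=$(awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !seen[$0]++' "$1" -)
  if [ -n "$new" ]; then printf '%s\n' "$new" | tee -a "$1"; fi
}

# monitor_pass SCOPE_FILE BASELINE: one monitoring iteration over stdin.
monitor_pass() { in_scope "$1" | append_new "$2"; }

# demo: two passes over constructed discovery output.
demo() {
  dir=$(mktemp -d)
  printf 'target.com\n' > "$dir/scope.txt"
  printf '%s\n' api.target.com eviltarget.com API.target.com. \
    target.com.evil.example www.target.com |
    monitor_pass "$dir/scope.txt" "$dir/subdomains.txt"
  echo '--'
  printf '%s\n' www.target.com dev.target.com |
    monitor_pass "$dir/scope.txt" "$dir/subdomains.txt"
  rm -rf "$dir"
}

demo
```

In a real loop, the stdin of `monitor_pass` would be the silent-mode output of the discovery tool, and the lines it prints are the only ones worth forwarding to later stages.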
Next Steps: Check Resources for learning materials and references.