Essential Tools For Bug Bounty Hunting, Web App Hacking, Penetration Testing | Shubham Dhungana

Subh Dhungana
7 min readJun 2, 2023

Hello, Shubham Dhungana, this side. This article will be showcasing the essential tools required for bug bounty hunting, web application hacking and other penetration testing essential needed tool. These tools are very essential for web application hacking. These tools are equally important while doing bug bounty hunting. There are different phases while doing bug bounty hunting, penetration testing, etc. Each phases needs different sets of tools. Below I’ve mentioned important required tools for bug bounty and other vapt tools.

Beginners would find these tools extremely useful to get started into bug bounty hunting, web application hacking and penetration testing.

Subdomain Enumeration

  • Amass —A comprehensive tool for mapping attack surfaces and discovering assets.
  • Sublist3r — A rapid tool for penetration testers to enumerate subdomains.
  • massdns — A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
  • Findomain —The quickest cross-platform subdomain enumerator that saves you time.
  • subfinder — A subdomain discovery tool that identifies valid subdomains for websites.
  • assetfinder —Locate domains and subdomains associated with a specific domain.

OSINT Search Engines

  • Shodan — Shodan is a search engine that enables users to find internet-connected devices and explore their vulnerabilities.
  • Censys — Censys is a search engine that focuses on internet-wide scanning and provides information about devices, websites, and networks.
  • crt.sh — crt.sh is a website that provides access to Certificate Transparency logs, allowing users to search and analyze SSL/TLS certificates.
  • Virus Total — VirusTotal is a web service that analyzes files and URLs for potential malware infections by scanning them with multiple antivirus engines.
  • Crunchbase — Crunchbase is a platform that offers information and insights about companies, including their funding, key individuals, and industry trends.

Port Scanning

  • nmap —Nmap is a powerful network exploration and security auditing tool.
  • naabu —Naabu is a fast and reliable port scanner written in Go.
  • masscan —Masscan is a high-speed TCP port scanner that can scan the entire Internet in under 5 minutes.

Screenshots

  • httpscreenshot —HTTPScreenshot is a tool that captures screenshots and HTML content from a large number of websites efficiently.
  • EyeWitness —EyeWitness is a tool that captures website screenshots, provides server header information, and attempts to identify default credentials if available.
  • gowitness —gowitness is a utility written in Go that uses Chrome Headless to capture web screenshots, enabling users to automate the process effectively.
  • aquatone —Aquatone is a tool designed for inspecting websites across numerous hosts, allowing users to gain a quick overview of the HTTP-based attack surface visually.
  • screenshoteer —screenshoteer is a command-line tool for taking website screenshots and emulating mobile views, offering convenient automation capabilities.
  • WitnessMe —WitnessMe is a web inventory tool that uses Pyppeteer (headless Chrome/Chromium) to capture webpage screenshots and includes additional features for easier usage.

Mobile Hacking

  • jadx : JADX is a decompiler for Java bytecode, allowing users to reverse-engineer and analyze Android applications by transforming them into human-readable Java code, providing insights into the inner workings of the app.
  • andriller : Andriller is a forensic tool used for extracting data from Android devices, enabling investigators to acquire various types of data such as call logs, messages, contacts, and more, aiding in digital forensics investigations.
  • Mobile Security Framework (MobSF) : MobSF is an open-source framework that helps in the automated security assessment of mobile applications. It offers dynamic and static analysis, as well as web API testing, and supports popular platforms like Android and iOS.
  • Ghidra: Ghidra is a powerful reverse-engineering tool developed by the National Security Agency (NSA). It provides a wide range of features for analyzing binary executables, including disassembly, decompilation, scripting capabilities, and collaborative reverse engineering.
  • RMS — Runtime Mobile Security: Runtime Mobile Security: RMS is a framework that focuses on runtime application security for mobile devices. It provides security controls and monitoring features to detect and prevent potential security risks and vulnerabilities in mobile applications
  • dex2jar: dex2jar is a tool that converts Android DEX files (Dalvik Executable) to JAR files, enabling the decompilation and analysis of Android applications using standard Java tools and frameworks. It assists in understanding the inner workings of an application and identifying potential security issues.

Best Burp Suite Extensions

  • AuthMatrix: AuthMatrix is a Burp Suite extension that simplifies the testing and enumeration of access control vulnerabilities. It provides an intuitive interface to manage user roles and permissions, allowing testers to quickly identify and test for authorization flaws in web applications.
  • Autorize: Autorize is a Burp Suite extension designed to assist with the detection and exploitation of authorization vulnerabilities. It helps testers identify insecure direct object references, horizontal and vertical privilege escalation, and other authorization-related issues by automating common authorization attack techniques.
  • Param Miner: Param Miner is a Burp Suite extension that aids in the identification and exploitation of parameter-based vulnerabilities. It assists in the automated discovery of sensitive information, injection points, and potential security flaws by actively scanning and manipulating application parameters.
  • Logger++: Logger++ is a Burp Suite extension that enhances the request/response logging capabilities of Burp Proxy. It provides advanced filtering, highlighting, and search functionalities to efficiently analyze and manage captured HTTP traffic, enabling testers to focus on identifying security issues and anomalies within the requests and responses.

Technologies

  • wappalyzer —Wappalyzer is a tool used to identify the technologies utilized by websites, allowing users to determine the software frameworks, CMS platforms, and other technologies being employed.
  • fingerprintx —FingerprintX is a standalone utility designed for service discovery on open ports, which can be effectively integrated with other popular command-line tools used in bug bounty programs.
  • httpx —HTTPX is a high-speed and versatile HTTP toolkit that enables users to execute multiple probing activities concurrently using the retryablehttp library, ensuring reliable results even when using increased threads.
  • python-builtwith —Python-BuiltWith is a client for the BuiltWith API, providing a convenient way for developers to interact with the BuiltWith platform and retrieve information about the technologies used by websites.
  • whatweb —WhatWeb is an advanced web scanner that offers next-generation capabilities, allowing users to efficiently discover and analyze the technologies, frameworks, and other relevant details associated with web applications.

Links

  • gau —gau is a tool that retrieves known URLs from multiple sources such as AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl.
  • LinkFinder — LinkFinder is a Python script specifically designed to locate endpoints within JavaScript files, helping users identify important URLs and endpoints within the code.
  • waybackurls —waybackurls is a tool that collects all the URLs associated with a specific domain that are archived by the Wayback Machine, providing users with a comprehensive list of historical URLs.
  • JS-Scan — JS-Scan is a PHP-based scanner for JavaScript files, primarily focused on scraping URLs and extracting relevant information from the code.
  • BurpJSLinkFinder —BurpJSLinkFinder is a Burp Suite extension that passively scans JavaScript files, aiming to identify endpoint links and provide valuable information for security testing purposes.
  • LinksDumper —LinksDumper is a tool that extracts links or potential endpoints from responses and applies filtering mechanisms like decoding and sorting to refine the results.

Content Discovery

  • hakrawler —hakrawler is a straightforward and efficient web crawler designed to quickly and easily discover endpoints and assets within a web application.
  • dirsearch —dirsearch is a tool specifically designed for scanning web paths, allowing users to identify directories and files present on a web server.
  • recursebuster — recursebuster is a content discovery tool that enables fast and recursive querying of webservers, making it particularly useful in pentesting and web application assessments.
  • gobuster —gobuster is a tool written in Go that performs directory/file, DNS, and VHost busting, aiding in the discovery of hidden or vulnerable resources on a web server.
  • feroxbuster —feroxbuster is a fast and straightforward content discovery tool written in Rust, designed to recursively search for and identify web content.

Other Essential Tools

  • SecLists: SecLists is a comprehensive collection of security-related wordlists, passwords, fuzzing payloads, and various other data sets that can be used for security assessments, penetration testing, and related tasks
  • CyberChef: CyberChef is a versatile web application that serves as a “Swiss Army Knife” for cybersecurity professionals. It provides a wide range of data transformation and analysis functions, allowing users to easily manipulate, convert, and analyze data in various formats, making it a valuable tool for data decoding, encryption, and analysis tasks.
  • PayloadsAllTheThings : PayloadsAllTheThings is a comprehensive collection of payloads, exploits, and bypass techniques that can be used during penetration testing and security assessments, providing a valuable resource for security researchers and professionals.
  • android-security-awesome : android-security-awesome is a curated list of resources, tools, and vulnerabilities specifically focused on Android application security, offering guidance and references for securing Android apps and conducting security assessments on Android platforms.
  • awesome-vulnerable-apps : awesome-vulnerable-apps is a curated list of intentionally vulnerable applications and services, designed for educational purposes to help individuals practice and enhance their skills in discovering and exploiting vulnerabilities.
  • nuclei: nuclei is a fast and customizable vulnerability scanner that helps automate security testing by scanning web applications and APIs for known vulnerabilities and misconfigurations, providing a streamlined approach to security assessments.
  • metasploit-framework: metasploit-framework is an open-source framework for developing, testing, and executing exploits against target systems. It provides a wide range of tools and modules for penetration testing, allowing users to assess and exploit vulnerabilities in a controlled environment.
  • nikto: nikto is a web vulnerability scanner that scans and assesses web servers for potential security issues and misconfigurations. It can identify common vulnerabilities and provide valuable insights for securing web applications.
  • Osmedeus : Osmedeus is an open-source tool that automates reconnaissance and vulnerability scanning, combining various scanning techniques and tools to perform tasks such as subdomain enumeration, port scanning, and security scanning, assisting in the assessment of the attack surface of web applications.

Hope you like the article. Thanks for sticking hereby :)

Shubham Dhungana
Cyber Security Researcher
VAPT | Red Team

--

--

Subh Dhungana

Security Analyst, Penetration Tester, Bug Bounty Hunter | Offensive, Red Team, VAPT