The Arsenal of a Bug Bounty Hunter: 50 Essential Penetration Testing Tools by Beyonddennis

As Beyonddennis, I have navigated the complex landscape of bug bounty hunting since 2018, understanding that success isn't merely about possessing a vast collection of tools, but rather mastering the right ones and applying them strategically. This comprehensive guide unveils 50 indispensable penetration testing tools that form the bedrock of a bug bounty hunter's arsenal, implicitly categorized by their common use cases. My aim is to shed light on how these tools empower hunters to discover, analyze, and report vulnerabilities, transforming theoretical knowledge into actionable intelligence.

The Crucial Role of Tools in Bug Bounty Hunting

Bug bounty hunting demands a blend of reconnaissance, scanning, fuzzing, and exploitation skills. Tools serve as extensions of a hunter's capabilities, automating repetitive tasks, uncovering hidden attack surfaces, and providing insights that manual analysis alone might miss. They streamline workflows, enhance accuracy, and ultimately increase the chances of unearthing high-impact vulnerabilities. It's about knowing when and how to deploy each tool effectively, translating raw output into meaningful findings.

Phase 1: Reconnaissance and Information Gathering

Reconnaissance is the foundational phase, where bug bounty hunters gather as much information as possible about their target without actively engaging with its systems. This passive intelligence gathering reveals potential weak points, hidden endpoints, and misconfigured assets that might otherwise go unnoticed.

Subdomain Enumeration and Asset Discovery

• Amass: A powerful tool for in-depth attack surface mapping and asset discovery, pulling data from numerous sources and performing recursive brute-forcing to find forgotten assets.

  amass enum -d example.com

• Subfinder: A fast, passive subdomain enumeration tool that quickly identifies subdomains using multiple sources.

  subfinder -d example.com

• Assetfinder: Quickly discovers related domains and subdomains by pulling from various passive sources, often paired with other tools to check for live hosts.

  assetfinder example.com

• Sublist3r: A Python-based tool designed to enumerate subdomains using OSINT techniques and various search engines, providing a quick overview.

  python3 sublist3r.py -d example.com

• Findomain: Known for its speed and cross-platform compatibility in subdomain enumeration.

  findomain -t example.com

• Shuffledns: A wrapper around Massdns that allows for efficient subdomain enumeration through active bruteforce with accurate wildcard filtering.

  shuffledns -d example.com -w subdomains_wordlist.txt -r resolvers.txt

• Massdns: A high-performance DNS stub resolver for bulk lookups and reconnaissance, often used in conjunction with other tools for fast subdomain resolution.

  massdns -r resolvers.txt -w subdomains_list.txt

• Knockpy: A Python tool for DNS reconnaissance and subdomain enumeration, aiding in target discovery.

  python3 knockpy.py example.com

• Sudomy: An automated reconnaissance tool to collect and analyze domains for bug hunting and penetration testing.

  python3 sudomy.py -d example.com

• Censys CLI/API: Allows querying certificate transparency logs for subdomain enumeration.

  censys search "parsed.names: example.com" --index=certificates

• PureDNS: Fast domain resolver and subdomain bruteforcing with accurate wildcard filtering.

  puredns bruteforce wordlist.txt example.com -r resolvers.txt

Visual Inspection and OSINT (Open-Source Intelligence)

• Aquatone: Collects screenshots of web endpoints, enabling rapid visual assessment of live hosts and aiding in spotting interesting targets like login pages or dev portals.

  cat subdomains.txt | aquatone -ports 80,443,8000,8080

• EyeWitness: Gathers screenshots and metadata of web endpoints, helping in quick visual inspection and web application documentation.

  EyeWitness.py -f urls.txt --web

• theHarvester: An OSINT tool for finding emails, subdomains, and host information from various public sources.

  theharvester -d example.com -l 500 -b google

• SpiderFoot: A comprehensive OSINT tool that gathers data from public sources like WHOIS, DNS records, and IP data.

  python3 sf.py -s example.com

• Maltego CE: A graphical OSINT tool for linking entities and uncovering relationships between data points.
• Shodan: Referred to as the "search engine for the Internet of Things (IoT)", it allows hunters to discover internet-connected devices, analyze their security, and monitor network exposure.
• ClatScope: A powerful OSINT tool for gathering intelligence, mapping attack surfaces, and identifying vulnerabilities using publicly available data, including geolocation, DNS, WHOIS, and email breach information.
• ExifTool: Extracts metadata from images, PDFs, and documents, which can sometimes reveal sensitive information.

  exiftool image.jpg

• FOCA (Fingerprinting Organizations with Collected Archives): An automated tool for metadata and document analysis.
• Wayback Machine / Gau (GetAllUrls): Used to view old versions of websites and find removed sensitive data, or to quickly fetch URLs and indexed files from the Wayback Machine and other archiving engines.

  echo example.com | gau

• Google Dorking: While not a tool, it's a technique leveraging Google's advanced search operators (dorks) to find publicly exposed information, misconfigurations, or sensitive files.

  site:example.com intitle:"index of" "password"

Phase 2: Scanning and Analysis

Once the target's attack surface is mapped, scanning tools come into play to identify open ports, active services, technologies used, and potential vulnerabilities.

Port and Network Scanning

• Nmap (Network Mapper): A fundamental open-source tool for network exploration and security auditing, identifying hosts, open ports, services, and OS detection.

  nmap -sV -O <target_ip>

  For comprehensive port scanning, use:

  nmap -p- <target_ip>

• Masscan: A high-performance TCP port scanner capable of scanning the entire Internet in minutes, often used for initial rapid discovery before detailed Nmap scans.

  masscan -p1-65535 192.168.1.0/24 --rate 100000

• RustScan: A modern, fast port scanner written in Go and Rust designed to quickly find open ports, integrating well with Nmap.

  rustscan -a 192.168.1.1 -- -A

• Naabu: A fast port scanner written in Go with a focus on reliability and simplicity, ideal for large-scale scanning.

  naabu -host example.com -p 80,443,8080

• Wireshark: A free and open-source network protocol analyzer that allows users to capture and analyze network traffic in real-time, crucial for understanding data flow and identifying potential security vulnerabilities.
• Hping3: A network probing tool for security testing that can send custom TCP/IP packets, useful for firewall testing and crafting specific network requests.

  hping3 -S -p 80 example.com

Web Application Scanning and Fuzzing

• Burp Suite Professional: A comprehensive web application security testing platform, often considered the "Swiss Army knife" for web app testing. It includes:
  • Burp Proxy: Intercepts, inspects, and modifies HTTP/S traffic.
  • Burp Scanner: Automated vulnerability scanning for web applications, including SQL injection and XSS.
  • Burp Intruder: Automates custom attacks by sending a large number of HTTP requests with various payloads, useful for fuzzing and brute-forcing.
  • Burp Repeater: Manually sends and modifies individual HTTP requests, essential for testing specific vulnerabilities.
  • Burp Comparer: Highlights differences between responses.
  • Burp Sequencer: Analyzes the randomness of session tokens and other unpredictable data.
  • Burp Extensions (BApp Store): Provides additional functionality, such as identifying broken authentication or specific injection flaws. Popular extensions include:
    • Param Miner: Identifies hidden, unlinked parameters, useful for finding web cache poisoning vulnerabilities.
    • Autorize: Automatic authorization enforcement detection.
    • JS Link Finder (BurpJSLinkFinder): Passively scans JavaScript files for endpoint links.
    • Turbo Intruder: For sending large numbers of HTTP requests and analyzing results, often used for race conditions.
    • XSS Validator: Designed for automation and validation of XSS vulnerabilities.
• OWASP ZAP (Zed Attack Proxy): A popular open-source web application security testing tool providing features for vulnerability scanning, penetration testing, and web scraping.
• Nuclei: A fast, configurable, and template-based tool for targeted scanning, allowing users to create custom templates for specific vulnerabilities.

  nuclei -t cves/ -u http://example.com

• Nikto: A straightforward web server scanner that checks for outdated server software, dangerous files/scripts, and misconfigurations across over 6500+ malicious files and 250+ server types.

  nikto -h example.com

• Dirb/Dirbuster/Dirsearch: Tools for directory and file brute-forcing, uncovering hidden or unlinked directories, backup files, and forgotten admin panels. Dirsearch is often preferred for its speed and Python basis.

  dirsearch -u example.com -e php,html,js

• FFUF (Fast Fuzz Until Found): A fast web fuzzer often used for directory/file, parameter, and path fuzzing. It's excellent for uncovering hidden files, folders, and undocumented GET/POST parameters.

  ffuf -w wordlist.txt -u http://example.com/FUZZ

• Wfuzz: A Python-based tool for brute-forcing web applications, useful for sniffing out unlinked resources, checking for injections in POST/GET parameters, and form parameter checking.

  wfuzz -c -z file,wordlist.txt -u http://example.com/FUZZ

• Arjun: A Python script specifically designed for finding hidden GET and POST parameters by bruteforcing, helpful in uncovering undocumented input vectors.

  python3 arjun.py -u http://example.com/

• XSStrike: An advanced XSS scanner known for its powerful capabilities in detecting cross-site scripting vulnerabilities.

  python3 xsstrike.py -u "http://example.com/search?q=test"

• DalFox (dalfox): A fast XSS scanning and parameter analysis tool based on Golang.

  dalfox url http://example.com/search?q=test

• Sn1per: An automated pentest framework for offensive security experts, capable of scanning for various vulnerabilities.
• Arachni: A comprehensive web application security scanner framework.
• Jaeles: A powerful web application testing framework with a plugin architecture for custom payloads.
• Retire.js: A scanner specifically designed to detect the use of JavaScript libraries with known vulnerabilities.

  retire.js --path ./ --scanFolder

• OWASP Dependency-Check: Identifies project dependencies and checks if there are any known, publicly disclosed vulnerabilities.
• BlackWidow: A Python-based web application scanner for OSINT gathering and fuzzing for OWASP vulnerabilities.
• Wapiti: A command-line application that audits website security using black-box scans, injecting payloads to check for script vulnerabilities, SSRF, XSS, and more.

  wapiti -u http://example.com

• SQLmap: An open-source tool that automates the detection and exploitation of SQL injection vulnerabilities, capable of database fingerprinting, data retrieval, and accessing the underlying file system/OS.

  sqlmap -u "http://example.com/page?id=1" --dbs

• SSTImap: A penetration testing software to check for and exploit Server-Side Template Injection vulnerabilities.

  sstimap -u http://example.com/template?name=test

• SSRFmap: An automatic SSRF fuzzer and exploitation tool.

  ssrfmap -r request.txt -p http_parameter

• Gopherus: Generates gopher links for exploiting SSRF and gaining RCE in various servers.
• Smuggler: An HTTP Request Smuggling / Desync testing tool written in Python 3.

  python3 smuggler.py -u http://example.com

• Crlfuzz: A fast tool to scan for CRLF injection vulnerabilities written in Go.

  crlfuzz -u http://example.com

Content Discovery and Link Extraction

• Gobuster: A popular directory/file, DNS, and VHost busting tool written in Go.

  gobuster dir -u http://example.com -w common.txt

• Feroxbuster: A fast, simple, recursive content discovery tool written in Rust.

  feroxbuster -u http://example.com -w common.txt

• Hakrawler: A simple and fast web crawler designed for quick discovery of endpoints and assets within a web application.

  echo http://example.com | hakrawler

• LinkFinder: A Python script that finds endpoints and other referenced files/endpoints in JavaScript files.

  python3 linkfinder.py -i http://example.com/app.js -o output.html

• ParamSpider: Mines parameters from web archives, useful for finding hidden or forgotten parameters.

  python3 paramspider.py -d example.com

• Waybackurls: Fetches all URLs that the Wayback Machine knows about for a given domain.

  waybackurls example.com

Phase 3: Exploitation and Post-Exploitation

Once vulnerabilities are identified, exploitation tools help demonstrate their impact and potentially gain further access.

Exploitation Frameworks and Tools

• Metasploit Framework: A widely used open-source penetration testing framework for identifying and exploiting vulnerabilities, with a vast database of exploit modules and payload generation capabilities.

  msfconsole

• SQLmap: (Re-iterated for exploitation) Automates exploitation of SQL injection flaws, including database dumping.
• John the Ripper: A fast password cracker, useful for offline password cracking of hashes obtained from vulnerable systems.

  john --wordlist=rockyou.txt hash.txt

• Hydra: A fast and flexible network logon cracker that supports numerous protocols, used for brute-forcing login credentials.

  hydra -l user -P passwords.txt ssh://target_ip

• Gitjacker: Helps detect and exploit exposed .git directories on web servers, allowing for reconstruction of repositories and potential access to source code or hardcoded secrets.

  gitjacker -u http://example.com/.git/

• YSOSerial / YSOSerial.net / PHPGGC: Tools for generating payloads that exploit unsafe object deserialization vulnerabilities in Java, .NET, and PHP applications, respectively.
• Liffy / LFISuite: Local file inclusion (LFI) exploitation tools, with LFISuite offering automated exploitation and reverse shell capabilities.

  python3 lfis.py -u "http://example.com/page.php?file=FUZZ" --rhost 192.168.1.100

Phase 4: API Testing and Mobile Application Testing

With the increasing prevalence of APIs and mobile applications, specialized tools are essential for thorough testing.

API Testing Tools

• Postman: A popular tool for developing and controlling API requests, useful for manual API testing and exploring endpoints.
• OWASP ZAP (API Scanning): Can be used for automated API security testing, including GraphQL introspection.
• Burp Suite (API Testing): Used to intercept, inspect, modify, and replay HTTP requests to API endpoints, including automated crawling and auditing of OpenAPI documentation.
• GraphQL Playground: A GUI for testing GraphQL queries with autocompletion, aiding in understanding GraphQL API structures.
• Clairvoyance: Enables users to map GraphQL API structures even when introspection is disabled.
• Akto: An open-source API pentesting tool offering API discovery and automated testing, including business logic tests for OWASP and HackerOne's Top 10 bugs.

Mobile Application Testing Tools

• Frida: A dynamic instrumentation toolkit that allows for injecting scripts into running processes on Android, iOS, and other platforms, essential for mobile security testing.
• MobSF (Mobile Security Framework): An automated, all-in-one mobile application (Android/iOS/Windows) penetration testing, malware analysis, and security assessment framework.
• Burp Mobile Assistant: A Burp Suite extension designed to assist with mobile application testing.

Phase 5: Miscellaneous but Essential Tools and Concepts

Beyond specific attack phases, several tools support the overall bug bounty workflow.

• Mitmproxy: A free and open-source interactive SSL/TLS-capable intercepting proxy for HTTP/S, offering a command-line interface for interception and modification.

  mitmproxy -p 8080

• Proxychains: Forces any TCP connection made by a program to go through SOCKS5, SOCKS4, or HTTP proxies, useful for chaining proxies and anonymity.

  proxychains4 nmap -sT example.com

• Charles Proxy: A commercial web debugging proxy that allows users to intercept, examine, and change HTTP(S) traffic, providing a user-friendly interface.
• Ghidra: A software reverse engineering (SRE) framework developed by the NSA, invaluable for analyzing binaries and understanding compiled code.
• IDA Pro: A proprietary multi-processor disassembler and debugger, a powerful tool for reverse engineering software.
• Volatility Framework: A powerful open-source memory forensics framework for extracting digital artifacts from volatile memory (RAM) dumps, crucial for investigating malware and understanding system state at the time of compromise.

  volatility -f memory.dmp --profile=Win7SP1x64 pslist

• Foremost / Scalpel: Digital forensics tools used for file carving, recovering deleted files from raw disk images.
• Autopsy / FTK Imager / EnCase / Magnet AXIOM: Comprehensive digital forensics platforms and tools for acquiring, analyzing, and reporting on digital evidence from various sources like hard drives, memory, and mobile devices.
• Hackbar: A Firefox add-on for quickly testing website security, XSS, and SQL injections, allowing for easy modification of requests.
• WhatWeb: Identifies web technologies, including CMS, analytics packages, JavaScript libraries, web servers, and embedded devices, providing insights into the target's stack.

  whatweb example.com

• WPScan: A black box WordPress vulnerability scanner that finds security issues in WordPress installations, including themes and plugins.

  wpscan --url http://example.com

• CMSeeK: A CMS detection and vulnerability scanner, capable of identifying various Content Management Systems and known vulnerabilities within them.

  python3 cmseek.py -u http://example.com

• SecLists: Not a tool, but a collection of commonly used wordlists for fuzzing, brute-forcing, and other attack vectors. Absolutely essential.
• Recon-ng: A full-featured web reconnaissance framework written in Python, offering a modular approach to information gathering.

  recon-ng

This extensive compilation of tools, meticulously curated by Beyonddennis, represents the diverse and evolving landscape of bug bounty hunting. The true power lies not in merely possessing these tools, but in the knowledge and ingenuity to wield them effectively, adapting to new challenges and continuously refining one's approach. Knowledge is power, and with this knowledge, every angle of a user's question is considered, fostering a desire for them to return time and again.