Recon
Reconnaissance is the first and arguably most important phase of any security assessment. It involves systematically discovering and mapping a target's attack surface — subdomains, IP ranges, open ports, running services, technology stacks, and exposed endpoints — before any active testing begins.
Effective recon separates productive security testing from wasted effort. A thorough recon phase reveals forgotten assets, shadow IT, staging environments, and legacy systems that are often less hardened than primary applications. Many of the highest-impact bug bounty findings come from assets discovered during recon that other hunters overlook.
Modern recon combines passive and active techniques. Passive recon leverages certificate transparency logs, DNS records, web archives, search engine indexes, and public datasets to map infrastructure without touching the target. Active recon involves subdomain brute-forcing, port scanning, directory fuzzing, and technology fingerprinting. Tools like subfinder, httpx, nuclei, katana, and ffuf form the backbone of most researchers' recon pipelines.
Automation is essential at scale. Many hunters build continuous recon pipelines that monitor targets for new subdomains, changed DNS records, and newly exposed services — enabling them to test fresh attack surface before anyone else.
This page collects recon methodologies, tool guides, automation workflows, and techniques for comprehensive attack surface discovery.
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-06-22 NEW 2026 | 4300 Outdated Routers Hijacked in Stealthy Spy Infrastructure by AryStinger malware news | The AryStinger malware has hijacked over 4,300 outdated routers, creating a stealthy spy infrastructure. This attack targets vulnerable devices, likely to conduct surveillance or other malicious activities. The scope of the compromise highlights the significant risks associated with unpatched and out-of-date networking equipment. Further details are available via the provided link. → securityaffairs.com |
| 2026-06-22 NEW 2026 | Scanning malicious websites with 'infinite' number of VPN tunnels (Part 1) advanced 9 min read | Library for creating a large number of VPN tunnels to scan malicious websites, leveraging Policy Based Routing and network namespaces. This approach aims to circumvent IP blocking by residential IP filters and other threat actor countermeasures, inspired by a previous system that utilized over 80 concurrent exit nodes. The method is adaptable for modern VPN protocols like Wireguard and addresses challenges in maintaining diverse geographical IP exit points. |
| 2026-06-19 NEW 2026 | CVE-2026-5667: Unauthenticated Remote Control of Mitsubishi MAC-577IF-2E WiFi Adapters via Probe Request Reconnaissance news 8 min read | Library for unauthenticated remote control of Mitsubishi MAC-577IF-2E WiFi Adapters, detailing how probe request reconnaissance leads to unauthorized access. The vulnerability, identified as CVE-2026-5667, allows attackers to discover devices broadcasting specific SSIDs, capture half-handshakes, crack passwords, and then exploit HTTP Basic Auth to control air conditioners and other connected Mitsubishi devices, including changing temperature and power states. |
| 2026-06-19 NEW 2026 | Making Sense of Kubernetes Initial Access Vectors Part 1 – Control Plane intermediate 5 min read | Library introducing a taxonomy of Kubernetes initial access vectors, focusing on control plane threats like unauthenticated API access, exposed Kubeconfig files, `kubectl proxy`, and misconfigured Kubelet APIs. It details associated risks, including those tied to AKS, EKS, and GKE, and outlines protection and detection strategies. The library also touches on risks from exposed management interfaces like Kubernetes Dashboard and Kubeflow. → wiz.io |
| 2026-06-19 NEW 2026 | Making Sense of Kubernetes Initial Access Vectors Part 2 - Data Plane intermediate 7 min read | Library on Kubernetes data plane initial access vectors, detailing risks from applications, container images, and execution-as-a-service. It covers attack paths through vulnerable pods, abuse of RBAC, and system privilege escalation, referencing vulnerabilities like Leaky Vessels and cross-tenant issues found in services like HuggingFace and Replicate. Recommendations include namespace separation, Pod Security Standards, image signature verification, and user namespaces to mitigate lateral movement and privilege escalation. → wiz.io |
| 2026-06-17 NEW 2026 | TryHackMe — Break Out The Cage | Full Write-Up beginner Bug Bounty | This TryHackMe room, "Break Out The Cage," is an easy-rated challenge themed around Nicolas Cage. It guides users through several real-world attack techniques, including anonymous FTP access, multi-layer cryptography, SSH lateral movement, and cron-based command injection. The write-up provides a detailed walkthrough for completing the room. No specific bug bounty payout amount is mentioned. → infosecwriteups.com |
| 2026-06-17 NEW 2026 | Mastery Hunt: Hidden API Endpoints — A Deep Dive into API Bug Bounty Recon & Exploitation intermediate API Sec Bug Bounty | API security testing is the crown jewel of modern bug bounty hunting. While front-end vulnerabilities still exist, APIs are where the real treasure lies — sensitive data, privileged operations, and bu... → infosecwriteups.com |
| 2026-06-14 2026 | IMDS Abused: Hunting Rare Behaviors to Uncover Exploits intermediate 10 min read SSRF | Library for detecting anomalous Instance Metadata Service (IMDS) usage, leading to the discovery of zero-day exploits. It identifies suspicious IMDS access patterns by establishing a baseline of normal behavior, then hunting for infrequent access by processes typically not interacting with IMDS. The library further refines detections by filtering for requests to sensitive IMDS endpoints like `/latest/meta-data/iam/info`, and by considering compute context. This methodology uncovered a CVE-2025-51591 SSRF vulnerability in pandoc exploited via HTML conversion. → wiz.io |
| 2026-06-13 2026 | Introducing Wiz ASM: Context-Driven Attack Surface Management beginner 5 min read | Tool that provides context-driven attack surface management across cloud, AI, on-premises, and SaaS environments. Wiz ASM leverages the Wiz Security Graph to discover external-facing assets, detect exploitable risks, and enrich them with context to prioritize remediation efforts. It identifies owners and provides AI-powered guidance, accelerating response times and reducing mean time to resolution (MTTR). The scanner has helped customers remediate risks like RCE through default credentials on CI/CD systems, exposed cloud and AI keys, and public buckets with sensitive AI training data. → wiz.io |
| 2026-06-09 2026 | Primer on GitHub Actions Security - Threat Model, Attacks and Defenses (Part 1/2) beginner 8 min read Supply Chain | Library detailing GitHub Actions security, this entry explains the threat model and three main risks including pull request pwnage and script injection. It analyzes common misconfigurations, such as the dangerous `pull_request_target` trigger, and examines their manifestation in real-world attacks like the Trivy supply chain breach. Defensive playbooks and strategies for mitigating these vulnerabilities are provided. → wiz.io |
| 2026-06-09 2026 | How to Harden GitHub Actions: An Updated Guide intermediate 13 min read Supply Chain | Library updating a guide to GitHub Actions security, detailing threats like cascading compromises from the tj-actions incident and credential exfiltration via poisoned actions such as TeamPCP / Trivy-action and Axios. It covers hardening GitHub organization settings, including read-only workflow permissions and allowlisting verified actions with SHA pinning, alongside branch protection rules and secure secrets management across repository, organization, and environment levels. The guide also emphasizes Immutable Releases for action maintainers to prevent tag-rewriting attacks. → wiz.io |
| 2026-06-03 2026 | https://github.com/Armur-Ai/Pentest-Swarm-AI beginner 6 min read AI XSS | Library for AI-driven penetration testing, implementing a true swarm intelligence architecture instead of a sequential pipeline. It utilizes stigmergy, emergence, and decentralization for agent coordination via a shared blackboard, allowing for emergent attack chains. The tool integrates with nmap, sqlmap, Burp, ZAP, and Metasploit, supporting various LLM providers and offering features like evidence capture and submission-ready reports. |
| 2026-05-05 2026 | GhostTrack Explained: Track IPs Phones and Usernames Easily beginner 6 min read OSINT | Tool for gathering publicly available data on phone numbers, IP addresses, and usernames. GhostTrack, a Python OSINT script currently at Version 2.2, consolidates IP tracking, phone lookup, and username search into a single menu-driven interface. While a useful learning aid and convenient for Termux users, it falls short compared to professional tools like PhoneInfoga and Sherlock, offering broader but shallower reconnaissance capabilities. The script primarily targets Debian-based Linux and Termux, and users should be aware that its phone tracking module identifies registration country and carrier, not live location. |
| 2026-04-22 2026 | ars0n-framework-v2: Bug Bounty Hunting Framework intermediate 24 min read | Framework that automates bug bounty hunting workflows, acting as a wrapper around 20+ tools like Amass, Nuclei, and Ffuf. It guides users through a methodology, centralizes scan results, and offers educational components to understand the "why" behind each step. The framework utilizes Docker containers for deployment and includes features for data visualization and learning. |
| 2026-04-22 2026 | Uncover Hidden Assets with Bug Bounty Recon: Fuzzing and JS Analysis intermediate 10 min read | Library for bug bounty reconnaissance that teaches parameter fuzzing, forced browsing, and JS analysis. It covers using tools like LinkFinder and bookmarklets for endpoint discovery, integrating Burp Suite extensions such as JSLinkFinder, GAP, and JSpector for automated JS analysis, and employing techniques like path and parameter fuzzing to uncover hidden assets and potential vulnerabilities. → yeswehack.com |
| 2026-04-22 2026 | Subdomain Takeover: Proof Creation for Bug Bounties intermediate 6 min read | Writeup detailing manual subdomain takeover proof creation for bug bounty hunters, focusing on cloud providers like Amazon S3, GitHub Pages, Heroku, and Readme.io. It outlines specific verification steps using regex patterns and HTTP requests, along with actionable takeover procedures for each service, referencing can-i-takeover-xyz. |
| 2026-04-22 2026 | Shodan and Censys for beginners: How to find more vulnerabilities beginner 8 min read | Guide for beginners on utilizing Shodan and Censys for vulnerability discovery, focusing on reconnaissance techniques. It details how to use specific search operators like `org`, `asn`, `http.status`, `ssl.cert.subject.CN`, `http.favicon.hash`, and `http.html` to identify exposed hosts, forgotten assets via expired certificates, and authentication panels. The guide also explains filtering by technologies such as PHP and finding directory listings. → intigriti.com |
| 2026-04-22 2026 | Hunting down subdomain takeover vulnerabilities intermediate 8 min read | Library for identifying and exploiting subdomain takeover vulnerabilities. It details how companies often use third-party services, leaving DNS records pointing to forgotten services that attackers can claim. The library covers identifying vulnerable cases like AWS S3 and distinguishing them from non-vulnerable ones like HubSpot and Atlassian StatusPage. It also discusses automating the discovery process with tools such as OWASP Amass, Subfinder, Subjack, and Subzy, and outlines exploitation methods including OAuth/SSO token leaks and cookie leaks via misconfigured cookie policies. → intigriti.com |
| 2026-04-22 2026 | FFuF Fuzzer Guide: Fuzz Faster u Fool for Bug Bounty Hunters intermediate 5 min read | Tool for web fuzzing: FFuF (Fuzz Faster u Fool) assists bug bounty hunters by rapidly discovering directories, files, and hidden parameters. It supports GET and POST requests, authenticated testing via cookies, recursive directory scanning, and allows customization of request delay, threading, and response code filtering. Installation involves obtaining the Go programming language and then using "go get" to install FFuF from its GitHub repository. → intigriti.com |
| 2026-04-22 2026 | Open Source Intelligence Gathering: Techniques, Automation, and Visualization beginner 19 min read | Reference detailing techniques for gathering open-source intelligence, focusing on mapping networks, discovering domains via reverse WHOIS with tools like WhoXY, and enumerating subdomains using services such as crt.sh and Censys. It covers resolving domains to IP addresses, analyzing DNS records including MX and TXT for email spoofing potential via DMARC and SPF, and emphasizes automation for efficiency. |
| 2026-04-22 2026 | OWASP Test for Subdomain Takeover beginner 3 min read | Library for testing subdomain takeover vulnerabilities, which occurs when a subdomain record points to a non-existent or inactive external service and the service provider does not verify ownership. This allows attackers to claim subdomains, leading to attacks like phishing or credential theft. The library covers testing various DNS record types, including A, CNAME, and NS, and details methods for black-box and gray-box testing using tools like `dig` and `dnsrecon`. → owasp.org |
| 2026-04-22 2026 | Maximizing Security Outcomes: The Role of ASM in Bug Bounty Programs beginner 30 min read | Library for optimizing bug bounty programs, focusing on attacker mentality and high-impact findings. It emphasizes continuous, wide-breadth attack surface analysis and deep mapping, reflecting principles born from the bug bounty space. The library helps companies attract top talent by aligning with hunter motivations, who prioritize high payouts and focus on a limited number of programs that offer significant returns for their manual hacking efforts. → assetnote.io |
| 2026-04-22 2026 | Building a Fast One-Shot Recon Script for Bug Bounty intermediate 10 min read | Library for building a one-shot reconnaissance script for bug bounty hunting, automating asset discovery, subdomain enumeration using tools like puredns and shuffledns, HTTP server enumeration with nmap and tew, and vhosting resolution. It also incorporates HTTP crawling with gospider and response capture inspired by Tomnomnom's techniques, aiming to efficiently gather essential information for initial bug bounty assessments. |
| 2026-04-19 2026 | The 2026 State of Attack Surface Management — ProjectDiscovery news 1 min read | Whitepaper on Attack Surface Management in 2026, detailing how AI adversaries operate at machine speed and render legacy ASM tools insufficient. It explains why traditional visibility-focused approaches fail against autonomous, adaptive attackers, and introduces the concept of "Proof-Based Intelligence" as the future of ASM. The document highlights the need for deterministic validation, application exposure logic, and adaptive learning, supported by real-world case studies demonstrating significant reductions in alerts and operational savings. → projectdiscovery.io |
| 2026-04-19 2026 | The Ultimate Guide to Attack Surface Management Tools in 2025 news 5 min read | Guide to 20 Attack Surface Management (ASM) tools for 2025, featuring FireCompass, Intruder, Detectify, CrowdStrike Falcon, Trend Vision One, Darktrace, Qualys CSAM, CyCognito, Tenable ASM, SentinelOne Singularity, Wiz, Mandiant Advantage, UpGuard, Palo Alto Networks, WithSecure ASM, CTM360 HackerView, IBM Security Randori, Scrut Automation, Risk-based Vulnerability Management, and Cyber Asset Management. This resource details automated asset discovery, vulnerability scanning, threat detection, and risk prioritization capabilities offered by these solutions. |
| 2026-04-19 2026 | Top 10 Attack Surface Management Tools for 2026 — Intruder news 5 min read | Library of attack surface management tools for 2026, including Intruder, Detectify, Rapid 7, Qualys, Tenable, Microsoft Defender, CyCognito, CrowdStrike Falcon Surface, Mandiant Advantage, and Cymulate. These solutions help uncover exposed assets, identify vulnerabilities, and reduce business risk by providing continuous monitoring and automated security testing for dynamic cloud environments and web applications. |
| 2026-04-19 2026 | 12 Attack Surface Management Tools to Know in 2026 news 21 min read | Tools for Attack Surface Management (ASM) continuously discover and map externally accessible assets, validate their security posture, and prioritize vulnerabilities for remediation. These solutions identify domains, sub-domains, APIs, and cloud services, creating comprehensive inventories. By assessing exploitability and business context, ASM tools help organizations reduce their digital footprint, detect hidden threats like shadow IT, and proactively manage risks arising from expanding cloud environments and third-party services. |
| 2026-04-19 2026 | SubFinder: Automating Subdomain Enumeration for Bug Bounty in 2025 intermediate | SubFinder: Automating Subdomain Enumeration for Bug Bounty in 2025 |
| 2026-04-17 2026 | Naabu Zero to Hero Guide (Cyber Aryan) beginner | Library for high-speed SYN-based port scanning, Naabu enables rapid identification of open ports. Designed for reconnaissance pipelines, it accepts domains or hosts as input and outputs open ports. Usable for stealth scans, firewall bypass with TCP connect, or integration with Nmap for further analysis, Naabu is frequently chained with tools like Subfinder and Httpx to create efficient attack surface enumeration pipelines. |
| 2026-04-17 2026 | Mastering Network Scanning: Nmap and Masscan Guide beginner | Mastering Network Scanning: Nmap and Masscan Guide |
| 2026-04-17 2026 | Naabu Cheat Sheet: Commands & Examples (HighOn.Coffee) intermediate 2 min read | Cheatsheet on Naabu, a fast Go-based port scanner from Project Discovery, detailing its features like automatic IP deduplication, SYN/CONNECT/UDP scanning, and passive Shodan integration. It provides installation instructions for Linux and Kali, along with practical command examples for scanning all ports, verifying specific ports, and integrating with Nmap for service enumeration. |
| 2026-04-17 2026 | naabu: Fast Go port scanner (ProjectDiscovery) beginner 9 min read | Library for fast SYN, CONNECT, and UDP port scanning. naabu supports numerous input and output formats, including JSON, and offers features like CDN/WAF exclusion, NMAP integration for service discovery, and custom UDP payloads. It can scan hosts from lists, CIDRs, or ASNs, and provides options for rate limiting, IPv4/IPv6 scanning, and proxy support. |
| 2026-04-17 2026 | Recon series #4: Port scanning methods (YesWeHack) beginner 8 min read | Library for reconnaissance techniques, detailing passive and active port scanning methods to uncover open ports and hidden services. It explores tools like Nmap, Masscan, and Naabu, and techniques such as TCP SYN, CONNECT, and UDP scanning, alongside banner grabbing for service identification. The resource also covers evasion strategies for firewalls and IDS, referencing methods like decoys and scan delays to improve stealth. → yeswehack.com |
| 2026-04-17 2026 | bountyRecon: Bash automation for bug bounty recon intermediate | bountyRecon: Bash automation for bug bounty recon |
| 2026-04-17 2026 | JSFScan.sh: JavaScript recon automation (KathanP19) intermediate 2 min read | Tool for automating JavaScript reconnaissance in bug bounty programs. JSFScan.sh gathers JavaScript file links from various sources, extracts endpoints and secrets, fetches JS files for manual analysis, generates wordlists, identifies variables, scans for DOM XSS, and produces HTML reports. It can be run locally or within a Docker container, offering options for targeted scans or comprehensive analysis using tools like hakrawler. |
| 2026-04-17 2026 | Reconky: Content discovery bash script intermediate 1 min read | Library for automated reconnaissance and information gathering. This Bash script, Reconky, uses tools like assetfinder, Sublist3r, amass, knockpy, httprobe, nmap, waybackurls, and eyewitness to gather subdomains, check for duplex, perform dictionary attacks, identify alive domains, investigate subdomain takeovers, scan open ports, extract parameters, collect files, and capture screenshots. It also assists in assembling possible parameters from wayback_url data and pulling json/js/php/aspx/ files. |
| 2026-04-17 2026 | Bug-Bounty-Automation: Bash recon (Retr0-45809) intermediate | Library automating bug bounty reconnaissance using Bash scripting. It orchestrates tools like Sublister, Eyewitness, Assetfinder, Amass, Httprobe, Nmap, and Sqlmap, requiring Kali Linux, Python, and Golang. The script executes multiple recon tools sequentially, storing their outputs for a comprehensive view of web application, mobile app, and other platform vulnerabilities. |
| 2026-04-17 2026 | Recon-Script: automation with Nuclei (s1d6point7bugcrowd) intermediate 2 min read | Library for automating Nuclei vulnerability scans, integrating features like voice notifications via espeak, proxychains support, and optional cloud uploads to ProjectDiscovery Cloud Platform (PDCP). It allows for out-of-scope filtering, custom bug bounty headers, and detailed scan logging with timestamps, supporting tools such as subfinder, dnsx, and httpx. |
| 2026-04-17 2026 | Bug-Bounty-Recon-Automation shell script (Amangupta1234) intermediate 1 min read | Library for automating bug bounty reconnaissance tasks. This Bash script streamlines project documentation, subdomain enumeration using Sublist3r and assetfinder, subdomain resolution with httprobe, and directory bruteforcing/fuzzing with dirsearch. It also includes subdomain takeover detection via Subjack and JavaScript file discovery with subjs, simplifying repetitive processes for hunters. |
| 2026-04-17 2026 | The Ultimate Guide to Finding Bugs With Nuclei (ProjectDiscovery) beginner 43 min read | Library for efficient, extensible vulnerability scanning using YAML-based templates. Nuclei supports HTTP, DNS, SSL, and raw TCP protocols, allowing detection of CVEs, misconfigurations, and sensitive file exposures. It integrates into workflows with other tools and offers features like custom template creation, fuzzing, advanced DSL for matchers, and various scan modes including headless and network. Advanced options include rate limiting, template filtering by technology, severity, or name, and resuming interrupted scans. → projectdiscovery.io |
| 2026-04-17 2026 | The Ultimate Recon Arsenal: 25+ Commands for Bug Bounty Workflow intermediate 4 min read | Library of 25+ reconnaissance commands streamlines bug bounty workflows, covering advanced subdomain enumeration with tools like Amass and MassDNS, asset discovery and service fingerprinting using HTTPX, directory brute-forcing with Feroxbuster, and JavaScript analysis with LinkFinder. It also details automating these processes with a Bash workflow script and validating critical vulnerabilities using Nuclei. The library emphasizes the necessity of automation for efficient, large-scale target mapping and attack surface assessment, highlighting techniques that move beyond basic automation to masterful enumeration. → undercodetesting.com |
| 2026-04-17 2026 | xpfarm: Automated bug bounty & recon framework (GitHub) intermediate 8 min read | Library wrapping offensive security tools like Subfinder, Naabu, Httpx, Nuclei, Nmap, and Gowitness into a unified web UI. It offers distributed scanning, AI-generated reports via Overlord, a smart scan planner, and an interactive attack graph, supporting multiple AI providers and specialized agents for analysis. |
| 2026-04-17 2026 | Automate Your Nuclei Recon Pipeline with VPN + Discord Alerts intermediate 3 min read | Script automates bug bounty reconnaissance by enumerating subdomains with subfinder, probing live hosts via httpx, rotating NordVPN IPs, and running Nuclei scans with specific templates and filters. It sends Discord alerts for any found vulnerabilities, detailing the count, severity, template ID, matched target, and current IP. The process is designed for repeatable, single-command execution on a list of target domains. |
| 2026-04-17 2026 | Advanced Recon: Taking Your Subdomain Discovery to the Next Level intermediate | Advanced Recon: Taking Your Subdomain Discovery to the Next Level |
| 2026-04-17 2026 | GitHub dorking for beginners: find more vulnerabilities (Intigriti) beginner 7 min read | Guide detailing how to leverage GitHub's advanced search operators for bug bounty hunting. It covers essential techniques like using `org:`, `user:`, `extension:`, and boolean operators, alongside advanced filters such as `filename:`, `language:`, and `path:`. Specific examples demonstrate finding hard-coded secrets like Stripe API keys, AWS access keys, and OpenAI API keys, as well as sensitive configuration files, hard-coded URLs, database connection strings, and JWT secrets. → intigriti.com |
| 2026-04-17 2026 | google-dorks-bug-bounty (TakSec, GitHub) intermediate 2 min read | Library of Google Dorks for bug bounty hunting, web application security, and penetration testing. This collection includes dorks for discovering configuration files, error messages, API endpoints, potential vulnerabilities, sensitive documents, administrative interfaces, and various subdomain structures. It also provides example queries for identifying specific technologies like Apache and Drupal, and for searching on platforms like Pastebin, GitHub, and cloud storage services. |
| 2026-04-17 2026 | How I Found Sensitive Information using GitHub Dorks (Part 3) intermediate | How I Found Sensitive Information using GitHub Dorks (Part 3) |
| 2026-04-17 2026 | The Ultimate Subdomain Recon Playbook beginner 4 min read | Library for systematic subdomain enumeration, progressing from passive OSINT tools like crt.sh, DNSDumpster, SecurityTrails, Shodan, and Censys, to offline command-line tools including Subfinder, Amass, Assetfinder, puredns, and dnsx. It further incorporates web archive crawling with gau and waybackurls, JS file analysis using linkfinder and hakrawler, and advanced DNS permutation attacks via dnsgen and altdns. The library also facilitates automation through tools like Chaos, httpx, OneForAll, and ReconFTW, and includes post-recon workflows for subdomain takeover checks with subjack and nuclei, port scanning with naabu, and vulnerability scanning with nuclei. |
| 2026-04-17 2026 | Complete Guide to Amass Tool (2025 Edition) beginner 12 min read | Library for comprehensive Amass recon and subdomain enumeration, covering installation on Kali Linux, Termux, and Windows WSL. It details Amass modules like Enum, Intel, Viz, Track, and DB, and provides basic usage examples for discovering subdomains, mapping DNS, and performing passive and active recon. The guide also includes pro tips for bug bounty hunters and installation via GitHub binary. |
| 2026-04-17 2026 | Mastering Passive Reconnaissance for Bug Bounty and Pentesting beginner | Mastering Passive Reconnaissance for Bug Bounty and Pentesting |
| 2026-04-17 2026 | Mastering OSINT for Bug Bounty: Advanced Deep Recon intermediate 4 min read | Library for performing deep reconnaissance in bug bounty hunting, this resource details advanced Open-Source Intelligence (OSINT) tools and techniques. It covers subdomain enumeration with Amass and Subfinder, exposed service discovery using Shodan and Censys, and secret finding via GitHub Dorks and Gitleaks. The guide also explores identifying technologies and employees through LinkedIn and Twitter, and extracting metadata with ExifTool and FOCA, outlining a comprehensive workflow for mapping targets and identifying vulnerabilities. |
| 2026-04-17 2026 | Mastering Passive Information Gathering: Extensive OSINT Guide beginner 30 min read | Guide detailing passive information gathering, also known as OSINT, crucial for penetration testing and threat research. It covers objectives, methodologies including domain reconnaissance, metadata analysis, SOCMINT, and public records. Core tools such as WHOIS, Dig, ExifTool, FOCA, and platforms like LinkedIn and GitHub are discussed, alongside ethical considerations, operational security (OPSEC) practices, and data analysis techniques using tools like Maltego. Real-world use cases, reporting, and future trends like AI-assisted OSINT are also explored. |
| 2026-04-17 2026 | 9 Attack Surface Monitoring Tools in 2026 (SentinelOne) news 16 min read | Library for discovering and managing attack surface exposures, including open ports, subdomains, misconfigurations, and public-facing APIs. It integrates with SIEMs and incident response teams, providing real-time risk assessment and addressing multi-cloud and hybrid complexities. SentinelOne Singularity™ Cloud Security, a CNAPP solution, offers features like CSPM, CIEM, EASM, AI-SPM, CWPP, and CDR, with autonomous AI-based protection and secret detection. → sentinelone.com |
| 2026-04-17 2026 | Recon Methodology: Subdomain Enumeration beginner | Recon Methodology: Subdomain Enumeration |
| 2026-04-17 2026 | Recon Guide: Subdomain Enumeration beginner | Recon Guide: Subdomain Enumeration |
| 2026-04-17 2026 | Bug-Bounty-recon: Automated recon framework (GitHub) intermediate 2 min read | Library for automated reconnaissance in authorized security testing and bug bounty programs. It chains tools like subfinder, assetfinder, httpx, and nuclei to discover subdomains, identify login pages, admin panels, APIs, and perform Nmap scans. The framework detects changes between runs, reporting only new subdomains, open ports, and findings, ideal for scheduled or continuous monitoring on VPS. |
| 2026-04-17 2026 | Subdomain enumeration: expand attack surface with active, passive methods intermediate 9 min read | Library for advanced subdomain enumeration, this resource details passive techniques using tools like Censys, Shodan, Subfinder, and Amass, alongside active methods such as DNS brute-forcing with Gobuster. It emphasizes expanding the attack surface by discovering hidden subdomains through analyzing public databases, SSL logs, and web archives, and through direct interaction with the target, offering practical examples for bug bounty hunting and penetration testing. → yeswehack.com |
| 2026-04-16 2026 | Passive Reconnaissance Using OSINT beginner 6 min read | Library for performing passive reconnaissance using OSINT, detailing methodologies for mapping public-facing infrastructure without direct interaction. It emphasizes techniques like Google Advanced Search, analyzing client-side scripts with tools like LinkFinder, and leveraging external services such as crt.sh, Findsubdomains.com, and Censys.io to discover subdomains, exposed services, and potential vulnerabilities like token leaks or privilege escalation. The library highlights real-world examples, including bounties from Snapchat and Shopify, and the discovery of misconfigured Jenkins instances. |
| 2026-04-16 2026 | From Recon to Sensitive Key Exposure Using Nuclei intermediate | From Recon to Sensitive Key Exposure Using Nuclei |
| 2026-04-16 2026 | reconFTW: Automated Recon Tool intermediate 25 min read | Library for automated reconnaissance, reconFTW automates subdomain enumeration, vulnerability scanning for XSS, SSRF, SQLi, and more, and OSINT gathering. It supports distributed scanning via AX Framework, integrates with Faraday for reporting, and leverages tools like subfinder, nuclei, ffuf, and SQLMap for comprehensive intelligence. |
| 2026-04-16 2026 | A Deep Dive on Katana Field Extraction intermediate 4 min read | Tool for headless web crawling and field extraction. Katana, a Golang-based CLI tool from ProjectDiscovery, efficiently spiders web applications and supports customizable field extraction using regex. It reduces unstructured data by allowing users to filter and utilize output for reconnaissance pipelines or to identify specific data like unique parameters for fuzzing XSS vulnerabilities. Katana supports predefined fields and custom regex-based extraction for enhanced data processing. → projectdiscovery.io |
| 2026-04-16 2026 | Subdomain Takeover in 2025: New Methods and Tools intermediate 3 min read | Library detailing subdomain takeover techniques, focusing on their continued effectiveness in 2025 due to widespread cloud adoption. It covers the fundamental mechanism of takeovers, their inherent dangers such as brand reputation damage and facilitating phishing, and outlines a step-by-step workflow involving subdomain enumeration with tools like `subfinder` and `dnsx`, followed by exploitation checks. The resource also highlights essential tools such as `httpx` and `subzy`, and demonstrates an automated exploitation example on Heroku. |
| 2026-04-16 2026 | My Complete Recon Workflow for Bug Bounty Hunting (2025) intermediate 4 min read | Library of tools and techniques for bug bounty hunting reconnaissance, detailing subdomain enumeration with Subfinder, Amass, Sublist3r, and Aquatone; DNS discovery using DNSrecon and DNSEnum; host discovery with httpx; automation via ReconFTW; and port scanning and fingerprinting with Nmap, Rustscan, and Masscan. |
| 2026-04-16 2026 | Internet-Wide Recon: Moving Past IP-Centric Approaches intermediate 20 min read | Reference on internet-wide reconnaissance challenges, this resource discusses the limitations of IP-centric scanning approaches due to modern cloud architectures, complex routing, WAFs, CDNs, and TLS-SNI. It highlights how relying solely on IP addresses can miss significant attack surface by failing to identify numerous subdomains pointing to the same IP, leading to incorrect host header values and application routing. The discussion emphasizes the need for more robust discovery methods that consider subdomain data and associated metadata for comprehensive attack surface mapping. → assetnote.io |
| 2026-04-16 2026 | The Art of Recon: Strategies for Modern Asset Discovery beginner 36 min read | Technique outlining modern asset discovery and reconnaissance strategies, moving beyond purely tool-centric approaches. This method emphasizes a conceptual framework comprising breadth, depth, context, amplification, and focus to achieve outcome-driven reconnaissance, enabling the discovery of critical vulnerabilities and unique insights into an organization's attack surface. The approach acknowledges the evolution of IT infrastructure, from traditional data centers to cloud-native environments, and adapts reconnaissance techniques accordingly. → assetnote.io |
| 2026-04-14 2026 | GitHub - retlehs/quien: A better WHOIS lookup tool beginner 3 min read | Tool for domain and IP intelligence, offering an interactive TUI with tabbed views for WHOIS, DNS, mail configuration (SPF, DMARC, DKIM, BIMI), SEO analysis, and tech stack detection. It supports RDAP and WHOIS lookups, IP analysis with ASN discovery, and optional Core Web Vitals field data from the CrUX API. Features include JSON output for scripting, automatic retries, and customizable resolvers. |
| 2026-04-12 2026 | Why Security Researchers and Red Teams Are Turning to Workflow Automation intermediate 5 min read | Library for workflow automation in security, enabling SOC analysts, red teamers, and bug bounty hunters to streamline tasks. It supports automated threat intelligence aggregation from sources like BreachForums and Telegram, IOC enrichment using VirusTotal and AbuseIPDB, and reconnaissance pipeline automation with tools like n8n for subdomain enumeration and tech stack fingerprinting. The library emphasizes self-hosting, auditable code, flexible logic, and an API-first architecture for secure and efficient security operations. → hackread.com |
| 2026-04-10 2026 | Recon Roundup: Ultimate Reconnaissance Guide beginner 3 min read | Guide summarizing Bug Bounty reconnaissance techniques, including subdomain enumeration, port scanning, HTTP fingerprinting, hidden-parameter mapping, Google dorking, and archive-based recon. It details how to use tools like Nmap, Shodan, and the Wayback Machine, and covers manual methods such as force browsing and fuzzing for hidden directories, aiming to uncover high-impact vulnerabilities overlooked by automated scanners. → yeswehack.com |
| 2026-04-10 2026 | From Recon to Report: Complete Workflow 2025 intermediate 4 min read Bug Bounty | Library for bug bounty hunters detailing a complete workflow from reconnaissance to reporting, including tools like Subfinder, Amass, Nuclei, Burp Suite, and Dalfox. It covers passive and active reconnaissance, enumeration techniques, vulnerability scanning for XSS and SQLi, manual testing, and effective report writing with examples for IDOR and SSRF. The resource also lists bug bounty platforms such as HackerOne and Bugcrowd, and emphasizes strategy, patience, and continuous learning. |
| 2026-04-10 2026 | Mastering Recon in Bug Bounty: Advanced Techniques 2025 advanced | Mastering Recon in Bug Bounty: Advanced Techniques 2025 |
| 2026-04-10 2026 | Recon to Master: Complete Bug Bounty Checklist beginner Bug Bounty | Recon to Master: Complete Bug Bounty Checklist |
| 2026-04-10 2026 | Awesome Bug Bounty Tools - GitHub beginner 27 min read Bug Bounty XXE | Library is a curated list of bug bounty tools categorized by vulnerability types such as SQL Injection, XSS, and Server-Side Request Forgery, along with specialized tools for subdomain enumeration (e.g., Subfinder, Findomain), port scanning (e.g., masscan, nmap), web technology identification (e.g., Wappalyzer, whatweb), and content discovery (e.g., gobuster, feroxbuster). |
| 2026-04-10 2026 | Automating Subdomain Enumeration: Tools and Techniques at Scale intermediate | Automating Subdomain Enumeration: Tools and Techniques at Scale → osintteam.blog |
| 2026-04-10 2026 | Ultimate Guide to Subdomain Enumeration for Bug Bounty beginner | Ultimate Guide to Subdomain Enumeration for Bug Bounty |
| 2026-04-10 2026 | Amass Cheat Sheet: 70+ Commands for Recon & Bug Bounty beginner 3 min read | Cheatsheet of 70+ Amass commands for reconnaissance and bug bounty hunting, detailing installation on Kali Linux, beginner and advanced techniques, and real penetration testing scenarios. This resource helps cybersecurity professionals discover subdomains, exposed infrastructure, and attack surfaces by leveraging open-source intelligence, DNS queries, and brute force methods. It also covers Amass's legal usage, its inclusion in Kali Linux, and alternatives like Subfinder and Sublist3r for comprehensive domain enumeration. |
| 2026-04-10 2026 | The Complete Bug Bounty Recon Playbook: 2025 Edition beginner | The Complete Bug Bounty Recon Playbook: 2025 Edition |
| 2026-04-10 2026 | Master Bug Bounty Hunting with Top Recon Tools beginner 3 min read | Library for automating bug bounty reconnaissance, ReconFTW gathers extensive target information using OSINT, subdomain enumeration (passive and active), port scanning, service enumeration, and web application scanning for common vulnerabilities like SQL injection, XSS, and OWASP Top Ten issues. It also performs content discovery, takes screenshots, and generates comprehensive reports with remediation recommendations, aiding bug bounty hunters, penetration testers, and security researchers. |
| 2026-04-10 2026 | Recon for Bug Bounty: 8 Essential Tools beginner 7 min read Bug Bounty | Library of eight essential bug bounty reconnaissance tools, including Amass for asset enumeration, Google/Bing/GitHub dorking, Eyewitness for live host screenshotting and fingerprinting, Wappalyzer for technology identification, GAU (GetAllUrls) for fetching URLs from archives, ffuf for content discovery and bruteforcing, Arjun for parameter discovery, and LinkFinder for extracting links from JavaScript files. → intigriti.com |
| 2026-04-10 2026 | Bug Bounty 101: Top 10 Reconnaissance Tools beginner 18 min read OSINT | Library for passive reconnaissance that aids bug bounty hunters in mapping a target's digital footprint by uncovering domains, subdomains, IP ranges, open ports, services, and historical URLs. It integrates with other tools like Maltego, Subfinder, and theHarvester, offering API and CLI access for automation. |
| 2026-04-10 2026 | 2025 Bug Bounty Methodology and Persistent Recon intermediate Bug Bounty | 2025 Bug Bounty Methodology and Persistent Recon |
| 2026-04-10 2026 | Bug Bounty Recon Methodology 2025 - GitHub intermediate 4 min read Bug Bounty | Library enumerating subdomains, APIs, and cloud assets for bug bounty hunting. This resource details techniques and tools like Subfinder, Amass, CRTSH, Github-Search, MassDNS, GAU, Waybackurls, CloudEnum, AWSBucketDump, S3Scanner, LinkFinder, GitDorker, Feroxbuster, FFuF, and Kiterunner. It also covers testing for vulnerabilities such as CSRF, LFI, RCE, and SQLi, along with reporting methodologies and evidence gathering. |
| 2026-04-08 2026 | AI Foundations and Reconnaissance (Hacking with AI) beginner 4 min read | Workshop slides from DEF CON 32 covering hardware fault injection on embedded systems, focusing on side-channel analysis and voltage glitching techniques. The material includes practical demonstrations and theoretical explanations of how to extract sensitive information from microcontrollers and IoT devices, detailing common vulnerabilities and mitigation strategies. It highlights the use of tools like ChipWhisperer for advanced penetration testing in hardware security. |
| 2026-04-06 2026 | Masriyan/Aegis: Windows Attack Surface Discovery Tool intermediate 3 min read | Tool for automated attack surface discovery, Aegis consolidates OSINT, active reconnaissance, and threat intelligence into a single interface. It features 30+ modules for tasks like subdomain enumeration, technology stack identification, SSL/TLS analysis, and mapping findings to MITRE ATT&CK techniques, with risk scoring and export capabilities to PDF, JSON, CSV, and STIX formats. Aegis operates locally without requiring API keys for core functionality. |
| 2026-04-06 2026 | External Attack Surface Management (EASM) beginner 16 min read | Library that identifies, monitors, and analyzes an organization’s public-facing digital assets, such as websites, APIs, and cloud services, to detect vulnerabilities, misconfigurations, and potential entry points. It provides an attacker's-eye view of the digital perimeter, focusing on risks from exposed services, web application flaws, cloud misconfigurations, subdomain takeovers, credential-based attacks, shadow IT exploitation, and legacy assets. |
| 2026-04-06 2026 | Using OWASP Amass with Netlas Module intermediate 3 min read | Library for reconnaissance and attack surface mapping, OWASP Amass integrates with the Netlas module. This guide details Amass installation via pre-built packages, source compilation, or Homebrew, and its configuration to leverage Netlas API keys within `datasources.yaml` for enhanced subdomain enumeration. Users can then execute `amass enum -d <domain> -include Netlas` to specifically query Netlas data or `amass enum -d <domain> -o <output_file>` to combine Netlas with other configured sources. |
| 2026-04-06 2026 | The Complete Beginner's Guide to Bug Bounty Reconnaissance beginner | The Complete Beginner's Guide to Bug Bounty Reconnaissance → infosecwriteups.com |
| 2026-04-06 2026 | How I Built an Automated Recon Pipeline for Bug Bounty Hunting intermediate | How I Built an Automated Recon Pipeline for Bug Bounty Hunting |
| 2026-04-03 2026 | A Step-by-Step Android Penetration Testing Guide | Hack The Box intermediate 26 min read | Guide on Android penetration testing fundamentals, offering step-by-step instructions and detailing techniques like local data storage enumeration, APK extraction, reverse engineering with JADX, decompiling/recompiling APKs, and intercepting network traffic. It emphasizes utilizing the OWASP Mobile Top Ten vulnerabilities, including improper platform usage, insecure data storage, insecure communication, and insecure authentication, while referencing real-world incidents like the Klarna and ParkMobile breaches. |
| 2026-04-03 2026 | Mobile App Pentest Cheatsheet intermediate 15 min read | Cheatsheet compiling high-value information for mobile application penetration testing, mapped to OWASP Mobile Top 10 risks. It covers distributions, frameworks like MobSF and Needle, Android and iOS testing techniques, and numerous tools including Appie, Android Tamer, Vezir Project, Mobexler, APKTool, Jadx, Qark, SUPER, AndroBugs, Simplify, GDA, Cydia Substrate, Xposed, PID Cat, Inspeckage, Frida, Fridump, House, AndBug, and Drozer. Essential commands for disassembly, rebuilding, deoptimization, and debugging are also included. |
| 2026-04-03 2026 | GarudRecon - Automated Domain Recon with XSS, SQLi, LFI, RCE Detection intermediate 13 min read | Tool automating asset discovery and vulnerability assessment, GarudRecon integrates over 80 open-source tools. It supports subdomain enumeration with tools like subfinder and amass, port scanning via naabu and nmap, and vulnerability detection for XSS, SQLi, LFI, and RCE. GarudRecon offers flexible modes for small, medium, and large scope engagements, along with workflow and fleet capabilities for complex or distributed tasks, and scheduled monitoring through cronjobs. |
| 2026-04-03 2026 | Automating Subdomain Enumeration to Discover Critical Vulnerabilities intermediate | Automating Subdomain Enumeration to Discover Critical Vulnerabilities |
| 2026-04-03 2026 | SubdomainX: All-in-One Subdomain Enumeration and Reconnaissance Tool intermediate 3 min read | Tool for comprehensive subdomain enumeration and reconnaissance, SubdomainX integrates over 12 popular enumeration tools and 7 API services including SecurityTrails, VirusTotal, and Censys. It features a multi-threaded architecture for high performance, intelligent checkpointing for resuming scans, and advanced reporting capabilities with HTML, JSON, and CSV exports compatible with security tools like OWASP ZAP, Burp Suite, and Nessus. SubdomainX supports custom wordlists, smart filtering, and detailed HTTP probing with httpx, alongside fast port scanning via smap. |
| 2026-04-03 2026 | How to Use Amass for Subdomain Enumeration and Recon Like a Pro intermediate 8 min read | Library for comprehensive subdomain enumeration and attack surface discovery. Amass employs passive OSINT techniques, leveraging Certificate Transparency logs, Shodan, Censys, and public datasets, alongside active methods like DNS brute-forcing, permutations, and scraping. It supports DNS resolution and validation, brute-forcing with custom wordlists, reverse WHOIS and ASN lookups, and infrastructure mapping via graph databases, enabling visualization with `amass viz` and change detection with `amass track`. |
| 2026-04-03 2026 | Subfinder Complete Guide 2025: Subdomain Enumeration Mastery intermediate 4 min read | Library for stealthy subdomain enumeration, Subfinder gathers subdomains from passive online sources to map an organization's attack surface. It supports extensive configuration options, including selecting sources, filtering patterns, using custom resolvers, and integrating API keys for services like BinaryEdge, Censys, GitHub, Shodan, and VirusTotal. Subfinder can output results in plain text or JSON, and it integrates well with other ProjectDiscovery tools like httpx and nuclei for comprehensive reconnaissance. |
| 2026-04-03 2026 | Reconnaissance 102: Subdomain Enumeration | ProjectDiscovery beginner 4 min read | Tool series exploring subdomain enumeration for penetration testing and bug bounty hunting, detailing passive techniques with `subfinder` and active methods including brute-forcing with `amass` and `puredns`. This resource emphasizes the importance of efficient information gathering through both active and passive reconnaissance to identify potential attack vectors. → projectdiscovery.io |
| 2026-04-03 2026 | GitHub - backendsystems/nibble: easy to use command line network scanner, with a clickable tui interface intermediate 2 min read | Tool for local network scanning, featuring a clickable TUI and headless JSON output. It rapidly discovers hosts, hardware manufacturers (including Raspberry Pi, Ubiquiti, Apple), and open ports with service banners for SSH, HTTP, SMB, and more. Nibble supports custom port lists, targeted scans, and remembers past scan history, offering flexibility for both interactive and scripted network analysis. |
| 2026-03-19 2026 | RECOX — Recon & Bug Bounty Toolkit intermediate Bug Bounty | Library for bug bounty hunters that automates subdomain and endpoint discovery from passive sources, guiding users through a post-recon workflow. It leverages historical web archives to find known endpoints, paths, and URLs for a given domain without active scanning, offering a structured approach to mapping attack surfaces and identifying further avenues for vulnerability research. |
| 2026-03-05 2026 | Tips to automate your hacking using N8N | @Bugcrowd beginner Bug Bounty | Implementing automation for the first time can feel overwhelming, as there is so much to learn. Get tips to use N8N to automate hacking. → bugcrowd.com |
| 2026-02-25 2026 | DotNetRussell/hackmap: HackMap — a local pentest mapping tool with real-time command execution, persistent history per target, visual attack paths, and one-click PDF reporting. Run on localhost only. No auth. Pure power. intermediate 1 min read | Tool for local penetration testing that visually maps attack paths with real-time command execution. HackMap allows users to create workspaces, add nodes with custom icons, connect them with editable edges, and execute shell commands like `whoami` or `netstat` with streaming output. It features persistent command history per node, subgraphs for hierarchical organization, ownership tracking with a skull icon, and generates detailed, hierarchical PDF reports with statistics and node connections. The application runs locally with Python 3 and Flask, requiring no authentication. |
| 2026-02-21 2026 | samugit83/redamon: An AI-powered agentic red team framework that automates offensive security operations, from reconnaissance to exploitation to post-exploitation, with zero human intervention. advanced 19 min read AI | Framework that automates offensive security operations through AI agents, chaining reconnaissance, exploitation, and post-exploitation. It features agents for credential policy validation using Hydra, CVE exploit path verification, and XSS vulnerability mapping. RedAmon utilizes a Neo4j knowledge graph to store findings, employs an AI triage agent for deduplication and ranking, and a CodeFix agent to implement fixes and create GitHub pull requests. It supports various LLM providers like OpenAI and Anthropic, integrates with OSINT tools such as Shodan and SerpAPI, and offers tunneling via ngrok or chisel. |
| 2026-02-18 2026 | Maniesh-Neupane/BugBounty-Recon-Methodology beginner 3 min read Bug Bounty | Methodology detailing bug bounty reconnaissance, covering global footprint identification using `asnmap`, `dnsx`, `whois`, and various third-party API scraping for IP ranges. It outlines subdomain enumeration techniques with tools like `subfinder`, `findomain`, `amass`, and `Chaos`, followed by data validation and permutation scanning via `puredns` and `alterx`. The process includes service mapping with `naabu` and `nmap`, virtual host discovery using `ffuf`, and web application analysis with `httpx` and `nuclei` for CVEs and misconfigurations. Finally, it details JavaScript mining with `waymore` and `katana`, sensitive file extraction, and automated vulnerability testing for injection and XSS using `arjun`, `gf`, and `ffuf`. |
| 2026-02-17 2026 | vxcontrol/pentagi: ✨ Fully autonomous AI Agents system capable of performing complex penetration testing tasks advanced 57 min read AI | Library for fully autonomous AI agents designed to perform complex penetration testing tasks. PentAGI integrates over 20 professional security tools, including nmap, metasploit, and sqlmap, within a sandboxed Docker environment. It features a smart memory system, knowledge graph integration with Neo4j, and web intelligence capabilities. The system supports external search systems like Tavily and Perplexity, delegating tasks to specialized AI agents. It offers comprehensive monitoring via Grafana/Prometheus, detailed reporting, and scalable microservices architecture with support for numerous LLM providers and REST/GraphQL APIs. |
| 2026-02-16 2026 | How I Built a 5-Path AI “Recon Beast” with n8n and Gemini (2026 Guide) intermediate AI Bug Bounty | In 2026, the bug bounty landscape requires more than just speed, with AI enhancing attacker capabilities. The article discusses building a 5-Path AI "Recon Beast" using n8n and Gemini. This innovative approach leverages automation and AI to enhance reconnaissance processes for bug bounty hunting. The focus is on utilizing technology to improve efficiency and effectiveness in identifying vulnerabilities. |
| 2026-01-22 2026 | Recon to Master: The Complete Bug Bounty Checklist beginner Bug Bounty | “” is published by 𝙇𝙤𝙨𝙩𝙨𝙚𝙘 in InfoSec Write-ups. → infosecwriteups.com |
| 2026-01-22 2026 | My 5-Minute Workflow to Find Bugs on Any Website beginner Bug Bounty | My 5-Minute Workflow to Find Bugs on Any Website A step-by-step guide to my most effective, shortcut methods for bug bounty hunting. Introduction Hi everyone, welcome back! Today, I’m going to show … → infosecwriteups.com |
| 2026-01-20 2026 | MantisSTS/JSReconduit: Passive JavaScript reconnaissance for penetration testers — bridging Burp Suite traffic into structured, AST-based analysis in VSCode. intermediate 5 min read Burp | Library for passive JavaScript reconnaissance, JSReconduit bridges Burp Suite traffic into VSCode for AST-based analysis. It captures JavaScript assets via a Burp extension, then the VSCode extension analyzes them, rendering findings like HTTP/WebSocket endpoints, drift detection, cluster analysis, dataflow traces, secrets, and signature matches in a sidebar. This tool supports deobfuscation, sourcemap resolution, and generates various reports, including endpoint lists, sink analysis, and risk-ranked asset triage. |
| 2026-01-18 2026 | 0x0FB0/pulsar: Network footprint scanner platform. Discover domains and run your custom checks periodically. intermediate 3 min read | Platform for automated network footprint scanning, Pulsar discovers organization public-facing assets like subdomains, TLDs, and cloud resources. It provides network data visualization, assigns basic vulnerability scores, and functions as a custom scanner for broad scopes, free of API key requirements. Installation involves Git and Docker, with separate scripts for Windows and Linux. |
| 2025-12-03 2025 | ✨ How to get private invitations on #BugBounty platforms ✨ beginner Bug Bounty | 🗨️ Answer: You don’t have to! I noticed that around 70% of my HackerOne private invitations also have public self-hosted bug bounty programs 🙂 Here’s the dorks list I use to find these platforms 🫡 |
| 2025-11-24 2025 | GitHub - tg12/dns-honeypot: dns-honeypot intermediate 5 min read | Tool for deploying a DNS honeypot using Docker Compose, integrating Unbound, Loki, Prometheus, Grafana, and Traefik. This setup passively logs and visualizes DNS queries from the internet, capturing traffic patterns, top queried domains like `scb.se` and `atlassian.com`, and busy client IPs. It facilitates analysis of internet noise, misconfigurations, and scanning activity through detailed dashboards and exportable CSV data. |
| 2025-11-21 2025 | WebRecon from @D4rk_Intel is another OSINT multi-tool worth knowing about. 🧠 beginner OSINT | It automates web crawling, tech stack detection, DNS & WHOIS intel, email harvesting, Wayback lookups, and exports clean JSON reports. Try it here: https://t.co/6inbXMqnsZ |
| 2025-11-08 2025 | robre/jsmon: a javascript change monitoring tool for bugbounties beginner 2 min read Bug Bounty | Tool for monitoring JavaScript file changes on websites. JSMon fetches configured files, compares them to previous versions, and sends notifications via Telegram or Slack upon detection of changes. Notifications include the affected files, size differences, and a diff file for easy inspection. The tool supports cron scheduling for regular checks and allows configuration of notification tokens and target files. |
| 2025-08-14 2025 | ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ on Twitter: "RT @SecurityTrybe: Top 25 Recon Tools and thei beginner | Daniel Miessler shared a tweet about the top 25 Recon Tools, but the content seems to be cut off. It likely refers to a list of tools used for reconnaissance in cybersecurity. Recon tools are essential for gathering information about potential targets to assess vulnerabilities and plan security measures. Daniel Miessler's tweet may have been promoting or sharing valuable resources related to cybersecurity tools and practices. |
| 2025-08-14 2025 | https://github.com/Ekultek/Zeus-Scanner beginner 5 min read | Tool for advanced web application reconnaissance, Zeus automates the process of finding URLs through multiple search engines and bypassing captchas. It supports various proxy types, extracts URLs from ban and webcache results, and integrates with tools like sqlmap for SQL injection assessments and nmap for port scanning. Zeus also enumerates WAF/IPS/IDS protection and performs header analysis, offering a comprehensive approach to discovering vulnerabilities such as XSS and clickjacking. |
| 2025-08-14 2025 | https://github.com/m0rtem/CloudFail beginner 1 min read | Tool for tactical Cloudflare reconnaissance, CloudFail aims to discover origin server IPs. It employs Tor for masked requests and features three attack phases: misconfigured DNS scanning via DNSDumpster.com, Crimeflare.com database lookup, and a brute-force scan of over 2500 subdomains. CloudFail is a Proof of Concept for academic and controlled environment testing only. |
| 2025-08-14 2025 | https://github.com/leebaird/discover beginner 4 min read | Library of custom bash scripts automating penetration testing tasks, including recon with tools like theHarvester, DNSRecon, and dnstwist; scanning using Nmap and Metasploit; web security checks for IDOR and SSL issues; and malicious payload creation with Metasploit. It also supports container security analysis for Docker and Kubernetes environments using Trivy, and facilitates parsing of scan results from Burp, Nessus, and Nmap. |
| 2025-08-14 2025 | https://github.com/BishopFox/GitGot beginner 2 min read | Tool for rapidly searching public GitHub data for sensitive secrets using a semi-automated, feedback-driven approach. GitGot allows users to blacklist files by filename, repository, username, or fuzzy content matches, with saved blacklists reusable across similar queries. It supports session pausing and resuming, utilizes GitHub's advanced search syntax, and requires a GitHub API token for rate limiting. Installation involves installing the `ssdeep` dependency and then Python dependencies. |
| 2025-08-14 2025 | https://github.com/s0md3v/Striker beginner | Library for automated web application security scanning. Striker 2.0, in prototype, finds subdomains, scans common TCP ports, and analyzes HTTP headers for misconfigurations and sensitive files. It crawls subdomains to detect outdated JavaScript libraries using data from Retire.js, identifies CMS and technologies via Wappalyzer signatures, and analyzes WAF signatures sourced from sqlmap. HTML forms are collected for later vulnerability testing. |
| 2025-08-14 2025 | https://github.com/s0md3v/ReconDog beginner 2 min read | Tool that automates reconnaissance by extracting targets from STDIN and utilizing APIs to gather information without direct contact. It integrates with services like Censys, Shodan, and Wappalyzer to perform tasks such as port scanning, CMS and technology detection, subdomain enumeration, WHOIS lookups, and honeypot identification. Recon Dog supports both wizard and command-line interfaces and can parse input from other tools using regular expressions. |
| 2025-04-11 2025 | Nmap for Beginners: Easy Tips to Scan Networks Like a Pro beginner | So, Think this :::: one night when you are trying to sleep , suddenly you imagine what’s happening on your network .. what devices are connected? What services are they running? {JUST 2 AM THOUGHTS… → infosecwriteups.com |
| 2025-04-09 2025 | From Recon to Exploits: Uncovering XSS, Open Redirects, and More using this script intermediate Bug Bounty XSS | Step by Step guide to hunt info disclosure, xss and more → osintteam.blog |
| 2025-03-31 2025 | Javascript Recon for Bug Bounty & Pentesting intermediate Bug Bounty XSS | Hidden endpoints, secrets, and DOM XSS using Automated JS Analysis |
| 2025-03-22 2025 | A Deep Dive into Nmap Scripts for Web Application Testing | by Khaleel Khan | System Weakness intermediate | A Step-by-Step Guide to Leveraging Nmap’s Most Advanced Scripts for Comprehensive Web Application Security Analysis This scenario showcases how an experienced penetration tester could leverage Nmap’s… |
| 2025-02-22 2025 | GitHub - Arcanum-Sec/msftrecon beginner 1 min read | Tool for red teamers and security professionals to map Microsoft 365 and Azure tenant infrastructure. MSFTRecon performs comprehensive, unauthenticated enumeration, identifying potential security misconfigurations and attack vectors. It reveals identity attack vectors, application attack surfaces including OAuth abuse, infrastructure insights like Azure service mapping, and security control awareness such as conditional access configurations. The tool supports targeting government and China cloud instances. |
| 2025-02-12 2025 | GitHub - Chocapikk/wpprobe: A fast WordPress plugin enumeration tool beginner 3 min read | Tool for fast WordPress plugin and theme enumeration, detecting over 5000 plugins without brute-force and thousands more with it. It utilizes REST API enumeration and HTML parsing, mapping findings to CVEs from Wordfence and WPScan databases, including vulnerabilities like PHP Object Injection. The tool supports stealthy, brute-force, and hybrid scanning modes, with optional Wordfence and WPScan API key integration for enhanced database updates. |
| 2025-02-10 2025 | GitHub - LuffySec/Automation-JS-Recon: This tools used for Automating finding of subdomain, and checking for alive subdomain, and gathering js files from all the subdomain and then automating finding of sensitive information on all the js files intermediate | Tool for automating reconnaissance, including subdomain discovery using subfinder and login endpoint identification with dorkscaper.py. It verifies live subdomains via LUcek, fetches URLs with waybackurls, filters JavaScript files, and then uses nuclei to analyze these JS files for sensitive information. |
| 2025-02-10 2025 | GitHub - g4xyk00/JSrecon: Reconnaissance on browser using Javascript intermediate | Reconnaissance on browser using Javascript . Contribute to g4xyk00/JSrecon development by creating an account on GitHub. |
| 2025-02-01 2025 | A Burpsuite Extension For JS Reconnaissance - Jsmon intermediate 2 min read Burp | Library for enhancing JavaScript reconnaissance within Burp Suite. Jsmon automatically scans and monitors JavaScript files, providing real-time alerts for client-side exposures, secrets, and vulnerabilities. It offers seamless integration, scope filtering to conserve API calls, and manual analysis options, streamlining web security testing and improving the detection of exploitable JavaScript issues. |
| 2025-01-30 2025 | Advanced DNS Attacks: Poisoning and Exploitation advanced | Understanding DNS Vulnerabilities and Practical Techniques for Exploitation and Defense → infosecwriteups.com |
| 2025-01-29 2025 | GitHub - Chleba/netscanner: Terminal Network scanner & diagnostic tool with modern TUI beginner 1 min read | Tool for terminal-based network scanning and diagnostics featuring a modern TUI. It lists hardware interfaces, allows switching active interfaces for scanning and packet-dumping, scans WiFi networks and signal strength with charts, and performs IPv4 pinging of CIDRs with hostname, OUI, and MAC address resolution. The tool also supports IPv4 and IPv6 packet dumping (TCP, UDP, ICMP, ARP, ICMP6), pausing packet dumps, scanning open TCP ports, filtering packet logs, exporting scanned data to CSV, and traffic counting with DNS records. It relies on Ratatui and libpnet libraries. |
| 2025-01-28 2025 | GitHub - aceberg/WatchYourLAN: Lightweight network IP scanner. Can be used to notify about new hosts and monitor host online/offline history beginner 2 min read | Tool for lightweight network IP scanning, WatchYourLAN detects new hosts, monitors online/offline history, and logs all devices. It supports data export to InfluxDB2 or Prometheus for Grafana dashboards. While lacking built-in authentication, it can integrate with SSO tools like Authelia or ForAuth. Installation is available via Docker, with binary packages for various Linux distributions and architectures, and dependencies include `arp-scan` and `tzdata`. |
| 2025-01-19 2025 | GitHub - blacklanternsecurity/bbot: The recursive internet scanner for hackers. 🧡 beginner 4 min read | Library for automated reconnaissance and bug bounty hunting, BEE·bot (bbot) acts as a recursive internet scanner. It excels at subdomain enumeration, often finding 20-50% more than other tools by utilizing passive API sources and recursive DNS brute-forcing with target-specific mutations. BBOT also features a recursive web spider for crawling and extracting information, email enumeration modules, and various web scanning presets, including a "kitchen-sink" option for comprehensive scans. The tool supports multiple target types and integrates with third-party APIs via keys for services like SecurityTrails and VirusTotal. |
| 2025-01-12 2025 | GitHub - RustScan/RustScan: 🤖 The Modern Port Scanner 🤖 beginner 2 min read | Library for fast port scanning; it scans all 65k ports in as little as 3 seconds. Features include a scripting engine supporting Python, Lua, and Shell for custom analysis, automatic piping of results into Nmap, and adaptive learning that improves scan performance over time. RustScan also prioritizes accessibility and offers installation via package managers like Homebrew and Pacman. |
| 2024-12-14 2024 | 🚀 Introducing ShodanSpider v2: Your Ultimate Free Tool for CVE Searching and Shodan Data Analysis… news | In today’s fast-paced cybersecurity world, staying ahead of vulnerabilities is critical. ShodanSpider v2 takes your security research to… |
| 2024-09-24 2024 | xssorRecon/xss0rRecon.sh at main · xss0r/xssorRecon beginner 25 min read Bug Bounty XSS | Tool that automates XSS reconnaissance, featuring functions for installing prerequisites like `python3-venv`, creating virtual environments, and handling installation errors with suggested solutions. It provides a menu-driven interface for users to select options such as installing all tools, entering target domains, performing domain and URL enumeration, finding hidden parameters with HiddenParamFinder, preparing for XSS detection, and launching the xss0r tool itself. The script also includes guidance on deploying xss0r on VPS servers, recommending Contabo and providing relevant commands for tmux session management. |
| 2024-09-13 2024 | GitHub - xss0r/xssorRecon: Automate Recon XSS Bug Bounty intermediate Bug Bounty XSS | Library for automating XSS bug bounty reconnaissance, xss0rRecon requires users to download tools, wordlists, and the main application, then extract them into a single directory for execution. A free 5-day PRO plan license is available from the 10th to the 15th of each month via store.xss0r.com. |
| 2024-09-09 2024 | GitHub - mohdh34m/TraceNinja: TraceNinja is a subdomain enumeration tool . And much much more on the future ^_^ beginner | Tool for Python-based subdomain enumeration. TraceNinja efficiently gathers domain information in real-time across multiple platforms, offering a fast and user-friendly experience. Installation is available via pip or manual cloning. Users can execute scans with `TraceNinja -d example.com` and access all options using `TraceNinja -h`. The project welcomes contributions and is released under the MIT License. |
| 2024-07-28 2024 | security-study-plan/web-pentest-study-plan.md at main · jassics/security-study-plan beginner 6 min read Bug Bounty | Guide for aspiring web penetration testers, detailing a comprehensive study plan. It covers fundamental concepts like HTTP security, authentication, authorization, and various vulnerabilities including XSS, SQLi, IDOR, JWT, and SSRF. Essential tools such as Burp Suite, OWASP ZAP, Metasploit, and Nmap are introduced, alongside practical lab resources like Hack The Box, TryHackMe, and OWASP Juice Shop. Recommended reading includes "The Web Application Hacker's Handbook" and the OWASP Testing Guide, with optional courses and certifications like eJPT and OSCP also mentioned. |
| 2023-12-12 2023 | Finding that one weird endpoint with Bambdas intermediate 4 min read | Library of Burp Suite Bambdas designed to discover unusual HTTP endpoints and potential vulnerabilities. These mini-extensions, coded directly within the proxy, facilitate rapid experimentation for security researchers. Examples include detecting oversized redirect responses, identifying HTML content-type responses with multiple closing tags, flagging discrepancies between declared and real `Content-Length` headers, and finding servers using unexpected ports. The library also includes Bambdas for locating JSON responses with incorrect `text/html` content types, discovering non-standard GraphQL endpoints, and identifying JSONP endpoints exploitable via CSP bypass. → portswigger.net |
| 2023-11-21 2023 | Find My Ports | Modern Web Dev Booster beginner | Find My Ports | Modern Web Dev Booster https://ift.tt/RsXCgFY |
| 2023-11-09 2023 | assetnote beginner | assetnote https://ift.tt/I84SATb |
| 2023-11-05 2023 | TrafficWatch - TrafficWatch A Packet Sniffer Tool Allows You To Monitor And Analyze Network Traffic From PCAP Files beginner | TrafficWatch - TrafficWatch, A Packet Sniffer Tool, Allows You To Monitor And Analyze Network Traffic From PCAP Files https://ift.tt/c1tg2uv → kitploit.com |
| 2023-10-17 2023 | enumerating 24 million users intermediate 14 min read AuthN | Library for enumerating Microsoft 365 users by leveraging the OneDrive enumeration technique. This method utilizes simple HTTP requests to identify valid users without requiring authentication or making logon attempts, as demonstrated by tools like AAD-Internals and TREVORspray. The library facilitates infrastructure setup with a central TRON server for data management and CLU bots for scraping, enabling the discovery of millions of user accounts. |
| 2023-10-05 2023 | Useful Websites for Pentesters & Hackers beginner Bug Bounty | Useful Websites for Pentesters & Hackers https://ift.tt/wL3ZVXG |
| 2023-10-05 2023 | Bug Bounty Hunting Guide: Essential Tools and Strategies beginner Bug Bounty | Bug Bounty Hunting Guide: Essential Tools and Strategies https://ift.tt/oqOZFys |
| 2023-10-05 2023 | How to build custom scanners for web security research automation intermediate 5 min read Burp Fuzzing | Extension for Burp Suite that automates the detection of web race conditions and infoleaks, inspired by research into vulnerabilities like Cloudbleed. It leverages techniques such as single-packet attacks and "gadgets" to probe for anomalies and identify potential race-condition indicators, reporting differing status codes to minimize false negatives, and is available as part of the Backslash Powered Scanner. → portswigger.net |
| 2023-10-04 2023 | Directory Listing beginner | Directory Listing https://ift.tt/hdv6BCV |
| 2023-09-26 2023 | trickest/wordlists beginner 1 min read | Library of wordlists derived from CMS source code, including WordPress, Joomla, Drupal, Magento, Ghost, and Tomcat. Each entry offers base wordlists with full file paths and all-levels wordlists that account for directory structure variations. Additional lists are generated from robots.txt files of top websites, subdomains discovered via bug bounty programs, and subdomains extracted from SSL certificates. These wordlists are created using Trickest workflows that clone repositories, fetch robots.txt, enumerate subdomains, and process data for security testing. |
| 2023-09-05 2023 | How to Set up a Reverse Proxy (Step-By-Steps for Nginx and Apache) beginner 23 min read | Library for configuring Nginx and Apache as reverse proxies, enhancing web server security, performance, and reliability. It enables unified domain management, load balancing with techniques like Global Server Load Balancing, and powerful caching for static and dynamic content, while also offering enhanced security by cloaking origin server details and defending against DDoS attacks. |
| 2023-08-20 2023 | Pentest-Cheat-Sheets beginner 7 min read Bug Bounty | Cheatsheet for penetration testing commands and techniques, aiding in efficient reconnaissance, brute-forcing, network scanning with nmap and dnsenum, SMB and RDP exploitation using tools like xfreerdp and crowbar, SQL injection with sqlmap, and cross-site scripting payloads. It also includes snippets for SNMP enumeration, MySQL connections, and basic HTTP requests. |
| 2023-08-07 2023 | Malwarize/webpalm beginner | Library for structured web-tree generation and regex-based data extraction. Webpalm features high-speed multi-threading, multiple export formats including JSON and XML, and colorized output with robust error handling. It supports including or excluding specific domains and status codes, and allows saving results to files. Users can configure traversal depth, worker threads, and utilize regexes for data extraction, with examples like `webpalm -u https://example.com -l2 --regexes comments="\<\!--.*?-->" -o results.json`. |
| 2023-08-07 2023 | devanshbatham/DNSleuth beginner | Library for sniffing DNS packets and displaying queries with color-coding. Installation involves cloning the repository, granting execute permissions to `setup.sh`, and running the script. Once installed, DNSleuth can be launched from the command line to monitor all network interfaces for DNS traffic. It requires Python 3.x, Scapy, and Colorama as dependencies. |
| 2023-08-06 2023 | hakoriginfinder beginner 1 min read | Tool for discovering origin hosts behind reverse proxies, aiding in WAF bypass. It sends HTTP requests to provided IP addresses with a manipulated `Host` header, comparing responses to an initial request using the Levenshtein algorithm. Key options include setting the target hostname (`-h`), specifying ports (`-p`), adjusting the Levenshtein threshold (`-l`), and configuring thread count (`-t`). Output details matches, tested URLs, and Levenshtein scores. |
| 2023-07-26 2023 | Web Application Black-Box testing intermediate API Sec Bug Bounty | Web Application Black-Box testing https://ift.tt/d1Mrqn4 |
| 2023-07-02 2023 | DNS Analyzer - Finding DNS vulnerabilities with Burp Suite intermediate 7 min read Burp | Library for finding DNS vulnerabilities in web applications using Burp Suite. This extension leverages Burp Collaborator to analyze DNS name resolution, similar to the earlier DNS Analysis Server but with simplified setup. It helps identify resolvers susceptible to Kaminsky-style attacks by examining UDP source port and DNS ID randomness through a Kaminsky status, scatter plots, and statistics. The library aids in detecting vulnerabilities like account takeover via email redirection by analyzing DNS interactions triggered through features like password resets. |
| 2023-06-08 2023 | Snoop Project beginner 9 min read | Tool for OSINT investigations, Snoop searches over 5400 websites and a local database for user nicknames. It can extract geocoordinates from unstructured data, visualize them on an OSM map, and generate reports in various formats including CSV, TXT, and HTML. Snoop supports searching multiple users, excluding specific regions, and allows for customizable search parameters like timeout and pool size. It runs natively on Windows and Linux without requiring Python dependencies. |
| 2023-06-08 2023 | Google dork cheatsheet beginner 1 min read OSINT | Cheatsheet of Google Dorking techniques, demonstrating how to leverage operators like `intext:`, `intitle:`, `-inurl:`, `filetype:`, and `~` for targeted information retrieval. Examples include finding indexed files, specific document types containing sensitive terms like "confidential salary," and bypassing common extensions. |
| 2023-06-08 2023 | kargisimos/offensive-bookmarks beginner 1 min read Bug Bounty OSINT | Collection of browser bookmarks for penetration testers, bug bounty hunters, and reverse engineers. This curated list, named "offensive-bookmarks," categorizes resources across OSINT, cheat sheets, malware development and analysis, shells, obfuscation techniques for various languages (including PowerShell and Python), privilege escalation methods for Windows and Linux, password cracking tools, and cybersecurity labs. |
| 2023-06-02 2023 | The Ultimate Guide to Port Scanning using Nmap | Nmap Notes beginner 14 min read | Library for port scanning with Nmap, detailing target specification, host discovery methods like ARP, ICMP, and TCP SYN pings, and port specification techniques. It covers service and version detection, along with leveraging the Nmap Scripting Engine (NSE) for advanced exploitation. |
| 2023-05-04 2023 | Hacking Techniques and Intrusion Detection beginner 6 min read Bug Bounty | Tutorial on using GDB and Immunity Debugger for software exploitation. It details debugging fundamentals for pentesters, including step-by-step execution, breakpoints, variable tracking, and memory examination. The tutorial demonstrates finding a NULL pointer dereference bug in a C program using GDB, highlighting its power for analyzing and understanding program behavior. |
| 2023-04-20 2023 | Wazuh and NMAP integrarion for Network Vulnerability Scans intermediate | Wazuh and NMAP integrarion for Network Vulnerability Scans https://ift.tt/YLbjMJ9 |
| 2023-04-02 2023 | Writing a Network Scanner using Python intermediate Python | Writing a Network Scanner using Python https://ift.tt/DAWbHwz |
| 2022-05-05 2022 | Favorite tweet by @_zwink intermediate Python | Favorite tweet: Just created a Python script which given a list of /24 IP address ranges, will crawl them, extract domains and subdomains from SSL certs, check the domains, and write out a CSV file o... |
| 2022-04-25 2022 | Favorite tweet by @JasonFord intermediate OSINT Python | Favorite tweet: I'm continuing to work on my python skills to gather data using threat intel APIs. I've shared this script on GitHub that you can use (with your own API key) to query @EmergingThreats... |
| 2022-04-06 2022 | Favorite tweet by @harshbothra_ beginner Bug Bounty | Favorite tweet: 14 Payload Repositories to find all the required Payloads & Attack Vectors. 🧵 — Harsh Bothra (@harshbothra_) Apr 1, 2022 |
| 2022-04-02 2022 | Favorite tweet by @clintgibler beginner | Favorite tweet: ☁️ What to look for when reviewing a company's infrastructure @lancinimarco's structured approach for reviewing security architecture of a multi-cloud SaaS company & finding critical ... |
| 2022-03-19 2022 | Favorite tweet by @NandanLohitaksh beginner Bug Bounty | Favorite tweet: Pentest-Book: A collection of some awesome tools or techniques, tricks that might be useful in pentests/bugbounties (by @Six2dez1) #cybersecurity #bughunting #hacking #malware https:/... |
| 2022-03-18 2022 | Favorite tweet by @NandanLohitaksh intermediate XSS | Favorite tweet: Mass Blind XSS 🔥👇 By @HackerGautam ✅ One-Liner : hakrawler -plain -usewayback -wayback -url https://t.co/UWTXcbtzMq | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|wo... |
| 2022-03-18 2022 | Favorite tweet by @HackerGautam intermediate XSS | Favorite tweet: Mass Blind XSS 🔥👇 ✅ One-Liner : hakrawler -plain -usewayback -wayback -url https://t.co/Tmo5ijSdeM | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|t... |
| 2022-03-17 2022 | Favorite tweet by @0xAsm0d3us beginner Bug Bounty | Favorite tweet: Pentest-Book: A collection of some awesome tools or techniques, tricks that might be useful in pentests/bugbounties (by @Six2dez1) #cybersecurity #bughunting #hacking #malware https:/... |
| 2022-03-14 2022 | Favorite tweet by @harshbothra_ beginner OSINT | Favorite tweet: 17 Search Engines every Security Professional Must Know 🧵 — Harsh Bothra (@harshbothra_) Mar 14, 2022 |
| 2022-03-06 2022 | Favorite tweet by @AnubhavSingh_ beginner Bug Bounty | Favorite tweet: Tips and Resources to learn about pentesting 28 Attack Surface by @0xAwali A thread 🧵 ↓ #AppSec #infosec #bugbountytips #Pentesting — Anubhav Singh🇮🇳 (@AnubhavSingh_) Mar 6, 2022 |
| 2022-03-06 2022 | Favorite tweet by @fardeenahmed411 beginner Bug Bounty Burp | Favorite tweet: Top 10 essential tools for Bug-Bounty Hunting : 1. Burp Suite / ZAP-Proxy 2. Google Dorking Script 3. DNS-Discovery 4. Reverse IP Lookup 5. Wapiti 6. INalyzer 7. IronWASP 8. Wfuzz 9. ... |
| 2022-03-05 2022 | Favorite tweet by @harshbothra_ beginner | Favorite tweet: 4 Subdomain Enumeration Tools you must have in your Arsenal 💻 🧵 — Harsh Bothra (@harshbothra_) Mar 5, 2022 |
| 2022-03-02 2022 | Favorite tweet by @ptracesecurity intermediate Burp | Favorite tweet: Nuclei-Burp Extension: run nuclei scanner directly from burp https://t.co/5eXxgjapf7 #Pentesting #BurpSuite #WebSecurity #Infosec https://t.co/xwhsoQfhRo — Ptrace Security GmbH (@ptr... |
| 2022-01-16 2022 | How I Found multiple SQL Injection with FFUF and Sqlmap in a few minutes intermediate Fuzzing SQLi | How I Found multiple SQL Injection with FFUF and Sqlmap in a few minutes |
| 2022-01-15 2022 | Must-Have Tools For Hacking beginner Bug Bounty | Must-Have Tools For Hacking |
| 2022-01-10 2022 | ffuf - Fuzz Faster U Fool beginner 9 min read Fuzzing | Library for fast web fuzzing written in Go. `ffuf` supports fuzzing URLs, headers, and POST data using the `FUZZ` keyword, and can filter responses by size (`-fs`) or status code (`-fc`). It offers features like recursive scanning, maximum runtime limits (`-maxtime`, `-maxtime-job`), and integrates with mutators via `--input-cmd`, enabling complex fuzzing scenarios such as JSON payload generation with Radamsa. Prebuilt binaries are available, and installation can be done via Homebrew or `go install`. |
| 2022-01-10 2022 | Install Nuclei beginner 13 min read Fuzzing | Library for fast, template-based vulnerability scanning using simple YAML templates. It supports multiple protocols like HTTP, DNS, and TCP, and can be integrated into CI/CD pipelines. Nuclei allows for custom vulnerability detection scenarios to reduce false positives and includes integrations with tools like Jira, Splunk, and GitHub. The tool requires Go version 1.24.2 or later for installation. |
| 2022-01-10 2022 | Nuclei Templates beginner 1 min read Fuzzing | Library of community-curated templates for the nuclei scanner, designed to detect various application security vulnerabilities. This repository houses templates developed by the project team and contributions from the security community, covering diverse attack vectors. Detailed documentation for creating custom templates is available, alongside statistics on template attributes like tags, author, severity, and type. Community engagement is encouraged through GitHub discussions and a Discord server for direct interaction with maintainers. |
| 2022-01-10 2022 | A @TomNomNom Recon Tools Primer beginner 5 min read | Library of reconnaissance tools by @tomnomnom, including `gf` for security-pattern matching, `httprobe` for webserver detection, `unfurl` for URL parsing, `meg` for parallel requests, `anew` for de-duplicating lists, and `waybackurls` for archived URLs, all designed with the Unix philosophy for granular, composable workflows. → danielmiessler.com |
| 2022-01-03 2022 | webapp-wordlists beginner | Library of over 100,000 web application and CMS wordlists, meticulously curated for specific versions of popular platforms like WordPress, Drupal, Typo3, and Craft CMS. Each wordlist enumerates files and directories for a given version, aiding in security assessments and vulnerability discovery. Contributions and requests for additional wordlists are welcomed via pull requests and issues. |
| 2021-12-31 2021 | https://awesomeopensource.com/project/projectdiscovery/naabu beginner | https://awesomeopensource.com/project/projectdiscovery/naabu |
| 2021-12-31 2021 | https://awesomeopensource.com/projects/go/nmap beginner | https://awesomeopensource.com/projects/go/nmap |
| 2021-12-31 2021 | How To: Use GoScan to Quickly Enumerate Networks & Services intermediate 11 min read | Tool that automates network and service enumeration by leveraging Nmap and integrating with other scanners like Nikto and sqlmap. GoScan features interactive tab auto-completion and an SQLite backend for data persistence, and functions as a framework to abstract and streamline reconnaissance tasks. It allows for target loading, host discovery, port scanning, and service enumeration with various options, including dry runs and aggressive scans. While it offers a streamlined approach, users must be aware of limitations such as the inability to issue OS commands directly within the framework and a less direct method for canceling long scans. → null-byte.wonderhowto.com |
| 2021-12-06 2021 | How to run BeEF behind an nginx reverse proxy with SSL correctly intermediate 4 min read | Library for configuring BeEF behind an nginx reverse proxy with SSL, addressing "Blocked Mixed Active Content" errors. It details BeEF's `config.yaml` settings for `allow_reverse_proxy`, `public`, and `public_port`, along with Nginx `proxy_pass` directives to correctly handle HTTPS requests and ensure BeEF hooks function on secure pages. → stackoverflow.com |
| 2021-11-24 2021 | Install Nuclei beginner 13 min read Bug Bounty | Library for high-performance vulnerability scanning. Nuclei utilizes simple YAML-based templates to detect vulnerabilities, allowing users to create custom scenarios that minimize false positives by simulating real-world conditions. It supports multiple protocols (TCP, DNS, HTTP, SSL, and more) and integrates with CI/CD pipelines and various platforms like Jira, Splunk, and GitHub. Installation requires Go version 1.24.2 or later. |
| 2021-11-21 2021 | HTB: BountyHunter intermediate 10 min read Bug Bounty | Writeup detailing a penetration test on the HTB: BountyHunter machine, which begins with an XXE vulnerability allowing file reads from `/etc/passwd`. This initial access leads to discovering credentials for SSH, enabling further privilege escalation via a Python `eval` injection in a root-level ticket validation script. |
| 2021-11-17 2021 | Spear Phishing And Subdomains Takeover intermediate | Spear Phishing And Subdomains Takeover |
| 2021-11-11 2021 | New Release: FullHunt Public API! news 1 min read | Library providing free public access to FullHunt's attack surface enumeration capabilities, including subdomains, domains, assets, and exposed services. Integrates with the OSINT tool TheHarvester, acting as a data source for it. Offers unlimited API access for enterprises, with custom APIs and advanced data analysis available through the FullHunt Enterprise Platform. |
| 2021-11-01 2021 | dhondta/webgrep beginner 3 min read | Tool for grepping web pages and associated resources, enhancing the functionality of the standard `grep` command. It supports deobfuscating JavaScript, applying OCR to images, and extracting EXIF data using external tools like `tesseract` and `exiftool`. The tool allows for searching across local or all linked resources, including HTTP headers, and offers extensive options for regular expression matching and output control. |
| 2021-10-28 2021 | Haklukes Guide to AmassHow to Use Amass More Effectively for Bug Bounties intermediate Bug Bounty | Haklukes Guide to AmassHow to Use Amass More Effectively for Bug Bounties |
| 2021-10-28 2021 | OWASP Amass - Users' Guide beginner 4 min read | Library for internet exposure investigation; this guide details OWASP Amass tool usage for subdomain enumeration via DNS and network mapping. It covers basic commands like `amass enum -d example.com` and advanced options including active enumeration (TLS certificates, zone transfers, web crawling) with `amass enum -active -d example.com`, passive data source utilization with `amass enum --passive -d example.com`, and Docker integration. The guide also explains configuration file management, API key storage, graph database persistence (file-based or PostgreSQL), and how findings from previous enumerations are leveraged. |
| 2021-10-28 2021 | Amass/config.ini at master OWASP/Amass beginner | Amass/config.ini at master OWASP/Amass |
| 2021-10-28 2021 | OWASP Amass - An Extensive Tutorial intermediate 10 min read | Library for passive and active reconnaissance, Amass facilitates subdomain discovery and external attack surface mapping using over 80 data sources. Its three subcommands, `intel`, `enum`, and `db`, support techniques like brute-forcing, DNS zone transfers, and certificate transparency log analysis, with findings stored in a graph database. |
| 2021-10-28 2021 | OWASP/Amass beginner 2 min read | Library for network asset discovery and attack surface mapping. This entry details installation instructions for Amass across various platforms including macOS (resolving "unidentified developer" warnings), Docker, Go compilation, Homebrew, FreeBSD, Kali Linux, NixOS, Gentoo, and Pentoo. It covers building Docker images, persisting graph databases, utilizing wordlists, and compiling from source with Go 1.18+. |
| 2021-10-28 2021 | How to Use OWASP Amass: An Extensive Tutorial intermediate 14 min read | Library for continuous subdomain discovery and external attack surface mapping, OWASP Amass offers multiple subcommands: `intel` for open-source intelligence gathering, `enum` for DNS enumeration and network mapping, `viz` for visualizing results, `track` for monitoring changes, and `db` for manipulating the graph database. It supports numerous data sources and techniques, including WHOIS, certificate transparency logs, DNS zone transfers, and brute-forcing, making it a comprehensive tool for penetration testers and security researchers. |
| 2021-09-29 2021 | Subnet Calculator beginner | Tool for calculating subnet information. Enter a subnet range in CIDR notation or use the optional mask pull-down to view IP address details. This is particularly useful for network operators and service providers who frequently work with subnet allocations, providing an easy way to understand Classless Inter-Domain Routing (CIDR) blocks. |
| 2021-09-17 2021 | Cloud Security Orienteering beginner 22 min read | Library for navigating unfamiliar AWS environments, this resource details a methodology for identifying risks, prioritizing remediation, and defining long-term cloud security strategies. It covers challenges in cloud security best practices, common adoption patterns, identifying ecosystem scope, and prioritizing important risks with open-source tools. The guide references the CIS benchmark for configuration, the Well-Architected Framework Security Pillar for architecture, and Scott Piper’s AWS Security Maturity Roadmap. → tldrsec.com |
| 2021-09-15 2021 | My Favorite Pentest Tools (Top 15) beginner Bug Bounty | My Favorite Pentest Tools (Top 15) |
| 2021-09-13 2021 | Haklukes Guide to NmapPort Scanning is Just The Beginning beginner | Haklukes Guide to NmapPort Scanning is Just The Beginning |
| 2021-09-07 2021 | Dan Miessler Talks About Recon/Automation Seclists Certifications Mental Health & More! beginner Talks | Dan Miessler Talks About Recon/Automation Seclists Certifications Mental Health & More! |
| 2021-08-30 2021 | api_wordlist beginner 1 min read API Sec | Library of API names for web application security testing. It includes files like `api_seen_in_wild.txt`, `actions.txt`, and `objects.txt`, along with variations for case sensitivity. The library provides guidance for using these lists with Burp Suite's Intruder in a Cluster Bomb attack to fuzz API function calls by sending requests and replacing function names with runtime files. |
| 2021-08-30 2021 | Hakluke's huge list of resources for beginner hackers beginner 6 min read Bug Bounty | Library containing a curated list of resources for beginner hackers, focusing on bug bounty hunting and penetration testing. It aggregates links to various "list of lists" from prominent figures like Nahamsec and Codingo, alongside hands-on labs from Pentesterlab, Portswigger, Tryhackme, Hackthebox, Kontra, Hacker101, and Vulnhub. The library also highlights essential YouTube channels such as John Hammond, Liveoverflow, and PwnFunction, and a comprehensive list of cybersecurity Twitter accounts and blogs like Hackerone Hacktivity and Intigriti's Medium publication. → labs.detectify.com |
| 2021-08-30 2021 | Introducing dirtywords - A Targeted Word List Generator intermediate | Tool for generating targeted word lists for password cracking and authentication testing. Dirtywords utilizes OSINT data such as names, dates, locations, and organizational terms to create custom lists optimized for identifying common, specific password patterns often missed by generic lists. It generates permutations by applying common construction techniques like CamelCase, leetspeak, appended numbers and special characters, and date formats. The source code is available on GitHub. |
| 2021-08-25 2021 | Recon as a Platform (RaaP)? beginner | Library for building reconnaissance platforms, RaaP addresses scenarios where existing tools are unknown, lack desired performance or features (e.g., specific subdomain scraping), or fail to enrich results through integration. It helps overcome limitations in system design scalability, aids in recalling past reconnaissance flows, and facilitates benchmarking of multiple projects for problems like subdomain takeovers. RaaP also serves as a reference for adding features to existing reconnaissance projects or for manual reconnaissance efforts, and helps avoid redundant research when building custom reconnaissance solutions. |
| 2021-08-25 2021 | RaaP beginner | RaaP |
| 2021-06-30 2021 | Web-Application-Pentest-Checklist intermediate API Sec Bug Bounty | This content is a checklist for web application penetration testing. It outlines a comprehensive set of steps and areas to cover when assessing the security of web applications. The checklist likely includes categories such as reconnaissance, authentication, authorization, input validation, session management, and common vulnerabilities like SQL injection and cross-site scripting (XSS). It serves as a guide for penetration testers to ensure thorough and systematic testing. No specific bug bounty payout amount is mentioned in the provided title or content. |
| 2021-05-31 2021 | Offensive Security Guide to SSH Tunnels and Proxies intermediate | This guide from Offensive Security explores the practical applications of SSH tunnels and proxies for penetration testers. It details how to leverage these techniques to bypass network restrictions, access internal systems, and exfiltrate data securely. The content covers different tunneling methods, including local, remote, and dynamic port forwarding, and provides real-world examples for reconnaissance, lateral movement, and command and control. The primary focus is on using SSH to establish covert communication channels and gain deeper access within target environments. |
| 2021-05-17 2021 | How to discover up to 10000 subdomains with your own tool beginner | The provided content is a title that states "How to discover up to 10000 subdomains with your own tool." The content itself is not present, only the title. Therefore, no summary can be generated beyond reiterating the title's topic. |
| 2021-05-11 2021 | VPS-web-hacking-tools beginner Bug Bounty | Library for automatically installing web hacking and bug bounty tools on Debian, Kali Linux, Linux Mint, and Ubuntu VPS systems. It supports both direct installation via an installer script and a Dockerized version for simplified deployment. Tools like Corsy and CORScanner are included, with users advised to configure them for optimal use, particularly for subdomain enumeration. |
| 2021-05-05 2021 | How to discover up to 10000 subdomains with your own tool intermediate Bug Bounty | This article details a method for discovering up to 10,000 subdomains using a self-created tool. It likely covers the technical steps and strategies involved in building and deploying such a tool for subdomain enumeration, a common practice in cybersecurity for identifying potential attack surfaces. The content focuses on practical application and achieving a significant scale of subdomain discovery. |
| 2021-05-04 2021 | Web App #Penetration Testing for Beginners: beginner Bug Bounty | This content is a beginner's guide to web application penetration testing. It aims to introduce fundamental concepts and techniques for identifying vulnerabilities in web applications. The focus is on providing a foundational understanding for those new to the field of cybersecurity and penetration testing. |
| 2020-03-08 2020 | GitHub - redhuntlabs/Awesome-Asset-Discovery: List of Awesome Asset Discovery Resources beginner 5 min read | Library of curated resources for asset discovery in security assessments, categorizing tools and techniques for content, IP, domain, email, network, cloud, and source code discovery. It lists specific utilities like `rustbuster`, `Mxtoolbox`, `Massdns`, `DataSploit`, `SubFinder`, `Amass`, `GoBuster`, `Hunter`, `Zmap`, `Masscan`, `Nmap`, `MicroBurst`, `Gitrob`, `CloudScraper`, `Buckets Grayhatwarfare`, `Shodan`, and `Censys`, alongside methods for identifying data leaks and social media profiling. |
Frequently Asked Questions
- What is reconnaissance in security testing?
- Reconnaissance is the process of discovering and mapping a target's attack surface before active testing. It includes finding subdomains, IP ranges, open ports, running services, technology stacks, and exposed endpoints. Thorough recon is often the difference between finding critical vulnerabilities and finding nothing.
- What are the essential recon tools?
- Core tools include subfinder and amass for subdomain enumeration, httpx for live host discovery, nmap for port scanning, nuclei for automated vulnerability scanning, katana and gospider for web crawling, ffuf for directory fuzzing, and waybackurls for historical URL discovery. Most hunters combine these into automated pipelines.
- What is continuous recon and why does it matter?
- Continuous recon monitors targets for changes over time — new subdomains, changed DNS records, newly exposed services, or updated technologies. Many high-impact findings come from assets that just appeared. Hunters automate this with cron jobs or services like Chaos by ProjectDiscovery, alerting them to fresh attack surface before competitors.
Weekly AppSec Digest
Get new resources delivered every Monday.