Here you can find links to a bunch of useful tools for Bug Bounty Hunting.
- Proxy & Network Sniffer
- Burp Extensions
- Recon, OSINT & Discovery
- Exploitation
- Scanners
- Mobile Hacking
- Notes & Organization
- Others
Name | Description | Written in | Created by |
---|---|---|---|
Burp Suite | A Proxy to intercept and manipulate Web Traffic (free & paid version). Here you can find Tips & Tricks to get started with Burp. | Java | PortSwigger |
OWASP ZAP Proxy | A Proxy to intercept and manipulate Web Traffic (free). | Java | OWASP |
Wireshark | Wireshark is a network protocol analyzer that lets you capture and read network packets. | C, C++ | The Wireshark team |
Name | Description | Written in |
---|---|---|
Logger++ | "This extension can be used to log the requests and responses made by all Burp tools, and display them in a sortable table. It can also save the logged data in CSV format." | Java |
Flow | "This extension provides a Proxy history-like view along with search filter capabilities for all Burp tools." | Java |
AuthMatrix | "AuthMatrix is an extension to Burp Suite that provides a simple way to test authorization in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are displayed through the UI in a similar format to that of an access control matrix commonly built in various threat modeling methodologies." | Python (Needs Jython version 2.7.0 or later) |
Autorize | "Autorize is an extension aimed at helping the penetration tester to detect authorization vulnerabilities..." | Python (Needs Jython) |
Auto Repeater | "This extension automatically repeats requests, with replacement rules and response diffing. It provides a general-purpose solution for streamlining authorization testing within web applications." | Java |
Progress Tracker | "Burp Suite extension to track vulnerability assessment progress" | Python |
Name | Description | Written in | Created by |
---|---|---|---|
FFuF | A very fast Fuzzing Tool to brute force directories or other parameters. Highly configurable. | Go | |
Sublist3r | Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS. | Python | Ahmed Aboul-Ela |
dirsearch | dirsearch is a simple command-line tool designed to brute force directories and files in websites. | Python | Mauro Soria |
Amass | Uses a variety of different techniques to gather subdomains and can build a network map of the target. Very good export options. | Go | OWASP |
BuiltWith | A very handy browser extension (for Chrome, Firefox) that checks for more than 18,000 types of internet technologies. Gives you a very quick glance at what a web application is built with. | | BuiltWith® |
findomain | Very fast cross-platform subdomain enumerator | Rust | Eduard Tolosa |
waybackurls | Fetch all the URLs that the Wayback Machine knows about for a domain | Go | Tom Hudson |
meg | meg is a tool for fetching lots of URLs but still being 'nice' to servers. It can be used to fetch many paths for many hosts; fetching one path for all hosts before moving on to the next path and repeating. | Go | Tom Hudson |
httprobe | Take a list of domains and probe for working http and https servers. | Go | Tom Hudson |
Osmedeus | Fully automated offensive security framework for reconnaissance and vulnerability scanning | Python | j3ssie |
hakrawler | hakrawler is a Go web crawler designed for easy, quick discovery of endpoints and assets within a web application. It can be used to discover Forms, Endpoints, Subdomains, Related documents and JS Files | Go | @hakluke |
Reconness | A Web App Tool to Run and Keep all your #recon in the same place. | C# | @reconness |
Knockpy | A Python tool designed to enumerate subdomains on a target domain through a wordlist | Python | @guelforweb |
crithit | Takes a single wordlist item and tests it one by one over a large collection of hosts before moving onto the next. Create signatures to cross-check vulnerabilities over multiple hosts. | C++ | codingo |
nuclei | "Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use." | Go | ProjectDiscovery |
SpiderFoot | SpiderFoot is an OSINT automation tool that queries over 100 data sources to build up a complete profile of your target, from host enumeration, to breached e-mail addresses and more. | Python | SpiderFoot |
subfinder | subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well. | Go | ProjectDiscovery |
SUBway | Enumerate subdomains by either using DNS lookup or by virtual hosting HTTP requests, useful for things like Hack The Box or Try Hack Me. SUBway requires a wordlist for subdomain discovery; SecLists is the recommended pairing for use with this tool. | Go | Sam Lane |
Name | Description | Created by |
---|---|---|
Recon.Dev | Recon Data specifically created for bug bounty hunters | NahamSec & StaticFlow |
hunter.io | Email Enumeration for big corps | Hunter Team |
intelx.io | Swiss Army knife of OSINT | Intelligence X |
Shodan | Search engine that lets you find systems connected to the internet with a variety of filters | John Matherly |
Censys | "Censys is a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet." | Censys |
Lookyloo | Lookyloo is a web interface that lets you scrape a website and then displays a tree of domains calling each other. GitHub page of the project | CIRCL |
Spyse.com | New Search Engine made for pentesters and cyber security specialists | Spyse Team |
crt.sh | SSL certificate search tool | Sectigo |
VirusTotal | WHOIS, DNS, and subdomain recon | VirusTotal Team |
ZoomEye | Search engine for specific network components | Team from Knownsec |
NerdyData | Search Engine for Source Code | NerdyData |
Crunchbase | For finding Information about Businesses and their acquisitions | TechCrunch |
Searchcode | Helping you find real-world examples of functions, APIs and libraries in over 90 languages across multiple sources | searchcode |
Name | Description | Written in | Created by |
---|---|---|---|
sqlmap | sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. | Python | sqlmapproject |
Name | Description | Written in | Created by |
---|---|---|---|
Nmap | A well-known and powerful tool for port scanning. Nmap provides the possibility to use scripts to further customize its functionality. | C, C++, Python, Lua | Gordon Lyon |
Masscan | This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine. | C | Robert David Graham |
KeyHacks | Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. | / | streaak |
Nmap command helper | A tool that helps you with nmap commands. Has a built-in training feature to help memorize them. | | 0x0n0x |
threader3000 | Threader3000 is a script written in Python3 that allows multi-threaded port scanning. The program is interactive and simply requires you to run it to begin. Once started, you will be asked to input an IP address or a FQDN as Threader3000 does resolve hostnames. A full port scan should take less than 1 minute 30 seconds depending on your internet connection. | Python | Joe Helle, Tittimus, plasticuproject |
Name | Description | Written in | Created by |
---|---|---|---|
Frida | |||
jadx | Dex to Java decompiler | Java | skylot |
Ghidra | "A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission" | Java | NSA |
dex2jar | Useful to convert dex files into jar to decompile the application. | Java, Smali | Bob Pan |
andriller | Andriller is a software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. andriller.com | Python | Denis Sazonov |
Mobile Security Framework (MobSF) | Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing. | Python | MobSF Team |
objection | "objection is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak." | Python & TypeScript | sensepost |
RMS - Runtime Mobile Security | Runtime Mobile Security (RMS) is a powerful web interface that helps you to manipulate Android Java Classes and Methods at Runtime | Python | @mobilesecurity_ |
Name | Description | Written in | Created by |
---|---|---|---|
Reconness | "ReconNess helps you to run and keep all your #recon in the same place allowing you to focus only on the potentially vulnerable targets without distraction and without requiring a lot of bash skill or programming skill in general." | C# | Reconness |
Updog | "Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use HTTP basic auth." | Python | sc0tfree |
Notion | "Write, plan, collaborate, and get organized — all in one tool." | | Notion Labs |
Joplin | "Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. The notes are searchable, can be copied, tagged and modified either from the applications directly or from your own text editor. The notes are in Markdown format." | JavaScript | Laurent Cozic |
Xmind | XMind is a full-featured mind mapping and brainstorming tool, designed to generate ideas, inspire creativity, and bring productivity to a remote WFH team. | / | XMind Ltd. |
Axiom | Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty and pentesting. | Bash | @pry0cc |
PenTest.ws | PenTest.WS is a penetration testing web application for organizing hosts, services, vulnerabilities and credentials during a penetration test. A reporting module is available for documenting and delivering a full penetration test. | | PenTest.ws |
Name | Description | Written in | Created by |
---|---|---|---|
SecLists | A huge collection of word lists for hacking. | | Daniel Miessler |
Recon Pi | A lightweight recon tool that performs extensive reconnaissance with the latest tools using a Raspberry Pi. | | @x1m_martijn |
CyberChef | Awesome Tool for de-/encoding stuff. Try it out! | JavaScript | gchq |
webhook.site | Webhook.site allows you to easily test, inspect, forward and create Custom Actions for any incoming HTTP request or e-mail. | | fredsted |
requestcatcher | Request Catcher will create a subdomain on which you can test an application. All requests sent to any path on the subdomain are forwarded to your browser in real time. | ||
canarytokens | Description | Thinkst Canary |