Complete Command Reference & Step-by-Step Guide

🔍 Phase 1: Reconnaissance & Information Gathering

🎯 Goal: Gather information about the target without directly interacting with it. This phase focuses on passive reconnaissance to build a comprehensive picture of the attack surface.

Subfinder Subdomain Discovery

Fast subdomain discovery tool using passive sources

Basic subdomain enumeration

subfinder -d target.com -o subdomains.txt

Use all sources for comprehensive results

subfinder -d target.com -all -o subdomains_all.txt

Recursive subdomain discovery

subfinder -d target.com -recursive -o subdomains_recursive.txt

Scan multiple domains from a file

subfinder -dL domains.txt -o subdomain_output.txt

Assetfinder Asset Discovery

Find related domains and subdomains

Find all assets related to domain

assetfinder target.com

Find only subdomains

assetfinder --subs-only target.com

Save results to file

assetfinder target.com | tee assetfinder_output.txt

Amass Comprehensive OSINT

In-depth attack surface mapping and asset discovery

Basic enumeration

amass enum -d target.com -o amass_output.txt

Passive enumeration only

amass enum -passive -d target.com -o amass_passive.txt

Active enumeration with DNS queries

amass enum -active -d target.com -o amass_active.txt

Brute force with wordlist

amass enum -d target.com -brute -w wordlist.txt -o amass_brute.txt

Intelligence gathering with WHOIS

amass intel -d target.com -whois

Certificate Transparency SSL/TLS Logs

Find subdomains from SSL/TLS certificates

Query crt.sh via curl

curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u

Using crt tool

crt -d target.com

Using certspotter

certspotter target.com
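The crt.sh query above returns JSON in which one certificate's name_value can hold several newline-separated names, wildcards and mixed case, and the subdomain tools earlier in this phase each write their own plain-text list (assetfinder in particular also returns related but out-of-scope domains). The following Python is an added example, not part of the original reference or of any of the tools it lists: it parses a constructed crt.sh-style response, normalises names from any source into one in-scope set, and compares the result against a known asset inventory so a defender can spot certificates and hosts nobody recorded. The SCOPE value, the sample responses and the inventory are all assumptions made up for the example.

```python
import json
import re

# Assumption: the root domain under review (stands in for target.com above).
SCOPE = "target.com"

# Valid DNS hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Constructed crt.sh-style response, same shape as the curl query above.
CRT_JSON = """[
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "name_value": "www.target.com\\napi.target.com"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "name_value": "*.dev.target.com"},
  {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
   "name_value": "Staging.Target.com"}
]"""

# Constructed one-host-per-line outputs, as subfinder/assetfinder would write.
SUBFINDER_OUT = "api.target.com\nmail.target.com\n"
ASSETFINDER_OUT = "target.com\ncdn.target.com\ntarget-com.partner.example\n"

# Constructed asset inventory: what the owning team believes exists.
INVENTORY = {"target.com", "www.target.com", "api.target.com", "mail.target.com"}


def normalize(name, scope=SCOPE):
    """Lower-case, drop a trailing dot and a leading '*.' (a wildcard cert
    still tells you its parent name exists), and return None for anything
    malformed or outside the scope domain."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not _HOSTNAME_RE.match(name):
        return None
    if name != scope and not name.endswith("." + scope):
        return None
    return name


def hosts_from_crtsh(json_text, scope=SCOPE):
    """Parse a crt.sh JSON response; name_value may list several names
    separated by newlines, so split before normalising."""
    hosts = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").splitlines():
            host = normalize(raw, scope)
            if host:
                hosts.add(host)
    return hosts


def hosts_from_list(text, scope=SCOPE):
    """Parse the plain-text lists that subfinder, assetfinder, amass and
    similar tools write, discarding blanks and out-of-scope names."""
    return {h for h in (normalize(line, scope) for line in text.splitlines()) if h}


def merge(*host_sets):
    """Union of every source, sorted for stable diffs between runs."""
    return sorted(set().union(*host_sets))


def unexpected_hosts(found, inventory):
    """Hosts seen by discovery but absent from the inventory: the list a
    defender reviews for forgotten or shadow infrastructure."""
    return sorted(set(found) - set(inventory))


def run_example():
    """Merge the constructed sources and return what the inventory is missing."""
    found = merge(
        hosts_from_crtsh(CRT_JSON),
        hosts_from_list(SUBFINDER_OUT),
        hosts_from_list(ASSETFINDER_OUT),
    )
    return unexpected_hosts(found, INVENTORY)


if __name__ == "__main__":
    for host in run_example():
        print("not in inventory:", host)
```

Feeding real files is a matter of replacing the constructed strings with the contents of subdomains.txt, assetfinder_output.txt and the saved crt.sh response; the wildcard handling is the one choice worth noting, since `*.dev.target.com` is recorded as `dev.target.com` rather than dropped, which keeps the parent name visible without inventing hosts under it.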

Google Dorking Search Engine OSINT

Advanced Google search queries for information disclosure

Find all indexed pages

site:target.com

Find PDF documents

site:target.com filetype:pdf

Find admin panels

site:target.com inurl:admin

Find directory listings

site:target.com intitle:"index of"

Find exposed git repositories

site:target.com inurl:.git

Find API keys

site:target.com intext:"api_key"

theHarvester Email & Domain OSINT

Gather emails, names, subdomains, IPs, and URLs

Search all data sources

theHarvester -d target.com -b all

Search Google only

theHarvester -d target.com -b google

Multiple sources with result limit

theHarvester -d target.com -b bing,linkedin -l 500

Save results to file

theHarvester -d target.com -b all -f harvester_output

Findomain Subdomain Discovery

Fast subdomain enumeration tool

Find subdomains and save

findomain -t target.com -o

Save to custom file

findomain -t target.com -u findomain_output.txt

Process multiple domains

findomain -f domains.txt -u output.txt

Sublist3r Subdomain Discovery

Python-based subdomain enumeration

Basic enumeration

sublist3r -d target.com -o sublist3r_output.txt

With brute force

sublist3r -d target.com -b -o sublist3r_bruteforce.txt

Specific search engines

sublist3r -d target.com -e google,bing,yahoo

Chaos ProjectDiscovery Dataset

Access ProjectDiscovery’s subdomain dataset

Get subdomains from Chaos dataset

chaos -d target.com -o chaos_output.txt

Silent mode

chaos -d target.com -silent

DNSenum DNS Enumeration

Multithreaded DNS information gathering

Basic DNS enumeration

dnsenum target.com

Full enumeration with output

dnsenum --enum target.com -o dnsenum_output.txt

Use specific DNS server

dnsenum --dnsserver 8.8.8.8 target.com

Multi-threaded scan

dnsenum --threads 10 target.com

DNSrecon DNS Reconnaissance

Advanced DNS enumeration script

Standard enumeration

dnsrecon -d target.com -t std

Zone transfer test

dnsrecon -d target.com -t axfr

Brute force with wordlist

dnsrecon -d target.com -t brt -D wordlist.txt

Reverse lookup

dnsrecon -d target.com -t rvl -r 192.168.1.0/24

Fierce DNS Scanner

DNS reconnaissance tool

Basic DNS scan

fierce --domain target.com

Scan specific subdomains

fierce --domain target.com --subdomains accounts,admin,api

Use custom DNS server

fierce --domain target.com --dns-servers 8.8.8.8

h8mail Email Breach Check

Email OSINT and breach hunting

Check single email

h8mail -t target@target.com

With configuration file

h8mail -t target@target.com -c h8mail_config.ini

Check multiple emails from file

h8mail -t targets.txt

WhatWeb Technology Detection

whatweb target.com

Webanalyze Tech Profiler

Analyze single host

webanalyze -host target.com

Use custom apps database

webanalyze -host target.com -apps apps.json

Analyze multiple hosts

webanalyze -hosts urls.txt -output json

GoSpider Web Crawler

Fast web spider written in Go

Basic crawl

gospider -s https://target.com -o output

Crawl with depth and concurrency

gospider -s https://target.com -c 10 -d 3

Include sitemap and robots.txt

gospider -s https://target.com --sitemap --robots

Crawl multiple sites

gospider -S sites.txt -o output -c 10 -d 2

Hakrawler Web Crawler

Simple, fast web crawler

Basic crawl

echo https://target.com | hakrawler

Crawl with depth

echo https://target.com | hakrawler -d 3

Include subdomains and unique URLs

echo https://target.com | hakrawler -subs -u -insecure

Crawl multiple URLs

cat urls.txt | hakrawler -d 2

Gau (Get All URLs) URL Collector

Fetch known URLs from multiple sources

Get all URLs

gau target.com

Save to file

gau target.com --o gau_output.txt

Include subdomains

gau target.com --subs

Blacklist file extensions

gau --blacklist png,jpg,gif target.com

Multi-threaded

echo target.com | gau --threads 5

Waymore Archive Scraper

Enhanced Wayback Machine scraper

Get URLs mode

waymore -i target.com -mode U

Get responses mode

waymore -i target.com -mode R

Save URLs to file

waymore -i target.com -oU urls.txt

🔐 Bug Bounty Hunting Methodology Guide

Remember: Always get proper authorization before testing. Happy hunting!

Made with 💚 for the Bug Bounty Community