The Ultimate 2026 Bug Bounty Recon Guide: 100+ Advanced Commands & Techniques

-

The Ultimate 2026 Bug Bounty Recon Guide

100+ Advanced Copy-Paste Commands That Find Real Bugs — Subdomain Discovery, Live Host Detection, Port Scanning, Content Discovery, Vulnerability Scanning, AI-Powered Automation & More

Subdomain Discovery Live Host Detection Port Scanning Content Discovery Nuclei Scanning Cloud Recon AI-Powered One-Liners
Kudos & Attribution: This guide is an expanded, advanced evolution of the outstanding original work published by the CipherOps team at CipherOps GitBook — Bug Bounty Notes. Their original article, "50 Copy-Paste Recon Commands That Find Bugs", is a must-read for every bug bounty hunter. We have built upon their foundation with additional commands, deeper explanations, new tool categories, and advanced automation techniques. All credit for the original 50 commands belongs to the CipherOps team. Follow them on GitBook for more incredible content.

Reconnaissance is the cornerstone of successful bug bounty hunting. The depth of your recon directly determines the quality of your findings. A hunter who spends 80% of their time on recon will consistently outperform one who rushes to exploitation. This guide provides a comprehensive, production-ready arsenal of over 100 commands, organized into a logical workflow from initial subdomain discovery all the way through AI-powered analysis and reporting. Every command is copy-paste ready — simply replace target.com with your actual target.

Legal Disclaimer: All commands and techniques described in this guide are intended exclusively for authorized security testing and bug bounty programs. Always obtain explicit written permission before testing any system. Unauthorized access to computer systems is illegal and unethical. Always verify the scope of a bug bounty program before running any active scans.

Table of Contents

  1. Subdomain Discovery (Commands 1–25)
  2. Live Host Detection (Commands 26–40)
  3. Port Scanning (Commands 41–55)
  4. Content Discovery (Commands 56–75)
  5. Automated Vulnerability Scanning — Nuclei (Commands 76–88)
  6. Advanced Recon Techniques (Commands 89–100)
  7. AI-Powered Reconnaissance (Commands 101–108)
  8. Master One-Liners
  9. Quick Tips & Best Practices
  10. Tool Reference Table
  11. References & Further Reading
Category Commands Key Tools Est. Time
Subdomain Discovery 1–25 subfinder, amass, puredns, dnsx 5–10 min
Live Host Detection 26–40 httpx 2–5 min
Port Scanning 41–55 naabu, nmap, masscan, rustscan 5–30 min
Content Discovery 56–75 feroxbuster, ffuf, katana, LinkFinder 10–30 min
Vulnerability Scanning 76–88 nuclei 10–60 min
Advanced Techniques 89–100 cloud_enum, trufflehog, gowitness Variable
AI-Powered Recon 101–108 OpenAI API, Python 1–5 min
🔍

Subdomain Discovery

Commands 1–25

Subdomain discovery is the foundation of any bug bounty engagement. The more subdomains you find, the larger your attack surface. A single forgotten staging server or a misconfigured development subdomain can be worth thousands of dollars. This section covers both passive techniques (which query third-party data sources without touching the target) and active techniques (which perform DNS queries directly against the target).

🔒 Passive Enumeration — No Direct DNS Queries

Passive techniques are stealthy and safe. They query public data sources like certificate transparency logs, internet archives, and threat intelligence platforms. Always start here to avoid triggering WAF alerts or rate limits on the target.

BASH Passive Subdomain Enumeration — Commands 1–18 
# ----------------------------------------------------------------
# COMMAND 1: Subfinder (All Sources)
# The fastest passive subdomain enumeration tool. Queries 40+
# sources including VirusTotal, Shodan, Censys, and more.
# Install: go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# ----------------------------------------------------------------
subfinder -d target.com -all -silent -o subs.txt

# ----------------------------------------------------------------
# COMMAND 2: Amass (Passive Mode)
# OWASP Amass is the gold standard for passive enumeration.
# It queries DNS, scrapes web archives, and uses APIs.
# Install: go install -v github.com/owasp-amass/amass/v4/...@master
# ----------------------------------------------------------------
amass enum -passive -d target.com -o amass.txt

# ----------------------------------------------------------------
# COMMAND 3: Assetfinder (Fast & Lightweight)
# Written by Tomnomnom. Excellent for quick initial enumeration.
# Install: go install github.com/tomnomnom/assetfinder@latest
# ----------------------------------------------------------------
assetfinder --subs-only target.com | tee assetfinder.txt

# ----------------------------------------------------------------
# COMMAND 4: Findomain (High Performance)
# Written in Rust. Extremely fast and reliable.
# Install: https://github.com/Findomain/Findomain/releases
# ----------------------------------------------------------------
findomain -t target.com -o findomain.txt

# ----------------------------------------------------------------
# COMMAND 5: Chaos (ProjectDiscovery Dataset)
# Access ProjectDiscovery's curated dataset of subdomains.
# Requires a free API key from chaos.projectdiscovery.io
# Install: go install -v github.com/projectdiscovery/chaos-client/cmd/chaos@latest
# ----------------------------------------------------------------
chaos -d target.com -silent -o chaos.txt

# ----------------------------------------------------------------
# COMMAND 6: GitHub Subdomain Search
# Finds subdomains mentioned in public GitHub repositories.
# Requires a GitHub personal access token.
# Install: go install github.com/gwen001/github-subdomains@latest
# ----------------------------------------------------------------
github-subdomains -d target.com -t YOUR_GITHUB_TOKEN | tee github_subs.txt

# ----------------------------------------------------------------
# COMMAND 7: Wayback Machine URL Mining
# Extracts subdomains from the Wayback Machine's URL archive.
# Install: go install github.com/tomnomnom/waybackurls@latest
# ----------------------------------------------------------------
echo "target.com" | waybackurls | grep -oE "[a-zA-Z0-9._-]+\.target\.com" | sort -u > wayback_subs.txt

# ----------------------------------------------------------------
# COMMAND 8: CRT.sh (Certificate Transparency Logs)
# Queries the certificate transparency log database.
# Wildcard certs often reveal internal subdomain naming patterns.
# ----------------------------------------------------------------
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > crtsh.txt

# ----------------------------------------------------------------
# COMMAND 9: AlienVault OTX (Open Threat Exchange)
# Queries AlienVault's passive DNS database. Free, no API key needed.
# ----------------------------------------------------------------
curl -s "https://otx.alienvault.com/api/v1/indicators/domain/target.com/passive_dns" | jq -r '.passive_dns[]?.hostname' | sort -u > alienvault.txt

# ----------------------------------------------------------------
# COMMAND 10: SecurityTrails (API Key Required)
# One of the most comprehensive passive DNS databases available.
# Free tier: 50 queries/month. Sign up at securitytrails.com
# ----------------------------------------------------------------
curl -s "https://api.securitytrails.com/v1/domain/target.com/subdomains" \
  -H "APIKEY: YOUR_API_KEY" | jq -r '.subdomains[]' | sed "s/$/.target.com/" > securitytrails.txt

# ----------------------------------------------------------------
# COMMAND 11: Shodan (API Key Required)
# Shodan indexes internet-connected devices. Great for finding
# subdomains that host services on non-standard ports.
# Install: pip3 install shodan
# ----------------------------------------------------------------
shodan domain target.com | grep -oE "[a-zA-Z0-9._-]+\.target\.com" | sort -u > shodan_subs.txt

# ----------------------------------------------------------------
# COMMAND 12: Censys (API Key Required)
# Censys scans the entire internet and indexes certificates.
# Sign up at censys.io for a free API key.
# Install: pip3 install censys
# ----------------------------------------------------------------
censys search "target.com" --index-type certificates \
  --fields parsed.names | jq -r '.[] | .parsed.names[]' | \
  grep "target.com" | sort -u > censys_subs.txt

# ----------------------------------------------------------------
# COMMAND 13: RapidDNS
# A fast and free passive DNS database.
# ----------------------------------------------------------------
curl -s "https://rapiddns.io/subdomain/target.com?full=1" | \
  grep -oE "[a-zA-Z0-9._-]+\.target\.com" | sort -u > rapiddns.txt

# ----------------------------------------------------------------
# COMMAND 14: HackerTarget
# Another free passive DNS lookup service.
# ----------------------------------------------------------------
curl -s "https://api.hackertarget.com/hostsearch/?q=target.com" | \
  cut -d',' -f1 | sort -u > hackertarget.txt

# ----------------------------------------------------------------
# COMMAND 15: URLScan.io
# Queries URLScan's database of scanned pages for subdomains.
# ----------------------------------------------------------------
curl -s "https://urlscan.io/api/v1/search/?q=domain:target.com&size=10000" | \
  jq -r '.results[].page.domain' | sort -u > urlscan.txt

# ----------------------------------------------------------------
# COMMAND 16: Sublist3r (Multi-Source)
# Enumerates subdomains using multiple search engines.
# Install: pip3 install sublist3r
# ----------------------------------------------------------------
sublist3r -d target.com -o sublist3r.txt

# ----------------------------------------------------------------
# COMMAND 17: TheHarvester (OSINT)
# Gathers emails, names, subdomains, IPs, and URLs from public sources.
# Install: pip3 install theHarvester
# ----------------------------------------------------------------
theHarvester -d target.com -b all -f theharvester_results

# ----------------------------------------------------------------
# COMMAND 18: Combine All Passive Sources & Deduplicate
# Merge all output files into a single, sorted, unique list.
# ----------------------------------------------------------------
cat subs.txt amass.txt assetfinder.txt findomain.txt chaos.txt \
    github_subs.txt wayback_subs.txt crtsh.txt alienvault.txt \
    securitytrails.txt shodan_subs.txt censys_subs.txt rapiddns.txt \
    hackertarget.txt urlscan.txt sublist3r.txt 2>/dev/null | \
    grep "target.com" | sort -u > all_passive_subs.txt

echo "[+] Total unique passive subdomains: $(wc -l < all_passive_subs.txt)"
🔨 Active Enumeration — DNS Brute-Forcing

Active enumeration involves directly querying DNS servers to discover subdomains by brute-forcing common names. This is significantly more powerful than passive enumeration but generates DNS traffic that may be logged. Use a high-quality wordlist like SecLists or Commonspeak2 for best results.

BASH Active DNS Brute-Forcing — Commands 19–25 
# ----------------------------------------------------------------
# COMMAND 19: puredns (Recommended for Brute-Forcing)
# The most accurate DNS brute-forcing tool. Handles wildcard
# filtering and DNS poisoning automatically.
# Install: go install github.com/d3mondev/puredns/v2@latest
# Wordlist: https://github.com/danielmiessler/SecLists
# ----------------------------------------------------------------
puredns bruteforce /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
  target.com -r /path/to/resolvers.txt -w puredns_results.txt

# ----------------------------------------------------------------
# COMMAND 20: dnsx (DNS Resolver & Validator)
# Resolve and validate a list of subdomains. Filters out
# dead or non-resolving subdomains.
# Install: go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
# ----------------------------------------------------------------
dnsx -l all_passive_subs.txt -silent -o resolved_subs.txt

# ----------------------------------------------------------------
# COMMAND 21: massdns (Ultra-High-Speed Brute-Forcing)
# Can resolve millions of subdomains per second using public resolvers.
# Install: https://github.com/blechschmidt/massdns
# ----------------------------------------------------------------
massdns -r /path/to/resolvers.txt -t A -o S \
  -w massdns_results.txt \
  /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

# ----------------------------------------------------------------
# COMMAND 22: shuffledns (Combines massdns + puredns)
# Handles both brute-forcing and resolving in one tool.
# Install: go install -v github.com/projectdiscovery/shuffledns/cmd/shuffledns@latest
# ----------------------------------------------------------------
shuffledns -d target.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
  -r /path/to/resolvers.txt \
  -o shuffledns_results.txt

# ----------------------------------------------------------------
# COMMAND 23: dnsgen (Permutation & Alteration)
# Generates subdomain permutations from a known list.
# Excellent for finding dev, staging, and regional variants.
# Install: pip3 install dnsgen
# ----------------------------------------------------------------
cat resolved_subs.txt | dnsgen - | \
  massdns -r /path/to/resolvers.txt -t A -o S -w dnsgen_results.txt

# ----------------------------------------------------------------
# COMMAND 24: gobuster (DNS Mode)
# A versatile brute-forcing tool with DNS mode support.
# Install: go install github.com/OJ/gobuster/v3@latest
# ----------------------------------------------------------------
gobuster dns -d target.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -t 50 -o gobuster_dns.txt

# ----------------------------------------------------------------
# COMMAND 25: Final Merge & Resolve All Discovered Subdomains
# Combine passive + active results, resolve, and get live hosts.
# ----------------------------------------------------------------
cat all_passive_subs.txt puredns_results.txt shuffledns_results.txt \
    dnsgen_results.txt gobuster_dns.txt 2>/dev/null | \
    sort -u | dnsx -silent -o all_resolved_subs.txt

echo "[+] Total resolved subdomains: $(wc -l < all_resolved_subs.txt)"
📶

Live Host Detection

Commands 26–40

Not every resolved subdomain hosts a live web service. Live host detection probes each subdomain over HTTP and HTTPS to identify which ones are actually serving content. The httpx tool by ProjectDiscovery is the industry standard for this task, offering a rich set of flags for extracting metadata in a single pass.

BASH Live Host Detection with httpx — Commands 26–40 
# ----------------------------------------------------------------
# COMMAND 26: Basic HTTP Probing
# Identify which subdomains are serving HTTP/HTTPS content.
# Install: go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -silent -o live_hosts.txt

# ----------------------------------------------------------------
# COMMAND 27: httpx with Status Codes
# Status codes reveal a lot: 200 = live, 301/302 = redirect,
# 401/403 = protected (potential bypass target), 500 = error.
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -status-code -silent -o hosts_status.txt

# ----------------------------------------------------------------
# COMMAND 28: httpx with Page Title Extraction
# Page titles quickly identify the purpose of each host.
# Look for: "Admin", "Login", "Dashboard", "API", "Dev", "Staging".
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -title -silent -o hosts_title.txt

# ----------------------------------------------------------------
# COMMAND 29: httpx with Technology Detection
# Identifies the tech stack (CMS, frameworks, libraries).
# Use this to target known CVEs for specific technologies.
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -tech-detect -silent -o hosts_tech.txt

# ----------------------------------------------------------------
# COMMAND 30: httpx with Web Server Detection
# Identifies the web server (Apache, Nginx, IIS, Tomcat, etc.).
# Different servers have different vulnerability profiles.
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -web-server -silent -o hosts_server.txt

# ----------------------------------------------------------------
# COMMAND 31: httpx with IP Resolution
# Maps each subdomain to its IP address.
# Useful for identifying shared hosting and cloud providers.
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -ip -silent -o hosts_ip.txt

# ----------------------------------------------------------------
# COMMAND 32: httpx with CDN Detection
# Identifies if a host is behind a CDN (Cloudflare, Akamai, etc.).
# Hosts NOT behind a CDN are often more interesting targets.
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -cdn -silent -o hosts_cdn.txt

# ----------------------------------------------------------------
# COMMAND 33: httpx with Response Time
# Slow response times can indicate backend processing or
# potential for timing-based attacks.
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -response-time -silent -o hosts_response.txt

# ----------------------------------------------------------------
# COMMAND 34: httpx with Content Type
# Identifies the content type of the response.
# JSON responses often indicate API endpoints.
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -content-type -silent -o hosts_content.txt

# ----------------------------------------------------------------
# COMMAND 35: httpx with Final URL (Follow Redirects)
# Follows all redirects to find the final destination URL.
# Useful for discovering redirect chains and open redirects.
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -follow-redirects -silent -o hosts_final.txt

# ----------------------------------------------------------------
# COMMAND 36: httpx - Match Specific Strings in Response Body
# Find hosts with specific keywords like "staging", "admin",
# "debug", "internal", "test", "dev", "beta", "api".
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -match-string "staging" -silent -o staging_hosts.txt
httpx -l all_resolved_subs.txt -match-string "admin" -silent -o admin_hosts.txt
httpx -l all_resolved_subs.txt -match-string "debug" -silent -o debug_hosts.txt

# ----------------------------------------------------------------
# COMMAND 37: httpx - Filter by Status Code
# Focus on specific status codes. 403 hosts are often
# bypassable with header manipulation or path traversal.
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -mc 200 -silent -o hosts_200.txt
httpx -l all_resolved_subs.txt -mc 403 -silent -o hosts_403.txt
httpx -l all_resolved_subs.txt -mc 401 -silent -o hosts_401.txt

# ----------------------------------------------------------------
# COMMAND 38: httpx - Extract Response Headers
# Look for security headers (or the lack thereof).
# Missing security headers are reportable findings.
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -include-response-header -silent | \
  grep -v "X-Frame-Options\|Content-Security-Policy\|X-XSS-Protection" > missing_security_headers.txt

# ----------------------------------------------------------------
# COMMAND 39: httpx - Probe Specific Ports
# Check for web services running on non-standard ports.
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt -ports 80,443,8080,8443,3000,5000,8000,9000,9090,4443 \
  -silent -o hosts_all_ports.txt

# ----------------------------------------------------------------
# COMMAND 40: THE ULTIMATE httpx ONE-LINER
# Get everything in a single pass. This is the most efficient
# way to run httpx and the recommended starting point.
# ----------------------------------------------------------------
httpx -l all_resolved_subs.txt \
  -status-code -title -tech-detect -web-server -ip -cdn \
  -content-type -follow-redirects \
  -silent -o hosts_full.txt

echo "[+] Live hosts discovered: $(wc -l < live_hosts.txt)"
🔌

Port Scanning

Commands 41–55

Port scanning reveals services running on non-standard ports that are often overlooked by other hunters. A forgotten Jenkins instance on port 8080, an exposed Redis database on port 6379, or an unprotected Kubernetes API on port 6443 can all lead to critical findings. Use a layered approach: start fast with naabu or rustscan, then follow up with nmap for service detection.

BASH Port Scanning — Commands 41–55 
# ----------------------------------------------------------------
# COMMAND 41: naabu - Top 100 Ports (Fast)
# The fastest port scanner for bug bounty. Built by ProjectDiscovery.
# Install: go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
# ----------------------------------------------------------------
naabu -list live_hosts.txt -top-ports 100 -silent -o ports_top100.txt

# ----------------------------------------------------------------
# COMMAND 42: naabu - Common Web Ports
# Focus on ports commonly used for web applications.
# ----------------------------------------------------------------
naabu -list live_hosts.txt -p 80,443,8080,8443,3000,5000,8000,9000,9090,4443,10443 \
  -silent -o ports_web.txt

# ----------------------------------------------------------------
# COMMAND 43: naabu - Full Port Scan (All 65535 Ports)
# Comprehensive but slow. Run overnight or in a tmux session.
# ----------------------------------------------------------------
naabu -list live_hosts.txt -p - -silent -o ports_all.txt

# ----------------------------------------------------------------
# COMMAND 44: nmap - Top Ports with Service & Version Detection
# The gold standard for service identification.
# -sV: Version detection, -sC: Default scripts
# ----------------------------------------------------------------
nmap -iL live_hosts.txt --top-ports 100 -sV -sC -oN nmap_top100.txt

# ----------------------------------------------------------------
# COMMAND 45: nmap - Quick Scan (Fast)
# -F: Fast mode (top 100 ports), -T4: Aggressive timing
# ----------------------------------------------------------------
nmap -iL live_hosts.txt -F -T4 -oN nmap_quick.txt

# ----------------------------------------------------------------
# COMMAND 46: masscan - Ultra-Fast Full Port Scan
# Can scan the entire internet in under 6 minutes.
# WARNING: Very noisy. Use with caution and only on authorized targets.
# ----------------------------------------------------------------
masscan -iL live_hosts.txt -p1-65535 --rate=1000 -oL masscan.txt

# ----------------------------------------------------------------
# COMMAND 47: rustscan - The Fastest Port Scanner
# Written in Rust. Scans all 65535 ports in seconds.
# Install: https://github.com/RustScan/RustScan/releases
# ----------------------------------------------------------------
rustscan -a $(cat live_hosts.txt | tr '\n' ',') -- -A -sV

# ----------------------------------------------------------------
# COMMAND 48: naabu - Find Open RDP (Remote Desktop Protocol)
# Open RDP (3389) is often a high-severity finding.
# ----------------------------------------------------------------
naabu -list live_hosts.txt -p 3389 -silent -o ports_rdp.txt

# ----------------------------------------------------------------
# COMMAND 49: naabu - Find Open SSH
# Default SSH port. Look for weak credentials or outdated versions.
# ----------------------------------------------------------------
naabu -list live_hosts.txt -p 22 -silent -o ports_ssh.txt

# ----------------------------------------------------------------
# COMMAND 50: naabu - Find Open SMB
# SMB (445) is a common target for lateral movement and data exfil.
# ----------------------------------------------------------------
naabu -list live_hosts.txt -p 445 -silent -o ports_smb.txt

# ----------------------------------------------------------------
# COMMAND 51: naabu - Find Exposed Databases
# Exposed databases are critical findings in bug bounties.
# MySQL(3306), PostgreSQL(5432), MSSQL(1433), MongoDB(27017),
# Redis(6379), Elasticsearch(9200), Cassandra(9042)
# ----------------------------------------------------------------
naabu -list live_hosts.txt -p 3306,5432,1433,27017,6379,9200,9042,5984 \
  -silent -o ports_db.txt

# ----------------------------------------------------------------
# COMMAND 52: naabu - Find Exposed Admin Panels & Dev Tools
# Jenkins(8080), Grafana(3000), Kibana(5601), Prometheus(9090),
# Portainer(9000), Jupyter(8888), RabbitMQ(15672)
# ----------------------------------------------------------------
naabu -list live_hosts.txt -p 8080,3000,5601,9090,9000,8888,15672,4848 \
  -silent -o ports_admin.txt

# ----------------------------------------------------------------
# COMMAND 53: naabu - Find Kubernetes & Docker Services
# Kubernetes API(6443), Docker API(2375/2376), etcd(2379)
# ----------------------------------------------------------------
naabu -list live_hosts.txt -p 6443,2375,2376,2379,10250 \
  -silent -o ports_k8s_docker.txt

# ----------------------------------------------------------------
# COMMAND 54: nmap - Vulnerability Script Scan
# Run Nmap's built-in vulnerability detection scripts.
# ----------------------------------------------------------------
nmap -iL live_hosts.txt --script vuln -oN nmap_vuln.txt

# ----------------------------------------------------------------
# COMMAND 55: Combined Port Scan + httpx Probe
# Discover open ports and immediately probe them for web services.
# ----------------------------------------------------------------
naabu -list live_hosts.txt -top-ports 1000 -silent | \
  httpx -silent -status-code -title -o web_services_all_ports.txt
📂

Content Discovery

Commands 56–75

Content discovery uncovers hidden files, directories, API endpoints, and parameters that are not publicly linked. This is where many high-severity bugs are found: exposed .git directories, backup files, admin panels, and undocumented API endpoints. Use a combination of directory brute-forcing, web crawling, and JavaScript analysis for maximum coverage.

BASH Directory & File Brute-Forcing — Commands 56–65 
# ----------------------------------------------------------------
# COMMAND 56: feroxbuster - Fast Directory Brute Force
# A fast, recursive content discovery tool written in Rust.
# Install: https://github.com/epi052/feroxbuster/releases
# ----------------------------------------------------------------
feroxbuster -u https://target.com \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -t 50 -o dirs_fast.txt

# ----------------------------------------------------------------
# COMMAND 57: feroxbuster - Comprehensive Directory Scan
# Use the large raft wordlist for maximum coverage.
# ----------------------------------------------------------------
feroxbuster -u https://target.com \
  -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt \
  -t 30 --depth 3 -o dirs_full.txt

# ----------------------------------------------------------------
# COMMAND 58: feroxbuster - File Discovery
# Hunt for specific file types: config files, backups, logs.
# ----------------------------------------------------------------
feroxbuster -u https://target.com \
  -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt \
  -t 30 -o files.txt

# ----------------------------------------------------------------
# COMMAND 59: feroxbuster - API Endpoint Discovery
# Discover REST API endpoints using a dedicated wordlist.
# ----------------------------------------------------------------
feroxbuster -u https://target.com/api \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -t 30 -o api_endpoints.txt

# ----------------------------------------------------------------
# COMMAND 60: ffuf - Backup File Discovery
# Find backup files that may contain source code or credentials.
# ----------------------------------------------------------------
ffuf -u https://target.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/backup_files.txt \
  -mc 200,301,302 -o backups.txt -of json

# ----------------------------------------------------------------
# COMMAND 61: ffuf - Git Directory Exposure
# An exposed .git directory can leak the entire source code.
# ----------------------------------------------------------------
ffuf -u https://target.com/.git/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -mc 200 -o git_exposed.txt

# ----------------------------------------------------------------
# COMMAND 62: ffuf - Configuration File Discovery
# Find exposed configuration files with credentials or secrets.
# ----------------------------------------------------------------
ffuf -u https://target.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/config_files.txt \
  -mc 200 -o configs.txt

# ----------------------------------------------------------------
# COMMAND 63: ffuf - Subdomain Fuzzing (Virtual Host Discovery)
# Discover virtual hosts that are not in DNS by fuzzing the
# Host header. Useful for finding internal applications.
# ----------------------------------------------------------------
ffuf -u https://target.com/ \
  -H "Host: FUZZ.target.com" \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -mc 200,301,302 -o vhosts.txt

# ----------------------------------------------------------------
# COMMAND 64: dirsearch - Comprehensive Web Path Scanner
# A mature and reliable directory scanner with many features.
# Install: pip3 install dirsearch
# ----------------------------------------------------------------
dirsearch -u https://target.com -e php,asp,aspx,jsp,html,js,txt,bak \
  -o dirsearch_results.txt

# ----------------------------------------------------------------
# COMMAND 65: gobuster - Directory Mode
# Fast and reliable directory brute-forcing.
# ----------------------------------------------------------------
gobuster dir -u https://target.com \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -t 50 -o gobuster_dirs.txt
BASH Web Crawling & JavaScript Analysis — Commands 66–75 
# ----------------------------------------------------------------
# COMMAND 66: katana - Modern Web Crawler
# A fast, configurable web crawler from ProjectDiscovery.
# Supports JavaScript rendering with headless browser.
# Install: go install github.com/projectdiscovery/katana/cmd/katana@latest
# ----------------------------------------------------------------
katana -u https://target.com -depth 3 -jc -o katana_results.txt

# ----------------------------------------------------------------
# COMMAND 67: gospider - Fast Web Crawler
# Crawls a website and extracts all URLs, forms, and endpoints.
# Install: go install github.com/jaeles-project/gospider@latest
# ----------------------------------------------------------------
gospider -s "https://target.com" -c 10 -d 3 -o gospider_results/

# ----------------------------------------------------------------
# COMMAND 68: hakrawler - Simple & Fast Web Crawler
# Extracts URLs, forms, and JavaScript files from a website.
# Install: go install github.com/hakluke/hakrawler@latest
# ----------------------------------------------------------------
echo "https://target.com" | hakrawler -depth 3 -insecure | tee hakrawler_results.txt

# ----------------------------------------------------------------
# COMMAND 69: waybackurls - Historical URL Mining
# Extracts all URLs ever crawled by the Wayback Machine.
# Great for finding old, forgotten endpoints.
# ----------------------------------------------------------------
cat live_hosts.txt | waybackurls | sort -u > wayback_all_urls.txt

# ----------------------------------------------------------------
# COMMAND 70: waybackurls - Extract URLs with Parameters
# URLs with parameters are prime targets for injection attacks.
# ----------------------------------------------------------------
cat live_hosts.txt | waybackurls | grep "?" | sort -u > wayback_params.txt

# ----------------------------------------------------------------
# COMMAND 71: getJS - JavaScript File Discovery
# Finds all JavaScript files linked from a list of hosts.
# Install: go install github.com/003random/getJS@latest
# ----------------------------------------------------------------
getJS -input live_hosts.txt -output js_files.txt

# ----------------------------------------------------------------
# COMMAND 72: LinkFinder - Endpoint Discovery in JS Files
# Parses JavaScript files to find hidden API endpoints and paths.
# Install: pip3 install linkfinder
# ----------------------------------------------------------------
python3 linkfinder.py -i https://target.com/app.js -o cli
# Or scan all JS files from a list:
cat js_files.txt | xargs -I {} python3 linkfinder.py -i {} -o cli | sort -u > js_endpoints.txt

# ----------------------------------------------------------------
# COMMAND 73: SecretFinder - Secret Detection in JS Files
# Finds API keys, tokens, passwords, and other secrets in JS files.
# Install: pip3 install secretfinder
# ----------------------------------------------------------------
python3 SecretFinder.py -i https://target.com/app.js -o cli
# Or scan all JS files:
cat js_files.txt | xargs -I {} python3 SecretFinder.py -i {} -o cli > secrets_found.txt

# ----------------------------------------------------------------
# COMMAND 74: arjun - HTTP Parameter Discovery
# Discovers hidden GET and POST parameters for a given URL.
# Install: pip3 install arjun
# ----------------------------------------------------------------
arjun -u https://target.com/api/endpoint -oT arjun_params.txt
# Scan multiple URLs:
arjun -i live_hosts.txt -oT arjun_all_params.txt

# ----------------------------------------------------------------
# COMMAND 75: Combine All Discovered URLs & Endpoints
# Merge all content discovery results into a master URL list.
# ----------------------------------------------------------------
cat katana_results.txt gospider_results/*.txt hakrawler_results.txt \
    wayback_all_urls.txt js_endpoints.txt 2>/dev/null | \
    grep "target.com" | sort -u > all_discovered_urls.txt

echo "[+] Total unique URLs discovered: $(wc -l < all_discovered_urls.txt)"
💣

Automated Vulnerability Scanning — Nuclei

Commands 76–88

Nuclei by ProjectDiscovery is the most powerful open-source vulnerability scanner available to bug bounty hunters. It uses a YAML-based template system with over 9,000 community-contributed templates covering CVEs, misconfigurations, exposed panels, default credentials, and much more. Running Nuclei against your live hosts is one of the highest-ROI activities in bug bounty hunting.

Pro Tip: Always run nuclei -update-templates before starting a new engagement to ensure you have the latest templates. New templates are added daily by the community.
BASH Nuclei Vulnerability Scanning — Commands 76–88 
# ----------------------------------------------------------------
# COMMAND 76: Update Nuclei Templates (Always Do This First!)
# Install: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# ----------------------------------------------------------------
nuclei -update-templates

# ----------------------------------------------------------------
# COMMAND 77: Basic Nuclei Scan (Single Target)
# Runs all templates against a single URL.
# ----------------------------------------------------------------
nuclei -u https://target.com -o nuclei_single.txt

# ----------------------------------------------------------------
# COMMAND 78: Nuclei Scan (List of Targets)
# Runs all templates against a list of live hosts.
# ----------------------------------------------------------------
nuclei -l live_hosts.txt -o nuclei_all.txt

# ----------------------------------------------------------------
# COMMAND 79: Nuclei - CVE Scanning
# Focus exclusively on known CVEs. High signal-to-noise ratio.
# ----------------------------------------------------------------
nuclei -l live_hosts.txt -t cves/ -severity critical,high -o nuclei_cves.txt

# ----------------------------------------------------------------
# COMMAND 80: Nuclei - Exposed Panels & Login Pages
# Find admin panels, login pages, and management interfaces.
# ----------------------------------------------------------------
nuclei -l live_hosts.txt -t exposed-panels/ -o nuclei_panels.txt

# ----------------------------------------------------------------
# COMMAND 81: Nuclei - Misconfiguration Detection
# Find common misconfigurations in web servers and applications.
# ----------------------------------------------------------------
nuclei -l live_hosts.txt -t misconfiguration/ -o nuclei_misconfig.txt

# ----------------------------------------------------------------
# COMMAND 82: Nuclei - Default Credentials Testing
# Test for default usernames and passwords on admin panels.
# ----------------------------------------------------------------
nuclei -l live_hosts.txt -t default-logins/ -o nuclei_default_creds.txt

# ----------------------------------------------------------------
# COMMAND 83: Nuclei - Subdomain Takeover Detection
# Detect CNAME records pointing to unclaimed third-party services.
# ----------------------------------------------------------------
nuclei -l live_hosts.txt -t dns/subdomain-takeover.yaml -o nuclei_takeover.txt

# ----------------------------------------------------------------
# COMMAND 84: Nuclei - Technology Detection
# Identify the technology stack of each host.
# ----------------------------------------------------------------
nuclei -l live_hosts.txt -t technologies/ -o nuclei_tech.txt

# ----------------------------------------------------------------
# COMMAND 85: Nuclei - Exposure Detection
# Find exposed sensitive files, directories, and data.
# ----------------------------------------------------------------
nuclei -l live_hosts.txt -t exposures/ -o nuclei_exposures.txt

# ----------------------------------------------------------------
# COMMAND 86: Nuclei - Headless Browser Scanning
# Use a headless browser for JavaScript-heavy applications.
# Catches vulnerabilities that require JavaScript execution.
# ----------------------------------------------------------------
nuclei -l live_hosts.txt -headless -t headless/ -o nuclei_headless.txt

# ----------------------------------------------------------------
# COMMAND 87: Nuclei - Rate-Limited Scan (Respectful)
# Limit requests per second to avoid overwhelming the target
# and to stay within bug bounty program guidelines.
# ----------------------------------------------------------------
nuclei -l live_hosts.txt -rate-limit 50 -bulk-size 10 -o nuclei_ratelimited.txt

# ----------------------------------------------------------------
# COMMAND 88: Nuclei - Full Comprehensive Scan
# The ultimate Nuclei command. Covers all template categories.
# Run this for a complete automated vulnerability assessment.
# ----------------------------------------------------------------
nuclei -l live_hosts.txt \
  -t cves/,exposures/,misconfiguration/,exposed-panels/,default-logins/,technologies/ \
  -severity critical,high,medium \
  -rate-limit 100 \
  -o nuclei_comprehensive.txt

echo "[+] Nuclei scan complete. Results saved to nuclei_comprehensive.txt"

Advanced Recon Techniques

Commands 89–100

These advanced techniques go beyond the basics and target specific, high-value attack surfaces: cloud storage misconfigurations, exposed Git repositories, secret leakage in source code, subdomain takeovers, and visual reconnaissance. These are the techniques that separate top-tier bug bounty hunters from the rest.

BASH Advanced Recon Techniques — Commands 89–100 
# ----------------------------------------------------------------
# COMMAND 89: Cloud Enumeration - cloud_enum
# Discovers cloud assets (S3, Azure Blob, GCP Storage) for a target.
# Install: pip3 install cloud-enum
# ----------------------------------------------------------------
cloud_enum -k target -k targetcompany -k target-company \
  --disable-azure --disable-gcp -o cloud_enum_results.txt

# ----------------------------------------------------------------
# COMMAND 90: AWS S3 Bucket Enumeration
# Check if a specific S3 bucket is publicly accessible.
# ----------------------------------------------------------------
aws s3 ls s3://target-company-assets --no-sign-request
aws s3 ls s3://target-backup --no-sign-request
aws s3 ls s3://target-dev --no-sign-request

# ----------------------------------------------------------------
# COMMAND 91: S3Scanner - Bulk S3 Bucket Scanning
# Scans a list of potential bucket names for public access.
# Install: pip3 install s3scanner
# ----------------------------------------------------------------
echo -e "target\ntarget-dev\ntarget-staging\ntarget-backup\ntarget-assets" | \
  s3scanner scan --bucket-file -

# ----------------------------------------------------------------
# COMMAND 92: TruffleHog - Secret Detection in Git Repos
# Scans Git repositories for high-entropy strings and secrets.
# Install: pip3 install truffleHog
# ----------------------------------------------------------------
trufflehog git https://github.com/target-org/target-repo.git
# Scan a local directory:
trufflehog filesystem /path/to/cloned/repo

# ----------------------------------------------------------------
# COMMAND 93: git-dumper - Dump Exposed .git Directories
# Reconstructs source code from an exposed .git directory.
# Install: pip3 install git-dumper
# ----------------------------------------------------------------
git-dumper https://target.com/.git/ ~/git-dumper-output/
# After dumping, search for secrets:
grep -r "password\|secret\|api_key\|token\|credential" ~/git-dumper-output/

# ----------------------------------------------------------------
# COMMAND 94: Subdomain Takeover - subzy
# Checks a list of subdomains for potential takeover vulnerabilities.
# Install: go install github.com/LukaSikic/subzy@latest
# ----------------------------------------------------------------
subzy run --targets live_hosts.txt --output subzy_results.txt

# ----------------------------------------------------------------
# COMMAND 95: Subdomain Takeover - subjack
# Another excellent subdomain takeover detection tool.
# Install: go install github.com/haccer/subjack@latest
# ----------------------------------------------------------------
subjack -w live_hosts.txt -t 100 -timeout 30 -o subjack_results.txt -ssl

# ----------------------------------------------------------------
# COMMAND 96: Visual Reconnaissance - gowitness
# Takes screenshots of all live hosts for visual review.
# Install: go install github.com/sensepost/gowitness@latest
# ----------------------------------------------------------------
gowitness file -f live_hosts.txt --screenshot-path ./screenshots/
# Generate an HTML report:
gowitness report generate

# ----------------------------------------------------------------
# COMMAND 97: Visual Reconnaissance - aquatone
# Takes screenshots and generates a beautiful HTML report.
# Install: https://github.com/michenriksen/aquatone/releases
# ----------------------------------------------------------------
cat live_hosts.txt | aquatone -out aquatone_report/ -threads 5

# ----------------------------------------------------------------
# COMMAND 98: Shodan CLI - Advanced Search
# Search Shodan for specific services, technologies, and vulnerabilities.
# Install: pip3 install shodan
# ----------------------------------------------------------------
shodan search "org:\"Target Organization\" http.title:\"Admin\""
shodan search "ssl.cert.subject.cn:*.target.com"
shodan search "hostname:target.com port:8080"

# ----------------------------------------------------------------
# COMMAND 99: Google Dorks - Manual OSINT
# Use Google's advanced search operators to find sensitive info.
# Run these manually in your browser.
# ----------------------------------------------------------------
# site:target.com filetype:pdf OR filetype:xls OR filetype:docx
# site:target.com inurl:admin OR inurl:login OR inurl:dashboard
# site:target.com intext:"password" OR intext:"api_key" OR intext:"secret"
# site:github.com "target.com" "api_key"
# site:pastebin.com "target.com"
# inurl:target.com ext:env OR ext:log OR ext:bak OR ext:sql

# ----------------------------------------------------------------
# COMMAND 100: anew - Track New Subdomains Over Time
# Use anew to continuously monitor for new subdomains.
# Install: go install github.com/tomnomnom/anew@latest
# ----------------------------------------------------------------
# Run this daily via cron to track new assets:
subfinder -d target.com -all -silent | anew tracked_subs.txt | \
  httpx -silent | anew live_hosts_new.txt
🤖

AI-Powered Reconnaissance

Commands 101–108

Artificial intelligence is transforming bug bounty hunting. AI can generate intelligent subdomain wordlists, craft targeted Google dorks, analyze technology stacks for vulnerabilities, prioritize targets, and generate professional reports. These Python scripts use the OpenAI API to supercharge your recon workflow. Set your API key as an environment variable: export OPENAI_API_KEY="your_key_here"

Important: These scripts require an OpenAI API key and will incur API costs. The GPT-3.5-turbo model is cost-effective for most tasks. Use GPT-4 for complex analysis where accuracy is critical.
PYTHON AI-Powered Recon Scripts — Commands 101–108 
# ----------------------------------------------------------------
# COMMAND 101: AI Subdomain Wordlist Generator
# Generates intelligent, context-aware subdomain prefixes.
# Save as: ai_subdomain_gen.py
# ----------------------------------------------------------------
"""
import openai, os

openai.api_key = os.getenv("OPENAI_API_KEY")
target = "target.com"
prompt = (
    f"Generate 100 realistic subdomain prefixes for {target}. "
    "Include: environments (dev, staging, uat, qa, prod, beta, alpha), "
    "services (api, mail, ftp, vpn, cdn, static, assets, media, img), "
    "regions (us-east, eu-west, ap-southeast, us-west, ca-central), "
    "internal tools (jenkins, jira, confluence, gitlab, grafana, kibana), "
    "and any other common subdomain patterns. One per line, no explanations."
)

response = openai.ChatCompletion.create(
    model="gpt-3.5-turbo",
    messages=[{"role": "user", "content": prompt}]
)

wordlist = response.choices[0].message.content.strip().split('\n')
with open('ai_wordlist.txt', 'w') as f:
    f.write('\n'.join(wordlist))

print(f"[+] Generated {len(wordlist)} subdomain prefixes. Saved to ai_wordlist.txt")
"""

# ----------------------------------------------------------------
# COMMAND 102: AI Google Dorks Generator
# Creates highly targeted Google dorks for a specific company.
# ----------------------------------------------------------------
"""
import openai, os

openai.api_key = os.getenv("OPENAI_API_KEY")
target = "target.com"
company_name = "Target Company"

prompt = (
    f"Generate 25 advanced Google dorks to find sensitive information "
    f"about {company_name} ({target}). Include dorks for: "
    "exposed configuration files (.env, config.php, settings.py), "
    "exposed credentials in code (GitHub, GitLab, Bitbucket), "
    "admin and login panels, API documentation, "
    "exposed cloud storage (S3, Azure Blob), "
    "employee information and org charts, "
    "exposed databases and backups, "
    "and any other high-value targets. Format each dork on its own line."
)

response = openai.ChatCompletion.create(
    model="gpt-3.5-turbo",
    messages=[{"role": "user", "content": prompt}]
)

print(response.choices[0].message.content)
"""

# ----------------------------------------------------------------
# COMMAND 103: AI Technology Stack Vulnerability Analyzer
# Analyzes httpx tech-detect output and suggests attack vectors.
# ----------------------------------------------------------------
"""
import openai, os

openai.api_key = os.getenv("OPENAI_API_KEY")

with open('hosts_tech.txt', 'r') as f:
    tech_data = f.read()

prompt = (
    "You are an expert bug bounty hunter. Analyze the following technology "
    "stack detection output from httpx. For each unique technology identified:\n"
    "1. List known CVEs or vulnerability classes relevant to that technology.\n"
    "2. Suggest specific Nuclei templates to run.\n"
    "3. Recommend manual testing techniques.\n"
    "4. Prioritize the most promising attack vectors.\n\n"
    f"Technology Detection Output:\n{tech_data}"
)

response = openai.ChatCompletion.create(
    model="gpt-4",
    messages=[{"role": "user", "content": prompt}]
)

with open('ai_tech_analysis.txt', 'w') as f:
    f.write(response.choices[0].message.content)

print("[+] AI technology analysis saved to ai_tech_analysis.txt")
"""

# ----------------------------------------------------------------
# COMMAND 104: AI Target Prioritization
# Analyzes all recon data and ranks targets by potential value.
# ----------------------------------------------------------------
"""
import openai, os

openai.api_key = os.getenv("OPENAI_API_KEY")

with open('hosts_full.txt', 'r') as f:
    hosts_data = f.read()

prompt = (
    "You are an expert bug bounty hunter. Analyze the following list of "
    "live hosts with their status codes, titles, and technologies. "
    "Identify and rank the top 15 most promising targets for bug bounty "
    "hunting. For each target, explain:\n"
    "1. Why it is interesting (technology, title, status code).\n"
    "2. What vulnerabilities to look for first.\n"
    "3. Specific commands or tools to use next.\n\n"
    f"Live Hosts Data:\n{hosts_data[:8000]}"
)

response = openai.ChatCompletion.create(
    model="gpt-4",
    messages=[{"role": "user", "content": prompt}]
)

with open('ai_priorities.txt', 'w') as f:
    f.write(response.choices[0].message.content)

print("[+] AI target prioritization saved to ai_priorities.txt")
"""

# ----------------------------------------------------------------
# COMMAND 105: AI Recon Report Generator
# Generates a professional recon summary report from all findings.
# ----------------------------------------------------------------
"""
import openai, os

openai.api_key = os.getenv("OPENAI_API_KEY")

with open('live_hosts.txt', 'r') as f:
    hosts = f.read()
with open('ports_top100.txt', 'r') as f:
    ports = f.read()
with open('nuclei_comprehensive.txt', 'r') as f:
    nuclei = f.read()

prompt = (
    "Generate a professional, structured bug bounty reconnaissance report "
    "in Markdown format. Include the following sections:\n"
    "1. Executive Summary\n"
    "2. Scope & Methodology\n"
    "3. Assets Discovered (subdomains, live hosts)\n"
    "4. Open Ports & Services\n"
    "5. Technology Stack Analysis\n"
    "6. Automated Findings (from Nuclei)\n"
    "7. Recommended Next Steps\n"
    "8. Risk Assessment\n\n"
    f"Live Hosts ({len(hosts.splitlines())} total):\n{hosts[:2000]}\n\n"
    f"Open Ports:\n{ports[:2000]}\n\n"
    f"Nuclei Findings:\n{nuclei[:3000]}"
)

response = openai.ChatCompletion.create(
    model="gpt-4",
    messages=[{"role": "user", "content": prompt}]
)

with open('recon_report.md', 'w') as f:
    f.write(response.choices[0].message.content)

print("[+] Professional recon report saved to recon_report.md")
"""

# ----------------------------------------------------------------
# COMMAND 106: AI Custom Nuclei Template Generator
# Generates a Nuclei template for a specific vulnerability.
# ----------------------------------------------------------------
"""
import openai, os

openai.api_key = os.getenv("OPENAI_API_KEY")

vuln_description = "Login page at /admin/login that returns different error messages for valid vs invalid usernames, enabling username enumeration."

prompt = (
    "Generate a valid Nuclei YAML template to detect the following vulnerability:\n\n"
    f"{vuln_description}\n\n"
    "The template should follow the official Nuclei template format and include "
    "proper id, info (name, author, severity, description, tags), "
    "and the appropriate requests/matchers section."
)

response = openai.ChatCompletion.create(
    model="gpt-4",
    messages=[{"role": "user", "content": prompt}]
)

template = response.choices[0].message.content
with open('custom_template.yaml', 'w') as f:
    f.write(template)

print("[+] Custom Nuclei template saved to custom_template.yaml")
print("[*] Run with: nuclei -u https://target.com -t custom_template.yaml")
"""

# ----------------------------------------------------------------
# COMMAND 107: AI-Powered Parameter Fuzzing Payload Generator
# Generates context-aware fuzzing payloads for discovered parameters.
# ----------------------------------------------------------------
"""
import openai, os

openai.api_key = os.getenv("OPENAI_API_KEY")

endpoint = "https://target.com/api/search?q=test&category=products&sort=price"

prompt = (
    f"Analyze this URL and its parameters: {endpoint}\n\n"
    "Generate a comprehensive list of fuzzing payloads to test for:\n"
    "1. SQL Injection (error-based, time-based, boolean-based)\n"
    "2. XSS (reflected, stored, DOM-based)\n"
    "3. SSRF (internal network probing)\n"
    "4. Path Traversal\n"
    "5. Command Injection\n"
    "6. SSTI (Server-Side Template Injection)\n"
    "7. Open Redirect\n\n"
    "Format as a JSON object with vulnerability type as key and list of payloads as value."
)

response = openai.ChatCompletion.create(
    model="gpt-4",
    messages=[{"role": "user", "content": prompt}]
)

print(response.choices[0].message.content)
"""

# ----------------------------------------------------------------
# COMMAND 108: Complete AI-Powered Recon Automation Pipeline
# A full end-to-end recon pipeline with AI analysis at each stage.
# Save as: ai_recon_pipeline.sh
# Usage: bash ai_recon_pipeline.sh target.com
# ----------------------------------------------------------------
"""
#!/bin/bash
TARGET=$1

if [ -z "$TARGET" ]; then
    echo "Usage: $0 target.com"
    exit 1
fi

mkdir -p recon_$TARGET
cd recon_$TARGET

echo "[*] Phase 1: Subdomain Discovery for $TARGET"
subfinder -d $TARGET -all -silent | tee subs.txt
echo "[+] Found $(wc -l < subs.txt) subdomains"

echo "[*] Phase 2: DNS Resolution"
cat subs.txt | dnsx -silent | tee resolved.txt
echo "[+] Resolved $(wc -l < resolved.txt) subdomains"

echo "[*] Phase 3: Live Host Detection"
httpx -l resolved.txt -status-code -title -tech-detect -web-server -ip -cdn \
      -silent | tee hosts_full.txt
grep -oE "https?://[^ ]+" hosts_full.txt | sort -u > live_hosts.txt
echo "[+] Found $(wc -l < live_hosts.txt) live hosts"

echo "[*] Phase 4: Port Scanning"
naabu -list live_hosts.txt -top-ports 100 -silent | tee ports.txt
echo "[+] Port scan complete"

echo "[*] Phase 5: Nuclei Scanning"
nuclei -l live_hosts.txt -t cves/,exposures/,misconfiguration/ \
       -severity critical,high -rate-limit 50 | tee nuclei.txt
echo "[+] Nuclei scan complete"

echo "[*] Phase 6: AI Analysis"
python3 <<PYEOF
import openai, os
openai.api_key = os.getenv("OPENAI_API_KEY")
with open("hosts_full.txt") as f: hosts = f.read()
with open("nuclei.txt") as f: nuclei = f.read()
prompt = f"Analyze this recon data and provide a prioritized action plan:\n\nHosts:\n{hosts[:4000]}\n\nNuclei:\n{nuclei[:4000]}"
response = openai.ChatCompletion.create(
    model="gpt-4",
    messages=[{"role": "user", "content": prompt}]
)
with open("ai_action_plan.txt", "w") as f:
    f.write(response.choices[0].message.content)
print("[+] AI action plan saved to ai_action_plan.txt")
PYEOF

echo "[*] Recon complete for $TARGET"
echo "[*] Results saved in: recon_$TARGET/"
ls -la
"""

Master One-Liners

These one-liners chain multiple tools together using Unix pipes to perform complex recon workflows in a single command. They are the hallmark of an efficient bug bounty hunter.

BASH Master One-Liners 
# The Ultimate Passive Recon One-Liner
# Discover subdomains, probe for live hosts, detect tech stack
subfinder -d target.com -all -silent | \
  httpx -silent -status-code -title -tech-detect -web-server | \
  tee passive_recon.txt

# The Full Active Recon Pipeline (Use with caution!)
subfinder -d target.com -all -silent | dnsx -silent | \
  httpx -silent | tee live_hosts.txt | \
  nuclei -t cves/,exposures/ -severity critical,high | \
  tee nuclei_results.txt

# Subdomain Discovery + Visual Recon
subfinder -d target.com -all -silent | httpx -silent | \
  gowitness file -f - --screenshot-path ./screenshots/

# Find All URLs with Parameters (for injection testing)
subfinder -d target.com -all -silent | httpx -silent | \
  katana -jc | grep "?" | sort -u | tee params.txt

# Discover & Scan for Subdomain Takeovers
subfinder -d target.com -all -silent | httpx -silent | \
  nuclei -t dns/subdomain-takeover.yaml | tee takeovers.txt

# Find Exposed Admin Panels
subfinder -d target.com -all -silent | httpx -silent | \
  nuclei -t exposed-panels/ | tee admin_panels.txt

# JavaScript Secret Hunting Pipeline
subfinder -d target.com -all -silent | httpx -silent | \
  getJS -output js_files.txt && \
  cat js_files.txt | xargs -I {} python3 SecretFinder.py -i {} -o cli | \
  tee secrets.txt

# Port Scan + Web Service Discovery
subfinder -d target.com -all -silent | dnsx -silent | \
  naabu -top-ports 1000 -silent | \
  httpx -silent -status-code -title | tee web_services.txt

# Continuous Monitoring (run via cron daily)
subfinder -d target.com -all -silent | anew all_subs.txt | \
  httpx -silent | anew live_hosts.txt | \
  nuclei -t cves/ -severity critical | \
  tee new_findings_$(date +%Y%m%d).txt
💡

Quick Tips & Best Practices

Tip 1: Always Verify Scope First. Before running any active scans, carefully read the bug bounty program's scope definition. Filter out-of-scope domains: cat all_subs.txt | grep -v "out-of-scope.com" | tee in_scope.txt
Tip 2: Use Rate Limiting to Avoid Bans. Respect the target's infrastructure by adding rate limits: httpx -l subs.txt -rate-limit 50 -silent and nuclei -l hosts.txt -rate-limit 30
Tip 3: Use tmux for Long-Running Scans. Never run long scans in a terminal that might disconnect. Use tmux: tmux new -s recon to start, Ctrl+B, D to detach, tmux attach -t recon to reattach.
Tip 4: Use anew for Continuous Monitoring. The anew tool by Tomnomnom appends only new lines to a file, making it perfect for tracking new assets over time. Run your recon pipeline daily via cron.
Tip 5: Use a Good Resolver List. The quality of your DNS resolvers directly impacts the accuracy of your brute-forcing results. Use the Trickest resolvers list for best results: puredns bruteforce wordlist.txt target.com -r resolvers.txt
Tip 6: Organize Your Output Files. Create a dedicated directory for each target and timestamp your output files. This makes it easy to track changes over time and avoid confusion between engagements.
Tip 7: Use Parallel Execution. Run multiple tools simultaneously to save time: subfinder -d target.com -silent & amass enum -passive -d target.com & assetfinder target.com & wait
Tip 8: Prioritize Targets Intelligently. Focus on hosts with interesting titles (Admin, Login, Dashboard), non-CDN hosts (direct IP access), hosts with unusual status codes (403, 401), and hosts running older or less common technologies.
🔧

Tool Reference Table

Tool Category Description Install
subfinder Subdomain Discovery Fast passive subdomain enumeration from 40+ sources GitHub
amass Subdomain Discovery OWASP's comprehensive attack surface management tool GitHub
assetfinder Subdomain Discovery Fast and lightweight subdomain finder by Tomnomnom GitHub
puredns DNS Brute-Forcing Accurate DNS brute-forcing with wildcard filtering GitHub
dnsx DNS Resolution Fast DNS toolkit for resolving and querying subdomains GitHub
shuffledns DNS Brute-Forcing Wrapper around massdns for subdomain brute-forcing GitHub
dnsgen DNS Permutation Generates subdomain permutations from a known list GitHub
httpx Live Host Detection Fast HTTP toolkit for probing and fingerprinting hosts GitHub
naabu Port Scanning Fast port scanner with SYN/CONNECT probe support GitHub
nmap Port Scanning The industry-standard network scanner with scripting engine nmap.org
masscan Port Scanning Internet-scale port scanner. Extremely fast. GitHub
rustscan Port Scanning The fastest port scanner, written in Rust GitHub
feroxbuster Content Discovery Fast, recursive content discovery tool written in Rust GitHub
ffuf Content Discovery Fast web fuzzer written in Go. Highly flexible. GitHub
katana Web Crawling Next-generation web crawling framework by ProjectDiscovery GitHub
waybackurls Historical Recon Fetches all URLs from the Wayback Machine for a domain GitHub
nuclei Vulnerability Scanning Fast, template-based vulnerability scanner with 9,000+ templates GitHub
LinkFinder JS Analysis Discovers endpoints and parameters in JavaScript files GitHub
SecretFinder Secret Detection Finds API keys, tokens, and secrets in JavaScript files GitHub
trufflehog Secret Detection Finds secrets in Git repositories and filesystems GitHub
cloud_enum Cloud Recon Multi-cloud asset enumeration (AWS, Azure, GCP) GitHub
subzy Subdomain Takeover Subdomain takeover vulnerability checker GitHub
gowitness Visual Recon Web screenshot utility with reporting capabilities GitHub
arjun Parameter Discovery HTTP parameter discovery suite GitHub
anew Utility Appends new lines to files, perfect for tracking changes GitHub

This guide was compiled and significantly expanded from the original work of the CipherOps team. Full credit and kudos to them for their outstanding contributions to the bug bounty community.

Use responsibly. Always obtain proper written authorization before testing any system. Happy hunting!

Last Updated: February 2026 • For educational and authorized security testing purposes only.

Comments

Post a Comment

Popular posts from this blog

Tutorial: Build an AI Penetration Tester with Claude (MCP + Burp)

-
Tutorial: Build an AI Penetration Tester with Claude (MCP + Burp) 🤖 Build Your Own AI Penetration Tester: Claude + MCP + Burp Suite A complete step-by-step tutorial to replicate autonomous security testing (25 labs + 2 BSCP exams solved) ⚡ Inspired by "Sonnet Took the Exam. I Just Watched." Originally published on Notion · Tutorial expanded for hands-on replication 🎯 What you'll build: An autonomous AI agent (Claude Sonnet 4.6) that can browse web apps via Playwright, inspect raw HTTP traffic via Burp Suite, and chain XSS → SQLi → RCE to solve PortSwigger labs — completely on its own. 📚 Table of Contents Overview & Architecture Prerequisites & Hardware Step 1: Install Claude Code & MCP Step 2: Configure Playwright MCP Server Step 3: Burp Suite & Burp MCP Integration ...
Read more

InfluxDB TCP 8086 (Default) — Authentication Bypass & Pentest Notes

-
``` Target: InfluxDB (port 8086) Affected versions: < 1.7.6 (CVE-2019-20933) Vulnerability description InfluxDB versions prior to 1.7.6 contain an authentication bypass in the authenticate function in services/httpd/handler.go . A crafted JWT token may contain an empty SharedSecret , allowing an attacker to bypass authentication and perform sensitive actions such as reading internal metrics, modifying data, or executing administrative operations. Risk No formal risk description available in original advisory. Impact depends on exposed instance and data sensitivity. Recommendation Upgrade to influxdb version 1.7.6~rc0-1 or later. Apply vendor-provided patches and restrict access to port 8086 with network controls. References Exploit: LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933 CVE-2019-20933 — MITRE NVD — CVE-2019-20933 InfluxData patch commit Exploitation ...
Read more

Mastering PowerShell Execution Policy Bypass

-
📋 Table of Contents 1. Introduction to PowerShell Execution Policies 2. Understanding Execution Policy Mechanisms 3. Basic Bypass Techniques 4. Advanced Bypass Methods 5. PowerShell Script Signing 6. Converting PowerShell to Executables 7. Advanced Obfuscation Techniques 8. Steganographic Delivery Systems 9. Bypassing Reputation-Based Protection 10. Practical Implementation Scenarios 11. Detection Evasion Strategies 12. Conclusion and Best Practices 🔒 Introduction to PowerShell Execution Policies This guide is used in professional penetration testing training and aligns with MITR...
Read more