๐Ÿ› ๏ธ Tools

Essential Security Testing Tools Guide

๐ŸŽฏ Must-Have Tools for Bug Bounty & Pentesting

๐ŸŒ Web Proxies

Burp Suite (Professional/Community)

Purpose: Intercepting proxy, web vulnerability scanner

bash
1# Installation
2Download from: https://portswigger.net/burp/releases
3
4# Basic Usage
51. Start Burp Suite
62. Configure browser proxy: 127.0.0.1:8080
73. Install CA certificate
84. Intercept requests
95. Send to Repeater/Intruder/Scanner

Key Features:

  • Intercept & modify HTTP/HTTPS traffic
  • Repeater: Manual request testing
  • Intruder: Automated fuzzing/brute forcing
  • Scanner: Automated vulnerability detection (Pro only)
  • Extensions: Extend functionality

Essential Extensions:

  • Autorize (IDOR testing)
  • JWT Editor
  • Param Miner
  • Turbo Intruder
  • Upload Scanner

OWASP ZAP (Free Alternative)

bash
# Installation
sudo apt install zaproxy

# Usage
zaproxy

๐Ÿ” Reconnaissance Tools

Subdomain Enumeration

Subfinder

bash
1# Install
2go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
3
4# Usage
5subfinder -d target.com
6subfinder -d target.com -o subdomains.txt
7subfinder -d target.com -all  # All sources

Amass

bash
1# Install
2go install -v github.com/owasp-amass/amass/v4/...@master
3
4# Usage
5amass enum -d target.com
6amass enum -d target.com -o output.txt
7amass enum -passive -d target.com  # Passive only

Assetfinder

bash
1# Install
2go install github.com/tomnomnom/assetfinder@latest
3
4# Usage
5assetfinder target.com
6assetfinder --subs-only target.com

HTTP Probing

httpx

bash
1# Install
2go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
3
4# Usage
5cat subdomains.txt | httpx
6cat subdomains.txt | httpx -status-code -title -tech-detect
7httpx -l urls.txt -o alive.txt

httprobe

bash
1# Install
2go install github.com/tomnomnom/httprobe@latest
3
4# Usage
5cat domains.txt | httprobe
6cat domains.txt | httprobe -c 50 -t 3000

URL Discovery

waybackurls

bash
1# Install
2go install github.com/tomnomnom/waybackurls@latest
3
4# Usage
5waybackurls target.com
6waybackurls target.com | grep -E "\.js$"

gau (GetAllURLs)

bash
1# Install
2go install github.com/lc/gau/v2/cmd/gau@latest
3
4# Usage
5gau target.com
6gau --subs target.com
7gau --blacklist png,jpg,gif target.com

๐Ÿ’‰ Vulnerability Scanners

Nuclei

Purpose: Template-based vulnerability scanner

bash
1# Install
2go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
3
4# Usage
5nuclei -u https://target.com
6nuclei -l urls.txt
7nuclei -u https://target.com -t cves/
8nuclei -u https://target.com -tags xss,sqli
9nuclei -u https://target.com -severity critical,high
10
11# Update templates
12nuclei -update-templates

Custom Template:

yaml
1id: custom-check
2info:
3  name: Custom Vulnerability Check
4  severity: medium
5
6requests:
7  - method: GET
8    path:
9      - "{{BaseURL}}/admin"
10    matchers:
11      - type: word
12        words:
13          - "admin panel"

SQLMap

Purpose: Automated SQL injection exploitation

bash
1# Install
2sudo apt install sqlmap
3
4# Basic Usage
5sqlmap -u "http://target.com/page?id=1"
6sqlmap -u "http://target.com/page?id=1" --dbs
7sqlmap -u "http://target.com/page?id=1" -D database --tables
8sqlmap -u "http://target.com/page?id=1" -D database -T users --dump
9
10# POST request
11sqlmap -u "http://target.com/login" --data="username=admin&password=pass"
12
13# Cookie-based
14sqlmap -u "http://target.com/page" --cookie="PHPSESSID=abc123"
15
16# Tamper scripts (WAF bypass)
17sqlmap -u "url" --tamper=space2comment,between

XSStrike

bash
1# Install
2git clone https://github.com/s0md3v/XSStrike
3cd XSStrike
4pip install -r requirements.txt
5
6# Usage
7python xsstrike.py -u "http://target.com/search?q=test"
8python xsstrike.py -u "http://target.com/page" --crawl

Dalfox (XSS Scanner)

bash
1# Install
2go install github.com/hahwul/dalfox/v2@latest
3
4# Usage
5dalfox url https://target.com/search?q=test
6dalfox file urls.txt
7echo "http://target.com/search?q=FUZZ" | dalfox pipe

๐Ÿ”จ Fuzzing & Brute Force

ffuf

Purpose: Fast web fuzzer

bash
1# Install
2go install github.com/ffuf/ffuf/v2@latest
3
4# Directory fuzzing
5ffuf -u https://target.com/FUZZ -w wordlist.txt
6
7# Virtual host discovery
8ffuf -u https://target.com -H "Host: FUZZ.target.com" -w wordlist.txt
9
10# Parameter fuzzing
11ffuf -u https://target.com/page?FUZZ=value -w params.txt
12
13# POST data fuzzing
14ffuf -u https://target.com/login -X POST -d "username=admin&password=FUZZ" -w passwords.txt
15
16# Filter by status code
17ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404
18
19# Match by response size
20ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 4242

wfuzz

bash
1# Install
2pip install wfuzz
3
4# Usage
5wfuzz -w wordlist.txt https://target.com/FUZZ
6wfuzz -w usernames.txt -w passwords.txt https://target.com/login?user=FUZZ&pass=FUZ2Z

๐Ÿ—‚๏ธ Wordlists

SecLists (Already downloaded in sources/)

bash
1# Common locations
2sources/SecLists/Discovery/Web-Content/
3sources/SecLists/Fuzzing/
4sources/SecLists/Passwords/
5sources/SecLists/Usernames/
6
7# Popular wordlists
8sources/SecLists/Discovery/Web-Content/raft-large-words.txt
9sources/SecLists/Discovery/Web-Content/common.txt
10sources/SecLists/Fuzzing/SQLi/Generic-SQLi.txt
11sources/SecLists/Fuzzing/XSS/XSS-Jhaddix.txt

๐Ÿ” Password Cracking

John the Ripper

bash
1# Install
2sudo apt install john
3
4# Crack password hash
5john --wordlist=rockyou.txt hashes.txt
6john --format=raw-md5 hashes.txt
7
8# Show cracked passwords
9john --show hashes.txt

Hashcat

bash
1# Install
2sudo apt install hashcat
3
4# MD5
5hashcat -m 0 -a 0 hash.txt rockyou.txt
6
7# SHA256
8hashcat -m 1400 -a 0 hash.txt rockyou.txt
9
10# NTLM
11hashcat -m 1000 -a 0 hash.txt rockyou.txt
12
13# JWT (HS256)
14hashcat -m 16500 jwt.txt rockyou.txt

๐Ÿ•ท๏ธ Web Crawlers

Katana

bash
1# Install
2go install github.com/projectdiscovery/katana/cmd/katana@latest
3
4# Usage
5katana -u https://target.com
6katana -u https://target.com -d 5  # Depth 5
7katana -u https://target.com -jc  # JavaScript crawling

GoSpider

bash
1# Install
2go install github.com/jaeles-project/gospider@latest
3
4# Usage
5gospider -s https://target.com
6gospider -S targets.txt -o output

๐Ÿ“ก Network Tools

Nmap

bash
1# Quick scan
2nmap target.com
3
4# Full port scan
5nmap -p- target.com
6
7# Service version detection
8nmap -sV target.com
9
10# OS detection
11nmap -O target.com
12
13# Script scanning
14nmap --script=vuln target.com

masscan

bash
# Fast port scanner
masscan -p1-65535 10.0.0.0/8 --rate=100000

๐Ÿ”ง Utility Tools

curl

bash
1# Basic request
2curl https://target.com
3
4# With headers
5curl -H "Authorization: Bearer token" https://target.com
6
7# POST request
8curl -X POST -d "user=admin&pass=secret" https://target.com/login
9
10# Save cookies
11curl -c cookies.txt https://target.com
12
13# Load cookies
14curl -b cookies.txt https://target.com
15
16# Follow redirects
17curl -L https://target.com
18
19# Verbose output
20curl -v https://target.com

jq (JSON parsing)

bash
1# Pretty print JSON
2curl https://api.target.com | jq
3
4# Extract specific field
5curl https://api.target.com | jq '.users[].email'
6
7# Filter
8curl https://api.target.com | jq '.users[] | select(.role=="admin")'

๐Ÿ Custom Scripts

Python HTTP Request

python
1import requests
2
3# GET request
4r = requests.get('https://target.com')
5print(r.status_code)
6print(r.text)
7
8# POST request
9data = {'username': 'admin', 'password': 'pass'}
10r = requests.post('https://target.com/login', data=data)
11
12# With headers
13headers = {'Authorization': 'Bearer token'}
14r = requests.get('https://api.target.com', headers=headers)
15
16# With cookies
17cookies = {'session': 'abc123'}
18r = requests.get('https://target.com', cookies=cookies)

Bash Automation

bash
1#!/bin/bash
2
3# Subdomain enumeration
4subfinder -d $1 -silent | httprobe | tee alive.txt
5
6# URL discovery
7cat alive.txt | waybackurls | tee urls.txt
8
9# Vulnerability scanning
10nuclei -l alive.txt -severity critical,high

๐Ÿ“ฑ Mobile App Testing

APKTool (Android)

bash
1# Install
2sudo apt install apktool
3
4# Decompile APK
5apktool d app.apk
6
7# Rebuild APK
8apktool b app -o modified.apk

MobSF (Mobile Security Framework)

bash
# Docker installation
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf

๐ŸŽฏ Recommended Tool Stack

Beginner Stack

  1. Burp Suite Community
  2. OWASP ZAP
  3. Nmap
  4. SQLMap
  5. Browser Dev Tools

Intermediate Stack

  1. Burp Suite Pro
  2. Subfinder + httpx
  3. ffuf
  4. Nuclei
  5. Custom Python scripts

Advanced Stack

  1. All above +
  2. Custom tooling
  3. Automation frameworks
  4. CI/CD integration
  5. Custom Nuclei templates

๐Ÿ’ก Pro Tips

  1. Learn shortcuts - Master Burp Suite hotkeys
  2. Automate reconnaissance - Build recon pipelines
  3. Create custom wordlists - From target-specific data
  4. Use templates - Nuclei templates for repeatability
  5. Chain tools - Output from one tool as input to another
  6. Keep tools updated - go install -v tool@latest
  7. Contribute templates - Share Nuclei templates
  8. Script everything - Automate repetitive tasks

Stay updated! Tools evolve rapidly.