Some of the open-source tools being used for pentest and bug bounty targets in web and mobile environments along with their commands.

#1 Subdomain Collectors

Multiple hosts inside a .txt file

subfinder -dL root-domains.txt -o subfinder-company.txt

Single host:

subfinder -d -o hosts.txt

Github subdomains discovery:

github-subdomains -d -t [git-api-token]

AltDNS (dns bruteforce):

altdns -i all-subdomains.txt -o results -w words.txt -r -s all-dns-domains.txt

#2 Live hosts and open ports

HTTProbe with critical ports

cat all-hosts.txt | httprobe -p https:8089 httprobe -p https:10250 -p https:2375 -p https:8080 -p https:8443 -p https:9200 -p https:5200 -p https:9300 -p https:5601 -p https:21 -p https:3389 -p htpps:22 -c 50 > httprobe-allCriticalPorts.txt

only HTTP(s)

cat all-hosts.txt | httprobe -c 50 --prefer-https > httprobe-allHTTPs.txt

Naabu tool – full port scan excluding CDN hosts

sudo ./naabu -iL scp-httprobe-allHTTPs.txt -p - --exclude-cdn -o naabu-results.txt -v

#3 URLs and endpoints discovery

Gospider in all hosts list

gospider -S httprobe-hosts.txt -o gospider-results --other-source --include-subs

Get All URLs (GAU)

cat all-subdomains.txt | gau -t 500 -b css,png,jpeg,jpg,svg,gif,ttf,woff,woff2,eot,otf,ico,js > gau-results.txt

Fuzzing endpoints/parameters with ffuf

ffuf -w daniel-v-compilation.txt -u -fc 401,403

Alienvault passive URLs discovery:

for sub in $(cat domains.txt);do /usr/bin/gron "$sub?limit=100&page=1" | grep "\burl\b" | gron --ungron | jq |egrep -wi 'url' | awk '{print $2}' | sed 's/"//g'| sort -u | tee -a file.txt ;done

#4 Takeovers

Basic subjack tool usage

subjack -w all-hosts.txt -t 100 -timeout 30 -o subjack-results.txt -ssl

Nuclei active takeovers

nuclei -l allhosts.txt -t takeovers/ -etags info -H "User-Agent: User-Agent: Mozilla/5.0 Windows NT 10.0"

#5 Screenshots - Visual Recon

Eyewitness tool:

./ -f all-domains.txt --timeout 8

Webscreenshot tool:

python -i all-domains.txt -w 40

#6 Others

Fuzzing multiple hosts at the same time:

ffuf -w "https-domains.txt:DOMAIN" -w daniel_v_compilation.txt -u DOMAIN/FUZZ -t 50 -fc 301,401,403 -v -od ffuf-multipleHosts-results -of md

Cloud environment enumeration:

python -kf keyfile-company.txt -m enum_tools/fuzz.txt -b enum_tools/fuzz.txt -t 10 -l cloudEnv-results.txt

nmap top ports with hosts file

nmap -A -PN -oN nmap-all.txt -iL subdomains.txt --top-ports 1000

Single host:

nmap -sT -sU -A -v --top-ports 100

Multiple hosts path fuzzing with MEG tool (golang)

meg --savestatus 200

Mobile tools

#1 Frida to Bypass SSL

  • Bypass SSL with Frida:

Connect ADB with device

adb connect localhost:port

Start Frida server on mobile device(after pushing it to tmp folder)

adb shell /data/local/tmp/frida-server &

Bypass certificate with custom JavaScripts (frida code share)

frida -U -l bypass-ssl-frida.js --no-pause -f

#2 Objection


First make a regular ADB connection and start Frida server in the device.

Attach objection with apk

objection --gadget explore

SSL Pinning with objection

android sslpinning disable

Disable root detection

android root disable


Search for classes inside apk

android hooking search classes

Excract the methods from a class

android hooking search methods MainActivity

Discover parameters for the methods

android hooking list class_methods

List all classes being used by the app

android hooking list classes

#3 Others


Extract URLs/endpoints from apks

apkurlgrep -a ~/path/to/file.apk

Decompile apk

apktool d name.apk

Convert an apk to jar file application.apk

Reverse shared object files