#BugBounty – Tools that I use and my companions in recon

Hey guys, this is my second post on this new blog; I hope you like it. Feel free to comment.

Bug bounty is not my full-time job; I regularly spend a little time after work on recon and finding vulnerabilities in software, web applications and websites.

Here are a couple of tools I use for recon during #BugBounty. I’m not a seasoned bounty hunter; however, I believe that I know what I’m doing and I like it :).

“Tools” that I use and recommend for recon during Bug Bounty

*Not in any particular order

Hardware: Lenovo T560 laptop

I use a Lenovo T560 laptop, with Windows 10 Pro preinstalled, an i5-6300U CPU @ 2.50GHz, 16GB RAM + 500GB SSD.

As you know, it is hard to find the T-Series in the regular market. I bought mine from my company's vendor at a good discounted price – since I work full time as an IT and IS Manager, I have good contacts with hardware vendors. So it is a good laptop.

I have a little suggestion here: Never use your work laptop or desktop for the purpose of BugBounty, you might invite trouble for yourself and your company.

OS: Kali Linux

Well, it is not mandatory to have Linux if you are not used to it; a good Windows 10 laptop is sufficient to start off. Nowadays, most recon tools that are available for Linux/Kali are also available for the Windows platform.

I’m using Oracle VirtualBox, and Kali Linux is installed as a virtual machine. I have assigned it 8GB of RAM.

I prefer Kali Linux over the other flavors of Linux because it comes pre-packaged with tools and programs specially developed for ethical hackers and cyber security professionals. The pre-configured settings were carefully chosen to fit the needs of the typical user – I’d rather say, first-time users and professionals.

I love the way the tools are categorized, and the ease of use. I’m pretty sure that numerous Kali users are first-time Linux users, but they become masters of Kali after a few weeks of usage.

If you are not a typical Kali Linux user, there are plenty of distros that may suit your needs. Here is a link for you: https://itsfoss.com/linux-hacking-penetration-testing/


As you may already know, HackBar is a Mozilla add-on developed by SecuryTeam that helps bug bounty hunters perform security audits and penetration tests. This add-on for Mozilla Firefox is used to test website security and XSS vulnerabilities and to perform SQL injections.

Sublist3r – Subdomains Enumerating Tool

Who doesn’t know about Sublist3r? I love this tool – it will help you find subdomains buried under the main domain. I certainly advise you to start installing and learning this tool, if your scope is *.domain.com.

OWASP – A Collection of multi-tools

The Open Web Application Security Project, or OWASP, offers a bunch of free-to-use tools developed by its non-profit organization. It has multiple tools to test and recon targets, including various web apps and protocols. Flagship tools of the project include.

I regularly use:

  1. Zed Attack Proxy (ZAP – an integrated penetration testing tool)
  2. OWASP Dependency-Check (Project dependency scanner and checks against known vulnerabilities)
  3. OWASP Web Testing Environment Project (A collection of security tools and documentation for applications and vulnerabilities)

WireShark – A Network Analysis Tool

Wireshark, as you know, is a network analysis tool. It is one of the must-have tools for every pen-tester, bug bounty hunter or ethical hacker. I use Wireshark to capture packets when I recon a target.

W3AF (w3af)

W3af is a web application attack and audit framework. It comes with 3 plugins: (1) discovery, (2) audit and (3) attack. The 3 plugins work together to scan, audit and attack a specified target. The discovery plugin scans the target URL, finds the vulnerability and forwards it to the audit plugin, which attacks the target based on the vulnerability found in the previous steps.

Shodan.io: search engine for Internet-connected devices

I use Google a lot for references, articles and tutorials. But when it comes to gathering information about an IP of a target server/web application without revealing my identity, I use shodan.io. They call it a search engine for servers, a search engine for industrial control systems, a search engine for IoT, etc. Shodan has information about almost all internet-facing devices, listed in the right way to analyze.

I have bought the personal license, for which I pay a monthly fee. I have my personalized API, which I integrate with nmap and Burp for better and in-depth scanning.

Other simple tools I use (some of them are paid, but available as demo/limited features):

Netsparker: I use this tool for scanning for vulnerabilities in the target. This is one of the best tools to exploit SQL injection and LFI vulnerabilities.

Nessus: It concentrates on compliance checks, sensitive data searches, IP scans, website scanning, etc.

Burpsuite: There is no limitation on the usage of this application. I prefer to use Burpsuite in Kali; however, I sometimes use the JAR application on my Windows 10. This tool helps me with proxy interception, web application scanning, crawling a page, testing APIs, etc.


Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
