Tool Chains
Tools that work best together. Each chain is a copy-paste pipeline you can run right now.
Subdomain Discovery to Vulnerability Scan
Find subdomains, probe for live hosts, then scan for vulnerabilities. The most common bug bounty pipeline. nuclei -as (automatic scan) fingerprints each host and runs only the templates matching the detected technologies instead of the full template set.
$ subfinder -d target.com -silent | httpx -silent | nuclei -as
Port Scan to Service Exploitation
Discover open ports and services, then search for matching exploits. Classic pentest workflow.
$ nmap -sV -oX scan.xml target && searchsploit --nmap scan.xml
Web Crawl to Parameter Discovery
Crawl a web app (katana follows JavaScript with -jc, three levels deep), keep only the URLs that carry query parameters, then hand them to ffuf. Note that -w - reads the URL list from stdin and -u FUZZ replays each URL as-is; to fuzz the parameter values, replace them with FUZZ and point -w at a payload wordlist instead.
$ katana -u https://target.com -jc -d 3 | sort -u | tee urls.txt && grep '=' urls.txt | ffuf -w - -u FUZZ
AD Recon to Domain Admin
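The step the one-liner above leaves out is turning crawled URLs into fuzzable templates: replaying a URL unchanged only confirms it still answers. The helper below is an added example for this page, not katana or ffuf code. It assumes katana-style one-URL-per-line output, rewrites each query parameter in turn to FUZZ, and collapses duplicates that differ only in parameter values, so two searches with different terms yield one template per parameter. The sample URLs are constructed.

```bash
#!/usr/bin/env bash
# Constructed sample of crawler output (what `katana -u ... | sort -u` prints).
SAMPLE_URLS='https://target.com/
https://target.com/search?q=shoes&page=2
https://target.com/item?id=42
https://target.com/search?q=boots&page=1
https://target.com/static/app.js'

# Read URLs on stdin, emit one ffuf template per query parameter.
# Duplicates are collapsed on (base path, parameter names, fuzzed name),
# keeping the first-seen values for the parameters that are not fuzzed.
param_templates() {
  awk -F'[?]' '
  NF == 2 {
    base = $1
    n = split($2, kv, "&")
    for (i = 1; i <= n; i++) {
      if (index(kv[i], "=") == 0) continue   # bare token, not key=value
      out = ""; names = ""
      for (j = 1; j <= n; j++) {
        eq = index(kv[j], "=")
        if (eq == 0) {
          name = kv[j]; piece = kv[j]
        } else {
          name = substr(kv[j], 1, eq - 1)
          if (j == i) piece = name "=FUZZ"; else piece = kv[j]
        }
        sep = (j > 1) ? "&" : ""
        out = out sep piece
        names = names "," name
      }
      fuzzed = substr(kv[i], 1, index(kv[i], "=") - 1)
      # dedupe key <TAB> template
      print base "|" names "|" fuzzed "\t" base "?" out
    }
  }' | sort -s -t "$(printf '\t')" -k1,1 -u | cut -f2
}

# Demo run on the constructed sample; prints three templates.
printf '%s\n' "$SAMPLE_URLS" | param_templates
```

Usage in the chain: `param_templates < urls.txt > templates.txt`, then loop `while read -r u; do ffuf -w payloads.txt -u "$u"; done < templates.txt` so each parameter is fuzzed with a payload list rather than replayed.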
Collect Active Directory data with SharpHound for BloodHound attack-path mapping, then Kerberoast: Rubeus requests service tickets for SPN-bearing accounts and writes the hashes for offline cracking (hashcat mode 13100). Cracked service-account passwords are the foothold for the lateral moves BloodHound shows toward domain admin.
$ SharpHound.exe -c All && Rubeus.exe kerberoast /outfile:hashes.txt
Email to Full OSINT Profile
Start with an email address and build a profile: holehe checks which services the address is registered with, theHarvester gathers what public sources expose about the mail domain (emails, hosts, names), and sherlock takes the local part or a known handle and finds matching social media accounts. Phone numbers and breach contents come from separate sources; these three tools do not return them.
$ holehe target@email.com && theHarvester -d email.com -b all && sherlock username
Container Scan to Escape
Scan container images for vulnerabilities with trivy, then check the runtime from inside: cdk evaluate runs within the container and reports escape paths such as a mounted Docker socket, dangerous capabilities, or writable host mounts.
$ trivy image target:latest && cdk evaluate
WiFi Handshake Capture to Crack
Capture WPA handshakes from nearby networks, then crack them offline. airodump-ng only writes a capture file with -w (output lands in capture-01.cap); pin it to the target channel and BSSID so channel hopping does not miss the handshake, and stop it with Ctrl-C before cracking. aircrack-ng is CPU-only; for GPU acceleration convert the capture with hcxpcapngtool and run hashcat mode 22000.
$ airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
$ aircrack-ng -w wordlist.txt capture-01.cap
$ hcxpcapngtool -o hash.22000 capture-01.cap && hashcat -m 22000 hash.22000 wordlist.txt
Wallet Address to Transaction Graph
Index blockchain data locally, then trace fund flows and cluster related addresses. Both tools need an Ethereum RPC endpoint (cryo via --rpc or ETH_RPC_URL, chifra via its configured node); cryo pulls the raw block range into local files and chifra export returns every appearance of the address as JSON.
$ cryo transactions --blocks 18M:18.1M && chifra export 0xaddress --fmt json
APK Decompile to Secret Extraction
Decompile an Android APK and search for hardcoded secrets: apkleaks scans the package for API keys, tokens and URLs, jadx produces readable Java for manual review, and frida attaches to the running app on a USB-connected device with your own hook script (hook.js) to bypass root or certificate-pinning checks. Use -f com.target.app instead of the bare package name to spawn the app and hook it before it initializes.
$ apkleaks -f app.apk && jadx -d output/ app.apk && frida -U -l hook.js com.target.app
Cloud Asset Discovery to Exploitation
Enumerate cloud resources with the credentials you hold (cloudfox runs every AWS check against the current profile and reports exposed storage, permissive IAM and reachable services), then test a candidate list of bucket names (buckets.txt) for anonymous access with s3scanner.
$ cloudfox aws all-checks && s3scanner --bucket-file buckets.txt
Log Analysis to Forensic Timeline
Parse Windows event logs for suspicious activity, then build a timeline for the investigation. Hayabusa runs Sigma rules over the .evtx files and writes the hits as CSV; Plaso builds a super-timeline of the same evidence (log2timeline.py needs --storage-file for its output, and psort.py renders the storage file into CSV). Either CSV loads into Timesketch for the visual timeline.
$ hayabusa csv-timeline -d logs/ -o timeline.csv && log2timeline.py --storage-file plaso.dump logs/ && psort.py -o l2tcsv -w super_timeline.csv plaso.dump
Domain Typosquat Detection to Analysis
Generate domain permutations, keep the registered ones (-r) with whois data (-w), then capture screenshots for evidence. Ask dnstwist for CSV explicitly so results.csv is parseable, pull the domain column out of it for EyeWitness, and screenshot the lot.
$ dnstwist -r -w --format csv domain.com | tee results.csv && awk -F, 'NR>1 {print $2}' results.csv > urls.txt && eyewitness --web -f urls.txt
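Screenshotting every registered permutation wastes time on parked names; the triage a practitioner wants is which ones resolve and which also carry an MX record, since those can receive mail sent to a mistyped address. The helper below is an added example for this page, not dnstwist or EyeWitness code. The CSV is constructed to mirror dnstwist's layout; the column names (fuzzer, domain, dns_a, dns_mx) are assumed from recent releases and located by header rather than position, so check your version's header if they differ.

```bash
#!/usr/bin/env bash
# Constructed dnstwist-style CSV (not real scan output).
SAMPLE_CSV='fuzzer,domain,dns_a,dns_aaaa,dns_mx,dns_ns
*original,example.com,93.184.216.34,,mail.example.com,a.iana-servers.net
addition,examplea.com,203.0.113.5,,,ns1.parking.example
homoglyph,exampie.com,198.51.100.7,,mx.exampie.com,ns.exampie.com
omission,exmple.com,,,,
transposition,exmaple.com,203.0.113.9,,mail.exmaple.com,ns.exmaple.com'

# Read dnstwist CSV on stdin; print "domain<TAB>reason" for names worth a look.
# Drops the original domain and anything without an A record; flags names
# that also have an MX record, the ones usable for credential phishing replies.
triage_typosquats() {
  awk -F, '
  NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }   # map header names
  $col["fuzzer"] == "*original" { next }
  $col["dns_a"] == "" { next }
  { print $col["domain"] "\t" ($col["dns_mx"] != "" ? "resolves+mx" : "resolves") }'
}

# EyeWitness input: one bare hostname per line from the triaged set.
eyewitness_targets() {
  triage_typosquats | cut -f1
}

# Demo run on the constructed sample; prints three triaged rows.
printf '%s\n' "$SAMPLE_CSV" | triage_typosquats
```

In the chain: `triage_typosquats < results.csv` for the triage view, and `eyewitness_targets < results.csv > urls.txt` before `eyewitness --web -f urls.txt` (EyeWitness prepends http:// to bare hosts; add --prepend-https to also try TLS).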