
The Ultimate Bug Bounty Reconnaissance Arsenal
"In the shadows we hunt, in the code we trust"
Full DoD Scope - 19 Domains
```bash
# BBRF Scope - All DoD Domains
bbrf inscope add '*.af.mil' '*.army.mil' '*.marines.mil' '*.navy.mil' '*.spaceforce.mil' '*.ussf.mil' '*.pentagon.mil' '*.osd.mil' '*.disa.mil' '*.dtra.mil' '*.dla.mil' '*.dcma.mil' '*.dtic.mil' '*.dau.mil' '*.health.mil' '*.ng.mil' '*.uscg.mil' '*.socom.mil' '*.dds.mil' '*.yellowribbon.mil'
```
| Military Branches | DoD Agencies | Support Commands |
|---|---|---|
| `*.af.mil` - Air Force | `*.pentagon.mil` - Pentagon HQ | `*.dtic.mil` - Tech Info Center |
| `*.army.mil` - Army | `*.osd.mil` - Office of SecDef | `*.dau.mil` - Acquisition Univ |
| `*.marines.mil` - Marines | `*.disa.mil` - Defense Info Systems | `*.health.mil` - Military Health |
| `*.navy.mil` - Navy | `*.dtra.mil` - Threat Reduction | `*.ng.mil` - National Guard |
| `*.spaceforce.mil` - Space Force | `*.dla.mil` - Logistics Agency | `*.uscg.mil` - Coast Guard |
| `*.ussf.mil` - Space Force | `*.dcma.mil` - Contract Management | `*.socom.mil` - Special Operations |
This repository is for EDUCATIONAL and AUTHORIZED testing ONLY. Always obtain proper authorization before testing.
Found a security issue in this repository? Please report it responsibly:
| Section | Description |
|---|---|
| About | Project overview and goals |
| Quick Start | Get started in 5 minutes |
| Required Tools | Essential toolset |
| BBRF Scope DoD | DoD scope configuration |
| Subdomain Enumeration | Finding subdomains |
| JavaScript Recon | JS file analysis |
| XSS Detection | Cross-site scripting |
| SQL Injection | SQLi techniques |
| SSRF & SSTI | Server-side attacks |
| Web Crawling | Deep crawling methods |
| Parameter Discovery | Hidden params |
| Content Discovery | Sensitive files |
| Nuclei Scanning | Automated scanning |
| API Security Testing | API vulnerabilities |
| Cloud Security | AWS, GCP, Azure |
| Automation Scripts | Ready-to-use scripts |
| Bash Functions | Shell productivity |
| New Oneliners 2026 | CVE-2026 exploits & techniques |
| Oneliners 2024-2025 | Previous techniques |
| February 2026 CVE Discovery | Latest CVE recon oneliners |
| Search Engines | Hacker search engines |
| Wordlists | Best wordlists |
| Resources | Books, courses, blogs |
╔═══════════════════════════════════════════════════════════════╗
║ 🎯 MISSION STATEMENT 🎯 ║
╠═══════════════════════════════════════════════════════════════╣
║ Share elite bug bounty techniques from world-class hunters ║
║ Build the most comprehensive one-liner collection ║
║ Empower the security research community ║
╚═══════════════════════════════════════════════════════════════╝
Our main goal is to share tips from well-known bug hunters. Using advanced recon methodology, we discover subdomains, APIs, tokens, and vulnerabilities that are exploitable. We aim to influence and educate the community with powerful one-liner techniques for better understanding and faster results.
| Category | Count | Status |
|---|---|---|
| One-Liners | 400+ | ✅ Active |
| Techniques | 50+ | ✅ Active |
| Tools Covered | 100+ | ✅ Active |
| CVE Examples | 20+ | ✅ Active |
| DoD Domains | 19 | ✅ Active |
| Contributors | Growing | 🚀 Growing |
| Last Update | 2026 | ✅ Current |
| 1️⃣ Install Tools | 2️⃣ Run Recon | 3️⃣ Find Bugs |
|---|---|---|
```bash
# 📥 Step 1: Install essential tools (ProjectDiscovery Suite)
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# 🔍 Step 2: Run your first reconnaissance chain
subfinder -d target.com -silent | httpx -silent | nuclei -severity critical,high

# 🎉 Step 3: Analyze results and profit!
# Check the output for vulnerabilities and start reporting!
```
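```bash
# 🚀 Advanced Quick Start - Complete Recon Pipeline
TARGET="target.com"

# Subdomain enumeration with multiple sources.
# The annotated httpx lines (status, title, tech) go to a details file; only the
# URL column goes to subdomains_live.txt so the later tools receive clean URLs.
subfinder -d "$TARGET" -all -silent | \
  httpx -silent -title -status-code -tech-detect -follow-redirects | \
  tee subdomains_live_details.txt | \
  awk '{print $1}' > subdomains_live.txt

# Deep crawling and JavaScript file discovery
# (single backslash in the regex; also matches .js URLs that carry a query string)
cat subdomains_live.txt | katana -silent -d 3 -jc | \
  grep -E '\.js(\?|$)' | \
  httpx -silent -mc 200 | \
  tee js_files.txt

# Vulnerability scanning with Nuclei
nuclei -l subdomains_live.txt -severity critical,high,medium -silent -o nuclei_results.txt

# 💎 Results saved in:
# - subdomains_live.txt (Live domains, one URL per line)
# - subdomains_live_details.txt (Live domains with status, title and tech)
# - js_files.txt (JavaScript files)
# - nuclei_results.txt (Vulnerabilities found)
```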
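One way to enforce the bbrf scope list before any host reaches httpx, katana or nuclei, as an added example that is not part of the repository. The names `SCOPE`, `in_scope` and `filter_scope` are hypothetical, `SCOPE` holds only a subset of the page's wildcards, and the example assumes `*.x` covers subdomains of `x` but not `x` itself.

```sh
#!/bin/sh
# Added example, not from the repository: scope guard for recon pipelines.
# SCOPE is a subset of the wildcards in the page's bbrf command, one per line.
SCOPE='*.af.mil
*.army.mil
*.navy.mil
*.health.mil'

# in_scope INPUT: succeed only if INPUT's hostname is covered by SCOPE.
# Assumption of this example: "*.x" covers subdomains of x, not x itself.
in_scope() {
  _h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  # Strip a leading scheme only; a greedy "*://" strip would also match
  # a URL embedded in the query string of an out-of-scope host.
  case $_h in
    http://*)  _h=${_h#http://} ;;
    https://*) _h=${_h#https://} ;;
  esac
  _h=${_h%%[/?#]*}                     # drop path, query, fragment
  # Fail closed before port stripping: userinfo "@", IPv6 brackets, spaces.
  case $_h in
    *[!a-z0-9.:-]*) return 1 ;;
  esac
  _h=${_h%%:*}                         # drop port
  _h=${_h%.}                           # drop trailing root dot
  while IFS= read -r _p; do
    case $_p in
      '*.'?*) _s=${_p#?}               # "*.af.mil" -> ".af.mil"
              case $_h in ?*"$_s") return 0 ;; esac ;;
      ?*)     if [ "$_h" = "$_p" ]; then return 0; fi ;;
    esac
  done <<EOF
$SCOPE
EOF
  return 1
}

# filter_scope: read candidates on stdin, print the in-scope ones unchanged.
filter_scope() {
  while IFS= read -r _line || [ -n "$_line" ]; do
    if in_scope "$_line"; then printf '%s\n' "$_line"; fi
  done
}
```

Sourced into the shell, `filter_scope` sits between enumeration and probing, for example `subfinder -d "$TARGET" -silent | filter_scope | httpx -silent`.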
| Tip | Description |
|---|---|
| 🔑 | Always get proper authorization before testing |
| 📝 | Keep detailed notes of your findings |
| 🛠️ | Start with automated tools, then manual testing |
| 💰 | Focus on high-impact vulnerabilities first |
| 🤝 | Join the community and learn from others |
| Category | Tools | Installation |
|---|---|---|
| Subdomain | Subfinder, Amass, Assetfinder, Findomain, Chaos | go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest |
| HTTP Probing | Httpx, Httprobe | go install github.com/projectdiscovery/httpx/cmd/httpx@latest |
| Crawling | Katana, Gospider, Hakrawler, Cariddi | go install github.com/projectdiscovery/katana/cmd/katana@latest |
| URLs | Gau, Waybackurls, Waymore | go install github.com/lc/gau/v2/cmd/gau@latest |
| Scanning | Nuclei, Jaeles, Naabu | go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest |
| XSS | Dalfox, XSStrike, Kxss, Airixss | go install github.com/hahwul/dalfox/v2@latest |
| SQLi | SQLMap, Ghauri | pip install sqlmap ghauri |
| Utilities | Anew, Qsreplace, Unfurl, Gf, Uro | go install github.com/tomnomnom/anew@latest |
| Fuzzing | Ffuf, Feroxbuster | go install github.com/ffuf/ffuf/v2@latest |
| JS Analysis | Subjs, LinkFinder, SecretFinder, Jsubfinder | go install github.com/lc/subjs@latest |
| Cert Monitoring | Certstream, Certstream-go | pip install certstream |
| DNS | Dnsx, Shuffledns, PureDNS, MassDNS, [Dnsgen](https://github.com/ProjectAnte/dn |