Posts

Showing posts from May, 2026

Subdomain Enumeration

Subdomain Enumeration for Bug Bounty — 4 Kali Tools, One Chain

The first thing any bug bounty hunter or pentester does on a new target is the same: figure out the full attack surface. A program in scope says "*.target.com" — your job is to find every subdomain that resolves to something interesting. The bigger your map, the more chances you have of finding the host nobody else thought to test.

This post walks through the four-tool chain I run on every engagement, end to end, with real output against `hackerone.com` (an authorized recon target under their own bug bounty program).

> Prefer video?

The Chain at a Glance

| `subfinder` | Fast passive enum from many public sources | Subs → file |
| `assetfinder` | Different source mix, catches hosts subfinder misses | Subs → file |
| `amass` | Deepest passive coverage (especially with API keys configured) | Subs → file |
| `sort -u` | Merge + dedupe the three lists | File → master list |
| `httpx-toolkit` | Probe each host live...

Transfer Files Between Kali and a Target

Transfer Files Between Kali and a Target — 4 Ways Every Pentester Should Know

You've landed on a target. You need to push a payload over, or pull a loot file back to your Kali box. The question every pentester runs into eventually is: which transfer method should I use?

The answer depends on what you have available — credentials, network reach, available tools on the target. Here are the four techniques I reach for the most, ranked roughly from "you have credentials" to "you have nothing but a shell".

> Prefer video? I walk through all four end-to-end on (https://www.youtube.com/@guskhawaja).

When to Use Which

| `scp` | You already have SSH credentials |
| `netcat` | No SSH, but TCP works |
| `python3 -m http.server` | Target has Python and can reach you |
| `updog` | You also need the target to upload files back |

I'll cover each one with a real command you can copy and paste.

Method 1 — `scp` (Secure Copy)

If you have SSH access to the targ...