Nerd Level Tech logo
|
Lesson 2 of 24

Bug Bounty Fundamentals

Setting Up Your Hunting Environment

4 min read

A proper bug bounty setup combines interception proxies, reconnaissance tools, and organized workflows. Here's the industry-standard 2026 toolkit.

Core Tools

Burp Suite (Required)

The industry standard for web testing:

# Community Edition: Free
# Professional Edition: $449/year (recommended for serious hunters)

# Key features you'll use:
# - Proxy: Intercept and modify HTTP/HTTPS requests
# - Repeater: Manual request manipulation
# - Intruder: Automated fuzzing
# - Scanner: Automated vulnerability detection (Pro only)

Browser Setup: Install the Burp CA certificate and configure FoxyProxy for quick proxy toggling.

Command-Line Reconnaissance Stack

# Install Go first (required for most tools)
# Then install essential tools:

# Subdomain enumeration
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/owasp-amass/amass/v4/...@master

# HTTP probing
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest

# Vulnerability scanning
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Directory/parameter fuzzing
go install -v github.com/ffuf/ffuf/v2@latest

# DNS resolution
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest

Browser Extensions

Extension Purpose
Wappalyzer Technology fingerprinting
FoxyProxy Quick proxy switching
Cookie Editor Session manipulation
HackBar Encoding/decoding
Shodan Passive reconnaissance

Virtual Machine Setup

Use a dedicated VM for hunting:

# Recommended: Kali Linux or ParrotOS
# - Pre-installed security tools
# - Isolated environment
# - Snapshot capability for clean states

# Alternative: Ubuntu + manual tool installation
# More control, smaller footprint

Directory Structure

Organize your work:

~/bugbounty/
├── targets/
│   └── {program-name}/
│       ├── recon/
│       │   ├── subdomains.txt
│       │   ├── live-hosts.txt
│       │   └── screenshots/
│       ├── notes/
│       ├── reports/
│       └── evidence/
├── tools/
│   └── wordlists/
├── templates/
│   └── report-template.md
└── automation/
    └── recon-scripts/

Essential Wordlists

# Clone SecLists (most comprehensive)
git clone https://github.com/danielmiessler/SecLists.git ~/wordlists/SecLists

# Key lists you'll use:
# - Discovery/Web-Content/directory-list-2.3-medium.txt
# - Discovery/DNS/subdomains-top1million-5000.txt
# - Fuzzing/LFI/LFI-Jhaddix.txt
# - Passwords/Common-Credentials/

Quick Verification

Test your setup:

# Verify tools are installed
subfinder -version
nuclei -version
ffuf -version

# Test Burp proxy (should see traffic)
curl -x http://127.0.0.1:8080 https://example.com

Pro Tip: Create aliases for common commands. Time saved on typing adds up over hundreds of targets.

Next, we'll cover the legal and ethical framework that keeps you safe while hunting. :::

Quiz

Module 1: Bug Bounty Fundamentals

Take Quiz