Are These The Best Hacking Tools for 2026?
By NahamSec
Summary
Key takeaways
- **Proxy Tools: Caido, Burp Suite, ZAP**: Proxy tools are essential for bug bounty hunters to analyze and manipulate web traffic, with options like Caido being affordable and community-driven, Burp Suite being a long-standing paid option, and ZAP Proxy being a free alternative. [01:19], [01:30]
- **Recon: Finding More Assets**: Reconnaissance is about discovering additional assets to hack on and extending the attack surface, not just running automated scripts like Nuclei. Subfinder is recommended for its ability to combine multiple sources, but API key access influences its effectiveness. [02:30], [03:06]
- **Directory Fuzzing: ffuf vs. Gobuster**: For directory and file fuzzing, ffuf remains a strong option, but Gobuster is gaining traction due to its development and versatile modes for brute-forcing virtual hosts and S3 buckets, which ffuf lacks. [06:16], [06:33]
- **Content Discovery: Waymore for Context**: Tools like Waymore are crucial for discovering content on subdomains, providing historical data and context. This helps in identifying potential API keys or leaked JavaScript files that might otherwise be missed. [08:18], [08:34]
- **Blind XSS: ezXSS Setup**: While XSS Hunter is no longer viable, ezXSS is a recommended tool for hunting blind XSS. It's easy to install, configurable, provides necessary payloads, and can notify via webhooks to Discord or Slack. [10:13], [10:43]
- **Customized Nuclei for Efficiency**: Instead of generic template usage, customize Nuclei by tagging templates, adding specific paths, and creating workflows. This organized approach helps in finding unique vulnerabilities that others might overlook. [11:30], [12:17]
Topics Covered
- Proxies are essential for bug bounty hunting.
- Reconnaissance is more than just automation.
- Expand your attack surface with subdomain enumeration.
- Context is king in bug bounty hunting.
- Don't just spray and pray with Nuclei; customize it.
Full Transcript
Two years ago, I dropped a video kind of like this one. And I just rewatched it. And to be honest, it's wild how much I've changed since then. Like, you don't really notice it day-to-day, but looking back, I can see how much my hacking style, my mindset, and even the stuff that I care about now has evolved over time. Part of that is just learning new techniques. Part of it is just shifting my interest. And just sometimes the bugs that I look for are different. So, all I'm trying to say is that everything from my approach has changed over the years. And that comes with the tools of the trade that I use day-to-day, and it's all completely new. Now, I figured why not update this video. It's time to show you some of the tools that I think every bug bounty hunter should know and give you a peek at the exact stuff I use day-to-day.

You really can't hack, or you can, but it just won't be as fun and easy without a proxy tool. And if you're not familiar with a proxy tool, what it does is it sits between your browser and the web server, and it kind of just grabs all the traffic that you're sending to that web server and allows you to analyze it in a very, very clean and easy way. Usually we use these because we want to be able to manipulate the requests that we're sending to these servers, inject our payloads, fuzz, look for vulnerabilities, look for anomalies and things that could be interesting, and just escalate them and hopefully be able to report something that could turn into a value. So in this category you have a ton of options, and some of those are paid for and some of them are free. The one that I usually tend to use is Caido, because it is more affordable but also it is very community-driven, and you see a ton of hackers are just contributing to the ecosystem of Caido. But you also have the runner-up like Burp Suite, which is a little bit on the more expensive side, but they have been around for maybe over a decade now. They're doing cool research as well. Or you can go as far as using ZAP Proxy if you don't want to pay for any of these. And that was a project that was maintained by the OWASP project, but I think now it's been funded a little bit more and it's being built on more. I don't use ZAP at all, but I know a ton of hackers were happy about using it. But you do have these options. So, if you're looking for one, these are your options that you can use. Personally, go to Caido. And if you want to win a license, actually, I'm going to do you a favor. Go down into the comments, type in the word Caido, and I'll pick two users to give them a license to use Caido on me. So, that was an easy category. It's just I don't want to cover that too much, because I think there are a ton of videos on this that I've made in the past. I've covered Burp Suite in the past. I've done Caido in the past. Maybe I'll do a full course on Caido at some point on this channel. But I don't want to waste too much time on this category of proxies. But I do think it's a tool that every bug bounty hunter out there uses. And if you're getting into bug bounties and you want to get started, this should be your number one tool. You should master it and become very good and comfortable with these tools.

So, let's talk recon. Now, recon is probably one of the most important parts of your day-to-day hacking. And the thing that everybody gets confused about when it comes down to recon is everyone thinks recon is automation. It is pretty much removing yourself from finding vulnerabilities and having these massive scripts that look for bugs for you, and you just copy-paste them and record them. A lot of people think of recon as running Nuclei, which we'll talk about in just a little bit, but it's not that. Recon should be just finding extra assets to hack on and just kind of connecting them together and maybe being able to extend the attack surface while you are hacking on a specific company. So, that category specifically, this one has not changed since the last video. I still love to use Subfinder because it allows you to use multiple sources, and it just takes all those different sources and combines them all into one. But it all comes down to how much money you're willing to spend or what API keys you have access to. So, if you're running Subfinder without actually setting up keys, even if those are free keys that you can use, you are doing it right. So, do me a favor. Make sure you go to the config file and find a config file under the dot folders. It's usually under ~/.config/subfinder. And there is a YAML file in there that you can update and put all these different keys in. When I first started doing this, I just kind of had Shodan and VirusTotal, and I think only those. But I've recently bought a lot more of those. If you want to buy something more affordable, C99 is a really good one that I use. You can also go as expensive as getting something like SecurityTrails, signing up for all the different services. But honestly, that comes down to how many of these you have access to, how many of these you want to go access and get a trial for, and how many different API keys you include within it. But also, you can take this whole entire process a step further and describe all those subdomains, resolving them, seeing what they resolve to, if they resolve to another domain. For example, that domain could be a part of the infrastructure. You can enumerate on there. You can go as far as doing permutations, all that good stuff. And if you want to learn more about that, I have a free course on this channel. It's called the recon methodology for bug bounty hunters. Go look it up. We talked about all of that in that video. You can just view it for free, and there's also a free lab with it that's coming out in the next coming weeks. So that was the second category, which is just finding more assets to hack on. That is key for any bug bounty hunter that is hacking on these programs nowadays. But remember, this isn't always the case for a lot of bug bounty programs. You may have some bug bounty programs that allow you to do any subdomain in any domain they own. Those are your Google, Uber, Facebook, you name it. Those companies allow you to do that. But some companies are a lot smaller. So they only allow you to hack on their main bug bounty program, or their main asset in the bug bounty program, and you have to just stick to the scope. So make sure you're always doing the scope before you start running tools like Subfinder and going after all these different subdomains. I also have a bunch of Shodan keys. So if you want to just comment Shodan, I will give you one of those. But by the way, don't go commenting both Caido and Shodan. You can only enter for one of them. If you did Caido and you don't want to win Caido, go delete it, drop a comment saying Shodan, and I'll pick two or three of you to get a free access code to Shodan as well.

So, we've talked about your proxy tools so you can intercept data and, you know, fuzz with things manually or just use some of those plugins on Caido. We also talked about looking for subdomains using tools like Subfinder, which is my go-to. There are a couple of runner-ups in that category like Amass, subdomain finder. You can use some other open tools, but that's obviously the one that I go with. But then you have the next step of what do we do when we find the subdomains? So when you have subdomains that are given to you and you want to be able to hack on them, and sometimes you don't have context, you do have a couple of options here. The first option here is to do something like fuzzing, where you take a dictionary, like you go look for wordlists. You can go grab those from something like SecLists, or maybe go on the Assetnote website and grab them. But you have to take those and see if each of those entries in those wordlists exist on those web servers. So this is when you start directory or file brute forcing. For this one, this category has not changed since the last video, and it stays as ffuf, but I have been considering going to Gobuster over ffuf because of how much development is going into Gobuster. So, if you want to see a whole video on Gobuster, obviously drop a comment. But I'm really thinking about just switching to Gobuster for 30 days and then making a video reporting back on which one I like more. The thing that I do like a lot about Gobuster is that they have these different modes that allow you to brute force for, let's say, virtual hosts. You can brute force for S3 buckets. You can brute force for different things, rather than just one simple tool that does it all like ffuf does. ffuf is just, hey, you put the word FUZZ anywhere you want in the HTTP request and I will replace it with the keywords that you're giving me, whereas Gobuster has these modes that say, hey, I want to specifically look for virtual hosts. I want to specifically look at S3 buckets. So that's kind of what I like about it, and I'm thinking about switching over to it. So I want to make sure I combine those two and give you an option. Obviously, if you're using something like Caido or Burp or ZAP Proxy, all three of those have a tab where you can go into it, import your wordlist, and use something like Automate on Caido; you can use Intruder on Burp Suite and just import your files and have it do the work for you. Sometimes I do that, but it's not the best way to do it. I like to have a tool on the command line, especially in the cloud, that I usually use for these purposes. That was the first approach. So we have ffuf, Gobuster, just fuzzing and using the old-school dictionaries right here. You can just do that with almost every website.

But the other option you have is using something like a historic data source, right? You can use these crawlers that have indexed all over the internet and look for data and kind of make sense of what these assets are. And that's something that I do a lot of times, because when I see a subdomain that has a, like, random name within the subdomain name, I always ask the question of what was the purpose of this domain or subdomain? What was it supposed to do? Because I can't see the content. Sometimes it's a white page. Sometimes it's just an API that I don't know the API routes for. You always want to have context. Context matters the most in bug bounty hunting, especially if you're going after a wide target and you're just extending your attack surface by doing a lot of recon. So keep that in mind. You always want to make a little bit of assumptions based on the context of that website. And tools like Waymore make this way, way more, no pun intended, they make it way easier to do, because they have all these different sources baked into them. And all you have to do is just tell it, hey, I want to look for all the links that you can find on this specific subdomain. But the cool thing with Waymore is that not only can you just get a list of all those, you can also download the content. So you can actually look at the content of those pages and see if there's any API keys that may have been leaked in there or any JavaScript files that may have been in there. It could give you more resources or more endpoints and things like that. So that's a really, really good tool that I use. I've been just using it a whole lot more. Shout-outs to xnl-h4ck3r for making this, and just an amazing tool all around. So that's your second approach when it comes down to looking at assets and just trying to look for content that you want to hack on, or just fuzz and just find vulnerabilities with it. You also have the option of just crawling these websites, but crawling requires the websites to have some sort of content. So let's say you are going after a massive application like Airbnb. You can do all three of these. You can do subdomain brute forcing. You can use Waymore to get all this historic data. But also you can use a tool like Katana to crawl them. But I usually don't do that as much anymore, just because of the fact that it takes a lot of resources, but also it just takes time. So that's just a desperate measure that I use towards the end, and sometimes you'll see me run Katana. But the exact order for me is always looking for my own wordlist, then doing something like Waymore, and then the Hail Mary at the end is just like, hey, let's just run Katana on all this and just grab all the files and folders that we can come across, and then we can just start compiling all of our lists together and just go and hack and look for vulnerabilities within all of them. Katana isn't a part of this video, but I've done a massive video on all this. Go on the channel, you'll find it. It's about crawling using Waymore and Katana, and it's all around just a good introduction to this methodology.

And our last category is looking for a tool that allows you to look for blind XSS, because if you've been watching my channel for a while, you know how much I love blind XSS, or just XSS in general. The thing with blind XSS is, though, you used to be able to use a tool like XSS Hunter, but that has changed now. XSS Hunter is gone. And honestly, a lot of companies don't want you to use a third-party service to capture their data when it comes down to blind XSS. While I don't really use ezXSS as much, I do have it set up somewhere because of the course that I created. If you want to learn how to use ezXSS, set it up, and how I hunt for blind XSS, there will be a link down below for my course. You can buy it for $30 right now. But regardless of whether you buy the course or not, I do have it set up somewhere. But I also have my own setup. I've made something just super custom that does different things for it. But honestly, in this category, ezXSS is hands down the best to use. Again, it's easy to install. It allows you to configure it a lot of different ways, and also it gives you the payloads that you need, and it allows you to have just a webhook that notifies your Discord or your Slack any time that a new payload fires. So, if you want to learn more about that, actually, I think I've done a video on this. It's called lessons learned from $250,000 of blind XSS. That will also be linked down below. You can go watch and learn more about it.

So, those are typically all of the tools that I use. I do have one more tool that I've been just using more and more, and that is Nuclei. And I don't use Nuclei in the sense that everybody else does. If you go and look at how everybody uses Nuclei, it's just everyone just downloads the tool. They download all the community templates and then just spray it everywhere and everywhere in the world, and they just expect to find vulnerabilities while they're using the same thing as a thousand other hackers. The way I use Nuclei is very, very different. First of all, I go through all the different templates that I like and I tag them. So I tag them with nahamsec, or maybe custom, or a custom keyword that I know that I have customized, and then I tag it even further with technologies and things like that. So it's very, very organized. But the reason why I go through them and I tag them is because I also want to be able to customize these. I go and add different paths to these. I go and add different routing. So for example, if I'm looking for something like Swagger and they have maybe five entries for Swagger, I go and add 20, 30 more of those. Some of those I come up with, and some of them I can just use AI and just come up with common patterns and places that these different endpoints would exist. A lot of people don't do that, and if you're trying to use Nuclei, you should definitely start with this very step. The second thing I do is create workflows. Workflows are something that most people don't understand how to use in Nuclei, I'm not sure why, but it is probably one of the best features of that tool. So, if you want to see a video on that, I have one coming up. But if you want to drop me a comment and say Nuclei to convince me, why not drop another comment and we'll make that happen.

I think that was all of them. These are the tools that I use very regularly, if not daily. But I do have a couple more that are just on my computer or on my machine that probably we can do a part two of this. I'll just think about it and see if we can make that in the future. But for now, thank you for watching this video all the way up to the end. We're almost at 200,000 subscribers. So, if you haven't already, make sure you hit that subscribe button, become a homie, and also turn on the notification bell so every time I post a video, you get alerted as well. All right, that's it. See you all in next week's video. Peace.
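The Subfinder key file the transcript refers to (the YAML under ~/.config/subfinder), written out as an added example; this is not from the video or from the projectdiscovery project, and every key value is an obvious placeholder. Subfinder reads this file from ~/.config/subfinder/provider-config.yaml, and each source takes a list, so several keys for one source can be rotated.

```yaml
# ~/.config/subfinder/provider-config.yaml
# Added example: the values below are placeholders, not real credentials.
# Only the sources named in the video are shown; `subfinder -ls` prints the
# full source list and marks which ones need a key.
shodan:
  - SHODAN_API_KEY_PLACEHOLDER
virustotal:
  - VIRUSTOTAL_API_KEY_PLACEHOLDER
c99:
  - C99_API_KEY_PLACEHOLDER
securitytrails:
  - SECURITYTRAILS_API_KEY_PLACEHOLDER
```

Because this file holds paid credentials, keep it readable only by your user (`chmod 600 ~/.config/subfinder/provider-config.yaml`) and out of any dotfiles repository. With keys in place, `subfinder -d example.com -all -o subs.txt` queries every configured source instead of only the keyless ones, and you must still check the program's scope before resolving or probing anything it returns.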
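The Nuclei customization described above (tagging templates with your own keyword, extending a template's path list, and chaining templates with a workflow), as an added example. Neither file is from the video or from the nuclei-templates project: the template id, author, the `nahamsec`/`custom` tags, the `custom/` directory, and the `api-followup` tag that the workflow assumes other templates carry are all assumptions made here for illustration. The check is an inventory-style exposure check (API documentation reachable on your own assets), which is what the original Swagger template already does with fewer paths.

```yaml
# custom/swagger-paths.yaml  (added example; not a stock nuclei-templates file)
id: custom-swagger-paths

info:
  name: Swagger / OpenAPI document exposure (extended path list)
  author: your-handle-here   # placeholder
  severity: info
  description: Inventory check for exposed API documentation on assets you are authorized to test.
  # Tags are what make the template selectable later: `-tags nahamsec,swagger`.
  tags: nahamsec,custom,swagger,api,exposure

http:
  - method: GET
    # The stock template carries a handful of paths; the approach in the video
    # is to keep adding the patterns you have seen in the wild.
    path:
      - "{{BaseURL}}/swagger-ui.html"
      - "{{BaseURL}}/swagger-ui/index.html"
      - "{{BaseURL}}/swagger/index.html"
      - "{{BaseURL}}/swagger.json"
      - "{{BaseURL}}/v2/api-docs"
      - "{{BaseURL}}/v3/api-docs"
      - "{{BaseURL}}/openapi.json"
      - "{{BaseURL}}/api/docs"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        name: swagger        # named matcher: the workflow below keys off this name
        part: body
        condition: or
        words:
          - "swagger"
          - "openapi"

# custom/api-docs-workflow.yaml  (added example)
# Runs the template above first and only continues to the follow-up templates
# for hosts where the "swagger" matcher fired, instead of spraying everything.
id: custom-api-docs-workflow

info:
  name: Run API follow-up templates only where API docs were found
  author: your-handle-here   # placeholder

workflows:
  - template: custom/swagger-paths.yaml
    matchers:
      - name: swagger
        subtemplates:
          # Assumption: your other custom API templates carry the tag "api-followup".
          - tags: api-followup
```

Validate the files before use with `nuclei -validate -t custom/`, run the tagged subset alone with `nuclei -t custom/ -tags nahamsec,swagger -l hosts.txt`, and run the chain with `nuclei -w custom/api-docs-workflow.yaml -l hosts.txt`. The design point is the one the video makes: the tag is what lets you run only the templates you have actually reviewed and extended, and the workflow is what turns a broad scan into a conditional one, so follow-up checks only hit hosts that earned them.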