Epilepsy warning

Attack surface monitoring has become increasingly important and popular in recent years as the internet footprint of organizations has increased. Hackers are utilizing advanced recon methods for discovering and monitoring internet-facing assets of an organisation. As changes occur in the attack surface, it is beneficial for hackers to be notified so that they can immediately check if these changes may have introduced security issues. Of course, this makes it equally important for organisations to monitor their own attack surface, so that they have at least the same visibility as their attackers.

Today there are a lot of tools available to…

Yes, I made a logo for my tool. It’s a wolf with a moon on it’s head. It has nothing to do with the tool but if you like wolves then you will probably enjoy it. I am quite talented at graphic design, I changed the text to “haktrails” all by myself. The wolf bit was a free Canva template.

Quick Ad Break

Full disclosure — SecurityTrails has sponsored me to write this tool and create some content because they’re running Bug Bounty Hunting Month. As part of that, they’ve released a plan that is catered directly to bug bounty hunters. If you’re…

A while back, I posted a Twitter thread that described the Nmap features that I actually use. It really blew up! Nearly 80,000 people saw that thread, so I thought it would be good to put it into a blog post that can be searched and referred to over the long term. The original tweet is here: https://twitter.com/hakluke/status/1263821957163741185

The thing is, Nmap is one of those OG hacking tools that has been around since forever, and it’s incredible, but similar to amass, Nmap is one of those tools that is synonymous with hacking, and extremely well known, but most people…

ASCII art is life

Amass has a lot of features. It’s a bit of a weird tool because despite being synonymous with bug bounty recon, and despite being extremely well known, most people don’t know how to use it to it’s full advantage. Most people that I see using Amass are just doing this:

amass enum -d clicktheclapbutton50timesplz.com

Amass hums away for a few minutes doing its thing, skulking around the slums of the internet, begging for subdomains from anyone that will listen and then sending them back to you, the hacker. …

Hakrawler Output Example


For a long time, I’ve wanted a tool that can extract all URL endpoints from an application and simply dump them to the command-line. So I created one!

Here’s the tool: https://github.com/hakluke/hakrawler

The URLs are extracted by spidering the application, querying wayback machine, parsing robots.txt files and parsing sitemap.xml files.

The tool also collects any subdomains it finds along the way. As far as I know, this subdomain enumeration method is not currently used by any other popular subdomain enumeration tools, so it may help to uncover some additional targets.

For installation and usage details, see the repository’s readme.


  • Easily…

Image Credit: Veklabs on Unsplash

I’m an ethical computer hacker, and I follow a lot of others in the same profession on Twitter. In many ways it is a demanding job because it requires constant learning. Every day there are new techniques and vulnerabilities to exploit. To be a reasonable ethical hacker, you need to be on top of all of them. This may sound exciting, but it can quickly turn from exciting to exhausting.

I’ve noticed a lot of tweets lately from people saying that they have no motivation to hack or learn anything new. They might have enough motivation to turn on their…

Photo by Paul Esch-Laurent on Unsplash

TL;DR: Before you report an XSS, look for ways it can be leveraged to increase severity. Here’s my repo containing weaponised JavaScript payloads for popular platforms like Wordpress and Drupal. More will be added in the coming weeks.

It feels like every day that I see another under-leveraged XSS writeup hit my Twitter feed. I saw another one today, I don’t want to name and shame, so let’s call the author “Jim”. The write-up went something like this.

  • Jim found some user input that was reflected, unsanitised
  • Jim put <script> alert(1)</script> into the input and an alert box popped up

Image result for productivity hacking

Before we start, I need to get something off my chest. I’m an efficiency junkie. I’m one of those people who spends 4 hours configuring the perfect tmux/vim/sublime/bash configuration to save 4 milliseconds on a common task. If I could take one skill into the afterlife it would be automation. One of the ultimate hard-truths in my life is that efficiency does not equal productivity.

I would be generally more productive if I spent more time on actually doing things and less time on trying to improve efficiency. But hey, if I write blog posts about efficiency hacks, at least…

Have you ever received an email from a Nigerian prince or a non-existent distant relative who is offering you an absurd amount of money? It was a phishing scam, albeit an extremely unsophisticated one. These unsophisticated phishing emails are generally sent to a huge number of people, in the hundreds of thousands or even millions. Sending this many emails does not take much effort given the right resources. If just 0.01% of people fall for this phishing scam, at $1000 per victim, with 1 million emails, you have just made yourself a tidy $100,000. Not bad for a weekend’s work!

You, with your new subdomain scanner, literally punching clean through a laptop because you’re so awesome.

Sub-domain takeovers are all the rage in the bug bounty scene at the moment. You’ve probably heard about some bug bounty legends who are raking in the dough because they’ve managed to set up an automated sub-domain takeover scanner, if you haven’t, Google “Frans Rosén”. I’m going to let you in on a secret, it’s not as hard as it sounds.

Using a couple of free tools and some dodgy ghetto bash scripts, we can slap together our own poor-man’s version in under 5 minutes. Strap-in!

Gathering Wildcard Domains

First things first! We need to get a list of all the wildcard domains…

Luke Stephens (@hakluke)

Pentester | Hubby | Musician

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store