lazyhunter is an automated recon tool for bug hunters who want to work fast and efficiently. It is designed for both beginners and professionals.
- Subfinder + Assetfinder → find subdomains
- Httpx → validate active subdomains (200)
- Nuclei → scan active subdomains using common templates such as: misconfiguration, exposure, default-login, panel, cves, cms, files, dns, ssl, token, backup, etc.
- Scan speed can be adjusted (low/standard/fast).
- Scan results are automatically sent to Telegram.
- Subfinder + Assetfinder → find subdomains
- Httpx → validate active subdomains (200)
- Katana + Gau → Crawling URLs with parameters and .js.
- Httpx → validate active URLs (200)
- Separate URLs with parameters from .js URLs
- Nuclei stage 1: scan .js URLs (exposure tag).
- Nuclei stage 2: scan URLs with parameters (dast templates).
- Adjust scanning speed (nuclei) → 3 options available: Low, Standard, Fast.
- All results are automatically sent to Telegram.
- Subfinder + Assetfinder → find subdomains
- Httpx → validate active subdomains (200)
- Waybackurls + Katana + Gau → Crawling URLs with parameters and .js.
- Httpx → validate active URLs (200)
- Separate URLs with parameters from .js URLs
- Nuclei stage 1: scan active subdomains (common templates).
- Nuclei stage 2: scan .js URLs (exposure tag).
- Nuclei stage 3: scan URLs with parameters (dast templates).
- Nuclei stage 4: scan subdomains to check takeover potential.
- Adjust scanning speed (nuclei) → 3 options available: Low, Standard, Fast.
- All results are automatically sent to Telegram.
- Uses the crawl results from the previous gau run to identify URLs with sensitive extensions.
- Filter URLs containing extensions: .zip, .tar, .gz, .7z, .rar, .bak, .backup, .old, .sql, .db, .sqlite, .env, .log, .conf, .config, .ini, .cfg, .xml, .json, .js
- Test filtered URLs with Httpx to identify active sensitive resources.
- Detect configuration files, credentials, or important backups that are publicly exposed.
- Results are saved to a text file.
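
One way to implement the extension filter above so that it matches on the URL path instead of by substring, which keeps `?file=dump.sql` and `app.js.map` out of the results. This is an added example, not lazyhunter's own code; the function names are hypothetical and the sample URLs are constructed.

```python
import posixpath
from urllib.parse import urlsplit

# Extension list copied from the filter step described above.
SENSITIVE_EXT = {
    ".zip", ".tar", ".gz", ".7z", ".rar", ".bak", ".backup", ".old", ".sql",
    ".db", ".sqlite", ".env", ".log", ".conf", ".config", ".ini", ".cfg",
    ".xml", ".json", ".js",
}

# Constructed sample input (not real crawl output).
SAMPLE_URLS = [
    "https://shop.example.com/backup/site.tar.gz",
    "https://shop.example.com/.env",
    "https://shop.example.com/api/config.json?v=2",
    "https://shop.example.com/api/config.json?v=3",
    "https://shop.example.com/download?file=dump.sql",
    "https://shop.example.com/static/app.js.map",
    "https://shop.example.com/DB/export.SQL",
    "https://shop.example.com/docs/",
]

def path_extension(url):
    """Lowercased extension of the URL path; query and fragment are ignored."""
    name = posixpath.basename(urlsplit(url).path)
    # splitext() treats a bare dotfile such as ".env" as having no extension.
    if name.startswith(".") and name.count(".") == 1:
        return name.lower()
    return posixpath.splitext(name)[1].lower()

def filter_sensitive(urls):
    """Return (url_without_query, extension) pairs, deduplicated, in input order."""
    seen, hits = set(), []
    for raw in urls:
        parts = urlsplit(raw.strip())
        ext = path_extension(raw.strip())
        if ext not in SENSITIVE_EXT:
            continue
        # Assumption: the query string does not change which file is served,
        # so one probe per path is enough.
        key = parts._replace(query="", fragment="").geturl()
        if key not in seen:
            seen.add(key)
            hits.append((key, ext))
    return hits

if __name__ == "__main__":
    for url, ext in filter_sensitive(SAMPLE_URLS):
        print(ext, url)
```
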
- Has two modes:
• Mass → from subdomain list file.
• Wildcard → auto subdomain with subfinder + assetfinder.
- Uses Nuclei with the `takeovers` template to check for possible takeover.
- Scan results are sent to Telegram.

- Telegram notification
- Automatic folder structure for scan results
- Access to target lists from bug bounty platforms such as:
  - hackerone
  - bugcrowd
  - yeswehack
  - intigriti
  - hackenproof

| File | Number of domains |
|---|---|
| hackerone_bounty.txt | 769 domains |
| hackerone_swag_vdp.txt | 656 domains |
| bugcrowd_bounty.txt | 255 domains |
| bugcrowd_swag_vdp.txt | 183 domains |
| hackenproof_bounty.txt | 86 domains |
| hackenproof_swag_vdp.txt | 0 domains (empty) |
| yeswehack_bounty.txt | 68 domains |
| yeswehack_swag_vdp.txt | 0 domains (empty) |
| intigriti_bounty.txt | 45 domains |
| intigriti_swag_vdp.txt | 23 domains |
| immunefi_bounty.txt | 5 domains |
| immunefi_swag_vdp.txt | 0 domains (empty) |
| bugv_bounty.txt | 8 domains |
| bugv_swag_vdp.txt | 0 domains (empty) |
| bugbase_bounty.txt | 3 domains |
| bugbase_swag_vdp.txt | 0 domains (empty) |
| self_hosted_program_bounty.txt | 354 domains |
| self_hosted_program_swag_vdp.txt | 1,625 domains |

Total: 4,430 domains across 18 files

Source: https://github.com/projectdiscovery/public-bugbounty-programs

First, clone the repository from GitHub:

```bash
git clone https://github.com/phims403/lazyhunter.git
cd lazyhunter
```

Simply use the setup.sh script to install all requirements automatically:

```bash
chmod +x setup.sh
./setup.sh
```

The script will:

- Install Python and Go (Golang) if not already installed
- Install all Python dependencies from requirements.txt
- Install required external tools:
  - subfinder
  - assetfinder
  - katana
  - gau
  - waybackurls
  - httpx
  - nuclei
- Add the Go binary path to your shell automatically (permanently)

Once everything is ready, run the tool with:

```bash
python lazyhunter.py
```

Select the desired feature.