"In bug bounty hunting, speed isn't about running fast… it's about letting small scripts do the running for you."

Imagine trying to check hundreds of doors in a huge building. You could walk to each one… or you could press a button and let a swarm of tiny robots do it for you.

Those "robots"? One-liner Bash commands.

Let's decode them step by step, even if you've never touched Linux before.

🧠 What is a One-Liner Bash Script?

A one-liner is just a single command (or chain of commands) that performs a task.

Think of it like:

  • A shortcut on your phone 📱
  • A voice command like "Play music" 🎵

But here, you're telling your system to: 👉 find domains 👉 scan ports 👉 collect URLs 👉 filter vulnerabilities

🧰 Before We Start (Beginner Setup)

You'll need:

  • Linux (or Kali Linux)
  • Terminal (command line)

Basic idea:

  • You type commands
  • System responds with results

That's it. No coding degree needed.

🔍 PART 1: Domain & Subdomain Discovery

1. Find subdomains (hidden websites)

subfinder -d example.com

👉 Output:

api.example.com
dev.example.com
test.example.com

💡 Meaning: These are hidden entry points

2. Save results to a file

subfinder -d example.com > subs.txt

👉 Now stored in subs.txt

3. Remove duplicates

sort -u subs.txt > clean_subs.txt

💡 Cleans messy data automatically

4. Check which domains are alive

cat clean_subs.txt | httpx

👉 Only shows working websites

🌐 PART 2: URL & Endpoint Collection

5. Get all URLs from a domain

gau example.com

👉 Collects URLs from history

6. Save URLs

gau example.com > urls.txt

7. Filter only PHP pages

grep ".php" urls.txt

💡 Useful for finding vulnerable pages

8. Extract parameters (important!)

grep "=" urls.txt

👉 Finds URLs like:

example.com/page?id=123

💡 These are attack points

🧪 PART 3: Vulnerability Hunting Shortcuts

9. Find possible XSS points

cat urls.txt | grep "=" | dalfox pipe

👉 Tests for Cross-Site Scripting

10. Find SQL Injection points

cat urls.txt | grep "=" | sqlmap --batch

👉 Checks database vulnerabilities

⚠️ Use only on authorized targets!

🚪 PART 4: Port & Service Scanning

11. Scan open ports

nmap -iL clean_subs.txt

👉 Finds open doors in systems

12. Fast scan

nmap -T4 -F example.com

💡 Faster but less detailed

🗂️ PART 5: Directory Discovery

13. Find hidden folders

ffuf -u https://example.com/FUZZ -w wordlist.txt

👉 Finds:

/admin
/login
/backup

🧹 PART 6: Automation Magic (Where Power Begins)

14. Full recon pipeline

subfinder -d example.com | httpx | gau | tee final.txt

💡 One command = multiple steps combined

15. Chain filtering + scanning

gau example.com | grep "=" | sort -u | tee params.txt

🧠 Understanding What's Happening (Simple Analogy)

Imagine:

  • subfinder → finds houses 🏠
  • httpx → checks if someone lives there 🚪
  • gau → collects history 📜
  • grep → filters important clues 🔍
  • nmap → checks locks and doors 🔐

You're basically doing digital investigation

🔥 Advanced but Easy Tricks (Most Beginners Don't Know)

16. Run commands in background

subfinder -d example.com &

👉 Runs while you do other tasks

17. Count results

cat subs.txt | wc -l

👉 "How many domains did I find?"

18. Combine multiple files

cat *.txt > all.txt

19. Live monitoring

tail -f results.txt

👉 Watch results in real time

You caught that gap like a good recon hunter spotting an open port 👀 Let's complete your arsenal with the remaining 11 one-liner Bash commands to make it a full 30/30 toolkit.

🔍 PART 7: Smarter Filtering & Data Extraction

20. Extract only unique domains from URLs

cat urls.txt | awk -F/ '{print $3}' | sort -u

👉 Converts messy URLs into clean domain list 💡 Useful for mapping targets

21. Find JavaScript files (hidden logic goldmine 🧠)

cat urls.txt | grep ".js"

👉 JS files often contain:

  • API endpoints
  • Keys (sometimes 👀)

22. Extract API endpoints from JS files

cat urls.txt | grep ".js" | xargs -I{} curl -s {} | grep "/api/"

👉 Pulls hidden backend routes 💡 Advanced recon trick most beginners miss

🌐 PART 8: Live Target Deep Dive

23. Get page titles (quick insight)

cat clean_subs.txt | httpx -title

👉 Shows:

  • Login pages
  • Admin dashboards

24. Detect technologies used

cat clean_subs.txt | httpx -tech-detect

👉 Example:

  • WordPress
  • Apache
  • React

💡 Helps choose attack method

25. Screenshot all websites

cat clean_subs.txt | httpx -screenshot

👉 Visual recon 📸 💡 Faster than opening 100 tabs

🧪 PART 9: Vulnerability Signals

26. Find potential open redirects

cat urls.txt | grep "redirect="

👉 Common vulnerability pattern

27. Find SSRF candidates

cat urls.txt | grep "url="

👉 URLs that fetch external resources 💡 SSRF = high impact bug

28. Find LFI (Local File Inclusion) patterns

cat urls.txt | grep "file="

👉 Example:

page.php?file=home

💡 Can expose system files

🚀 PART 10: Automation & Speed Hacks

29. Run multiple recon tools together

(subfinder -d example.com; assetfinder example.com) | sort -u

👉 Combines tools for better results

30. Save everything with timestamp (pro move ⏱️)

subfinder -d example.com > subs_$(date +%F).txt

👉 Output:

subs_2026-04-28.txt

💡 Keeps your work organized like a pro

⚠️ Common Mistakes Beginners Make

  • ❌ Running tools without understanding output
  • ❌ Not saving results
  • ❌ Scanning random sites (illegal 🚫)
  • ❌ Ignoring small findings

🧪 Practice Safely

Use platforms like:

  • TryHackMe
  • Hack The Box

Or your own test environment

🧠 Big Picture (What You Just Built)

You now have:

  • 🔎 Discovery tools
  • 🌐 URL collectors
  • 🧪 Vulnerability filters
  • ⚡ Automation pipelines
  • 📊 Data organization tricks

👉 This is not just commands… This is a complete recon system

🎯 Final Thought

At first glance, these look like random commands. But together?

They behave like a cybersecurity assembly line 🏭 Input a domain → Output potential vulnerabilities.

"Great pentesters don't work harder… they let the terminal do the heavy lifting."