Vulnerability Hunting

Turn your service and web inventory into a prioritized list of likely vulnerabilities, at scale.

By now you have a full inventory: services with versions, live web apps with fingerprinted technologies, and discovered content. Hunting is where you work through that inventory for known weaknesses — fast, broad, and automated first, then manual verification.

This is identification, not exploitation. The output is a list of probable findings, each of which you then confirm by hand (see Evidence & Reporting). Automated scanners produce false positives, so never report a finding you haven’t reproduced.

The hunting passes

  1. Automated scanning with nuclei — template-driven checks for CVEs, misconfigurations, exposures, and default credentials across every web service at once.
  2. Known exploits with searchsploit — map your nmap service versions to public exploits.
  3. Subdomain takeover — find dangling DNS records pointing at unclaimed cloud resources.

Order of operations

Run the cheap, broad passes first to triage, then go deep on what they flag:

nuclei (broad) ──┐
searchsploit ────┼──▶ triaged candidate findings ──▶ manual verification ──▶ report
takeover checks ─┘

Then pivot to manual, application-specific testing on the high-value targets the recon screenshots surfaced — login panels, admin consoles, APIs. Automation finds the easy 80%; the findings that actually matter usually come out of the manual 20%.

Stay in scope, stay polite

Hunting is the loudest phase — nuclei alone can fire thousands of requests per host. Re-read your rules of engagement: honor rate limits (nuclei -rl), keep intrusive templates off fragile production, and never run exploitation modules without explicit authorization.
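The pipeline sketched in the diagram above, plus the scope rule from this section, as one added Python example (not part of the original page or of any of the tools it names): normalize constructed stand-ins for nuclei, searchsploit and takeover output into one candidate list, apply the scope allow-list both before scanning and again on the findings, deduplicate repeated hits, rank by severity, and let only hand-verified candidates reach the report. The field names in the nuclei and searchsploit inputs are assumptions, the `placeholder-*` and `.invalid` identifiers are constructed, and the provisional "medium" severity for version-match leads is a triage choice, not a tool default.

```python
"""Triage the three hunting passes into one in-scope, deduplicated, ranked list,
and gate the report on manual verification. Added example; inputs are constructed."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass(frozen=True)
class Candidate:
    host: str        # bare hostname
    source: str      # which pass produced it: nuclei, searchsploit, takeover
    finding_id: str  # nuclei template id, Exploit-DB id, or "dangling-cname"
    severity: str    # critical / high / medium / low / info
    detail: str


def in_scope(host, scope):
    """True if host is a scoped domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in scope)


def scope_targets(hosts, scope):
    """Apply the allow-list BEFORE scanning: an out-of-scope host never receives a request."""
    return [h for h in hosts if in_scope(h, scope)]


def from_nuclei(records):
    # Assumed shape of nuclei JSONL records: template-id, host, info.severity, info.name.
    out = []
    for r in records:
        host = r["host"].split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        out.append(Candidate(host, "nuclei", r["template-id"], r["info"]["severity"], r["info"]["name"]))
    return out


def from_searchsploit(hits):
    # A version match is only a lead, so it enters triage as "medium" until reproduced by hand.
    return [Candidate(h["host"], "searchsploit", h["edb_id"], "medium", f"{h['service']}: {h['title']}") for h in hits]


def from_takeover(dangling):
    return [Candidate(d["host"], "takeover", "dangling-cname", "high", f"CNAME -> {d['target']} (NXDOMAIN)") for d in dangling]


def triage(candidates, scope):
    """Drop out-of-scope hosts (scanners can end up on them via redirects), dedupe
    repeated hits of the same check on the same host, and rank by severity."""
    seen, kept = set(), []
    for c in candidates:
        key = (c.host, c.finding_id)
        if not in_scope(c.host, scope) or key in seen:
            continue
        seen.add(key)
        kept.append(c)
    return sorted(kept, key=lambda c: (SEVERITY_RANK.get(c.severity, 99), c.host, c.finding_id))


def reportable(triaged, verified):
    """Only candidates reproduced by hand (their (host, finding_id) is in `verified`) reach the report."""
    return [c for c in triaged if (c.host, c.finding_id) in verified]


# --- Constructed sample data (not real scan output) ---
SCOPE = ["example.com"]
INVENTORY = ["app.example.com", "mail.example.com", "old.example.com", "admin.other-corp.invalid"]
NUCLEI = [
    {"template-id": "placeholder-cve-check", "host": "https://app.example.com", "info": {"severity": "critical", "name": "placeholder CVE template"}},
    {"template-id": "placeholder-cve-check", "host": "https://app.example.com:443/", "info": {"severity": "critical", "name": "placeholder CVE template"}},
    {"template-id": "tech-detect", "host": "https://app.example.com", "info": {"severity": "info", "name": "Technology detection"}},
    {"template-id": "exposed-panel", "host": "https://admin.other-corp.invalid", "info": {"severity": "medium", "name": "Exposed panel"}},
]
SEARCHSPLOIT = [{"host": "mail.example.com", "service": "placeholder-mta 1.0", "edb_id": "EDB-PLACEHOLDER", "title": "placeholder exploit title"}]
TAKEOVER = [{"host": "old.example.com", "target": "old-site.pages.example-host.invalid"}]


def run():
    targets = scope_targets(INVENTORY, SCOPE)
    candidates = from_nuclei(NUCLEI) + from_searchsploit(SEARCHSPLOIT) + from_takeover(TAKEOVER)
    triaged = triage(candidates, SCOPE)
    verified = {("app.example.com", "placeholder-cve-check")}  # what you reproduced by hand
    return targets, triaged, reportable(triaged, verified)


if __name__ == "__main__":
    for c in run()[1]:
        print(f"{c.severity:8} {c.host:22} {c.source:12} {c.finding_id}")
```

The `verified` set is the hand-off point to Evidence & Reporting: a candidate moves into it only once you have reproduced it, so an unconfirmed scanner hit can never leak into the report by accident.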

Start with nuclei.


Automated Scanning with Nuclei

Run template-based vulnerability checks across every web service to surface CVEs, misconfigurations, and exposures fast.

Known Exploits with SearchSploit

Map the service versions you found to public exploits in Exploit-DB.

Subdomain Takeover

Find dangling DNS records pointing at unclaimed cloud resources you can hijack.
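The takeover pass starts from the same first-pass signal a defender uses to clean up their own zone: a CNAME whose target no longer exists. This added Python example (not code from the page or from any tool it names) follows each host's CNAME chain against a constructed zone through an injected resolver, so it runs offline; the `.invalid` names and the zone table are made up, and `NXDomain`, `make_resolver` and `check_dangling` are names chosen here.

```python
"""Dangling-CNAME check: follow each host's CNAME chain and flag records whose
target no longer exists (NXDOMAIN) or that loop. Added example with an injected
resolver and a constructed zone so it runs offline."""


class NXDomain(Exception):
    """Raised by the resolver when a name does not exist at all."""


def make_resolver(zone):
    """Build resolve(name, rtype) from a constructed name -> {"CNAME": str} / {"A": [...]} table.
    Names missing from the table raise NXDomain; names present without the requested type return None."""
    def resolve(name, rtype):
        name = name.lower().rstrip(".")
        if name not in zone:
            raise NXDomain(name)
        return zone[name].get(rtype)
    return resolve


def check_dangling(hostnames, resolve, max_chain=8):
    """Return one finding per host whose CNAME chain ends in NXDOMAIN (dangling)
    or never terminates (loop). Hosts with no CNAME, hosts that do not exist at all,
    and chains ending at an existing name produce nothing."""
    findings = []
    for host in hostnames:
        name, chain = host, []
        for _ in range(max_chain):
            try:
                target = resolve(name, "CNAME")
            except NXDomain:
                if chain:  # the host itself exists; a target further down the chain does not
                    findings.append({"host": host, "target": name, "chain": chain, "reason": "nxdomain"})
                break
            if target is None:
                break  # reached a name that exists and is not an alias: not dangling
            chain.append(target)
            name = target
        else:
            findings.append({"host": host, "target": name, "chain": chain, "reason": "cname-loop"})
    return findings


# Constructed zone data (RFC 2606 .invalid names); not real DNS.
ZONE = {
    "www.example.com": {"A": ["192.0.2.10"]},
    "shop.example.com": {"CNAME": "shop-lb.example.com"},
    "shop-lb.example.com": {"A": ["192.0.2.20"]},
    "blog.example.com": {"CNAME": "old-blog.pages.example-host.invalid"},  # target was deleted
    "loop-a.example.com": {"CNAME": "loop-b.example.com"},
    "loop-b.example.com": {"CNAME": "loop-a.example.com"},
}
HOSTS = ["www.example.com", "shop.example.com", "blog.example.com", "gone.example.com", "loop-a.example.com"]


def run():
    return check_dangling(HOSTS, make_resolver(ZONE))


if __name__ == "__main__":
    for f in run():
        print(f"{f['host']}: {f['reason']} via {' -> '.join(f['chain'])}")
```

For live use, replace `resolve` with a thin wrapper around a real resolver; with dnspython, `dns.resolver.resolve(name, "CNAME")` raises `dns.resolver.NXDOMAIN` for a missing name and `dns.resolver.NoAnswer` when the name exists without a CNAME, which map onto `NXDomain` and `None` here. An NXDOMAIN target is only the cheap first signal; whether a target that still resolves is actually unclaimed at its provider is the subpage's job, and either way the remediation is the same: delete or repoint the stale record.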

Last modified July 4, 2026: Post/mobi (#71) (ff64902)