Rabi Kishan Rauniyar (@07iamravi)

Thursday, February 19, 2026

Bug Hunting: Live Host Discovery - Complete Guide 2026

💻 Part 3: Live Host Discovery & Port Scanning

Find active hosts and open ports in your target infrastructure

⚠️ Only test domains you own or have permission to test

📌 What is Live Host Discovery?
After gathering subdomains and IPs in the earlier phases, the next step is to find which of them actually answer and what services they expose. This phase separates live hosts from dead or parked names, so that screenshots, content discovery and vulnerability scanning later on only run against targets that are really up.
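Before any of the probes below run, it pays to gate the input lists on the program's scope rather than trusting that every name from subdomain enumeration is fair game. The following script is an added example written for this guide, not the author's code: it keeps only hosts that fall under an allow-listed domain or IPv4 CIDR, using plain POSIX sh so it can sit in front of any tool in the pipeline. The scope entries, hostnames and addresses in it are constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Scope gate for the host lists fed to httpx/nmap/masscan.
# Added example for this guide (not the author's code). The scope
# entries, hostnames and IPs below are constructed for the demo.
set -eu

# Constructed scope list: one entry per line, either a domain
# (matches itself and every subdomain) or an IPv4 CIDR block.
SCOPE="example.com
203.0.113.0/24
198.51.100.8/29"

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer,
# fails (exit 1) on anything that is not a clean dotted quad.
ip4_to_int() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    # reject empty octets and leading zeros (octal ambiguity), then range-check
    case "$_o" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
    [ "$_o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 when IP lies inside the CIDR block.
in_cidr() {
  _net=${2%/*}; _bits=${2#*/}
  case "$_bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$_bits" -le 32 ] || return 1
  _ipn=$(ip4_to_int "$1") || return 1
  _netn=$(ip4_to_int "$_net") || return 1
  [ "$_bits" -eq 0 ] && return 0        # /0 matches everything; avoids a 32-bit shift
  _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
  [ $(( _ipn & _mask )) -eq $(( _netn & _mask )) ]
}

# in_scope HOST -> exit 0 when HOST (domain name or IPv4) is covered by SCOPE.
# Domain entries match exactly or as a parent of HOST, so "notexample.com"
# does not match the entry "example.com".
in_scope() {
  _host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  _host=${_host%.}                        # strip trailing dot from DNS-style names
  while IFS= read -r _entry; do
    [ -n "$_entry" ] || continue
    case "$_entry" in
      */*)                                # CIDR entry: only IPv4 hosts can match
        in_cidr "$_host" "$_entry" && return 0 ;;
      *)                                  # domain entry: exact or subdomain match
        case "$_host" in "$_entry"|*".$_entry") return 0 ;; esac ;;
    esac
  done <<EOF
$SCOPE
EOF
  return 1
}

# filter_scope: reads hostnames/IPs on stdin, prints only the in-scope ones.
filter_scope() {
  while IFS= read -r _h; do
    [ -n "$_h" ] || continue
    if in_scope "$_h"; then printf '%s\n' "$_h"; fi
  done
}

# Demo on a constructed candidate list; in practice pipe subdomains.txt
# or ips.txt through filter_scope before handing them to httpx/nmap/masscan.
printf 'api.example.com\nnotexample.com\n203.0.113.77\n198.51.100.16\n' | filter_scope
```

Run it as `cat subdomains.txt ips.txt | sh scope.sh > targets.txt` (filename assumed) after replacing SCOPE with the program's real scope list. The suffix check deliberately requires a leading dot, and the CIDR check refuses malformed octets, so a stray "notexample.com" or "256.1.1.1" in the enumeration output never reaches the scanners.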

🔌 Common Ports to Scan

80 - HTTP
443 - HTTPS
21 - FTP
22 - SSH
25 - SMTP
53 - DNS
3306 - MySQL
5432 - PostgreSQL
27017 - MongoDB
6379 - Redis
8080 - HTTP-Alt
8443 - HTTPS-Alt
8000 - HTTP-Alt
8888 - HTTP-Alt
9090 - Prometheus
9200 - Elasticsearch

🌐 HTTP Probing with HTTPX

HTTPX - Basic Probe
cat subdomains.txt | httpx -ports 80,443,8080,8000,8443,8888 -threads 200 -o alive.txt
Basic probe for live hosts on common ports; for each host:port httpx tries HTTPS first and falls back to HTTP, writing every responding URL to alive.txt
HTTPX - With Details
cat subdomains.txt | httpx -sc -title -server -td -ports 80,443,8080,8000,8888 -threads 200 -o alive_with_details.txt
Probe with status codes (-sc), page titles, the Server header and technology detection (-td)
HTTPX - IP Probe
cat ips.txt | httpx -ports 80,443,8080,8443 -threads 200 -o web_servers.txt
Check which IPs have web servers running
HTTPX - All Ports
cat subdomains.txt | httpx -ports 80,81,443,591,2082,2087,2095,2096,3000,8000,8001,8008,8080,8083,8443,8834,8888 -threads 200
Extended port list for thorough checking (no -o here, so results go to stdout; add -o to save them)

🔍 Nmap Scanning Techniques

Nmap - Quick Scan
nmap -iL ips.txt -p80,443,22,21,25,3306,5432,8080 --open -oG quick_scan.txt
Quick scan of common ports, listing only hosts with at least one open port (--open). Nmap pings hosts before scanning; if the target drops ping probes, add -Pn so live hosts are not skipped as down
Nmap - Service Version
nmap -iL ips.txt -p- --min-rate=1000 -sV -oN full_scan.txt
Full 65535-port scan with service version detection. --min-rate=1000 keeps it from taking hours but makes it noisy; lower or drop it on sensitive targets
Nmap - Script Scan
nmap -iL ips.txt -p80,443 --script=http-enum,http-title,http-server-header -oN web_scan.txt
Web-specific Nmap scripts for enumeration

⚡ Masscan - Ultra Fast Scanning

Masscan - Basic
masscan -iL ips.txt -p80,443,22,21,25,3306,5432,8080 --rate=1000 -oJ masscan.json
Fast SYN scan of the listed ports. masscan needs root (raw sockets); --rate=1000 packets per second is a conservative setting. The "entire internet in minutes" figure applies at millions of packets per second on dedicated hardware, not at this rate
Masscan - CIDR Range
masscan 192.168.1.0/24 -p1-65535 --rate=1000 -oG masscan.gnmap
Scan a whole CIDR range on all 65535 ports, saving nmap-style grepable output so the same parsing works for both tools

📸 Visual Reconnaissance

Aquatone - Basic
cat alive.txt | aquatone -out screenshots
Take screenshots of all live websites
Aquatone - Custom Ports
cat alive.txt | aquatone -ports 80,443,8000,8080,8443 -out screenshots
Screenshot with custom port list
EyeWitness
eyewitness -f alive.txt --web -d eyewitness_report
Alternative screenshot tool that also writes a browsable HTML report

🎯 Advanced Probing

Naabu + HTTPX Pipeline
naabu -list subdomains.txt -top-ports 1000 -silent | httpx -sc -title -server -td
Port scan the top 1000 ports with naabu, then HTTP-probe only the open ones, in a single pipeline
RustScan + Nmap
rustscan -a ips.txt -- -A -sC
Ultra-fast port scanner that hands the open ports to Nmap; -A already includes default scripts, so -sC is redundant here
TLS/SSL Probe
cat alive.txt | tlsx -san -cn -silent -o tls_info.txt
Extract certificate Subject Alternative Names and Common Names; SANs often reveal extra hostnames worth feeding back into the subdomain list (check they are in scope first)

📊 Processing & Analysis

Extract IPs from Nmap
grep "open" nmap_results.gnmap | cut -d' ' -f2 | sort -u > live_ips.txt
Extract live IPs from Nmap grepable output (the IP is field 2 of each "Host:" line; grep keeps the lines that mention an open port)
Generate Report
echo "Live Hosts: $(wc -l < alive.txt)" > report.txt; echo "Open Ports: $(grep -c open nmap_results.txt)" >> report.txt
Simple statistics about your scan; point the filenames at the outputs of the scans above (e.g. quick_scan.txt, full_scan.txt). In -oN output grep -c counts one line per open port

📦 Installation Commands

# Install Go tools (naabu needs libpcap headers to build: sudo apt install libpcap-dev)
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
go install -v github.com/projectdiscovery/tlsx/cmd/tlsx@latest

# Install with apt (package names as on Kali; if your distribution does not package aquatone, use the release binary from github.com/michenriksen/aquatone)
sudo apt update
sudo apt install nmap masscan aquatone eyewitness -y

# Install RustScan (latest .deb from GitHub releases)
curl -s https://api.github.com/repos/RustScan/RustScan/releases/latest | grep "browser_download_url.*amd64.deb" | cut -d '"' -f 4 | wget -qi -
sudo dpkg -i rustscan*.deb

💡 Pro Tips

  • ✓ Use masscan for large IP ranges, nmap for detailed scans
  • ✓ Scan from a VPS with good bandwidth for faster results, but check that the provider's terms and the program's rules allow scanning from it
  • ✓ Save screenshots - they help quickly identify interesting targets
  • ✓ Check for non-standard ports (like 8080, 8443) - they often host dev/staging
  • ✓ Rate-limit your scans (masscan --rate, nmap --max-rate, httpx -rl) so you stay inside the program's limits and don't degrade the target; it also keeps IDS/IPS noise down

⚡ Scan Speed Comparison

Tool      Speed                                  Best For
Masscan   Ultra fast (millions of packets/sec)   Large IP ranges, internet-wide scans
RustScan  Very fast                              Quick port discovery
Naabu     Fast                                   Integration with HTTPX
Nmap      Slow but thorough                      Detailed service enumeration