BCHackTool is a comprehensive, professional-grade penetration testing framework designed for security researchers, bug bounty hunters, and penetration testers. Built with bash, it orchestrates multiple industry-standard security tools into a streamlined, automated workflow.
- Modern UI/UX - Emoji-rich interface with real-time vulnerability display
- Parallel Scanning - 10x faster with concurrent tool execution
- Smart Targeting - Intelligent subdomain enumeration and service discovery
- Deep Vulnerability Scanning - Live detailed findings with Nuclei (9000+ templates)
- Professional Reports - Clean TXT reports with human-readable vulnerability findings
- Resume Capability - Continue interrupted scans automatically
- Notifications - Real-time alerts via Telegram/Discord/Slack
- Modular Architecture - Easy to extend and customize
Emoji-rich interface with real-time vulnerability display and clean visual hierarchy!
Features:
- Emoji Navigation - Intuitive menu system with visual indicators
- Real-time Vulnerability Display - Live detailed findings as Nuclei discovers them
- Color-coded Severity - Instant visual feedback (🔴 Critical, 🟠 High, 🟡 Medium, 🟢 Low, ℹ️ Info)
- Clean Spacing Design - No box-drawing characters for universal terminal compatibility
- Clean TXT Reports - Human-readable vulnerability reports in current directory
- Current Directory Output - All results saved in BCHackTool_Results/ folder
Live Vulnerability Display:
```
[▶] Starting vulnerability scan...
🔴 [CRITICAL] CVE-2024-1234-RCE
   └─ Target: https://demo.xooi.com/api
🟠 [HIGH] SQL Injection Found
   └─ Target: https://our.xooi.com/login
🟡 [MEDIUM] XSS Vulnerability Detected
   └─ Target: https://app.xooi.com/search
🟢 [LOW] Information Disclosure
   └─ Target: https://api.xooi.com/debug
ℹ️ [INFO] Missing Security Headers
   └─ Target: https://www.xooi.com
```
Skip the reconnaissance phase entirely and jump straight to vulnerability scanning!
```bash
# Use pre-collected subdomains
sudo bash bchacktool.sh
> 3 # Subdomain List option
Enter subdomain list file path: /path/to/subdomains.txt
Mode> ALL
```
Benefits:
- Save 30-50% scan time
- Integrate with external recon tools
- Test specific subdomains only
- Use results from previous scans
File Format:
```
example.com
www.example.com
api.example.com
mail.example.com
```
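A list collected by another tool can contain hosts outside the authorized scope, or entries that are not bare hostnames (URLs, host:port pairs, wildcards). The script below is an added example, not part of BCHackTool: it reduces a list to well-formed hostnames under the apex domains you name. `filter_scope` is a hypothetical helper and the sample hosts are constructed.

```shell
#!/bin/sh
# Added example (not BCHackTool code): scope filter for a subdomain list.
# filter_scope is a hypothetical helper; the sample hosts are constructed.

# filter_scope LIST_FILE APEX [APEX...]
# Prints, sorted and deduplicated, the entries of LIST_FILE that are bare
# hostnames equal to or below one of the authorized apex domains (given in
# lower case). Everything else is reported on stderr.
filter_scope() (
    list=$1; shift
    # One DNS label: 1-63 chars, alphanumeric at both ends, hyphens inside.
    label='[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?'
    # TLD: letters only, or a punycode (xn--) label.
    tld='([a-z]{2,63}|xn--[a-z0-9-]{1,59})'
    tr -d '\r' < "$list" | tr 'A-Z' 'a-z' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    while IFS= read -r host; do
        case $host in ''|'#'*) continue ;; esac
        # Rejects URLs, host:port pairs, wildcards, IPs and over-long names.
        if [ "${#host}" -gt 253 ] ||
           ! printf '%s\n' "$host" | grep -Eq "^(${label}\.)+${tld}\$"; then
            echo "rejected (not a bare hostname): $host" >&2
            continue
        fi
        in_scope=0
        for apex in "$@"; do
            # The leading dot matters: evilexample.com must not match example.com.
            case $host in
                "$apex"|*."$apex") in_scope=1; break ;;
            esac
        done
        if [ "$in_scope" -eq 1 ]; then
            printf '%s\n' "$host"
        else
            echo "rejected (out of scope): $host" >&2
        fi
    done | sort -u
)

# Constructed sample list, then the filtered result on stdout.
sample=$(mktemp)
cat > "$sample" <<'EOF'
example.com
API.example.com
evilexample.com
https://app.example.com/login
example.com:8443
mail.partner.test
EOF
filter_scope "$sample" example.com
rm -f "$sample"
```

Redirect the output to a new file and give that file's path at the "Enter subdomain list file path" prompt.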
Now scans ALL severity levels instead of just medium+
Before v4.0:
- Info level: Filtered
- Low level: Filtered
- Medium: Included
- High: Included
- Critical: Included
v4.0:
- Info: Version disclosure, tech stack detection
- Low: Weak headers, minor misconfigurations
- Medium: CSRF, open redirects
- High: SQL injection, XSS
- Critical: RCE, authentication bypass
Impact:
- 3-5x more findings
- Complete security picture
- Better compliance reporting
Live detailed findings as vulnerabilities are discovered
```
[▶] Starting vulnerability scan...
🔴 [CRITICAL] CVE-2024-1234-RCE
   └─ Target: https://api.example.com/admin
🟠 [HIGH] SQL Injection - Authentication Bypass
   └─ Target: https://login.example.com
🟡 [MEDIUM] Cross-Site Scripting (XSS)
   └─ Target: https://search.example.com?q=test
```
Features:
- Instant vulnerability notifications as they're found
- Detailed template identification
- Exact target URLs for each finding
- Color-coded severity for quick assessment
- No waiting for scan completion to see results
- Parallel scanning with up to 10 concurrent jobs
- Checkpoint system for resume capability
- Enhanced error handling and retry logic
- JSON structured output for all tools
- Clean TXT reports with parsed vulnerability data
- API key integration (Shodan, VirusTotal, etc.)
- Multi-platform notification support
- Detailed logging system
- 7 Parallel Subdomain Enumeration Tools
- Subfinder (Passive OSINT)
- Assetfinder (Web scraping)
- Findomain (Multi-source API)
- Wayback Machine (Archive.org)
- GAU (GetAllUrls)
- Crt.sh (Certificate logs)
- Anubis (Passive DNS)
- Fast SYN scanning with Naabu
- Top 1000 ports by default
- CDN exclusion for accurate results
- Rate limiting (300 req/sec - stealth mode)
- HTTP/HTTPS service detection
- Technology stack identification
- Status code validation
- Title extraction
- Redirect following
- Template-based detection with Nuclei v3.6+
- 9000+ vulnerability templates (updated automatically)
- CVE database integration
- Custom template support
- All severity levels (info to critical)
- Real-time detailed vulnerability display
- Live findings as they're discovered
- Clean TXT reports with:
- Vulnerability breakdown by severity
- Subdomain discovery results
- Live service inventory
- Human-readable format
- JSON output for automation
- JSONL format for streaming
- All results saved in current directory (BCHackTool_Results/)
- Telegram bot integration
- Discord webhook support
- Slack webhook support
- Scan completion alerts
- Error notifications
- Parallel tool execution (10 concurrent jobs)
- Optimized vulnerability counting (80% faster)
- Timeout management
- Resource optimization
- Stealth mode rate limiting (300 req/sec)
- Clean, efficient output (no overhead)
- Resume interrupted scans
- Checkpoint system
- API key management
- Automatic tool updates
- Template auto-updates
- Comprehensive logging
- Operating System: Linux (Ubuntu 20.04+, Debian 10+, Kali Linux)
- Root Access: Required for some tools
- Internet Connection: For tool installation and updates
```bash
# Download
git clone https://github.com/ByCh4n/BCHackTool.git
cd BCHackTool
# Run (auto-installs dependencies)
sudo bash bchacktool.sh
```
```bash
# 1. Install system dependencies
sudo apt-get update
sudo apt-get install -y git curl jq python3 perl unzip pv gcc make libpcap-dev
# 2. Install Go (if not present)
wget https://go.dev/dl/go1.22.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.22.0.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
# 3. Run BCHackTool
sudo bash bchacktool.sh
# Tools will be installed automatically on first run
```
The script automatically installs:
Go-based tools:
- subfinder
- naabu
- httpx
- nuclei
- notify
- assetfinder
- waybackurls
- gau
Binary tools:
- findomain
```bash
# Start BCHackTool
sudo bash bchacktool.sh
# Select scan type from menu
1. Single Domain Scan # Scan one domain
2. Multiple Domains # Scan domains from file
3. Subdomain List # Use pre-collected subdomains (NEW!)
4. Configure API Keys # Setup API integrations
5. Setup Notifications # Configure alerts
6. View Previous Scans # Browse scan history
T. Update Nuclei Templates # Update vulnerability templates
U. Update All Tools # Update all tools to latest
H. Help & Wiki # Detailed documentation
L. View Logs # Check error logs
0. Exit # Close tool
```
```bash
sudo bash bchacktool.sh
> 1 # Single Domain Scan
Enter target domain: example.com
Mode> ALL # Comprehensive scan
# Output:
# 247 subdomains discovered
# 89 open ports found
# 34 live web services
# 12 vulnerabilities detected
# Report: BCHackTool_Results/example_com_20260108_123456/vulnerabilities.txt
```
```bash
# Create domains.txt
echo "example.com" > domains.txt
echo "test.com" >> domains.txt
sudo bash bchacktool.sh
> 2 # Multiple Domains
Enter file path: /path/to/domains.txt
Mode> A # Web scan only
```
```bash
# Already have subdomains from external tool
cat subdomains.txt
# example.com
# www.example.com
# api.example.com
sudo bash bchacktool.sh
> 3 # Subdomain List
Enter subdomain list file path: /path/to/subdomains.txt
Mode> ALL
# Skips reconnaissance phase
# Starts directly with port scanning
```
```bash
# If scan is interrupted (Ctrl+C or network issue)
# Simply run the same scan again
sudo bash bchacktool.sh
> 1
Enter target domain: example.com
Mode> ALL
# [INFO] Checkpoint found, resuming from: web_done
# Automatically continues from last completed stage
```
All modes now use ALL Nuclei templates (9000+) for comprehensive coverage!
Mode A:
Target: Live web applications (HTTP/HTTPS only)
Input: alive.txt - Discovered live web services
Templates: ALL templates (9000+) - Nuclei intelligently filters based on target type
Best For: Bug bounty web app testing, OWASP Top 10
What runs:
- HTTP templates (XSS, SQLi, LFI, RCE, SSRF, etc.)
- SSL/TLS templates (certificate issues, misconfigurations)
- CVE templates (known vulnerabilities)
- File templates (path traversal, LFI)
- Headless templates (JavaScript-based attacks)
- WebSocket templates
- Everything else - Nuclei auto-skips irrelevant templates
Mode B:
Target: All subdomains (including non-HTTP)
Input: subdomains.txt - All discovered subdomains
Templates: ALL templates (9000+)
Best For: Infrastructure assessment, subdomain takeover hunting
What runs:
- DNS templates (subdomain takeover, DNS misconfig)
- SSL/TLS templates
- HTTP templates (if subdomain resolves to web service)
- WHOIS templates
- Everything else - Nuclei auto-skips irrelevant templates
Mode C:
Target: Non-web services and ports
Input: ports.txt - Discovered open ports (host:port format)
Templates: ALL templates (9000+)
Best For: Internal network pentesting, service misconfiguration
What runs:
- Network templates (FTP, SSH, Redis, MongoDB, SMTP)
- SSL/TLS templates
- Protocol-specific templates
- Everything else - Nuclei auto-skips irrelevant templates
Mode ALL:
Target: Everything combined (web + DNS + network)
Input: all_targets.txt - All discovered targets merged
Templates: ALL templates (9000+)
Best For: Complete security audit, maximum coverage
Includes:
- All web services from Mode A
- All subdomains from Mode B
- All open ports from Mode C
- Complete attack surface mapping
- Zero vulnerabilities missed
Don't worry about performance! Nuclei is intelligent:
```
# Example: alive.txt (https://example.com)
HTTP templates run (XSS, SQLi, etc.)
DNS templates skip (URL detected, not domain)
SSL templates run (HTTPS detected)
Network templates skip (no port specified)
# Example: subdomains.txt (example.com)
DNS templates run (domain detected)
HTTP templates run (if resolves to web)
Network templates skip (no port info)
# Example: ports.txt (example.com:22)
Network/SSH templates run (port 22 detected)
HTTP templates skip (port 22 is not web)
```
Result: All modes use 9000+ templates but only relevant ones execute!
Parallel execution - 7 tools simultaneously
| Tool | Purpose |
|---|---|
| Subfinder | Passive OSINT |
| Assetfinder | Web scraping |
| Findomain | Multi-source API |
| Wayback Machine | Archive.org history |
| GAU | URL enumeration |
| Crt.sh | Certificate transparency logs |
| Anubis | Passive DNS records |

Output: subdomains.txt (deduplicated & cleaned)
⬇️
Tool: Naabu - Fast SYN scanner
Features:
- Top 1000 ports
- CDN exclusion
- Rate limiting (300/sec - stealth mode)

Output: ports.txt (host:port format)
⬇️
Tool: Httpx - HTTP service detection
Features:
- Status code validation
- Technology detection
- Title extraction
- Redirect following

Output: alive.txt + httpx_results.json
⬇️
Tool: Nuclei - Template-based scanner
Features:
- 9000+ templates (auto-updated)
- All severity levels (info→critical) [NEW in v4.0]
- Real-time detailed vulnerability display [NEW in v4.0]
- CVE database integration
- Rate limiting (150/sec)
- Bulk processing (25 hosts)
- 25 concurrent threads

Output: nuclei_results.json (JSONL format)
⬇️
Features:
- Clean TXT report with human-readable format
- Vulnerability breakdown by severity (Nuclei findings)
- Subdomain discovery results
- Live service inventory
- Scan statistics
- Easy-to-read vulnerability descriptions with target URLs

Output: BCHackTool_Results/[target]_[timestamp]/vulnerabilities.txt (clean, human-readable format)
USER PROVIDES: subdomains.txt → Skip Stage 1 entirely → Stages 2-5 proceed normally
Time Saved: 30-50% of total scan time
~/.bchacktool/config.json
```json
{
  "api_keys": {
    "shodan": "YOUR_SHODAN_API_KEY",
    "virustotal": "YOUR_VT_API_KEY",
    "securitytrails": "YOUR_ST_API_KEY",
    "censys": "YOUR_CENSYS_API_KEY"
  },
  "notifications": {
    "telegram_bot_token": "YOUR_BOT_TOKEN",
    "telegram_chat_id": "YOUR_CHAT_ID",
    "discord_webhook": "https://discord.com/api/webhooks/...",
    "slack_webhook": "https://hooks.slack.com/services/..."
  },
  "scan_settings": {
    "max_parallel": 10,
    "timeout": 300
  }
}
```
```bash
# Method 1: From menu
sudo bash bchacktool.sh
> 4 # Configure API Keys
# Method 2: Direct edit
nano ~/.bchacktool/config.json
# Method 3: Command line
vim ~/.bchacktool/config.json
```
| Tool | Purpose | Speed | Output Quality |
|---|---|---|---|
| Subfinder | Passive OSINT | ⚡⚡⚡ | ⭐⭐⭐⭐⭐ |
| Assetfinder | Web scraping | ⚡⚡ | ⭐⭐⭐⭐ |
| Findomain | Multi-source API | ⚡⚡⚡ | ⭐⭐⭐⭐⭐ |
| Wayback | Archive history | ⚡⚡ | ⭐⭐⭐ |
| GAU | URL enumeration | ⚡⚡ | ⭐⭐⭐ |
| Crt.sh | Certificate logs | ⚡⚡⚡ | ⭐⭐⭐⭐ |
| Anubis | Passive DNS | ⚡⚡ | ⭐⭐⭐⭐ |

| Tool | Purpose | Features |
|---|---|---|
| Naabu | Port scanning | SYN scan, CDN exclusion, fast |
| Httpx | Web probing | Tech detect, titles, JSON output |
| Nuclei | Vulnerability scanning | 2500+ templates, CVE database |
```
~/.bchacktool/
├── config.json               # Configuration file
├── bchacktool.log            # Main log file
└── checkpoints/              # Resume points
    └── example_com.checkpoint

BCHackTool_Results/           # Scan results (in current directory)
└── example_com_20260108_123456/
    ├── vulnerabilities.txt   # Clean TXT report with vulnerability findings
    ├── subdomains.txt        # Discovered subdomains
    ├── ports.txt             # Open ports (host:port)
    ├── alive.txt             # Live URLs
    ├── httpx_results.json    # Web probe details
    ├── nuclei_results.json   # Vulnerabilities (JSONL - raw output)
    └── *_raw.txt             # Raw tool outputs
```
- Clean Human-Readable Format
  - Easy to read and parse
  - Saved in current directory (BCHackTool_Results/)
  - No need to open HTML in browser
- Vulnerability Breakdown
  - Grouped by severity (critical → info)
  - Clear severity labels [CRITICAL], [HIGH], [MEDIUM], [LOW], [INFO]
  - Detailed vulnerability names
  - Affected target URLs listed for each finding
- Report Header
  - Scan date and timestamp
  - Target information
  - Scan mode used
- Subdomain Inventory
  - Complete list of discovered subdomains
  - Scrollable interface (max 50 shown)
  - Quick preview
- Live Services
  - All active HTTP/HTTPS endpoints
  - Status codes
  - Page titles
  - Technology detection
- Scan Statistics
  - Scan duration
  - Tool performance metrics
  - Timestamp information
  - Powered by BCHackTool v4.0
Purpose: Enhanced subdomain discovery and service fingerprinting
Setup:
- Create account: https://account.shodan.io/
- Get API key from dashboard
- Add to config:
"shodan": "YOUR_KEY"
Benefits:
- Historical DNS data
- Service banner information
- Vulnerability correlation
Purpose: Domain reputation and malware analysis
Setup:
- Register: https://virustotal.com/gui/my-apikey
- Copy API key
- Add to config:
"virustotal": "YOUR_KEY"
Benefits:
- Subdomain discovery via passive DNS
- URL reputation checking
- Malware detection
Purpose: Historical DNS and WHOIS data
Setup:
- Sign up: https://securitytrails.com/
- Generate API key
- Add to config:
"securitytrails": "YOUR_KEY"
Benefits:
- Historical subdomain records
- DNS history
- WHOIS data
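The API keys added above sit in plaintext in ~/.bchacktool/config.json, next to the notification tokens and webhook URLs, so the file and its directory should not be readable by other local users. The check below is an added example, not BCHackTool code: `check_secret_path` and `audit_config_dir` are hypothetical helpers, and GNU `stat` (Linux) is assumed.

```shell
#!/bin/sh
# Added example (not BCHackTool code): permission audit for the config directory.
# check_secret_path and audit_config_dir are hypothetical helpers.
# Assumes GNU stat, as found on the Linux systems this page targets.

# check_secret_path PATH
# Succeeds only if PATH is a real file or directory (not a symlink) whose
# mode grants nothing to group or others. Prints one result line.
check_secret_path() {
    p=$1
    if [ -L "$p" ]; then
        echo "FAIL $p: symlink, check the real target instead"
        return 1
    fi
    if [ ! -e "$p" ]; then
        echo "FAIL $p: does not exist"
        return 1
    fi
    mode=$(stat -c '%a' "$p") || return 1
    # Octal mask 077 covers every group/other permission bit.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $p: mode $mode is open to group or others"
        return 1
    fi
    echo "OK   $p: mode $mode"
}

# audit_config_dir DIR
# Checks DIR itself and DIR/config.json; returns 1 if either check fails.
audit_config_dir() {
    dir=$1; rc=0
    check_secret_path "$dir" || rc=1
    if [ -e "$dir/config.json" ] || [ -L "$dir/config.json" ]; then
        check_secret_path "$dir/config.json" || rc=1
    fi
    return "$rc"
}

# Typical call. A finding is fixed with chmod 700 on the directory and
# chmod 600 on config.json.
if [ -d "$HOME/.bchacktool" ]; then
    audit_config_dir "$HOME/.bchacktool" || true
fi
```

Because the tool is started with sudo, run the audit against the home directory the tool actually wrote to.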
- Create Bot:
  - Open Telegram → Search @BotFather
  - Send: /newbot
  - Follow instructions
  - Copy bot token: 123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11
- Get Chat ID:
  - Start chat with your bot
  - Send any message
  - Visit: https://api.telegram.org/bot<TOKEN>/getUpdates
  - Look for: "chat":{"id":YOUR_CHAT_ID}
- Configure:
  "telegram_bot_token": "123456:ABC-DEF1234...", "telegram_chat_id": "123456789"
- Create Webhook:
  - Discord Server → Server Settings → Integrations
  - Create Webhook → Copy Webhook URL
- Configure:
  "discord_webhook": "https://discord.com/api/webhooks/..."
- Create Webhook:
  - Slack Workspace → Apps → Incoming Webhooks
  - Add to Slack → Choose channel → Copy URL
- Configure:
  "slack_webhook": "https://hooks.slack.com/services/..."
Error:
```
[✗] Root privileges required. Run: sudo bash bchacktool.sh
```
Solution:
```bash
sudo bash bchacktool.sh
```
Error:
```
go: command not found
```
Solution:
```bash
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
# Make permanent
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc
```
Error:
```
[✗] Failed to install subfinder
```
Solution:
```bash
# Manually install
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# Or update all tools
sudo bash bchacktool.sh
> U # Update All Tools
```
Issue: All reconnaissance tools return 0 results
Possible Causes:
- Network connectivity issues
- Target domain has no subdomains
- DNS resolution problems
- API rate limiting

Solution:
```bash
# Check network
ping 8.8.8.8
# Test DNS
nslookup example.com
# Try with API keys (better results)
sudo bash bchacktool.sh
> 4 # Configure API Keys
```
Issue: Nuclei runs but shows no vulnerabilities
Solution:
- This is normal if no vulnerabilities are found
- Vulnerabilities appear in real-time as they're discovered
- Wait for Nuclei to complete scanning all templates
- Check the final summary for total findings
- Press Ctrl+C to skip Nuclei if needed

Increase max_parallel for powerful systems (config.json is plain JSON, so the setting carries no inline comment):
```json
"scan_settings": {
  "max_parallel": 15
}
```
Guidelines:
- 4 CPU cores: max_parallel = 8
- 8 CPU cores: max_parallel = 15
- 16 CPU cores: max_parallel = 20
Skip reconnaissance if you already have subdomains:
```bash
# Save 30-50% scan time
sudo bash bchacktool.sh
> 3 # Subdomain List
```
Choose appropriate mode for your target:
- Web app only? → Use Mode A (faster)
- Infrastructure audit? → Use Mode B
- Complete assessment? → Use Mode ALL

Never restart from scratch:
```bash
# Interrupted scan automatically resumes
# Checkpoint system tracks progress
```
Significantly improve subdomain discovery:
```bash
# Without API keys: 50-100 subdomains
# With API keys: 200-500+ subdomains
```
Legal Use Cases:
- Bug bounty programs
- Penetration testing with written authorization
- Security research on your own assets
- Educational purposes in controlled environments
- Red team exercises with proper approval

Illegal Use Cases:
- Unauthorized scanning of third-party systems
- Scanning without permission
- Exploiting vulnerabilities you discover
- Selling vulnerability data
- Any malicious activities
UI/UX & Feature Enhancements:
- NEW: Complete UI/UX redesign with emoji-rich interface
- NEW: Real-time vulnerability display with detailed findings
- NEW: Color-coded severity indicators (🔴 Critical, 🟠 High, 🟡 Medium, 🟢 Low, ℹ️ Info)
- NEW: Clean spacing-based design for universal terminal compatibility
- NEW: Clean TXT reports with human-readable vulnerability findings
- NEW: Current directory output (BCHackTool_Results/ folder)
- NEW: Live detailed vulnerability information (template name + target URL)
- NEW: Subdomain List Input (Option 3 - Skip Recon)
- NEW: ALL scan modes now use complete Nuclei template set (9000+)
- NEW: Smart template filtering - Nuclei auto-skips irrelevant templates
- NEW: Enhanced recon tool status reporting (0 results, timeout, rate limited)
- NEW: Human-readable time format in scan headers (YYYY-MM-DD HH:MM:SS)
- NEW: Improved input handling - No more backspace issues
- NEW: Better output spacing for cleaner terminal display

Fixes & Improvements:
- FIX: Domain validation regex (now accepts all valid domains)
- FIX: Terminal compatibility issues with Unicode characters
- FIX: Nuclei template path errors (removed invalid paths)
- FIX: Anubis API endpoint updated (jldc.me → anubisdb.com)
- FIX: Go GOROOT environment detection with env -i isolation
- FIX: Naabu rate limiting (1000→300/sec for stealth mode)
- FIX: Clean/uninstall log file error
- FIX: Input field handling (read -e → read -r with xargs trim)
- FIX: Ctrl+C interrupt handling (removed duplicate messages)
- REMOVED: Nikto web scanner (focus on Nuclei)
- REMOVED: SQLMap SQL injection tool (focus on Nuclei)
- REMOVED: HTML report generation (TXT reports only)
- Optimized vulnerability counting (80% performance improvement)
- Added domain input validation with security checks
- Removed progress bar overhead (cleaner, faster output)
- Fixed Nuclei output visibility and formatting
- Parallel scanning (10 concurrent jobs)
- Checkpoint/resume system
- Enhanced error handling
- JSON structured output
- Fixed exit code 3 errors
- Improved recon stage
- Better empty file handling
- Tool auto-update feature (U key)
- Template update feature (T key)
- Main domain fallback
- Modern UI redesign
- Initial release
We welcome contributions! Here's how:
- Fork the repository
- Create a feature branch
- Make your changes
- Test thoroughly
- Submit a pull request
MIT License - Educational purposes only
- ByCh4n - Original concept and development
- Enhanced by AI assistance
- Community feedback and testing
- ProjectDiscovery team (tool creators)
- OWASP community
- Bug bounty platforms
- Security researchers worldwide
- Open source contributors
Made with ❤️ by ByCh4n
Star ⭐ this repository if you find it useful!

