To learn the ProjectDiscovery (PD) suite, it is best to follow a “Recon-to-Vulnerability” workflow.
Let’s see how data flows from broad discovery to specific security findings.
Use PD’s dedicated testing domain: chaos.projectdiscovery.io.
Phase 1: Discovery
- Finding the surface with: Subfinder
% subfinder -d projectdiscovery.io -o subdomains.txt
- Finding the doors with: Naabu
% naabu -list subdomains.txt -p 80,443,8080,8443 -o open_ports.txt
- Checking the services with: HTTPX
% httpx -list open_ports.txt -title -tech-detect -status-code
- Scanning for vulnerabilities with: Nuclei
% nuclei -ut
% nuclei -u https://testphp.vulnweb.com -severity low,medium,high,critical
Phase 2: Chaining
Let’s see the power of chaining.
The true strength of the PD suite is that it follows the UNIX philosophy: each tool reads from standard input (stdin) and writes to standard output (stdout), so we can chain the results of one tool directly into the next.
Here is a classic automation chain that goes from a domain name to a vulnerability report in one line:
% subfinder -d projectdiscovery.io | httpx -silent | nuclei -t vulnerabilities/ -severity low,medium,high,critical
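Because every name that arrives on stdin is probed by the next stage, a scope filter is a useful extra link in the chain. The following is an added example, not part of the original page or of any ProjectDiscovery tool: `scope_filter` is a hypothetical helper, and the sample hostnames are constructed. It handles hostnames and host:port lines, not IP ranges.

```bash
#!/usr/bin/env bash
# scope_filter ROOT...  (hypothetical helper, not a ProjectDiscovery tool)
# Reads host or host:port lines on stdin and prints, normalized, only those
# that equal or sit under one of the ROOT domains given as arguments.
# With no roots nothing passes, so a missing scope fails closed.
scope_filter() {
  awk -v roots="$*" '
    BEGIN {
      n = split(tolower(roots), r, " ")
      for (i = 1; i <= n; i++) allowed[r[i]] = 1
    }
    {
      raw = $0
      gsub(/^[ \t]+|[ \t\r]+$/, "", raw)      # trim spaces and CR
      if (raw == "") next
      host = tolower(raw); port = ""
      if (match(host, /:[0-9]+$/)) {          # keep a trailing :port (naabu style)
        port = substr(host, RSTART)
        host = substr(host, 1, RSTART - 1)
      }
      sub(/\.$/, "", host)                    # drop the FQDN trailing dot
      # Compare whole labels: a.b.example.com -> b.example.com -> example.com.
      # A plain suffix match would wrongly accept evilexample.com.
      for (cand = host; cand != ""; cand = substr(cand, dot + 1)) {
        if (cand in allowed) { print host port; next }
        dot = index(cand, ".")
        if (dot == 0) break
      }
      print "dropped (out of scope): " raw > "/dev/stderr"
    }
  '
}

# Constructed sample input standing in for subfinder output.
printf '%s\n' 'www.example.com' 'API.Example.com:8443' 'evilexample.com' \
  'example.com.attacker.test' 'example.com.' | scope_filter example.com

# Placement in the chain from the page:
#   subfinder -d projectdiscovery.io | scope_filter projectdiscovery.io \
#     | httpx -silent | nuclei -t vulnerabilities/ -severity low,medium,high,critical
```

Dropped names go to stderr, so they stay visible in the terminal without entering the pipe.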
Phase 3: Advanced Piping
The same chaining works for a security assessment of a local home lab network:
% naabu -host 192.168.10.0/24 -top-ports 100 -silent | httpx -sc -title | nuclei -tags exposure,misconfig
Common Tools
| Tool | Core Function | Input |
|---|---|---|
| Subfinder | Find subdomains | Root domain (example.com) |
| Naabu | Port scanning | IP address or Subdomain |
| HTTPX | Service analysis | Open ports or URLs |
| Nuclei | Vulnerability scan | Live URLs |
| Katana | Web crawling | A single starting URL |
| Dnsx | DNS resolution | List of potential subdomains |
