๐ About โข ๐ How does it work โข ๐๏ธ Installation โข โ๏ธ Usage โข ๐ Examples โข ๐ค Contributing
Vuln-Hunter is an automated workflow that utilizes existing community tools for web assessment. It's designed to streamline the process of scanning domains and hosts for vulnerabilities and misconfigurations, making it particularly useful for bug bounty and pentesting engagements.
While there are many tools available in the community, it is crucial to choose those that can be adjusted to each assessor's preference. This is why Nuclei by ProjectDiscovery is a top choice. Each pentester can create custom templates that fit their style using a simple YAML-based DSL.
The workflow of Vuln-Hunter is engineered to maximize efficiency by leveraging multi-threading. This approach significantly enhances the speed and effectiveness of the vulnerability hunting process. Below is an illustrative diagram demonstrating the workflow:
This diagram highlights the interconnected nature of the tools and processes within Vuln-Hunter, ensuring that each stage of the vulnerability assessment is conducted thoroughly yet swiftly. By optimizing the use of each tool, Vuln-Hunter provides a comprehensive and streamlined experience for identifying potential vulnerabilities in domains and hosts.
- The effectiveness of scans depends on the templates used. Some community templates can be found at Nuclei-Fuzzing Templates. However, it is often better to create your own to fit your style.
- Subfinder is highly effective, especially when augmented with additional sources (API keys), such as SecurityTrails.
- The workflow enables multi-threading for higher efficiency. Please choose the number of threads wisely.
Before using Vuln-Hunter, ensure the following tools are installed on your system:
Install these dependencies with the following commands:
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
git clone https://github.com/projectdiscovery/fuzzing-templates.git
mv fuzzing-templates $HOME/.local/nuclei-templates/
go install github.com/projectdiscovery/katana/cmd/katana@latest
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
git clone https://github.com/devanshbatham/paramspider
cd paramspider && pip install .
sudo apt update && sudo apt install -y feroxbuster
#NOTE: Ensure your Go bin directory is included in your system's PATH. If it's not already set, temporarily add it with:
export PATH=$PATH:$HOME/go/binTo use Vuln-Hunter, run the script with the desired options. Below is the table of options for easy reference:
| Option | Description |
|---|---|
-d, --domain |
Specify a single domain for scanning. |
-l, --domain_list |
Specify a file containing a list of domains (one per line). |
--fuzzing |
Perform Nuclei fuzzing scan. |
--complete |
Perform both basic and fuzzing scans. |
--paramspider |
Use ParamSpider for parameterized URL discovery (default is Katana). |
--nobasic |
Disable Nuclei basic scan. |
-cs, --concurrentscans |
Specify the number of concurrent scans (default is 2). |
-t, --timeout |
Set a timeout for each scan in minutes (default is 30 minutes). |
--silent |
Run scans in silent mode. |
--techdetect |
Run a technology detection scan on the target. |
--allparams |
Use both Katana and ParamSpider for URL extraction and merging. |
--nobrute |
disable directory bruteforcing feature. |
Example usage:
python vuln-hunter.py [options]These examples showcase the versatility of Vuln-Hunter and how it can be utilized for various scanning scenarios:
1- Scan a single domain with a basic scan (no fuzzing or tech-detect):
python vuln-hunter.py -d example.com2- Scan multiple domains from a file with fuzzing scan only (no basic):
python vuln-hunter.py -l domains.txt --fuzzing3- Run scans in silent mode for a single domain with a timeout of 15 minutes:
python vuln-hunter.py -d example.com --silent -t 154- Run a complete scan with technology detection wihtout brute forcing:
python vuln-hunter.py -d example.com --complete --techdetect --nobrute5- Using both Katana and ParamSpider for URL extraction:
python vuln-hunter.py -d example.com --fuzzing --allparams6- Comprehensive scanning of a list of domains with directory bruteforcing, techdetect, fuzzing, basic scans, and simultaneous usage of ParamSpider and Katana (Warning: This can be time-consuming):
python vuln-hunter.py -l domains.txt --complete --allparams --techdetect -cs 4 -t 157- Perform a basic scan with a custom number of concurrent scans:
python vuln-hunter.py -l domains.txt -cs 58- Run a silent, fuzzing-only scan for a list of domains with extended timeout:
python vuln-hunter.py -l domains.txt --fuzzing --silent -t 609- Execute a basic scan with technology detection on a single domain:
python vuln-hunter.py -d example.com --nobasic --techdetect10- Run a full scan (basic, fuzzing, tech-detect) on a single domain with a custom timeout:
python vuln-hunter.py -d example.com --complete -t 20Vuln-Hunter is a synthesis of several powerful tools developed by the cybersecurity community. The efficacy and utility of Vuln-Hunter are a testament to the ingenuity and hard work of the developers behind these individual tools. It's highly encouraged to visit their repositories to understand the depth of their contributions:
This workflow is developed as a contribution to the cybersecurity community. If you wish to contribute, enhance, or fork the project for your purposes, you are more than welcome to do so. Any contributions that improve the tool or extend its capabilities are greatly appreciated.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent