From 8ab9d8125274aaf44579806ad1e4f0cc7ee5432d Mon Sep 17 00:00:00 2001 From: TheTechromancer <20261699+TheTechromancer@users.noreply.github.com> Date: Sat, 16 Aug 2025 02:58:47 +0000 Subject: [PATCH] [create-pull-request] automated change --- docs/data/chord_graph/entities.json | 1148 ++++++++++++++------------- docs/data/chord_graph/rels.json | 990 ++++++++++++----------- docs/modules/list_of_modules.md | 288 +++---- docs/modules/nuclei.md | 2 +- docs/scanning/advanced.md | 27 +- docs/scanning/configuration.md | 543 ++++++------- docs/scanning/events.md | 6 +- docs/scanning/index.md | 47 +- docs/scanning/presets_list.md | 67 +- 9 files changed, 1589 insertions(+), 1529 deletions(-) diff --git a/docs/data/chord_graph/entities.json b/docs/data/chord_graph/entities.json index 39863451d5..cb995ecc93 100644 --- a/docs/data/chord_graph/entities.json +++ b/docs/data/chord_graph/entities.json @@ -23,35 +23,35 @@ ] }, { - "id": 134, + "id": 136, "name": "AZURE_TENANT", "parent": 88888888, "consumes": [ - 133 + 135 ], "produces": [] }, { - "id": 42, + "id": 43, "name": "CODE_REPOSITORY", "parent": 88888888, "consumes": [ - 61, - 81, + 62, 82, - 86, - 88, - 121, - 141 + 83, + 87, + 89, + 123, + 143 ], "produces": [ - 41, - 62, - 80, - 83, + 42, + 63, + 81, 84, - 87, - 120 + 85, + 88, + 122 ] }, { @@ -60,143 +60,143 @@ "parent": 88888888, "consumes": [ 6, - 14, - 18, - 20, + 15, + 19, 21, - 25, - 27, + 22, + 26, 28, 29, 30, - 32, + 31, 33, 34, 35, - 37, + 36, 38, 39, 40, - 43, - 48, + 41, + 44, 49, 50, 51, 52, - 54, + 53, 55, 56, 57, 58, - 60, - 66, - 78, - 83, - 85, - 91, - 95, - 102, - 105, + 59, + 61, + 67, + 79, + 84, + 86, + 93, + 97, + 104, 107, - 110, - 111, - 115, - 116, + 109, + 112, + 113, + 117, 118, - 122, - 125, - 126, + 120, + 124, 127, 128, 129, 130, - 133, - 136, - 137, + 131, + 132, + 135, 138, + 139, 140, - 144, - 147, - 148, - 151, - 155 + 142, + 146, + 149, + 150, + 153, + 157 ], "produces": [ 6, - 20, - 27, - 34, + 21, + 28, 35, - 37, + 36, 38, 39, 40, - 48, + 41, 49, - 51, - 54, + 50, + 52, 55, 56, 57, 58, 59, - 78, - 91, - 95, - 102, - 105, - 108, + 60, + 79, + 93, + 97, + 104, + 107, 110, - 111, - 115, - 122, - 125, + 112, + 113, + 117, + 124, 127, - 128, 129, - 133, + 130, + 131, 135, - 136, 137, - 140, - 144, - 145, + 138, + 139, + 142, + 146, 147, - 148, - 151, - 155 + 149, + 150, + 153, + 157 ] }, { - "id": 22, + "id": 23, "name": "DNS_NAME_UNRESOLVED", "parent": 88888888, "consumes": [ - 21, - 133, - 138 + 22, + 135, + 140 ], "produces": [] }, { - "id": 44, + "id": 45, "name": "EMAIL_ADDRESS", "parent": 88888888, "consumes": [ - 67 + 68 ], "produces": [ - 43, - 50, - 56, - 60, - 66, - 85, - 95, - 116, - 126, - 130, - 135 + 44, + 51, + 57, + 61, + 67, + 86, + 97, + 118, + 128, + 132, + 137 ] }, { @@ -204,21 +204,21 @@ "name": "FILESYSTEM", "parent": 88888888, "consumes": [ - 71, - 101, - 141, - 142 + 72, + 103, + 143, + 144 ], "produces": [ 8, - 61, - 75, - 81, + 62, + 76, 82, - 86, - 101, - 121, - 142 + 83, + 87, + 103, + 123, + 144 ] }, { @@ -226,59 +226,60 @@ "name": "FINDING", "parent": 88888888, "consumes": [ - 14, - 153 + 15, + 155 ], "produces": [ 1, - 21, - 23, - 25, + 22, + 24, 26, - 28, + 27, 29, 30, - 32, + 31, 33, - 36, - 80, - 87, + 34, + 37, + 81, + 88, 92, 94, - 103, - 106, + 96, + 105, 108, - 109, - 112, - 113, - 123, - 128, - 131, + 110, + 111, + 114, + 115, + 125, + 130, 133, - 139, + 135, 141, 143, - 154 + 145, + 156 ] }, { - "id": 98, + "id": 100, "name": "GEOLOCATION", "parent": 88888888, "consumes": [], "produces": [ - 97, - 100 + 99, + 102 ] }, { - "id": 45, + "id": 46, "name": "HASHED_PASSWORD", "parent": 88888888, "consumes": [], "produces": [ - 43, - 50 + 44, + 51 ] }, { @@ -287,27 +288,27 @@ "parent": 88888888, "consumes": [ 1, - 14, - 26, - 65, - 68, - 75, - 87, - 92, - 106, - 107, + 15, + 27, + 66, + 69, + 76, + 88, + 94, 108, - 112, - 113, + 109, + 110, 114, - 133, - 139, + 115, + 116, + 135, 141, - 150, - 154 + 143, + 152, + 156 ], "produces": [ - 93 + 95 ] }, { @@ -316,29 +317,29 @@ "parent": 88888888, "consumes": [ 11, - 14, - 97, + 15, 99, - 100, - 107, - 118, - 128, - 133 + 101, + 102, + 109, + 120, + 130, + 135 ], "produces": [ - 14, - 59, - 99, - 133 + 15, + 60, + 101, + 135 ] }, { - "id": 119, + "id": 121, "name": "IP_RANGE", "parent": 88888888, "consumes": [ - 118, - 133 + 120, + 135 ], "produces": [] }, @@ -350,147 +351,147 @@ 8 ], "produces": [ - 88 + 89 ] }, { - "id": 15, + "id": 16, "name": "OPEN_TCP_PORT", "parent": 88888888, "consumes": [ - 14, - 76, - 93, - 107, - 117, - 135 + 15, + 77, + 95, + 109, + 119, + 137 ], "produces": [ - 14, - 118, - 128, - 133 + 15, + 120, + 130, + 135 ] }, { - "id": 63, + "id": 64, "name": "ORG_STUB", "parent": 88888888, "consumes": [ - 62, - 84, - 88, - 120 + 63, + 85, + 89, + 122 ], "produces": [ - 133 + 135 ] }, { - "id": 46, + "id": 47, "name": "PASSWORD", "parent": 88888888, "consumes": [], "produces": [ - 43, - 50 + 44, + 51 ] }, { - "id": 77, + "id": 78, "name": "PROTOCOL", "parent": 88888888, "consumes": [ - 104, - 107 + 106, + 109 ], "produces": [ - 76 + 77 ] }, { - "id": 53, + "id": 54, "name": "RAW_DNS_RECORD", "parent": 88888888, "consumes": [], "produces": [ - 52, - 59, - 60 + 53, + 60, + 61 ] }, { - "id": 69, + "id": 70, "name": "RAW_TEXT", "parent": 88888888, "consumes": [ - 68, - 141 + 69, + 143 ], "produces": [ - 71 + 72 ] }, { - "id": 64, + "id": 65, "name": "SOCIAL", "parent": 88888888, "consumes": [ - 62, - 84, - 87, - 89, - 120, - 133 + 63, + 85, + 88, + 90, + 122, + 135 ], "produces": [ - 62, - 85, - 87, - 132 + 63, + 86, + 88, + 134 ] }, { - "id": 24, + "id": 25, "name": "STORAGE_BUCKET", "parent": 88888888, "consumes": [ - 23, - 28, + 24, 29, 30, 31, 32, 33, - 133 + 34, + 135 ], "produces": [ - 28, 29, 30, - 32, - 33 + 31, + 33, + 34 ] }, { - "id": 16, + "id": 17, "name": "TECHNOLOGY", "parent": 88888888, "consumes": [ - 14, - 87, - 153, - 154 + 15, + 88, + 155, + 156 ], "produces": [ - 26, - 65, - 87, - 89, - 109, - 128, - 150, - 154 + 27, + 66, + 88, + 90, + 111, + 130, + 152, + 156 ] }, { @@ -500,98 +501,100 @@ "consumes": [ 1, 14, - 23, - 36, - 72, - 79, - 80, - 89, - 93, - 96, - 103, - 108, - 109, - 117, - 124, - 131, + 15, + 24, + 37, + 73, + 80, + 81, + 90, + 92, + 95, + 98, + 105, + 110, + 111, + 119, + 126, 133, - 139, - 143, + 135, + 141, 145, - 149, - 153 + 147, + 151, + 155 ], "produces": [ - 89, - 93 + 90, + 95 ] }, { - "id": 74, + "id": 75, "name": "URL_HINT", "parent": 88888888, "consumes": [ - 73 + 74 ], "produces": [ - 96 + 98 ] }, { - "id": 19, + "id": 20, "name": "URL_UNVERIFIED", "parent": 88888888, "consumes": [ - 41, - 75, - 93, - 110, - 117, - 132, - 133 + 42, + 76, + 95, + 112, + 119, + 134, + 135 ], "produces": [ - 18, - 27, - 31, - 52, - 56, - 60, - 62, - 68, - 72, + 19, + 28, + 32, + 53, + 57, + 61, + 63, + 69, 73, - 83, - 89, - 95, - 124, + 74, + 84, + 90, + 97, 126, - 144, - 151, - 154 + 128, + 146, + 153, + 156 ] }, { - "id": 47, + "id": 48, "name": "USERNAME", "parent": 88888888, "consumes": [ - 133 + 135 ], "produces": [ - 43, - 50 + 44, + 51 ] }, { - "id": 146, + "id": 148, "name": "VHOST", "parent": 88888888, "consumes": [ - 153 + 155 ], "produces": [ - 145 + 147 ] }, { @@ -599,64 +602,65 @@ "name": "VULNERABILITY", "parent": 88888888, "consumes": [ - 14, - 153 + 15, + 155 ], "produces": [ 1, - 21, - 23, - 25, + 14, + 22, + 24, 26, - 65, - 79, - 103, - 104, - 109, - 128, - 139, + 27, + 66, + 80, + 105, + 106, + 111, + 130, 141, - 154 + 143, + 156 ] }, { - "id": 17, + "id": 18, "name": "WAF", "parent": 88888888, "consumes": [ - 14 + 15 ], "produces": [ - 149 + 151 ] }, { - "id": 90, + "id": 91, "name": "WEBSCREENSHOT", "parent": 88888888, "consumes": [], "produces": [ - 89 + 90 ] }, { - "id": 70, + "id": 71, "name": "WEB_PARAMETER", "parent": 88888888, "consumes": [ - 94, - 103, - 112, - 113, + 96, + 105, 114, - 123, - 152 + 115, + 116, + 125, + 154 ], "produces": [ - 68, - 112, - 113, - 114 + 69, + 114, + 115, + 116 ] }, { @@ -707,6 +711,17 @@ }, { "id": 14, + "name": "aspnet_bin_exposure", + "parent": 99999999, + "consumes": [ + 3 + ], + "produces": [ + 5 + ] + }, + { + "id": 15, "name": "asset_inventory", "parent": 99999999, "consumes": [ @@ -714,30 +729,30 @@ 4, 2, 12, - 15, 16, + 17, 3, 5, - 17 + 18 ], "produces": [ 12, - 15 + 16 ] }, { - "id": 18, + "id": 19, "name": "azure_realm", "parent": 99999999, "consumes": [ 7 ], "produces": [ - 19 + 20 ] }, { - "id": 20, + "id": 21, "name": "azure_tenant", "parent": 99999999, "consumes": [ @@ -748,12 +763,12 @@ ] }, { - "id": 21, + "id": 22, "name": "baddns", "parent": 99999999, "consumes": [ 7, - 22 + 23 ], "produces": [ 4, @@ -761,11 +776,11 @@ ] }, { - "id": 23, + "id": 24, "name": "baddns_direct", "parent": 99999999, "consumes": [ - 24, + 25, 3 ], "produces": [ @@ -774,7 +789,7 @@ ] }, { - "id": 25, + "id": 26, "name": "baddns_zone", "parent": 99999999, "consumes": [ @@ -786,7 +801,7 @@ ] }, { - "id": 26, + "id": 27, "name": "badsecrets", "parent": 99999999, "consumes": [ @@ -794,12 +809,12 @@ ], "produces": [ 4, - 16, + 17, 5 ] }, { - "id": 27, + "id": 28, "name": "bevigil", "parent": 99999999, "consumes": [ @@ -807,87 +822,87 @@ ], "produces": [ 7, - 19 + 20 ] }, { - "id": 28, + "id": 29, "name": "bucket_amazon", "parent": 99999999, "consumes": [ 7, - 24 + 25 ], "produces": [ 4, - 24 + 25 ] }, { - "id": 29, + "id": 30, "name": "bucket_azure", "parent": 99999999, "consumes": [ 7, - 24 + 25 ], "produces": [ 4, - 24 + 25 ] }, { - "id": 30, + "id": 31, "name": "bucket_digitalocean", "parent": 99999999, "consumes": [ 7, - 24 + 25 ], "produces": [ 4, - 24 + 25 ] }, { - "id": 31, + "id": 32, "name": "bucket_file_enum", "parent": 99999999, "consumes": [ - 24 + 25 ], "produces": [ - 19 + 20 ] }, { - "id": 32, + "id": 33, "name": "bucket_firebase", "parent": 99999999, "consumes": [ 7, - 24 + 25 ], "produces": [ 4, - 24 + 25 ] }, { - "id": 33, + "id": 34, "name": "bucket_google", "parent": 99999999, "consumes": [ 7, - 24 + 25 ], "produces": [ 4, - 24 + 25 ] }, { - "id": 34, + "id": 35, "name": "bufferoverrun", "parent": 99999999, "consumes": [ @@ -898,7 +913,7 @@ ] }, { - "id": 35, + "id": 36, "name": "builtwith", "parent": 99999999, "consumes": [ @@ -909,7 +924,7 @@ ] }, { - "id": 36, + "id": 37, "name": "bypass403", "parent": 99999999, "consumes": [ @@ -920,7 +935,7 @@ ] }, { - "id": 37, + "id": 38, "name": "c99", "parent": 99999999, "consumes": [ @@ -931,7 +946,7 @@ ] }, { - "id": 38, + "id": 39, "name": "censys", "parent": 99999999, "consumes": [ @@ -942,7 +957,7 @@ ] }, { - "id": 39, + "id": 40, "name": "certspotter", "parent": 99999999, "consumes": [ @@ -953,7 +968,7 @@ ] }, { - "id": 40, + "id": 41, "name": "chaos", "parent": 99999999, "consumes": [ @@ -964,32 +979,32 @@ ] }, { - "id": 41, + "id": 42, "name": "code_repository", "parent": 99999999, "consumes": [ - 19 + 20 ], "produces": [ - 42 + 43 ] }, { - "id": 43, + "id": 44, "name": "credshed", "parent": 99999999, "consumes": [ 7 ], "produces": [ - 44, 45, 46, - 47 + 47, + 48 ] }, { - "id": 48, + "id": 49, "name": "crt", "parent": 99999999, "consumes": [ @@ -1000,7 +1015,7 @@ ] }, { - "id": 49, + "id": 50, "name": "crt_db", "parent": 99999999, "consumes": [ @@ -1011,21 +1026,21 @@ ] }, { - "id": 50, + "id": 51, "name": "dehashed", "parent": 99999999, "consumes": [ 7 ], "produces": [ - 44, 45, 46, - 47 + 47, + 48 ] }, { - "id": 51, + "id": 52, "name": "digitorus", "parent": 99999999, "consumes": [ @@ -1036,19 +1051,19 @@ ] }, { - "id": 52, + "id": 53, "name": "dnsbimi", "parent": 99999999, "consumes": [ 7 ], "produces": [ - 53, - 19 + 54, + 20 ] }, { - "id": 54, + "id": 55, "name": "dnsbrute", "parent": 99999999, "consumes": [ @@ -1059,7 +1074,7 @@ ] }, { - "id": 55, + "id": 56, "name": "dnsbrute_mutations", "parent": 99999999, "consumes": [ @@ -1070,7 +1085,7 @@ ] }, { - "id": 56, + "id": 57, "name": "dnscaa", "parent": 99999999, "consumes": [ @@ -1078,12 +1093,12 @@ ], "produces": [ 7, - 44, - 19 + 45, + 20 ] }, { - "id": 57, + "id": 58, "name": "dnscommonsrv", "parent": 99999999, "consumes": [ @@ -1094,7 +1109,7 @@ ] }, { - "id": 58, + "id": 59, "name": "dnsdumpster", "parent": 99999999, "consumes": [ @@ -1105,157 +1120,157 @@ ] }, { - "id": 59, + "id": 60, "name": "dnsresolve", "parent": 99999999, "consumes": [], "produces": [ 7, 12, - 53 + 54 ] }, { - "id": 60, + "id": 61, "name": "dnstlsrpt", "parent": 99999999, "consumes": [ 7 ], "produces": [ - 44, - 53, - 19 + 45, + 54, + 20 ] }, { - "id": 61, + "id": 62, "name": "docker_pull", "parent": 99999999, "consumes": [ - 42 + 43 ], "produces": [ 10 ] }, { - "id": 62, + "id": 63, "name": "dockerhub", "parent": 99999999, "consumes": [ - 63, - 64 + 64, + 65 ], "produces": [ - 42, - 64, - 19 + 43, + 65, + 20 ] }, { - "id": 65, + "id": 66, "name": "dotnetnuke", "parent": 99999999, "consumes": [ 2 ], "produces": [ - 16, + 17, 5 ] }, { - "id": 66, + "id": 67, "name": "emailformat", "parent": 99999999, "consumes": [ 7 ], "produces": [ - 44 + 45 ] }, { - "id": 67, + "id": 68, "name": "emails", "parent": 99999999, "consumes": [ - 44 + 45 ], "produces": [] }, { - "id": 68, + "id": 69, "name": "excavate", "parent": 99999999, "consumes": [ 2, - 69 + 70 ], "produces": [ - 19, - 70 + 20, + 71 ] }, { - "id": 71, + "id": 72, "name": "extractous", "parent": 99999999, "consumes": [ 10 ], "produces": [ - 69 + 70 ] }, { - "id": 72, + "id": 73, "name": "ffuf", "parent": 99999999, "consumes": [ 3 ], "produces": [ - 19 + 20 ] }, { - "id": 73, + "id": 74, "name": "ffuf_shortnames", "parent": 99999999, "consumes": [ - 74 + 75 ], "produces": [ - 19 + 20 ] }, { - "id": 75, + "id": 76, "name": "filedownload", "parent": 99999999, "consumes": [ 2, - 19 + 20 ], "produces": [ 10 ] }, { - "id": 76, + "id": 77, "name": "fingerprintx", "parent": 99999999, "consumes": [ - 15 + 16 ], "produces": [ - 77 + 78 ] }, { - "id": 78, + "id": 79, "name": "fullhunt", "parent": 99999999, "consumes": [ @@ -1266,7 +1281,7 @@ ] }, { - "id": 79, + "id": 80, "name": "generic_ssrf", "parent": 99999999, "consumes": [ @@ -1277,131 +1292,142 @@ ] }, { - "id": 80, + "id": 81, "name": "git", "parent": 99999999, "consumes": [ 3 ], "produces": [ - 42, + 43, 4 ] }, { - "id": 81, + "id": 82, "name": "git_clone", "parent": 99999999, "consumes": [ - 42 + 43 ], "produces": [ 10 ] }, { - "id": 82, + "id": 83, "name": "gitdumper", "parent": 99999999, "consumes": [ - 42 + 43 ], "produces": [ 10 ] }, { - "id": 83, + "id": 84, "name": "github_codesearch", "parent": 99999999, "consumes": [ 7 ], "produces": [ - 42, - 19 + 43, + 20 ] }, { - "id": 84, + "id": 85, "name": "github_org", "parent": 99999999, "consumes": [ - 63, - 64 + 64, + 65 ], "produces": [ - 42 + 43 ] }, { - "id": 85, + "id": 86, "name": "github_usersearch", "parent": 99999999, "consumes": [ 7 ], "produces": [ - 44, - 64 + 45, + 65 ] }, { - "id": 86, + "id": 87, "name": "github_workflows", "parent": 99999999, "consumes": [ - 42 + 43 ], "produces": [ 10 ] }, { - "id": 87, + "id": 88, "name": "gitlab", "parent": 99999999, "consumes": [ 2, - 64, - 16 + 65, + 17 ], "produces": [ - 42, + 43, 4, - 64, - 16 + 65, + 17 ] }, { - "id": 88, + "id": 89, "name": "google_playstore", "parent": 99999999, "consumes": [ - 42, - 63 + 43, + 64 ], "produces": [ 9 ] }, { - "id": 89, + "id": 90, "name": "gowitness", "parent": 99999999, "consumes": [ - 64, + 65, 3 ], "produces": [ - 16, + 17, 3, - 19, - 90 + 20, + 91 ] }, { - "id": 91, + "id": 92, + "name": "graphql_introspection", + "parent": 99999999, + "consumes": [ + 3 + ], + "produces": [ + 4 + ] + }, + { + "id": 93, "name": "hackertarget", "parent": 99999999, "consumes": [ @@ -1412,7 +1438,7 @@ ] }, { - "id": 92, + "id": 94, "name": "host_header", "parent": 99999999, "consumes": [ @@ -1423,13 +1449,13 @@ ] }, { - "id": 93, + "id": 95, "name": "httpx", "parent": 99999999, "consumes": [ - 15, + 16, 3, - 19 + 20 ], "produces": [ 2, @@ -1437,18 +1463,18 @@ ] }, { - "id": 94, + "id": 96, "name": "hunt", "parent": 99999999, "consumes": [ - 70 + 71 ], "produces": [ 4 ] }, { - "id": 95, + "id": 97, "name": "hunterio", "parent": 99999999, "consumes": [ @@ -1456,34 +1482,34 @@ ], "produces": [ 7, - 44, - 19 + 45, + 20 ] }, { - "id": 96, + "id": 98, "name": "iis_shortnames", "parent": 99999999, "consumes": [ 3 ], "produces": [ - 74 + 75 ] }, { - "id": 97, + "id": 99, "name": "ip2location", "parent": 99999999, "consumes": [ 12 ], "produces": [ - 98 + 100 ] }, { - "id": 99, + "id": 101, "name": "ipneighbor", "parent": 99999999, "consumes": [ @@ -1494,18 +1520,18 @@ ] }, { - "id": 100, + "id": 102, "name": "ipstack", "parent": 99999999, "consumes": [ 12 ], "produces": [ - 98 + 100 ] }, { - "id": 101, + "id": 103, "name": "jadx", "parent": 99999999, "consumes": [ @@ -1516,7 +1542,7 @@ ] }, { - "id": 102, + "id": 104, "name": "leakix", "parent": 99999999, "consumes": [ @@ -1527,12 +1553,12 @@ ] }, { - "id": 103, + "id": 105, "name": "lightfuzz", "parent": 99999999, "consumes": [ 3, - 70 + 71 ], "produces": [ 4, @@ -1540,18 +1566,18 @@ ] }, { - "id": 104, + "id": 106, "name": "medusa", "parent": 99999999, "consumes": [ - 77 + 78 ], "produces": [ 5 ] }, { - "id": 105, + "id": 107, "name": "myssl", "parent": 99999999, "consumes": [ @@ -1562,7 +1588,7 @@ ] }, { - "id": 106, + "id": 108, "name": "newsletters", "parent": 99999999, "consumes": [ @@ -1573,20 +1599,20 @@ ] }, { - "id": 107, + "id": 109, "name": "nmap_xml", "parent": 99999999, "consumes": [ 7, 2, 12, - 15, - 77 + 16, + 78 ], "produces": [] }, { - "id": 108, + "id": 110, "name": "ntlm", "parent": 99999999, "consumes": [ @@ -1599,7 +1625,7 @@ ] }, { - "id": 109, + "id": 111, "name": "nuclei", "parent": 99999999, "consumes": [ @@ -1607,24 +1633,24 @@ ], "produces": [ 4, - 16, + 17, 5 ] }, { - "id": 110, + "id": 112, "name": "oauth", "parent": 99999999, "consumes": [ 7, - 19 + 20 ], "produces": [ 7 ] }, { - "id": 111, + "id": 113, "name": "otx", "parent": 99999999, "consumes": [ @@ -1635,45 +1661,45 @@ ] }, { - "id": 112, + "id": 114, "name": "paramminer_cookies", "parent": 99999999, "consumes": [ 2, - 70 + 71 ], "produces": [ 4, - 70 + 71 ] }, { - "id": 113, + "id": 115, "name": "paramminer_getparams", "parent": 99999999, "consumes": [ 2, - 70 + 71 ], "produces": [ 4, - 70 + 71 ] }, { - "id": 114, + "id": 116, "name": "paramminer_headers", "parent": 99999999, "consumes": [ 2, - 70 + 71 ], "produces": [ - 70 + 71 ] }, { - "id": 115, + "id": 117, "name": "passivetotal", "parent": 99999999, "consumes": [ @@ -1684,65 +1710,65 @@ ] }, { - "id": 116, + "id": 118, "name": "pgp", "parent": 99999999, "consumes": [ 7 ], "produces": [ - 44 + 45 ] }, { - "id": 117, + "id": 119, "name": "portfilter", "parent": 99999999, "consumes": [ - 15, + 16, 3, - 19 + 20 ], "produces": [] }, { - "id": 118, + "id": 120, "name": "portscan", "parent": 99999999, "consumes": [ 7, 12, - 119 + 121 ], "produces": [ - 15 + 16 ] }, { - "id": 120, + "id": 122, "name": "postman", "parent": 99999999, "consumes": [ - 63, - 64 + 64, + 65 ], "produces": [ - 42 + 43 ] }, { - "id": 121, + "id": 123, "name": "postman_download", "parent": 99999999, "consumes": [ - 42 + 43 ], "produces": [ 10 ] }, { - "id": 122, + "id": 124, "name": "rapiddns", "parent": 99999999, "consumes": [ @@ -1753,29 +1779,29 @@ ] }, { - "id": 123, + "id": 125, "name": "reflected_parameters", "parent": 99999999, "consumes": [ - 70 + 71 ], "produces": [ 4 ] }, { - "id": 124, + "id": 126, "name": "robots", "parent": 99999999, "consumes": [ 3 ], "produces": [ - 19 + 20 ] }, { - "id": 125, + "id": 127, "name": "securitytrails", "parent": 99999999, "consumes": [ @@ -1786,19 +1812,19 @@ ] }, { - "id": 126, + "id": 128, "name": "securitytxt", "parent": 99999999, "consumes": [ 7 ], "produces": [ - 44, - 19 + 45, + 20 ] }, { - "id": 127, + "id": 129, "name": "shodan_dns", "parent": 99999999, "consumes": [ @@ -1809,7 +1835,7 @@ ] }, { - "id": 128, + "id": 130, "name": "shodan_idb", "parent": 99999999, "consumes": [ @@ -1819,13 +1845,13 @@ "produces": [ 7, 4, - 15, 16, + 17, 5 ] }, { - "id": 129, + "id": 131, "name": "sitedossier", "parent": 99999999, "consumes": [ @@ -1836,18 +1862,18 @@ ] }, { - "id": 130, + "id": 132, "name": "skymem", "parent": 99999999, "consumes": [ 7 ], "produces": [ - 44 + 45 ] }, { - "id": 131, + "id": 133, "name": "smuggler", "parent": 99999999, "consumes": [ @@ -1858,55 +1884,55 @@ ] }, { - "id": 132, + "id": 134, "name": "social", "parent": 99999999, "consumes": [ - 19 + 20 ], "produces": [ - 64 + 65 ] }, { - "id": 133, + "id": 135, "name": "speculate", "parent": 99999999, "consumes": [ - 134, + 136, 7, - 22, + 23, 2, 12, - 119, - 64, - 24, + 121, + 65, + 25, 3, - 19, - 47 + 20, + 48 ], "produces": [ 7, 4, 12, - 15, - 63 + 16, + 64 ] }, { - "id": 135, + "id": 137, "name": "sslcert", "parent": 99999999, "consumes": [ - 15 + 16 ], "produces": [ 7, - 44 + 45 ] }, { - "id": 136, + "id": 138, "name": "subdomaincenter", "parent": 99999999, "consumes": [ @@ -1917,7 +1943,7 @@ ] }, { - "id": 137, + "id": 139, "name": "subdomainradar", "parent": 99999999, "consumes": [ @@ -1928,17 +1954,17 @@ ] }, { - "id": 138, + "id": 140, "name": "subdomains", "parent": 99999999, "consumes": [ 7, - 22 + 23 ], "produces": [] }, { - "id": 139, + "id": 141, "name": "telerik", "parent": 99999999, "consumes": [ @@ -1951,7 +1977,7 @@ ] }, { - "id": 140, + "id": 142, "name": "trickest", "parent": 99999999, "consumes": [ @@ -1962,14 +1988,14 @@ ] }, { - "id": 141, + "id": 143, "name": "trufflehog", "parent": 99999999, "consumes": [ - 42, + 43, 10, 2, - 69 + 70 ], "produces": [ 4, @@ -1977,7 +2003,7 @@ ] }, { - "id": 142, + "id": 144, "name": "unarchive", "parent": 99999999, "consumes": [ @@ -1988,7 +2014,7 @@ ] }, { - "id": 143, + "id": 145, "name": "url_manipulation", "parent": 99999999, "consumes": [ @@ -1999,7 +2025,7 @@ ] }, { - "id": 144, + "id": 146, "name": "urlscan", "parent": 99999999, "consumes": [ @@ -2007,11 +2033,11 @@ ], "produces": [ 7, - 19 + 20 ] }, { - "id": 145, + "id": 147, "name": "vhost", "parent": 99999999, "consumes": [ @@ -2019,11 +2045,11 @@ ], "produces": [ 7, - 146 + 148 ] }, { - "id": 147, + "id": 149, "name": "viewdns", "parent": 99999999, "consumes": [ @@ -2034,7 +2060,7 @@ ] }, { - "id": 148, + "id": 150, "name": "virustotal", "parent": 99999999, "consumes": [ @@ -2045,29 +2071,29 @@ ] }, { - "id": 149, + "id": 151, "name": "wafw00f", "parent": 99999999, "consumes": [ 3 ], "produces": [ - 17 + 18 ] }, { - "id": 150, + "id": 152, "name": "wappalyzer", "parent": 99999999, "consumes": [ 2 ], "produces": [ - 16 + 17 ] }, { - "id": 151, + "id": 153, "name": "wayback", "parent": 99999999, "consumes": [ @@ -2075,48 +2101,48 @@ ], "produces": [ 7, - 19 + 20 ] }, { - "id": 152, + "id": 154, "name": "web_parameters", "parent": 99999999, "consumes": [ - 70 + 71 ], "produces": [] }, { - "id": 153, + "id": 155, "name": "web_report", "parent": 99999999, "consumes": [ 4, - 16, + 17, 3, - 146, + 148, 5 ], "produces": [] }, { - "id": 154, + "id": 156, "name": "wpscan", "parent": 99999999, "consumes": [ 2, - 16 + 17 ], "produces": [ 4, - 16, - 19, + 17, + 20, 5 ] }, { - "id": 155, + "id": 157, "name": "zoomeye", "parent": 99999999, "consumes": [ diff --git a/docs/data/chord_graph/rels.json b/docs/data/chord_graph/rels.json index f6ea6fce5d..e69d33679d 100644 --- a/docs/data/chord_graph/rels.json +++ b/docs/data/chord_graph/rels.json @@ -51,166 +51,161 @@ }, { "source": 14, + "target": 3, + "type": "consumes" + }, + { + "source": 5, + "target": 14, + "type": "produces" + }, + { + "source": 15, "target": 7, "type": "consumes" }, { - "source": 14, + "source": 15, "target": 4, "type": "consumes" }, { - "source": 14, + "source": 15, "target": 2, "type": "consumes" }, { - "source": 14, + "source": 15, "target": 12, "type": "consumes" }, { - "source": 14, - "target": 15, + "source": 15, + "target": 16, "type": "consumes" }, { - "source": 14, - "target": 16, + "source": 15, + "target": 17, "type": "consumes" }, { - "source": 14, + "source": 15, "target": 3, "type": "consumes" }, { - "source": 14, + "source": 15, "target": 5, "type": "consumes" }, { - "source": 14, - "target": 17, + "source": 15, + "target": 18, "type": "consumes" }, { "source": 12, - "target": 14, + "target": 15, "type": "produces" }, { - "source": 15, - "target": 14, + "source": 16, + "target": 15, "type": "produces" }, { - "source": 18, + "source": 19, "target": 7, "type": "consumes" }, { - "source": 19, - "target": 18, + "source": 20, + "target": 19, "type": "produces" }, { - "source": 20, + "source": 21, "target": 7, "type": "consumes" }, { "source": 7, - "target": 20, + "target": 21, "type": "produces" }, { - "source": 21, + "source": 22, "target": 7, "type": "consumes" }, { - "source": 21, - "target": 22, + "source": 22, + "target": 23, "type": "consumes" }, { "source": 4, - "target": 21, + "target": 22, "type": "produces" }, { "source": 5, - "target": 21, + "target": 22, "type": "produces" }, { - "source": 23, - "target": 24, + "source": 24, + "target": 25, "type": "consumes" }, { - "source": 23, + "source": 24, "target": 3, "type": "consumes" }, { "source": 4, - "target": 23, + "target": 24, "type": "produces" }, { "source": 5, - "target": 23, + "target": 24, "type": "produces" }, { - "source": 25, + "source": 26, "target": 7, "type": "consumes" }, { "source": 4, - "target": 25, + "target": 26, "type": "produces" }, { "source": 5, - "target": 25, + "target": 26, "type": "produces" }, { - "source": 26, + "source": 27, "target": 2, "type": "consumes" }, { "source": 4, - "target": 26, - "type": "produces" - }, - { - "source": 16, - "target": 26, - "type": "produces" - }, - { - "source": 5, - "target": 26, + "target": 27, "type": "produces" }, { - "source": 27, - "target": 7, - "type": "consumes" - }, - { - "source": 7, + "source": 17, "target": 27, "type": "produces" }, { - "source": 19, + "source": 5, "target": 27, "type": "produces" }, @@ -220,17 +215,12 @@ "type": "consumes" }, { - "source": 28, - "target": 24, - "type": "consumes" - }, - { - "source": 4, + "source": 7, "target": 28, "type": "produces" }, { - "source": 24, + "source": 20, "target": 28, "type": "produces" }, @@ -241,7 +231,7 @@ }, { "source": 29, - "target": 24, + "target": 25, "type": "consumes" }, { @@ -250,7 +240,7 @@ "type": "produces" }, { - "source": 24, + "source": 25, "target": 29, "type": "produces" }, @@ -261,7 +251,7 @@ }, { "source": 30, - "target": 24, + "target": 25, "type": "consumes" }, { @@ -270,37 +260,37 @@ "type": "produces" }, { - "source": 24, + "source": 25, "target": 30, "type": "produces" }, { "source": 31, - "target": 24, + "target": 7, "type": "consumes" }, { - "source": 19, + "source": 31, + "target": 25, + "type": "consumes" + }, + { + "source": 4, "target": 31, "type": "produces" }, { - "source": 32, - "target": 7, - "type": "consumes" + "source": 25, + "target": 31, + "type": "produces" }, { "source": 32, - "target": 24, + "target": 25, "type": "consumes" }, { - "source": 4, - "target": 32, - "type": "produces" - }, - { - "source": 24, + "source": 20, "target": 32, "type": "produces" }, @@ -311,7 +301,7 @@ }, { "source": 33, - "target": 24, + "target": 25, "type": "consumes" }, { @@ -320,7 +310,7 @@ "type": "produces" }, { - "source": 24, + "source": 25, "target": 33, "type": "produces" }, @@ -330,7 +320,17 @@ "type": "consumes" }, { - "source": 7, + "source": 34, + "target": 25, + "type": "consumes" + }, + { + "source": 4, + "target": 34, + "type": "produces" + }, + { + "source": 25, "target": 34, "type": "produces" }, @@ -346,21 +346,21 @@ }, { "source": 36, - "target": 3, + "target": 7, "type": "consumes" }, { - "source": 4, + "source": 7, "target": 36, "type": "produces" }, { "source": 37, - "target": 7, + "target": 3, "type": "consumes" }, { - "source": 7, + "source": 4, "target": 37, "type": "produces" }, @@ -396,47 +396,47 @@ }, { "source": 41, - "target": 19, + "target": 7, "type": "consumes" }, { - "source": 42, + "source": 7, "target": 41, "type": "produces" }, { - "source": 43, - "target": 7, + "source": 42, + "target": 20, "type": "consumes" }, { - "source": 44, - "target": 43, + "source": 43, + "target": 42, "type": "produces" }, + { + "source": 44, + "target": 7, + "type": "consumes" + }, { "source": 45, - "target": 43, + "target": 44, "type": "produces" }, { "source": 46, - "target": 43, + "target": 44, "type": "produces" }, { "source": 47, - "target": 43, + "target": 44, "type": "produces" }, { "source": 48, - "target": 7, - "type": "consumes" - }, - { - "source": 7, - "target": 48, + "target": 44, "type": "produces" }, { @@ -455,1383 +455,1403 @@ "type": "consumes" }, { - "source": 44, + "source": 7, "target": 50, "type": "produces" }, + { + "source": 51, + "target": 7, + "type": "consumes" + }, { "source": 45, - "target": 50, + "target": 51, "type": "produces" }, { "source": 46, - "target": 50, + "target": 51, "type": "produces" }, { "source": 47, - "target": 50, + "target": 51, "type": "produces" }, { - "source": 51, + "source": 48, + "target": 51, + "type": "produces" + }, + { + "source": 52, "target": 7, "type": "consumes" }, { "source": 7, - "target": 51, + "target": 52, "type": "produces" }, { - "source": 52, + "source": 53, "target": 7, "type": "consumes" }, { - "source": 53, - "target": 52, + "source": 54, + "target": 53, "type": "produces" }, { - "source": 19, - "target": 52, + "source": 20, + "target": 53, "type": "produces" }, { - "source": 54, + "source": 55, "target": 7, "type": "consumes" }, { "source": 7, - "target": 54, + "target": 55, "type": "produces" }, { - "source": 55, + "source": 56, "target": 7, "type": "consumes" }, { "source": 7, - "target": 55, + "target": 56, "type": "produces" }, { - "source": 56, + "source": 57, "target": 7, "type": "consumes" }, { "source": 7, - "target": 56, + "target": 57, "type": "produces" }, { - "source": 44, - "target": 56, + "source": 45, + "target": 57, "type": "produces" }, { - "source": 19, - "target": 56, + "source": 20, + "target": 57, "type": "produces" }, { - "source": 57, + "source": 58, "target": 7, "type": "consumes" }, { "source": 7, - "target": 57, + "target": 58, "type": "produces" }, { - "source": 58, + "source": 59, "target": 7, "type": "consumes" }, { "source": 7, - "target": 58, + "target": 59, "type": "produces" }, { "source": 7, - "target": 59, + "target": 60, "type": "produces" }, { "source": 12, - "target": 59, + "target": 60, "type": "produces" }, { - "source": 53, - "target": 59, + "source": 54, + "target": 60, "type": "produces" }, { - "source": 60, + "source": 61, "target": 7, "type": "consumes" }, { - "source": 44, - "target": 60, - "type": "produces" + "source": 45, + "target": 61, + "type": "produces" }, { - "source": 53, - "target": 60, + "source": 54, + "target": 61, "type": "produces" }, { - "source": 19, - "target": 60, + "source": 20, + "target": 61, "type": "produces" }, { - "source": 61, - "target": 42, + "source": 62, + "target": 43, "type": "consumes" }, { "source": 10, - "target": 61, + "target": 62, "type": "produces" }, { - "source": 62, - "target": 63, + "source": 63, + "target": 64, "type": "consumes" }, { - "source": 62, - "target": 64, + "source": 63, + "target": 65, "type": "consumes" }, { - "source": 42, - "target": 62, + "source": 43, + "target": 63, "type": "produces" }, { - "source": 64, - "target": 62, + "source": 65, + "target": 63, "type": "produces" }, { - "source": 19, - "target": 62, + "source": 20, + "target": 63, "type": "produces" }, { - "source": 65, + "source": 66, "target": 2, "type": "consumes" }, { - "source": 16, - "target": 65, + "source": 17, + "target": 66, "type": "produces" }, { "source": 5, - "target": 65, + "target": 66, "type": "produces" }, { - "source": 66, + "source": 67, "target": 7, "type": "consumes" }, { - "source": 44, - "target": 66, + "source": 45, + "target": 67, "type": "produces" }, { - "source": 67, - "target": 44, + "source": 68, + "target": 45, "type": "consumes" }, { - "source": 68, + "source": 69, "target": 2, "type": "consumes" }, { - "source": 68, - "target": 69, + "source": 69, + "target": 70, "type": "consumes" }, { - "source": 19, - "target": 68, + "source": 20, + "target": 69, "type": "produces" }, { - "source": 70, - "target": 68, + "source": 71, + "target": 69, "type": "produces" }, { - "source": 71, + "source": 72, "target": 10, "type": "consumes" }, { - "source": 69, - "target": 71, + "source": 70, + "target": 72, "type": "produces" }, { - "source": 72, + "source": 73, "target": 3, "type": "consumes" }, { - "source": 19, - "target": 72, + "source": 20, + "target": 73, "type": "produces" }, { - "source": 73, - "target": 74, + "source": 74, + "target": 75, "type": "consumes" }, { - "source": 19, - "target": 73, + "source": 20, + "target": 74, "type": "produces" }, { - "source": 75, + "source": 76, "target": 2, "type": "consumes" }, { - "source": 75, - "target": 19, + "source": 76, + "target": 20, "type": "consumes" }, { "source": 10, - "target": 75, + "target": 76, "type": "produces" }, { - "source": 76, - "target": 15, + "source": 77, + "target": 16, "type": "consumes" }, { - "source": 77, - "target": 76, + "source": 78, + "target": 77, "type": "produces" }, { - "source": 78, + "source": 79, "target": 7, "type": "consumes" }, { "source": 7, - "target": 78, + "target": 79, "type": "produces" }, { - "source": 79, + "source": 80, "target": 3, "type": "consumes" }, { "source": 5, - "target": 79, + "target": 80, "type": "produces" }, { - "source": 80, + "source": 81, "target": 3, "type": "consumes" }, { - "source": 42, - "target": 80, + "source": 43, + "target": 81, "type": "produces" }, { "source": 4, - "target": 80, + "target": 81, "type": "produces" }, { - "source": 81, - "target": 42, + "source": 82, + "target": 43, "type": "consumes" }, { "source": 10, - "target": 81, + "target": 82, "type": "produces" }, { - "source": 82, - "target": 42, + "source": 83, + "target": 43, "type": "consumes" }, { "source": 10, - "target": 82, + "target": 83, "type": "produces" }, { - "source": 83, + "source": 84, "target": 7, "type": "consumes" }, { - "source": 42, - "target": 83, + "source": 43, + "target": 84, "type": "produces" }, { - "source": 19, - "target": 83, + "source": 20, + "target": 84, "type": "produces" }, { - "source": 84, - "target": 63, + "source": 85, + "target": 64, "type": "consumes" }, { - "source": 84, - "target": 64, + "source": 85, + "target": 65, "type": "consumes" }, { - "source": 42, - "target": 84, + "source": 43, + "target": 85, "type": "produces" }, { - "source": 85, + "source": 86, "target": 7, "type": "consumes" }, { - "source": 44, - "target": 85, + "source": 45, + "target": 86, "type": "produces" }, { - "source": 64, - "target": 85, + "source": 65, + "target": 86, "type": "produces" }, { - "source": 86, - "target": 42, + "source": 87, + "target": 43, "type": "consumes" }, { "source": 10, - "target": 86, + "target": 87, "type": "produces" }, { - "source": 87, + "source": 88, "target": 2, "type": "consumes" }, { - "source": 87, - "target": 64, + "source": 88, + "target": 65, "type": "consumes" }, { - "source": 87, - "target": 16, + "source": 88, + "target": 17, "type": "consumes" }, { - "source": 42, - "target": 87, + "source": 43, + "target": 88, "type": "produces" }, { "source": 4, - "target": 87, + "target": 88, "type": "produces" }, { - "source": 64, - "target": 87, + "source": 65, + "target": 88, "type": "produces" }, { - "source": 16, - "target": 87, + "source": 17, + "target": 88, "type": "produces" }, { - "source": 88, - "target": 42, + "source": 89, + "target": 43, "type": "consumes" }, { - "source": 88, - "target": 63, + "source": 89, + "target": 64, "type": "consumes" }, { "source": 9, - "target": 88, + "target": 89, "type": "produces" }, { - "source": 89, - "target": 64, + "source": 90, + "target": 65, "type": "consumes" }, { - "source": 89, + "source": 90, "target": 3, "type": "consumes" }, { - "source": 16, - "target": 89, + "source": 17, + "target": 90, "type": "produces" }, { "source": 3, - "target": 89, + "target": 90, "type": "produces" }, { - "source": 19, - "target": 89, + "source": 20, + "target": 90, "type": "produces" }, { - "source": 90, - "target": 89, + "source": 91, + "target": 90, "type": "produces" }, { - "source": 91, + "source": 92, + "target": 3, + "type": "consumes" + }, + { + "source": 4, + "target": 92, + "type": "produces" + }, + { + "source": 93, "target": 7, "type": "consumes" }, { "source": 7, - "target": 91, + "target": 93, "type": "produces" }, { - "source": 92, + "source": 94, "target": 2, "type": "consumes" }, { "source": 4, - "target": 92, + "target": 94, "type": "produces" }, { - "source": 93, - "target": 15, + "source": 95, + "target": 16, "type": "consumes" }, { - "source": 93, + "source": 95, "target": 3, "type": "consumes" }, { - "source": 93, - "target": 19, + "source": 95, + "target": 20, "type": "consumes" }, { "source": 2, - "target": 93, + "target": 95, "type": "produces" }, { "source": 3, - "target": 93, + "target": 95, "type": "produces" }, { - "source": 94, - "target": 70, + "source": 96, + "target": 71, "type": "consumes" }, { "source": 4, - "target": 94, + "target": 96, "type": "produces" }, { - "source": 95, + "source": 97, "target": 7, "type": "consumes" }, { "source": 7, - "target": 95, + "target": 97, "type": "produces" }, { - "source": 44, - "target": 95, + "source": 45, + "target": 97, "type": "produces" }, { - "source": 19, - "target": 95, + "source": 20, + "target": 97, "type": "produces" }, { - "source": 96, + "source": 98, "target": 3, "type": "consumes" }, { - "source": 74, - "target": 96, + "source": 75, + "target": 98, "type": "produces" }, { - "source": 97, + "source": 99, "target": 12, "type": "consumes" }, { - "source": 98, - "target": 97, + "source": 100, + "target": 99, "type": "produces" }, { - "source": 99, + "source": 101, "target": 12, "type": "consumes" }, { "source": 12, - "target": 99, + "target": 101, "type": "produces" }, { - "source": 100, + "source": 102, "target": 12, "type": "consumes" }, { - "source": 98, - "target": 100, + "source": 100, + "target": 102, "type": "produces" }, { - "source": 101, + "source": 103, "target": 10, "type": "consumes" }, { "source": 10, - "target": 101, + "target": 103, "type": "produces" }, { - "source": 102, + "source": 104, "target": 7, "type": "consumes" }, { "source": 7, - "target": 102, + "target": 104, "type": "produces" }, { - "source": 103, + "source": 105, "target": 3, "type": "consumes" }, { - "source": 103, - "target": 70, + "source": 105, + "target": 71, "type": "consumes" }, { "source": 4, - "target": 103, + "target": 105, "type": "produces" }, { "source": 5, - "target": 103, + "target": 105, "type": "produces" }, { - "source": 104, - "target": 77, + "source": 106, + "target": 78, "type": "consumes" }, { "source": 5, - "target": 104, + "target": 106, "type": "produces" }, { - "source": 105, + "source": 107, "target": 7, "type": "consumes" }, { "source": 7, - "target": 105, + "target": 107, "type": "produces" }, { - "source": 106, + "source": 108, "target": 2, "type": "consumes" }, { "source": 4, - "target": 106, + "target": 108, "type": "produces" }, { - "source": 107, + "source": 109, "target": 7, "type": "consumes" }, { - "source": 107, + "source": 109, "target": 2, "type": "consumes" }, { - "source": 107, + "source": 109, "target": 12, "type": "consumes" }, { - "source": 107, - "target": 15, + "source": 109, + "target": 16, "type": "consumes" }, { - "source": 107, - "target": 77, + "source": 109, + "target": 78, "type": "consumes" }, { - "source": 108, + "source": 110, "target": 2, "type": "consumes" }, { - "source": 108, + "source": 110, "target": 3, "type": "consumes" }, { "source": 7, - "target": 108, + "target": 110, "type": "produces" }, { "source": 4, - "target": 108, + "target": 110, "type": "produces" }, { - "source": 109, + "source": 111, "target": 3, "type": "consumes" }, { "source": 4, - "target": 109, + "target": 111, "type": "produces" }, { - "source": 16, - "target": 109, + "source": 17, + "target": 111, "type": "produces" }, { "source": 5, - "target": 109, + "target": 111, "type": "produces" }, { - "source": 110, + "source": 112, "target": 7, "type": "consumes" }, { - "source": 110, - "target": 19, + "source": 112, + "target": 20, "type": "consumes" }, { "source": 7, - "target": 110, + "target": 112, "type": "produces" }, { - "source": 111, + "source": 113, "target": 7, "type": "consumes" }, { "source": 7, - "target": 111, + "target": 113, "type": "produces" }, { - "source": 112, + "source": 114, "target": 2, "type": "consumes" }, { - "source": 112, - "target": 70, + "source": 114, + "target": 71, "type": "consumes" }, { "source": 4, - "target": 112, + "target": 114, "type": "produces" }, { - "source": 70, - "target": 112, + "source": 71, + "target": 114, "type": "produces" }, { - "source": 113, + "source": 115, "target": 2, "type": "consumes" }, { - "source": 113, - "target": 70, + "source": 115, + "target": 71, "type": "consumes" }, { "source": 4, - "target": 113, + "target": 115, "type": "produces" }, { - "source": 70, - "target": 113, + "source": 71, + "target": 115, "type": "produces" }, { - "source": 114, + "source": 116, "target": 2, "type": "consumes" }, { - "source": 114, - "target": 70, + "source": 116, + "target": 71, "type": "consumes" }, { - "source": 70, - "target": 114, + "source": 71, + "target": 116, "type": "produces" }, { - "source": 115, + "source": 117, "target": 7, "type": "consumes" }, { "source": 7, - "target": 115, + "target": 117, "type": "produces" }, { - "source": 116, + "source": 118, "target": 7, "type": "consumes" }, { - "source": 44, - "target": 116, + "source": 45, + "target": 118, "type": "produces" }, { - "source": 117, - "target": 15, + "source": 119, + "target": 16, "type": "consumes" }, { - "source": 117, + "source": 119, "target": 3, "type": "consumes" }, { - "source": 117, - "target": 19, + "source": 119, + "target": 20, "type": "consumes" }, { - "source": 118, + "source": 120, "target": 7, "type": "consumes" }, { - "source": 118, + "source": 120, "target": 12, "type": "consumes" }, { - "source": 118, - "target": 119, + "source": 120, + "target": 121, "type": "consumes" }, { - "source": 15, - "target": 118, + "source": 16, + "target": 120, "type": "produces" }, { - "source": 120, - "target": 63, + "source": 122, + "target": 64, "type": "consumes" }, { - "source": 120, - "target": 64, + "source": 122, + "target": 65, "type": "consumes" }, { - "source": 42, - "target": 120, + "source": 43, + "target": 122, "type": "produces" }, { - "source": 121, - "target": 42, + "source": 123, + "target": 43, "type": "consumes" }, { "source": 10, - "target": 121, + "target": 123, "type": "produces" }, { - "source": 122, + "source": 124, "target": 7, "type": "consumes" }, { "source": 7, - "target": 122, + "target": 124, "type": "produces" }, { - "source": 123, - "target": 70, + "source": 125, + "target": 71, "type": "consumes" }, { "source": 4, - "target": 123, + "target": 125, "type": "produces" }, { - "source": 124, + "source": 126, "target": 3, "type": "consumes" }, { - "source": 19, - "target": 124, + "source": 20, + "target": 126, "type": "produces" }, { - "source": 125, + "source": 127, "target": 7, "type": "consumes" }, { "source": 7, - "target": 125, + "target": 127, "type": "produces" }, { - "source": 126, + "source": 128, "target": 7, "type": "consumes" }, { - "source": 44, - "target": 126, + "source": 45, + "target": 128, "type": "produces" }, { - "source": 19, - "target": 126, + "source": 20, + "target": 128, "type": "produces" }, { - "source": 127, + "source": 129, "target": 7, "type": "consumes" }, { "source": 7, - "target": 127, + "target": 129, "type": "produces" }, { - "source": 128, + "source": 130, "target": 7, "type": "consumes" }, { - "source": 128, + "source": 130, "target": 12, "type": "consumes" }, { "source": 7, - "target": 128, + "target": 130, "type": "produces" }, { "source": 4, - "target": 128, + "target": 130, "type": "produces" }, { - "source": 15, - "target": 128, + "source": 16, + "target": 130, "type": "produces" }, { - "source": 16, - "target": 128, + "source": 17, + "target": 130, "type": "produces" }, { "source": 5, - "target": 128, + "target": 130, "type": "produces" }, { - "source": 129, + "source": 131, "target": 7, "type": "consumes" }, { "source": 7, - "target": 129, + "target": 131, "type": "produces" }, { - "source": 130, + "source": 132, "target": 7, "type": "consumes" }, { - "source": 44, - "target": 130, + "source": 45, + "target": 132, "type": "produces" }, { - "source": 131, + "source": 133, "target": 3, "type": "consumes" }, { "source": 4, - "target": 131, + "target": 133, "type": "produces" }, { - "source": 132, - "target": 19, + "source": 134, + "target": 20, "type": "consumes" }, { - "source": 64, - "target": 132, + "source": 65, + "target": 134, "type": "produces" }, { - "source": 133, - "target": 134, + "source": 135, + "target": 136, "type": "consumes" }, { - "source": 133, + "source": 135, "target": 7, "type": "consumes" }, { - "source": 133, - "target": 22, + "source": 135, + "target": 23, "type": "consumes" }, { - "source": 133, + "source": 135, "target": 2, "type": "consumes" }, { - "source": 133, + "source": 135, "target": 12, "type": "consumes" }, { - "source": 133, - "target": 119, + "source": 135, + "target": 121, "type": "consumes" }, { - "source": 133, - "target": 64, + "source": 135, + "target": 65, "type": "consumes" }, { - "source": 133, - "target": 24, + "source": 135, + "target": 25, "type": "consumes" }, { - "source": 133, + "source": 135, "target": 3, "type": "consumes" }, { - "source": 133, - "target": 19, + "source": 135, + "target": 20, "type": "consumes" }, { - "source": 133, - "target": 47, + "source": 135, + "target": 48, "type": "consumes" }, { "source": 7, - "target": 133, + "target": 135, "type": "produces" }, { "source": 4, - "target": 133, + "target": 135, "type": "produces" }, { "source": 12, - "target": 133, + "target": 135, "type": "produces" }, { - "source": 15, - "target": 133, + "source": 16, + "target": 135, "type": "produces" }, { - "source": 63, - "target": 133, + "source": 64, + "target": 135, "type": "produces" }, { - "source": 135, - "target": 15, + "source": 137, + "target": 16, "type": "consumes" }, { "source": 7, - "target": 135, + "target": 137, "type": "produces" }, { - "source": 44, - "target": 135, + "source": 45, + "target": 137, "type": "produces" }, { - "source": 136, + "source": 138, "target": 7, "type": "consumes" }, { "source": 7, - "target": 136, + "target": 138, "type": "produces" }, { - "source": 137, + "source": 139, "target": 7, "type": "consumes" }, { "source": 7, - "target": 137, + "target": 139, "type": "produces" }, { - "source": 138, + "source": 140, "target": 7, "type": "consumes" }, { - "source": 138, - "target": 22, + "source": 140, + "target": 23, "type": "consumes" }, { - "source": 139, + "source": 141, "target": 2, "type": "consumes" }, { - "source": 139, + "source": 141, "target": 3, "type": "consumes" }, { "source": 4, - "target": 139, + "target": 141, "type": "produces" }, { "source": 5, - "target": 139, + "target": 141, "type": "produces" }, { - "source": 140, + "source": 142, "target": 7, "type": "consumes" }, { "source": 7, - "target": 140, + "target": 142, "type": "produces" }, { - "source": 141, - "target": 42, + "source": 143, + "target": 43, "type": "consumes" }, { - "source": 141, + "source": 143, "target": 10, "type": "consumes" }, { - "source": 141, + "source": 143, "target": 2, "type": "consumes" }, { - "source": 141, - "target": 69, + "source": 143, + "target": 70, "type": "consumes" }, { "source": 4, - "target": 141, + "target": 143, "type": "produces" }, { "source": 5, - "target": 141, + "target": 143, "type": "produces" }, { - "source": 142, + "source": 144, "target": 10, "type": "consumes" }, { "source": 10, - "target": 142, + "target": 144, "type": "produces" }, { - "source": 143, + "source": 145, "target": 3, "type": "consumes" }, { "source": 4, - "target": 143, + "target": 145, "type": "produces" }, { - "source": 144, + "source": 146, "target": 7, "type": "consumes" }, { "source": 7, - "target": 144, + "target": 146, "type": "produces" }, { - "source": 19, - "target": 144, + "source": 20, + "target": 146, "type": "produces" }, { - "source": 145, + "source": 147, "target": 3, "type": "consumes" }, { "source": 7, - "target": 145, + "target": 147, "type": "produces" }, { - "source": 146, - "target": 145, + "source": 148, + "target": 147, "type": "produces" }, { - "source": 147, + "source": 149, "target": 7, "type": "consumes" }, { "source": 7, - "target": 147, + "target": 149, "type": "produces" }, { - "source": 148, + "source": 150, "target": 7, "type": "consumes" }, { "source": 7, - "target": 148, + "target": 150, "type": "produces" }, { - "source": 149, + "source": 151, "target": 3, "type": "consumes" }, { - "source": 17, - "target": 149, + "source": 18, + "target": 151, "type": "produces" }, { - "source": 150, + "source": 152, "target": 2, "type": "consumes" }, { - "source": 16, - "target": 150, + "source": 17, + "target": 152, "type": "produces" }, { - "source": 151, + "source": 153, "target": 7, "type": "consumes" }, { "source": 7, - "target": 151, + "target": 153, "type": "produces" }, { - "source": 19, - "target": 151, + "source": 20, + "target": 153, "type": "produces" }, { - "source": 152, - "target": 70, + "source": 154, + "target": 71, "type": "consumes" }, { - "source": 153, + "source": 155, "target": 4, "type": "consumes" }, { - "source": 153, - "target": 16, + "source": 155, + "target": 17, "type": "consumes" }, { - "source": 153, + "source": 155, "target": 3, "type": "consumes" }, { - "source": 153, - "target": 146, + "source": 155, + "target": 148, "type": "consumes" }, { - "source": 153, + "source": 155, "target": 5, "type": "consumes" }, { - "source": 154, + "source": 156, "target": 2, "type": "consumes" }, { - "source": 154, - "target": 16, + "source": 156, + "target": 17, "type": "consumes" }, { "source": 4, - "target": 154, + "target": 156, "type": "produces" }, { - "source": 16, - "target": 154, + "source": 17, + "target": 156, "type": "produces" }, { - "source": 19, - "target": 154, + "source": 20, + "target": 156, "type": "produces" }, { "source": 5, - "target": 154, + "target": 156, "type": "produces" }, { - "source": 155, + "source": 157, "target": 7, "type": "consumes" }, { "source": 7, - "target": 155, + "target": 157, "type": "produces" } ] \ No newline at end of file diff --git a/docs/modules/list_of_modules.md b/docs/modules/list_of_modules.md index 9affadcfa3..0dec9bff7b 100644 --- a/docs/modules/list_of_modules.md +++ b/docs/modules/list_of_modules.md @@ -1,149 +1,151 @@ # List of Modules -| Module | Type | Needs API Key | Description | Flags | Consumed Events | Produced Events | Author | Created Date | -|----------------------|----------|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------|------------------|----------------| -| ajaxpro | scan | No | Check for potentially vulnerable Ajaxpro instances | active, safe, web-thorough | HTTP_RESPONSE, URL | FINDING, VULNERABILITY | @liquidsec | 2024-01-18 | -| baddns | scan | No | Check hosts for domain/subdomain takeovers | active, baddns, cloud-enum, safe, subdomain-hijack, web-basic | DNS_NAME, DNS_NAME_UNRESOLVED | FINDING, VULNERABILITY | @liquidsec | 2024-01-18 | -| baddns_direct | scan | No | Check for unusual subdomain / service takeover edge cases that require direct detection | active, baddns, cloud-enum, safe, subdomain-enum | STORAGE_BUCKET, URL | FINDING, VULNERABILITY | @liquidsec | 2024-01-29 | -| baddns_zone | scan | No | Check hosts for DNS zone transfers and NSEC walks | active, baddns, cloud-enum, safe, subdomain-enum | DNS_NAME | FINDING, VULNERABILITY | @liquidsec | 2024-01-29 | -| badsecrets | scan | No | Library for detecting known or weak secrets across many web frameworks | active, safe, web-basic | HTTP_RESPONSE | FINDING, TECHNOLOGY, VULNERABILITY | @liquidsec | 2022-11-19 | -| bucket_amazon | scan | No | Check for S3 buckets related to target | active, cloud-enum, safe, web-basic | DNS_NAME, STORAGE_BUCKET | FINDING, STORAGE_BUCKET | @TheTechromancer | 2022-11-04 | -| bucket_azure | scan | No | Check for Azure storage blobs related to target | active, cloud-enum, safe, web-basic | DNS_NAME, STORAGE_BUCKET | FINDING, STORAGE_BUCKET | @TheTechromancer | 2022-11-04 | -| bucket_digitalocean | scan | No | Check for DigitalOcean spaces related to target | active, cloud-enum, safe, slow, web-thorough | DNS_NAME, STORAGE_BUCKET | FINDING, STORAGE_BUCKET | @TheTechromancer | 2022-11-08 | -| bucket_firebase | scan | No | Check for open Firebase databases related to target | active, cloud-enum, safe, web-basic | DNS_NAME, STORAGE_BUCKET | FINDING, STORAGE_BUCKET | @TheTechromancer | 2023-03-20 | -| bucket_google | scan | No | Check for Google object storage related to target | active, cloud-enum, safe, web-basic | DNS_NAME, STORAGE_BUCKET | FINDING, STORAGE_BUCKET | @TheTechromancer | 2022-11-04 | -| bypass403 | scan | No | Check 403 pages for common bypasses | active, aggressive, web-thorough | URL | FINDING | @liquidsec | 2022-07-05 | -| dnsbrute | scan | No | Brute-force subdomains with massdns + static wordlist | active, aggressive, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2024-04-24 | -| dnsbrute_mutations | scan | No | Brute-force subdomains with massdns + target-specific mutations | active, aggressive, slow, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2024-04-25 | -| dnscommonsrv | scan | No | Check for common SRV records | active, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-05-15 | -| dotnetnuke | scan | No | Scan for critical DotNetNuke (DNN) vulnerabilities | active, aggressive, web-thorough | HTTP_RESPONSE | TECHNOLOGY, VULNERABILITY | @liquidsec | 2023-11-21 | -| ffuf | scan | No | A fast web fuzzer written in Go | active, aggressive, deadly | URL | URL_UNVERIFIED | @liquidsec | 2022-04-10 | -| ffuf_shortnames | scan | No | Use ffuf in combination IIS shortnames | active, aggressive, iis-shortnames, web-thorough | URL_HINT | URL_UNVERIFIED | @liquidsec | 2022-07-05 | -| filedownload | scan | No | Download common filetypes such as PDF, DOCX, PPTX, etc. | active, safe, web-basic | HTTP_RESPONSE, URL_UNVERIFIED | FILESYSTEM | @TheTechromancer | 2023-10-11 | -| fingerprintx | scan | No | Fingerprint exposed services like RDP, SSH, MySQL, etc. | active, safe, service-enum, slow | OPEN_TCP_PORT | PROTOCOL | @TheTechromancer | 2023-01-30 | -| generic_ssrf | scan | No | Check for generic SSRFs | active, aggressive, web-thorough | URL | VULNERABILITY | @liquidsec | 2022-07-30 | -| git | scan | No | Check for exposed .git repositories | active, code-enum, safe, web-basic | URL | CODE_REPOSITORY, FINDING | @TheTechromancer | 2023-05-30 | -| gitlab | scan | No | Detect GitLab instances and query them for repositories | active, code-enum, safe | HTTP_RESPONSE, SOCIAL, TECHNOLOGY | CODE_REPOSITORY, FINDING, SOCIAL, TECHNOLOGY | @TheTechromancer | 2024-03-11 | -| gowitness | scan | No | Take screenshots of webpages | active, safe, web-screenshots | SOCIAL, URL | TECHNOLOGY, URL, URL_UNVERIFIED, WEBSCREENSHOT | @TheTechromancer | 2022-07-08 | -| host_header | scan | No | Try common HTTP Host header spoofing techniques | active, aggressive, web-thorough | HTTP_RESPONSE | FINDING | @liquidsec | 2022-07-27 | -| httpx | scan | No | Visit webpages. Many other modules rely on httpx | active, cloud-enum, safe, social-enum, subdomain-enum, web-basic | OPEN_TCP_PORT, URL, URL_UNVERIFIED | HTTP_RESPONSE, URL | @TheTechromancer | 2022-07-08 | -| hunt | scan | No | Watch for commonly-exploitable HTTP parameters | active, safe, web-thorough | WEB_PARAMETER | FINDING | @liquidsec | 2022-07-20 | -| iis_shortnames | scan | No | Check for IIS shortname vulnerability | active, iis-shortnames, safe, web-basic | URL | URL_HINT | @liquidsec | 2022-04-15 | -| lightfuzz | scan | No | Find Web Parameters and Lightly Fuzz them using a heuristic based scanner | active, aggressive, deadly, web-thorough | URL, WEB_PARAMETER | FINDING, VULNERABILITY | @liquidsec | 2024-06-28 | -| medusa | scan | No | Medusa SNMP bruteforcing with v1, v2c and R/W check. | active, aggressive, deadly | PROTOCOL | VULNERABILITY | @christianfl | 2025-05-16 | -| newsletters | scan | No | Searches for Newsletter Submission Entry Fields on Websites | active, safe | HTTP_RESPONSE | FINDING | @stryker2k2 | 2024-02-02 | -| ntlm | scan | No | Watch for HTTP endpoints that support NTLM authentication | active, safe, web-basic | HTTP_RESPONSE, URL | DNS_NAME, FINDING | @liquidsec | 2022-07-25 | -| nuclei | scan | No | Fast and customisable vulnerability scanner | active, aggressive, deadly | URL | FINDING, TECHNOLOGY, VULNERABILITY | @TheTechromancer | 2022-03-12 | -| oauth | scan | No | Enumerate OAUTH and OpenID Connect services | active, affiliates, cloud-enum, safe, subdomain-enum, web-basic | DNS_NAME, URL_UNVERIFIED | DNS_NAME | @TheTechromancer | 2023-07-12 | -| paramminer_cookies | scan | No | Smart brute-force to check for common HTTP cookie parameters | active, aggressive, slow, web-paramminer | HTTP_RESPONSE, WEB_PARAMETER | FINDING, WEB_PARAMETER | @liquidsec | 2022-06-27 | -| paramminer_getparams | scan | No | Use smart brute-force to check for common HTTP GET parameters | active, aggressive, slow, web-paramminer | HTTP_RESPONSE, WEB_PARAMETER | FINDING, WEB_PARAMETER | @liquidsec | 2022-06-28 | -| paramminer_headers | scan | No | Use smart brute-force to check for common HTTP header parameters | active, aggressive, slow, web-paramminer | HTTP_RESPONSE, WEB_PARAMETER | WEB_PARAMETER | @liquidsec | 2022-04-15 | -| portscan | scan | No | Port scan with masscan. By default, scans top 100 ports. | active, portscan, safe | DNS_NAME, IP_ADDRESS, IP_RANGE | OPEN_TCP_PORT | @TheTechromancer | 2024-05-15 | -| reflected_parameters | scan | No | Highlight parameters that reflect their contents in response body | active, safe, web-thorough | WEB_PARAMETER | FINDING | @liquidsec | 2024-10-29 | -| robots | scan | No | Look for and parse robots.txt | active, safe, web-basic | URL | URL_UNVERIFIED | @liquidsec | 2023-02-01 | -| securitytxt | scan | No | Check for security.txt content | active, cloud-enum, safe, subdomain-enum, web-basic | DNS_NAME | EMAIL_ADDRESS, URL_UNVERIFIED | @colin-stubbs | 2024-05-26 | -| smuggler | scan | No | Check for HTTP smuggling | active, aggressive, slow, web-thorough | URL | FINDING | @liquidsec | 2022-07-06 | -| sslcert | scan | No | Visit open ports and retrieve SSL certificates | active, affiliates, email-enum, safe, subdomain-enum, web-basic | OPEN_TCP_PORT | DNS_NAME, EMAIL_ADDRESS | @TheTechromancer | 2022-03-30 | -| telerik | scan | No | Scan for critical Telerik vulnerabilities | active, aggressive, web-thorough | HTTP_RESPONSE, URL | FINDING, VULNERABILITY | @liquidsec | 2022-04-10 | -| url_manipulation | scan | No | Attempt to identify URL parsing/routing based vulnerabilities | active, aggressive, web-thorough | URL | FINDING | @liquidsec | 2022-09-27 | -| vhost | scan | No | Fuzz for virtual hosts | active, aggressive, deadly, slow | URL | DNS_NAME, VHOST | @liquidsec | 2022-05-02 | -| wafw00f | scan | No | Web Application Firewall Fingerprinting Tool | active, aggressive | URL | WAF | @liquidsec | 2023-02-15 | -| wappalyzer | scan | No | Extract technologies from web responses | active, safe, web-basic | HTTP_RESPONSE | TECHNOLOGY | @liquidsec | 2022-04-15 | -| wpscan | scan | No | Wordpress security scanner. Highly recommended to use an API key for better results. | active, aggressive | HTTP_RESPONSE, TECHNOLOGY | FINDING, TECHNOLOGY, URL_UNVERIFIED, VULNERABILITY | @domwhewell-sage | 2024-05-29 | -| affiliates | scan | No | Summarize affiliate domains at the end of a scan | affiliates, passive, report, safe | * | | @TheTechromancer | 2022-07-25 | -| anubisdb | scan | No | Query jldc.me's database for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-10-04 | -| apkpure | scan | No | Download android applications from apkpure.com | code-enum, passive, safe | MOBILE_APP | FILESYSTEM | @domwhewell-sage | 2024-10-11 | -| asn | scan | No | Query ripe and bgpview.io for ASNs | passive, report, safe, subdomain-enum | IP_ADDRESS | ASN | @TheTechromancer | 2022-07-25 | -| azure_realm | scan | No | Retrieves the "AuthURL" from login.microsoftonline.com/getuserrealm | affiliates, cloud-enum, passive, safe, subdomain-enum, web-basic | DNS_NAME | URL_UNVERIFIED | @TheTechromancer | 2023-07-12 | -| azure_tenant | scan | No | Query Azure for tenant sister domains | affiliates, cloud-enum, passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2024-07-04 | -| bevigil | scan | Yes | Retrieve OSINT data from mobile applications using BeVigil | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME, URL_UNVERIFIED | @alt-glitch | 2022-10-26 | -| bucket_file_enum | scan | No | Works in conjunction with the filedownload module to download files from open storage buckets. Currently supported cloud providers: AWS, DigitalOcean | cloud-enum, passive, safe | STORAGE_BUCKET | URL_UNVERIFIED | @TheTechromancer | 2023-11-14 | -| bufferoverrun | scan | Yes | Query BufferOverrun's TLS API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2024-10-23 | -| builtwith | scan | Yes | Query Builtwith.com for subdomains | affiliates, passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-23 | -| c99 | scan | Yes | Query the C99 API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-08 | -| censys | scan | Yes | Query the Censys API | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-04 | -| certspotter | scan | No | Query Certspotter's API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-28 | -| chaos | scan | Yes | Query ProjectDiscovery's Chaos API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-14 | -| code_repository | scan | No | Look for code repository links in webpages | code-enum, passive, safe | URL_UNVERIFIED | CODE_REPOSITORY | @domwhewell-sage | 2024-05-15 | -| credshed | scan | Yes | Send queries to your own credshed server to check for known credentials of your targets | passive, safe | DNS_NAME | EMAIL_ADDRESS, HASHED_PASSWORD, PASSWORD, USERNAME | @SpamFaux | 2023-10-12 | -| crt | scan | No | Query crt.sh (certificate transparency) for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-05-13 | -| crt_db | scan | No | Query crt.sh (certificate transparency) for subdomains via PostgreSQL | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2025-03-27 | -| dehashed | scan | Yes | Execute queries against dehashed.com for exposed credentials | email-enum, passive, safe | DNS_NAME | EMAIL_ADDRESS, HASHED_PASSWORD, PASSWORD, USERNAME | @SpamFaux | 2023-10-12 | -| digitorus | scan | No | Query certificatedetails.com for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2023-07-25 | -| dnsbimi | scan | No | Check DNS_NAME's for BIMI records to find image and certificate hosting URL's | cloud-enum, passive, safe, subdomain-enum | DNS_NAME | RAW_DNS_RECORD, URL_UNVERIFIED | @colin-stubbs | 2024-11-15 | -| dnscaa | scan | No | Check for CAA records | email-enum, passive, safe, subdomain-enum | DNS_NAME | DNS_NAME, EMAIL_ADDRESS, URL_UNVERIFIED | @colin-stubbs | 2024-05-26 | -| dnsdumpster | scan | No | Query dnsdumpster for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-03-12 | -| dnstlsrpt | scan | No | Check for TLS-RPT records | cloud-enum, email-enum, passive, safe, subdomain-enum | DNS_NAME | EMAIL_ADDRESS, RAW_DNS_RECORD, URL_UNVERIFIED | @colin-stubbs | 2024-07-26 | -| docker_pull | scan | No | Download images from a docker repository | code-enum, passive, safe, slow | CODE_REPOSITORY | FILESYSTEM | @domwhewell-sage | 2024-03-24 | -| dockerhub | scan | No | Search for docker repositories of discovered orgs/usernames | code-enum, passive, safe | ORG_STUB, SOCIAL | CODE_REPOSITORY, SOCIAL, URL_UNVERIFIED | @domwhewell-sage | 2024-03-12 | -| emailformat | scan | No | Query email-format.com for email addresses | email-enum, passive, safe | DNS_NAME | EMAIL_ADDRESS | @TheTechromancer | 2022-07-11 | -| extractous | scan | No | Module to extract data from files | passive, safe | FILESYSTEM | RAW_TEXT | @domwhewell-sage | 2024-06-03 | -| fullhunt | scan | Yes | Query the fullhunt.io API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-24 | -| git_clone | scan | No | Clone code github repositories | code-enum, passive, safe, slow | CODE_REPOSITORY | FILESYSTEM | @domwhewell-sage | 2024-03-08 | -| gitdumper | scan | No | Download a leaked .git folder recursively or by fuzzing common names | code-enum, passive, safe, slow | CODE_REPOSITORY | FILESYSTEM | @domwhewell-sage | 2025-02-11 | -| github_codesearch | scan | Yes | Query Github's API for code containing the target domain name | code-enum, passive, safe, subdomain-enum | DNS_NAME | CODE_REPOSITORY, URL_UNVERIFIED | @domwhewell-sage | 2023-12-14 | -| github_org | scan | No | Query Github's API for organization and member repositories | code-enum, passive, safe, subdomain-enum | ORG_STUB, SOCIAL | CODE_REPOSITORY | @domwhewell-sage | 2023-12-14 | -| github_usersearch | scan | Yes | Query Github's API for users with emails matching in scope domains that may not be discoverable by listing members of the organization. | code-enum, passive, safe | DNS_NAME | EMAIL_ADDRESS, SOCIAL | @domwhewell-sage | 2025-05-10 | -| github_workflows | scan | No | Download a github repositories workflow logs and workflow artifacts | code-enum, passive, safe | CODE_REPOSITORY | FILESYSTEM | @domwhewell-sage | 2024-04-29 | -| google_playstore | scan | No | Search for android applications on play.google.com | code-enum, passive, safe | CODE_REPOSITORY, ORG_STUB | MOBILE_APP | @domwhewell-sage | 2024-10-08 | -| hackertarget | scan | No | Query the hackertarget.com API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-28 | -| hunterio | scan | Yes | Query hunter.io for emails | email-enum, passive, safe, subdomain-enum | DNS_NAME | DNS_NAME, EMAIL_ADDRESS, URL_UNVERIFIED | @TheTechromancer | 2022-04-25 | -| ip2location | scan | Yes | Query IP2location.io's API for geolocation information. | passive, safe | IP_ADDRESS | GEOLOCATION | @TheTechromancer | 2023-09-12 | -| ipneighbor | scan | No | Look beside IPs in their surrounding subnet | aggressive, passive, subdomain-enum | IP_ADDRESS | IP_ADDRESS | @TheTechromancer | 2022-06-08 | -| ipstack | scan | Yes | Query IPStack's GeoIP API | passive, safe | IP_ADDRESS | GEOLOCATION | @tycoonslive | 2022-11-26 | -| jadx | scan | No | Decompile APKs and XAPKs using JADX | code-enum, passive, safe | FILESYSTEM | FILESYSTEM | @domwhewell-sage | 2024-11-04 | -| leakix | scan | No | Query leakix.net for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-11 | -| myssl | scan | No | Query myssl.com's API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2023-07-10 | -| otx | scan | No | Query otx.alienvault.com for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-24 | -| passivetotal | scan | Yes | Query the PassiveTotal API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-08 | -| pgp | scan | No | Query common PGP servers for email addresses | email-enum, passive, safe | DNS_NAME | EMAIL_ADDRESS | @TheTechromancer | 2022-08-10 | -| portfilter | scan | No | Filter out unwanted open ports from cloud/CDN targets | passive, safe | OPEN_TCP_PORT, URL, URL_UNVERIFIED | | @TheTechromancer | 2025-01-06 | -| postman | scan | No | Query Postman's API for related workspaces, collections, requests and download them | code-enum, passive, safe, subdomain-enum | ORG_STUB, SOCIAL | CODE_REPOSITORY | @domwhewell-sage | 2024-09-07 | -| postman_download | scan | No | Download workspaces, collections, requests from Postman | code-enum, passive, safe, subdomain-enum | CODE_REPOSITORY | FILESYSTEM | @domwhewell-sage | 2024-09-07 | -| rapiddns | scan | No | Query rapiddns.io for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-24 | -| securitytrails | scan | Yes | Query the SecurityTrails API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-03 | -| shodan_dns | scan | Yes | Query Shodan for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-03 | -| shodan_idb | scan | No | Query Shodan's InternetDB for open ports, hostnames, technologies, and vulnerabilities | passive, portscan, safe, subdomain-enum | DNS_NAME, IP_ADDRESS | DNS_NAME, FINDING, OPEN_TCP_PORT, TECHNOLOGY, VULNERABILITY | @TheTechromancer | 2023-12-22 | -| sitedossier | scan | No | Query sitedossier.com for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2023-08-04 | -| skymem | scan | No | Query skymem.info for email addresses | email-enum, passive, safe | DNS_NAME | EMAIL_ADDRESS | @TheTechromancer | 2022-07-11 | -| social | scan | No | Look for social media links in webpages | passive, safe, social-enum | URL_UNVERIFIED | SOCIAL | @TheTechromancer | 2023-03-28 | -| subdomaincenter | scan | No | Query subdomain.center's API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2023-07-26 | -| subdomainradar | scan | Yes | Query the Subdomain API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-08 | -| trickest | scan | Yes | Query Trickest's API for subdomains | affiliates, passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @amiremami | 2024-07-27 | -| trufflehog | scan | No | TruffleHog is a tool for finding credentials | code-enum, passive, safe | CODE_REPOSITORY, FILESYSTEM, HTTP_RESPONSE, RAW_TEXT | FINDING, VULNERABILITY | @domwhewell-sage | 2024-03-12 | -| urlscan | scan | No | Query urlscan.io for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME, URL_UNVERIFIED | @TheTechromancer | 2022-06-09 | -| viewdns | scan | No | Query viewdns.info's reverse whois for related domains | affiliates, passive, safe | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-04 | -| virustotal | scan | Yes | Query VirusTotal's API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-25 | -| wayback | scan | No | Query archive.org's API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME, URL_UNVERIFIED | @liquidsec | 2022-04-01 | -| zoomeye | scan | Yes | Query ZoomEye's API for subdomains | affiliates, passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-03 | -| asset_inventory | output | No | Merge hosts, open ports, technologies, findings, etc. into a single asset inventory CSV | | DNS_NAME, FINDING, HTTP_RESPONSE, IP_ADDRESS, OPEN_TCP_PORT, TECHNOLOGY, URL, VULNERABILITY, WAF | IP_ADDRESS, OPEN_TCP_PORT | @liquidsec | 2022-09-30 | -| csv | output | No | Output to CSV | | * | | @TheTechromancer | 2022-04-07 | -| discord | output | No | Message a Discord channel when certain events are encountered | | * | | @TheTechromancer | 2023-08-14 | -| emails | output | No | Output any email addresses found belonging to the target domain | email-enum | EMAIL_ADDRESS | | @domwhewell-sage | 2023-12-23 | -| http | output | No | Send every event to a custom URL via a web request | | * | | @TheTechromancer | 2022-04-13 | -| json | output | No | Output to Newline-Delimited JSON (NDJSON) | | * | | @TheTechromancer | 2022-04-07 | -| mysql | output | No | Output scan data to a MySQL database | | * | | @TheTechromancer | 2024-11-13 | -| neo4j | output | No | Output to Neo4j | | * | | @TheTechromancer | 2022-04-07 | -| nmap_xml | output | No | Output to Nmap XML | | DNS_NAME, HTTP_RESPONSE, IP_ADDRESS, OPEN_TCP_PORT, PROTOCOL | | @TheTechromancer | 2024-11-16 | -| postgres | output | No | Output scan data to a SQLite database | | * | | @TheTechromancer | 2024-11-08 | -| python | output | No | Output via Python API | | * | | @TheTechromancer | 2022-09-13 | -| slack | output | No | Message a Slack channel when certain events are encountered | | * | | @TheTechromancer | 2023-08-14 | -| splunk | output | No | Send every event to a splunk instance through HTTP Event Collector | | * | | @w0Tx | 2024-02-17 | -| sqlite | output | No | Output scan data to a SQLite database | | * | | @TheTechromancer | 2024-11-07 | -| stdout | output | No | Output to text | | * | | @TheTechromancer | 2024-04-03 | -| subdomains | output | No | Output only resolved, in-scope subdomains | subdomain-enum | DNS_NAME, DNS_NAME_UNRESOLVED | | @TheTechromancer | 2023-07-31 | -| teams | output | No | Message a Teams channel when certain events are encountered | | * | | @TheTechromancer | 2023-08-14 | -| txt | output | No | Output to text | | * | | @TheTechromancer | 2024-04-03 | -| web_parameters | output | No | Output WEB_PARAMETER names to a file | | WEB_PARAMETER | | @liquidsec | 2025-01-25 | -| web_report | output | No | Create a markdown report with web assets | | FINDING, TECHNOLOGY, URL, VHOST, VULNERABILITY | | @liquidsec | 2023-02-08 | -| websocket | output | No | Output to websockets | | * | | @TheTechromancer | 2022-04-15 | -| cloudcheck | internal | No | Tag events by cloud provider, identify cloud resources like storage buckets | | * | | @TheTechromancer | 2024-07-07 | -| dnsresolve | internal | No | Perform DNS resolution | | * | DNS_NAME, IP_ADDRESS, RAW_DNS_RECORD | @TheTechromancer | 2022-04-08 | -| aggregate | internal | No | Summarize statistics at the end of a scan | passive, safe | | | @TheTechromancer | 2022-07-25 | -| excavate | internal | No | Passively extract juicy tidbits from scan data | passive | HTTP_RESPONSE, RAW_TEXT | URL_UNVERIFIED, WEB_PARAMETER | @liquidsec | 2022-06-27 | -| speculate | internal | No | Derive certain event types from others by common sense | passive | AZURE_TENANT, DNS_NAME, DNS_NAME_UNRESOLVED, HTTP_RESPONSE, IP_ADDRESS, IP_RANGE, SOCIAL, STORAGE_BUCKET, URL, URL_UNVERIFIED, USERNAME | DNS_NAME, FINDING, IP_ADDRESS, OPEN_TCP_PORT, ORG_STUB | @liquidsec | 2022-05-03 | -| unarchive | internal | No | Extract different types of files into folders on the filesystem | passive, safe | FILESYSTEM | FILESYSTEM | @domwhewell-sage | 2024-12-08 | +| Module | Type | Needs API Key | Description | Flags | Consumed Events | Produced Events | Author | Created Date | +|-----------------------|----------|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------|------------------|----------------| +| ajaxpro | scan | No | Check for potentially vulnerable Ajaxpro instances | active, safe, web-thorough | HTTP_RESPONSE, URL | FINDING, VULNERABILITY | @liquidsec | 2024-01-18 | +| aspnet_bin_exposure | scan | No | Check for ASP.NET Security Feature Bypasses (CVE-2023-36899 and CVE-2023-36560) | active, safe, web-thorough | URL | VULNERABILITY | @liquidsec | 2025-01-28 | +| baddns | scan | No | Check hosts for domain/subdomain takeovers | active, baddns, cloud-enum, safe, subdomain-hijack, web-basic | DNS_NAME, DNS_NAME_UNRESOLVED | FINDING, VULNERABILITY | @liquidsec | 2024-01-18 | +| baddns_direct | scan | No | Check for unusual subdomain / service takeover edge cases that require direct detection | active, baddns, cloud-enum, safe, subdomain-enum | STORAGE_BUCKET, URL | FINDING, VULNERABILITY | @liquidsec | 2024-01-29 | +| baddns_zone | scan | No | Check hosts for DNS zone transfers and NSEC walks | active, baddns, cloud-enum, safe, subdomain-enum | DNS_NAME | FINDING, VULNERABILITY | @liquidsec | 2024-01-29 | +| badsecrets | scan | No | Library for detecting known or weak secrets across many web frameworks | active, safe, web-basic | HTTP_RESPONSE | FINDING, TECHNOLOGY, VULNERABILITY | @liquidsec | 2022-11-19 | +| bucket_amazon | scan | No | Check for S3 buckets related to target | active, cloud-enum, safe, web-basic | DNS_NAME, STORAGE_BUCKET | FINDING, STORAGE_BUCKET | @TheTechromancer | 2022-11-04 | +| bucket_azure | scan | No | Check for Azure storage blobs related to target | active, cloud-enum, safe, web-basic | DNS_NAME, STORAGE_BUCKET | FINDING, STORAGE_BUCKET | @TheTechromancer | 2022-11-04 | +| bucket_digitalocean | scan | No | Check for DigitalOcean spaces related to target | active, cloud-enum, safe, slow, web-thorough | DNS_NAME, STORAGE_BUCKET | FINDING, STORAGE_BUCKET | @TheTechromancer | 2022-11-08 | +| bucket_firebase | scan | No | Check for open Firebase databases related to target | active, cloud-enum, safe, web-basic | DNS_NAME, STORAGE_BUCKET | FINDING, STORAGE_BUCKET | @TheTechromancer | 2023-03-20 | +| bucket_google | scan | No | Check for Google object storage related to target | active, cloud-enum, safe, web-basic | DNS_NAME, STORAGE_BUCKET | FINDING, STORAGE_BUCKET | @TheTechromancer | 2022-11-04 | +| bypass403 | scan | No | Check 403 pages for common bypasses | active, aggressive, web-thorough | URL | FINDING | @liquidsec | 2022-07-05 | +| dnsbrute | scan | No | Brute-force subdomains with massdns + static wordlist | active, aggressive, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2024-04-24 | +| dnsbrute_mutations | scan | No | Brute-force subdomains with massdns + target-specific mutations | active, aggressive, slow, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2024-04-25 | +| dnscommonsrv | scan | No | Check for common SRV records | active, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-05-15 | +| dotnetnuke | scan | No | Scan for critical DotNetNuke (DNN) vulnerabilities | active, aggressive, web-thorough | HTTP_RESPONSE | TECHNOLOGY, VULNERABILITY | @liquidsec | 2023-11-21 | +| ffuf | scan | No | A fast web fuzzer written in Go | active, aggressive, deadly | URL | URL_UNVERIFIED | @liquidsec | 2022-04-10 | +| ffuf_shortnames | scan | No | Use ffuf in combination IIS shortnames | active, aggressive, iis-shortnames, web-thorough | URL_HINT | URL_UNVERIFIED | @liquidsec | 2022-07-05 | +| filedownload | scan | No | Download common filetypes such as PDF, DOCX, PPTX, etc. | active, safe, web-basic | HTTP_RESPONSE, URL_UNVERIFIED | FILESYSTEM | @TheTechromancer | 2023-10-11 | +| fingerprintx | scan | No | Fingerprint exposed services like RDP, SSH, MySQL, etc. | active, safe, service-enum, slow | OPEN_TCP_PORT | PROTOCOL | @TheTechromancer | 2023-01-30 | +| generic_ssrf | scan | No | Check for generic SSRFs | active, aggressive, web-thorough | URL | VULNERABILITY | @liquidsec | 2022-07-30 | +| git | scan | No | Check for exposed .git repositories | active, code-enum, safe, web-basic | URL | CODE_REPOSITORY, FINDING | @TheTechromancer | 2023-05-30 | +| gitlab | scan | No | Detect GitLab instances and query them for repositories | active, code-enum, safe | HTTP_RESPONSE, SOCIAL, TECHNOLOGY | CODE_REPOSITORY, FINDING, SOCIAL, TECHNOLOGY | @TheTechromancer | 2024-03-11 | +| gowitness | scan | No | Take screenshots of webpages | active, safe, web-screenshots | SOCIAL, URL | TECHNOLOGY, URL, URL_UNVERIFIED, WEBSCREENSHOT | @TheTechromancer | 2022-07-08 | +| graphql_introspection | scan | No | Perform GraphQL introspection on a target | active, safe, web-basic | URL | FINDING | @mukesh-dream11 | 2025-07-01 | +| host_header | scan | No | Try common HTTP Host header spoofing techniques | active, aggressive, web-thorough | HTTP_RESPONSE | FINDING | @liquidsec | 2022-07-27 | +| httpx | scan | No | Visit webpages. Many other modules rely on httpx | active, cloud-enum, safe, social-enum, subdomain-enum, web-basic | OPEN_TCP_PORT, URL, URL_UNVERIFIED | HTTP_RESPONSE, URL | @TheTechromancer | 2022-07-08 | +| hunt | scan | No | Watch for commonly-exploitable HTTP parameters | active, safe, web-thorough | WEB_PARAMETER | FINDING | @liquidsec | 2022-07-20 | +| iis_shortnames | scan | No | Check for IIS shortname vulnerability | active, iis-shortnames, safe, web-basic | URL | URL_HINT | @liquidsec | 2022-04-15 | +| lightfuzz | scan | No | Find Web Parameters and Lightly Fuzz them using a heuristic based scanner | active, aggressive, deadly, web-thorough | URL, WEB_PARAMETER | FINDING, VULNERABILITY | @liquidsec | 2024-06-28 | +| medusa | scan | No | Medusa SNMP bruteforcing with v1, v2c and R/W check. | active, aggressive, deadly | PROTOCOL | VULNERABILITY | @christianfl | 2025-05-16 | +| newsletters | scan | No | Searches for Newsletter Submission Entry Fields on Websites | active, safe | HTTP_RESPONSE | FINDING | @stryker2k2 | 2024-02-02 | +| ntlm | scan | No | Watch for HTTP endpoints that support NTLM authentication | active, safe, web-basic | HTTP_RESPONSE, URL | DNS_NAME, FINDING | @liquidsec | 2022-07-25 | +| nuclei | scan | No | Fast and customisable vulnerability scanner | active, aggressive, deadly | URL | FINDING, TECHNOLOGY, VULNERABILITY | @TheTechromancer | 2022-03-12 | +| oauth | scan | No | Enumerate OAUTH and OpenID Connect services | active, affiliates, cloud-enum, safe, subdomain-enum, web-basic | DNS_NAME, URL_UNVERIFIED | DNS_NAME | @TheTechromancer | 2023-07-12 | +| paramminer_cookies | scan | No | Smart brute-force to check for common HTTP cookie parameters | active, aggressive, slow, web-paramminer | HTTP_RESPONSE, WEB_PARAMETER | FINDING, WEB_PARAMETER | @liquidsec | 2022-06-27 | +| paramminer_getparams | scan | No | Use smart brute-force to check for common HTTP GET parameters | active, aggressive, slow, web-paramminer | HTTP_RESPONSE, WEB_PARAMETER | FINDING, WEB_PARAMETER | @liquidsec | 2022-06-28 | +| paramminer_headers | scan | No | Use smart brute-force to check for common HTTP header parameters | active, aggressive, slow, web-paramminer | HTTP_RESPONSE, WEB_PARAMETER | WEB_PARAMETER | @liquidsec | 2022-04-15 | +| portscan | scan | No | Port scan with masscan. By default, scans top 100 ports. | active, portscan, safe | DNS_NAME, IP_ADDRESS, IP_RANGE | OPEN_TCP_PORT | @TheTechromancer | 2024-05-15 | +| reflected_parameters | scan | No | Highlight parameters that reflect their contents in response body | active, safe, web-thorough | WEB_PARAMETER | FINDING | @liquidsec | 2024-10-29 | +| robots | scan | No | Look for and parse robots.txt | active, safe, web-basic | URL | URL_UNVERIFIED | @liquidsec | 2023-02-01 | +| securitytxt | scan | No | Check for security.txt content | active, cloud-enum, safe, subdomain-enum, web-basic | DNS_NAME | EMAIL_ADDRESS, URL_UNVERIFIED | @colin-stubbs | 2024-05-26 | +| smuggler | scan | No | Check for HTTP smuggling | active, aggressive, slow, web-thorough | URL | FINDING | @liquidsec | 2022-07-06 | +| sslcert | scan | No | Visit open ports and retrieve SSL certificates | active, affiliates, email-enum, safe, subdomain-enum, web-basic | OPEN_TCP_PORT | DNS_NAME, EMAIL_ADDRESS | @TheTechromancer | 2022-03-30 | +| telerik | scan | No | Scan for critical Telerik vulnerabilities | active, aggressive, web-thorough | HTTP_RESPONSE, URL | FINDING, VULNERABILITY | @liquidsec | 2022-04-10 | +| url_manipulation | scan | No | Attempt to identify URL parsing/routing based vulnerabilities | active, aggressive, web-thorough | URL | FINDING | @liquidsec | 2022-09-27 | +| vhost | scan | No | Fuzz for virtual hosts | active, aggressive, deadly, slow | URL | DNS_NAME, VHOST | @liquidsec | 2022-05-02 | +| wafw00f | scan | No | Web Application Firewall Fingerprinting Tool | active, aggressive | URL | WAF | @liquidsec | 2023-02-15 | +| wappalyzer | scan | No | Extract technologies from web responses | active, safe, web-basic | HTTP_RESPONSE | TECHNOLOGY | @liquidsec | 2022-04-15 | +| wpscan | scan | No | Wordpress security scanner. Highly recommended to use an API key for better results. | active, aggressive | HTTP_RESPONSE, TECHNOLOGY | FINDING, TECHNOLOGY, URL_UNVERIFIED, VULNERABILITY | @domwhewell-sage | 2024-05-29 | +| affiliates | scan | No | Summarize affiliate domains at the end of a scan | affiliates, passive, safe | * | | @TheTechromancer | 2022-07-25 | +| anubisdb | scan | No | Query jldc.me's database for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-10-04 | +| apkpure | scan | No | Download android applications from apkpure.com | code-enum, passive, safe | MOBILE_APP | FILESYSTEM | @domwhewell-sage | 2024-10-11 | +| asn | scan | No | Query ripe and bgpview.io for ASNs | passive, safe, subdomain-enum | IP_ADDRESS | ASN | @TheTechromancer | 2022-07-25 | +| azure_realm | scan | No | Retrieves the "AuthURL" from login.microsoftonline.com/getuserrealm | affiliates, cloud-enum, passive, safe, subdomain-enum, web-basic | DNS_NAME | URL_UNVERIFIED | @TheTechromancer | 2023-07-12 | +| azure_tenant | scan | No | Query Azure for tenant sister domains | affiliates, cloud-enum, passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2024-07-04 | +| bevigil | scan | Yes | Retrieve OSINT data from mobile applications using BeVigil | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME, URL_UNVERIFIED | @alt-glitch | 2022-10-26 | +| bucket_file_enum | scan | No | Works in conjunction with the filedownload module to download files from open storage buckets. Currently supported cloud providers: AWS, DigitalOcean | cloud-enum, passive, safe | STORAGE_BUCKET | URL_UNVERIFIED | @TheTechromancer | 2023-11-14 | +| bufferoverrun | scan | Yes | Query BufferOverrun's TLS API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2024-10-23 | +| builtwith | scan | Yes | Query Builtwith.com for subdomains | affiliates, passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-23 | +| c99 | scan | Yes | Query the C99 API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-08 | +| censys | scan | Yes | Query the Censys API | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-04 | +| certspotter | scan | No | Query Certspotter's API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-28 | +| chaos | scan | Yes | Query ProjectDiscovery's Chaos API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-14 | +| code_repository | scan | No | Look for code repository links in webpages | code-enum, passive, safe | URL_UNVERIFIED | CODE_REPOSITORY | @domwhewell-sage | 2024-05-15 | +| credshed | scan | Yes | Send queries to your own credshed server to check for known credentials of your targets | passive, safe | DNS_NAME | EMAIL_ADDRESS, HASHED_PASSWORD, PASSWORD, USERNAME | @SpamFaux | 2023-10-12 | +| crt | scan | No | Query crt.sh (certificate transparency) for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-05-13 | +| crt_db | scan | No | Query crt.sh (certificate transparency) for subdomains via PostgreSQL | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2025-03-27 | +| dehashed | scan | Yes | Execute queries against dehashed.com for exposed credentials | email-enum, passive, safe | DNS_NAME | EMAIL_ADDRESS, HASHED_PASSWORD, PASSWORD, USERNAME | @SpamFaux | 2023-10-12 | +| digitorus | scan | No | Query certificatedetails.com for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2023-07-25 | +| dnsbimi | scan | No | Check DNS_NAME's for BIMI records to find image and certificate hosting URL's | cloud-enum, passive, safe, subdomain-enum | DNS_NAME | RAW_DNS_RECORD, URL_UNVERIFIED | @colin-stubbs | 2024-11-15 | +| dnscaa | scan | No | Check for CAA records | email-enum, passive, safe, subdomain-enum | DNS_NAME | DNS_NAME, EMAIL_ADDRESS, URL_UNVERIFIED | @colin-stubbs | 2024-05-26 | +| dnsdumpster | scan | No | Query dnsdumpster for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-03-12 | +| dnstlsrpt | scan | No | Check for TLS-RPT records | cloud-enum, email-enum, passive, safe, subdomain-enum | DNS_NAME | EMAIL_ADDRESS, RAW_DNS_RECORD, URL_UNVERIFIED | @colin-stubbs | 2024-07-26 | +| docker_pull | scan | No | Download images from a docker repository | code-enum, passive, safe, slow | CODE_REPOSITORY | FILESYSTEM | @domwhewell-sage | 2024-03-24 | +| dockerhub | scan | No | Search for docker repositories of discovered orgs/usernames | code-enum, passive, safe | ORG_STUB, SOCIAL | CODE_REPOSITORY, SOCIAL, URL_UNVERIFIED | @domwhewell-sage | 2024-03-12 | +| emailformat | scan | No | Query email-format.com for email addresses | email-enum, passive, safe | DNS_NAME | EMAIL_ADDRESS | @TheTechromancer | 2022-07-11 | +| extractous | scan | No | Module to extract data from files | passive, safe | FILESYSTEM | RAW_TEXT | @domwhewell-sage | 2024-06-03 | +| fullhunt | scan | Yes | Query the fullhunt.io API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-24 | +| git_clone | scan | No | Clone code github repositories | code-enum, passive, safe, slow | CODE_REPOSITORY | FILESYSTEM | @domwhewell-sage | 2024-03-08 | +| gitdumper | scan | No | Download a leaked .git folder recursively or by fuzzing common names | code-enum, passive, safe, slow | CODE_REPOSITORY | FILESYSTEM | @domwhewell-sage | 2025-02-11 | +| github_codesearch | scan | Yes | Query Github's API for code containing the target domain name | code-enum, passive, safe, subdomain-enum | DNS_NAME | CODE_REPOSITORY, URL_UNVERIFIED | @domwhewell-sage | 2023-12-14 | +| github_org | scan | No | Query Github's API for organization and member repositories | code-enum, passive, safe, subdomain-enum | ORG_STUB, SOCIAL | CODE_REPOSITORY | @domwhewell-sage | 2023-12-14 | +| github_usersearch | scan | Yes | Query Github's API for users with emails matching in scope domains that may not be discoverable by listing members of the organization. | code-enum, passive, safe | DNS_NAME | EMAIL_ADDRESS, SOCIAL | @domwhewell-sage | 2025-05-10 | +| github_workflows | scan | No | Download a github repositories workflow logs and workflow artifacts | code-enum, passive, safe | CODE_REPOSITORY | FILESYSTEM | @domwhewell-sage | 2024-04-29 | +| google_playstore | scan | No | Search for android applications on play.google.com | code-enum, passive, safe | CODE_REPOSITORY, ORG_STUB | MOBILE_APP | @domwhewell-sage | 2024-10-08 | +| hackertarget | scan | No | Query the hackertarget.com API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-28 | +| hunterio | scan | Yes | Query hunter.io for emails | email-enum, passive, safe, subdomain-enum | DNS_NAME | DNS_NAME, EMAIL_ADDRESS, URL_UNVERIFIED | @TheTechromancer | 2022-04-25 | +| ip2location | scan | Yes | Query IP2location.io's API for geolocation information. | passive, safe | IP_ADDRESS | GEOLOCATION | @TheTechromancer | 2023-09-12 | +| ipneighbor | scan | No | Look beside IPs in their surrounding subnet | aggressive, passive, subdomain-enum | IP_ADDRESS | IP_ADDRESS | @TheTechromancer | 2022-06-08 | +| ipstack | scan | Yes | Query IPStack's GeoIP API | passive, safe | IP_ADDRESS | GEOLOCATION | @tycoonslive | 2022-11-26 | +| jadx | scan | No | Decompile APKs and XAPKs using JADX | code-enum, passive, safe | FILESYSTEM | FILESYSTEM | @domwhewell-sage | 2024-11-04 | +| leakix | scan | No | Query leakix.net for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-11 | +| myssl | scan | No | Query myssl.com's API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2023-07-10 | +| otx | scan | No | Query otx.alienvault.com for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-24 | +| passivetotal | scan | Yes | Query the PassiveTotal API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-08 | +| pgp | scan | No | Query common PGP servers for email addresses | email-enum, passive, safe | DNS_NAME | EMAIL_ADDRESS | @TheTechromancer | 2022-08-10 | +| portfilter | scan | No | Filter out unwanted open ports from cloud/CDN targets | passive, safe | OPEN_TCP_PORT, URL, URL_UNVERIFIED | | @TheTechromancer | 2025-01-06 | +| postman | scan | No | Query Postman's API for related workspaces, collections, requests and download them | code-enum, passive, safe, subdomain-enum | ORG_STUB, SOCIAL | CODE_REPOSITORY | @domwhewell-sage | 2024-09-07 | +| postman_download | scan | No | Download workspaces, collections, requests from Postman | code-enum, passive, safe, subdomain-enum | CODE_REPOSITORY | FILESYSTEM | @domwhewell-sage | 2024-09-07 | +| rapiddns | scan | No | Query rapiddns.io for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-24 | +| securitytrails | scan | Yes | Query the SecurityTrails API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-03 | +| shodan_dns | scan | Yes | Query Shodan for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-03 | +| shodan_idb | scan | No | Query Shodan's InternetDB for open ports, hostnames, technologies, and vulnerabilities | passive, portscan, safe, subdomain-enum | DNS_NAME, IP_ADDRESS | DNS_NAME, FINDING, OPEN_TCP_PORT, TECHNOLOGY, VULNERABILITY | @TheTechromancer | 2023-12-22 | +| sitedossier | scan | No | Query sitedossier.com for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2023-08-04 | +| skymem | scan | No | Query skymem.info for email addresses | email-enum, passive, safe | DNS_NAME | EMAIL_ADDRESS | @TheTechromancer | 2022-07-11 | +| social | scan | No | Look for social media links in webpages | passive, safe, social-enum | URL_UNVERIFIED | SOCIAL | @TheTechromancer | 2023-03-28 | +| subdomaincenter | scan | No | Query subdomain.center's API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2023-07-26 | +| subdomainradar | scan | Yes | Query the Subdomain API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-08 | +| trickest | scan | Yes | Query Trickest's API for subdomains | affiliates, passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @amiremami | 2024-07-27 | +| trufflehog | scan | No | TruffleHog is a tool for finding credentials | code-enum, passive, safe | CODE_REPOSITORY, FILESYSTEM, HTTP_RESPONSE, RAW_TEXT | FINDING, VULNERABILITY | @domwhewell-sage | 2024-03-12 | +| urlscan | scan | No | Query urlscan.io for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME, URL_UNVERIFIED | @TheTechromancer | 2022-06-09 | +| viewdns | scan | No | Query viewdns.info's reverse whois for related domains | affiliates, passive, safe | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-07-04 | +| virustotal | scan | Yes | Query VirusTotal's API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-25 | +| wayback | scan | No | Query archive.org's API for subdomains | passive, safe, subdomain-enum | DNS_NAME | DNS_NAME, URL_UNVERIFIED | @liquidsec | 2022-04-01 | +| zoomeye | scan | Yes | Query ZoomEye's API for subdomains | affiliates, passive, safe, subdomain-enum | DNS_NAME | DNS_NAME | @TheTechromancer | 2022-08-03 | +| asset_inventory | output | No | Merge hosts, open ports, technologies, findings, etc. into a single asset inventory CSV | | DNS_NAME, FINDING, HTTP_RESPONSE, IP_ADDRESS, OPEN_TCP_PORT, TECHNOLOGY, URL, VULNERABILITY, WAF | IP_ADDRESS, OPEN_TCP_PORT | @liquidsec | 2022-09-30 | +| csv | output | No | Output to CSV | | * | | @TheTechromancer | 2022-04-07 | +| discord | output | No | Message a Discord channel when certain events are encountered | | * | | @TheTechromancer | 2023-08-14 | +| emails | output | No | Output any email addresses found belonging to the target domain | email-enum | EMAIL_ADDRESS | | @domwhewell-sage | 2023-12-23 | +| http | output | No | Send every event to a custom URL via a web request | | * | | @TheTechromancer | 2022-04-13 | +| json | output | No | Output to Newline-Delimited JSON (NDJSON) | | * | | @TheTechromancer | 2022-04-07 | +| mysql | output | No | Output scan data to a MySQL database | | * | | @TheTechromancer | 2024-11-13 | +| neo4j | output | No | Output to Neo4j | | * | | @TheTechromancer | 2022-04-07 | +| nmap_xml | output | No | Output to Nmap XML | | DNS_NAME, HTTP_RESPONSE, IP_ADDRESS, OPEN_TCP_PORT, PROTOCOL | | @TheTechromancer | 2024-11-16 | +| postgres | output | No | Output scan data to a SQLite database | | * | | @TheTechromancer | 2024-11-08 | +| python | output | No | Output via Python API | | * | | @TheTechromancer | 2022-09-13 | +| slack | output | No | Message a Slack channel when certain events are encountered | | * | | @TheTechromancer | 2023-08-14 | +| splunk | output | No | Send every event to a splunk instance through HTTP Event Collector | | * | | @w0Tx | 2024-02-17 | +| sqlite | output | No | Output scan data to a SQLite database | | * | | @TheTechromancer | 2024-11-07 | +| stdout | output | No | Output to text | | * | | @TheTechromancer | 2024-04-03 | +| subdomains | output | No | Output only resolved, in-scope subdomains | subdomain-enum | DNS_NAME, DNS_NAME_UNRESOLVED | | @TheTechromancer | 2023-07-31 | +| teams | output | No | Message a Teams channel when certain events are encountered | | * | | @TheTechromancer | 2023-08-14 | +| txt | output | No | Output to text | | * | | @TheTechromancer | 2024-04-03 | +| web_parameters | output | No | Output WEB_PARAMETER names to a file | | WEB_PARAMETER | | @liquidsec | 2025-01-25 | +| web_report | output | No | Create a markdown report with web assets | | FINDING, TECHNOLOGY, URL, VHOST, VULNERABILITY | | @liquidsec | 2023-02-08 | +| websocket | output | No | Output to websockets | | * | | @TheTechromancer | 2022-04-15 | +| cloudcheck | internal | No | Tag events by cloud provider, identify cloud resources like storage buckets | | * | | @TheTechromancer | 2024-07-07 | +| dnsresolve | internal | No | Perform DNS resolution | | * | DNS_NAME, IP_ADDRESS, RAW_DNS_RECORD | @TheTechromancer | 2022-04-08 | +| aggregate | internal | No | Summarize statistics at the end of a scan | passive, safe | | | @TheTechromancer | 2022-07-25 | +| excavate | internal | No | Passively extract juicy tidbits from scan data | passive | HTTP_RESPONSE, RAW_TEXT | URL_UNVERIFIED, WEB_PARAMETER | @liquidsec | 2022-06-27 | +| speculate | internal | No | Derive certain event types from others by common sense | passive | AZURE_TENANT, DNS_NAME, DNS_NAME_UNRESOLVED, HTTP_RESPONSE, IP_ADDRESS, IP_RANGE, SOCIAL, STORAGE_BUCKET, URL, URL_UNVERIFIED, USERNAME | DNS_NAME, FINDING, IP_ADDRESS, OPEN_TCP_PORT, ORG_STUB | @liquidsec | 2022-05-03 | +| unarchive | internal | No | Extract different types of files into folders on the filesystem | passive, safe | FILESYSTEM | FILESYSTEM | @domwhewell-sage | 2024-12-08 | For a list of module config options, see [Module Options](../scanning/configuration.md#module-config-options). diff --git a/docs/modules/nuclei.md b/docs/modules/nuclei.md index 5925ec1772..cd59127cfe 100644 --- a/docs/modules/nuclei.md +++ b/docs/modules/nuclei.md @@ -52,7 +52,7 @@ The Nuclei module has many configuration options: | modules.nuclei.silent | bool | Don't display nuclei's banner or status messages | False | | modules.nuclei.tags | str | execute a subset of templates that contain the provided tags | | | modules.nuclei.templates | str | template or template directory paths to include in the scan | | -| modules.nuclei.version | str | nuclei version | 3.4.2 | +| modules.nuclei.version | str | nuclei version | 3.4.7 | Most of these you probably will **NOT** want to change. In particular, we advise against changing the version of Nuclei, as it's possible the latest version won't work right with BBOT. diff --git a/docs/scanning/advanced.md b/docs/scanning/advanced.md index f6d9a57619..835c73b854 100644 --- a/docs/scanning/advanced.md +++ b/docs/scanning/advanced.md @@ -32,13 +32,22 @@ if __name__ == "__main__": ```text -usage: bbot [-h] [-t TARGET [TARGET ...]] [-w WHITELIST [WHITELIST ...]] [-b BLACKLIST [BLACKLIST ...]] [--strict-scope] [-p [PRESET ...]] - [-c [CONFIG ...]] [-lp] [-m MODULE [MODULE ...]] [-l] [-lmo] [-em MODULE [MODULE ...]] [-f FLAG [FLAG ...]] [-lf] - [-rf FLAG [FLAG ...]] [-ef FLAG [FLAG ...]] [--allow-deadly] [-n SCAN_NAME] [-v] [-d] [-s] [--force] [-y] [--fast-mode] - [--dry-run] [--current-preset] [--current-preset-full] [-mh MODULE] [-o DIR] [-om MODULE [MODULE ...]] [-lo] [--json] [--brief] - [--event-types EVENT_TYPES [EVENT_TYPES ...]] [--exclude-cdn] [--no-deps | --force-deps | --retry-deps | --ignore-failed-deps | - --install-all-deps] [--version] [--proxy HTTP_PROXY] [-H CUSTOM_HEADERS [CUSTOM_HEADERS ...]] - [-C CUSTOM_COOKIES [CUSTOM_COOKIES ...]] [--custom-yara-rules CUSTOM_YARA_RULES] [--user-agent USER_AGENT] +usage: bbot [-h] [-t TARGET [TARGET ...]] [-w WHITELIST [WHITELIST ...]] + [-b BLACKLIST [BLACKLIST ...]] [--strict-scope] + [-p [PRESET ...]] [-c [CONFIG ...]] [-lp] + [-m MODULE [MODULE ...]] [-l] [-lmo] [-em MODULE [MODULE ...]] + [-f FLAG [FLAG ...]] [-lf] [-rf FLAG [FLAG ...]] + [-ef FLAG [FLAG ...]] [--allow-deadly] [-n SCAN_NAME] [-v] [-d] + [-s] [--force] [-y] [--fast-mode] [--dry-run] + [--current-preset] [--current-preset-full] [-mh MODULE] + [-o DIR] [-om MODULE [MODULE ...]] [-lo] [--json] [--brief] + [--event-types EVENT_TYPES [EVENT_TYPES ...]] [--exclude-cdn] + [--no-deps | --force-deps | --retry-deps | + --ignore-failed-deps | --install-all-deps] [--version] + [--proxy HTTP_PROXY] [-H CUSTOM_HEADERS [CUSTOM_HEADERS ...]] + [-C CUSTOM_COOKIES [CUSTOM_COOKIES ...]] + [--custom-yara-rules CUSTOM_YARA_RULES] + [--user-agent USER_AGENT] Bighuge BLS OSINT Tool @@ -63,14 +72,14 @@ Presets: Modules: -m, --modules MODULE [MODULE ...] - Modules to enable. Choices: affiliates,ajaxpro,anubisdb,apkpure,asn,azure_realm,azure_tenant,baddns,baddns_direct,baddns_zone,badsecrets,bevigil,bucket_amazon,bucket_azure,bucket_digitalocean,bucket_file_enum,bucket_firebase,bucket_google,bufferoverrun,builtwith,bypass403,c99,censys,certspotter,chaos,code_repository,credshed,crt,crt_db,dehashed,digitorus,dnsbimi,dnsbrute,dnsbrute_mutations,dnscaa,dnscommonsrv,dnsdumpster,dnstlsrpt,docker_pull,dockerhub,dotnetnuke,emailformat,extractous,ffuf,ffuf_shortnames,filedownload,fingerprintx,fullhunt,generic_ssrf,git,git_clone,gitdumper,github_codesearch,github_org,github_usersearch,github_workflows,gitlab,google_playstore,gowitness,hackertarget,host_header,httpx,hunt,hunterio,iis_shortnames,ip2location,ipneighbor,ipstack,jadx,leakix,lightfuzz,medusa,myssl,newsletters,ntlm,nuclei,oauth,otx,paramminer_cookies,paramminer_getparams,paramminer_headers,passivetotal,pgp,portfilter,portscan,postman,postman_download,rapiddns,reflected_parameters,robots,securitytrails,securitytxt,shodan_dns,shodan_idb,sitedossier,skymem,smuggler,social,sslcert,subdomaincenter,subdomainradar,telerik,trickest,trufflehog,url_manipulation,urlscan,vhost,viewdns,virustotal,wafw00f,wappalyzer,wayback,wpscan,zoomeye + Modules to enable. Choices: affiliates,ajaxpro,anubisdb,apkpure,asn,aspnet_bin_exposure,azure_realm,azure_tenant,baddns,baddns_direct,baddns_zone,badsecrets,bevigil,bucket_amazon,bucket_azure,bucket_digitalocean,bucket_file_enum,bucket_firebase,bucket_google,bufferoverrun,builtwith,bypass403,c99,censys,certspotter,chaos,code_repository,credshed,crt,crt_db,dehashed,digitorus,dnsbimi,dnsbrute,dnsbrute_mutations,dnscaa,dnscommonsrv,dnsdumpster,dnstlsrpt,docker_pull,dockerhub,dotnetnuke,emailformat,extractous,ffuf,ffuf_shortnames,filedownload,fingerprintx,fullhunt,generic_ssrf,git,git_clone,gitdumper,github_codesearch,github_org,github_usersearch,github_workflows,gitlab,google_playstore,gowitness,graphql_introspection,hackertarget,host_header,httpx,hunt,hunterio,iis_shortnames,ip2location,ipneighbor,ipstack,jadx,leakix,lightfuzz,medusa,myssl,newsletters,ntlm,nuclei,oauth,otx,paramminer_cookies,paramminer_getparams,paramminer_headers,passivetotal,pgp,portfilter,portscan,postman,postman_download,rapiddns,reflected_parameters,robots,securitytrails,securitytxt,shodan_dns,shodan_idb,sitedossier,skymem,smuggler,social,sslcert,subdomaincenter,subdomainradar,telerik,trickest,trufflehog,url_manipulation,urlscan,vhost,viewdns,virustotal,wafw00f,wappalyzer,wayback,wpscan,zoomeye -l, --list-modules List available modules. -lmo, --list-module-options Show all module config options -em, --exclude-modules MODULE [MODULE ...] Exclude these modules. -f, --flags FLAG [FLAG ...] - Enable modules by flag. Choices: active,affiliates,aggressive,baddns,cloud-enum,code-enum,deadly,email-enum,iis-shortnames,passive,portscan,report,safe,service-enum,slow,social-enum,subdomain-enum,subdomain-hijack,web-basic,web-paramminer,web-screenshots,web-thorough + Enable modules by flag. Choices: active,affiliates,aggressive,baddns,cloud-enum,code-enum,deadly,email-enum,iis-shortnames,passive,portscan,safe,service-enum,slow,social-enum,subdomain-enum,subdomain-hijack,web-basic,web-paramminer,web-screenshots,web-thorough -lf, --list-flags List available flags. -rf, --require-flags FLAG [FLAG ...] Only enable modules with these flags (e.g. -rf passive) diff --git a/docs/scanning/configuration.md b/docs/scanning/configuration.md index 1c684f31a0..fc7279651d 100644 --- a/docs/scanning/configuration.md +++ b/docs/scanning/configuration.md @@ -355,274 +355,277 @@ In addition to the stated options for each module, the following universal optio ### Module Options -| Config Option | Type | Description | Default | -|------------------------------------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| modules.baddns.custom_nameservers | list | Force BadDNS to use a list of custom nameservers | [] | -| modules.baddns.enabled_submodules | list | A list of submodules to enable. Empty list (default) enables CNAME, TXT and MX Only | [] | -| modules.baddns.only_high_confidence | bool | Do not emit low-confidence or generic detections | False | -| modules.baddns_direct.custom_nameservers | list | Force BadDNS to use a list of custom nameservers | [] | -| modules.baddns_zone.custom_nameservers | list | Force BadDNS to use a list of custom nameservers | [] | -| modules.baddns_zone.only_high_confidence | bool | Do not emit low-confidence or generic detections | False | -| modules.badsecrets.custom_secrets | NoneType | Include custom secrets loaded from a local file | None | -| modules.bucket_amazon.permutations | bool | Whether to try permutations | False | -| modules.bucket_azure.permutations | bool | Whether to try permutations | False | -| modules.bucket_digitalocean.permutations | bool | Whether to try permutations | False | -| modules.bucket_firebase.permutations | bool | Whether to try permutations | False | -| modules.bucket_google.permutations | bool | Whether to try permutations | False | -| modules.dnsbrute.max_depth | int | How many subdomains deep to brute force, i.e. 5.4.3.2.1.evilcorp.com | 5 | -| modules.dnsbrute.wordlist | str | Subdomain wordlist URL | https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt | -| modules.dnsbrute_mutations.max_mutations | int | Maximum number of target-specific mutations to try per subdomain | 100 | -| modules.dnscommonsrv.max_depth | int | The maximum subdomain depth to brute-force SRV records | 2 | -| modules.ffuf.extensions | str | Optionally include a list of extensions to extend the keyword with (comma separated) | | -| modules.ffuf.ignore_case | bool | Only put lowercase words into the wordlist | False | -| modules.ffuf.lines | int | take only the first N lines from the wordlist when finding directories | 5000 | -| modules.ffuf.max_depth | int | the maximum directory depth to attempt to solve | 0 | -| modules.ffuf.rate | int | Rate of requests per second (default: 0) | 0 | -| modules.ffuf.wordlist | str | Specify wordlist to use when finding directories | https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/raft-small-directories.txt | -| modules.ffuf_shortnames.extensions | str | Optionally include a list of extensions to extend the keyword with (comma separated) | | -| modules.ffuf_shortnames.find_common_prefixes | bool | Attempt to automatically detect common prefixes and make additional ffuf runs against them | False | -| modules.ffuf_shortnames.find_delimiters | bool | Attempt to detect common delimiters and make additional ffuf runs against them | True | -| modules.ffuf_shortnames.find_subwords | bool | Attempt to detect subwords and make additional ffuf runs against them | False | -| modules.ffuf_shortnames.ignore_redirects | bool | Explicitly ignore redirects (301,302) | True | -| modules.ffuf_shortnames.max_depth | int | the maximum directory depth to attempt to solve | 1 | -| modules.ffuf_shortnames.max_predictions | int | The maximum number of predictions to generate per shortname prefix | 250 | -| modules.ffuf_shortnames.rate | int | Rate of requests per second (default: 0) | 0 | -| modules.ffuf_shortnames.version | str | ffuf version | 2.0.0 | -| modules.ffuf_shortnames.wordlist_extensions | str | Specify wordlist to use when making extension lists | | -| modules.filedownload.extensions | list | File extensions to download | ['bak', 'bash', 'bashrc', 'cfg', 'conf', 'crt', 'csv', 'db', 'dll', 'doc', 'docx', 'exe', 'ica', 'indd', 'ini', 'jar', 'json', 'key', 'log', 'markdown', 'md', 'msi', 'odg', 'odp', 'ods', 'odt', 'pdf', 'pem', 'pps', 'ppsx', 'ppt', 'pptx', 'ps1', 'pub', 'raw', 'rdp', 'rsa', 'sh', 'sql', 'sqlite', 'swp', 'sxw', 'tar.gz', 'tgz', 'tar', 'txt', 'vbs', 'war', 'wpd', 'xls', 'xlsx', 'xml', 'yaml', 'yml', 'zip', 'lzma', 'rar', '7z', 'xz', 'bz2'] | -| modules.filedownload.max_filesize | str | Cancel download if filesize is greater than this size | 10MB | -| modules.filedownload.output_folder | str | Folder to download files to. If not specified, downloaded files will be deleted when the scan completes, to minimize disk usage. | | -| modules.fingerprintx.skip_common_web | bool | Skip common web ports such as 80, 443, 8080, 8443, etc. | True | -| modules.fingerprintx.version | str | fingerprintx version | 1.1.4 | -| modules.generic_ssrf.skip_dns_interaction | bool | Do not report DNS interactions (only HTTP interaction) | False | -| modules.gitlab.api_key | str | Gitlab access token | | -| modules.gowitness.idle_timeout | int | Skip the current gowitness batch if it stalls for longer than this many seconds | 1800 | -| modules.gowitness.output_path | str | Where to save screenshots | | -| modules.gowitness.resolution_x | int | Screenshot resolution x | 1440 | -| modules.gowitness.resolution_y | int | Screenshot resolution y | 900 | -| modules.gowitness.social | bool | Whether to screenshot social media webpages | False | -| modules.gowitness.threads | int | How many gowitness threads to spawn (default is number of CPUs x 2) | 0 | -| modules.gowitness.timeout | int | Preflight check timeout | 10 | -| modules.gowitness.version | str | Gowitness version | 2.4.2 | -| modules.httpx.in_scope_only | bool | Only visit web reparents that are in scope. | True | -| modules.httpx.max_response_size | int | Max response size in bytes | 5242880 | -| modules.httpx.probe_all_ips | bool | Probe all the ips associated with same host | False | -| modules.httpx.store_responses | bool | Save raw HTTP responses to scan folder | False | -| modules.httpx.threads | int | Number of httpx threads to use | 50 | -| modules.httpx.version | str | httpx version | 1.2.5 | -| modules.iis_shortnames.detect_only | bool | Only detect the vulnerability and do not run the shortname scanner | True | -| modules.iis_shortnames.max_node_count | int | Limit how many nodes to attempt to resolve on any given recursion branch | 50 | -| modules.iis_shortnames.speculate_magic_urls | bool | Attempt to discover iis 'magic' special folders | True | -| modules.lightfuzz.disable_post | bool | Disable processing of POST parameters, avoiding form submissions. | False | -| modules.lightfuzz.enabled_submodules | list | A list of submodules to enable. Empty list enabled all modules. | ['sqli', 'cmdi', 'xss', 'path', 'ssti', 'crypto', 'serial'] | -| modules.lightfuzz.force_common_headers | bool | Force emit commonly exploitable parameters that may be difficult to detect | False | -| modules.medusa.snmp_versions | list | List of SNMP versions to attempt against the SNMP server (default ['1', '2C']) | ['1', '2C'] | -| modules.medusa.snmp_wordlist | str | Wordlist url for SNMP community strings, newline separated (default https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/SNMP/snmp.txt) | https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/SNMP/common-snmp-community-strings.txt | -| modules.medusa.threads | int | Number of communities to be tested concurrently (default 5) | 5 | -| modules.medusa.timeout_s | int | Wait time for the SNMP response(s) once at the end of all attempts (default 5) | 5 | -| modules.medusa.wait_microseconds | int | Wait time after every SNMP request in microseconds (default 200) | 200 | -| modules.ntlm.try_all | bool | Try every NTLM endpoint | False | -| modules.nuclei.batch_size | int | Number of targets to send to Nuclei per batch (default 200) | 200 | -| modules.nuclei.budget | int | Used in budget mode to set the number of allowed requests per host | 1 | -| modules.nuclei.concurrency | int | maximum number of templates to be executed in parallel (default 25) | 25 | -| modules.nuclei.directory_only | bool | Filter out 'file' URL event (default True) | True | -| modules.nuclei.etags | str | tags to exclude from the scan | | -| modules.nuclei.mode | str | manual | technology | severe | budget. Technology: Only activate based on technology events that match nuclei tags (nuclei -as mode). Manual (DEFAULT): Fully manual settings. Severe: Only critical and high severity templates without intrusive. Budget: Limit Nuclei to a specified number of HTTP requests | manual | -| modules.nuclei.module_timeout | int | Max time in seconds to spend handling each batch of events | 21600 | -| modules.nuclei.ratelimit | int | maximum number of requests to send per second (default 150) | 150 | -| modules.nuclei.retries | int | number of times to retry a failed request (default 0) | 0 | -| modules.nuclei.severity | str | Filter based on severity field available in the template. | | -| modules.nuclei.silent | bool | Don't display nuclei's banner or status messages | False | -| modules.nuclei.tags | str | execute a subset of templates that contain the provided tags | | -| modules.nuclei.templates | str | template or template directory paths to include in the scan | | -| modules.nuclei.version | str | nuclei version | 3.4.2 | -| modules.oauth.try_all | bool | Check for OAUTH/IODC on every subdomain and URL. | False | -| modules.paramminer_cookies.recycle_words | bool | Attempt to use words found during the scan on all other endpoints | False | -| modules.paramminer_cookies.skip_boring_words | bool | Remove commonly uninteresting words from the wordlist | True | -| modules.paramminer_cookies.wordlist | str | Define the wordlist to be used to derive cookies | | -| modules.paramminer_getparams.recycle_words | bool | Attempt to use words found during the scan on all other endpoints | False | -| modules.paramminer_getparams.skip_boring_words | bool | Remove commonly uninteresting words from the wordlist | True | -| modules.paramminer_getparams.wordlist | str | Define the wordlist to be used to derive headers | | -| modules.paramminer_headers.recycle_words | bool | Attempt to use words found during the scan on all other endpoints | False | -| modules.paramminer_headers.skip_boring_words | bool | Remove commonly uninteresting words from the wordlist | True | -| modules.paramminer_headers.wordlist | str | Define the wordlist to be used to derive headers | | -| modules.portscan.adapter | str | Manually specify a network interface, such as "eth0" or "tun0". If not specified, the first network interface found with a default gateway will be used. | | -| modules.portscan.adapter_ip | str | Send packets using this IP address. Not needed unless masscan's autodetection fails | | -| modules.portscan.adapter_mac | str | Send packets using this as the source MAC address. Not needed unless masscan's autodetection fails | | -| modules.portscan.module_timeout | int | Max time in seconds to spend handling each batch of events | 259200 | -| modules.portscan.ping_first | bool | Only portscan hosts that reply to pings | False | -| modules.portscan.ping_only | bool | Ping sweep only, no portscan | False | -| modules.portscan.ports | str | Ports to scan | | -| modules.portscan.rate | int | Rate in packets per second | 300 | -| modules.portscan.router_mac | str | Send packets to this MAC address as the destination. Not needed unless masscan's autodetection fails | | -| modules.portscan.top_ports | int | Top ports to scan (default 100) (to override, specify 'ports') | 100 | -| modules.portscan.wait | int | Seconds to wait for replies after scan is complete | 5 | -| modules.robots.include_allow | bool | Include 'Allow' Entries | True | -| modules.robots.include_disallow | bool | Include 'Disallow' Entries | True | -| modules.robots.include_sitemap | bool | Include 'sitemap' entries | False | -| modules.securitytxt.emails | bool | emit EMAIL_ADDRESS events | True | -| modules.securitytxt.urls | bool | emit URL_UNVERIFIED events | True | -| modules.sslcert.skip_non_ssl | bool | Don't try common non-SSL ports | True | -| modules.sslcert.timeout | float | Socket connect timeout in seconds | 5.0 | -| modules.telerik.exploit_RAU_crypto | bool | Attempt to confirm any RAU AXD detections are vulnerable | False | -| modules.telerik.include_subdirs | bool | Include subdirectories in the scan (off by default) | False | -| modules.url_manipulation.allow_redirects | bool | Allowing redirects will sometimes create false positives. Disallowing will sometimes create false negatives. Allowed by default. | True | -| modules.vhost.force_basehost | str | Use a custom base host (e.g. evilcorp.com) instead of the default behavior of using the current URL | | -| modules.vhost.lines | int | take only the first N lines from the wordlist when finding directories | 5000 | -| modules.vhost.wordlist | str | Wordlist containing subdomains | https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt | -| modules.wafw00f.generic_detect | bool | When no specific WAF detections are made, try to perform a generic detect | True | -| modules.wpscan.api_key | str | WPScan API Key | | -| modules.wpscan.connection_timeout | int | The connection timeout in seconds (default 2) | 2 | -| modules.wpscan.disable_tls_checks | bool | Disables the SSL/TLS certificate verification (Default True) | True | -| modules.wpscan.enumerate | str | Enumeration Process see wpscan help documentation (default: vp,vt,cb,dbe) | vp,vt,cb,dbe | -| modules.wpscan.force | bool | Do not check if the target is running WordPress or returns a 403 | False | -| modules.wpscan.request_timeout | int | The request timeout in seconds (default 5) | 5 | -| modules.wpscan.threads | int | How many wpscan threads to spawn (default is 5) | 5 | -| modules.anubisdb.limit | int | Limit the number of subdomains returned per query (increasing this may slow the scan due to garbage results from this API) | 1000 | -| modules.apkpure.output_folder | str | Folder to download APKs to. If not specified, downloaded APKs will be deleted when the scan completes, to minimize disk usage. | | -| modules.bevigil.api_key | str | BeVigil OSINT API Key | | -| modules.bevigil.urls | bool | Emit URLs in addition to DNS_NAMEs | False | -| modules.bucket_file_enum.file_limit | int | Limit the number of files downloaded per bucket | 50 | -| modules.bufferoverrun.api_key | str | BufferOverrun API key | | -| modules.bufferoverrun.commercial | bool | Use commercial API | False | -| modules.builtwith.api_key | str | Builtwith API key | | -| modules.builtwith.redirects | bool | Also look up inbound and outbound redirects | True | -| modules.c99.api_key | str | c99.nl API key | | -| modules.censys.api_key | str | Censys.io API Key in the format of 'key:secret' | | -| modules.censys.max_pages | int | Maximum number of pages to fetch (100 results per page) | 5 | -| modules.chaos.api_key | str | Chaos API key | | -| modules.credshed.credshed_url | str | URL of credshed server | | -| modules.credshed.password | str | Credshed password | | -| modules.credshed.username | str | Credshed username | | -| modules.dehashed.api_key | str | DeHashed API Key | | -| modules.dnsbimi.emit_raw_dns_records | bool | Emit RAW_DNS_RECORD events | False | -| modules.dnsbimi.emit_urls | bool | Emit URL_UNVERIFIED events | True | -| modules.dnsbimi.selectors | str | CSV list of BIMI selectors to check | default,email,mail,bimi | -| modules.dnscaa.dns_names | bool | emit DNS_NAME events | True | -| modules.dnscaa.emails | bool | emit EMAIL_ADDRESS events | True | -| modules.dnscaa.in_scope_only | bool | Only check in-scope domains | True | -| modules.dnscaa.urls | bool | emit URL_UNVERIFIED events | True | -| modules.dnstlsrpt.emit_emails | bool | Emit EMAIL_ADDRESS events | True | -| modules.dnstlsrpt.emit_raw_dns_records | bool | Emit RAW_DNS_RECORD events | False | -| modules.dnstlsrpt.emit_urls | bool | Emit URL_UNVERIFIED events | True | -| modules.dnstlsrpt.emit_vulnerabilities | bool | Emit VULNERABILITY events | True | -| modules.docker_pull.all_tags | bool | Download all tags from each registry (Default False) | False | -| modules.docker_pull.output_folder | str | Folder to download docker repositories to. If not specified, downloaded docker images will be deleted when the scan completes, to minimize disk usage. | | -| modules.extractous.extensions | list | File extensions to parse | ['bak', 'bash', 'bashrc', 'conf', 'cfg', 'crt', 'csv', 'db', 'sqlite', 'doc', 'docx', 'ica', 'indd', 'ini', 'json', 'key', 'pub', 'log', 'markdown', 'md', 'odg', 'odp', 'ods', 'odt', 'pdf', 'pem', 'pps', 'ppsx', 'ppt', 'pptx', 'ps1', 'rdp', 'rsa', 'sh', 'sql', 'swp', 'sxw', 'txt', 'vbs', 'wpd', 'xls', 'xlsx', 'xml', 'yml', 'yaml'] | -| modules.fullhunt.api_key | str | FullHunt API Key | | -| modules.git_clone.api_key | str | Github token | | -| modules.git_clone.output_folder | str | Folder to clone repositories to. If not specified, cloned repositories will be deleted when the scan completes, to minimize disk usage. | | -| modules.gitdumper.fuzz_tags | bool | Fuzz for common git tag names (v0.0.1, 0.0.2, etc.) up to the max_semanic_version | False | -| modules.gitdumper.max_semanic_version | int |` Maximum version number to fuzz for (default < v10.10.10) `| 10 | -| modules.gitdumper.output_folder | str | Folder to download repositories to. If not specified, downloaded repositories will be deleted when the scan completes, to minimize disk usage. | | -| modules.github_codesearch.api_key | str | Github token | | -| modules.github_codesearch.limit | int | Limit code search to this many results | 100 | -| modules.github_org.api_key | str | Github token | | -| modules.github_org.include_member_repos | bool | Also enumerate organization members' repositories | False | -| modules.github_org.include_members | bool | Enumerate organization members | True | -| modules.github_usersearch.api_key | str | Github token | | -| modules.github_workflows.api_key | str | Github token | | -| modules.github_workflows.num_logs | int | For each workflow fetch the last N successful runs logs (max 100) | 1 | -| modules.github_workflows.output_folder | str | Folder to download workflow logs and artifacts to | | -| modules.hunterio.api_key | str | Hunter.IO API key | | -| modules.ip2location.api_key | str | IP2location.io API Key | | -| modules.ip2location.lang | str | Translation information(ISO639-1). The translation is only applicable for continent, country, region and city name. | | -| modules.ipneighbor.num_bits | int | Netmask size (in CIDR notation) to check. Default is 4 bits (16 hosts) | 4 | -| modules.ipstack.api_key | str | IPStack GeoIP API Key | | -| modules.jadx.threads | int | Maximum jadx threads for extracting apk's, default: 4 | 4 | -| modules.leakix.api_key | str | LeakIX API Key | | -| modules.passivetotal.api_key | str | PassiveTotal API Key in the format of 'username:api_key' | | -| modules.pgp.search_urls | list | PGP key servers to search |` ['https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&op=vindex&search=', 'http://the.earth.li:11371/pks/lookup?fingerprint=on&op=vindex&search=', 'https://pgpkeys.eu/pks/lookup?search=&op=index', 'https://pgp.mit.edu/pks/lookup?search=&op=index'] `| -| modules.portfilter.allowed_cdn_ports | str | Comma-separated list of ports that are allowed to be scanned for CDNs | 80,443 | -| modules.portfilter.cdn_tags | str | Comma-separated list of tags to skip, e.g. 'cdn,cloud' | cdn- | -| modules.postman.api_key | str | Postman API Key | | -| modules.postman_download.api_key | str | Postman API Key | | -| modules.postman_download.output_folder | str | Folder to download postman workspaces to. If not specified, downloaded workspaces will be deleted when the scan completes, to minimize disk usage. | | -| modules.securitytrails.api_key | str | SecurityTrails API key | | -| modules.shodan_dns.api_key | str | Shodan API key | | -| modules.shodan_idb.retries | NoneType | How many times to retry API requests (e.g. after a 429 error). Overrides the global web.api_retries setting. | None | -| modules.subdomainradar.api_key | str | SubDomainRadar.io API key | | -| modules.subdomainradar.group | str | The enumeration group to use. Choose from fast, medium, deep | fast | -| modules.subdomainradar.timeout | int | Timeout in seconds | 120 | -| modules.trickest.api_key | str | Trickest API key | | -| modules.trufflehog.concurrency | int | Number of concurrent workers | 8 | -| modules.trufflehog.config | str | File path or URL to YAML trufflehog config | | -| modules.trufflehog.deleted_forks | bool | Scan for deleted github forks. WARNING: This is SLOW. For a smaller repository, this process can take 20 minutes. For a larger repository, it could take hours. | False | -| modules.trufflehog.only_verified | bool | Only report credentials that have been verified | True | -| modules.trufflehog.version | str | trufflehog version | 3.88.34 | -| modules.urlscan.urls | bool | Emit URLs in addition to DNS_NAMEs | False | -| modules.virustotal.api_key | str | VirusTotal API Key | | -| modules.wayback.garbage_threshold | int | Dedupe similar urls if they are in a group of this size or higher (lower values == less garbage data) | 10 | -| modules.wayback.urls | bool | emit URLs in addition to DNS_NAMEs | False | -| modules.zoomeye.api_key | str | ZoomEye API key | | -| modules.zoomeye.include_related | bool | Include domains which may be related to the target | False | -| modules.zoomeye.max_pages | int | How many pages of results to fetch | 20 | -| modules.asset_inventory.output_file | str | Set a custom output file | | -| modules.asset_inventory.recheck | bool | When use_previous=True, don't retain past details like open ports or findings. Instead, allow them to be rediscovered by the new scan | False | -| modules.asset_inventory.summary_netmask | int | Subnet mask to use when summarizing IP addresses at end of scan | 16 | -| modules.asset_inventory.use_previous | bool |` Emit previous asset inventory as new events (use in conjunction with -n ) `| False | -| modules.csv.output_file | str | Output to CSV file | | -| modules.discord.event_types | list | Types of events to send | ['VULNERABILITY', 'FINDING'] | -| modules.discord.min_severity | str | Only allow VULNERABILITY events of this severity or higher | LOW | -| modules.discord.retries | int | Number of times to retry sending the message before skipping the event | 10 | -| modules.discord.webhook_url | str | Discord webhook URL | | -| modules.emails.output_file | str | Output to file | | -| modules.http.bearer | str | Authorization Bearer token | | -| modules.http.method | str | HTTP method | POST | -| modules.http.password | str | Password (basic auth) | | -| modules.http.siem_friendly | bool | Format JSON in a SIEM-friendly way for ingestion into Elastic, Splunk, etc. | False | -| modules.http.timeout | int | HTTP timeout | 10 | -| modules.http.url | str | Web URL | | -| modules.http.username | str | Username (basic auth) | | -| modules.json.output_file | str | Output to file | | -| modules.json.siem_friendly | bool | Output JSON in a SIEM-friendly format for ingestion into Elastic, Splunk, etc. | False | -| modules.mysql.database | str | The database name to connect to | bbot | -| modules.mysql.host | str | The server running MySQL | localhost | -| modules.mysql.password | str | The password to connect to MySQL | bbotislife | -| modules.mysql.port | int | The port to connect to MySQL | 3306 | -| modules.mysql.username | str | The username to connect to MySQL | root | -| modules.neo4j.password | str | Neo4j password | bbotislife | -| modules.neo4j.uri | str | Neo4j server + port | bolt://localhost:7687 | -| modules.neo4j.username | str | Neo4j username | neo4j | -| modules.postgres.database | str | The database name to connect to | bbot | -| modules.postgres.host | str | The server running Postgres | localhost | -| modules.postgres.password | str | The password to connect to Postgres | bbotislife | -| modules.postgres.port | int | The port to connect to Postgres | 5432 | -| modules.postgres.username | str | The username to connect to Postgres | postgres | -| modules.slack.event_types | list | Types of events to send | ['VULNERABILITY', 'FINDING'] | -| modules.slack.min_severity | str | Only allow VULNERABILITY events of this severity or higher | LOW | -| modules.slack.retries | int | Number of times to retry sending the message before skipping the event | 10 | -| modules.slack.webhook_url | str | Discord webhook URL | | -| modules.splunk.hectoken | str | HEC Token | | -| modules.splunk.index | str | Index to send data to | | -| modules.splunk.source | str | Source path to be added to the metadata | | -| modules.splunk.timeout | int | HTTP timeout | 10 | -| modules.splunk.url | str | Web URL | | -| modules.sqlite.database | str | The path to the sqlite database file | | -| modules.stdout.accept_dupes | bool | Whether to show duplicate events, default True | True | -| modules.stdout.event_fields | list | Which event fields to display | [] | -| modules.stdout.event_types | list | Which events to display, default all event types | [] | -| modules.stdout.format | str | Which text format to display, choices: text,json | text | -| modules.stdout.in_scope_only | bool | Whether to only show in-scope events | False | -| modules.subdomains.include_unresolved | bool | Include unresolved subdomains in output | False | -| modules.subdomains.output_file | str | Output to file | | -| modules.teams.event_types | list | Types of events to send | ['VULNERABILITY', 'FINDING'] | -| modules.teams.min_severity | str | Only allow VULNERABILITY events of this severity or higher | LOW | -| modules.teams.retries | int | Number of times to retry sending the message before skipping the event | 10 | -| modules.teams.webhook_url | str | Teams webhook URL | | -| modules.txt.output_file | str | Output to file | | -| modules.web_parameters.include_count | bool | Include the count of each parameter in the output | False | -| modules.web_parameters.output_file | str | Output to file | | -| modules.web_report.css_theme_file | str | CSS theme URL for HTML output | https://cdnjs.cloudflare.com/ajax/libs/github-markdown-css/5.1.0/github-markdown.min.css | -| modules.web_report.output_file | str | Output to file | | -| modules.websocket.ignore_ssl | bool | Ignores all Websocket SSL related errors (like Self-Signed Certificates, etc.) | False | -| modules.websocket.preserve_graph | bool | Preserve full chains of events in the graph (prevents orphans) | True | -| modules.websocket.token | str | Authorization Bearer token | | -| modules.websocket.url | str | Web URL | | -| modules.excavate.custom_yara_rules | str | Include custom Yara rules | | -| modules.excavate.speculate_params | bool | Enable speculative parameter extraction from JSON and XML content | False | -| modules.excavate.yara_max_match_data | int | Sets the maximum amount of text that can extracted from a YARA regex | 2000 | -| modules.speculate.essential_only | bool | Only enable essential speculate features (no extra discovery) | False | -| modules.speculate.max_hosts | int | Max number of IP_RANGE hosts to convert into IP_ADDRESS events | 65536 | -| modules.speculate.ports | str | The set of ports to speculate on | 80,443 | +| Config Option | Type | Description | Default | +|-----------------------------------------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| modules.baddns.custom_nameservers | list | Force BadDNS to use a list of custom nameservers | [] | +| modules.baddns.enabled_submodules | list | A list of submodules to enable. Empty list (default) enables CNAME, TXT and MX Only | [] | +| modules.baddns.only_high_confidence | bool | Do not emit low-confidence or generic detections | False | +| modules.baddns_direct.custom_nameservers | list | Force BadDNS to use a list of custom nameservers | [] | +| modules.baddns_zone.custom_nameservers | list | Force BadDNS to use a list of custom nameservers | [] | +| modules.baddns_zone.only_high_confidence | bool | Do not emit low-confidence or generic detections | False | +| modules.badsecrets.custom_secrets | NoneType | Include custom secrets loaded from a local file | None | +| modules.bucket_amazon.permutations | bool | Whether to try permutations | False | +| modules.bucket_azure.permutations | bool | Whether to try permutations | False | +| modules.bucket_digitalocean.permutations | bool | Whether to try permutations | False | +| modules.bucket_firebase.permutations | bool | Whether to try permutations | False | +| modules.bucket_google.permutations | bool | Whether to try permutations | False | +| modules.dnsbrute.max_depth | int | How many subdomains deep to brute force, i.e. 5.4.3.2.1.evilcorp.com | 5 | +| modules.dnsbrute.wordlist | str | Subdomain wordlist URL | https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt | +| modules.dnsbrute_mutations.max_mutations | int | Maximum number of target-specific mutations to try per subdomain | 100 | +| modules.dnscommonsrv.max_depth | int | The maximum subdomain depth to brute-force SRV records | 2 | +| modules.ffuf.extensions | str | Optionally include a list of extensions to extend the keyword with (comma separated) | | +| modules.ffuf.ignore_case | bool | Only put lowercase words into the wordlist | False | +| modules.ffuf.lines | int | take only the first N lines from the wordlist when finding directories | 5000 | +| modules.ffuf.max_depth | int | the maximum directory depth to attempt to solve | 0 | +| modules.ffuf.rate | int | Rate of requests per second (default: 0) | 0 | +| modules.ffuf.wordlist | str | Specify wordlist to use when finding directories | https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/raft-small-directories.txt | +| modules.ffuf_shortnames.extensions | str | Optionally include a list of extensions to extend the keyword with (comma separated) | | +| modules.ffuf_shortnames.find_common_prefixes | bool | Attempt to automatically detect common prefixes and make additional ffuf runs against them | False | +| modules.ffuf_shortnames.find_delimiters | bool | Attempt to detect common delimiters and make additional ffuf runs against them | True | +| modules.ffuf_shortnames.find_subwords | bool | Attempt to detect subwords and make additional ffuf runs against them | False | +| modules.ffuf_shortnames.ignore_redirects | bool | Explicitly ignore redirects (301,302) | True | +| modules.ffuf_shortnames.max_depth | int | the maximum directory depth to attempt to solve | 1 | +| modules.ffuf_shortnames.max_predictions | int | The maximum number of predictions to generate per shortname prefix | 250 | +| modules.ffuf_shortnames.rate | int | Rate of requests per second (default: 0) | 0 | +| modules.ffuf_shortnames.version | str | ffuf version | 2.0.0 | +| modules.ffuf_shortnames.wordlist_extensions | str | Specify wordlist to use when making extension lists | | +| modules.filedownload.extensions | list | File extensions to download | ['bak', 'bash', 'bashrc', 'cfg', 'conf', 'crt', 'csv', 'db', 'dll', 'doc', 'docx', 'exe', 'ica', 'indd', 'ini', 'jar', 'json', 'key', 'log', 'markdown', 'md', 'msi', 'odg', 'odp', 'ods', 'odt', 'pdf', 'pem', 'pps', 'ppsx', 'ppt', 'pptx', 'ps1', 'pub', 'raw', 'rdp', 'rsa', 'sh', 'sql', 'sqlite', 'swp', 'sxw', 'tar.gz', 'tgz', 'tar', 'txt', 'vbs', 'war', 'wpd', 'xls', 'xlsx', 'xml', 'yaml', 'yml', 'zip', 'lzma', 'rar', '7z', 'xz', 'bz2'] | +| modules.filedownload.max_filesize | str | Cancel download if filesize is greater than this size | 10MB | +| modules.filedownload.output_folder | str | Folder to download files to. If not specified, downloaded files will be deleted when the scan completes, to minimize disk usage. | | +| modules.fingerprintx.skip_common_web | bool | Skip common web ports such as 80, 443, 8080, 8443, etc. | True | +| modules.fingerprintx.version | str | fingerprintx version | 1.1.4 | +| modules.generic_ssrf.skip_dns_interaction | bool | Do not report DNS interactions (only HTTP interaction) | False | +| modules.gitlab.api_key | str | Gitlab access token | | +| modules.gowitness.chrome_path | str | Path to chrome executable | | +| modules.gowitness.idle_timeout | int | Skip the current gowitness batch if it stalls for longer than this many seconds | 1800 | +| modules.gowitness.output_path | str | Where to save screenshots | | +| modules.gowitness.resolution_x | int | Screenshot resolution x | 1440 | +| modules.gowitness.resolution_y | int | Screenshot resolution y | 900 | +| modules.gowitness.social | bool | Whether to screenshot social media webpages | False | +| modules.gowitness.threads | int | How many gowitness threads to spawn (default is number of CPUs x 2) | 0 | +| modules.gowitness.timeout | int | Preflight check timeout | 10 | +| modules.gowitness.version | str | Gowitness version | 3.0.5 | +| modules.graphql_introspection.graphql_endpoint_urls | list | List of GraphQL endpoint to suffix to the target URL | ['/', '/graphql', '/v1/graphql'] | +| modules.graphql_introspection.output_folder | str | Folder to save the GraphQL schemas to | | +| modules.httpx.in_scope_only | bool | Only visit web reparents that are in scope. | True | +| modules.httpx.max_response_size | int | Max response size in bytes | 5242880 | +| modules.httpx.probe_all_ips | bool | Probe all the ips associated with same host | False | +| modules.httpx.store_responses | bool | Save raw HTTP responses to scan folder | False | +| modules.httpx.threads | int | Number of httpx threads to use | 50 | +| modules.httpx.version | str | httpx version | 1.2.5 | +| modules.iis_shortnames.detect_only | bool | Only detect the vulnerability and do not run the shortname scanner | True | +| modules.iis_shortnames.max_node_count | int | Limit how many nodes to attempt to resolve on any given recursion branch | 50 | +| modules.iis_shortnames.speculate_magic_urls | bool | Attempt to discover iis 'magic' special folders | True | +| modules.lightfuzz.disable_post | bool | Disable processing of POST parameters, avoiding form submissions. | False | +| modules.lightfuzz.enabled_submodules | list | A list of submodules to enable. Empty list enabled all modules. | ['sqli', 'cmdi', 'xss', 'path', 'ssti', 'crypto', 'serial'] | +| modules.lightfuzz.force_common_headers | bool | Force emit commonly exploitable parameters that may be difficult to detect | False | +| modules.medusa.snmp_versions | list | List of SNMP versions to attempt against the SNMP server (default ['1', '2C']) | ['1', '2C'] | +| modules.medusa.snmp_wordlist | str | Wordlist url for SNMP community strings, newline separated (default https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/SNMP/snmp.txt) | https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/SNMP/common-snmp-community-strings.txt | +| modules.medusa.threads | int | Number of communities to be tested concurrently (default 5) | 5 | +| modules.medusa.timeout_s | int | Wait time for the SNMP response(s) once at the end of all attempts (default 5) | 5 | +| modules.medusa.wait_microseconds | int | Wait time after every SNMP request in microseconds (default 200) | 200 | +| modules.ntlm.try_all | bool | Try every NTLM endpoint | False | +| modules.nuclei.batch_size | int | Number of targets to send to Nuclei per batch (default 200) | 200 | +| modules.nuclei.budget | int | Used in budget mode to set the number of allowed requests per host | 1 | +| modules.nuclei.concurrency | int | maximum number of templates to be executed in parallel (default 25) | 25 | +| modules.nuclei.directory_only | bool | Filter out 'file' URL event (default True) | True | +| modules.nuclei.etags | str | tags to exclude from the scan | | +| modules.nuclei.mode | str | manual | technology | severe | budget. Technology: Only activate based on technology events that match nuclei tags (nuclei -as mode). Manual (DEFAULT): Fully manual settings. Severe: Only critical and high severity templates without intrusive. Budget: Limit Nuclei to a specified number of HTTP requests | manual | +| modules.nuclei.module_timeout | int | Max time in seconds to spend handling each batch of events | 21600 | +| modules.nuclei.ratelimit | int | maximum number of requests to send per second (default 150) | 150 | +| modules.nuclei.retries | int | number of times to retry a failed request (default 0) | 0 | +| modules.nuclei.severity | str | Filter based on severity field available in the template. | | +| modules.nuclei.silent | bool | Don't display nuclei's banner or status messages | False | +| modules.nuclei.tags | str | execute a subset of templates that contain the provided tags | | +| modules.nuclei.templates | str | template or template directory paths to include in the scan | | +| modules.nuclei.version | str | nuclei version | 3.4.7 | +| modules.oauth.try_all | bool | Check for OAUTH/IODC on every subdomain and URL. | False | +| modules.paramminer_cookies.recycle_words | bool | Attempt to use words found during the scan on all other endpoints | False | +| modules.paramminer_cookies.skip_boring_words | bool | Remove commonly uninteresting words from the wordlist | True | +| modules.paramminer_cookies.wordlist | str | Define the wordlist to be used to derive cookies | | +| modules.paramminer_getparams.recycle_words | bool | Attempt to use words found during the scan on all other endpoints | False | +| modules.paramminer_getparams.skip_boring_words | bool | Remove commonly uninteresting words from the wordlist | True | +| modules.paramminer_getparams.wordlist | str | Define the wordlist to be used to derive headers | | +| modules.paramminer_headers.recycle_words | bool | Attempt to use words found during the scan on all other endpoints | False | +| modules.paramminer_headers.skip_boring_words | bool | Remove commonly uninteresting words from the wordlist | True | +| modules.paramminer_headers.wordlist | str | Define the wordlist to be used to derive headers | | +| modules.portscan.adapter | str | Manually specify a network interface, such as "eth0" or "tun0". If not specified, the first network interface found with a default gateway will be used. | | +| modules.portscan.adapter_ip | str | Send packets using this IP address. Not needed unless masscan's autodetection fails | | +| modules.portscan.adapter_mac | str | Send packets using this as the source MAC address. Not needed unless masscan's autodetection fails | | +| modules.portscan.module_timeout | int | Max time in seconds to spend handling each batch of events | 259200 | +| modules.portscan.ping_first | bool | Only portscan hosts that reply to pings | False | +| modules.portscan.ping_only | bool | Ping sweep only, no portscan | False | +| modules.portscan.ports | str | Ports to scan | | +| modules.portscan.rate | int | Rate in packets per second | 300 | +| modules.portscan.router_mac | str | Send packets to this MAC address as the destination. Not needed unless masscan's autodetection fails | | +| modules.portscan.top_ports | int | Top ports to scan (default 100) (to override, specify 'ports') | 100 | +| modules.portscan.wait | int | Seconds to wait for replies after scan is complete | 5 | +| modules.robots.include_allow | bool | Include 'Allow' Entries | True | +| modules.robots.include_disallow | bool | Include 'Disallow' Entries | True | +| modules.robots.include_sitemap | bool | Include 'sitemap' entries | False | +| modules.securitytxt.emails | bool | emit EMAIL_ADDRESS events | True | +| modules.securitytxt.urls | bool | emit URL_UNVERIFIED events | True | +| modules.sslcert.skip_non_ssl | bool | Don't try common non-SSL ports | True | +| modules.sslcert.timeout | float | Socket connect timeout in seconds | 5.0 | +| modules.telerik.exploit_RAU_crypto | bool | Attempt to confirm any RAU AXD detections are vulnerable | False | +| modules.telerik.include_subdirs | bool | Include subdirectories in the scan (off by default) | False | +| modules.url_manipulation.allow_redirects | bool | Allowing redirects will sometimes create false positives. Disallowing will sometimes create false negatives. Allowed by default. | True | +| modules.vhost.force_basehost | str | Use a custom base host (e.g. evilcorp.com) instead of the default behavior of using the current URL | | +| modules.vhost.lines | int | take only the first N lines from the wordlist when finding directories | 5000 | +| modules.vhost.wordlist | str | Wordlist containing subdomains | https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt | +| modules.wafw00f.generic_detect | bool | When no specific WAF detections are made, try to perform a generic detect | True | +| modules.wpscan.api_key | str | WPScan API Key | | +| modules.wpscan.connection_timeout | int | The connection timeout in seconds (default 2) | 2 | +| modules.wpscan.disable_tls_checks | bool | Disables the SSL/TLS certificate verification (Default True) | True | +| modules.wpscan.enumerate | str | Enumeration Process see wpscan help documentation (default: vp,vt,cb,dbe) | vp,vt,cb,dbe | +| modules.wpscan.force | bool | Do not check if the target is running WordPress or returns a 403 | False | +| modules.wpscan.request_timeout | int | The request timeout in seconds (default 5) | 5 | +| modules.wpscan.threads | int | How many wpscan threads to spawn (default is 5) | 5 | +| modules.anubisdb.limit | int | Limit the number of subdomains returned per query (increasing this may slow the scan due to garbage results from this API) | 1000 | +| modules.apkpure.output_folder | str | Folder to download APKs to. If not specified, downloaded APKs will be deleted when the scan completes, to minimize disk usage. | | +| modules.bevigil.api_key | str | BeVigil OSINT API Key | | +| modules.bevigil.urls | bool | Emit URLs in addition to DNS_NAMEs | False | +| modules.bucket_file_enum.file_limit | int | Limit the number of files downloaded per bucket | 50 | +| modules.bufferoverrun.api_key | str | BufferOverrun API key | | +| modules.bufferoverrun.commercial | bool | Use commercial API | False | +| modules.builtwith.api_key | str | Builtwith API key | | +| modules.builtwith.redirects | bool | Also look up inbound and outbound redirects | True | +| modules.c99.api_key | str | c99.nl API key | | +| modules.censys.api_key | str | Censys.io API Key in the format of 'key:secret' | | +| modules.censys.max_pages | int | Maximum number of pages to fetch (100 results per page) | 5 | +| modules.chaos.api_key | str | Chaos API key | | +| modules.credshed.credshed_url | str | URL of credshed server | | +| modules.credshed.password | str | Credshed password | | +| modules.credshed.username | str | Credshed username | | +| modules.dehashed.api_key | str | DeHashed API Key | | +| modules.dnsbimi.emit_raw_dns_records | bool | Emit RAW_DNS_RECORD events | False | +| modules.dnsbimi.emit_urls | bool | Emit URL_UNVERIFIED events | True | +| modules.dnsbimi.selectors | str | CSV list of BIMI selectors to check | default,email,mail,bimi | +| modules.dnscaa.dns_names | bool | emit DNS_NAME events | True | +| modules.dnscaa.emails | bool | emit EMAIL_ADDRESS events | True | +| modules.dnscaa.in_scope_only | bool | Only check in-scope domains | True | +| modules.dnscaa.urls | bool | emit URL_UNVERIFIED events | True | +| modules.dnstlsrpt.emit_emails | bool | Emit EMAIL_ADDRESS events | True | +| modules.dnstlsrpt.emit_raw_dns_records | bool | Emit RAW_DNS_RECORD events | False | +| modules.dnstlsrpt.emit_urls | bool | Emit URL_UNVERIFIED events | True | +| modules.dnstlsrpt.emit_vulnerabilities | bool | Emit VULNERABILITY events | True | +| modules.docker_pull.all_tags | bool | Download all tags from each registry (Default False) | False | +| modules.docker_pull.output_folder | str | Folder to download docker repositories to. If not specified, downloaded docker images will be deleted when the scan completes, to minimize disk usage. | | +| modules.extractous.extensions | list | File extensions to parse | ['bak', 'bash', 'bashrc', 'conf', 'cfg', 'crt', 'csv', 'db', 'sqlite', 'doc', 'docx', 'ica', 'indd', 'ini', 'json', 'key', 'pub', 'log', 'markdown', 'md', 'odg', 'odp', 'ods', 'odt', 'pdf', 'pem', 'pps', 'ppsx', 'ppt', 'pptx', 'ps1', 'rdp', 'rsa', 'sh', 'sql', 'swp', 'sxw', 'txt', 'vbs', 'wpd', 'xls', 'xlsx', 'xml', 'yml', 'yaml'] | +| modules.fullhunt.api_key | str | FullHunt API Key | | +| modules.git_clone.api_key | str | Github token | | +| modules.git_clone.output_folder | str | Folder to clone repositories to. If not specified, cloned repositories will be deleted when the scan completes, to minimize disk usage. | | +| modules.gitdumper.fuzz_tags | bool | Fuzz for common git tag names (v0.0.1, 0.0.2, etc.) up to the max_semanic_version | False | +| modules.gitdumper.max_semanic_version | int |` Maximum version number to fuzz for (default < v10.10.10) `| 10 | +| modules.gitdumper.output_folder | str | Folder to download repositories to. If not specified, downloaded repositories will be deleted when the scan completes, to minimize disk usage. | | +| modules.github_codesearch.api_key | str | Github token | | +| modules.github_codesearch.limit | int | Limit code search to this many results | 100 | +| modules.github_org.api_key | str | Github token | | +| modules.github_org.include_member_repos | bool | Also enumerate organization members' repositories | False | +| modules.github_org.include_members | bool | Enumerate organization members | True | +| modules.github_usersearch.api_key | str | Github token | | +| modules.github_workflows.api_key | str | Github token | | +| modules.github_workflows.num_logs | int | For each workflow fetch the last N successful runs logs (max 100) | 1 | +| modules.github_workflows.output_folder | str | Folder to download workflow logs and artifacts to | | +| modules.hunterio.api_key | str | Hunter.IO API key | | +| modules.ip2location.api_key | str | IP2location.io API Key | | +| modules.ip2location.lang | str | Translation information(ISO639-1). The translation is only applicable for continent, country, region and city name. | | +| modules.ipneighbor.num_bits | int | Netmask size (in CIDR notation) to check. Default is 4 bits (16 hosts) | 4 | +| modules.ipstack.api_key | str | IPStack GeoIP API Key | | +| modules.jadx.threads | int | Maximum jadx threads for extracting apk's, default: 4 | 4 | +| modules.leakix.api_key | str | LeakIX API Key | | +| modules.passivetotal.api_key | str | PassiveTotal API Key in the format of 'username:api_key' | | +| modules.pgp.search_urls | list | PGP key servers to search |` ['https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&op=vindex&search=', 'http://the.earth.li:11371/pks/lookup?fingerprint=on&op=vindex&search=', 'https://pgpkeys.eu/pks/lookup?search=&op=index', 'https://pgp.mit.edu/pks/lookup?search=&op=index'] `| +| modules.portfilter.allowed_cdn_ports | str | Comma-separated list of ports that are allowed to be scanned for CDNs | 80,443 | +| modules.portfilter.cdn_tags | str | Comma-separated list of tags to skip, e.g. 'cdn,cloud' | cdn- | +| modules.postman.api_key | str | Postman API Key | | +| modules.postman_download.api_key | str | Postman API Key | | +| modules.postman_download.output_folder | str | Folder to download postman workspaces to. If not specified, downloaded workspaces will be deleted when the scan completes, to minimize disk usage. | | +| modules.securitytrails.api_key | str | SecurityTrails API key | | +| modules.shodan_dns.api_key | str | Shodan API key | | +| modules.shodan_idb.retries | NoneType | How many times to retry API requests (e.g. after a 429 error). Overrides the global web.api_retries setting. | None | +| modules.subdomainradar.api_key | str | SubDomainRadar.io API key | | +| modules.subdomainradar.group | str | The enumeration group to use. Choose from fast, medium, deep | fast | +| modules.subdomainradar.timeout | int | Timeout in seconds | 120 | +| modules.trickest.api_key | str | Trickest API key | | +| modules.trufflehog.concurrency | int | Number of concurrent workers | 8 | +| modules.trufflehog.config | str | File path or URL to YAML trufflehog config | | +| modules.trufflehog.deleted_forks | bool | Scan for deleted github forks. WARNING: This is SLOW. For a smaller repository, this process can take 20 minutes. For a larger repository, it could take hours. | False | +| modules.trufflehog.only_verified | bool | Only report credentials that have been verified | True | +| modules.trufflehog.version | str | trufflehog version | 3.90.3 | +| modules.urlscan.urls | bool | Emit URLs in addition to DNS_NAMEs | False | +| modules.virustotal.api_key | str | VirusTotal API Key | | +| modules.wayback.garbage_threshold | int | Dedupe similar urls if they are in a group of this size or higher (lower values == less garbage data) | 10 | +| modules.wayback.urls | bool | emit URLs in addition to DNS_NAMEs | False | +| modules.zoomeye.api_key | str | ZoomEye API key | | +| modules.zoomeye.include_related | bool | Include domains which may be related to the target | False | +| modules.zoomeye.max_pages | int | How many pages of results to fetch | 20 | +| modules.asset_inventory.output_file | str | Set a custom output file | | +| modules.asset_inventory.recheck | bool | When use_previous=True, don't retain past details like open ports or findings. Instead, allow them to be rediscovered by the new scan | False | +| modules.asset_inventory.summary_netmask | int | Subnet mask to use when summarizing IP addresses at end of scan | 16 | +| modules.asset_inventory.use_previous | bool |` Emit previous asset inventory as new events (use in conjunction with -n ) `| False | +| modules.csv.output_file | str | Output to CSV file | | +| modules.discord.event_types | list | Types of events to send | ['VULNERABILITY', 'FINDING'] | +| modules.discord.min_severity | str | Only allow VULNERABILITY events of this severity or higher | LOW | +| modules.discord.retries | int | Number of times to retry sending the message before skipping the event | 10 | +| modules.discord.webhook_url | str | Discord webhook URL | | +| modules.emails.output_file | str | Output to file | | +| modules.http.bearer | str | Authorization Bearer token | | +| modules.http.method | str | HTTP method | POST | +| modules.http.password | str | Password (basic auth) | | +| modules.http.siem_friendly | bool | Format JSON in a SIEM-friendly way for ingestion into Elastic, Splunk, etc. | False | +| modules.http.timeout | int | HTTP timeout | 10 | +| modules.http.url | str | Web URL | | +| modules.http.username | str | Username (basic auth) | | +| modules.json.output_file | str | Output to file | | +| modules.json.siem_friendly | bool | Output JSON in a SIEM-friendly format for ingestion into Elastic, Splunk, etc. | False | +| modules.mysql.database | str | The database name to connect to | bbot | +| modules.mysql.host | str | The server running MySQL | localhost | +| modules.mysql.password | str | The password to connect to MySQL | bbotislife | +| modules.mysql.port | int | The port to connect to MySQL | 3306 | +| modules.mysql.username | str | The username to connect to MySQL | root | +| modules.neo4j.password | str | Neo4j password | bbotislife | +| modules.neo4j.uri | str | Neo4j server + port | bolt://localhost:7687 | +| modules.neo4j.username | str | Neo4j username | neo4j | +| modules.postgres.database | str | The database name to connect to | bbot | +| modules.postgres.host | str | The server running Postgres | localhost | +| modules.postgres.password | str | The password to connect to Postgres | bbotislife | +| modules.postgres.port | int | The port to connect to Postgres | 5432 | +| modules.postgres.username | str | The username to connect to Postgres | postgres | +| modules.slack.event_types | list | Types of events to send | ['VULNERABILITY', 'FINDING'] | +| modules.slack.min_severity | str | Only allow VULNERABILITY events of this severity or higher | LOW | +| modules.slack.retries | int | Number of times to retry sending the message before skipping the event | 10 | +| modules.slack.webhook_url | str | Discord webhook URL | | +| modules.splunk.hectoken | str | HEC Token | | +| modules.splunk.index | str | Index to send data to | | +| modules.splunk.source | str | Source path to be added to the metadata | | +| modules.splunk.timeout | int | HTTP timeout | 10 | +| modules.splunk.url | str | Web URL | | +| modules.sqlite.database | str | The path to the sqlite database file | | +| modules.stdout.accept_dupes | bool | Whether to show duplicate events, default True | True | +| modules.stdout.event_fields | list | Which event fields to display | [] | +| modules.stdout.event_types | list | Which events to display, default all event types | [] | +| modules.stdout.format | str | Which text format to display, choices: text,json | text | +| modules.stdout.in_scope_only | bool | Whether to only show in-scope events | False | +| modules.subdomains.include_unresolved | bool | Include unresolved subdomains in output | False | +| modules.subdomains.output_file | str | Output to file | | +| modules.teams.event_types | list | Types of events to send | ['VULNERABILITY', 'FINDING'] | +| modules.teams.min_severity | str | Only allow VULNERABILITY events of this severity or higher | LOW | +| modules.teams.retries | int | Number of times to retry sending the message before skipping the event | 10 | +| modules.teams.webhook_url | str | Teams webhook URL | | +| modules.txt.output_file | str | Output to file | | +| modules.web_parameters.include_count | bool | Include the count of each parameter in the output | False | +| modules.web_parameters.output_file | str | Output to file | | +| modules.web_report.css_theme_file | str | CSS theme URL for HTML output | https://cdnjs.cloudflare.com/ajax/libs/github-markdown-css/5.1.0/github-markdown.min.css | +| modules.web_report.output_file | str | Output to file | | +| modules.websocket.ignore_ssl | bool | Ignores all Websocket SSL related errors (like Self-Signed Certificates, etc.) | False | +| modules.websocket.preserve_graph | bool | Preserve full chains of events in the graph (prevents orphans) | True | +| modules.websocket.token | str | Authorization Bearer token | | +| modules.websocket.url | str | Web URL | | +| modules.excavate.custom_yara_rules | str | Include custom Yara rules | | +| modules.excavate.speculate_params | bool | Enable speculative parameter extraction from JSON and XML content | False | +| modules.excavate.yara_max_match_data | int | Sets the maximum amount of text that can extracted from a YARA regex | 2000 | +| modules.speculate.essential_only | bool | Only enable essential speculate features (no extra discovery) | False | +| modules.speculate.max_hosts | int | Max number of IP_RANGE hosts to convert into IP_ADDRESS events | 65536 | +| modules.speculate.ports | str | The set of ports to speculate on | 80,443 | diff --git a/docs/scanning/events.md b/docs/scanning/events.md index 4eff71cf96..bd67a80152 100644 --- a/docs/scanning/events.md +++ b/docs/scanning/events.md @@ -114,7 +114,7 @@ Below is a full list of event types along with which modules produce/consume the | DNS_NAME_UNRESOLVED | 3 | 0 | baddns, speculate, subdomains | | | EMAIL_ADDRESS | 1 | 11 | emails | credshed, dehashed, dnscaa, dnstlsrpt, emailformat, github_usersearch, hunterio, pgp, securitytxt, skymem, sslcert | | FILESYSTEM | 4 | 9 | extractous, jadx, trufflehog, unarchive | apkpure, docker_pull, filedownload, git_clone, gitdumper, github_workflows, jadx, postman_download, unarchive | -| FINDING | 2 | 29 | asset_inventory, web_report | ajaxpro, baddns, baddns_direct, baddns_zone, badsecrets, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, bypass403, git, gitlab, host_header, hunt, lightfuzz, newsletters, ntlm, nuclei, paramminer_cookies, paramminer_getparams, reflected_parameters, shodan_idb, smuggler, speculate, telerik, trufflehog, url_manipulation, wpscan | +| FINDING | 2 | 30 | asset_inventory, web_report | ajaxpro, baddns, baddns_direct, baddns_zone, badsecrets, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, bypass403, git, gitlab, graphql_introspection, host_header, hunt, lightfuzz, newsletters, ntlm, nuclei, paramminer_cookies, paramminer_getparams, reflected_parameters, shodan_idb, smuggler, speculate, telerik, trufflehog, url_manipulation, wpscan | | GEOLOCATION | 0 | 2 | | ip2location, ipstack | | HASHED_PASSWORD | 0 | 2 | | credshed, dehashed | | HTTP_RESPONSE | 19 | 1 | ajaxpro, asset_inventory, badsecrets, dotnetnuke, excavate, filedownload, gitlab, host_header, newsletters, nmap_xml, ntlm, paramminer_cookies, paramminer_getparams, paramminer_headers, speculate, telerik, trufflehog, wappalyzer, wpscan | httpx | @@ -130,12 +130,12 @@ Below is a full list of event types along with which modules produce/consume the | SOCIAL | 6 | 4 | dockerhub, github_org, gitlab, gowitness, postman, speculate | dockerhub, github_usersearch, gitlab, social | | STORAGE_BUCKET | 8 | 5 | baddns_direct, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, speculate | bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google | | TECHNOLOGY | 4 | 8 | asset_inventory, gitlab, web_report, wpscan | badsecrets, dotnetnuke, gitlab, gowitness, nuclei, shodan_idb, wappalyzer, wpscan | -| URL | 22 | 2 | ajaxpro, asset_inventory, baddns_direct, bypass403, ffuf, generic_ssrf, git, gowitness, httpx, iis_shortnames, lightfuzz, ntlm, nuclei, portfilter, robots, smuggler, speculate, telerik, url_manipulation, vhost, wafw00f, web_report | gowitness, httpx | +| URL | 24 | 2 | ajaxpro, aspnet_bin_exposure, asset_inventory, baddns_direct, bypass403, ffuf, generic_ssrf, git, gowitness, graphql_introspection, httpx, iis_shortnames, lightfuzz, ntlm, nuclei, portfilter, robots, smuggler, speculate, telerik, url_manipulation, vhost, wafw00f, web_report | gowitness, httpx | | URL_HINT | 1 | 1 | ffuf_shortnames | iis_shortnames | | URL_UNVERIFIED | 7 | 18 | code_repository, filedownload, httpx, oauth, portfilter, social, speculate | azure_realm, bevigil, bucket_file_enum, dnsbimi, dnscaa, dnstlsrpt, dockerhub, excavate, ffuf, ffuf_shortnames, github_codesearch, gowitness, hunterio, robots, securitytxt, urlscan, wayback, wpscan | | USERNAME | 1 | 2 | speculate | credshed, dehashed | | VHOST | 1 | 1 | web_report | vhost | -| VULNERABILITY | 2 | 14 | asset_inventory, web_report | ajaxpro, baddns, baddns_direct, baddns_zone, badsecrets, dotnetnuke, generic_ssrf, lightfuzz, medusa, nuclei, shodan_idb, telerik, trufflehog, wpscan | +| VULNERABILITY | 2 | 15 | asset_inventory, web_report | ajaxpro, aspnet_bin_exposure, baddns, baddns_direct, baddns_zone, badsecrets, dotnetnuke, generic_ssrf, lightfuzz, medusa, nuclei, shodan_idb, telerik, trufflehog, wpscan | | WAF | 1 | 1 | asset_inventory | wafw00f | | WEBSCREENSHOT | 0 | 1 | | gowitness | | WEB_PARAMETER | 7 | 4 | hunt, lightfuzz, paramminer_cookies, paramminer_getparams, paramminer_headers, reflected_parameters, web_parameters | excavate, paramminer_cookies, paramminer_getparams, paramminer_headers | diff --git a/docs/scanning/index.md b/docs/scanning/index.md index 5dc568aaa3..3930b3311d 100644 --- a/docs/scanning/index.md +++ b/docs/scanning/index.md @@ -112,30 +112,29 @@ A single module can have multiple flags. For example, the `securitytrails` modul ### List of Flags -| Flag | # Modules | Description | Modules | -|------------------|-------------|----------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| safe | 95 | Non-intrusive, safe to run | affiliates, aggregate, ajaxpro, anubisdb, apkpure, asn, azure_realm, azure_tenant, baddns, baddns_direct, baddns_zone, badsecrets, bevigil, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, bufferoverrun, builtwith, c99, censys, certspotter, chaos, code_repository, credshed, crt, crt_db, dehashed, digitorus, dnsbimi, dnscaa, dnscommonsrv, dnsdumpster, dnstlsrpt, docker_pull, dockerhub, emailformat, extractous, filedownload, fingerprintx, fullhunt, git, git_clone, gitdumper, github_codesearch, github_org, github_usersearch, github_workflows, gitlab, google_playstore, gowitness, hackertarget, httpx, hunt, hunterio, iis_shortnames, ip2location, ipstack, jadx, leakix, myssl, newsletters, ntlm, oauth, otx, passivetotal, pgp, portfilter, portscan, postman, postman_download, rapiddns, reflected_parameters, robots, securitytrails, securitytxt, shodan_dns, shodan_idb, sitedossier, skymem, social, sslcert, subdomaincenter, subdomainradar, trickest, trufflehog, unarchive, urlscan, viewdns, virustotal, wappalyzer, wayback, zoomeye | -| passive | 70 | Never connects to target systems | affiliates, aggregate, anubisdb, apkpure, asn, azure_realm, azure_tenant, bevigil, bucket_file_enum, bufferoverrun, builtwith, c99, censys, certspotter, chaos, code_repository, credshed, crt, crt_db, dehashed, digitorus, dnsbimi, dnscaa, dnsdumpster, dnstlsrpt, docker_pull, dockerhub, emailformat, excavate, extractous, fullhunt, git_clone, gitdumper, github_codesearch, github_org, github_usersearch, github_workflows, google_playstore, hackertarget, hunterio, ip2location, ipneighbor, ipstack, jadx, leakix, myssl, otx, passivetotal, pgp, portfilter, postman, postman_download, rapiddns, securitytrails, shodan_dns, shodan_idb, sitedossier, skymem, social, speculate, subdomaincenter, subdomainradar, trickest, trufflehog, unarchive, urlscan, viewdns, virustotal, wayback, zoomeye | -| subdomain-enum | 52 | Enumerates subdomains | anubisdb, asn, azure_realm, azure_tenant, baddns_direct, baddns_zone, bevigil, bufferoverrun, builtwith, c99, censys, certspotter, chaos, crt, crt_db, digitorus, dnsbimi, dnsbrute, dnsbrute_mutations, dnscaa, dnscommonsrv, dnsdumpster, dnstlsrpt, fullhunt, github_codesearch, github_org, hackertarget, httpx, hunterio, ipneighbor, leakix, myssl, oauth, otx, passivetotal, postman, postman_download, rapiddns, securitytrails, securitytxt, shodan_dns, shodan_idb, sitedossier, sslcert, subdomaincenter, subdomainradar, subdomains, trickest, urlscan, virustotal, wayback, zoomeye | -| active | 48 | Makes active connections to target systems | ajaxpro, baddns, baddns_direct, baddns_zone, badsecrets, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, bypass403, dnsbrute, dnsbrute_mutations, dnscommonsrv, dotnetnuke, ffuf, ffuf_shortnames, filedownload, fingerprintx, generic_ssrf, git, gitlab, gowitness, host_header, httpx, hunt, iis_shortnames, lightfuzz, medusa, newsletters, ntlm, nuclei, oauth, paramminer_cookies, paramminer_getparams, paramminer_headers, portscan, reflected_parameters, robots, securitytxt, smuggler, sslcert, telerik, url_manipulation, vhost, wafw00f, wappalyzer, wpscan | -| aggressive | 21 | Generates a large amount of network traffic | bypass403, dnsbrute, dnsbrute_mutations, dotnetnuke, ffuf, ffuf_shortnames, generic_ssrf, host_header, ipneighbor, lightfuzz, medusa, nuclei, paramminer_cookies, paramminer_getparams, paramminer_headers, smuggler, telerik, url_manipulation, vhost, wafw00f, wpscan | -| code-enum | 17 | Find public code repositories and search them for secrets etc. | apkpure, code_repository, docker_pull, dockerhub, git, git_clone, gitdumper, github_codesearch, github_org, github_usersearch, github_workflows, gitlab, google_playstore, jadx, postman, postman_download, trufflehog | -| web-basic | 17 | Basic, non-intrusive web scan functionality | azure_realm, baddns, badsecrets, bucket_amazon, bucket_azure, bucket_firebase, bucket_google, filedownload, git, httpx, iis_shortnames, ntlm, oauth, robots, securitytxt, sslcert, wappalyzer | -| cloud-enum | 16 | Enumerates cloud resources | azure_realm, azure_tenant, baddns, baddns_direct, baddns_zone, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, dnsbimi, dnstlsrpt, httpx, oauth, securitytxt | -| web-thorough | 13 | More advanced web scanning functionality | ajaxpro, bucket_digitalocean, bypass403, dotnetnuke, ffuf_shortnames, generic_ssrf, host_header, hunt, lightfuzz, reflected_parameters, smuggler, telerik, url_manipulation | -| slow | 11 | May take a long time to complete | bucket_digitalocean, dnsbrute_mutations, docker_pull, fingerprintx, git_clone, gitdumper, paramminer_cookies, paramminer_getparams, paramminer_headers, smuggler, vhost | -| affiliates | 9 | Discovers affiliated hostnames/domains | affiliates, azure_realm, azure_tenant, builtwith, oauth, sslcert, trickest, viewdns, zoomeye | -| email-enum | 9 | Enumerates email addresses | dehashed, dnscaa, dnstlsrpt, emailformat, emails, hunterio, pgp, skymem, sslcert | -| deadly | 5 | Highly aggressive | ffuf, lightfuzz, medusa, nuclei, vhost | -| baddns | 3 | Runs all modules from the DNS auditing tool BadDNS | baddns, baddns_direct, baddns_zone | -| web-paramminer | 3 | Discovers HTTP parameters through brute-force | paramminer_cookies, paramminer_getparams, paramminer_headers | -| iis-shortnames | 2 | Scans for IIS Shortname vulnerability | ffuf_shortnames, iis_shortnames | -| portscan | 2 | Discovers open ports | portscan, shodan_idb | -| report | 2 | Generates a report at the end of the scan | affiliates, asn | -| social-enum | 2 | Enumerates social media | httpx, social | -| service-enum | 1 | Identifies protocols running on open ports | fingerprintx | -| subdomain-hijack | 1 | Detects hijackable subdomains | baddns | -| web-screenshots | 1 | Takes screenshots of web pages | gowitness | +| Flag | # Modules | Description | Modules | +|------------------|-------------|----------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| safe | 97 | Non-intrusive, safe to run | affiliates, aggregate, ajaxpro, anubisdb, apkpure, asn, aspnet_bin_exposure, azure_realm, azure_tenant, baddns, baddns_direct, baddns_zone, badsecrets, bevigil, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, bufferoverrun, builtwith, c99, censys, certspotter, chaos, code_repository, credshed, crt, crt_db, dehashed, digitorus, dnsbimi, dnscaa, dnscommonsrv, dnsdumpster, dnstlsrpt, docker_pull, dockerhub, emailformat, extractous, filedownload, fingerprintx, fullhunt, git, git_clone, gitdumper, github_codesearch, github_org, github_usersearch, github_workflows, gitlab, google_playstore, gowitness, graphql_introspection, hackertarget, httpx, hunt, hunterio, iis_shortnames, ip2location, ipstack, jadx, leakix, myssl, newsletters, ntlm, oauth, otx, passivetotal, pgp, portfilter, portscan, postman, postman_download, rapiddns, reflected_parameters, robots, securitytrails, securitytxt, shodan_dns, shodan_idb, sitedossier, skymem, social, sslcert, subdomaincenter, subdomainradar, trickest, trufflehog, unarchive, urlscan, viewdns, virustotal, wappalyzer, wayback, zoomeye | +| passive | 70 | Never connects to target systems | affiliates, aggregate, anubisdb, apkpure, asn, azure_realm, azure_tenant, bevigil, bucket_file_enum, bufferoverrun, builtwith, c99, censys, certspotter, chaos, code_repository, credshed, crt, crt_db, dehashed, digitorus, dnsbimi, dnscaa, dnsdumpster, dnstlsrpt, docker_pull, dockerhub, emailformat, excavate, extractous, fullhunt, git_clone, gitdumper, github_codesearch, github_org, github_usersearch, github_workflows, google_playstore, hackertarget, hunterio, ip2location, ipneighbor, ipstack, jadx, leakix, myssl, otx, passivetotal, pgp, portfilter, postman, postman_download, rapiddns, securitytrails, shodan_dns, shodan_idb, sitedossier, skymem, social, speculate, subdomaincenter, subdomainradar, trickest, trufflehog, unarchive, urlscan, viewdns, virustotal, wayback, zoomeye | +| subdomain-enum | 52 | Enumerates subdomains | anubisdb, asn, azure_realm, azure_tenant, baddns_direct, baddns_zone, bevigil, bufferoverrun, builtwith, c99, censys, certspotter, chaos, crt, crt_db, digitorus, dnsbimi, dnsbrute, dnsbrute_mutations, dnscaa, dnscommonsrv, dnsdumpster, dnstlsrpt, fullhunt, github_codesearch, github_org, hackertarget, httpx, hunterio, ipneighbor, leakix, myssl, oauth, otx, passivetotal, postman, postman_download, rapiddns, securitytrails, securitytxt, shodan_dns, shodan_idb, sitedossier, sslcert, subdomaincenter, subdomainradar, subdomains, trickest, urlscan, virustotal, wayback, zoomeye | +| active | 50 | Makes active connections to target systems | ajaxpro, aspnet_bin_exposure, baddns, baddns_direct, baddns_zone, badsecrets, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, bypass403, dnsbrute, dnsbrute_mutations, dnscommonsrv, dotnetnuke, ffuf, ffuf_shortnames, filedownload, fingerprintx, generic_ssrf, git, gitlab, gowitness, graphql_introspection, host_header, httpx, hunt, iis_shortnames, lightfuzz, medusa, newsletters, ntlm, nuclei, oauth, paramminer_cookies, paramminer_getparams, paramminer_headers, portscan, reflected_parameters, robots, securitytxt, smuggler, sslcert, telerik, url_manipulation, vhost, wafw00f, wappalyzer, wpscan | +| aggressive | 21 | Generates a large amount of network traffic | bypass403, dnsbrute, dnsbrute_mutations, dotnetnuke, ffuf, ffuf_shortnames, generic_ssrf, host_header, ipneighbor, lightfuzz, medusa, nuclei, paramminer_cookies, paramminer_getparams, paramminer_headers, smuggler, telerik, url_manipulation, vhost, wafw00f, wpscan | +| web-basic | 18 | Basic, non-intrusive web scan functionality | azure_realm, baddns, badsecrets, bucket_amazon, bucket_azure, bucket_firebase, bucket_google, filedownload, git, graphql_introspection, httpx, iis_shortnames, ntlm, oauth, robots, securitytxt, sslcert, wappalyzer | +| code-enum | 17 | Find public code repositories and search them for secrets etc. | apkpure, code_repository, docker_pull, dockerhub, git, git_clone, gitdumper, github_codesearch, github_org, github_usersearch, github_workflows, gitlab, google_playstore, jadx, postman, postman_download, trufflehog | +| cloud-enum | 16 | Enumerates cloud resources | azure_realm, azure_tenant, baddns, baddns_direct, baddns_zone, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, dnsbimi, dnstlsrpt, httpx, oauth, securitytxt | +| web-thorough | 14 | More advanced web scanning functionality | ajaxpro, aspnet_bin_exposure, bucket_digitalocean, bypass403, dotnetnuke, ffuf_shortnames, generic_ssrf, host_header, hunt, lightfuzz, reflected_parameters, smuggler, telerik, url_manipulation | +| slow | 11 | May take a long time to complete | bucket_digitalocean, dnsbrute_mutations, docker_pull, fingerprintx, git_clone, gitdumper, paramminer_cookies, paramminer_getparams, paramminer_headers, smuggler, vhost | +| affiliates | 9 | Discovers affiliated hostnames/domains | affiliates, azure_realm, azure_tenant, builtwith, oauth, sslcert, trickest, viewdns, zoomeye | +| email-enum | 9 | Enumerates email addresses | dehashed, dnscaa, dnstlsrpt, emailformat, emails, hunterio, pgp, skymem, sslcert | +| deadly | 5 | Highly aggressive | ffuf, lightfuzz, medusa, nuclei, vhost | +| baddns | 3 | Runs all modules from the DNS auditing tool BadDNS | baddns, baddns_direct, baddns_zone | +| web-paramminer | 3 | Discovers HTTP parameters through brute-force | paramminer_cookies, paramminer_getparams, paramminer_headers | +| iis-shortnames | 2 | Scans for IIS Shortname vulnerability | ffuf_shortnames, iis_shortnames | +| portscan | 2 | Discovers open ports | portscan, shodan_idb | +| social-enum | 2 | Enumerates social media | httpx, social | +| service-enum | 1 | Identifies protocols running on open ports | fingerprintx | +| subdomain-hijack | 1 | Detects hijackable subdomains | baddns | +| web-screenshots | 1 | Takes screenshots of web pages | gowitness | ## Dependencies diff --git a/docs/scanning/presets_list.md b/docs/scanning/presets_list.md index 5e6a9125c1..9b380d0972 100644 --- a/docs/scanning/presets_list.md +++ b/docs/scanning/presets_list.md @@ -156,6 +156,7 @@ Comprehensive scan for all IIS/.NET specific modules and module settings - telerik - ajaxpro - dotnetnuke + - aspnet_bin_exposure config: modules: @@ -171,7 +172,7 @@ Comprehensive scan for all IIS/.NET specific modules and module settings Category: web -Modules: [8]("`ajaxpro`, `badsecrets`, `dotnetnuke`, `ffuf_shortnames`, `ffuf`, `httpx`, `iis_shortnames`, `telerik`") +Modules: [9]("`ajaxpro`, `aspnet_bin_exposure`, `badsecrets`, `dotnetnuke`, `ffuf_shortnames`, `ffuf`, `httpx`, `iis_shortnames`, `telerik`") ## **email-enum** @@ -270,7 +271,7 @@ Everything everywhere all at once -Modules: [90]("`anubisdb`, `apkpure`, `asn`, `azure_realm`, `azure_tenant`, `baddns_direct`, `baddns_zone`, `baddns`, `badsecrets`, `bevigil`, `bucket_amazon`, `bucket_azure`, `bucket_digitalocean`, `bucket_file_enum`, `bucket_firebase`, `bucket_google`, `bufferoverrun`, `builtwith`, `c99`, `censys`, `certspotter`, `chaos`, `code_repository`, `crt_db`, `crt`, `dehashed`, `digitorus`, `dnsbimi`, `dnsbrute_mutations`, `dnsbrute`, `dnscaa`, `dnscommonsrv`, `dnsdumpster`, `dnstlsrpt`, `docker_pull`, `dockerhub`, `emailformat`, `ffuf_shortnames`, `ffuf`, `filedownload`, `fullhunt`, `git_clone`, `git`, `gitdumper`, `github_codesearch`, `github_org`, `github_usersearch`, `github_workflows`, `gitlab`, `google_playstore`, `gowitness`, `hackertarget`, `httpx`, `hunt`, `hunterio`, `iis_shortnames`, `ipneighbor`, `jadx`, `leakix`, `myssl`, `ntlm`, `oauth`, `otx`, `paramminer_cookies`, `paramminer_getparams`, `paramminer_headers`, `passivetotal`, `pgp`, `postman_download`, `postman`, `rapiddns`, `reflected_parameters`, `robots`, `securitytrails`, `securitytxt`, `shodan_dns`, `shodan_idb`, `sitedossier`, `skymem`, `social`, `sslcert`, `subdomaincenter`, `subdomainradar`, `trickest`, `trufflehog`, `urlscan`, `virustotal`, `wappalyzer`, `wayback`, `zoomeye`") +Modules: [91]("`anubisdb`, `apkpure`, `asn`, `azure_realm`, `azure_tenant`, `baddns_direct`, `baddns_zone`, `baddns`, `badsecrets`, `bevigil`, `bucket_amazon`, `bucket_azure`, `bucket_digitalocean`, `bucket_file_enum`, `bucket_firebase`, `bucket_google`, `bufferoverrun`, `builtwith`, `c99`, `censys`, `certspotter`, `chaos`, `code_repository`, `crt_db`, `crt`, `dehashed`, `digitorus`, `dnsbimi`, `dnsbrute_mutations`, `dnsbrute`, `dnscaa`, `dnscommonsrv`, `dnsdumpster`, `dnstlsrpt`, `docker_pull`, `dockerhub`, `emailformat`, `ffuf_shortnames`, `ffuf`, `filedownload`, `fullhunt`, `git_clone`, `git`, `gitdumper`, `github_codesearch`, `github_org`, `github_usersearch`, `github_workflows`, `gitlab`, `google_playstore`, `gowitness`, `graphql_introspection`, `hackertarget`, `httpx`, `hunt`, `hunterio`, `iis_shortnames`, `ipneighbor`, `jadx`, `leakix`, `myssl`, `ntlm`, `oauth`, `otx`, `paramminer_cookies`, `paramminer_getparams`, `paramminer_headers`, `passivetotal`, `pgp`, `postman_download`, `postman`, `rapiddns`, `reflected_parameters`, `robots`, `securitytrails`, `securitytxt`, `shodan_dns`, `shodan_idb`, `sitedossier`, `skymem`, `social`, `sslcert`, `subdomaincenter`, `subdomainradar`, `trickest`, `trufflehog`, `urlscan`, `virustotal`, `wappalyzer`, `wayback`, `zoomeye`") ## **lightfuzz-heavy** @@ -724,7 +725,7 @@ Quick web scan -Modules: [18]("`azure_realm`, `baddns`, `badsecrets`, `bucket_amazon`, `bucket_azure`, `bucket_firebase`, `bucket_google`, `ffuf_shortnames`, `filedownload`, `git`, `httpx`, `iis_shortnames`, `ntlm`, `oauth`, `robots`, `securitytxt`, `sslcert`, `wappalyzer`") +Modules: [19]("`azure_realm`, `baddns`, `badsecrets`, `bucket_amazon`, `bucket_azure`, `bucket_firebase`, `bucket_google`, `ffuf_shortnames`, `filedownload`, `git`, `graphql_introspection`, `httpx`, `iis_shortnames`, `ntlm`, `oauth`, `robots`, `securitytxt`, `sslcert`, `wappalyzer`") ## **web-screenshots** @@ -770,7 +771,7 @@ Aggressive web scan -Modules: [30]("`ajaxpro`, `azure_realm`, `baddns`, `badsecrets`, `bucket_amazon`, `bucket_azure`, `bucket_digitalocean`, `bucket_firebase`, `bucket_google`, `bypass403`, `dotnetnuke`, `ffuf_shortnames`, `filedownload`, `generic_ssrf`, `git`, `host_header`, `httpx`, `hunt`, `iis_shortnames`, `lightfuzz`, `ntlm`, `oauth`, `reflected_parameters`, `robots`, `securitytxt`, `smuggler`, `sslcert`, `telerik`, `url_manipulation`, `wappalyzer`") +Modules: [32]("`ajaxpro`, `aspnet_bin_exposure`, `azure_realm`, `baddns`, `badsecrets`, `bucket_amazon`, `bucket_azure`, `bucket_digitalocean`, `bucket_firebase`, `bucket_google`, `bypass403`, `dotnetnuke`, `ffuf_shortnames`, `filedownload`, `generic_ssrf`, `git`, `graphql_introspection`, `host_header`, `httpx`, `hunt`, `iis_shortnames`, `lightfuzz`, `ntlm`, `oauth`, `reflected_parameters`, `robots`, `securitytxt`, `smuggler`, `sslcert`, `telerik`, `url_manipulation`, `wappalyzer`") ## Table of Default Presets @@ -778,33 +779,33 @@ Modules: [30]("`ajaxpro`, `azure_realm`, `baddns`, `badsecrets`, `bucket_amazon` Here is a the same data, but in a table: -| Preset | Category | Description | # Modules | Modules | -|----------------------|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| baddns-intense | | Run all baddns modules and submodules. | 4 | baddns, baddns_direct, baddns_zone, httpx | -| cloud-enum | | Enumerate cloud resources such as storage buckets, etc. | 59 | anubisdb, asn, azure_realm, azure_tenant, baddns, baddns_direct, baddns_zone, bevigil, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, bufferoverrun, builtwith, c99, censys, certspotter, chaos, crt, crt_db, digitorus, dnsbimi, dnsbrute, dnsbrute_mutations, dnscaa, dnscommonsrv, dnsdumpster, dnstlsrpt, fullhunt, github_codesearch, github_org, hackertarget, httpx, hunterio, ipneighbor, leakix, myssl, oauth, otx, passivetotal, postman, postman_download, rapiddns, securitytrails, securitytxt, shodan_dns, shodan_idb, sitedossier, social, sslcert, subdomaincenter, subdomainradar, trickest, urlscan, virustotal, wayback, zoomeye | -| code-enum | | Enumerate Git repositories, Docker images, etc. | 19 | apkpure, code_repository, docker_pull, dockerhub, git, git_clone, gitdumper, github_codesearch, github_org, github_usersearch, github_workflows, gitlab, google_playstore, httpx, jadx, postman, postman_download, social, trufflehog | -| dirbust-heavy | web | Recursive web directory brute-force (aggressive) | 5 | ffuf, ffuf_shortnames, httpx, iis_shortnames, wayback | -| dirbust-light | web | Basic web directory brute-force (surface-level directories only) | 4 | ffuf, ffuf_shortnames, httpx, iis_shortnames | -| dotnet-audit | web | Comprehensive scan for all IIS/.NET specific modules and module settings | 8 | ajaxpro, badsecrets, dotnetnuke, ffuf, ffuf_shortnames, httpx, iis_shortnames, telerik | -| email-enum | | Enumerate email addresses from APIs, web crawling, etc. | 8 | dehashed, dnscaa, dnstlsrpt, emailformat, hunterio, pgp, skymem, sslcert | -| fast | | Scan only the provided targets as fast as possible - no extra discovery | 0 | | -| iis-shortnames | web | Recursively enumerate IIS shortnames | 3 | ffuf_shortnames, httpx, iis_shortnames | -| kitchen-sink | | Everything everywhere all at once | 90 | anubisdb, apkpure, asn, azure_realm, azure_tenant, baddns, baddns_direct, baddns_zone, badsecrets, bevigil, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, bufferoverrun, builtwith, c99, censys, certspotter, chaos, code_repository, crt, crt_db, dehashed, digitorus, dnsbimi, dnsbrute, dnsbrute_mutations, dnscaa, dnscommonsrv, dnsdumpster, dnstlsrpt, docker_pull, dockerhub, emailformat, ffuf, ffuf_shortnames, filedownload, fullhunt, git, git_clone, gitdumper, github_codesearch, github_org, github_usersearch, github_workflows, gitlab, google_playstore, gowitness, hackertarget, httpx, hunt, hunterio, iis_shortnames, ipneighbor, jadx, leakix, myssl, ntlm, oauth, otx, paramminer_cookies, paramminer_getparams, paramminer_headers, passivetotal, pgp, postman, postman_download, rapiddns, reflected_parameters, robots, securitytrails, securitytxt, shodan_dns, shodan_idb, sitedossier, skymem, social, sslcert, subdomaincenter, subdomainradar, trickest, trufflehog, urlscan, virustotal, wappalyzer, wayback, zoomeye | -| lightfuzz-heavy | web | Discover web parameters and lightly fuzz them for vulnerabilities, with more intense discovery techniques, including POST parameters, which are more invasive. Uses all lightfuzz modules, and adds paramminer modules for parameter discovery. | 10 | badsecrets, httpx, hunt, lightfuzz, paramminer_cookies, paramminer_getparams, paramminer_headers, portfilter, reflected_parameters, robots | -| lightfuzz-light | web | Discover web parameters and lightly fuzz them for vulnerabilities, with only the most common vulnerabilities and minimal extra modules. Safest to run alongside larger scans. | 3 | httpx, lightfuzz, portfilter | -| lightfuzz-medium | web | Discover web parameters and lightly fuzz them for vulnerabilities. Uses all lightfuzz modules, without some of the more intense discovery techniques. Does not send POST requests. This is the default lightfuzz preset; if you're not sure which one to use, this is a good starting point. | 6 | badsecrets, httpx, hunt, lightfuzz, portfilter, reflected_parameters | -| lightfuzz-superheavy | web | Discover web parameters and lightly fuzz them for vulnerabilities, with the most intense discovery techniques, including POST parameters, which are more invasive. Uses all lightfuzz modules, adds paramminer modules for parameter discovery, and tests each unique parameter-value instance individually. | 10 | badsecrets, httpx, hunt, lightfuzz, paramminer_cookies, paramminer_getparams, paramminer_headers, portfilter, reflected_parameters, robots | -| lightfuzz-xss | web | Discover web parameters and lightly fuzz them, limited to just GET-based xss vulnerabilities. This is an example of a custom lightfuzz preset, selectively enabling a single lightfuzz module. | 5 | httpx, lightfuzz, paramminer_getparams, portfilter, reflected_parameters | -| nuclei | nuclei | Run nuclei scans against all discovered targets | 3 | httpx, nuclei, portfilter | -| nuclei-budget | nuclei | Run nuclei scans against all discovered targets, using budget mode to look for low hanging fruit with greatly reduced number of requests | 3 | httpx, nuclei, portfilter | -| nuclei-intense | nuclei | Run nuclei scans against all discovered targets, allowing for spidering, against ALL URLs, and with additional discovery modules. | 6 | httpx, nuclei, portfilter, robots, urlscan, wayback | -| nuclei-technology | nuclei | Run nuclei scans against all discovered targets, running templates which match discovered technologies | 3 | httpx, nuclei, portfilter | -| paramminer | web | Discover new web parameters via brute-force, and analyze them with additional modules | 6 | httpx, hunt, paramminer_cookies, paramminer_getparams, paramminer_headers, reflected_parameters | -| spider | | Recursive web spider | 1 | httpx | -| spider-intense | | Recursive web spider with more aggressive settings | 1 | httpx | -| subdomain-enum | | Enumerate subdomains via APIs, brute-force | 52 | anubisdb, asn, azure_realm, azure_tenant, baddns_direct, baddns_zone, bevigil, bufferoverrun, builtwith, c99, censys, certspotter, chaos, crt, crt_db, digitorus, dnsbimi, dnsbrute, dnsbrute_mutations, dnscaa, dnscommonsrv, dnsdumpster, dnstlsrpt, fullhunt, github_codesearch, github_org, hackertarget, httpx, hunterio, ipneighbor, leakix, myssl, oauth, otx, passivetotal, postman, postman_download, rapiddns, securitytrails, securitytxt, shodan_dns, shodan_idb, sitedossier, social, sslcert, subdomaincenter, subdomainradar, trickest, urlscan, virustotal, wayback, zoomeye | -| tech-detect | | Detect technologies via Wappalyzer, Nuclei, and FingerprintX | 4 | fingerprintx, httpx, nuclei, wappalyzer | -| web-basic | | Quick web scan | 18 | azure_realm, baddns, badsecrets, bucket_amazon, bucket_azure, bucket_firebase, bucket_google, ffuf_shortnames, filedownload, git, httpx, iis_shortnames, ntlm, oauth, robots, securitytxt, sslcert, wappalyzer | -| web-screenshots | | Take screenshots of webpages | 3 | gowitness, httpx, social | -| web-thorough | | Aggressive web scan | 30 | ajaxpro, azure_realm, baddns, badsecrets, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, bypass403, dotnetnuke, ffuf_shortnames, filedownload, generic_ssrf, git, host_header, httpx, hunt, iis_shortnames, lightfuzz, ntlm, oauth, reflected_parameters, robots, securitytxt, smuggler, sslcert, telerik, url_manipulation, wappalyzer | +| Preset | Category | Description | # Modules | Modules | +|----------------------|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| baddns-intense | | Run all baddns modules and submodules. | 4 | baddns, baddns_direct, baddns_zone, httpx | +| cloud-enum | | Enumerate cloud resources such as storage buckets, etc. | 59 | anubisdb, asn, azure_realm, azure_tenant, baddns, baddns_direct, baddns_zone, bevigil, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, bufferoverrun, builtwith, c99, censys, certspotter, chaos, crt, crt_db, digitorus, dnsbimi, dnsbrute, dnsbrute_mutations, dnscaa, dnscommonsrv, dnsdumpster, dnstlsrpt, fullhunt, github_codesearch, github_org, hackertarget, httpx, hunterio, ipneighbor, leakix, myssl, oauth, otx, passivetotal, postman, postman_download, rapiddns, securitytrails, securitytxt, shodan_dns, shodan_idb, sitedossier, social, sslcert, subdomaincenter, subdomainradar, trickest, urlscan, virustotal, wayback, zoomeye | +| code-enum | | Enumerate Git repositories, Docker images, etc. | 19 | apkpure, code_repository, docker_pull, dockerhub, git, git_clone, gitdumper, github_codesearch, github_org, github_usersearch, github_workflows, gitlab, google_playstore, httpx, jadx, postman, postman_download, social, trufflehog | +| dirbust-heavy | web | Recursive web directory brute-force (aggressive) | 5 | ffuf, ffuf_shortnames, httpx, iis_shortnames, wayback | +| dirbust-light | web | Basic web directory brute-force (surface-level directories only) | 4 | ffuf, ffuf_shortnames, httpx, iis_shortnames | +| dotnet-audit | web | Comprehensive scan for all IIS/.NET specific modules and module settings | 9 | ajaxpro, aspnet_bin_exposure, badsecrets, dotnetnuke, ffuf, ffuf_shortnames, httpx, iis_shortnames, telerik | +| email-enum | | Enumerate email addresses from APIs, web crawling, etc. | 8 | dehashed, dnscaa, dnstlsrpt, emailformat, hunterio, pgp, skymem, sslcert | +| fast | | Scan only the provided targets as fast as possible - no extra discovery | 0 | | +| iis-shortnames | web | Recursively enumerate IIS shortnames | 3 | ffuf_shortnames, httpx, iis_shortnames | +| kitchen-sink | | Everything everywhere all at once | 91 | anubisdb, apkpure, asn, azure_realm, azure_tenant, baddns, baddns_direct, baddns_zone, badsecrets, bevigil, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, bufferoverrun, builtwith, c99, censys, certspotter, chaos, code_repository, crt, crt_db, dehashed, digitorus, dnsbimi, dnsbrute, dnsbrute_mutations, dnscaa, dnscommonsrv, dnsdumpster, dnstlsrpt, docker_pull, dockerhub, emailformat, ffuf, ffuf_shortnames, filedownload, fullhunt, git, git_clone, gitdumper, github_codesearch, github_org, github_usersearch, github_workflows, gitlab, google_playstore, gowitness, graphql_introspection, hackertarget, httpx, hunt, hunterio, iis_shortnames, ipneighbor, jadx, leakix, myssl, ntlm, oauth, otx, paramminer_cookies, paramminer_getparams, paramminer_headers, passivetotal, pgp, postman, postman_download, rapiddns, reflected_parameters, robots, securitytrails, securitytxt, shodan_dns, shodan_idb, sitedossier, skymem, social, sslcert, subdomaincenter, subdomainradar, trickest, trufflehog, urlscan, virustotal, wappalyzer, wayback, zoomeye | +| lightfuzz-heavy | web | Discover web parameters and lightly fuzz them for vulnerabilities, with more intense discovery techniques, including POST parameters, which are more invasive. Uses all lightfuzz modules, and adds paramminer modules for parameter discovery. | 10 | badsecrets, httpx, hunt, lightfuzz, paramminer_cookies, paramminer_getparams, paramminer_headers, portfilter, reflected_parameters, robots | +| lightfuzz-light | web | Discover web parameters and lightly fuzz them for vulnerabilities, with only the most common vulnerabilities and minimal extra modules. Safest to run alongside larger scans. | 3 | httpx, lightfuzz, portfilter | +| lightfuzz-medium | web | Discover web parameters and lightly fuzz them for vulnerabilities. Uses all lightfuzz modules, without some of the more intense discovery techniques. Does not send POST requests. This is the default lightfuzz preset; if you're not sure which one to use, this is a good starting point. | 6 | badsecrets, httpx, hunt, lightfuzz, portfilter, reflected_parameters | +| lightfuzz-superheavy | web | Discover web parameters and lightly fuzz them for vulnerabilities, with the most intense discovery techniques, including POST parameters, which are more invasive. Uses all lightfuzz modules, adds paramminer modules for parameter discovery, and tests each unique parameter-value instance individually. | 10 | badsecrets, httpx, hunt, lightfuzz, paramminer_cookies, paramminer_getparams, paramminer_headers, portfilter, reflected_parameters, robots | +| lightfuzz-xss | web | Discover web parameters and lightly fuzz them, limited to just GET-based xss vulnerabilities. This is an example of a custom lightfuzz preset, selectively enabling a single lightfuzz module. | 5 | httpx, lightfuzz, paramminer_getparams, portfilter, reflected_parameters | +| nuclei | nuclei | Run nuclei scans against all discovered targets | 3 | httpx, nuclei, portfilter | +| nuclei-budget | nuclei | Run nuclei scans against all discovered targets, using budget mode to look for low hanging fruit with greatly reduced number of requests | 3 | httpx, nuclei, portfilter | +| nuclei-intense | nuclei | Run nuclei scans against all discovered targets, allowing for spidering, against ALL URLs, and with additional discovery modules. | 6 | httpx, nuclei, portfilter, robots, urlscan, wayback | +| nuclei-technology | nuclei | Run nuclei scans against all discovered targets, running templates which match discovered technologies | 3 | httpx, nuclei, portfilter | +| paramminer | web | Discover new web parameters via brute-force, and analyze them with additional modules | 6 | httpx, hunt, paramminer_cookies, paramminer_getparams, paramminer_headers, reflected_parameters | +| spider | | Recursive web spider | 1 | httpx | +| spider-intense | | Recursive web spider with more aggressive settings | 1 | httpx | +| subdomain-enum | | Enumerate subdomains via APIs, brute-force | 52 | anubisdb, asn, azure_realm, azure_tenant, baddns_direct, baddns_zone, bevigil, bufferoverrun, builtwith, c99, censys, certspotter, chaos, crt, crt_db, digitorus, dnsbimi, dnsbrute, dnsbrute_mutations, dnscaa, dnscommonsrv, dnsdumpster, dnstlsrpt, fullhunt, github_codesearch, github_org, hackertarget, httpx, hunterio, ipneighbor, leakix, myssl, oauth, otx, passivetotal, postman, postman_download, rapiddns, securitytrails, securitytxt, shodan_dns, shodan_idb, sitedossier, social, sslcert, subdomaincenter, subdomainradar, trickest, urlscan, virustotal, wayback, zoomeye | +| tech-detect | | Detect technologies via Wappalyzer, Nuclei, and FingerprintX | 4 | fingerprintx, httpx, nuclei, wappalyzer | +| web-basic | | Quick web scan | 19 | azure_realm, baddns, badsecrets, bucket_amazon, bucket_azure, bucket_firebase, bucket_google, ffuf_shortnames, filedownload, git, graphql_introspection, httpx, iis_shortnames, ntlm, oauth, robots, securitytxt, sslcert, wappalyzer | +| web-screenshots | | Take screenshots of webpages | 3 | gowitness, httpx, social | +| web-thorough | | Aggressive web scan | 32 | ajaxpro, aspnet_bin_exposure, azure_realm, baddns, badsecrets, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, bypass403, dotnetnuke, ffuf_shortnames, filedownload, generic_ssrf, git, graphql_introspection, host_header, httpx, hunt, iis_shortnames, lightfuzz, ntlm, oauth, reflected_parameters, robots, securitytxt, smuggler, sslcert, telerik, url_manipulation, wappalyzer |