LinuxCommandLibrary

kiterunner-brute

Brute-force subdomains and hidden endpoints

TLDR

Bruteforce a target with an Assetnote wordlist (e.g., first 20,000 API routes)
$ kiterunner brute [https://example.com] [[-A|--assetnote-wordlist]] [apiroutes-210328:20000]

Bruteforce a target with a custom wordlist
$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/wordlist.txt]

Bruteforce using a dirsearch-style wordlist with extension substitution
$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/dirsearch.txt] [[-D|--dirsearch-compat]] [[-e|--extensions]] [json,txt]

Bruteforce with specific file extensions appended and output in JSON format
$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/wordlist.txt] [[-e|--extensions]] [aspx,ashx] [[-o|--output]] [json]

Bruteforce a list of targets from a file with custom concurrency settings for performance
$ kiterunner brute [path/to/targets.txt] [[-w|--wordlist]] [path/to/wordlist.txt] [[-x|--max-connection-per-host]] [5] [[-j|--max-parallel-hosts]] [100]

Bruteforce and ignore specific content length responses
$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/wordlist.txt] --ignore-length [100-105]

Bruteforce with custom HTTP headers
$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/wordlist.txt] [[-H|--header]] "[Authorization: Bearer token]"

Bruteforce a list of targets from a file with fail status code filtering
$ kiterunner brute [path/to/targets.txt] [[-w|--wordlist]] [path/to/wordlist.txt] --fail-status-codes [400,401,404]

SYNOPSIS

kiterunner brute [options] target_url

PARAMETERS

-w, --wordlist
    Specify the wordlist file containing the paths to bruteforce.

-o, --output
    Save the results to a specified output file.

-r, --rate
    Set the number of requests per second.

-t, --threads
    Define the number of concurrent threads.

-e, --extensions
    Specify file extensions to append to the wordlist entries (e.g., php,txt,html).

-x, --exclude-status
    Exclude specific HTTP status codes from the results (e.g., 404,500).

-v, --verbose
    Enable verbose output for debugging and monitoring.

-s, --status-codes
    Specify the HTTP status codes to display (e.g., 200-299).

-I, --include-length
    Include results with specified content lengths.

-X, --exclude-length
    Exclude results with specified content lengths.

-H, --header
    Add a custom HTTP header to each request.

-a, --user-agent
    Specify the user-agent string to use in requests.

--no-color
    Disable colored output.

--skip-tls-verify
    Skip TLS certificate verification (not recommended for production).

--version
    Show version information.

-h, --help
    Display help message.

DESCRIPTION

The kiterunner-brute command is a part of the Kiterunner suite, a reconnaissance tool focused on discovering interesting endpoints and content on web servers. Specifically, kiterunner-brute performs directory and file bruteforcing using provided wordlists. It efficiently probes for hidden files and directories that might reveal sensitive information, configuration details, or unpatched vulnerabilities.

This tool significantly enhances the effectiveness of web application security assessments and penetration testing exercises by automating the tedious process of manually trying various URLs. It leverages concurrent requests and filters results based on status codes, content length, and other configurable criteria to minimize false positives and highlight potential areas of interest. The tool's effectiveness heavily relies on the quality and relevance of the wordlists supplied.

CAVEATS

The effectiveness of kiterunner-brute is heavily dependent on the quality and relevance of the wordlists used.

Aggressive bruteforcing can generate significant network traffic and potentially disrupt or overload web servers, especially if the request rate is set too high. Always use responsibly and with authorization.
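
Seen from the server side, a wordlist run stands out in access logs as one client requesting many different paths that do not exist. The sketch below is an added example, not part of kiterunner or of the original page; it assumes combined log format, and the function names, thresholds and sample log lines are constructed for illustration.

```shell
# Added example (not kiterunner code): flag clients in a web access log whose
# requests look like a wordlist-driven path bruteforce.
# Assumptions: combined log format; thresholds and sample log are constructed.

# Usage: flag_path_bruteforce MIN_DISTINCT_404 MIN_MISS_PERCENT < access.log
# Prints "ip distinct_404_paths total_requests miss_percent" per flagged client.
flag_path_bruteforce() {
    awk -v min404="$1" -v minpct="$2" '
    {
        ip = $1; path = $7
        total[ip]++
        if ($9 == "404") {
            misses[ip]++
            # Count each missing path once per client: a wordlist run hits
            # many different missing paths, a broken link repeats one path.
            if (!((ip, path) in seen)) {
                seen[ip, path] = 1
                distinct[ip]++
            }
        }
    }
    END {
        for (ip in total) {
            pct = int(misses[ip] * 100 / total[ip])
            if (distinct[ip] + 0 >= min404 + 0 && pct >= minpct + 0)
                print ip, distinct[ip] + 0, total[ip], pct
        }
    }' | sort
}

# Constructed sample log: 198.51.100.7 walks a wordlist, 203.0.113.5 browses
# normally, 203.0.113.9 keeps requesting one missing favicon.
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [10/Mar/2025:10:00:01 +0000] "GET /api/v1/users HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [10/Mar/2025:10:00:01 +0000] "GET /api/v1/admin HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [10/Mar/2025:10:00:01 +0000] "GET /backup.json HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [10/Mar/2025:10:00:02 +0000] "GET /config.txt HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [10/Mar/2025:10:00:02 +0000] "GET /health HTTP/1.1" 200 12 "-" "-"
203.0.113.5 - - [10/Mar/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
203.0.113.5 - - [10/Mar/2025:10:00:09 +0000] "GET /about HTTP/1.1" 200 2048 "-" "-"
203.0.113.5 - - [10/Mar/2025:10:00:20 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "-"
203.0.113.9 - - [10/Mar/2025:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "-"
203.0.113.9 - - [10/Mar/2025:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "-"
203.0.113.9 - - [10/Mar/2025:10:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "-"
203.0.113.9 - - [10/Mar/2025:10:00:07 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
EOF
}

sample_log | flag_path_bruteforce 4 50   # prints: 198.51.100.7 4 5 80
```

Counting distinct missing paths rather than raw 404s keeps a client that repeats one broken link from being flagged alongside a client walking a wordlist.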

OPTIMIZATION

For optimized usage, experiment with thread count and request rate. Monitor server response times and adjust parameters to avoid overwhelming the target.

SEE ALSO

curl(1), wget(1), gobuster(1)
