LinuxCommandLibrary

kiterunner-brute

Brute-force subdomains and hidden endpoints

TLDR

Bruteforce a target with an Assetnote wordlist (e.g., first 20,000 API routes)

$ kiterunner brute [https://example.com] [[-A|--assetnote-wordlist]] [apiroutes-210328:20000]

Bruteforce a target with a custom wordlist

$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/wordlist.txt]

Bruteforce using a dirsearch-style wordlist with extension substitution

$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/dirsearch.txt] [[-D|--dirsearch-compat]] [[-e|--extensions]] [json,txt]

Bruteforce with specific file extensions appended and output in JSON format

$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/wordlist.txt] [[-e|--extensions]] [aspx,ashx] [[-o|--output]] [json]

Bruteforce a list of targets from a file with custom concurrency settings for performance

$ kiterunner brute [path/to/targets.txt] [[-w|--wordlist]] [path/to/wordlist.txt] [[-x|--max-connection-per-host]] [5] [[-j|--max-parallel-hosts]] [100]

Bruteforce and ignore specific content length responses

$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/wordlist.txt] --ignore-length [100-105]

Bruteforce with custom HTTP headers

$ kiterunner brute [https://example.com] [[-w|--wordlist]] [path/to/wordlist.txt] [[-H|--header]] "[Authorization: Bearer token]"

Bruteforce a list of targets from a file with fail status code filtering

$ kiterunner brute [path/to/targets.txt] [[-w|--wordlist]] [path/to/wordlist.txt] --fail-status-codes [400,401,404]

SYNOPSIS

kiterunner brute [OPTIONS] <TARGET>

PARAMETERS

-w, --wordlist <PATH>
    Path to one or more wordlists for brute-forcing paths. Multiple wordlists can be specified by repeating the flag or providing a comma-separated list.

-e, --extensions <EXTS>
    Comma-separated list of extensions to append to discovered paths (e.g., .php,.html,.js).

-H, --header <HEADER>
    Add a custom HTTP header to all requests (e.g., 'Authorization: Bearer token'). Can be specified multiple times.

-d, --data <DATA>
    HTTP POST data to send with requests. Typically used in conjunction with -X POST.

-X, --method <METHOD>
    HTTP method to use for requests (e.g., GET, POST, PUT). Defaults to GET.

-c, --concurrency <NUM>
    Number of concurrent requests to send (default: 100).

-t, --timeout <SECONDS>
    Request timeout in seconds (default: 10).

-s, --status-codes <CODES>
    Comma-separated list of HTTP status codes to consider valid discoveries (e.g., 200,301,403).

-S, --skip-status-codes <CODES>
    Comma-separated list of HTTP status codes to ignore (e.g., 404,500).

-L, --follow-redirects
    Follow HTTP redirects for discovered paths.

--proxy <URL>
    HTTP/SOCKS5 proxy to use for requests (e.g., http://127.0.0.1:8080).

-o, --output <FILE>
    Write results to the specified file.

-v, --verbose
    Enable verbose output, showing more details during the scan.

--crawl
    Enable recursive crawling of discovered directories, adding their content to the scan scope.

--config <FILE>
    Path to a YAML configuration file to load scan settings.

--delay <MILLISECONDS>
    Delay between requests in milliseconds to avoid overwhelming the target.

--filter-response-size <FILTER>
    Filter responses by size (e.g., '+100,-200' to include sizes over 100 bytes and exclude sizes over 200 bytes).

--ignore-wildcard
    Attempt to ignore wildcard responses where the server returns a consistent response for non-existent paths, reducing false positives.

DESCRIPTION

Kiterunner's brute subcommand performs web content discovery by systematically brute-forcing paths against a target URL or host. It iterates through permutations from provided wordlists and appends extensions to uncover hidden or unlinked directories and files.

The tool intelligently identifies valid paths by analyzing response sizes, HTTP status codes, and other filtering criteria. It's an essential utility for security professionals conducting reconnaissance, aiming to expand the known attack surface and discover potentially sensitive endpoints or misconfigurations on web applications. It can be tailored with numerous options for highly specific and effective scans.

CAVEATS

Usage of kiterunner-brute can generate significant network traffic, potentially triggering intrusion detection/prevention systems (IDS/IPS) or web application firewalls (WAFs).

The effectiveness of the brute-force attack is highly dependent on the quality and relevance of the provided wordlists.

Always ensure you have explicit authorization before performing scans against any target, as unauthorized use may be illegal.

WORDLIST STRATEGY

The choice of wordlists is paramount for the effectiveness of kiterunner-brute. For optimal results, consider using technology-specific wordlists (e.g., for Node.js, PHP, ASP.NET) or those derived from public datasets like CommonSpeak or SecLists.

Combining multiple wordlists using the -w flag can significantly increase coverage of potential paths.

WILDCARD HANDLING

Kiterunner-brute includes robust wildcard detection logic, which helps in automatically identifying and ignoring responses that are consistent for both valid and invalid paths. This feature, enabled by --ignore-wildcard, is crucial for reducing noise and false positives in the scan results, making the output more actionable.
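The filters above (the --ignore-length range, --fail-status-codes and wildcard-baseline removal) are easy to reason about once written out as a post-processing step. The Python below is an added example, not kiterunner's own code or output format: the Result record, its field names and the sample responses are constructed for illustration, and wildcard detection is reduced to the (status, length) signature of a few random, non-existent paths.

```python
"""Offline post-filter modelling the response filters this page describes:
--ignore-length ranges, --fail-status-codes, and wildcard-baseline removal.
Added example, not kiterunner's own code; the Result fields and the sample
data below are constructed for illustration."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Result:
    """One discovery result: method, full URL, HTTP status and body length."""
    method: str
    url: str
    status: int
    length: int


def parse_ignore_length(spec: str) -> list[tuple[int, int]]:
    """Parse a spec like '100-105,0' into inclusive (low, high) ranges."""
    ranges: list[tuple[int, int]] = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = part.split("-", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(part), int(part)))
    return ranges


def parse_status_codes(spec: str) -> set[int]:
    """Parse '400,401,404' into a set of integer status codes."""
    return {int(code) for code in spec.split(",") if code.strip()}


def wildcard_baseline(probes: list[Result]) -> Optional[tuple[int, int]]:
    """Derive the server's 'unknown path' signature from probes of random,
    non-existent paths. Returns (status, length) when every probe agrees,
    otherwise None, meaning there is no stable wildcard to filter on."""
    signatures = {(p.status, p.length) for p in probes}
    if len(signatures) == 1:
        return signatures.pop()
    return None


def filter_results(
    results: list[Result],
    ignore_length: str = "",
    fail_status_codes: str = "",
    baseline: Optional[tuple[int, int]] = None,
) -> list[Result]:
    """Drop results whose status is a fail code, whose length falls in an
    ignored range, or whose (status, length) matches the wildcard baseline."""
    ranges = parse_ignore_length(ignore_length)
    fail = parse_status_codes(fail_status_codes)
    kept: list[Result] = []
    for r in results:
        if r.status in fail:
            continue
        if any(low <= r.length <= high for low, high in ranges):
            continue
        if baseline is not None and (r.status, r.length) == baseline:
            continue
        kept.append(r)
    return kept


# Constructed sample data: two probes of random paths, then candidate results.
PROBES = [
    Result("GET", "https://example.com/zq8x1pw0", 200, 1532),
    Result("GET", "https://example.com/k3m9v2tq", 200, 1532),
]
RESULTS = [
    Result("GET", "https://example.com/api/v1/users", 200, 412),
    Result("GET", "https://example.com/admin", 403, 103),
    Result("GET", "https://example.com/nothing-here", 200, 1532),
    Result("GET", "https://example.com/login", 401, 0),
    Result("GET", "https://example.com/api/v1/health", 200, 17),
]


def demo() -> list[Result]:
    """Apply the same filter values the TLDR examples pass on the command line."""
    return filter_results(
        RESULTS,
        ignore_length="100-105",
        fail_status_codes="400,401,404",
        baseline=wildcard_baseline(PROBES),
    )


if __name__ == "__main__":
    for r in demo():
        print(f"{r.status} {r.length:>6} {r.method} {r.url}")
```

Running the demo keeps only /api/v1/users and /api/v1/health: /admin is dropped by the 100-105 length range, /login by the 401 fail code, and /nothing-here because it carries the same 200/1532 signature as the random probes. The caveat the simplification makes visible is that a baseline keyed on status and length alone will also discard a genuine page whose body happens to be the same size as the wildcard response, so treat size-based filtering as a noise reducer to be sanity-checked, not as proof of absence.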

HISTORY

Kiterunner, including its brute subcommand, was developed by Assetnote, a company specializing in attack surface management. It emerged as an open-source tool to enhance web content discovery, particularly in the context of identifying hidden assets and vulnerabilities within modern web applications. Its development focuses on performance, flexibility, and intelligent filtering to minimize false positives, continuously incorporating community feedback and new techniques for effective reconnaissance.

SEE ALSO

ffuf(1), gobuster(1), dirb(1), wfuzz(1)
