kiterunner-scan

Scan web servers for hidden endpoints

TLDR

Scan a target with an Assetnote wordlist (e.g., first 5000 API routes)

$ kiterunner scan [https://example.com] [[-A|--assetnote-wordlist]] [apiroutes-210228:5000]

Scan a target with a kitebuilder wordlist
$ kiterunner scan [https://example.com] [[-w|--kitebuilder-list]] [path/to/wordlist.kite]

Scan multiple hosts from a file with a kitebuilder wordlist
$ kiterunner scan [path/to/hosts.txt] [[-w|--kitebuilder-list]] [path/to/wordlist.kite]

Scan with an Assetnote wordlist and JSON output
$ kiterunner scan [https://example.com] [[-A|--assetnote-wordlist]] [apiroutes-210228:5000] -o [json]

Scan with custom concurrency settings for performance
$ kiterunner scan [https://example.com] [[-w|--kitebuilder-list]] [path/to/wordlist.kite] [[-x|--max-connection-per-host]] [5] [[-j|--max-parallel-hosts]] [100]

Scan with a wordlist as a normal wordlist, disabling depth scanning
$ kiterunner scan [https://example.com] [[-w|--kitebuilder-list]] [path/to/rafter.txt] [[-d|--preflight-depth]] [0]

Scan with custom headers and ignore specific content length responses
$ kiterunner scan [https://example.com] [[-w|--kitebuilder-list]] [path/to/wordlist.kite] [[-H|--header]] "[Authorization: Bearer token]" --ignore-length [100-105]

Perform a full kitebuilder scan without phase scanning
$ kiterunner scan [https://example.com] [[-w|--kitebuilder-list]] [path/to/wordlist.kite] --kitebuilder-full-scan

SYNOPSIS

kiterunner scan [options...] <target_url>

PARAMETERS

-w, --wordlist <path>
    Path to the wordlist file (.kr.wordlist.gz recommended)

-l, --list
    List all available built-in wordlists

--posts
    Brute-force POST endpoints in addition to GET

--matcher <string>
    Custom response matcher (default: or:status:200)

--threads <int>
    Number of threads (default: 25)

--json
    Output results in JSON format

--output <file>
    Save results to file

--timeout <duration>
    Request timeout (default: 10s)

--delay <duration>
    Delay between requests (default: 0s)

--random-agent
    Use random User-Agent headers

--verbose
    Enable verbose logging

--help
    Show help

DESCRIPTION

kiterunner scan is a high-speed command-line tool for discovering hidden API endpoints by brute-forcing paths from optimized, machine-learning-trained wordlists. It outperforms traditional tools such as gobuster or ffuf, reaching up to 25,000 requests per second through a graph-based path traversal approach. You give it a target URL and a wordlist (often a compressed .kr.wordlist.gz file), and it probes for live endpoints using customizable matchers based on HTTP status, response length, or response content.

Key strengths include support for GET and POST methods, parallel threading, randomized requests, and JSON output for automation. It is well suited to bug bounty hunters and pentesters targeting GraphQL, REST, or microservice APIs. Pre-built wordlists cover popular frameworks such as Spring Boot and Express.js. For a quick scan, run kiterunner scan -w apis.wordlist.gz https://target.com.

CAVEATS

Reaching maximum speed needs significant CPU and RAM; rate-limited targets may need --delay. Wordlists must be downloaded separately. Do not scan production systems without permission.
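The scan pattern described above (thousands of guessed paths per host, most answered with 404) is exactly what the target's web server logs record, so an administrator can spot such a scan from the server side. The script below is an added example for this page, not code from the kiterunner project or LinuxCommandLibrary: it reads access log lines in the common "combined" format and flags any client that requested many distinct paths with a high share of 404 responses. The log lines, addresses and thresholds are constructed for the demo. It deliberately ignores the User-Agent header, since the page notes the tool can randomize it (--random-agent); per-client path diversity is the more robust signal.

```shell
#!/bin/sh
# Added example, not part of kiterunner or LinuxCommandLibrary.
# Detects an endpoint brute-force scan in web server access logs: one client
# requesting many distinct paths, most of them answered with HTTP 404.

# Constructed sample log (combined format): a scanner at 203.0.113.5 probing
# 30 guessed paths (all 404) plus one real endpoint, and an ordinary visitor
# at 198.51.100.7 with a few normal requests.
make_sample_log() {
    i=1
    while [ "$i" -le 30 ]; do
        printf '203.0.113.5 - - [10/Oct/2023:13:55:%02d +0000] "GET /api/v1/guess%d HTTP/1.1" 404 153 "-" "Mozilla/5.0"\n' "$((i % 60))" "$i"
        i=$((i + 1))
    done
    printf '203.0.113.5 - - [10/Oct/2023:13:55:31 +0000] "GET /api/v1/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /login HTTP/1.1" 200 800 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [10/Oct/2023:13:55:43 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"\n'
}

# detect_scanners [min_distinct_paths] [min_404_ratio]
# Reads log lines on stdin and prints "ip distinct_paths ratio_404" for every
# client that exceeds both thresholds. Field positions follow the combined
# format: $1 client IP, $7 request path, $9 response status code.
detect_scanners() {
    awk -v min_paths="${1:-20}" -v min_ratio="${2:-0.8}" '
    {
        ip = $1; path = $7; status = $9
        total[ip]++
        # count each (client, path) pair once so repeats of one URL do not
        # look like a scan
        if (!((ip, path) in seen)) { seen[ip, path] = 1; paths[ip]++ }
        if (status == 404) notfound[ip]++
    }
    END {
        for (ip in total) {
            ratio = notfound[ip] / total[ip]
            if (paths[ip] >= min_paths && ratio >= min_ratio)
                printf "%s %d %.2f\n", ip, paths[ip], ratio
        }
    }'
}

# Run the detector over the constructed sample with the default thresholds.
report_sample() {
    make_sample_log | detect_scanners 20 0.8
}

report_sample
```

On real logs, pipe the access log into detect_scanners and add a time window (for example, feed it only the last few minutes with a log-rotation or tail-based slice), since a long-lived legitimate crawler can also accumulate many distinct paths over days; the thresholds above are starting points to tune against your own traffic.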

INSTALLATION

go install github.com/byt3bl33d3r/kiterunner@latest
Download wordlists: kiterunner wordlist download

EXAMPLE

kiterunner scan -w apis.wordlist.gz --posts https://api.target.com
Discovers endpoints like /api/v1/users

HISTORY

Developed by byt3bl33d3r in 2021 as an open-source project (GitHub: byt3bl33d3r/Kiterunner). It evolved from a Burp Suite extension into a standalone CLI, with ML-optimized wordlists contributed by the community.

SEE ALSO

ffuf(1), gobuster(1), dirsearch(1)