LinuxCommandLibrary

kiterunner-scan

Scan web servers for hidden endpoints

TLDR

Scan a target with an Assetnote wordlist (e.g., the first 5000 API routes)
$ kiterunner scan [https://example.com] [[-A|--assetnote-wordlist]] [apiroutes-210228:5000]

Scan a target with a kitebuilder wordlist
$ kiterunner scan [https://example.com] [[-w|--kitebuilder-list]] [path/to/wordlist.kite]

Scan multiple hosts from a file with a kitebuilder wordlist
$ kiterunner scan [path/to/hosts.txt] [[-w|--kitebuilder-list]] [path/to/wordlist.kite]

Scan with an Assetnote wordlist and JSON output
$ kiterunner scan [https://example.com] [[-A|--assetnote-wordlist]] [apiroutes-210228:5000] -o [json]

Scan with custom concurrency settings (connections per host and parallel hosts)
$ kiterunner scan [https://example.com] [[-w|--kitebuilder-list]] [path/to/wordlist.kite] [[-x|--max-connection-per-host]] [5] [[-j|--max-parallel-hosts]] [100]

Scan with a plain text wordlist used as a normal wordlist, disabling depth scanning
$ kiterunner scan [https://example.com] [[-w|--kitebuilder-list]] [path/to/rafter.txt] [[-d|--preflight-depth]] [0]

Scan with a custom header, ignoring responses with specific content lengths
$ kiterunner scan [https://example.com] [[-w|--kitebuilder-list]] [path/to/wordlist.kite] [[-H|--header]] "[Authorization: Bearer token]" --ignore-length [100-105]

Perform a full kitebuilder scan without phase scanning
$ kiterunner scan [https://example.com] [[-w|--kitebuilder-list]] [path/to/wordlist.kite] --kitebuilder-full-scan

SYNOPSIS

kiterunner-scan options arguments

Note: The command is documented here as `kiterunner-scan`, but the typical invocation of Kiterunner's scan functionality is `kiterunner scan options arguments`.

PARAMETERS

-u, --url
    Specify the target URL for the scan (e.g., `http://example.com/api`).

-w, --wordlist
    Path to the Kiterunner database (DB) file or a custom text wordlist for path enumeration.

-x, --extension
    Comma-separated list of file extensions to append to discovered paths (e.g., `.php,.bak`).

-o, --output
    File path to write the scan results to.

--open-api
    Path to an OpenAPI/Swagger definition file (JSON/YAML) for schema-based endpoint discovery.

--graphql
    Path to a GraphQL introspection schema file for intelligent endpoint scanning.

--threads
    Number of concurrent requests to send during the scan; higher values increase speed and load on the target.

--header
    Add a custom HTTP header to all requests (e.g., `Authorization: Bearer token`). Can be used multiple times.

--data
    HTTP request body to send with requests (e.g., `name=value`). Useful for POST requests.

--proxy
    Use an HTTP or SOCKS proxy for all requests (e.g., `http://127.0.0.1:8080`).

--insecure
    Skip SSL certificate verification for HTTPS connections.

--timeout
    Set a request timeout in seconds for each HTTP request.

DESCRIPTION

Kiterunner is a web reconnaissance tool focused on scanning API endpoints. The `kiterunner-scan` command (usually invoked as `kiterunner scan`) is its core functionality: it uncovers hidden paths, files, and potentially vulnerable endpoints in web applications. Its distinguishing approach is to process OpenAPI/Swagger definitions and GraphQL schemas to identify endpoints that traditional enumeration would not surface. Beyond schema-based discovery, it also supports brute-forcing paths with custom wordlists, similar to tools like Gobuster, for broader coverage. This makes it useful to security professionals and penetration testers mapping a web application's attack surface, especially for applications that rely heavily on APIs. It can discover endpoints, identify the HTTP methods they accept, and reveal sensitive paths or files.

CAVEATS

  • Performance: Large wordlists or extensive schema files combined with high thread counts can consume significant network resources and potentially trigger rate limiting or Web Application Firewalls (WAFs).
  • Database Requirement: For efficient wordlist-based scanning, Kiterunner often relies on its optimized proprietary database (DB file) which needs to be generated using `kiterunner build` or downloaded separately. Using a standard text wordlist might be less efficient.
  • False Positives/Negatives: Like any scanner, it might produce false positives (reporting non-existent endpoints) or false negatives (missing real ones) depending on server responses and configuration.
  • Legal & Ethical Use: Always ensure you have explicit permission before scanning any target system. Unauthorized scanning is illegal and unethical.
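A wrapper for the hosts-file workflow in the TLDR, added here as an example and not part of the kiterunner project or of this page's original text: it cleans a scope file, assembles the `kiterunner scan` invocation with the concurrency flags shown above (modest, as the Performance caveat advises), and runs it only if the binary is installed. The function names and the sample hosts are constructed.

```sh
#!/bin/sh
# Added example, not kiterunner's own code. Assumes a scope file with one
# target per line and that `kiterunner` is on PATH when a real scan runs.

# normalize_hosts FILE: skip blank lines and '#' comments, trim whitespace,
# prepend https:// where no scheme is given, and de-duplicate.
normalize_hosts() {
    sed -e '/^[[:space:]]*#/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | awk 'NF { if ($0 !~ /^https?:\/\//) $0 = "https://" $0; print }' \
    | LC_ALL=C sort -u
}

# build_scan_cmd HOSTS WORDLIST PER_HOST PARALLEL: print the command line.
# -x caps connections per host and -j caps hosts scanned in parallel, so the
# upper bound on in-flight requests is PER_HOST * PARALLEL; keep it modest
# to avoid tripping rate limits or a WAF (see CAVEATS).
build_scan_cmd() {
    printf 'kiterunner scan %s -w %s -x %s -j %s -o json\n' "$1" "$2" "$3" "$4"
}

# run_or_show HOSTS WORDLIST: run the scan when kiterunner is installed,
# otherwise only print the command that would have been executed.
run_or_show() {
    if command -v kiterunner >/dev/null 2>&1; then
        kiterunner scan "$1" -w "$2" -x 5 -j 100 -o json
    else
        echo "kiterunner not found; would run: $(build_scan_cmd "$1" "$2" 5 100)"
    fi
}

# Demo with a constructed scope file (hypothetical hosts).
scope=$(mktemp)
cat > "$scope" <<'EOF'
# constructed sample scope
api.example.com
https://api.example.com
  http://dev.example.com/
EOF
normalize_hosts "$scope" > "$scope.clean"
run_or_show "$scope.clean" path/to/wordlist.kite
rm -f "$scope" "$scope.clean"
```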

KITERUNNER DATABASE (DB FILE)

Kiterunner's primary strength for wordlist-based scanning comes from its optimized database (DB) files. These contain pre-processed and compressed wordlists specifically designed for fast and effective endpoint discovery, often outperforming raw text wordlists. These files need to be generated using the `kiterunner build` command or downloaded from official sources to leverage Kiterunner's full potential for efficient brute-forcing.

SCHEMA-BASED SCANNING

One of Kiterunner's distinguishing features is its ability to parse OpenAPI/Swagger definitions and GraphQL schemas. By providing these files via the `--open-api` or `--graphql` options, the tool can intelligently identify and test endpoints, parameters, and HTTP methods defined within the API specification. This significantly reduces the guesswork in API reconnaissance by targeting known API structures directly.

HISTORY

Kiterunner was developed and open-sourced by Assetnote, a company specializing in external attack surface management. Its creation aimed to provide security professionals with a powerful and efficient tool for API endpoint discovery, specifically addressing the challenges posed by modern web applications relying heavily on OpenAPI/Swagger and GraphQL specifications. It quickly gained traction in the penetration testing community for its speed, unique methodology, and dual capability of both schema-aware scanning and traditional brute-forcing, filling a crucial gap in existing reconnaissance tools.

SEE ALSO

gobuster(1), dirb(1), ffuf(1), nuclei(1)
