kiterunner-scan
Scan web servers for hidden endpoints
TLDR
Scan a target with an Assetnote wordlist (e.g., first 5000 API routes)
Scan a target with a kitebuilder wordlist
Scan multiple hosts from a file with a kitebuilder wordlist
Scan with an Assetnote wordlist and JSON output
Scan with custom concurrency settings for performance
Scan with a wordlist as a normal wordlist, disabling depth scanning
Scan with custom headers and ignore specific content length responses
Perform a full kitebuilder scan without phase scanning
SYNOPSIS
kr scan [options] target
PARAMETERS
-d, --debug
Enable debug output.
-w, --wordlists strings
Comma separated list of wordlists to use.
-c, --config string
Path to the kiterunner config file (default is $HOME/.kiterunner/config.yaml).
-t, --threads int
Number of threads to use (default is 25).
-o, --output string
Output file to store results.
--no-output
Do not write any output to the screen.
-r, --resolvers strings
Comma separated list of resolvers to use.
-H, --header strings
Custom headers to include in requests (e.g., "Authorization: Bearer token").
--ignore-status-codes strings
Comma separated list of status codes to ignore.
--ignore-length strings
Comma separated list of content lengths to ignore.
--scan-depth int
Sets the crawling depth, useful for SPA.
-b, --body string
Request body to send with POST/PUT requests.
-m, --method string
HTTP method to use (GET, POST, PUT, DELETE, etc.). Default is GET.
--proxy string
Proxy server to use (e.g., http://127.0.0.1:8080).
--no-recursion
Disable recursive directory bruteforcing.
--no-wildcard-filters
Disable wildcard filtering. This will show you *every* response from the server.
--ignore-ssl-errors
Ignore SSL certificate errors.
--include-extensions
Enable extensions from the index.
--scan-extensions string
Comma separated list of extensions to scan for.
--exclude-extensions string
Comma separated list of extensions to skip from scanning.
--no-redirects
Do not follow redirects.
--timeout int
Sets the HTTP timeout in seconds.
--update-index
Updates the index file.
--list-index
List items in the index.
--index-item string
Show single entry from the index.
DESCRIPTION
Kiterunner Scan (kr scan) is a fast, context-aware content discovery tool that helps security researchers and bug bounty hunters identify interesting files, directories, and endpoints on web applications. It combines wordlist generation, crawling, and response filtering to minimize false positives and maximize the chances of finding hidden content. It is customizable and extensible, so users can tailor the scanning process to specific targets; it supports various request methods and can be integrated into automated workflows. kr scan uses an index with custom extension support and the ability to add custom wordlists, and it is used to automate and improve the content discovery phase of web application penetration testing.
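The following wrapper is an added example and is not code from the kiterunner project or this reference. It shows how the flags listed under PARAMETERS are composed into a reviewable `kr scan` invocation, with the input checks an operator wants before launching an authorized scan: the wordlist must be readable, the thread count must be a positive integer, and the command is executed without `eval` so paths containing spaces are passed intact. It assumes the flag names match the reference as printed (confirm with `kr scan --help` on your installation), that the target may be a hostname or a file of hosts as the TLDR entry implies, and that a bearer token is supplied through a `KR_TOKEN` environment variable (a placeholder name chosen here).

```shell
#!/bin/sh
# Added example, not part of the kiterunner project or its documentation.
# Wraps `kr scan` with input checks and the flags listed in PARAMETERS.
# Assumptions: flag names match the reference as printed; the target may be
# a hostname or a file of hosts; KR_TOKEN (placeholder name) holds a token.

# Validate inputs. Prints a message to stderr and returns 1 on failure.
check_scan_inputs() {
    target="$1"; wordlist="$2"; threads="$3"
    [ -n "$target" ]   || { echo "target required" >&2; return 1; }
    [ -r "$wordlist" ] || { echo "wordlist not readable: $wordlist" >&2; return 1; }
    case "$threads" in
        ''|*[!0-9]*|0) echo "threads must be a positive integer" >&2; return 1 ;;
    esac
    return 0
}

# Print the command run_scan would execute, for review or dry runs.
# Usage: build_scan_cmd TARGET WORDLIST OUTPUT [THREADS]   (threads default 25)
build_scan_cmd() {
    check_scan_inputs "$1" "$2" "${4:-25}" || return 1
    printf "kr scan %s -w %s -t %s -o %s --timeout 10 --ignore-length 0 -H 'Authorization: Bearer %s'\n" \
        "$1" "$2" "${4:-25}" "$3" "${KR_TOKEN:-REPLACE_ME}"
}

# Execute the scan directly (no eval) so quoting of paths is preserved.
# Usage: run_scan TARGET WORDLIST OUTPUT [THREADS]
run_scan() {
    check_scan_inputs "$1" "$2" "${4:-25}" || return 1
    kr scan "$1" -w "$2" -t "${4:-25}" -o "$3" --timeout 10 --ignore-length 0 \
        -H "Authorization: Bearer ${KR_TOKEN:-REPLACE_ME}"
}
```

`--ignore-length 0` drops empty responses, which otherwise flood the results on servers that answer every unknown path with a blank 200; adjust it to the lengths your wildcard check reports (see the CAVEATS note on wildcard filtering).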
CAVEATS
Requires a properly configured index file for optimal performance. Incorrect configuration can lead to false positives or missed results. Wildcard filtering relies on identifying common server responses, which may not always be accurate.
INDEX MANAGEMENT
Kiterunner relies on an index file containing wordlists, extensions, and other configuration data. Use the `--update-index` option to update the index. Use `--list-index` to list the contents. Proper index configuration is crucial for effective scanning.
CONFIGURATION
Kiterunner's behavior is heavily influenced by its configuration file, typically located at `$HOME/.kiterunner/config.yaml`. This file allows you to customize various aspects of the scan, such as wordlists, resolvers, and default settings. Familiarize yourself with the configuration options to fine-tune the tool for your specific needs.