kiterunner
Kiterunner is a tool that is capable of not only performing traditional content discovery at lightning-fast speeds but also brute-forcing routes/endpoints in modern applications.
Details
Category: Discovery
Publisher: trickest
Created Date: 11/13/2021
Container: quay.io/trickest/kiterunner:7d5824c-patch-1
Source URL: https://github.com/assetnote/kiterunner
Parameters
delay
string
Command:
--delay
- Delay to place in between requests to a single host

hosts
file
required
Command:
- Target hosts

quiet
boolean
Command:
--quiet
- Quiet mode. Will mute unnecessary pretty text

header
string
Command:
--header
- Headers to add to requests (default [x-forwarded-for: 127.0.0.1])

output
string
Command:
--output
- Output format. Can be json,text,pretty (default pretty)

kb-mode
boolean
Command:
kb
- Kb mode. Manipulate the kitebuilder schema

timeout
string
Command:
--timeout
- Timeout to use on all requests (default 3s)

verbose
string
Command:
--verbose
- Level of logging verbosity. Can be error,info,debug,trace (default info)

wordlist
file
required
Command:
-w
- Normal/ogl wordlist to use for scanning

scan-mode
boolean
required
Command:
scan
- Scan mode.

brute-mode
boolean
required
Command:
brute
- Bruteforce mode.

filter-api
string
Command:
--filter-api
- Only scan apis matching this ksuid

user-agent
string
Command:
--user-agent
- User agent to use for requests (default Chrome. Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36)

config-file
file
Command:
--config
- Specify the config file.

force-method
string
Command:
--force-method
- Whether to ignore the methods specified in the ogl file and force this method

profile-name
string
Command:
--profile-name
- Name for profile output file

ignore-length
string
Command:
--ignore-length
- A range of content length bytes to ignore. You can have multiple, e.g. 100-105 or 1234 or 123,34-53. This is inclusive on both ends

kb-mode-debug
boolean
Command:
-d
- Debug mode will attempt to convert the schema with error handling

kb-mode-parse
file
Command:
parse
- Parse a kitebuilder schema and print out the prettified data

max-redirects
string
Command:
--max-redirects
- Maximum number of redirects to follow (default 3)

wordlist-mode
boolean
Command:
wordlist
- Wordlist mode. Look at your cached wordlists and remote wordlists

kb-mode-replay
string
Command:
replay
- Replay a kitebuilder request based on the input

kb-mode-convert
file
Command:
convert
- Convert an input file format into the specified output file format

preflight-depth
string
Command:
--preflight-depth
- When performing preflight checks, what directory depth do we attempt to check. 0 means that only the docroot is checked (default 1)

blacklist-domain
string
Command:
--blacklist-domain
- Domains that are blacklisted for redirects. We will not follow redirects to these domains

disable-precheck
boolean
Command:
--disable-precheck
- Whether to skip host discovery

kitebuilder-list
file
Command:
--kitebuilder-list
- Ogl wordlist to use for scanning

fail-status-codes
string
Command:
--fail-status-codes
- Which status codes to blacklist as fail. If this is set, this will override success-status-codes

assetnote-wordlist
string
required
Command:
--assetnote-wordlist
- Use the wordlists from wordlist.assetnote.io. Specify the type/name to use, e.g. apiroutes-210228. You can specify an additional maxlength to use only the first N values in the wordlist, e.g. apiroutes-210228;20000 will only use the first 20000 lines in that wordlist

max-parallel-hosts
string
Command:
--max-parallel-hosts
- Max number of concurrent hosts to scan at once (default 50)

wildcard-detection
string
Command:
--wildcard-detection
- Can be set to false to disable wildcard redirect detection (default true)

wordlist-mode-list
boolean
Command:
list
- List the wordlists cached and available

wordlist-mode-save
string
Command:
save
- Save the wordlists specified (full filename or alias)

quarantine-threshold
string
Command:
--quarantine-threshold
- If the host returns N consecutive hits, we quarantine the host as wildcard. Set to 0 to disable (default 10)

success-status-codes
string
Command:
--success-status-codes
- Which status codes to whitelist as success. This is the default mode

brute-mode-extensions
string
Command:
--extensions
- Extensions to append while scanning

kitebuilder-full-scan
boolean
Command:
--kitebuilder-full-scan
- Perform a full scan without first performing a phase scan.

max-connection-per-host
string
Command:
--max-connection-per-host
- Max connections to a single host (default 3)

kb-mode-compile-wordlist
file
Command:
compile
- Compile a kitebuilder schema and write the data to the specified file

brute-mode-dirsearch-compat
boolean
Command:
--dirsearch-compat
- This will replace %EXT% with the extensions provided. Backwards compat with dirsearch because shubs loves him some dirsearch

kb-mode-compile-output-file
string
Command:

kb-mode-convert-output-file-format
string
Command:
- kb mode convert mode output file format