loading
loading
Fuzzing
Website directory and file brute forcing at extreme scale.
overview
crithit flips the usual content-discovery pattern. Instead of hammering one host with every wordlist entry, it takes a single wordlist item and tests it across a large list of hosts before moving to the next item. Spreading requests this way avoids the low per-host limits a Web Application Firewall enforces, so a brute force can keep running where a single-target tool would get banned.
Built for breadth, crithit drives content discovery over an entire scope at once. It supports proxy lists for rotation, signature matching for interesting responses, and a configurable set of positive status codes so only meaningful hits surface. Verification through different proxies confirms a result is real rather than a WAF artifact.
Run it after you have probed a wide host list, then feed the discovered paths into a prober or scanner.
source github.com/codingo/crithit
use cases
Test each wordlist item across every host in --target-list, so content discovery covers an estate in one pass instead of host by host.
Spread requests across many hosts and rotate through a --proxy list so no single target sees enough traffic to trigger a low-limit firewall ban.
Use --verify to recheck successful results through different proxies and separate genuine findings from rate-limit responses.
Set --statuscodes or --statuscodesblacklist so only the responses you care about are reported, cutting noise on large runs.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target-list | FILE | --target-list | A file containing the list of targets to brute force across. |
| word-list | FILE | --word-list | Required wordlist of paths to test against every host. |
| target | STRING | --target | The target URL for a single-host run. |
| statuscodes | STRING | --statuscodes | Positive status codes that count as hits (default includes 200, 301, 302, 401, 403). |
| proxy | FILE | --proxy | A file of proxies (IP:port) to rotate through. |
| verify | STRING | --verify | Verify successful results with different proxies. |
| threads | STRING | --threads | Number of threads to use (default 4). |
| signatures | FILE | --signatures | File of signatures to look out for across top-level domains. |
Showing key inputs. crithit exposes 15 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| proxy | FILE | --proxy | A file containing list of proxy names and port [IP:port]. |
| target | STRING | --target | The target URL. |
| verify | STRING | --verify | Verify successful results with different proxies. |
| threads | STRING | --threads | Number of threads to use (default: 4). |
| verbose | BOOLEAN | --verbose | Be verbose with output. |
| read-for | STRING | --read-for | Wait N seconds to receive data from server (default: 10). |
| wait-for | STRING | --wait-for | Wait N seconds to connect/send data to server (default: 5). |
| word-list | FILE | --word-list | (required) A filename containing list of words to use. |
| exceptions | FILE | --exceptions | File containing words. |
| signatures | FILE | --signatures | File containing list of signatures to look out for in top-level domains. |
| max-sockets | STRING | --max-sockets | Number of sockets to use. |
| statuscodes | STRING | --statuscodes | Positive status codes (will be overwritten with statuscodesblacklist if set) (default: 200,204,301,302,307,401,403,408). |
| target-list | FILE | --target-list | A file containing the list of targets. |
| randomize-agent | BOOLEAN | --randomize-agent | Use random user agents for requests. |
| statuscodesblacklist | STRING | --statuscodesblacklist | Negative status codes (will override statuscodes if set). |
example
# rotate one path across many hosts to dodge WAF limitscrithit --target-list hosts.txt --word-list paths.txt --threads 8 --statuscodes 200,204,301,302,401,403 --randomize-agenthttps://www.example.com/admin -> 401https://api.example.com/admin -> 403https://staging.example.com/backup -> 200https://app.example.com/.env -> 200https://cdn.example.com/server-status -> 403https://dev.example.com/console -> 302https://198.51.100.10/login -> 200https://203.0.113.25/.git/HEAD -> 200guidance
Use CritHit when you need to brute force content across many hosts and a WAF would ban a single-target run. For deep discovery against one host, ffuf or feroxbuster give richer filtering and recursion. CritHit trades depth per host for breadth across the scope.
Fast single-target FUZZ engine with rich response filtering. CritHit spreads across hosts instead.
Recursive content discovery against one host. CritHit favors breadth and WAF evasion.
Simple per-host directory brute forcing, no cross-host rotation.
faq
related
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, wired to run across a list of target URLs.
A fast web fuzzer written in Go, run across a URL list with folder output.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, packaged for virtual host discovery.
Fastest recursive HTTP fuzzer, like a Ferrari.
A host list and a wordlist feed CritHit, which spreads each path across every host to dodge WAF limits and writes the discovered paths as a queryable output.
Facts on this page come from the live Trickest tool library.