PenHunter


πŸ” Modular Web Vulnerability Scanner

Comprehensive testing for XSS, SQLi, LFI, SSRF, RCE, Open Redirect, and CSRF, built for penetration testers, bug bounty hunters, and security researchers.

About

PenHunter is a modular web vulnerability scanner written in Go. It tests for common web vulnerabilities, including XSS, SQL injection, LFI, SSRF, RCE, open redirect, and CSRF, using concurrent scanning, boolean-, time- and error-based detection, WAF evasion, and integrations with dalfox, sqlmap, nuclei and other external tools.

[Demo image: PenHunter] PenHunter, modular vulnerability scanner with interactive and CLI modes.



Features

Core Capabilities

  • Multiple Vulnerability Scanners: XSS, SQLi, LFI, SSRF, RCE, Open Redirect, CSRF
  • High Performance: Concurrent scanning with configurable thread pools
  • Advanced Detection: Boolean-based, time-based, error-based detection methods
  • WAF Evasion: Payload mutation, header rotation, TLS fingerprint randomization
  • External Tool Integration: dalfox, sqlmap, nuclei, and more
  • Multiple Output Formats: JSON, HTML, TXT
  • Interactive CLI: Menu-driven interface for guided scans
  • Auto-Update: Built-in update mechanism via GitHub releases
  • Organized Results: Automatic directory structure for scan results

Intelligent Detection Engine

Differential analysis, boolean/time/error oracles, and payload mutation built in.

  • Differential Response Analysis: Detects subtle behavior changes that confirm vulnerabilities
  • Multi-Method Coverage: Boolean-based, time-based, and error-based detection paths per vuln class
  • Payload Mutation: Automatic encoding, casing, and obfuscation variants for WAF bypass
  • Confidence Scoring: Per-finding confidence to separate true positives from noise
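As an added illustration of what a boolean oracle with differential response analysis and confidence scoring involves (example code written for this page, not PenHunter's own engine), the Go program below sends a baseline, an always-true and an always-false payload per parameter, strips volatile fragments such as timestamps and nonces before comparing bodies, and refuses to judge a page whose baseline is not stable between two identical requests. The names BooleanProbe, fetch and NewMockTarget, the in-process mock target and the two generic payload pairs are all constructed for this example and are not the project's payload set.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// Finding is the outcome of probing one parameter with a boolean oracle.
type Finding struct {
	Param      string
	Confidence float64 // fraction of TRUE/FALSE payload pairs that diverged
	Reason     string
}

// volatile matches fragments that change between two identical requests
// (clock values, nonces, anti-CSRF tokens); they are stripped before diffing.
var volatile = regexp.MustCompile(`(?i)\d{2}:\d{2}:\d{2}|nonce="[^"]*"|name="csrf[^"]*" value="[^"]*"`)

// fetch issues GET base with param set to value and returns the normalized body.
func fetch(c *http.Client, base, param, value string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set(param, value)
	u.RawQuery = q.Encode()
	resp, err := c.Get(u.String())
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return strings.TrimSpace(volatile.ReplaceAllString(string(body), "")), err
}

// BooleanProbe flags a parameter when appending an always-true condition leaves
// the page identical to the baseline while the matching always-false condition
// changes it. The baseline is fetched twice first: a page that differs between
// two identical requests cannot be judged by this oracle at all.
func BooleanProbe(c *http.Client, base, param, original string) (Finding, error) {
	base1, err1 := fetch(c, base, param, original)
	base2, err2 := fetch(c, base, param, original)
	if err1 != nil || err2 != nil {
		return Finding{}, fmt.Errorf("baseline: %v %v", err1, err2)
	}
	if base1 != base2 {
		return Finding{Param: param, Reason: "unstable baseline, oracle not applicable"}, nil
	}
	pairs := []struct{ yes, no string }{
		{"' AND '1'='1", "' AND '1'='2"}, // string context
		{" AND 1=1", " AND 1=2"},         // numeric context
	}
	hits := 0
	for _, p := range pairs {
		yes, err1 := fetch(c, base, param, original+p.yes)
		no, err2 := fetch(c, base, param, original+p.no)
		if err1 != nil || err2 != nil {
			return Finding{}, fmt.Errorf("probe: %v %v", err1, err2)
		}
		if yes == base1 && no != base1 {
			hits++
		}
	}
	return Finding{param, float64(hits) / float64(len(pairs)), fmt.Sprintf("%d/%d TRUE/FALSE pairs diverged", hits, len(pairs))}, nil
}

// NewMockTarget is a constructed stand-in, not a real site: /item?id= emulates
// an unparameterised lookup (q is ignored) and /counter changes on every
// request, which trips the unstable-baseline guard.
func NewMockTarget() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/item", func(w http.ResponseWriter, r *http.Request) {
		id := r.URL.Query().Get("id")
		injectedFalse := strings.Contains(id, "'1'='2") || strings.Contains(id, "1=2")
		if strings.HasPrefix(id, "1") && !injectedFalse {
			fmt.Fprint(w, "<h1>Widget</h1><p>In stock</p>")
			return
		}
		fmt.Fprint(w, "<p>No such item</p>")
	})
	visits := 0
	mux.HandleFunc("/counter", func(w http.ResponseWriter, r *http.Request) { visits++; fmt.Fprintf(w, "<p>visit %d</p>", visits) })
	return httptest.NewServer(mux)
}

func main() {
	srv := NewMockTarget()
	defer srv.Close()
	for _, tc := range [][3]string{{"/item?id=1&q=x", "id", "1"}, {"/item?id=1&q=x", "q", "x"}, {"/counter", "id", "1"}} {
		f, err := BooleanProbe(srv.Client(), srv.URL+tc[0], tc[1], tc[2])
		fmt.Printf("%-15s %-3s confidence=%.2f reason=%q err=%v\n", tc[0], f.Param, f.Confidence, f.Reason, err)
	}
}
```

Against the mock, the id parameter scores 1.0 (both pairs diverge), q scores 0.0 (nothing changes), and /counter is rejected as unstable rather than reported as a finding. The same skeleton carries over to time-based oracles by comparing response latency instead of body text.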

Discovery Pipeline

Subdomain → URL → endpoint → vulnerability

PenHunter orchestrates a recon stack of external tools:

Subdomain enumeration:

  • subfinder, assetfinder: passive discovery
  • amass (optional): active + passive

HTTP probing & URL discovery:

  • httpx: live host probing
  • urlfinder, katana, gospider: crawler-based URL collection
  • gau, gauplus, waybackurls: Wayback Machine harvesting

Endpoint extraction:

  • cariddi, getJS: JS endpoint mining
  • PenHunter native parsing: built-in JS extractor

Vulnerability scanning:

  • dalfox, sqlmap, nuclei: external engines orchestrated through PenHunter

πŸ” Vulnerability Classes

Seven vulnerability classes, comprehensive coverage
Class Detection Methods Default Engine
πŸ”‘ XSS Reflected, stored, DOM Native + dalfox
🎫 SQLi Boolean, time, error, union Native + sqlmap
πŸ”₯ LFI Path traversal, wrapper, log poisoning Native
πŸ“‹ SSRF Internal, cloud metadata, gopher, file Native + OOB
πŸ›‘οΈ RCE Command injection, template injection Native + nuclei
πŸ”— Open Redirect Header, parameter, JS-based Native
πŸ“Š CSRF Missing token, weak token, predictable Native
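The CSRF row lists three token checks: missing, weak, predictable. As an added example that is not part of PenHunter, the Go program below implements one way to run them: the form is fetched twice with no cookie jar, so the two requests look like unrelated clients, and the token is graded missing (absent or empty), static (the same value handed to both clients, so an attacker can embed it in a forged form), weak (short or low-entropy, so guessable) or ok. AssessCSRF, shannon, NewMockForms and the four mock forms are constructed for this illustration; the 16-character minimum and the 3.0 bits-per-character entropy floor are illustrative thresholds, not the project's.

```go
package main

import (
	"fmt"
	"io"
	"math"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// TokenVerdict grades the anti-CSRF token found (or not found) in a form.
type TokenVerdict struct {
	Status  string  // "missing", "static", "weak" or "ok"
	Token   string
	Entropy float64 // Shannon entropy of Token, bits per character
}

// tokenInput matches a hidden input whose name looks like a CSRF token. A
// regexp is enough for this example; a real scanner would walk the DOM.
var tokenInput = regexp.MustCompile(`(?is)<input[^>]*name="(?:[^"]*csrf[^"]*|_token|authenticity_token)"[^>]*value="([^"]*)"`)

// shannon returns the entropy of s in bits per character.
func shannon(s string) float64 {
	counts := map[rune]float64{}
	for _, r := range s {
		counts[r]++
	}
	h, n := 0.0, float64(len([]rune(s)))
	for _, c := range counts {
		h -= c / n * math.Log2(c/n)
	}
	return h
}

func getBody(c *http.Client, u string) (string, error) {
	resp, err := c.Get(u)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// AssessCSRF fetches the form twice with no cookie jar, so the two requests
// look like unrelated clients. The token is "missing" when absent or empty,
// "static" when both clients receive the same value, "weak" when short or low-entropy.
func AssessCSRF(c *http.Client, u string) (TokenVerdict, error) {
	var tokens []string
	for i := 0; i < 2; i++ {
		body, err := getBody(c, u)
		if err != nil {
			return TokenVerdict{}, err
		}
		m := tokenInput.FindStringSubmatch(body)
		if m == nil || m[1] == "" {
			return TokenVerdict{Status: "missing"}, nil
		}
		tokens = append(tokens, m[1])
	}
	v := TokenVerdict{Token: tokens[0], Entropy: shannon(tokens[0])}
	switch {
	case tokens[0] == tokens[1]:
		v.Status = "static"
	case len(tokens[0]) < 16 || v.Entropy < 3.0:
		v.Status = "weak"
	default:
		v.Status = "ok"
	}
	return v, nil
}

// NewMockForms is a constructed stand-in for a target, not a real site. The "/ok"
// token alternates between two fixed 32-hex values so the run is deterministic.
func NewMockForms() *httptest.Server {
	mux := http.NewServeMux()
	n := 0
	serve := func(path string, token func() string) {
		mux.HandleFunc(path, func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprint(w, `<form method="post" action="/transfer"><input type="hidden" name="csrf_token" value="`+token()+`"><input name="amount"></form>`)
		})
	}
	serve("/none", func() string { return "" })
	serve("/static", func() string { return "8f14e45fceea167a5a36dedd4bea2543" })
	serve("/weak", func() string { n++; return fmt.Sprintf("%04d", n) })
	serve("/ok", func() string { n++; return []string{"0123456789abcdeffedcba9876543210", "fedcba98765432100123456789abcdef"}[n%2] })
	return httptest.NewServer(mux)
}

func main() {
	srv := NewMockForms()
	defer srv.Close()
	for _, p := range []string{"/none", "/static", "/weak", "/ok"} {
		v, err := AssessCSRF(srv.Client(), srv.URL+p)
		fmt.Printf("%-8s %-8s token=%q entropy=%.2f err=%v\n", p, v.Status, v.Token, v.Entropy, err)
	}
}
```

The two-client comparison is what separates "predictable" from "present": a token that passes the length and entropy checks but is the same for every visitor is still forgeable. A real check would additionally submit the form without the token to confirm the server enforces it.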

HTTP & Networking

Production-grade HTTP layer for scale and stealth
  • Custom Headers (-H): Repeatable headers for authenticated scans
  • Cookie Support (-c): Session cookies for protected resources
  • User-Agent Rotation: Built-in UA rotation for evasion
  • Rate Limiting (-R): Configurable request pacing
  • Timeouts: Per-request timeout control
  • Retry Logic: Exponential backoff on failures
  • Proxy Support (-p): Burp Suite and other intercepting proxies
  • TLS Bypass (-k): Optional certificate verification skip for lab targets with self-signed certificates. Leave it off elsewhere: with verification disabled, anything on the path can impersonate the target and read the cookies and bearer tokens supplied with -c and -H.
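To make the rate limiting, backoff, proxy and TLS-skip options above concrete, here is a minimal Go client that combines them (an added example, not PenHunter's HTTP layer). Options, Client, NewFlakyServer and the in-process server that answers 503 twice before returning 200 are constructed for this illustration; the -R, -p and -k comments only map fields to the flags listed above.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"math/rand"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"time"
)

// Options mirrors the knobs the scanner exposes: pacing, retries, proxy, TLS.
type Options struct {
	Delay      time.Duration // minimum gap between requests (-R)
	MaxRetries int           // retries after the first attempt
	Backoff    time.Duration // first retry wait, doubled on each later attempt
	Timeout    time.Duration // per-request timeout
	ProxyURL   string        // e.g. http://127.0.0.1:8080 for Burp (-p)
	SkipTLS    bool          // lab use only: disables certificate verification (-k)
}

type Client struct {
	hc   *http.Client
	opts Options
	mu   sync.Mutex
	last time.Time
	Sent int // requests actually put on the wire, retries included
}

func NewClient(o Options) (*Client, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: o.SkipTLS}}
	if o.ProxyURL != "" {
		pu, err := url.Parse(o.ProxyURL)
		if err != nil {
			return nil, err
		}
		tr.Proxy = http.ProxyURL(pu)
	}
	return &Client{hc: &http.Client{Transport: tr, Timeout: o.Timeout}, opts: o}, nil
}

// pace blocks until opts.Delay has elapsed since the previous request; the
// mutex serialises callers so the configured rate holds across threads.
func (c *Client) pace() {
	c.mu.Lock()
	defer c.mu.Unlock()
	if wait := c.opts.Delay - time.Since(c.last); wait > 0 {
		time.Sleep(wait)
	}
	c.last = time.Now()
	c.Sent++
}

// Do sends req, retrying network errors, 429 and 5xx with exponential backoff
// plus jitter; other 4xx are final. Only bodiless requests (GET, HEAD) are
// safe to replay like this; a POST would need req.GetBody to rewind its body.
func (c *Client) Do(req *http.Request) (resp *http.Response, err error) {
	for attempt := 0; attempt <= c.opts.MaxRetries; attempt++ {
		if attempt > 0 {
			time.Sleep(c.opts.Backoff<<(attempt-1) + time.Duration(rand.Int63n(int64(c.opts.Backoff)+1)))
		}
		c.pace()
		if resp, err = c.hc.Do(req); err == nil && resp.StatusCode != http.StatusTooManyRequests && resp.StatusCode < 500 {
			return resp, nil
		}
		if err == nil {
			err = fmt.Errorf("HTTP %d", resp.StatusCode)
			resp.Body.Close()
		}
	}
	return nil, fmt.Errorf("%s: giving up after %d attempts: %w", req.URL, c.opts.MaxRetries+1, err)
}

// NewFlakyServer is a constructed stand-in for a target that answers 503 to the
// first failures requests and 200 afterwards (requests arrive one at a time).
func NewFlakyServer(failures int) *httptest.Server {
	seen := 0
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if seen++; seen <= failures {
			http.Error(w, "overloaded", http.StatusServiceUnavailable)
			return
		}
		fmt.Fprint(w, "ok")
	}))
}

func main() {
	srv := NewFlakyServer(2)
	defer srv.Close()
	c, _ := NewClient(Options{Delay: 50 * time.Millisecond, MaxRetries: 3, Backoff: 20 * time.Millisecond, Timeout: 5 * time.Second})
	req, _ := http.NewRequest(http.MethodGet, srv.URL, nil)
	resp, err := c.Do(req)
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	fmt.Printf("status=%d sent=%d\n", resp.StatusCode, c.Sent)
}
```

Against the mock the third attempt succeeds, so Sent is 3 and the three requests are spaced at least Delay apart. Note that a 403 from a WAF is deliberately not retried: hammering a blocked request only burns the IP faster, so that decision belongs to the evasion logic, not the transport.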

Output & Reporting

Three file formats plus console output, in an organized result hierarchy
  • Console: Color-coded terminal output with severity highlighting
  • TXT: Plain text logs for scripting
  • JSON: Structured output for automation pipelines
  • HTML: Self-contained reports for stakeholder review

Installation

Go Install (Recommended)

go install -v github.com/cc1a2b/PenHunter/cmd/penhunter@latest
penhunter --help

Note: go install ships only the binary. To get the bundled config/ (payloads, encoders, user callbacks), clone the repo or use make install.

Build from Source

git clone https://github.com/cc1a2b/PenHunter.git
cd PenHunter
make build
make install                # installs to $HOME/penhunter/

Add to PATH

# Linux/macOS
export PATH="$HOME/penhunter/bin:$PATH"

# Or symlink
sudo ln -sf "$HOME/penhunter/bin/penhunter" /usr/local/bin/penhunter

From Releases

Download the latest release from GitHub Releases and extract to your $HOME/penhunter/ directory.

System Requirements

  • Go 1.21+ (for building from source)
  • Linux, macOS, or Windows (64-bit)
  • External recon tools (optional but recommended): subfinder, assetfinder, httpx, katana, gau, dalfox, sqlmap, nuclei

Quick Start

Interactive mode

penhunter

Launches the menu where you choose between single-domain or subdomain scanning, vulnerability classes, and engines.

Single URL scan

penhunter -u https://example.com -v xss,sqli

Multi-URL scan with JSON output

penhunter -l urls.txt -v xss -t 50 --json results.json

Update PenHunter

penhunter --update

Usage Examples

# Test single URL for XSS + SQLi
penhunter -u https://example.com -v xss,sqli

# Multi-URL scan with custom thread count
penhunter -l urls.txt -v xss -t 50 --json results.json

# Full vulnerability sweep
penhunter -u https://target.com -v xss,sqli,lfi,ssrf,rce,redirect,csrf -t 30

# Stealth scan through Burp Suite
penhunter -u https://target.com -v xss --proxy http://127.0.0.1:8080 -R 1000

# Authenticated scan with cookies and headers
penhunter -u https://target.com -v xss,sqli \
  -c "session=abc123" \
  -H "Authorization: Bearer eyJ..."

# Check installed external tools
penhunter --check-tools

# Check for updates
penhunter --check-update

πŸ–ΌοΈ Screenshots

PenHunter β€” LFI detection

LFI vulnerability scan β€” path traversal detection with confirmed payload.



PenHunter β€” XSS detection

XSS vulnerability scan β€” reflected payload confirmed in response.


Command Reference

Usage:
  penhunter [flags]

Modes:
  (no args)                       Launch interactive menu
  -u, --url URL                   Test a single URL
  -l, --list FILE                 Test URLs from a file
  -v, --vulns LIST                Comma-separated vulns
                                  (xss, sqli, lfi, ssrf, rce, redirect, csrf)

HTTP & Performance:
  -t, --threads INT               Concurrent threads (default: 10)
  -H, --header "K: V"             Custom HTTP headers (repeatable)
  -c, --cookies STR               Session cookies
  -p, --proxy URL                 HTTP/HTTPS/SOCKS proxy
  -k, --skip-tls                  Skip TLS verification
  -R, --rate-limit MS             Request delay (milliseconds)

Output:
  -o, --output FILE               Output file
  --json FILE                     Structured JSON output
  --html FILE                     HTML report

Maintenance:
  --update                        Update PenHunter to latest
  --check-update                  Check if a new version is available
  --check-tools                   Verify external tools are installed
  -h, --help                      Show help
  -V, --version                   Show version

Advanced Usage

Bug Bounty Workflow

# 1. Subdomain enumeration → URL collection → vuln scan
subfinder -d target.com | httpx | tee live.txt
gau < live.txt | tee urls.txt
penhunter -l urls.txt -v xss,sqli,redirect -t 30 --json findings.json

CI / Continuous Scanning

penhunter -l production-urls.txt -v xss,sqli \
  --json "scan-$(date +%F).json" \
  -R 2000 \
  --proxy http://internal-proxy:8080

WAF Evasion Scan

# Spoofed client-IP headers only help when the WAF or application trusts
# X-Forwarded-For / X-Real-IP supplied by the client; -R spaces requests out
# so rate-based blocking is less likely to trigger.
penhunter -u https://target.com -v xss \
  -H "X-Forwarded-For: 1.1.1.1" \
  -H "X-Real-IP: 1.1.1.1" \
  -R 1500

Contributing

Contributions welcome from the security community.

  • πŸ› Report bugs via GitHub Issues
  • πŸ’‘ Suggest features or new vulnerability classes
  • πŸ“ Improve documentation
  • πŸ”§ Submit pull requests with new payloads, detectors, or integrations

Development Setup

git clone https://github.com/cc1a2b/PenHunter.git
cd PenHunter
go mod tidy
make build

License

PenHunter is released under the MIT License. See LICENSE for details.

Copyright (c) 2024-2026 Hussain Alsharman
Licensed under the MIT License; free for commercial and personal use

Support

If PenHunter helps with your security research:

Buy Me A Coffee

Star this repo • Follow @cc1a2b • Share with the security community


πŸ” PenHunter β€” Modular Web Vulnerability Scanner

Built with ❀️ by cc1a2b for the security community
