Skip to content

List of Modules

Module Type Needs API Key Description Flags Consumed Events Produced Events
ajaxpro scan No Check for potentially vulnerable Ajaxpro instances active, safe, web-thorough HTTP_RESPONSE, URL FINDING, VULNERABILITY
baddns scan No Check hosts for domain/subdomain takeovers active, baddns, cloud-enum, safe, subdomain-hijack, web-basic DNS_NAME, DNS_NAME_UNRESOLVED FINDING, VULNERABILITY
baddns_zone scan No Check hosts for DNS zone transfers and NSEC walks active, baddns, cloud-enum, safe, subdomain-enum DNS_NAME FINDING, VULNERABILITY
badsecrets scan No Library for detecting known or weak secrets across many web frameworks active, safe, web-basic, web-thorough HTTP_RESPONSE FINDING, TECHNOLOGY, VULNERABILITY
bucket_amazon scan No Check for S3 buckets related to target active, cloud-enum, safe, web-basic, web-thorough DNS_NAME, STORAGE_BUCKET FINDING, STORAGE_BUCKET
bucket_azure scan No Check for Azure storage blobs related to target active, cloud-enum, safe, web-basic, web-thorough DNS_NAME, STORAGE_BUCKET FINDING, STORAGE_BUCKET
bucket_digitalocean scan No Check for DigitalOcean spaces related to target active, cloud-enum, safe, slow, web-thorough DNS_NAME, STORAGE_BUCKET FINDING, STORAGE_BUCKET
bucket_firebase scan No Check for open Firebase databases related to target active, cloud-enum, safe, web-basic, web-thorough DNS_NAME, STORAGE_BUCKET FINDING, STORAGE_BUCKET
bucket_google scan No Check for Google object storage related to target active, cloud-enum, safe, web-basic, web-thorough DNS_NAME, STORAGE_BUCKET FINDING, STORAGE_BUCKET
bypass403 scan No Check 403 pages for common bypasses active, aggressive, web-thorough URL FINDING
dastardly scan No Lightweight web application security scanner active, aggressive, deadly, slow, web-thorough HTTP_RESPONSE FINDING, VULNERABILITY
dotnetnuke scan No Scan for critical DotNetNuke (DNN) vulnerabilities active, aggressive, web-thorough HTTP_RESPONSE TECHNOLOGY, VULNERABILITY
ffuf scan No A fast web fuzzer written in Go active, aggressive, deadly URL URL_UNVERIFIED
ffuf_shortnames scan No Use ffuf in combination IIS shortnames active, aggressive, iis-shortnames, web-thorough URL_HINT URL_UNVERIFIED
filedownload scan No Download common filetypes such as PDF, DOCX, PPTX, etc. active, safe, web-basic, web-thorough HTTP_RESPONSE, URL_UNVERIFIED
fingerprintx scan No Fingerprint exposed services like RDP, SSH, MySQL, etc. active, safe, service-enum, slow OPEN_TCP_PORT PROTOCOL
generic_ssrf scan No Check for generic SSRFs active, aggressive, web-thorough URL VULNERABILITY
git scan No Check for exposed .git repositories active, safe, web-basic, web-thorough URL FINDING
gowitness scan No Take screenshots of webpages active, safe, web-screenshots SOCIAL, URL TECHNOLOGY, URL, URL_UNVERIFIED, WEBSCREENSHOT
host_header scan No Try common HTTP Host header spoofing techniques active, aggressive, web-thorough HTTP_RESPONSE FINDING
httpx scan No Visit webpages. Many other modules rely on httpx active, cloud-enum, safe, social-enum, subdomain-enum, web-basic, web-thorough OPEN_TCP_PORT, URL, URL_UNVERIFIED HTTP_RESPONSE, URL
hunt scan No Watch for commonly-exploitable HTTP parameters active, safe, web-thorough HTTP_RESPONSE FINDING
iis_shortnames scan No Check for IIS shortname vulnerability active, iis-shortnames, safe, web-basic, web-thorough URL URL_HINT
masscan scan No Port scan with masscan. By default, scans top 100 ports. active, aggressive, portscan IP_ADDRESS, IP_RANGE OPEN_TCP_PORT
newsletters scan No Searches for Newsletter Submission Entry Fields on Websites active, safe HTTP_RESPONSE FINDING
nmap scan No Port scan with nmap. By default, scans top 100 ports. active, aggressive, portscan, web-thorough DNS_NAME, IP_ADDRESS, IP_RANGE OPEN_TCP_PORT
ntlm scan No Watch for HTTP endpoints that support NTLM authentication active, safe, web-basic, web-thorough HTTP_RESPONSE, URL DNS_NAME, FINDING
nuclei scan No Fast and customisable vulnerability scanner active, aggressive, deadly URL FINDING, VULNERABILITY
oauth scan No Enumerate OAUTH and OpenID Connect services active, affiliates, cloud-enum, safe, subdomain-enum, web-basic, web-thorough DNS_NAME, URL_UNVERIFIED DNS_NAME
paramminer_cookies scan No Smart brute-force to check for common HTTP cookie parameters active, aggressive, slow, web-paramminer HTTP_RESPONSE FINDING
paramminer_getparams scan No Use smart brute-force to check for common HTTP GET parameters active, aggressive, slow, web-paramminer HTTP_RESPONSE FINDING
paramminer_headers scan No Use smart brute-force to check for common HTTP header parameters active, aggressive, slow, web-paramminer HTTP_RESPONSE FINDING
robots scan No Look for and parse robots.txt active, safe, web-basic, web-thorough URL URL_UNVERIFIED
secretsdb scan No Detect common secrets with secrets-patterns-db active, safe, web-basic, web-thorough HTTP_RESPONSE FINDING
smuggler scan No Check for HTTP smuggling active, aggressive, slow, web-thorough URL FINDING
sslcert scan No Visit open ports and retrieve SSL certificates active, affiliates, email-enum, safe, subdomain-enum, web-basic, web-thorough OPEN_TCP_PORT DNS_NAME, EMAIL_ADDRESS
telerik scan No Scan for critical Telerik vulnerabilities active, aggressive, web-thorough HTTP_RESPONSE, URL FINDING, VULNERABILITY
url_manipulation scan No Attempt to identify URL parsing/routing based vulnerabilities active, aggressive, web-thorough URL FINDING
vhost scan No Fuzz for virtual hosts active, aggressive, deadly, slow URL DNS_NAME, VHOST
wafw00f scan No Web Application Firewall Fingerprinting Tool active, aggressive URL WAF
wappalyzer scan No Extract technologies from web responses active, safe, web-basic, web-thorough HTTP_RESPONSE TECHNOLOGY
affiliates scan No Summarize affiliate domains at the end of a scan affiliates, passive, report, safe *
anubisdb scan No Query jldc.me's database for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
asn scan No Query ripe and bgpview.io for ASNs passive, report, safe, subdomain-enum IP_ADDRESS ASN
azure_realm scan No Retrieves the "AuthURL" from login.microsoftonline.com/getuserrealm affiliates, cloud-enum, passive, safe, subdomain-enum, web-basic, web-thorough DNS_NAME URL_UNVERIFIED
azure_tenant scan No Query Azure for tenant sister domains affiliates, cloud-enum, passive, safe, subdomain-enum DNS_NAME DNS_NAME
bevigil scan Yes Retrieve OSINT data from mobile applications using BeVigil passive, safe, subdomain-enum DNS_NAME DNS_NAME, URL_UNVERIFIED
binaryedge scan Yes Query the BinaryEdge API passive, safe, subdomain-enum DNS_NAME DNS_NAME
bucket_file_enum scan No Works in conjunction with the filedownload module to download files from open storage buckets. Currently supported cloud providers: AWS cloud-enum, passive, safe STORAGE_BUCKET URL_UNVERIFIED
builtwith scan Yes Query Builtwith.com for subdomains affiliates, passive, safe, subdomain-enum DNS_NAME DNS_NAME
c99 scan Yes Query the C99 API for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
censys scan Yes Query the Censys API passive, safe, subdomain-enum DNS_NAME DNS_NAME
certspotter scan No Query Certspotter's API for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
chaos scan Yes Query ProjectDiscovery's Chaos API for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
columbus scan No Query the Columbus Project API for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
credshed scan Yes Send queries to your own credshed server to check for known credentials of your targets passive, safe DNS_NAME EMAIL_ADDRESS, HASHED_PASSWORD, PASSWORD, USERNAME
crobat scan No Query Project Crobat for subdomains passive, safe DNS_NAME DNS_NAME
crt scan No Query crt.sh (certificate transparency) for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
dehashed scan Yes Execute queries against dehashed.com for exposed credentials email-enum, passive, safe DNS_NAME HASHED_PASSWORD, PASSWORD, USERNAME
digitorus scan No Query certificatedetails.com for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
dnscommonsrv scan No Check for common SRV records passive, safe, subdomain-enum DNS_NAME DNS_NAME
dnsdumpster scan No Query dnsdumpster for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
emailformat scan No Query email-format.com for email addresses email-enum, passive, safe DNS_NAME EMAIL_ADDRESS
fullhunt scan Yes Query the fullhunt.io API for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
github_codesearch scan Yes Query Github's API for code containing the target domain name passive, safe, subdomain-enum DNS_NAME CODE_REPOSITORY, URL_UNVERIFIED
github_org scan No Query Github's API for organization and member repositories passive, safe, subdomain-enum ORG_STUB, SOCIAL CODE_REPOSITORY
hackertarget scan No Query the hackertarget.com API for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
hunterio scan Yes Query hunter.io for emails email-enum, passive, safe, subdomain-enum DNS_NAME DNS_NAME, EMAIL_ADDRESS, URL_UNVERIFIED
internetdb scan No Query Shodan's InternetDB for open ports, hostnames, technologies, and vulnerabilities passive, portscan, safe, subdomain-enum DNS_NAME, IP_ADDRESS DNS_NAME, FINDING, OPEN_TCP_PORT, TECHNOLOGY, VULNERABILITY
ip2location scan Yes Query IP2location.io's API for geolocation information. passive, safe IP_ADDRESS GEOLOCATION
ipneighbor scan No Look beside IPs in their surrounding subnet aggressive, passive, subdomain-enum IP_ADDRESS IP_ADDRESS
ipstack scan Yes Query IPStack's GeoIP API passive, safe IP_ADDRESS GEOLOCATION
leakix scan No Query leakix.net for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
massdns scan No Brute-force subdomains with massdns (highly effective) aggressive, passive, subdomain-enum DNS_NAME DNS_NAME
myssl scan No Query myssl.com's API for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
otx scan No Query otx.alienvault.com for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
passivetotal scan Yes Query the PassiveTotal API for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
pgp scan No Query common PGP servers for email addresses email-enum, passive, safe DNS_NAME EMAIL_ADDRESS
postman scan No Query Postman's API for related workspaces, collections, requests passive, safe, subdomain-enum DNS_NAME URL_UNVERIFIED
rapiddns scan No Query rapiddns.io for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
riddler scan No Query riddler.io for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
securitytrails scan Yes Query the SecurityTrails API for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
shodan_dns scan Yes Query Shodan for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
sitedossier scan No Query sitedossier.com for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
skymem scan No Query skymem.info for email addresses email-enum, passive, safe DNS_NAME EMAIL_ADDRESS
social scan No Look for social media links in webpages passive, safe, social-enum URL_UNVERIFIED SOCIAL
subdomaincenter scan No Query subdomain.center's API for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
sublist3r scan No Query sublist3r's API for subdomains passive, safe DNS_NAME DNS_NAME
threatminer scan No Query threatminer's API for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
urlscan scan No Query urlscan.io for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME, URL_UNVERIFIED
viewdns scan No Query viewdns.info's reverse whois for related domains affiliates, passive, safe DNS_NAME DNS_NAME
virustotal scan Yes Query VirusTotal's API for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME
wayback scan No Query archive.org's API for subdomains passive, safe, subdomain-enum DNS_NAME DNS_NAME, URL_UNVERIFIED
zoomeye scan Yes Query ZoomEye's API for subdomains affiliates, passive, safe, subdomain-enum DNS_NAME DNS_NAME
asset_inventory output No Merge hosts, open ports, technologies, findings, etc. into a single asset inventory CSV DNS_NAME, FINDING, HTTP_RESPONSE, IP_ADDRESS, OPEN_TCP_PORT, TECHNOLOGY, URL, VULNERABILITY, WAF IP_ADDRESS, OPEN_TCP_PORT
csv output No Output to CSV *
discord output No Message a Discord channel when certain events are encountered *
emails output No Output any email addresses found belonging to the target domain email-enum EMAIL_ADDRESS
http output No Send every event to a custom URL via a web request *
human output No Output to text *
json output No Output to Newline-Delimited JSON (NDJSON) *
neo4j output No Output to Neo4j *
python output No Output via Python API *
slack output No Message a Slack channel when certain events are encountered *
splunk output No Send every event to a splunk instance through HTTP Event Collector *
subdomains output No Output only resolved, in-scope subdomains subdomain-enum DNS_NAME, DNS_NAME_UNRESOLVED
teams output No Message a Teams channel when certain events are encountered *
web_report output No Create a markdown report with web assets FINDING, TECHNOLOGY, URL, VHOST, VULNERABILITY
websocket output No Output to websockets *
aggregate internal No Summarize statistics at the end of a scan passive, safe
excavate internal No Passively extract juicy tidbits from scan data passive HTTP_RESPONSE URL_UNVERIFIED
speculate internal No Derive certain event types from others by common sense passive AZURE_TENANT, DNS_NAME, DNS_NAME_UNRESOLVED, HTTP_RESPONSE, IP_ADDRESS, IP_RANGE, SOCIAL, STORAGE_BUCKET, URL, URL_UNVERIFIED, USERNAME DNS_NAME, FINDING, IP_ADDRESS, OPEN_TCP_PORT, ORG_STUB

For a list of module config options, see Module Options.