🥷
// 01 · ReconNinja
RECONNINJA

51-phase automated reconnaissance framework for authorized security testing. One command drives the full pipeline — passive recon through cloud bucket enumeration, protocol-level exposure scanning, web vuln probing, AI consensus threat analysis, and a local desktop GUI.

v8.2.1 · Python 3.10+ · 597+ Tests · MIT · PyPI · GUI
Authorized use only. Only scan targets you own or have explicit written permission to test. Unauthorized scanning is illegal.

Installation

bash
# Standard
pip install ReconNinja

# With AI providers (Groq, Gemini, OpenAI)
pip install "ReconNinja[ai]"

# With DNS zone transfer support
pip install "ReconNinja[dns]"

# v7 extras — LDAP, SNMP, ASN mapping
pip install "ReconNinja[v7]"

# Full — AI + Shodan + dnspython + v7 extras
pip install "ReconNinja[full]"

# From source (always latest)
pip install git+https://github.com/ExploitCraft/ReconNinja.git

# From source with install script
git clone https://github.com/ExploitCraft/ReconNinja.git
cd ReconNinja && chmod +x install.sh && ./install.sh

| Extra | Includes |
|---|---|
| ai | groq, google-generativeai, openai |
| shodan | shodan |
| dns | dnspython — required for zone transfer |
| v7 | ipwhois, ldap3, pysnmp — required for v7 protocol modules |
| full | All of the above |

Quick Start

bash
# Interactive guided setup
ReconNinja

# Standard scan
ReconNinja -t example.com

# Full 51-phase pipeline
ReconNinja -t example.com --profile full_suite -y

# v8 web attack modules
ReconNinja -t example.com \
  --api-fuzz --oauth-scan \
  --web-vulns --open-redirect -y

# v8 OSINT + mobile + blockchain
ReconNinja -t example.com \
  --linkedin --paste-monitor \
  --se-osint --anon-detect \
  --web3-scan --ens-lookup -y

# APK static analysis
ReconNinja --apk-scan /path/to/app.apk

# v8 AI upgrades — consensus + attack paths
ReconNinja -t example.com \
  --ai --ai-consensus --attack-paths \
  --ai-remediate --ai-key YOUR_KEY -y

# Push findings to Jira
ReconNinja -t example.com \
  --jira https://jira.example.com:user@example.com:TOKEN:SEC -y

# Launch desktop GUI
ReconNinja --gui

# Resume interrupted scan
ReconNinja --resume reports/example.com_20260501/state.json

51-Phase Pipeline

Each phase feeds its results into the next. Seven phases were added in v6 (★), 17 in v7 (◈) and 13 in v8 (✦). Every phase checkpoints to state.json, so an interrupted scan can be resumed with --resume.

| Phase | Module | What it does |
|---|---|---|
| 1 | Passive Recon | Subdomain enumeration via amass, subfinder, crt.sh |
| 2 | RustScan | Ultra-fast port discovery across all 65,535 ports (BUG-FIX v6: ports now persisted) |
| 2b | Async TCP | Pure-Python asyncio fallback — no root required |
| 3 | Masscan | Optional SYN sweep (root required) |
| 4 | Nmap | Deep service / version / script analysis on confirmed-open ports |
| 4b | CVE Lookup | NVD API CVE matching on detected service versions |
| 5 | httpx | Live web detection + technology fingerprinting |
| 5b ★ | WAF Detection | 20 WAF signatures — passive header fingerprinting + wafw00f. --waf |
| 5c ★ | CORS Scanner | Crafted Origin probes — arbitrary reflection, null origin, wildcard+credentials. --cors |
| 6 | Directory Scan | feroxbuster → ffuf → dirsearch fallback chain |
| 6b ★ | JS Extraction | Download JS, extract API endpoints + secrets. --js-extract |
| 7–9 | WhatWeb · Nikto · Nuclei | Technology fingerprinting, web vulnerabilities, template-based detection |
| 10 | Screenshots | aquatone → gowitness fallback (BUG-FIX v6: now receives full URLs) |
| 11 | AI Analysis | Groq / Ollama / Gemini / OpenAI. Rule-based fallback fixed in v6. --ai |
| 12 | Intelligence | WHOIS · Wayback · SSL · VirusTotal · Shodan |
| 13a ★ | GitHub OSINT | Search public GitHub for exposed secrets and config files. --github-osint |
| 13b ★ | Cloud Buckets | AWS S3, Azure Blob, GCS public bucket enumeration. --cloud-buckets |
| 13c ★ | DNS Zone Transfer | AXFR against all nameservers. Saves leaked zone. --dns-zone |
| 14a ◈ | Email Security | SPF/DKIM/DMARC validation + spoofability score 0–100. --email-security |
| 14b ◈ | Breach Check | HaveIBeenPwned domain + email breach lookup. --breach-check |
| 14c ◈ | Cloud Metadata SSRF | AWS IMDSv1/v2, Azure IMDS, GCP metadata endpoint probe. --cloud-meta |
| 14d ◈ | GraphQL Scanner | Endpoint discovery, introspection, batching DoS, field suggestion. --graphql |
| 14e ◈ | JWT Scanner | none-algorithm bypass + weak HMAC secret cracker. --jwt-scan |
| 14f ◈ | ASN / BGP Mapping | BGP/ASN → all owned IP CIDRs via RIPE Stat API. --asn-map |
| 14g ◈ | Supply Chain | Outdated jQuery/Angular/Lodash/polyfill.io + npm package squatting. --supply-chain |
| 14h ◈ | Kubernetes / Docker Probe | Unauthenticated K8s API server + Docker socket detection. --k8s-probe |
| 14i ◈ | Database Exposure | Unauthenticated Elasticsearch, Redis, MongoDB, Memcached. --db-exposure |
| 14j ◈ | SMTP Enumeration | User enumeration via VRFY/EXPN/RCPT TO. --smtp-enum |
| 14k ◈ | SNMP Scan | Community string brute-force + MIB walk. --snmp-scan |
| 14l ◈ | LDAP Enumeration | Anonymous bind, user/group/attribute dump. --ldap-enum |
| 14m ◈ | DevOps Scan | Terraform state file exposure + Jenkins anon access / RCE check. --devops-scan |
| 14n ◈ | GreyNoise Lookup | IP tagging: noise / RIOT / unknown — filters internet background noise. --greynoise |
| 14o ◈ | Typosquatting | 200+ lookalike domain variants + live DNS resolution. --typosquat |
| 14p ◈ | Censys Intelligence | Host intelligence + DNS history via VirusTotal PDNS. --censys --dns-history |
| 14q ◈ | SARIF Export | SARIF 2.1.0 report for GitHub / VSCode / Azure DevOps. --sarif |
| 15a ✦ | REST API Fuzzer | OpenAPI/Swagger discovery, endpoint enum, IDOR probes, auth-bypass header testing, mass assignment, method confusion. --api-fuzz |
| 15b ✦ | OAuth / OIDC Scanner | Implicit flow, PKCE enforcement, open redirect in redirect_uri, state CSRF, token endpoint CORS, exposed client creds. --oauth-scan |
| 15c ✦ | Web Vuln Probes | Reflected XSS, error-based + time-based SQLi, LFI/path traversal, SSRF (IMDS detection). --web-vulns |
| 15d ✦ | Open Redirect Scanner | 30 common redirect params with bypass-payload variants. --open-redirect |
| 15e ✦ | LinkedIn OSINT | Employee enum via Google dorking, tech stack inference from job postings, high-value target ID. --linkedin |
| 15f ✦ | Paste Monitor | Pastebin / GitHub Gist / paste.ee credential dump scanner — AWS keys, GitHub tokens, OpenAI keys, base64 blobs. --paste-monitor |
| 15g ✦ | SE OSINT | Email address + phone number harvesting from contact pages, Hunter.io, and Google dorking. --se-osint |
| 15h ✦ | APK Static Analysis | Manifest permissions, hardcoded secrets (10 patterns), dangerous APIs, embedded URLs, internal IP exposure. --apk-scan APK_PATH |
| 15i ✦ | App Store Recon | Google Play + Apple App Store metadata scraper — version, permissions, reviews, privacy labels. --app-store |
| 15j ✦ | Anon Detect | Tor exit node, VPN, hosting provider, and proxy IP detection via multiple intelligence feeds. --anon-detect |
| 15k ✦ | DNS Leak Check | DNS rebinding, open resolver detection, internal hostname exposure via DNS leaks. --dns-leak |
| 15l ✦ | Web3 / Blockchain Recon | Smart contract discovery, ABI extraction, on-chain transaction history. --web3-scan |
| 15m ✦ | ENS Lookup | Ethereum Name Service domain resolution + on-chain social profile (avatar, email, GitHub). --ens-lookup |
| 16a ✦ | AI Consensus | Run analysis across multiple AI providers and synthesize a consensus threat report. --ai-consensus |
| 16b ✦ | MITRE ATT&CK Kill-Chain | AI-generated attack path mapping to MITRE ATT&CK tactics and techniques. --attack-paths |
| 16c ✦ | AI Remediation + CVSSv3 | Per-finding remediation guidance with CVSSv3 base score calculation. --ai-remediate |
| 17–18 | Plugins · Reports | Custom plugin execution + HTML / JSON / Markdown / PDF / SARIF report generation + Jira / GitHub Issues / SIEM push |
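Phase 14e checks whether a verifier honours the alg=none header. The following is an added example, not ReconNinja code, that shows the defect from the defender's side: a stdlib-only HS256 issuer, a naive verifier that trusts the token's own alg claim, and a hardened verifier that fixes the algorithm server-side and enforces the RFC 7518 minimum key size. All function names are hypothetical and the key is a constructed demo value.

```python
import base64
import hashlib
import hmac
import json

# Stdlib-only JWT helpers written for this example (hypothetical names; not ReconNinja code).


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a correctly signed HS256 token."""
    head = _segment({"alg": "HS256", "typ": "JWT"})
    body = _segment(payload)
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def unsigned_token(payload: dict) -> str:
    """The alg=none probe: header claims no algorithm, signature segment left empty."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def verify_naive(token: str, secret: bytes):
    """Vulnerable verifier: it lets the untrusted header choose the algorithm."""
    head, body, sig = token.split(".")
    header = json.loads(_b64url_decode(head))
    if header.get("alg") == "none":  # the defect: an unsigned token is accepted as valid
        return json.loads(_b64url_decode(body))
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, _b64url_decode(sig)):
        return json.loads(_b64url_decode(body))
    return None


def verify_hardened(token: str, secret: bytes, allowed_algs=("HS256",)):
    """Fixed verifier: the server fixes algorithm and key size; the header must agree."""
    if len(secret) < 32:  # RFC 7518 section 3.2: HS256 keys must be at least 256 bits
        raise ValueError("HS256 secret shorter than 32 bytes")
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") not in allowed_algs:
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


if __name__ == "__main__":
    key = b"0123456789abcdef0123456789abcdef"  # constructed 32-byte demo key
    forged = unsigned_token({"sub": "alice", "role": "admin"})
    print("naive verifier accepts alg=none:", verify_naive(forged, key) is not None)
    print("hardened verifier accepts alg=none:", verify_hardened(forged, key) is not None)
```

The fix is the allow-list: the verifier never reads the algorithm from the token, so a header saying none (or switching to a different family) is rejected before any signature check. The key-length guard addresses the second half of the phase, weak HMAC secrets: a secret shorter than the hash output is out of spec and is exactly what a dictionary-style cracker recovers.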

v7 New Modules (17 modules)

All v7 modules are enabled by --profile full_suite or individually with their flags. Install ReconNinja[v7] for LDAP, SNMP, and ASN extras.

| Flag | Module | Description |
|---|---|---|
| --email-security | Email Security | SPF/DKIM/DMARC validation with a spoofability score from 0–100. |
| --breach-check [--hibp-key] | Breach Check | HaveIBeenPwned domain + email breach check. Key optional for email-level lookups. |
| --cloud-meta | Cloud Metadata SSRF | Probes AWS IMDSv1/v2, Azure IMDS, and GCP metadata endpoints for SSRF exposure. |
| --graphql | GraphQL Scanner | Discovers endpoints, runs introspection, tests batching DoS, and field suggestion attacks. |
| --jwt-scan | JWT Scanner | Detects none-algorithm bypass and attempts weak HMAC secret cracking. |
| --asn-map | ASN / BGP Mapping | Resolves target ASN via RIPE Stat API, returns all owned IP CIDRs. |
| --supply-chain | Supply Chain | Detects outdated JS libraries (jQuery, Angular, Lodash, polyfill.io) and npm squatting. |
| --k8s-probe | K8s / Docker Probe | Detects unauthenticated Kubernetes API servers and exposed Docker sockets. |
| --db-exposure | Database Exposure | Tests for unauthenticated access to Elasticsearch, Redis, MongoDB, and Memcached. |
| --smtp-enum | SMTP Enumeration | Enumerates valid users via VRFY, EXPN, and RCPT TO commands. |
| --snmp-scan | SNMP Scan | Brute-forces SNMP community strings and performs a MIB walk. Requires ReconNinja[v7]. |
| --ldap-enum | LDAP Enumeration | Anonymous bind attempt, dumps users, groups, and attributes. Requires ReconNinja[v7]. |
| --devops-scan | DevOps Scan | Checks for exposed Terraform state files and Jenkins (anonymous jobs, script console RCE). |
| --greynoise [--greynoise-key] | GreyNoise | Tags IPs as noise / RIOT / unknown to filter out internet background scanners. |
| --typosquat | Typosquatting | Generates 200+ lookalike domain variants and checks which resolve via live DNS. |
| --censys [--censys-id --censys-secret] | Censys Intelligence | Host intelligence lookup via Censys API. |
| --dns-history [--vt-key] | DNS History | Historical DNS resolutions via VirusTotal Passive DNS. Requires VT key. |
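--email-security reduces a domain's SPF and DMARC posture to a 0–100 spoofability score. The block below is an added example, not ReconNinja's implementation: it parses SPF and DMARC TXT records for a domain and scores them with weights chosen for this example. The DNS answers are a constructed in-memory table (the three .example domains are hypothetical), and the function names are this example's own. DKIM is deliberately left out because it cannot be checked without knowing a selector.

```python
import re

# Constructed TXT answers for three hypothetical domains (not live DNS; not ReconNinja data).
# none.example is intentionally absent: it has neither an SPF nor a DMARC record.
DNS_TXT = {
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def lookup_txt(name: str) -> list:
    """Stand-in for a DNS TXT query against the constructed table above."""
    return DNS_TXT.get(name.lower(), [])


def parse_spf(records: list) -> dict:
    for rec in records:
        if not rec.lower().startswith("v=spf1"):
            continue
        terms = rec.split()
        all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
        qualifier = None
        if all_term is not None:
            qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        lookups = sum(1 for t in terms if SPF_LOOKUP_TERM.match(t))
        return {"present": True, "all": qualifier, "lookups": lookups}
    return {"present": False, "all": None, "lookups": 0}


def parse_dmarc(records: list) -> dict:
    for rec in records:
        tags = {}
        for item in rec.split(";"):
            if "=" in item:
                key, value = item.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() != "DMARC1":
            continue
        return {"present": True, "p": tags.get("p", "none").lower(),
                "pct": int(tags.get("pct", "100")), "rua": "rua" in tags}
    return {"present": False, "p": None, "pct": None, "rua": False}


def spoofability_score(domain: str):
    """Hypothetical 0-100 score (higher = easier to spoof). Weights are this example's own."""
    spf = parse_spf(lookup_txt(domain))
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}"))
    score, reasons = 0, []
    if not spf["present"]:
        score += 40
        reasons.append("no SPF record")
    elif spf["all"] in (None, "+"):
        score += 35
        reasons.append("SPF has no restrictive all mechanism")
    elif spf["all"] == "?":
        score += 30
        reasons.append("SPF neutral (?all)")
    elif spf["all"] == "~":
        score += 15
        reasons.append("SPF softfail (~all)")
    if spf["lookups"] > 10:
        score += 10
        reasons.append("SPF exceeds 10 DNS-lookup terms (permerror)")
    if not dmarc["present"]:
        score += 50
        reasons.append("no DMARC record")
    elif dmarc["p"] == "none":
        score += 40
        reasons.append("DMARC p=none (monitor only)")
    elif dmarc["p"] == "quarantine":
        score += 15
        reasons.append("DMARC p=quarantine")
    if dmarc["present"] and dmarc["pct"] < 100:
        score += 5
        reasons.append(f"DMARC pct={dmarc['pct']} (partial enforcement)")
    if dmarc["present"] and not dmarc["rua"]:
        score += 5
        reasons.append("no DMARC aggregate reporting (rua)")
    return min(score, 100), reasons


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "none.example"):
        score, why = spoofability_score(d)
        print(f"{d:14} {score:3}/100  {'; '.join(why) or 'no issues'}")
```

Swapping lookup_txt for a real resolver (dnspython's resolver.resolve(name, "TXT"), for instance) turns this into a check you can run against your own domains; the thresholds and weights are the part you would tune to your organisation's policy.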

v8 New Modules (13 modules + 3 AI upgrades)

v8 adds deep web-attack probing, mobile/blockchain recon, social-engineering intel, and a full AI upgrade pass. All modules available individually or via --profile full_suite.

API & Web Attack

| Flag | Module | Description |
|---|---|---|
| --api-fuzz | REST API Fuzzer | OpenAPI/Swagger discovery, endpoint enumeration, IDOR probes, auth-bypass header testing, mass assignment, method confusion, sensitive key detection. |
| --oauth-scan | OAuth 2.0 / OIDC Scanner | Implicit flow detection, PKCE enforcement check, open redirect in redirect_uri, state CSRF, token endpoint CORS, exposed client credentials in JS. |
| --web-vulns | Web Vuln Probes | Reflected XSS, error-based + time-based SQLi, LFI/path traversal, SSRF with IMDS detection. |
| --open-redirect | Open Redirect Scanner | Scans 30 common redirect parameters with bypass-payload variants. |

Social Engineering & OSINT

| Flag | Module | Description |
|---|---|---|
| --linkedin | LinkedIn OSINT | Employee enumeration via Google dorking, tech stack inference from job postings, high-value target identification (IT/security roles), email format guessing. |
| --paste-monitor | Paste Monitor | Pastebin / GitHub Gist / paste.ee credential dump scanner — AWS keys, GitHub tokens, OpenAI keys, passwords, base64 blobs. |
| --se-osint | SE OSINT | Social engineering OSINT: email address and phone number harvesting from contact pages, Hunter.io, and Google. |

Mobile & Blockchain

| Flag | Module | Description |
|---|---|---|
| --apk-scan APK_PATH | APK Static Analysis | Manifest permissions (dangerous perm flagging), hardcoded secrets (10 patterns), dangerous API calls (WebView JS bridge, TrustAllCerts), embedded URL extraction, internal IP exposure. |
| --app-store | App Store Recon | Google Play + Apple App Store metadata — version history, permissions, ratings, privacy nutrition labels. |
| --web3-scan | Web3 / Blockchain | Smart contract discovery, ABI extraction, on-chain transaction analysis. |
| --ens-lookup | ENS Lookup | Ethereum Name Service domain resolution + on-chain social profile (avatar, email, GitHub). |

Network Intel

| Flag | Module | Description |
|---|---|---|
| --anon-detect | Anon Detect | Tor exit node, VPN, hosting provider, and proxy IP detection via multiple intelligence feeds. |
| --dns-leak | DNS Leak Check | DNS rebinding vulnerability, open resolver detection, internal hostname exposure via DNS leaks. |

AI Upgrades (3 new)

| Flag | Module | Description |
|---|---|---|
| --ai-consensus | AI Consensus | Runs threat analysis across multiple AI providers simultaneously and synthesizes a consensus report. |
| --attack-paths | MITRE ATT&CK Kill-Chain | AI-generated attack path mapping — findings mapped to MITRE ATT&CK tactics, techniques, and procedures. |
| --ai-remediate | AI Remediation + CVSSv3 | Per-finding remediation guidance with CVSSv3 base score calculation and priority ranking. |

All Flags

| Flag | Purpose | Since |
|---|---|---|
| -t, --target | Domain, IP, CIDR, or path to list file | |
| -p, --profile | fast · standard · thorough · stealth · web_only · port_only · full_suite · custom | |
| --all-ports | Scan all 65,535 ports | |
| --top-ports N | Scan top N ports (default: 1000) | |
| --timing T1–T5 | Nmap timing template (default: T4) | |
| --threads N | Concurrent threads (default: 20) | |
| --shodan --shodan-key | Shodan host intelligence | |
| --vt --vt-key | VirusTotal reputation (auto-routes domain vs IP) | |
| --whois --wayback --ssl | Free intelligence modules — no keys needed | |
| --cve [--nvd-key] | NVD CVE lookup. Key optional (raises limit 5→50 req/30s) | |
| --ai --ai-provider | AI analysis — groq · ollama · gemini · openai | |
| --github-osint [--github-token] | GitHub secret hunting | v6 |
| --js-extract | JS endpoint + credential extraction | v6 |
| --cloud-buckets | AWS S3, Azure Blob, GCS enumeration | v6 |
| --dns-zone | DNS zone transfer (AXFR) | v6 |
| --waf | WAF detection — 20 signatures | v6 |
| --cors | CORS misconfiguration scanner | v6 |
| --diff A.json B.json | Compare two scan reports | v6 |
| --notify URL | Mid-scan Slack / Discord / webhook alerts | v6 |
| --email-security | SPF/DKIM/DMARC + spoofability score | v7 |
| --breach-check [--hibp-key] | HaveIBeenPwned domain breach check | v7 |
| --cloud-meta | AWS/Azure/GCP metadata SSRF probe | v7 |
| --graphql | GraphQL endpoint discovery + introspection | v7 |
| --jwt-scan | JWT none-algorithm + weak HMAC cracker | v7 |
| --asn-map | BGP/ASN → all owned IP CIDRs | v7 |
| --supply-chain | Outdated JS libs + npm squatting | v7 |
| --k8s-probe | Kubernetes / Docker unauthenticated API detection | v7 |
| --db-exposure | Unauthenticated Redis / Elasticsearch / MongoDB / Memcached | v7 |
| --smtp-enum | SMTP user enumeration via VRFY/EXPN/RCPT TO | v7 |
| --snmp-scan | SNMP community string brute-force + MIB walk | v7 |
| --ldap-enum | LDAP anonymous bind + attribute dump | v7 |
| --devops-scan | Terraform state file + Jenkins exposure | v7 |
| --greynoise [--greynoise-key] | GreyNoise IP context — noise vs targeted | v7 |
| --typosquat | 200+ lookalike domain variant detection | v7 |
| --censys [--censys-id --censys-secret] | Censys host intelligence | v7 |
| --dns-history | DNS resolution history via VirusTotal PDNS | v7 |
| --sarif | Export findings as SARIF 2.1.0 | v7 |
| --api-fuzz | REST API fuzzer: endpoint discovery, IDOR, auth bypass, mass assignment | v8 |
| --oauth-scan | OAuth 2.0/OIDC misconfiguration scanner | v8 |
| --web-vulns | Web vuln probes: XSS, SQLi, LFI, SSRF | v8 |
| --open-redirect | Open redirect vulnerability scanner | v8 |
| --linkedin | LinkedIn employee OSINT + tech stack inference | v8 |
| --paste-monitor | Scan paste sites for credential/secret leaks | v8 |
| --se-osint | Social engineering OSINT: emails, phones, contacts | v8 |
| --apk-scan APK_PATH | APK static analysis (provide path to .apk file) | v8 |
| --app-store | Google Play + Apple App Store metadata scraper | v8 |
| --anon-detect | Tor/VPN/proxy/hosting IP detection | v8 |
| --dns-leak | DNS leak check: rebinding, open resolver, internal exposure | v8 |
| --web3-scan | Blockchain/Web3 recon: smart contracts, ABI, on-chain data | v8 |
| --ens-lookup | ENS domain lookup + on-chain social profile resolution | v8 |
| --ai-consensus | Multi-provider AI consensus threat report | v8 AI |
| --attack-paths | AI-generated MITRE ATT&CK kill-chain attack paths | v8 AI |
| --ai-remediate | AI per-finding remediation + CVSSv3 scoring | v8 AI |
| --pdf-report | Export pentest-ready PDF report (requires weasyprint or fpdf2) | v8 |
| --jira URL:EMAIL:TOKEN:PROJECT | Push findings to Jira as issues | v8 |
| --gh-issues TOKEN:OWNER/REPO | Push findings to GitHub Issues | v8 |
| --siem URL:TOKEN[:type] | Push findings to Splunk/Elastic HEC endpoint | v8 |
| --gui [--gui-port N] | Launch local desktop GUI at http://127.0.0.1:7117 | v8 |
| --resume FILE | Resume from state.json checkpoint | |
| --exclude PHASES | Skip specific pipeline phases | |
| --output-format | all · html · json · md · txt · pdf · sarif | |
| --timeout N | Global per-operation timeout in seconds (default: 30) | |
| --rate-limit N | Seconds between requests (default: 0) | |
| --update [--force-update] | Check for updates and install latest version | |
| -y, --yes | Skip confirmation (CI/automation) | |

AI Analysis

Phase 11 feeds all results into an LLM for threat prioritisation. Rule-based fallback runs automatically when no key is provided. v8 adds three AI-upgrade modes for deeper analysis.

| Provider | Default Model | Key |
|---|---|---|
| groq | llama3-70b-8192 | Required |
| ollama | llama3 | None — local |
| gemini | gemini-1.5-flash | Required |
| openai | gpt-4o-mini | Required |
| rule-based | Built-in | None — auto-fallback |

bash
# Standard AI analysis
ReconNinja -t example.com --ai --ai-key YOUR_GROQ_KEY
ReconNinja -t example.com --ai --ai-provider ollama  # local, free
ReconNinja -t example.com --ai  # rule-based fallback (no key needed)

# v8 — AI consensus across providers
ReconNinja -t example.com --ai --ai-consensus --ai-key KEY

# v8 — MITRE ATT&CK attack paths
ReconNinja -t example.com --ai --attack-paths --ai-key KEY

# v8 — Per-finding remediation + CVSSv3
ReconNinja -t example.com --ai --ai-remediate --ai-key KEY

# Full AI stack
ReconNinja -t example.com \
  --ai --ai-consensus --attack-paths --ai-remediate \
  --ai-provider groq --ai-key KEY -y

GUI (new in v8)

v8.0.0 ships a local Flask-based desktop GUI accessible via browser. Run scans point-and-click with real-time SSE progress streaming and an in-app findings dashboard. Requires pip install flask (auto-installed by install.sh).

🖱️ Point-and-Click Scans: Select profile, modules, output formats, and timeout without touching the CLI.
📡 Live Progress (SSE): Real-time log streaming via Server-Sent Events — see output the moment it arrives.
🗂️ In-App Findings Table: Vulnerability findings grouped by severity with inline detail view.
🕑 Scan History: Browse and re-open previous scan reports from the History tab.

bash
# Launch GUI (opens browser automatically)
ReconNinja --gui

# Custom port
ReconNinja --gui --gui-port 8080

# GUI URL
# → http://127.0.0.1:7117

# Install Flask if not installed
pip install flask

Changelog

v8.2.1 2026-05-01 PATCH
pyproject.toml fix — corrected project metadata in pyproject.toml. No functional changes.
v8.1.0 2026-05-01 PATCH
Bug #1 (High) — VERSION = "7.0.0" hardcoded in reconninja.py despite being v8 code; affected startup banner, argparse description, and --update version comparison. Fixed to 8.1.0.

Bug #2 (Low) — Module docstring header in reconninja.py still read v7.0.0. Updated.

Bug #3 (Medium) — gui/app.py: autocomplete="of" typo on target input — browsers showed autocomplete suggestions for security tool targets. Fixed to autocomplete="off".

Bug #4 (Medium) — SSE keepalive in gui/app.py used type: "log" with text: "…", appending a noise dot to the progress log every 30 s during idle. Changed to type: "keepalive" which the JS client silently ignores.

Bug #5 (Medium) — _scan_queues and _scan_results dicts in gui/app.py never cleaned up after scan completion, causing unbounded memory growth in long-running GUI sessions. Both dicts now pruned in the run_scan finally block.
v8.0.0 2026-05-01 MAJOR
13 new modules (Phases 15a–15m): REST API fuzzer, OAuth scanner, web vuln probes, open redirect, LinkedIn OSINT, paste monitor, SE OSINT, APK static analysis, app store recon, anon detect, DNS leak check, Web3 scan, ENS lookup.

3 AI upgrades: multi-provider consensus, MITRE ATT&CK kill-chain attack paths, per-finding AI remediation with CVSSv3 scoring.

Local desktop GUI via Flask + SSE — --gui flag.

Output integrations: --pdf-report, --jira, --gh-issues, --siem.

17 pre-release bugs fixed across 13 files — including 19 missing imports in orchestrator.py, 12 broken f-strings, broken dnstwist output path in typosquat.py, dead slab assignment in db_exposure.py, and SARIF shadow import loop.
v7.1.0 2026-04-04 BUGFIX
Bug #1 (Medium) — 19 module-level functions introduced in v7.0.0 raised NameError at runtime because their imports were missing from core/orchestrator.py. All 17 missing from core.* statements added. smtp_user_enum aliased to match call sites. flake8 --select=F821 now exits clean.
v7.0.0 2026-04-04 MAJOR
Added 17 new intelligence modules (phases 14a–14q): email security, breach check, cloud metadata SSRF, GraphQL scanner, JWT scanner, ASN mapping, supply chain analysis, K8s/Docker probe, database exposure, SMTP enum, SNMP scan, LDAP enum, DevOps scan, GreyNoise, typosquatting, Censys intelligence, and SARIF export.
v6.0.0 2026-03-20 MAJOR
Added 6 new modules: GitHub OSINT, JS extraction, cloud bucket enum, DNS zone transfer, WAF detection, CORS scanner. Added 2 new utilities: scan diff and webhook notifications. 8 critical bug fixes.
v5.x / v4.x 2026-03-09 – 2026-03-18 BUGFIX
v4.0.0 added Shodan, VirusTotal, WHOIS, Wayback, SSL modules + full pip packaging. v5.x series focused on bug sweeps: --exclude now applied, VirusTotal correctly routes domain vs IP, pyflakes clean across all source files.

Full history: CHANGELOG.md on GitHub

🐾
// 02 · VaultHound
VAULTHOUND

Secret & credential scanner — hunts API keys, passwords, tokens, and hardcoded secrets in live URLs, local directories, and git history. 43 detection patterns with entropy-based false positive filtering.

v1.0.0 · Python 3.10+ · 43 Patterns · MIT · PyPI
Authorized use only. Only scan targets you own or have explicit written permission to test.
🌐 URL Mode: Fetches HTML, JS files, API responses, and probes 15 common secret-exposing paths.
📁 Directory Mode: Recursively scans repos, configs, and source files across 25+ file types.
📜 Git History: Walks commit diffs to catch secrets committed then deleted from history.
🔬 Entropy Filter: Eliminates placeholder / example false positives using Shannon entropy.
📊 Dark HTML Report: Same aesthetic as ReconNinja — dark-mode dashboard that works standalone.
🔌 ReconNinja Plugin: Drop vaulthound_plugin.py into ReconNinja's plugins/ — runs automatically as a phase.

Usage

bash
# Install
pip install vaulthound

# Scan a live URL (HTML + JS + 15 sensitive path probes)
vaulthound -u https://example.com

# Scan a local directory
vaulthound -d /path/to/repo

# Directory + full git history
vaulthound -d /path/to/repo --git

# Deep JS scanning
vaulthound -u https://example.com --js

# Only critical and high severity
vaulthound -d . --severity high

# Custom output directory + skip prompt
vaulthound -d . --output /tmp/results -y

43 Detection Patterns

☁️ Cloud: AWS Access Key, AWS Secret, GCP API Key, GCP Service Account, Azure Storage Key, Azure Connection String
💳 Payment: Stripe live/restricted, Square, PayPal/Braintree
📡 Communication: Twilio, SendGrid, Mailgun, Slack bot/user/webhook, Discord
🐙 Source Control: GitHub PAT/OAuth/App Token, GitLab Token, NPM Token, PyPI Token
🤖 AI / LLM: OpenAI, Anthropic/Claude, Groq, HuggingFace
🗄️ Database: MySQL, PostgreSQL, MongoDB, Redis connection strings, MongoDB Atlas URI
🔑 Private Keys: RSA, EC, OpenSSH, PGP private key blocks
🎫 Generic Tokens: JWT, generic API keys, generic passwords, generic tokens, Bearer tokens
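The pattern families above are only half of a usable scanner; the Entropy Filter is what keeps documentation placeholders such as AWS's AKIAIOSFODNN7EXAMPLE out of the report. The block below is an added example, not VaultHound's own code or rule set: a small regex rule subset in the style of the families listed, a Shannon-entropy threshold per rule, a placeholder word list, and a constructed sample file that exercises both the keep and the suppress paths. Rule names, thresholds and the sample values are this example's own.

```python
import math
import re
from dataclasses import dataclass

# Hypothetical rule subset in the style of the pattern families above; these regexes
# are this example's own, not VaultHound's 43 patterns.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "generic_api_key": re.compile(r"(?i)api[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----)"),
}

# Minimum Shannon entropy (bits per character) a candidate must reach to be reported.
# Thresholds are assumed values chosen for this example. A structural match such as a
# PEM header has no entropy requirement: the header itself is the evidence.
MIN_ENTROPY = {"aws_access_key_id": 3.0, "github_pat": 4.0, "generic_api_key": 3.5}

# Substrings that mark documentation placeholders even when their entropy is high.
PLACEHOLDER_WORDS = ("example", "placeholder", "changeme", "xxxx", "your_", "dummy")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the string."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    rule: str
    line: int
    secret: str
    entropy: float


def looks_like_placeholder(rule: str, secret: str, entropy: float) -> bool:
    """True when the candidate should be suppressed as a false positive."""
    if any(word in secret.lower() for word in PLACEHOLDER_WORDS):
        return True
    return rule in MIN_ENTROPY and entropy < MIN_ENTROPY[rule]


def scan_text(text: str):
    """Return (reported, suppressed) findings for a blob of file content."""
    reported, suppressed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(1)
                ent = shannon_entropy(secret)
                finding = Finding(rule, lineno, secret, round(ent, 3))
                if looks_like_placeholder(rule, secret, ent):
                    suppressed.append(finding)
                else:
                    reported.append(finding)
    return reported, suppressed


def redact(secret: str) -> str:
    """Show only a short prefix so the report itself does not leak the value."""
    return secret[:4] + "***" if len(secret) > 8 else "***"


# Constructed sample file content (not a real config); line numbers matter for the demo.
SAMPLE = "\n".join([
    "# constructed sample config, not a real file",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",                  # AWS documentation placeholder
    "AWS_ACCESS_KEY_ID=AKIAJ4K7R2XQ9PB3LM6W",                  # constructed high-entropy value
    "GITHUB_TOKEN=ghp_" + "x" * 36,                            # obvious placeholder
    "GITHUB_TOKEN=ghp_q3Zr8KfA1mWx5TbN9cVd2HgL7pYe4sJu6oRi",  # constructed high-entropy value
    'api_key: "changeme_changeme_changeme"',                   # placeholder by word list
    "-----BEGIN RSA PRIVATE KEY-----",                         # structural match, always reported
])


if __name__ == "__main__":
    reported, suppressed = scan_text(SAMPLE)
    for f in reported:
        print(f"REPORT   line {f.line}: {f.rule} {redact(f.secret)} (entropy {f.entropy})")
    for f in suppressed:
        print(f"SUPPRESS line {f.line}: {f.rule} {redact(f.secret)} (entropy {f.entropy})")
```

Two filters are needed because they fail in different ways: a run of x's has near-zero entropy but the AWS documentation key scores well above 3 bits per character and is caught only by the word list, while a random-looking real key passes both.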

Output

Reports saved to vaulthound_reports/<target>_<timestamp>/

| File | Description |
|---|---|
| report.html | Dark-mode HTML dashboard — open in browser |
| report.json | Machine-readable findings for pipeline integration |
| report.txt | Plain text summary |
| vaulthound.log | Full debug log |
| scan_config.json | Exact configuration used |

🔐
// 03 · envleaks
ENVLEAKS

Scan codebases, git history, and Docker images for accidentally exposed secrets. 60+ detection patterns, SARIF output for GitHub Advanced Security, and CI/CD pipeline mode.

v1.1.0 · Python 3.10+ · 60+ Patterns · SARIF · MIT · PyPI

🔍 60+ Patterns: AWS, GitHub, OpenAI, Anthropic, Stripe, Slack, Twilio, DB strings, private keys, JWT, and more.
📜 Git History: Scans every past commit — catches secrets deleted from current files.
🐳 Docker Ready: Works inside containers and CI/CD pipelines out of the box.
📊 SARIF Output: GitHub Advanced Security compatible — results appear in the Security tab.
🚦 CI Mode: --ci flag exits with code 1 on findings — blocks the pipeline automatically.
🎯 Severity Filter: Focus on critical,high only and skip the noise.

Usage

bash
# Install
pip install envleaks

# Scan current directory
envleaks scan .

# Critical and high only
envleaks scan . --severity critical,high

# Also scan all past git commits
envleaks scan . --git-history

# Export JSON report
envleaks scan . --format json --output report.json

# CI mode — exits 1 if findings
envleaks scan . --ci --severity critical,high

# SARIF for GitHub Advanced Security
envleaks scan . --format sarif --output envleaks.sarif

# List all detection rules
envleaks list-rules
envleaks list-rules --severity critical

Detection Rules

| Category | Rules | Examples |
|---|---|---|
| AWS | 3 | Access Key, Secret Key, Session Token |
| GitHub | 5 | Classic PAT, OAuth, Fine-Grained PAT, App tokens |
| Google / GCP | 3 | API Key, Service Account JSON |
| OpenAI | 2 | API Key, Organization ID |
| Anthropic | 1 | API Key |
| Stripe | 4 | Live/Test Secret, Webhook, Publishable |
| Slack | 4 | Bot Token, User Token, App Token, Webhook URL |
| Database URLs | 2 | PostgreSQL, MongoDB Atlas URI |
| Private Keys | 5 | RSA, EC, OpenSSH, PGP, PKCS#8 |
| JWT | 1 | JSON Web Token |
| Discord / Telegram | 3 | Bot tokens, Webhook URLs |
| Firebase | 2 | Database URL, FCM Server Key |
| Generic | 3 | Secret assignments, Bearer tokens, Basic Auth in URLs |
| NPM | 2 | Registry auth token, Access token |
| + more | 20+ | Twilio, SendGrid, Heroku, Azure, Cloudflare, DigitalOcean... |

CI/CD Integration

.github/workflows/secrets.yml
name: Secret scan
on: [push, pull_request]

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan for secrets
        run: |
          pip install envleaks
          envleaks scan . --ci --severity critical,high

  # Full SARIF → GitHub Security tab
  sarif:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # upload-sarif needs this to write to the Security tab
    steps:
      - uses: actions/checkout@v4
      - name: Scan (SARIF)
        run: |
          pip install envleaks
          envleaks scan . --format sarif --output envleaks.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: envleaks.sarif
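Two things make the workflow above work: the SARIF document has to follow the 2.1.0 shape the upload action accepts, and --ci has to turn findings into a non-zero exit status. The block below is an added example, not envleaks' report writer: it builds a SARIF 2.1.0 document from a constructed findings list (the finding dictionary shape, rule ids and file paths are this example's own), redacts the matched secret before it lands in the message text, and computes the gate's exit code from a critical,high style severity filter.

```python
import json

# SARIF result levels; critical and high both map to the strongest level available.
LEVELS = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}

# Constructed findings (shape is this example's own, not envleaks' report format).
SAMPLE_FINDINGS = [
    {"rule_id": "github-pat", "title": "GitHub personal access token", "severity": "critical",
     "file": "config/.env", "line": 4, "secret": "ghp_0123456789abcdefghijklmnopqrstuvwxyz"},
    {"rule_id": "aws-access-key-id", "title": "AWS access key ID", "severity": "high",
     "file": "deploy/settings.py", "line": 17, "secret": "AKIA0123456789ABCDEF"},
    {"rule_id": "generic-basic-auth-url", "title": "Basic auth credentials in URL", "severity": "low",
     "file": "docs/README.md", "line": 88, "secret": "https://user:pass@example.com"},
]


def redact(secret: str) -> str:
    """Keep a recognisable prefix/suffix; the full value must never reach the Security tab."""
    if len(secret) <= 8:
        return "***"
    return secret[:4] + "***" + secret[-2:]


def build_sarif(findings, tool="envleaks-style-scanner", version="0.0") -> dict:
    """Assemble a SARIF 2.1.0 log with one run, one rule per rule_id and one result per finding."""
    rules, index = [], {}
    for f in findings:
        if f["rule_id"] not in index:
            index[f["rule_id"]] = len(rules)
            rules.append({
                "id": f["rule_id"],
                "shortDescription": {"text": f["title"]},
                "defaultConfiguration": {"level": LEVELS[f["severity"]]},
            })
    results = []
    for f in findings:
        results.append({
            "ruleId": f["rule_id"],
            "ruleIndex": index[f["rule_id"]],
            "level": LEVELS[f["severity"]],
            "message": {"text": f"{f['title']} detected: {redact(f['secret'])}"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
            "properties": {"severity": f["severity"]},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool, "version": version, "rules": rules}},
                  "results": results}],
    }


def sarif_json(findings) -> str:
    return json.dumps(build_sarif(findings), indent=2)


def ci_exit_code(findings, severities="critical,high") -> int:
    """1 if any finding is at a gated severity (the --ci behaviour), else 0."""
    gate = {s.strip().lower() for s in severities.split(",") if s.strip()}
    return 1 if any(f["severity"].lower() in gate for f in findings) else 0


if __name__ == "__main__":
    print(sarif_json(SAMPLE_FINDINGS))
    print("exit code for critical,high gate:", ci_exit_code(SAMPLE_FINDINGS))
```

The redaction step is the caveat worth remembering when wiring any secret scanner into code scanning: the SARIF file is stored by the platform and shown to everyone with Security tab access, so the result message should identify the finding without reproducing the credential.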
🎯
// 04 · gitdork
GITDORK

Google, Shodan, and GitHub dork generator. Feed it a domain or GitHub repo — get 100+ ready-to-use dork queries targeting exposed secrets, sensitive files, open directories, and misconfigs.

v1.1.1 · Python 3.10+ · 3 Engines · 100+ Dorks · MIT · PyPI

🔍 Google Dorks: site:, filetype:, intitle:, inurl: — 40+ templates across 8 categories.
🌐 Shodan Dorks: hostname:, port:, ssl:, product: — 30+ infrastructure recon queries.
🐙 GitHub Search: org:, filename:, extension: — 35+ code search dorks for secret hunting.
🧠 Tech Stack Detection: Fetch GitHub metadata to generate tech-specific dorks (Django, AWS, Kubernetes, etc.).
🔗 Clickable URLs: Every dork includes a direct search URL — click and run.
📝 Markdown Export: Export full dork report to Markdown — perfect for bug bounty writeups.

Usage

bash
# Install
pip install gitdork

# Generate dorks for a domain
gitdork generate example.com

# Generate for a GitHub org/repo
gitdork generate ExploitCraft/ReconNinja

# Google dorks only
gitdork generate example.com --engine google

# Secrets and misconfigs only
gitdork generate example.com --category secrets,misconfigs

# Enrich with GitHub API for tech-stack dorks
gitdork generate ExploitCraft/ReconNinja --enrich

# Export to JSON
gitdork generate example.com --format json --output dorks.json

# Export to Markdown (for reports)
gitdork generate example.com --format markdown --output dorks.md

# Group output by category
gitdork generate example.com --group-by category

# List all categories / engines
gitdork list-categories
gitdork list-engines

Dork Categories

| ID | Description | Examples |
|---|---|---|
| secrets | API keys, tokens, passwords, private keys | filetype:env "api_key", BEGIN RSA PRIVATE KEY |
| sensitive_files | .env, .sql, .log, .bak, config files | filetype:sql, inurl:".git/config" |
| exposed_dirs | Open directory listings | intitle:"index of /" |
| misconfigs | phpMyAdmin, Jenkins, Grafana, debug mode | inurl:phpMyAdmin, port:2375 |
| login_panels | Admin panels, login pages | inurl:admin, intitle:"login" |
| error_pages | Stack traces, PHP errors, SQL errors | "stack trace", "SQL syntax" |
| subdomains | Subdomain enumeration, infra discovery | site:*.example.com |
| code_leaks | TODO credentials, internal-only code | "do not commit" |

Engines

| Engine | Operators | Best For |
|---|---|---|
| google | site: filetype: intitle: inurl: | Exposed files, admin panels, error pages |
| shodan | hostname: port: ssl: product: | Open ports, exposed services, infra recon |
| github | org: filename: extension: | Hardcoded secrets, leaked credentials in repos |

📡
// 05 · wifi-passview
WIFI-PASSVIEW

Cross-platform CLI to dump all saved WiFi credentials in one command. Linux, Windows, and macOS. Terminal, JSON, and CSV output with redact mode for safe screenshots.

v1.1.1 · Python 3.10+ · Linux · Windows · macOS · MIT · PyPI

🐧 Linux: NetworkManager, wpa_supplicant, iwd. Full passwords with sudo.
🪟 Windows: netsh wlan extraction. No admin required for current user profiles.
🍎 macOS: Keychain via security find-generic-password.
🔒 Redact Mode: --redact partially masks passwords — safe for screenshots and sharing.
🔍 Search: Filter profiles by SSID with wifi-passview search "HomeNet".
📊 CSV / JSON: Machine-readable output for integration into other tools.
Use only on devices you own or have explicit permission to audit.

Usage

bash
# Install
pip install wifi-passview

# Dump all saved WiFi profiles
wifi-passview dump

# Redact passwords (safe for screenshots)
wifi-passview dump --redact

# Hide passwords entirely
wifi-passview dump --no-password

# Export to JSON
wifi-passview dump --format json --output wifi.json

# Export to CSV
wifi-passview dump --format csv --output wifi.csv

# Search for a specific network
wifi-passview search "HomeNetwork"

# Linux — run with sudo for full passwords from NetworkManager
sudo wifi-passview dump

Platform Notes

| Platform | Method | Requires |
|---|---|---|
| Linux | NetworkManager /etc/NetworkManager/system-connections/ | sudo for passwords |
| Linux | wpa_supplicant /etc/wpa_supplicant/wpa_supplicant.conf | sudo |
| Linux | iwd /var/lib/iwd/*.psk | sudo |
| Linux | nmcli fallback — SSID list only | No root |
| Windows | netsh wlan show profiles + key=clear | No admin |
| macOS | security find-generic-password (Keychain) | Keychain permission |