Pen Hunter is a comprehensive vulnerability scanning tool designed for penetration testers, security researchers and bug bounties. it automates the process of collecting subdomains and URLs and tests them for various vulnerabilities including XSS, SQL Injection, Local File Inclusion, Open Redirect, Server-Side Request Forgery, CSRF, and RCE.
PenHunter
Modular Web Vulnerability Scanner
Comprehensive testing for XSS, SQLi, LFI, SSRF, RCE, Open Redirect, and CSRF โ built for penetration testers, bug bounty hunters, and security researchers.
About
PenHunter is a powerful, modular web vulnerability scanner written in Go. It provides comprehensive testing for common web vulnerabilities including XSS, SQL Injection, LFI, SSRF, RCE, Open Redirect, and CSRF โ with concurrent scanning, advanced detection methods, WAF evasion, and integrations with industry tools like dalfox, sqlmap, and nuclei.
PenHunter โ modular vulnerability scanner with interactive and CLI modes.
Table of Contents
- About
- Features
- Installation
- Quick Start
- Usage Examples
- Screenshots
- Command Reference
- Advanced Usage
- Contributing
- License
- Support
Features
Core Capabilities
- Multiple Vulnerability Scanners: XSS, SQLi, LFI, SSRF, RCE, Open Redirect, CSRF
- High Performance: Concurrent scanning with configurable thread pools
- Advanced Detection: Boolean-based, time-based, error-based detection methods
- WAF Evasion: Payload mutation, header rotation, TLS fingerprint randomization
- External Tool Integration: dalfox, sqlmap, nuclei, and more
- Multiple Output Formats: JSON, HTML, TXT
- Interactive CLI: Menu-driven interface for guided scans
- Auto-Update: Built-in update mechanism via GitHub releases
- Organized Results: Automatic directory structure for scan results
Intelligent Detection Engine
Differential analysis, boolean/time/error oracles, and payload mutation built in.
- Differential Response Analysis: Detects subtle behavior changes that confirm vulnerabilities
- Multi-Method Coverage: Boolean-based, time-based, and error-based detection paths per vuln class
- Payload Mutation: Automatic encoding, casing, and obfuscation variants for WAF bypass
- Confidence Scoring: Per-finding confidence to filter true positives from noise
Discovery Pipeline
Subdomain โ URL โ endpoint โ vulnerability
PenHunter integrates the best-in-class recon stack:
Subdomain enumeration:
- subfinder, assetfinder โ passive discovery
- amass (optional) โ active + passive
- httpx โ live host probing
- urlfinder, katana, gospider โ crawler-based URL collection
- gau, gauplus, waybackurls โ wayback machine harvesting
- cariddi, getJS โ JS endpoint mining
- PenHunter native parsing โ built-in JS extractor
- dalfox, sqlmap, nuclei โ best-in-class engines, orchestrated through PenHunter
Vulnerability Classes
Seven vulnerability classes, comprehensive coverage
| Class | Detection Methods | Default Engine | |---|---|---| | XSS | Reflected, stored, DOM | Native + dalfox | | SQLi | Boolean, time, error, union | Native + sqlmap | | LFI | Path traversal, wrapper, log poisoning | Native | | SSRF | Internal, cloud metadata, gopher, file | Native + OOB | | RCE | Command injection, template injection | Native + nuclei | | Open Redirect | Header, parameter, JS-based | Native | | CSRF | Missing token, weak token, predictable | Native |
HTTP & Networking
Production-grade HTTP layer for scaling and stealth
- Custom Headers (
-H): Repeatable headers for authenticated scans - Cookie Support (
-c): Session cookies for protected resources - User-Agent Rotation: Built-in UA rotation for evasion
- Rate Limiting: Configurable request pacing
- Timeouts: Per-request timeout control
- Retry Logic: Exponential backoff on failures
- Proxy Support: Burp Suite and other intercepting proxies
- TLS Bypass: Optional certificate verification skip for testing
Output & Reporting
Three formats, organized result hierarchy
- Console: Color-coded terminal output with severity highlighting
- TXT: Plain text logs for scripting
- JSON: Structured output for automation pipelines
- HTML: Self-contained reports for stakeholder review
Installation
Go Install (Recommended)
go install -v github.com/cc1a2b/PenHunter/cmd/penhunter@latest
penhunter --help
Note:go installships only the binary. To get the bundledconfig/(payloads, encoders, user callbacks), clone the repo or usemake install.
Build from Source
git clone https://github.com/cc1a2b/PenHunter.git
cd PenHunter
make build
make install # installs to $HOME/penhunter/
Add to PATH
# Linux/macOS
export PATH="$HOME/penhunter/bin:$PATH"
Or symlink
sudo ln -sf $HOME/penhunter/bin/penhunter /usr/local/bin/penhunter
From Releases
Download the latest release from GitHub Releases and extract to your$HOME/penhunter/ directory.
System Requirements
- Go 1.21+ (for building from source)
- Linux, macOS, or Windows (64-bit)
- External recon tools (optional but recommended): subfinder, assetfinder, httpx, katana, gau, dalfox, sqlmap, nuclei
Quick Start
Interactive mode
penhunter
Launches the menu where you choose between single-domain or subdomain scanning, vulnerability classes, and engines.
Single URL scan
penhunter -u https://example.com -v xss,sqli
Multi-URL scan with JSON output
penhunter -l urls.txt -v xss -t 50 --json results.json
Update PenHunter
penhunter --update
Usage Examples
# Test single URL for XSS + SQLi
penhunter -u https://example.com -v xss,sqli
Multi-URL scan with custom thread count
penhunter -l urls.txt -v xss -t 50 --json results.json
Full vulnerability sweep
penhunter -u https://target.com -v xss,sqli,lfi,ssrf,rce,redirect,csrf -t 30
Stealth scan through Burp Suite
penhunter -u https://target.com -v xss --proxy http://127.0.0.1:8080 -R 1000
Authenticated scan with cookies and headers
penhunter -u https://target.com -v xss,sqli \
-c "session=abc123" \
-H "Authorization: Bearer eyJ..."
Check installed external tools
penhunter --check-tools
Check for updates
penhunter --check-update
Screenshots
LFI vulnerability scan โ path traversal detection with confirmed payload.
XSS vulnerability scan โ reflected payload confirmed in response.
Command Reference
Usage:
penhunter [flags]
Modes: (no args) Launch interactive menu -u, --url URL Test a single URL -l, --list FILE Test URLs from a file -v, --vulns LIST Comma-separated vulns (xss, sqli, lfi, ssrf, rce, redirect, csrf)
HTTP & Performance: -t, --threads INT Concurrent threads (default: 10) -H, --header "K: V" Custom HTTP headers (repeatable) -c, --cookies STR Session cookies -p, --proxy URL HTTP/HTTPS/SOCKS proxy -k, --skip-tls Skip TLS verification -R, --rate-limit MS Request delay (milliseconds)
Output: -o, --output FILE Output file --json FILE Structured JSON output --html FILE HTML report
Maintenance: --update Update PenHunter to latest --check-update Check if a new version is available --check-tools Verify external tools are installed -h, --help Show help -V, --version Show version
Advanced Usage
Bug Bounty Workflow
# 1. Subdomain enumeration โ URL collection โ vuln scan
subfinder -d target.com | httpx | tee live.txt
gau < live.txt | tee urls.txt
penhunter -l urls.txt -v xss,sqli,redirect -t 30 --json findings.json
CI / Continuous Scanning
penhunter -l production-urls.txt -v xss,sqli \
--json "scan-$(date +%F).json" \
-R 2000 \
--proxy http://internal-proxy:8080
WAF Evasion Scan
penhunter -u https://target.com -v xss \
-H "X-Forwarded-For: 1.1.1.1" \
-H "X-Real-IP: 1.1.1.1" \
-R 1500
Contributing
Contributions welcome from the security community.
- Report bugs via GitHub Issues
- Suggest features or new vulnerability classes
- Improve documentation
- Submit pull requests with new payloads, detectors, or integrations
Development Setup
git clone https://github.com/cc1a2b/PenHunter.git
cd PenHunter
go mod tidy
make build
License
PenHunter is released under the MIT License. See LICENSE for details.
Copyright (c) 2024-2026 Hussain Alsharman
Licensed under MIT License โ free for commercial and personal use
Support
If PenHunter helps with your security research:
Star this repo โข Follow @cc1a2b โข Share with the security community
PenHunter โ Modular Web Vulnerability Scanner
Built with by cc1a2b for the security community