cc1a2b
PenHunter
Go

Pen Hunter is a comprehensive vulnerability scanning tool designed for penetration testers, security researchers and bug bounties. it automates the process of collecting subdomains and URLs and tests them for various vulnerabilities including XSS, SQL Injection, Local File Inclusion, Open Redirect, Server-Side Request Forgery, CSRF, and RCE.

Last updated Jul 9, 2026
29
Stars
6
Forks
0
Issues
0
Stars/day
Attention Score
54
Language breakdown
Go 98.3%
Makefile 1.7%
โ–ธ Files click to expand
README

PenHunter

License Go Version Release GitHub stars Platform

Modular Web Vulnerability Scanner

Comprehensive testing for XSS, SQLi, LFI, SSRF, RCE, Open Redirect, and CSRF โ€” built for penetration testers, bug bounty hunters, and security researchers.

About

PenHunter is a powerful, modular web vulnerability scanner written in Go. It provides comprehensive testing for common web vulnerabilities including XSS, SQL Injection, LFI, SSRF, RCE, Open Redirect, and CSRF โ€” with concurrent scanning, advanced detection methods, WAF evasion, and integrations with industry tools like dalfox, sqlmap, and nuclei.

PenHunter Demo

PenHunter โ€” modular vulnerability scanner with interactive and CLI modes.


Table of Contents


Features

Core Capabilities

  • Multiple Vulnerability Scanners: XSS, SQLi, LFI, SSRF, RCE, Open Redirect, CSRF
  • High Performance: Concurrent scanning with configurable thread pools
  • Advanced Detection: Boolean-based, time-based, error-based detection methods
  • WAF Evasion: Payload mutation, header rotation, TLS fingerprint randomization
  • External Tool Integration: dalfox, sqlmap, nuclei, and more
  • Multiple Output Formats: JSON, HTML, TXT
  • Interactive CLI: Menu-driven interface for guided scans
  • Auto-Update: Built-in update mechanism via GitHub releases
  • Organized Results: Automatic directory structure for scan results

Intelligent Detection Engine

Differential analysis, boolean/time/error oracles, and payload mutation built in.
  • Differential Response Analysis: Detects subtle behavior changes that confirm vulnerabilities
  • Multi-Method Coverage: Boolean-based, time-based, and error-based detection paths per vuln class
  • Payload Mutation: Automatic encoding, casing, and obfuscation variants for WAF bypass
  • Confidence Scoring: Per-finding confidence to filter true positives from noise

Discovery Pipeline

Subdomain โ†’ URL โ†’ endpoint โ†’ vulnerability

PenHunter integrates the best-in-class recon stack:

Subdomain enumeration:

  • subfinder, assetfinder โ€” passive discovery
  • amass (optional) โ€” active + passive
HTTP probing & URL discovery:
  • httpx โ€” live host probing
  • urlfinder, katana, gospider โ€” crawler-based URL collection
  • gau, gauplus, waybackurls โ€” wayback machine harvesting
Endpoint extraction:
  • cariddi, getJS โ€” JS endpoint mining
  • PenHunter native parsing โ€” built-in JS extractor
Vulnerability scanning:
  • dalfox, sqlmap, nuclei โ€” best-in-class engines, orchestrated through PenHunter

Vulnerability Classes

Seven vulnerability classes, comprehensive coverage

| Class | Detection Methods | Default Engine | |---|---|---| | XSS | Reflected, stored, DOM | Native + dalfox | | SQLi | Boolean, time, error, union | Native + sqlmap | | LFI | Path traversal, wrapper, log poisoning | Native | | SSRF | Internal, cloud metadata, gopher, file | Native + OOB | | RCE | Command injection, template injection | Native + nuclei | | Open Redirect | Header, parameter, JS-based | Native | | CSRF | Missing token, weak token, predictable | Native |

HTTP & Networking

Production-grade HTTP layer for scaling and stealth
  • Custom Headers (-H): Repeatable headers for authenticated scans
  • Cookie Support (-c): Session cookies for protected resources
  • User-Agent Rotation: Built-in UA rotation for evasion
  • Rate Limiting: Configurable request pacing
  • Timeouts: Per-request timeout control
  • Retry Logic: Exponential backoff on failures
  • Proxy Support: Burp Suite and other intercepting proxies
  • TLS Bypass: Optional certificate verification skip for testing

Output & Reporting

Three formats, organized result hierarchy
  • Console: Color-coded terminal output with severity highlighting
  • TXT: Plain text logs for scripting
  • JSON: Structured output for automation pipelines
  • HTML: Self-contained reports for stakeholder review

Installation

Go Install (Recommended)

go install -v github.com/cc1a2b/PenHunter/cmd/penhunter@latest
penhunter --help
Note: go install ships only the binary. To get the bundled config/ (payloads, encoders, user callbacks), clone the repo or use make install.

Build from Source

git clone https://github.com/cc1a2b/PenHunter.git
cd PenHunter
make build
make install                # installs to $HOME/penhunter/

Add to PATH

# Linux/macOS
export PATH="$HOME/penhunter/bin:$PATH"

Or symlink

sudo ln -sf $HOME/penhunter/bin/penhunter /usr/local/bin/penhunter

From Releases

Download the latest release from GitHub Releases and extract to your $HOME/penhunter/ directory.

System Requirements

  • Go 1.21+ (for building from source)
  • Linux, macOS, or Windows (64-bit)
  • External recon tools (optional but recommended): subfinder, assetfinder, httpx, katana, gau, dalfox, sqlmap, nuclei

Quick Start

Interactive mode

penhunter
Launches the menu where you choose between single-domain or subdomain scanning, vulnerability classes, and engines.

Single URL scan

penhunter -u https://example.com -v xss,sqli

Multi-URL scan with JSON output

penhunter -l urls.txt -v xss -t 50 --json results.json

Update PenHunter

penhunter --update

Usage Examples

# Test single URL for XSS + SQLi
penhunter -u https://example.com -v xss,sqli

Multi-URL scan with custom thread count

penhunter -l urls.txt -v xss -t 50 --json results.json

Full vulnerability sweep

penhunter -u https://target.com -v xss,sqli,lfi,ssrf,rce,redirect,csrf -t 30

Stealth scan through Burp Suite

penhunter -u https://target.com -v xss --proxy http://127.0.0.1:8080 -R 1000

Authenticated scan with cookies and headers

penhunter -u https://target.com -v xss,sqli \ -c "session=abc123" \ -H "Authorization: Bearer eyJ..."

Check installed external tools

penhunter --check-tools

Check for updates

penhunter --check-update

Screenshots

PenHunter โ€” LFI detection

LFI vulnerability scan โ€” path traversal detection with confirmed payload.



PenHunter โ€” XSS detection

XSS vulnerability scan โ€” reflected payload confirmed in response.


Command Reference

Usage:
  penhunter [flags]

Modes: (no args) Launch interactive menu -u, --url URL Test a single URL -l, --list FILE Test URLs from a file -v, --vulns LIST Comma-separated vulns (xss, sqli, lfi, ssrf, rce, redirect, csrf)

HTTP & Performance: -t, --threads INT Concurrent threads (default: 10) -H, --header "K: V" Custom HTTP headers (repeatable) -c, --cookies STR Session cookies -p, --proxy URL HTTP/HTTPS/SOCKS proxy -k, --skip-tls Skip TLS verification -R, --rate-limit MS Request delay (milliseconds)

Output: -o, --output FILE Output file --json FILE Structured JSON output --html FILE HTML report

Maintenance: --update Update PenHunter to latest --check-update Check if a new version is available --check-tools Verify external tools are installed -h, --help Show help -V, --version Show version


Advanced Usage

Bug Bounty Workflow

# 1. Subdomain enumeration โ†’ URL collection โ†’ vuln scan
subfinder -d target.com | httpx | tee live.txt
gau < live.txt | tee urls.txt
penhunter -l urls.txt -v xss,sqli,redirect -t 30 --json findings.json

CI / Continuous Scanning

penhunter -l production-urls.txt -v xss,sqli \
  --json "scan-$(date +%F).json" \
  -R 2000 \
  --proxy http://internal-proxy:8080

WAF Evasion Scan

penhunter -u https://target.com -v xss \
  -H "X-Forwarded-For: 1.1.1.1" \
  -H "X-Real-IP: 1.1.1.1" \
  -R 1500

Contributing

Contributions welcome from the security community.

  • Report bugs via GitHub Issues
  • Suggest features or new vulnerability classes
  • Improve documentation
  • Submit pull requests with new payloads, detectors, or integrations

Development Setup

git clone https://github.com/cc1a2b/PenHunter.git
cd PenHunter
go mod tidy
make build

License

PenHunter is released under the MIT License. See LICENSE for details.

Copyright (c) 2024-2026 Hussain Alsharman
Licensed under MIT License โ€” free for commercial and personal use

Support

If PenHunter helps with your security research:

Star this repo โ€ข Follow @cc1a2b โ€ข Share with the security community


PenHunter โ€” Modular Web Vulnerability Scanner

Built with by cc1a2b for the security community

๐Ÿ”— More in this category

ยฉ 2026 GitRepoTrend ยท cc1a2b/PenHunter ยท Updated daily from GitHub