Custom bash scripts used to automate various penetration testing tasks including recon, scanning,
enumeration, HTML engagement reports, and malicious payload creation using Metasploit. For use with
Kali Linux or Ubuntu.
- Download to your home directory.
cd ~
git clone https://github.com/leebaird/discover
cd discover/
./discover.sh
- Select Update (main menu option 18) to update the operating system and install dependencies (
droopescan,feroxbuster,ffuf,jq,nuclei, etc.). - Some options require root credentials to run.
RECON
1. Domain
2. Person
SCANNING
3. Generate target list
4. CIDR
5. List
6. IP, range, or URL
7. Rerun Nmap scripts and MSF aux
WEB
8. Insecure direct object reference
9. Open multiple tabs in Firefox
10. Nikto
11. SSL
MISC
12. Generate a malicious payload
13. Start a Metasploit listener
14. CVE lookup
15. Parse XML
16. Dev
17. Notes
18. Update
19. Exit
RECON
1. Passive
2. Breaches
3. Find registered domains
4. Google dorks
5. Web search
6. Import names
7. Import names, titles, and emails
8. Import subdomains
9. Active
10. Import report
11. Export report
12. Previous menu
Note: Passive and Active cannot be run as root.
Typical domain engagement path:
- Passive — build
$HOME/data/<domain>/HTML report. - Import names / Import names, titles, and emails / Import subdomains — enrich contacts and hosts.
- Active — httpx / whatweb / gowitness; Active and Subdomains pages; optional NVD CVSS.
- Software filter on Active → filtered Subdomains → host scans (Nuclei, droopescan when CMS, Nikto, ffuf) in operator mode.
- Import report — reopen the live tree later for more testing (operator mode).
- Export report — Client, Defender, or Audit-only package for delivery.
- Reports → Audit in the HTML report — Target scans, Audit log, and Exports.
Uses Amass, ARIN, DNSRecon, dnstwist, Metasploit, subfinder, sublist3r, theHarvester, Whois, and multiple websites.
- Acquire free API keys for maximum results with theHarvester.
- Add API keys to
$HOME/.theHarvester/api-keys.yaml. - Passive builds an HTML report at
$HOME/data/<domain>/. - Find registered domains updates
pages/registered-domains.htmin an existing report. - Active uses httpx, whatweb, and gowitness; optional NVD API key speeds CVSS enrichment (see NVD API key).
- HTML Reports menu: Passive, Active, and Audit.
Script: recon/import-names.sh (Domain menu 6).
Run after a passive scan to add or enrich contacts from manual research (LinkedIn, company sites, phone directories, etc.).
Enter the location of your previous passive scan:
/home/user/data/example.com
Enter manual contacts file (or press Enter for default):
- Edit
$HOME/data/<domain>/tools/names-manual.tsv - Format: Name, Title, Phone (tab-separated, one person per line)
- Lines starting with
#are comments - Title and phone may be left blank
- Re-run Import names whenever you add rows to the manual file
Merges three sources, then refreshes pages/names.htm:
tools/names— auto-discovered names from the passive scanpages/names.htm— existing report tabletools/names-manual.tsv— manual entries (wins for title/phone when filled in)
The merged TSV is saved back to tools/names. The Names page is a sortable three-column table: Name, Title, Phone.
Script: recon/import-names-titles-emails.sh (Domain menu 7).
Merge a separate names dump (with optional titles and emails) into an existing passive engagement.
Enter the location of the names file:
/home/user/data/names-from-osint.txt
Enter the location of your previous passive scan:
/home/user/data/example.com
- Requires a readable source file and a report that already has
pages/names.htm - Accepts free-form lines (
Name Title email@domain) and tab-separated rows (Name,Title,Email,Phone) - Merges into
tools/namesandtools/emails, and refreshespages/names.htm/ passive summary counts - Useful when contacts come from a tool or export outside Discover’s manual TSV
Script: recon/import-subdomains.sh (Domain menu 8).
Run after a passive scan to add or enrich hosts from Pentest-Tools or manual research.
Enter the location of your previous passive scan:
/home/user/data/example.com
Enter import file or firefox (or press Enter for default):
Supported imports:
-
firefox— pullpinia/scansfrom your Firefox profile (free Pentest-Tools scans) -
Firefox
pinia/scansexport (pinia-scans.json) -
Pentest-Tools JSON (
pentest-tools-<domain>.json) -
Pentest-Tools text export (
pentest-tools.txt) -
Tab-separated host/IP rows
-
Edit
$HOME/data/<domain>/tools/subdomains-import.tsvfor manual entries -
Format: Subdomain, IP (tab-separated; IP optional)
-
Hosts without an IP are resolved with
digduring import -
Re-run Import subdomains whenever you add rows or run a new Pentest-Tools scan
Merges with existing tools/subdomains, assigns categories from old/subdomain-categories.tsv, splits private IPs to tools/private-subs, and refreshes pages/subdomains.htm with Subdomain, Category, and IP columns only. Run Active afterward to populate Photo, Status, Web Server, and Technologies.
Script: recon/active.sh (Domain menu 9).
Run after a passive scan (and optionally Import subdomains) to probe which public hosts respond over HTTP/HTTPS, fingerprint technologies, and capture screenshots.
Enter the location of your previous passive scan:
/home/user/data/example.com
Requires httpx, whatweb, gowitness, python3, and Chrome or Chromium (install via Update).
- Reads public hostnames from
tools/subdomains(RFC1918 IPs are skipped) - Probes hostnames with httpx; writes
tools/httpx.jsonl - Treats responses with status 200–399, 401, 403, or 405 as alive
- Fingerprints alive URLs with whatweb; writes
tools/whatweb.json - Screenshots alive URLs with gowitness (go-rod driver) under
tools/gowitness/ - Merges httpx and whatweb with
recon/active-tech.pyand refreshespages/subdomains.htm - Writes an Active summary to
pages/active.htm(Reports menu → Active), including software versions enriched with NVD CVSS when available - Re-run Active to replace httpx/whatweb/gowitness artifacts and rebuild Active columns
HTML Reports menu: Passive (pages/passive.htm), Active (pages/active.htm), Audit (pages/audit.htm).
On Active Software versions, versions that have NVD CVEs are linked to a filtered Subdomains view (subdomains.htm?software=…). In operator mode (live tree opened via Import report), expandable rows show host-scan boxes (quietest → loudest):
| Tool | Role | When shown |
|---|---|---|
| Nuclei | Template recon (software tags) then auto Pass 2 CVE/KEV templates from the engagement software-CVE cache + CISA KEV (local nuclei templates only) | Always on filtered expand |
| droopescan | CMS enum (scan drupal / wordpress / …; -e a -t 4) |
Gated: only when the software filter is a supported CMS (Drupal, WordPress, Joomla, Moodle, Silverstripe — including version labels like Drupal:7) |
| Nikto | Web server checks; report TXT + HTM when present | Always on filtered expand |
| ffuf | Content discovery (quiet defaults); report TXT + URL (open each finding in Firefox) | Always on filtered expand |
Each box shows the tool name and a blue Run button on one line, plus last-run time and green output buttons (TXT / HTM / URL as applicable).
ffuf quiet defaults (misc/run-host-scan.sh):
- No custom
-mc(ffuf defaults keep 2xx, 500, etc.) -fc 301,302,307,400,401,403,404,405,429(drop redirects and common noise; keep 500s for version banners)-t 8 -rate 20 -noninteractive; SecListscommon.txt(or fallbacks)- Report text is ANSI-cleaned (no progress ESC junk); Duration stripped from hit lines
- URL uses
discover-ffuf:→misc/open-ffuf-tabs.sh(Firefox CLI, one tab per unique finding URL; cap 40)
Nuclei writes a structured output.txt (Pass 1 / Pass 2). Empty findings files say No vulnerabilities discovered.
Launches use the discover-scan: handler / misc/run-host-scan.sh (one tool at a time). Prefer ~/.local/bin for droopescan on Python 3.12+ (Update runs misc/patch-droopescan-py314.sh for cement/imp + setuptools). Optional live status via localhost misc/host-scan-statusd.py. Client and defender export packages disable launches.
| Metric | Meaning |
|---|---|
| Public subdomains | Hosts in tools/subdomains with non-RFC1918 IPs |
| Private subdomains | Rows in tools/private-subs |
| Responding hosts | Unique hosts with an httpx status (any code) |
Status codes on the Active page count all httpx responses (including 404/5xx). Screenshots, whatweb, and Alive by category still use the alive subset only (status 200–399, 401, 403, or 405).
| Column | Source |
|---|---|
| Subdomain, Category, IP | Passive scan / Import subdomains |
| Photo | gowitness screenshot link when captured |
| Status | httpx status code |
| Web Server | httpx/whatweb Server header |
| Title / Technologies | httpx page title (filtered) + httpx tech / whatweb plugins |
The private subdomains table stays three columns (Subdomain, Category, Private IP Address).
active-tech.py merges and deduplicates overlapping data between columns — for example, OpenSSL and mod_jk versions drop out of Web Server when already listed in Technologies, Microsoft IIS/10 shortens to Microsoft IIS when IIS:10 is present, Apache/2.4.37 shortens to Apache when Apache HTTP Server:2.4.37 is present, OS names such as Red Hat are removed from Technologies when already shown in the Web Server banner, and httpx Nginx labels are normalized to nginx.
Artifacts under tools/:
active-targets.txt— public hostnames sent to httpxhttpx.jsonl— httpx JSON outputactive-alive.tsv— host, URL, and status for alive responsesactive.txt— alive URLs sent to whatweb and gowitnesswhatweb.json— whatweb JSON outputgowitness/screenshots/— JPEG screenshotsgowitness/gowitness.jsonlandgowitness/gowitness.db— gowitness metadatasoftware-cves-cache.json— cached NVD CVSS/CVE lookups for the Active report
Active recon can enrich the Software versions table on pages/active.htm with CVSS scores and CVE IDs from the National Vulnerability Database. Lookups are implemented in recon/software-cve.py.
Without a key: enrichment still runs, but NVD’s anonymous rate limits apply (slower).
With a key: authenticated rate limits (much faster).
Skip enrichment entirely:
export DISCOVER_SKIP_CVE=1
Get a free API key
- Request an NVD API key
- Confirm the email NIST sends
- Provide the key to Discover (shell export and/or private
.env— see below)
How Discover finds the key (non-empty values higher in the list win):
- Shell environment —
export NVD_API_KEY=... - Private
.envin the Discover install —$DISCOVER/.env - Private
.envin your home config —~/.discover/.env
Example .env line (no quotes required):
NVD_API_KEY=your-key-here
- Copy the template:
cp ~/discover/.env.example ~/discover/.envormkdir -p ~/.discover && cp ~/discover/.env.example ~/.discover/.env .envis gitignored; never commit real keys.env.exampleis tracked as documentation only
| Variable | Purpose |
|---|---|
NVD_API_KEY |
Optional NVD API key for faster CVSS lookups |
DISCOVER_SKIP_CVE=1 |
Skip NVD queries; Software table still lists versions |
DISCOVER_CVE_PROGRESS=1 |
Print each product lookup while building Active |
Cache file: <report>/tools/software-cves-cache.json. CVSS values are triage leads from NVD CPE matches, not confirmed findings — validate before reporting to a client.
Discover Update (main menu option 18 / misc/update.sh) downloads the CISA KEV JSON catalog into Discover’s resource/ folder:
$DISCOVER/resource/known_exploited_vulnerabilities.json
- Feed: CISA KEV JSON
- Catalog: CISA Known Exploited Vulnerabilities
If the download fails, any previous local catalog is left in place. The file is gitignored (refreshed by Update, not committed).
On the Active Software versions table, Top CVE prefers a CISA KEV match when any of the product’s NVD CVEs appear in the KEV catalog (highest CVSS among KEVs wins). Otherwise Top CVE is the highest-CVSS NVD result. KEV selections show an orange KEV badge next to the linked CVE ID.
Script: recon/import-report.sh (Domain menu 10).
Reopen an existing engagement HTML report for continued operator work (does not re-run Passive/Active).
Enter the location of your report:
/home/user/data/example.com
- Accepts a report root directory (or a page under it such as
index.htm/pages/active.htm) - Marks the live tree as operator mode (
assets/report-mode.json, launches enabled) - Saves the engagement path to
~/.discover/current-reportfor host-scan helpers - Seeds
tools/audit/and refreshespages/audit.htm - Syncs host-scan UI assets and ensures Reports → Audit on all pages (including the homepage)
- Opens the report in a browser when possible
Empty or invalid paths show an error and exit (same style as Active / Import names).
Script: recon/export-report.sh (Domain menu 11).
Package a snapshot for delivery without leaving the live tree in client mode.
Package for:
c) Client — HTML report; audit log redacts operator egress IPs (default)
d) Defender — HTML report; audit log keeps operator egress IPs
a) Audit only (defenders) — plain-text audit log with operator IPs
Export label (e.g. briefing, update) [briefing]:
- Prefers the session engagement from Import report when available
- Client — ZIP of the HTML report; operator IPs redacted in the shipped audit log; scan launches disabled
- Defender — ZIP of the HTML report; operator IPs kept; launches disabled
- Audit only — plain-text audit log with operator IPs (for defenders)
- Writes an Exports entry under
tools/exports/and an audit log line - Live report under
$HOME/data/<domain>/stays operator mode for continued testing
Built by recon/audit-build.py into pages/audit.htm (HTML Reports → Audit).
| Section | Content |
|---|---|
| Target scans | Per-host history for Nuclei, droopescan, Nikto, ffuf (quietest → loudest columns). Timestamp plus TXT / HTM / URL buttons when outputs exist |
| Audit log | Newest-first by default; Time (UTC), Operator IP, Action, Output. Hides routine noise (report open, nuclei pass-2 start/finish). Strips successful (exit 0) from display |
| Exports | Label, kind (Client / Defender / Audit only), exported time (UTC), operator IPs (Included / Redacted), file name |
Import report rebuilds this page. Host scans and exports append data under tools/ that appears on Audit after the next rebuild (Import, host-scan finish, or export path).
For US public companies, Discover pulls executives and directors from SEC EDGAR before the names merge step:
- DEF 14A — proxy statement prose and board tables for full titles
- Form 4 — recent insider filings to supplement officers and directors
- Results are written to
zsec-peopleand merged intotools/names(Name, Title, Phone; phone left blank). - SEC filings do not provide work emails or per-person phone numbers.
- Manual override:
tools/sec-people-manual.tsv(tab-separated: Name, Title, Phone).
During passive recon, Discover attempts to fill the address and phone block on pages/summary.htm:
- SEC EDGAR 10-K — principal executive office from the latest 10-K (inline XBRL
dei:tags) - Website footer — homepage footer / contact pages when SEC has no match
- Manual override —
tools/company-manual.tsv
Results go to tools/company.json and pages/summary.htm.
During passive recon, Discover extracts official social profile links (Facebook, Instagram, LinkedIn, X, YouTube) and attempts follower counts.
- Results:
tools/social.tsv→pages/summary.htm - Blocked platforms show Blocked
- Manual URLs:
tools/social-manual.tsv(Platform, URL)
RECON
First name:
Last name:
- Combines info from multiple websites.
SCANNING
1. ARP scan
2. Ping sweep
3. Previous menu
- Use different tools to create a target list including Angry IP Scanner, arp-scan, netdiscover, and Nmap pingsweep.
Type of scan:
1. External
2. Internal
3. Previous menu
- External scan sets the Nmap source port to 53 and max-rtt-timeout to 1500ms.
- Internal scan sets the Nmap source port to 88 and max-rtt-timeout to 500ms.
- Nmap performs host discovery, port scanning, service enumeration, and OS identification.
- Nmap scripts and Metasploit auxiliary modules provide additional enumeration.
- Additional tools: enum4linux, smbclient, and ike-scan.
Using Burp, authenticate to a site, map & Spider, then log out.
Target > Site map > select the URL > right click > Copy URLs in
this host. Paste the results into a new file.
Enter the location of your file:
Open multiple tabs in Firefox with:
1. List
2. Files in a directory
3. Directories in robots.txt
4. Previous menu
Examples:
- A list containing multiple IPs and/or URLs
- Open every Nikto HTML report in a directory
- wget a domain’s
robots.txt, then open listed directories
This option cannot be run as root.
Run multiple instances of Nikto in parallel.
1. List of IPs
2. List of IP:port
3. Previous menu
Check for SSL certificate issues.
List of IP:port.
Enter the location of your file:
- Uses sslscan, sslyze, and Nmap to check for SSL/TLS certificate issues.
Main menu option 12.
Malicious Payloads
1. android/meterpreter/reverse_tcp (.apk)
2. cmd/windows/reverse_powershell (.bat)
3. java/jsp_shell_reverse_tcp (Linux) (.jsp)
4. java/jsp_shell_reverse_tcp (Windows) (.jsp)
5. java/shell_reverse_tcp (.war)
6. linux/x64/meterpreter_reverse_https (.elf)
7. linux/x64/meterpreter_reverse_tcp (.elf)
8. linux/x64/shell/reverse_tcp (.elf)
9. osx/x64/meterpreter_reverse_https (.macho)
10. osx/x64/meterpreter_reverse_tcp (.macho)
11. php/meterpreter_reverse_tcp (.php)
12. python/meterpreter_reverse_https (.py)
13. python/meterpreter_reverse_tcp (.py)
14. windows/x64/meterpreter_reverse_https (multi)
15. windows/x64/meterpreter_reverse_tcp (multi)
16. Previous menu
Main menu option 13.
Metasploit Listeners
1. android/meterpreter/reverse_tcp
2. cmd/windows/reverse_powershell
3. java/jsp_shell_reverse_tcp
4. linux/x64/meterpreter_reverse_https
5. linux/x64/meterpreter_reverse_tcp
6. linux/x64/shell/reverse_tcp
7. osx/x64/meterpreter_reverse_https
8. osx/x64/meterpreter_reverse_tcp
9. php/meterpreter/reverse_tcp
10. python/meterpreter_reverse_https
11. python/meterpreter_reverse_tcp
12. windows/x64/meterpreter_reverse_https
13. windows/x64/meterpreter_reverse_tcp
14. Previous menu
Main menu option 14 (misc/cve.sh).
CVE:
CVE-2018-7600
- Accepts
CVE-YYYY-NNNN(normalized to uppercase) - Opens Firefox tabs for NVD, Rapid7, Tenable, Exploit-DB, GitHub (site search), and CISA KEV search
- Related: Active Top CVE multi-tab opens use
misc/open-cve-tabs.sh/discover-cve:handler
Main menu option 15.
Parse XML to CSV.
1. Burp (Base64)
2. Nessus (.nessus)
3. Nexpose (XML 2.0)
4. Nmap
5. Qualys
6. Previous menu
Main menu option 17.
Opens Discover’s notes HTML (notes/index.htm) in a browser when available.
Main menu option 18 (misc/update.sh).
- Updates the operating system, git pull from various repos, and update the locate database
- Installs tools used by recon and dev scanners (for example
ffuf,nuclei,droopescan,feroxbuster,jq,trivy, ProjectDiscovery stack) - Patches droopescan for modern Python (3.12+) via
misc/patch-droopescan-py314.shafter pipx install (cementimp+ setuptools/distutils) - Registers desktop handlers:
discover-scan:,discover-cve:,discover-ffuf:(open ffuf finding URLs in Firefox) - Refreshes the default scanner User-Agent (Microsoft Edge) in
resource/user-agent.txtfor Nikto, Nmap, ffuf, Active, and related tools - Downloads/refreshes the CISA KEV catalog under
resource/
Main menu option 16. Dev is documented in the DEV section below.
Security scanners by Yiğit ibrahim (ibrahimsql). Reachable from main menu option 16 or by running scripts under dev/ directly.
Scan results are written under $HOME/data/ unless noted otherwise. Dev scanners produce standalone reports in their own output directories (api-scan_*, cloud-scan_*, etc.). They source discover.sh for menu helpers and colors when needed, but do not write to or update Discover’s domain recon HTML report ($HOME/data/<domain>/pages/*.htm).
Dev scripts originally by ibrahimsql
1. API Security
2. Cloud Security
3. Container Security
4. OAuth and JWT Security
5. Open Redirect Scanner
6. Sensitive Information
7. WAF Detection
8. Web and API Security
9. Previous menu
dev/
├── api-scanner.sh
├── cloud-scanner.sh
├── container-scanner.sh
├── oauth-jwt-scanner.sh
├── open-redirect.sh
├── sensitive-scanner.sh
├── waf-detect.sh
├── web-api-scanner.sh
├── data/
│ ├── api-paths.txt
│ ├── openredirect-payloads.txt
│ ├── sensitive-denylist.txt
│ ├── sensitive-patterns.tsv
│ ├── sensitive-skip-paths.txt
│ ├── sensitive-web-paths-quick.txt
│ ├── sensitive-web-paths-full.txt
│ ├── waf-aliases.tsv
│ ├── waf-labels.tsv
│ ├── waf-signatures.tsv
│ ├── web-api-phases.tsv
│ ├── web-api-tech-signatures.tsv
│ └── swagger-paths.txt
└── lib/
├── api-scanner/
│ └── common.sh
├── cloud-scanner/
│ ├── common.sh
│ ├── aws.sh
│ ├── azure.sh
│ └── gcp.sh
├── container-scanner/
│ ├── common.sh
│ ├── docker.sh
│ └── k8s.sh
├── oauth-jwt-scanner/
│ ├── common.sh
│ ├── oauth.sh
│ └── jwt.sh
├── open-redirect-scanner/
│ ├── common.sh
│ └── engine.py
├── sensitive-scanner/
│ ├── common.sh
│ ├── files.sh
│ ├── web.sh
│ ├── filescan.py
│ ├── engine.py
│ ├── fixtures/
│ └── run-tests.sh
├── waf-detect/
│ ├── common.sh
│ ├── probe.sh
│ ├── fixtures/
│ └── run-tests.sh
└── web-api-scanner/
├── common.sh
├── phases.sh
├── waf.sh
├── targets.sh
├── msf.sh
├── msf_parse.py
├── probe.sh
├── fixtures/
└── run-tests.sh
Script: dev/api-scanner.sh.
Phased API discovery and security testing. Shared helpers and wordlists are in dev/lib/api-scanner/ and dev/data/.
Interactive menu
1. API Discovery and Testing (full)
2. API Quick Scan (discovery + docs)
3. JWT Token Analysis
4. Full API Assessment (orchestrated)
5. Previous menu
CLI (skips the menu when -u is set):
./dev/api-scanner.sh -u https://target.example --quick --authorized
./dev/api-scanner.sh -u https://target.example --full --token 'eyJ…' --authorized
./dev/api-scanner.sh --resume ~/data/api-scan_20260703-1200 -u https://target.example
./dev/api-scanner.sh -u https://target.example --orchestrate --authorized
./dev/api-scanner.sh --help
| Flag | Purpose |
|---|---|
--quick |
Discovery and documentation only |
--full |
All phases (default) |
--orchestrate |
Full scan, then prompts for related scanners |
--token |
Bearer token for authenticated requests |
--cookie-file |
Netscape cookie jar |
--max-parallel N |
Concurrent workers (default: 3) |
--max-endpoints N |
Cap endpoints tested after merge |
--skip PHASE |
Skip a phase (repeatable) |
--resume DIR |
Resume using an existing output directory |
--authorized |
Skip the authorization confirmation prompt |
--aggressive-http |
Include TRACE/CONNECT method tests |
Phases (full scan): HTML/JS link extraction, ffuf/feroxbuster fuzzing, path probing, OpenAPI/Swagger discovery, GraphQL tests (introspection, depth, batching), CORS (GET + preflight), HTTP method checks, rate-limit burst, JWT analysis.
Output: $HOME/data/api-scan_<timestamp>/api_scanner/
report.txtandreport.md— scanner-local findings (not merged into Discover recon report)findings.json— consolidated JSON export of all findingsfindings_registry.tsv— tab-separated finding log (source for JSON export)scan.log— request audit trail.checkpoint/— resume markers per phase
Requires curl and jq. Uses ffuf or feroxbuster when installed (install via Discover Update). Sources discover.sh when run directly for f_banner / menu helpers.
Script: dev/cloud-scanner.sh.
Phased cloud misconfiguration audit for AWS, Azure, and GCP. Shared helpers live in dev/lib/cloud-scanner/.
Interactive menu
1. AWS (Amazon Web Services)
2. Azure (Microsoft Azure)
3. GCP (Google Cloud Platform)
4. All providers
5. Previous menu
CLI (skips the menu when provider flags are set):
./dev/cloud-scanner.sh --aws --quick
./dev/cloud-scanner.sh --azure --gcp --full
./dev/cloud-scanner.sh --aws --output-dir ~/data/cloud-scan_custom
./dev/cloud-scanner.sh --resume ~/data/cloud-scan_20260704-1200 --aws
./dev/cloud-scanner.sh --help
| Flag | Purpose |
|---|---|
--aws / --azure / --gcp |
Run one provider (combine for multiple) |
--quick |
Exposure-focused checks (public access, MFA, open ingress) |
--full |
Comprehensive audit including IAM deep-dive, multi-region EC2/SG, extras |
--output-dir DIR |
Custom output directory |
--resume DIR |
Resume using an existing scan directory (skips completed phases) |
-h, --help |
Show usage |
Results are written under $HOME/data/cloud-scan_YYYYMMDD-HHMM/ (or --output-dir):
findings_registry.tsv— severity, provider, service, resource, check, detail, evidencefindings.json— consolidated JSON export of all findingsreport.txt/report.md— scanner-local rollup (not merged into Discover recon report)scan.log— API activity and finding log.checkpoint/— phase markers for--resume
Requires jq and the relevant cloud CLI (aws, az, gcloud/gsutil) with credentials configured before scanning. The scanner does not auto-install CLIs or run interactive aws configure / gcloud init. Sources discover.sh when run directly for f_banner / menu helpers.
Script: dev/container-scanner.sh.
Comprehensive Docker and Kubernetes security assessment using Trivy, Docker, and kubectl. Standalone output under $HOME/data/container-scan_* (does not update Discover recon HTML reports).
- Docker images — Trivy vulnerability/secret/config scan, SBOM (full mode), Dockerfile analysis
- Docker containers — privileged mode, mounts, capabilities, runtime checks (full mode)
- Kubernetes — RBAC, NetworkPolicies, PSS labels, deprecated APIs, pod security
Scan types: docker-images, docker-containers, kubernetes, or all (default when run from Discover menu).
CLI options: --quick, --full, --output-dir, --resume, --dockerfile-root, --include-ns, --exclude-ns, --trivy-jobs, --menu, -h
Output artifacts: findings_registry.tsv, findings.json, report.txt, report.md, scan.log, container_security_report.txt
Dependencies: docker, kubectl (kubernetes scan), trivy, jq, numfmt — install via Discover Update; no auto-install.
Environment: CONTAINER_OUTPUT_DIR, CONTAINER_DOCKERFILE_ROOT, CONTAINER_SCAN_MODE, CONTAINER_EXCLUDE_NS
Script: dev/oauth-jwt-scanner.sh.
OAuth/OIDC discovery, live authorize probes, offline JWT analysis, and optional live token verification. Complements api-scanner.sh JWT checks. Standalone output under $HOME/data/oauth-jwt-scan_*.
- OAuth/OIDC — discovery metadata, JWKS, redirect_uri/state/PKCE/implicit probes
- JWT offline — alg=none, RS256→HS256 confusion, jku/x5u/kid attacks, claim hygiene, privilege-escalation payloads
- JWT live — optional Bearer tests against
--jwt-endpoint(auto-filled from userinfo when discovered)
Scan types: oauth, jwt, or all (combined).
Menu: OAuth test, JWT test, combined scan, or previous menu.
CLI examples:
./dev/oauth-jwt-scanner.sh --target https://app.example.com --full
./dev/oauth-jwt-scanner.sh --jwt 'eyJhbG...' --jwt-endpoint https://app.example.com/api/me
./dev/oauth-jwt-scanner.sh --target https://app.example.com --api-scan-dir ~/data/api-scan_20260101-1200 --allOptions: --target, --jwt, --jwt-file, --api-scan-dir, --jwt-endpoint, --client-id, --redirect-uri, --quick, --full, --oauth, --jwt-only, --all, --output-dir, --resume, --menu, -h
Output: findings_registry.tsv, findings.json, report.txt, report.md, scan.log
Dependencies: curl, jq
Script: dev/open-redirect.sh.
Fuzzes redirect parameters (inject + mutate existing query params) with configurable canary hosts. Detects 3xx Location (with one-hop follow), meta refresh, and JavaScript/body redirects. Full mode adds POST and header probes. Confirmation pass uses a second canary host to reduce false positives. Python engine: dev/lib/open-redirect-scanner/engine.py; payloads: dev/data/openredirect-payloads.txt. Standalone output under $HOME/data/openredirect-scan_*.
Menu: Single URL, domain, URL file, advanced options, prior scan dir, or previous menu.
CLI examples:
./dev/open-redirect.sh --url https://app.example.com/login?next=/home --full
./dev/open-redirect.sh --domain example.com --quick
./dev/open-redirect.sh --scan-dir ~/data/api-scan_20260101-1200 --crawl --quick
./dev/open-redirect.sh --file ~/targets.txt --max-requests 500 --rps 5Options: --url, --domain, --file, --scan-dir, --wordlist, --canary-host, --quick, --full, --crawl, --workers, --delay, --rps, --max-requests, --no-confirm, --quiet, --output-dir, --resume, --menu, -h
Output: findings_registry.tsv, findings.json, report.txt, report.md, scan.log, openredirect_engine/results.json, openredirect_engine/checkpoint.json
Dependencies: python3, requests (Discover Update installs python3-requests), jq
Script: dev/sensitive-scanner.sh.
Hunts for secrets, credentials, and PII in local files/directories and exposed web paths. Bash orchestration plus Python engines: filescan.py (single-pass file scan) and engine.py (parallel web probing). Pattern data: dev/data/sensitive-patterns.tsv, sensitive-denylist.txt, sensitive-skip-paths.txt. Standalone output under $HOME/data/sensitive-scan_*.
- File scan — one pass per file via
filescan.py; denylist, skip globs, entropy filter, Luhn/SSN/TC validation; optionalgitleaks/trufflehog(--external auto) - Web scan — parallel workers/RPS, per-path checkpoint resume, robots disallow + sitemap paths, api-scanner endpoint import, soft-404 guard, directory listing detection, deep
filescan.pyon HTTP 200 bodies - api-scanner hook — inline response checks use
filescan.py; orchestrator can auto-launch--allwith bearer token - Reports — deduplicated
findings_registry.tsv,findings.json,report.txt,report.md;--no-store-content/--shred-contentfor safer artifacts
Menu: File or folder, URL, file/folder + prior scan dir, URL + api-scan output, or previous menu.
Examples:
./dev/sensitive-scanner.sh --path ./myapp --files --full
./dev/sensitive-scanner.sh --url https://app.example.com --web --quick --workers 8 --rps 5
./dev/sensitive-scanner.sh --url https://app.example.com --scan-dir ~/data/api-scan_20260101-1200 --all --quick --bearer-token "$TOKEN"
./dev/sensitive-scanner.sh --path /var/www/html/config.php --files --external gitleaks
./dev/lib/sensitive-scanner/run-tests.sh
Options: --path, --url, --scan-dir, --wordlist, --quick, --full, --workers, --delay, --rps, --max-paths, --bearer-token, --insecure, --no-store-content, --shred-content, --redact-emails, --entropy-min, --external, --files, --web, --all, --output-dir, --resume, --quiet, --menu, -h
Output: findings_registry.tsv, findings.json, report.txt, report.md, scan.log, sensitive_info/, web_sensitive/engine/{results,checkpoint}.json
Dependencies: python3, jq, find; web scans need python3-requests; optional gitleaks, trufflehog, rg
Script: dev/waf-detect.sh.
Identifies web application firewalls and CDN edge layers in front of targets. Modular library: dev/lib/waf-detect/{common,probe}.sh, wafw00f_run.py; data: dev/data/waf-signatures.tsv, waf-aliases.tsv, waf-labels.tsv. Standalone output under $HOME/data/waf-detection_*.
- True passive (default for api-scanner hook) —
--passivesends a normal HTTP GET only; matches response headers/body againstwaf-signatures.tsv. No wafw00f, no SQLi triggers, noX-Forwarded-Forinjection. - Active mode — wafw00f via
wafw00f_run.py(primary, high confidence) plus supplemental signature/behavioral probes. Non-interactive active scans require--i-understand. - Supplemental —
--supplemental autoskips redundant probes after a confident wafw00f hit; behavioral findings require WAF header corroboration - Consolidated findings — one row per vendor with confidence (
high/medium/low), source, and type (waf/cdn/both) - Structured hits —
waf_engine/hits.jsonlandfindings.jsonhits[]for downstream tooling - Resume —
--resume DIRcontinues fromwaf_engine/checkpoint.json - Reports —
findings_registry.tsv,findings.json,report.txt,report.md,waf_results.tsv
Menu: Single target, targets file, or previous menu (with active/passive choice).
Examples:
./dev/waf-detect.sh --url https://app.example.com --passive
./dev/waf-detect.sh --file ~/targets.txt --passive --delay 2
./dev/waf-detect.sh --url example.com --i-understand --output-dir ~/data/waf-test
./dev/waf-detect.sh --resume ~/data/waf-detection_20260704-1200 --workers 4
./dev/lib/waf-detect/run-tests.sh
Options: --url, --file, --output-dir, --resume, --passive, --i-understand, --waf-only, --insecure, --no-redirect, --proxy, --delay, --max-targets, --workers, --wafw00f, --supplemental, --input-format, --quiet, --menu, -h
Output: findings_registry.tsv, findings.json, report.txt, report.md, waf_results.tsv, scan.log, waf_engine/{hits.jsonl,checkpoint.json,*.json}
Dependencies: curl, jq, grep, python3; optional wafw00f (active mode, recommended)
api-scanner integration: api-scanner.sh --orchestrate prompts to run waf-detect after the main scan (passive by default).
Script: dev/web-api-scanner.sh.
Metasploit-based web/API assessment. Modular library: dev/lib/web-api-scanner/{common,phases,msf,probe,waf,targets}.sh, msf_parse.py; data: dev/data/web-api-{phases,tech-signatures}.tsv. Standalone output under $HOME/data/web-api-scan_*.
- Tiers —
passive(recon) |standard/--quick(recon + tech scanners) |intrusive(+ SQLi/brute) |exploit(+ exploit checks) - Phase control —
--phases,--skip-phases; per-phasemsfconsolewith--phase-timeout - Technology fingerprint — weighted
web-api-tech-signatures.tsv(Laravel, Spring, Swagger, nginx, …) - WAF-aware — skips brute phases when WAF/CDN detected (
--scan-diror header signatures) - Auth —
--bearer-token,--cookie-filefor curl + MSF - api-scanner integration —
--scan-dirloadsapi_scanner/all_endpoints.txtforbrute_dirspaths - Structured hits —
msf_parse.py→msf_engine/hits.jsonl+findings.jsonhits[] - Multi-target —
--file,--workers,--max-targets - Stealth —
--delay,--jitter,--proxy, tier-basedTHREADS - MSF DB — checks only by default;
--msf-db-bootstrapfor opt-in setup
Menu: Scan URL (passive default) or previous menu.
Examples:
./dev/web-api-scanner.sh --url https://app.example.com --passive
./dev/web-api-scanner.sh --url example.com --quick --scan-dir ~/data/api-scan_*/
./dev/web-api-scanner.sh --url example.com --tier exploit --i-understand --bearer-token "$TOKEN"
./dev/web-api-scanner.sh --file ~/targets.txt --quick --workers 2 --max-targets 10
WEBAPI_RUN_LIVE_MSF=1 ./dev/lib/web-api-scanner/run-tests.sh
Options: --url, --file, --tier, --quick, --phases, --skip-phases, --scan-dir, --bearer-token, --cookie-file, --proxy, --phase-timeout, --workers, --threads, --jitter, --target-ip, --output-dir, --resume, --passive, --i-understand, --dry-run, --skip-msf-db, --msf-db-bootstrap, --keep-resources, --no-waf-aware, --insecure, --delay, --quiet, --menu, -h
Output: findings_registry.tsv, findings.json, report.txt, report.md, scan.log, msf_engine/
Dependencies: curl, jq, grep, msfconsole; PostgreSQL recommended for MSF DB (optional with --skip-msf-db)
api-scanner integration: api-scanner.sh --orchestrate prompts to run web-api-scanner (passive by default).