Wizbisy/gravehound

## 目录 - [Features](#-features) - [Quick Start](#-quick-start) - [Usage Examples](#-usage-examples) - [Optional API Keys (Turbocharge your scans)](#-optional-api-keys--environmental-variables) - [Output Formats](#-output-formats) - [Project Architecture](#%EF%B8%8F-project-architecture) - [Disclaimer](#%EF%B8%8F-disclaimer) ## 功能 Gravehound runs **21 parallel modules** to extract every drop of public intelligence on a target. | Module | Description | Data Sources / Libraries | |--------|------------|-------------------------| | **DNS Lookup** | A, AAAA, MX, NS, TXT, CNAME, SOA records. | `dnspython` | | **WHOIS** | Domain registration, registrar, dates, nameservers, status. | `python-whois` | | **Subdomains** | Discovers hidden subdomains via active brute-forcing and passive certificate transparency logs. | `dnspython`, `crt.sh`, SecurityTrails API | | **Port Scanner** | Lightning fast TCP connect scanner for the Top 100 most common vulnerable ports. | `socket` (stdlib) | | **HTTP Headers** | Security header analysis with severity ratings (HSTS, CSP, Clickjacking, MIME-sniffing). | `httpx` | | **SSL/TLS** | Certificate details, issuer, SANs, expiry dates, cipher suites, and protocol versions. | `ssl`, `socket` | | **Tech Detection** | Fingerprints frameworks, CMS, CDNs, and analytics via HTTP response headers. | `httpx` | | **Geolocation** | Finds the physical location, ISP, and ASN for the target IP address. | `ip-api.com` | | **Email Harvest** | Discovers employee and corporate emails via web scraping and public databases. | Custom scraper, Hunter.io API | | **Wayback Machine** | Searches the Internet Archive for historical snapshots and hidden paths. | `archive.org` CDX API | | **Wayback Secrets** | Scans historical `.env`, `.json`, and `.sql` file archives for leaked API keys (AWS, Google, Stripe). | `archive.org` CDX API | | **DOM Fingerprint** | Bypasses WAFs via Headless Chromium to detect hidden JavaScript frontend frameworks. | `playwright` | | **Dependency Analyzer**| Parses client-side scripts to identify outdated libraries with known CVEs (e.g. ancient jQuery). | `httpx`, regex | | **Threat Intel** | Cross-references the domain against global threat intelligence feeds. | AlienVault OTX, URLScan.io, ThreatFox, HackerTarget | | **Shodan / VT** | Queries the biggest cybersecurity databases for vulnerabilities and malware reputation. | Shodan, VirusTotal, AbuseIPDB | | **Ghost Assets** | Detects dangling DNS records and subdomain takeover vulnerabilities across 31 providers. | `httpx`, DNS resolution | | **Cloud Storage** | Hunts for open/misconfigured cloud buckets across 6 managed providers (AWS S3, Azure Blob, GCP, DO Spaces, Wasabi, Alibaba OSS) and probes for self-hosted storage (MinIO, Ceph RGW, OpenStack Swift, SeaweedFS, Garage) via port scanning and server header fingerprinting. | `httpx`, `tldextract` | | **JS Analyzer** | Fetches and deep-scans JavaScript bundles for 26 hardcoded secret patterns (AWS, Stripe, GitHub, Google, Paystack, Flutterwave, etc.), hidden admin/API endpoints, and internal RFC 1918 URIs. | `httpx`, regex | | **Web3 Recon** | Probes for exposed JSON-RPC endpoints, extracts wallet addresses (EVM, Solana, Bitcoin) with entropy filtering, detects Web3 SDKs, and catches leaked Infura/Alchemy/Moralis keys. | `httpx`, regex | | **Dotfiles** | Scans 56+ common misconfiguration paths across 15 categories (`.git`, `.env`, Docker, Spring Boot Actuator, SQL dumps, AWS creds, etc.) with fingerprint validation to eliminate false positives. | `httpx` | | **CORS Check** | Tests 7 CORS attack vectors (reflected origin, null origin, subdomain trust, prefix/postfix bypass, HTTP downgrade, backtick bypass) on both `GET` and `OPTIONS` preflight requests. | `httpx` | ## 快速开始 ### 1. 需求 - **Python 3.10+** - Works on **Windows**, **macOS**, and **Linux** ### 2. 安装 The fastest way to get started is to clone the repository and set up a virtual environment. ``` # 克隆仓库 git clone https://github.com/WIzbisy/gravehound.git cd gravehound # 创建虚拟环境（推荐） python -m venv venv # 激活虚拟环境 # 在 Windows 上： .\venv\Scripts\activate # 在 Linux/Mac 上： source venv/bin/activate # 安装所需依赖项 pip install -r requirements.txt ``` ### 隐私 **OPSEC Warning for Security Researchers:** Running Gravehound from your personal IP address will leave a massive footprint in target access logs and can quickly get you rate-limited or blocked by platforms like GitHub, Shodan, or cloud providers. To anonymize your scans and protect your identity, Gravehound features native Tor integration. Simply ensure the Tor background daemon (port `9050`) or the Tor Browser (port `9150`) is running locally, then construct your commands with the `--tor` flag. The tool will automatically hook the environment to route all OSINT modules through the proxy and cryptographically verify your IP is concealed before firing any probes. ### 自动身份轮换 Gravehound can automatically request brand new IPs (circuit rotation) via Tor's Control Port to prevent exit node rate-limiting. To allow this, you must configure your Tor installation to accept local control port requests. 1. Locate your `torrc` configuration file. - **Linux daemon:** `/etc/tor/torrc` - **Tor Browser (Windows):** `Tor Browser\Browser\TorBrowser\Data\Tor\torrc` - **Tor Browser (macOS):** `~/Library/Application Support/TorBrowser-Data/Tor/torrc` 2. Open it in any text editor and add this line to the bottom: CookieAuthentication 1 3. Restart your Tor daemon or the Tor Browser. Gravehound will now natively rotate identities on the fly. ## 使用示例 Gravehound is built on top of `click` for a clean, intuitive command-line interface. ### 运行完整扫描 Run all 21 modules against a target domain. ``` python -m gravehound scan example.com ``` ### 针对性扫描 Only care about subdomains and open ports? Use the `--modules` (or `-m`) flag. ``` python -m gravehound scan example.com -m subdomains,ports,dns ``` ### 安全聚焦扫描 Run only the vulnerability detection modules. ``` python -m gravehound scan example.com -m cloud_storage,js_analyzer,web3_recon,dotfiles,cors_check ``` ### 匿名扫描（Tor） Route all OSINT traffic through the Tor network to hide your origin IP. Autodetects the Tor daemon (9050) or Tor Browser (9150). ``` python -m gravehound scan example.com --tor ``` If you are running Tor on a custom port or external machine, pass the proxy URI directly: ``` python -m gravehound scan example.com --tor-proxy socks5h://[IP_ADDRESS] ``` ### 生成精美报告 Gravehound generates interactive HTML reports that are perfect for delivering to clients or bug bounty programs. ``` # 输出结果到 HTML 文件 python -m gravehound scan example.com --output report.html # 运行匿名扫描并输出为 HTML python -m gravehound scan example.com --tor --output report.html # 输出结果为机器可读的 JSON（适用于 CI/CD 或 jq 解析） python -m gravehound scan example.com --output results.json ``` ### 帮助菜单 View all available commands and modules. ``` python -m gravehound --help python -m gravehound modules ``` ## 可选的 API 密钥/环境变量 Graound performs highly effective reconnaissance **out-of-the-box with zero configuration.** However, you can turbocharge the modules by providing API keys for premium (but free-tier) services. Gravehound uses `python-dotenv` to automatically load keys. Create a `.env` file in the root directory like this: ``` # 增强端口扫描器并检查已知 CVE SHODAN_API_KEY=your_shodan_key_here # 检查目标是否被 70 多个反病毒引擎检测 VIRUSTOTAL_API_KEY=your_vt_key_here # 检查目标 IP 是否已被报告为恶意活动 ABUSEIPDB_API_KEY=your_abuseipdb_key_here # 从 Hunter 庞大的企业邮箱数据库中提取 HUNTER_API_KEY=your_hunter_key_here # 从 DNS 历史记录中提取数千个历史子域名 SECURITYTRAILS_API_KEY=your_securitytrails_key_here ``` **Where to get free keys:** - [Shodan](https://account.shodan.io/register) (Free 100 queries/month) - [VirusTotal](https://www.virustotal.com/gui/join-us) (Free 500 queries/day) - [AbuseIPDB](https://www.abuseipdb.com/register) (Free 1000 queries/day) - [Hunter.io](https://hunter.io) (Free 50 searches/month) - [SecurityTrails](https://securitytrails.com/app/signup) (Free 50 queries/month) ## 输出格式 1. **Terminal (Rich)**: Beautiful, color-coded tables, progress bars, and panels rendered natively in your terminal using the `rich` library. 2. **HTML Report**: A stunning, self-contained, dark-themed HTML report. It parses the data into clean tables with security score widgets. 3. **JSON**: A complete data dump for building automation pipelines. ## 项目架构 If you want to contribute or build your own modules, here is the architecture: ``` gravehound/ ← repo root ├── gravehound/ │ ├── cli.py # CLI entry point (Click) │ ├── scanner.py # Orchestrator — runs modules with context passing │ ├── config.py # Global configuration & constants │ ├── modules/ │ │ ├── dns_lookup.py # DNS records module │ │ ├── whois_lookup.py # WHOIS data module │ │ ├── subdomains.py # Subdomain discovery (crt.sh & SecurityTrails) │ │ ├── port_scanner.py # Top 100 ports scanner │ │ ├── http_headers.py # Security headers analyzer │ │ ├── ssl_info.py # SSL/TLS cert evaluator │ │ ├── tech_detect.py # Tech fingerprinting │ │ ├── geo_lookup.py # IP geolocation │ │ ├── email_harvest.py # Email discovery (Scraping & Hunter.io) │ │ ├── wayback.py # Wayback Machine API │ │ ├── wayback_secrets.py # Historical API Key detection │ │ ├── dom_fingerprint.py # Headless browser framework detection │ │ ├── dependency_chain.py# Frontend vulnerable libs check │ │ ├── threat_intel.py # AlienVault OTX, URLScan, ThreatFox │ │ ├── shodan_vt.py # Shodan, VirusTotal, AbuseIPDB │ │ ├── ghost_assets.py # Subdomain takeover scanner │ │ ├── cloud_storage.py # Cloud bucket hunter + self-hosted storage │ │ ├── js_analyzer.py # JavaScript secret & endpoint analysis │ │ ├── web3_recon.py # Web3 RPC, wallet, and key recon │ │ ├── dotfiles.py # Exposed config & dotfile scanner │ │ └── cors_check.py # CORS misconfiguration checker │ └── reporting/ │ ├── console.py # Terminal rendering logic (Rich) │ ├── json_report.py # JSON export logic │ └── html_report.py # HTML template and rendering ├── requirements.txt # Project dependencies ├── .env # (You create this) API Keys ├── .gitignore # Ignored files for git ├── setup.py # Package setup and installation ├── CONTRIBUTING.md # Guide for contributors ├── LICENSE # MIT License └── README.md # Project documentation ``` ## ⚖️ 免责声明 ## 📄 许可证 This project is licensed under the [MIT License](LICENSE).

标签：Bug Bounty, ESC4, Internet Archive, OSINT, Python, SecurityTrails, ThreatFox, Tor, URLScan.io, 上下文感知, 免费API, 动态插桩, 匿名网络, 可自定义解析器, 并行执行, 无后门, 智能路由, 模块化, 网络调试, 自动化, 运行时操纵, 逆向工具