-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathconfig.example.yaml
More file actions
144 lines (126 loc) · 5.01 KB
/
Copy pathconfig.example.yaml
File metadata and controls
144 lines (126 loc) · 5.01 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# ══════════════════════════════════════════
# recon0 Configuration
# ══════════════════════════════════════════
# Copy this file to recon0.yaml and customize.
# General
output_dir: ./runs
resume: true
disk_min_gb: 20
url_cap: 2000000
# Resource management
resources:
auto: true # auto-detect CPU/RAM (cgroup-aware)
max_threads: 0 # 0 = unlimited (auto)
max_rate: 5000 # global max requests/sec
# Logging
log:
level: info # debug | info | warn | error
format: color # color | json | plain
file: true # write pipeline.log
# Status API + Job Queue
api:
enabled: true
port: 8484
listen: 0.0.0.0 # 127.0.0.1 for local only
# ── Providers ──
# Each provider: enabled + tool-specific parameters
# enabled: false → provider won't run but stays registered
providers:
subfinder:
enabled: true
timeout: 30 # minutes — per-source HTTP timeout
# all: true # use all passive sources
# recursive: true # recursive enumeration
amass:
enabled: true
timeout: 30 # minutes — overall enumeration timeout
# amass runs in passive mode (-passive) alongside subfinder
# both run in parallel, results are merged and deduplicated
dnsx:
enabled: true
# retry: 3
# record_types: [a, aaaa, cname]
# takeover_check: true
permute:
enabled: true # active recon — generates DNS traffic
enrich: true # alterx -enrich: extract words from input
max_candidates: 50000 # safety cap on alterx output
# Pipeline: alive.txt → alterx (permutations) → dnsx (resolve)
# Wildcard IPs detected during resolve stage are filtered out.
# Requires: alterx + dnsx binaries in PATH.
patterns:
- "{{sub}}{{number}}.{{suffix}}"
- "{{sub}}-{{number}}.{{suffix}}"
- "{{number}}{{sub}}.{{suffix}}"
- "{{number}}-{{sub}}.{{suffix}}"
- "{{number}}.{{sub}}.{{suffix}}"
- "{{sub}}-{{word}}.{{suffix}}"
- "{{word}}-{{sub}}.{{suffix}}"
- "{{word}}.{{sub}}.{{suffix}}"
- "{{word}}{{number}}-{{sub}}.{{suffix}}"
- "{{word}}-{{number}}-{{sub}}.{{suffix}}"
- "{{word}}{{number}}.{{sub}}.{{suffix}}"
- "{{word}}-{{number}}.{{sub}}.{{suffix}}"
- "{{number}}{{word}}-{{sub}}.{{suffix}}"
- "{{number}}-{{word}}-{{sub}}.{{suffix}}"
- "{{number}}{{word}}.{{sub}}.{{suffix}}"
- "{{number}}-{{word}}.{{sub}}.{{suffix}}"
- "{{sub}}-{{word}}{{number}}.{{suffix}}"
- "{{sub}}-{{word}}-{{number}}.{{suffix}}"
- "{{sub}}-{{number}}{{word}}.{{suffix}}"
- "{{sub}}-{{number}}-{{word}}.{{suffix}}"
httpx:
enabled: true
ports: [80, 443, 8080, 8443, 8000, 8081, 8888, 3000, 5000, 9090]
# store_response: true
# follow_redirect: true
tlsx:
enabled: true
# san: true
# jarm: true
cdpcrawl:
enabled: true
headless: true # false = visible browser (debug)
timeout_per_page: 30s
click_depth: 2 # rounds of page interaction
max_concurrent_tabs: 5 # concurrent browser tabs
user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
viewport_width: 1920
viewport_height: 1080
naabu:
enabled: true
top_ports: 100
# scan_type: s # SYN scan (needs NET_RAW)
discover:
enabled: true
# Parses HAR files + JS files for endpoint discovery
# No external binary needed
analyzer:
enabled: true
# custom_rules: /path/to/custom-rules.yaml
# DSL engine with ~60 built-in rules for secrets, headers, paths
collector:
enabled: true
# Generates investigations.json for AI agent verification
# and intel.json summary report
smartfuzz:
enabled: true # smart fuzzer: known-path + discovery-based probing
timeout: 10s # HTTP request timeout per probe
max_concurrent: 30 # concurrent probe workers
skip_cors: false # skip CORS misconfiguration check
cdn_mode: critical_only # skip | critical_only | full
prefix_expansion: true # /actuator/env → /manage/actuator/env, etc.
discovery_fuzz: true # fuzz based on discovered endpoints
max_probes_per_host: 500 # max probes per host (higher for discovered-prefix mode)
# Features:
# Universal probes: .env, .git, actuator/health, swagger.json (ALL hosts)
# Runtime tech discovery: if /actuator/health returns 200 → run all Spring probes
# Prefix expansion: tries /manage/, /admin/, /api/, /v1/, /v2/ variations
# Tech-specific: Spring Boot, WordPress, Node.js, Laravel, Django, .NET, Go
# Discovery-based: path siblings, extension swaps from endpoints.json
# CDN-aware: reduces probing for CDN-hosted targets
nuclei:
enabled: false # run manually on filtered targets
severity: [medium, high, critical]
# custom_templates: ~/nuclei-custom/
# exclude_tags: [dos, fuzz]