mirror of https://github.com/tldr-pages/tldr.git synced 2025-07-30 22:55:29 +02:00
tldr/pages/common/kiterunner-brute.md
Machiavelli 0faf88f3ca
kiterunner-{brute, kb, scan, wordlist}, kite, kr: add page (#16389)
* kiterunner-{brute, kb, scan, wordlist}, kite, kr: add page

* Update pages/common/kiterunner-brute.md

Co-authored-by: K.B.Dharun Krishna <kbdharunkrishna@gmail.com>

* Tweaks

* Update pages/common/kiterunner-brute.md

Co-authored-by: Managor <42655600+Managor@users.noreply.github.com>

* Twe4ks

---------

Co-authored-by: Managor <42655600+Managor@users.noreply.github.com>
Co-authored-by: K.B.Dharun Krishna <kbdharunkrishna@gmail.com>
2025-05-06 07:06:54 +03:00

kiterunner brute

A contextual web scanner for bruteforcing API paths and web endpoints using wordlists. The brute subcommand targets one or multiple hosts. More information: https://github.com/assetnote/kiterunner.

  • Bruteforce a target with an Assetnote wordlist (e.g., first 20,000 API routes):

kiterunner brute {{https://example.com}} {{[-A|--assetnote-wordlist]}} {{apiroutes-210328:20000}}

  • Bruteforce a target with a custom wordlist:

kiterunner brute {{https://example.com}} {{[-w|--wordlist]}} {{path/to/wordlist.txt}}

  • Bruteforce using a dirsearch-style wordlist with extension substitution:

kiterunner brute {{https://example.com}} {{[-w|--wordlist]}} {{path/to/dirsearch.txt}} {{[-D|--dirsearch-compat]}} {{[-e|--extensions]}} {{json,txt}}

  • Bruteforce with specific file extensions appended and output in JSON format:

kiterunner brute {{https://example.com}} {{[-w|--wordlist]}} {{path/to/wordlist.txt}} {{[-e|--extensions]}} {{aspx,ashx}} {{[-o|--output]}} {{json}}

  • Bruteforce a list of targets from a file with custom concurrency settings for performance:

kiterunner brute {{path/to/targets.txt}} {{[-w|--wordlist]}} {{path/to/wordlist.txt}} {{[-x|--max-connection-per-host]}} {{5}} {{[-j|--max-parallel-hosts]}} {{100}}

  • Bruteforce and ignore responses with specific content lengths:

kiterunner brute {{https://example.com}} {{[-w|--wordlist]}} {{path/to/wordlist.txt}} --ignore-length {{100-105}}

  • Bruteforce with custom HTTP headers:

kiterunner brute {{https://example.com}} {{[-w|--wordlist]}} {{path/to/wordlist.txt}} {{[-H|--header]}} "{{Authorization: Bearer token}}"

  • Bruteforce a list of targets from a file, treating specific status codes as failures:

kiterunner brute {{path/to/targets.txt}} {{[-w|--wordlist]}} {{path/to/wordlist.txt}} --fail-status-codes {{400,401,404}}