Current Version: v1.2.0 · Changelog
KeyHunter is a powerful tool designed to discover API key leaks from subdomains and archived URLs. It automates the process of subdomain enumeration, URL collection, and API key detection, making it an essential tool for security researchers and bug bounty hunters.
- Subdomain Enumeration: Utilizes `subfinder` to discover subdomains of a given domain.
- URL Collection: Uses `waybackurls` to gather URLs from the Wayback Machine and `katana` for active crawling with JavaScript support.
- Enhanced URL Discovery: Combines Wayback Machine archives and active crawling with `katana` for maximum URL coverage.
- Direct URL Scanning: Scan URLs directly from a file without domain enumeration using the `-l` flag.
- Automatic Dependency Installation: Install missing dependencies automatically with the `--install` flag (requires sudo).
- URL Validation: Filters out invalid URLs and checks for live endpoints.
- API Key Detection: Scans live URLs for potential API key leaks using customizable patterns.
- Asynchronous Processing: Efficiently handles multiple URLs concurrently for faster results.
- Customizable Patterns: Supports YAML-based patterns for detecting API keys from various providers.
- Exclusion List: Allows exclusion of specific file extensions to focus on relevant URLs.
- Focused Reporting: Saves results in a structured JSON format, focusing on the domain and detected API keys.
- Multiple Domain Support: Accepts a list of domains from an external file for batch scanning.
- X-Request-For Header: Supports custom headers for Bug Bounty programs that require a specific header.
- Cookie Authentication: Allows authenticated requests by providing a cookie for the target domain.
- Random User-Agent: Uses a random User-Agent for each request to avoid detection and blocking.
| Cloudinary | Firebase URL | Firebase Bucket | Firebase Database | Slack Token |
|---|---|---|---|---|
| PGP Private Key | AWS Access Key | Amazon MWS Token | Facebook Token | Facebook OAuth |
| GitHub Token | Generic API Key | Generic Secret | Google OAuth | MailChimp |
| Mailgun | Stripe | Square Token | Square Secret | Twilio |
| Telegram | GitLab PAT | NPM Token | Dropbox | SendGrid |
| Mapbox | URL Password | PayPal Braintree | Picatic | Slack Webhook |
| Laravel ENV | Alibaba Cloud | Grafana API | OpenAI | Postman |
| GitLab CI/CD | OAuth2 Bearer | Grafana SA Token | Discord Webhook | Heroku |
| Microsoft Azure | Vercel | Shopify | JWT | |
| RSA Private Key | React App ENV | | | |
- Python 3.7+
- `katana`, `httpx`, `subfinder` and `waybackurls` installed and available in your system's PATH.
- Clone the repository:

  ```bash
  git clone https://github.com/bigzooooz/KeyHunter.git
  cd KeyHunter
  ```

- Install dependencies:

  ```bash
  pip install -r requirements.txt
  ```

- Install external tools:
  - Option 1: Automatic installation (requires sudo):

    ```bash
    sudo python3 Keyhunter.py --install
    ```

  - Option 2: Manual installation: install `katana`, `subfinder`, `waybackurls`, and `httpx` by following their respective installation guides.

- Configure API key patterns:
  - Modify `api_patterns.yaml` to include patterns for detecting API keys from different providers.

- Run KeyHunter:

  ```bash
  python Keyhunter.py -d example.com
  ```
To scan a single domain for API key leaks:

```bash
python Keyhunter.py -d example.com
```

To scan multiple domains from a file:

```bash
python Keyhunter.py -f domains.txt
```

To scan URLs directly from a file:

```bash
python Keyhunter.py -l urls.txt
```

To scan only the provided domain(s) without enumerating subdomains:

```bash
python Keyhunter.py -d example.com --no-subs
```

The tool will generate a JSON file in the output directory for each domain, containing the results of the scan, including:
- The target domain
- Detected API keys
KeyHunter supports the following command-line options to customize and control the scanning process:
- `-d, --domain` – Specify the target domain for scanning.
- `-f, --file` – Provide a file containing a list of domains to scan.
- `-l, --urls-file` – Provide a file containing a list of URLs to scan directly (skips domain enumeration).
- `-ns, --no-subs` – Disable subdomain enumeration (default: enabled).
- `--cookie` – Supply a cookie for authenticated requests.
- `--x-request-for` – Set a custom `X-Request-For` header (e.g., `--x-request-for HackerOne`).
- `--install, --setup` – Install missing dependencies automatically (requires sudo).
- `--update` – Update KeyHunter to the latest version.
- `--version` – Display the current version of KeyHunter.
- `-v, --verbose` – Enable verbose output for detailed logs.
These options provide flexibility to scan domains efficiently while allowing customization for different use cases. 🚀
The `api_patterns.yaml` file contains regular expressions for detecting API keys from various providers. You can add or modify patterns as needed.

Example:

```yaml
aws:
  - "AKIA[0-9A-Z]{16}"
google:
  - "AIza[0-9A-Za-z\\-_]{35}"
```

The exclusion list file lists file extensions to exclude from the URL validation process.

Example:

```yaml
excluded_extensions:
  - .jpg
  - .png
  - .css
  - .js
```

Example output file:

```json
{
  "domain": "example.com",
  "api_keys_found": {
    "http://example.com/page1": {
      "aws": ["AKIA1234567890ABCDEF"]
    }
  }
}
```

Contributions are welcome! Please feel free to submit issues or pull requests to improve the tool.
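As an added illustration that is not part of the KeyHunter project's own code, the following Python script reproduces the last stage of the pipeline described above, offline: it parses the flat provider/regex layout of `api_patterns.yaml`, applies the extension exclusion list to a set of URLs, runs the patterns over response bodies that have already been fetched, and emits the same JSON report shape as the output example. The YAML text, the URLs and the response bodies are constructed sample data embedded inline (the key values are format-valid but not real credentials); the function names and the minimal YAML parser are assumptions of this example, not KeyHunter's API, and no network requests are made, so KeyHunter's live-endpoint check is not reproduced.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed copy of the api_patterns.yaml example from the README (flat
# "provider:" / '- "regex"' layout). Embedded inline so this runs offline.
PATTERNS_YAML = r'''
aws:
  - "AKIA[0-9A-Z]{16}"
google:
  - "AIza[0-9A-Za-z\\-_]{35}"
'''

# Constructed copy of the exclusion-list example from the README.
EXCLUDED_EXTENSIONS = [".jpg", ".png", ".css", ".js"]

# Constructed stand-in for responses already fetched from live URLs.
# The values match the regex formats above but are not real credentials.
SAMPLE_RESPONSES = {
    "http://example.com/page1": '<script>var cfg={aws:"AKIA1234567890ABCDEF"};</script>',
    "http://example.com/config": 'apiKey: "AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q"',
    "http://example.com/logo.png": "AKIA1234567890ABCDEF",  # skipped: excluded extension
    "http://example.com/about": "<p>No credentials on this page.</p>",
}


def parse_patterns(text):
    """Parse the two-level layout into {provider: [compiled regex, ...]}.

    Hypothetical minimal parser (assumption of this example): it handles only
    the shape shown in the README, a provider name ending in ':' followed by
    '- "regex"' items. Double-quoted YAML scalars are decoded with json.loads,
    which is sufficient for these patterns and collapses the doubled backslash
    in the YAML into the single backslash the regex engine expects.
    """
    patterns = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":"):
            current = line[:-1].strip()
            patterns.setdefault(current, [])
        elif line.startswith("- ") and current is not None:
            value = line[2:].strip()
            value = json.loads(value) if value.startswith('"') else value.strip("'")
            patterns[current].append(re.compile(value))
    return patterns


def is_excluded(url, excluded=EXCLUDED_EXTENSIONS):
    """True when the URL path ends in an excluded extension (case-insensitive)."""
    path = urlsplit(url).path.lower()
    return any(path.endswith(ext.lower()) for ext in excluded)


def scan_body(body, patterns):
    """Run every provider regex over one response body; return {provider: [hits]}."""
    found = {}
    for provider, regexes in patterns.items():
        hits = {m.group(0) for rx in regexes for m in rx.finditer(body)}
        if hits:
            found[provider] = sorted(hits)
    return found


def build_report(domain, responses, patterns):
    """Assemble the per-domain structure shown in the README's output example."""
    report = {"domain": domain, "api_keys_found": {}}
    for url, body in responses.items():
        if is_excluded(url):
            continue  # same effect as the exclusion list: never scanned
        hits = scan_body(body, patterns)
        if hits:
            report["api_keys_found"][url] = hits
    return report


if __name__ == "__main__":
    report = build_report("example.com", SAMPLE_RESPONSES, parse_patterns(PATTERNS_YAML))
    print(json.dumps(report, indent=2))
```

Running the script prints a report with two URLs under `api_keys_found` (`page1` for `aws`, `config` for `google`); the `.png` URL is dropped before scanning even though its body contains a matching string. The same harness is a convenient way to confirm that a pattern added to `api_patterns.yaml` matches a known-format sample before running a full scan. Note that the exclusion example above drops `.js` files, which is where bundled front-end code most often embeds keys, so exclude that extension only deliberately.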
This project is licensed under the MIT License. See the LICENSE file for details.
- Giving it a ⭐ on GitHub!
- Buying me a coffee ☕️ or Supporting me on PayPal 💸
- Sharing it with others who might benefit from it!
- Providing feedback and suggestions for improvement.
- Contributing to the project.
Disclaimer: This tool is intended for educational and research purposes only. The author is not responsible for any misuse or damage caused by this tool. Use responsibly and do not violate any laws or policies.