# Huntr

Bulk vulnerability scanner for exposed credential files, secrets, and misconfigurations. Built in Go with a full terminal UI. Designed to process large target lists (77k+ domains from Product Hunt datasets) and surface real-world exposure — leaked `.env` files, open `.git` repos, database dumps, debug pages, cloud keys, API tokens, and more.

## Features

- **1,107 credential paths** probed per domain across 45+ categories
- **357 secret patterns** matched against response bodies (API keys, tokens, connection strings, private keys)
- **Cross-platform** — pre-built binaries for Windows and Linux with shared data in the root folder
- **Concurrent scanner** with configurable worker pool (default: 20 workers, 2 per domain)
- **Live database persistence** — findings flush to SQLite in real time via WAL checkpointing (no data loss on crash)
- **Resume support** — completed domains are tracked so interrupted scans pick up where they left off
- **Arrow-key TUI** — navigate menus, select target files, and view results with keyboard controls
- **Bulk scan** — load target lists from `.txt` files in the `targets/` folder
- **CSV export** of findings
- **Session logging** to `logs/`
- **DB Viewer** — open `db-viewer.html` in a browser to explore findings visually

## What It Checks

| Category | Examples |
|---|---|
| Environment files | `.env`, `.env.production`, `.env.local`, `.env.backup` + 30 variants |
| Git exposure | `.git/config`, `.git/HEAD`, `.gitconfig`, `.svn/entries` |
| Frontend frameworks | Next.js, React, Vue, Nuxt, SvelteKit, Remix, Astro, Angular configs |
| BaaS configs | Firebase, Supabase, Appwrite, Convex |
| Auth providers | Clerk, Auth0, Okta, Cognito, NextAuth |
| Payment configs | Stripe, PayPal, Razorpay, Square |
| Database configs & ORMs | Prisma, Drizzle, TypeORM, Sequelize, Knex, schema files |
| Database dumps | `.sql`, `.sqlite`, `.csv`, `.bak` backup files |
| WordPress | `wp-config.php`, `wp-config.php.bak`, debug logs, user enumeration |
| PHP / Laravel / Symfony | `config.php`, `.env`, `parameters.yml`, CodeIgniter, Magento |
| Python / Django / Flask | `settings.py`, `local_settings.py`, `config.py`, FastAPI |
| Ruby / Rails | `secrets.yml`, `database.yml`, `master.key`, `credentials.yml.enc` |
| Java / Spring / Tomcat | `application.properties`, actuator endpoints (`/env`, `/heapdump`) |
| .NET / ASP.NET | `web.config`, `appsettings.json`, `connectionstrings.config` |
| Go / Rust | `go.mod`, `.env`, `Cargo.toml`, config files |
| Node.js / NPM / Bun / Deno | `package.json`, `.npmrc`, `yarn.lock`, `bun.lockb` |
| API documentation | Swagger, OpenAPI, GraphQL, Redoc, Postman collections |
| Cloud providers | AWS credentials, GCP service accounts, Azure configs, DO tokens |
| Infrastructure as Code | Terraform state, Pulumi configs, Ansible vaults, Vagrant |
| Containers | Dockerfile, docker-compose, Kubernetes secrets, Helm values |
| CI/CD pipelines | GitHub Actions, GitLab CI, Jenkins, CircleCI, Travis, Bitbucket |
| SSH / certificates | Private keys (RSA, EC, DSA, Ed25519, PGP), `.pem`, `.pfx` |
| IDE / editor files | `.vscode/settings.json`, `.idea/`, launch configs with env vars |
| Debug / info pages | `phpinfo.php`, `/debug`, `/trace`, Spring actuators, error pages |
| Admin panels | 30+ common admin paths (`/admin`, `/wp-admin`, `/phpmyadmin`, etc.) |
| CMS systems | Drupal, Joomla, Magento, Ghost, Strapi |
| Mobile | React Native, Flutter, Expo configs |
| AI coding tools | Replit, Cursor, Claude Code, Bolt.new, Lovable, Base44, v0, Windsurf, Copilot, Devin, Amazon Q, Codex CLI, Tempo Labs, Softgen, Kiro, Roo, Zed, Aider, Continue, Tabby, Cody, Tabnine |
| MCP configs | `mcp.json`, `mcp-config.json`, `mcp-servers.json`, tool-specific MCP configs |
| Jupyter notebooks | `notebook.ipynb`, `Untitled.ipynb`, `main.ipynb` and other common names |
| No-code / low-code | Retool, Appsmith, Budibase, ToolJet, Wasp, Amplication |
| Vibe coder leaks | `.dev.vars`, `.env.vault`, Doppler, Infisical, Turso, PlanetScale, Neon, Upstash |
| Package managers | `.npmrc`, `.pypirc`, `.gem/credentials`, Composer auth, NuGet |
| Backup / archive files | `.zip`, `.tar.gz`, `.sql.gz`, `backup/`, `old/` |
| Shell / system history | `.bash_history`, `.zsh_history`, `.psql_history`, `.mysql_history` |
| Database client configs | `.pgpass`, `.my.cnf`, `redis.conf`, `.mongorc.js` |
| Cryptocurrency / Web3 | Hardhat, Truffle, Foundry configs, wallet keys |
| Source maps | `.js.map` files that expose original source code |
| Secrets / token files | `credentials.json`, `secrets.json`, `.htpasswd`, `.netrc` |

## Pattern Matching

Response bodies are scanned for 357 secret indicators including:

- Cloud keys: `AWS_SECRET_ACCESS_KEY`, `GOOGLE_PRIVATE_KEY`, `AZURE_CLIENT_SECRET`
- AI services: `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `GEMINI_API_KEY`, `GROQ_API_KEY`, `MISTRAL_API_KEY`, `DEEPSEEK_API_KEY`, `COHERE_API_KEY`
- AI coding tools: `DEVIN_API_KEY`, `CURSOR_API_KEY`, `REPLIT_API_KEY`, `BOLT_API_KEY`, `CODEX_API_KEY`
- Payment: `STRIPE_SECRET_KEY`, `PAYPAL_CLIENT_SECRET`, `RAZORPAY_SECRET`
- Auth: `CLERK_SECRET_KEY`, `AUTH0_CLIENT_SECRET`, `NEXTAUTH_SECRET`, `JWT_SECRET`
- Database: `DATABASE_URL`, `SUPABASE_SERVICE_ROLE_KEY`, `MONGO_URI`, `REDIS_PASSWORD`
- Connection strings: `mongodb://`, `postgres://`, `mysql://`, `redis://`, `jdbc:`
- Private key headers: `-----BEGIN RSA PRIVATE KEY-----`, `-----BEGIN OPENSSH PRIVATE KEY-----`
- Framework secrets: `APP_KEY=base64:`, `DJANGO_SECRET_KEY`, `RAILS_MASTER_KEY`
- CI/CD tokens: `GITHUB_TOKEN`, `NPM_TOKEN`, `DOCKER_PASSWORD`
- And 270+ more across every major SaaS, hosting, and infrastructure provider
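The same indicator matching is useful on the defending side: run it over your own build output (a static bundle, a `dist/` or `.next/` directory) or a saved copy of your own site's responses before it ships, and you find exactly what a scanner like this would flag. The script below is an added example, not Huntr's code; the indicator subset, the placeholder heuristic that filters template values such as `your-key-here` or `${GITHUB_TOKEN}`, and the sample body are all constructed. It also shows the two checks worth copying: a name-style indicator only counts when a non-empty, non-placeholder value is actually assigned, and previews are redacted so the report itself does not leak the secret.

```python
import re
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    category: str
    indicator: str
    line_no: int
    preview: str  # value already redacted, safe to paste into a ticket


# Hypothetical subset of the README's indicator list, grouped by category.
# Name-style indicators only count when a value is actually assigned.
NAMED: Dict[str, List[str]] = {
    "cloud": ["AWS_SECRET_ACCESS_KEY", "GOOGLE_PRIVATE_KEY", "AZURE_CLIENT_SECRET"],
    "ai": ["OPENAI_API_KEY", "ANTHROPIC_API_KEY", "GEMINI_API_KEY"],
    "payment": ["STRIPE_SECRET_KEY", "PAYPAL_CLIENT_SECRET"],
    "auth": ["CLERK_SECRET_KEY", "NEXTAUTH_SECRET", "JWT_SECRET"],
    "database": ["DATABASE_URL", "SUPABASE_SERVICE_ROLE_KEY", "REDIS_PASSWORD"],
    "framework": ["DJANGO_SECRET_KEY", "RAILS_MASTER_KEY"],
    "cicd": ["GITHUB_TOKEN", "NPM_TOKEN", "DOCKER_PASSWORD"],
}

# String-style indicators match literally wherever they appear.
LITERAL: Dict[str, List[str]] = {
    "private_key": [r"-----BEGIN (?:RSA |OPENSSH |EC |DSA |PGP )?PRIVATE KEY(?: BLOCK)?-----"],
    "framework": [r"\bAPP_KEY=base64:[A-Za-z0-9+/=]{16,}"],
    # a connection string is only a finding when it embeds credentials (user:pass@)
    "connection_string": [
        r"\b(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|rediss?)://[^\s:/@]+:[^\s@]+@",
    ],
}

# Values that are template placeholders rather than real secrets (assumed heuristic).
PLACEHOLDER = re.compile(
    r"^(?:\$\{?[A-Z0-9_]+\}?|<[^>]*>|your[-_].*|changeme|x{3,}|todo|placeholder|example.*)$",
    re.IGNORECASE,
)

# Matches NAME=value, NAME: value and "NAME": "value"; the value must be non-empty.
ASSIGN = r"\b{name}\b[\"']?\s*[=:]\s*[\"']?([^\"'\s,;]+)"


def redact(value: str) -> str:
    """Keep a short prefix so a hit can be located, hide the rest."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def scan_body(body: str) -> List[Hit]:
    """Return every secret indicator found in a response body or build artifact."""
    hits: List[Hit] = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        for category, names in NAMED.items():
            for name in names:
                m = re.search(ASSIGN.format(name=re.escape(name)), line)
                if m is None or PLACEHOLDER.match(m.group(1)):
                    continue  # not assigned, or an obvious template value
                hits.append(Hit(category, name, line_no, f"{name}={redact(m.group(1))}"))
        for category, patterns in LITERAL.items():
            for pattern in patterns:
                m = re.search(pattern, line)
                if m is not None:
                    hits.append(Hit(category, pattern, line_no, redact(m.group(0))))
    return hits


# Constructed sample: what a leaked .env served by a misconfigured host might look like.
SAMPLE_BODY = """\
APP_NAME=demo
DATABASE_URL=postgres://app:s3cretpass@db.internal:5432/app
STRIPE_SECRET_KEY=sk_test_0000constructed0000
OPENAI_API_KEY=your-key-here
JWT_SECRET=
GITHUB_TOKEN=${GITHUB_TOKEN}
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAconstructed
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for hit in scan_body(SAMPLE_BODY):
        print(f"line {hit.line_no:>3}  {hit.category:<18} {hit.preview}")
```

On the sample body this reports the `DATABASE_URL` assignment (twice: once as a named indicator, once as a credentialed connection string), the Stripe key and the private-key header, and stays quiet on the placeholder, the empty value and the `${...}` reference. Every real-world pattern set will need the placeholder list tuned to the templates your own projects use.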

## Folder Structure

```
Huntr/
  Windows/
    huntr.exe           # Windows binary
    db-viewer.html      # Browser-based findings viewer
  Linux/
    huntr               # Linux binary
    Huntr.desktop       # Desktop launcher
    db-viewer.html      # Browser-based findings viewer
  targets/              # Shared target lists (.txt files)
  logs/                 # Session logs
  huntr.db              # Shared SQLite database (auto-created)
  README.md
```

Both binaries read and write the same root `Huntr/` folder, so the database, target lists, and logs are shared across platforms. Move the `.db` file out of the folder and the tool starts fresh.

## Build

Requires Go 1.21+. No CGO — all dependencies are pure Go. The build commands below set `GOOS`/`GOARCH` with POSIX shell syntax; when building on a Windows host, set them first with `$env:GOOS = "windows"` in PowerShell (or `set GOOS=windows` in cmd) and then run the `go build` line.

### Windows

```bash
cd Huntr
GOOS=windows GOARCH=amd64 go build -o Windows/huntr.exe .
```

### Linux

```bash
cd Huntr
GOOS=linux GOARCH=amd64 go build -o Linux/huntr .
chmod +x Linux/huntr
```

### Run

Launch from the respective platform folder:

```
# Windows
cd Windows
.\huntr.exe

# Linux
cd Linux
./huntr
# or double-click Huntr.desktop
```

## Controls

| Key | Action |
|---|---|
| Up/Down arrows | Navigate menu items and file selection |
| Enter | Execute selected command |
| F5 | Refresh target file list |
| Esc | Cancel / return to menu |
| Ctrl+C | Quit |

## Database

Huntr uses SQLite with WAL (Write-Ahead Logging) mode for concurrent scan writes. A `PRAGMA wal_checkpoint(PASSIVE)` runs after every batch commit so findings are flushed to the main `.db` file in real time. On clean shutdown, a `TRUNCATE` checkpoint consolidates everything.

This means:
- No data loss if the tool crashes mid-scan
- Scans resume from where they left off (completed domains are skipped)
- The `.db` file can be opened by external tools while scans are running
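The persistence pattern this section describes, as an added example that is not Huntr's own code: it uses Python's standard `sqlite3` module rather than the project's Go and modernc.org/sqlite stack, but the mechanics are the same: WAL mode, a `PASSIVE` checkpoint after each batch commit, a `TRUNCATE` checkpoint on clean shutdown, and a `completed` table that drives resume. The table layout, function names and the three-domain target list are assumptions.

```python
import os
import sqlite3
import tempfile
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical row shape for a finding: (domain, path, indicator)
Finding = Tuple[str, str, str]


def open_db(path: str) -> sqlite3.Connection:
    """Open (or create) the findings database in WAL mode."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit; BEGIN/COMMIT issued explicitly
    mode = conn.execute("PRAGMA journal_mode=WAL").fetchone()[0]
    if mode != "wal":
        raise RuntimeError(f"could not enable WAL, journal_mode is {mode!r}")
    # In WAL mode NORMAL keeps committed data safe across an application crash
    # with fewer fsyncs; FULL is the choice if power loss must be covered too.
    conn.execute("PRAGMA synchronous=NORMAL")
    conn.executescript(
        """
        CREATE TABLE IF NOT EXISTS findings (
            domain TEXT NOT NULL, path TEXT NOT NULL, indicator TEXT NOT NULL,
            PRIMARY KEY (domain, path, indicator)
        );
        CREATE TABLE IF NOT EXISTS completed (domain TEXT PRIMARY KEY);
        """
    )
    return conn


def commit_batch(conn: sqlite3.Connection, domain: str, findings: Iterable[Finding]) -> int:
    """Atomically record one domain's findings and mark it completed, then checkpoint.

    Returns the number of WAL frames moved into the main .db file. PASSIVE never
    waits on readers or writers, so it is cheap enough to run after every batch.
    """
    conn.execute("BEGIN IMMEDIATE")
    conn.executemany("INSERT OR IGNORE INTO findings VALUES (?, ?, ?)", findings)
    conn.execute("INSERT OR IGNORE INTO completed VALUES (?)", (domain,))
    conn.execute("COMMIT")
    _busy, _log_frames, checkpointed = conn.execute("PRAGMA wal_checkpoint(PASSIVE)").fetchone()
    return checkpointed


def pending_targets(conn: sqlite3.Connection, targets: Iterable[str]) -> List[str]:
    """Resume support: drop every target already marked completed."""
    done = {row[0] for row in conn.execute("SELECT domain FROM completed")}
    return [t for t in targets if t not in done]


def close_db(conn: sqlite3.Connection) -> None:
    """Clean shutdown: fold the whole WAL into the main file and truncate it."""
    conn.execute("PRAGMA wal_checkpoint(TRUNCATE)")
    conn.close()


def demo(path: Optional[str] = None) -> Dict[str, object]:
    """Write one domain, simulate an interrupted run, reopen and compute what remains."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(prefix="huntr-demo-"), "huntr.db")
    targets = ["a.example", "b.example", "c.example"]  # constructed target list

    conn = open_db(path)
    moved = commit_batch(conn, "a.example", [("a.example", "/.env", "DATABASE_URL")])
    # Interrupted run: the connection is dropped without close_db's TRUNCATE checkpoint.
    # The batch was already committed (and passively checkpointed), so nothing is lost.
    del conn

    conn = open_db(path)
    remaining = pending_targets(conn, targets)
    rows = conn.execute("SELECT COUNT(*) FROM findings").fetchone()[0]
    close_db(conn)
    wal_path = path + "-wal"
    wal_left = os.path.getsize(wal_path) if os.path.exists(wal_path) else 0
    return {"moved_frames": moved, "findings": rows, "remaining": remaining, "wal_bytes_after_close": wal_left}


if __name__ == "__main__":
    print(demo())
```

One caveat worth keeping in mind: committed transactions in WAL mode survive a crash whether or not a checkpoint ran, because the `-wal` file is replayed on the next open. The per-batch `PASSIVE` checkpoint is what keeps the main `.db` file itself current, which matters for external tools or backups that copy only the `.db` and not its `-wal` and `-shm` companions; a viewer that opens the database through SQLite sees the WAL content either way.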

## Stack

- Go + [tcell/v2](https://github.com/gdamore/tcell) (TUI)
- [modernc.org/sqlite](https://pkg.go.dev/modernc.org/sqlite) (persistence, pure Go)

## Authors

- [Ringmast4r](https://github.com/Ringmast4r)
- [tikket1](https://github.com/tikket1)
