npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@pown/buster

v2.7.2

Published

Pownage guaranteed

Downloads

3

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

pdparchitectpdparchitect

Keywords

exploitframework

Readme

Follow on Twitter NPM Fury

Pown Buster

Pown Buster is a multi-service bruteforce discovery tool.

Credits

This tool is part of secapps.com open-source initiative.

  ___ ___ ___   _   ___ ___  ___
 / __| __/ __| /_\ | _ \ _ \/ __|
 \__ \ _| (__ / _ \|  _/  _/\__ \
 |___/___\___/_/ \_\_| |_|  |___/
  https://secapps.com

Quickstart

This tool is meant to be used as part of Pown.js but it can be invoked separately as an independent tool.

Install Pown first as usual:

$ npm install -g pown@latest

Invoke directly from Pown:

$ pown buster

Library Use

install this module locally from the root of your project:

$ npm install @pown/buster --save

Once done, invoke pown cli:

$ ./node_modules/.bin/pown-cli buster

You can also use the global pown to invoke the tool locally:

$ POWN_ROOT=. pown buster

Usage

WARNING: This pown command is currently under development and as a result will be subject to breaking changes.

pown buster <command>

Multi-service bruteforce discovery tool

Commands:
  pown bust web [options] <url>       Web file and directory bruteforcer (a.k.a dirbuster)
  pown bust email [options] <domain>  Email bruteforce discovery tool (via smtp)  [aliases: emails]

Options:
  --version  Show version number  [boolean]
  --help     Show help  [boolean]

pown bust web

pown bust web [options] <url>

Web file and directory bruteforcer (a.k.a dirbuster)

Options:
  --version                   Show version number  [boolean]
  --help                      Show help  [boolean]
  --write, -w                 Write to file  [string]
  --request-method, -X        Request method  [string] [default: "GET"]
  --name-dictionary, -n       Name dictionary file  [string]
  --extension-dictionary, -e  Extension dictionary file  [string]
  --name-prefix               Name prefix  [string] [default: "/"]
  --name-suffix               Name suffix  [string] [default: ""]
  --extension-prefix          Extension prefix  [string] [default: "."]
  --extension-suffix          Extension suffix  [string] [default: ""]
  --request-concurrency, -r   The number of request to run concurrently  [string] [default: Infinity]
  --load-concurrency, -l      The number of assync operations to run concurrently  [string] [default: Infinity]
  --header, -H                Set header  [array] [default: []]
  --timeout, -t               Request timeout in milliseconds  [number] [default: 30000]
  --all, -a                   Display all results  [boolean] [default: false]
  --yes, -y                   Answer yes to all questions  [boolean] [default: false]
  --blessed, -b               Start with blessed ui  [boolean] [default: false]

Examples:
  pown buster -X HEAD -n words.txt http://target                                             Send requests using the HEAD HTTP method
  pown buster -H 'Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l' -n words.txt http://target  Send basic authentication headers
  pown buster -b --all -n words.txt http://target                                            Start buster but also open the results in nice text user interface

pown bust emails

pown bust email [options] <domain>

Email bruteforce discovery tool (via smtp)

Options:
  --version         Show version number  [boolean]
  --help            Show help  [boolean]
  --write, -w       Write to file  [string]
  --dictionary, -d  Dictionary file  [string]
  --servers, -s     Servers to use  [array] [default: []]
  --scale, -e       Scale servers times  [number] [default: 10]
  --all, -a         Display all results  [boolean] [default: false]
  --yes, -y         Answer yes to all questions  [boolean] [default: false]

Performance

Notes from the author:

@pdp: Pown Buster is written such as that none of the requests and internal scheduling mechanisms are blocking. Although I was initially skeptical that this is going to lead to significant performance improvements, it turns out that it does. I compared the performance to other tools written in more concurrent languages such as Go. It appears that Pown Buster is at least 6 times faster in default configuration when compared to these tools.

That being said, speed is not always a good thing. In my own tests, many servers will start throwing 5xx errors if you are sending too fast. You can control the concurrency of the tool using --request-concurrency and --load-concurrency options. The former caps how many concurrent request you would like to send to the server as the name suggests. The later is slightly trickier. This option indicates how many concurrent operations can be pre-loaded in advance. The higher the number the more Promises will be instantiated in advance increasing the performance but at the same time increasing the memory profile. The lower the number the less memory will be used but more operations have to be fetch at some intermediary point. If you are dealing with huge-dictionaries this option helps control the tool behaviour without making your hardware sweat. In normal circumstances you may want to leave this option alone and use --request-concurrency intead.

Blessed

Pown Buster comes with an optional text interface which comes handy when investigating all results in detail. Use either -b or --blessed options to activate it. Using this feature will not result in performance degradation.

Screenshot

Suggestions and Improvements

The following list of improvements are just around the corner:

  • Loading full requests instead of just uris
  • Curses mode - preview in nice curses table
  • Export - ability to serialise request and responses
  • Support for HTTP/2 - should be available soon
  • Split the blessed UI in a separate thread
  • Support for request pipelining and other paralel options - see @pown/request