This post is to tell you about an API scanner called Kiterunner. I heard about it through Ms. Alissa Knight’s white paper “Go Fuzz Yourself”, which talks about the importance of fuzzing during API tests.
This tool is written in Go, and it is recommended that you use it on Linux; Assetnote’s GitHub (the creators of Kiterunner) actually has clear step-by-step installation instructions for Linux.
It can work on Windows (I’ve only done a simple test), but it does take a little finagling, which is why I decided to do a quick post about it here. Let’s go.
// Downloads Needed:
In order to get this to work, you will need to download 3 main things:
- The Go installer for Windows (GoLang.org).
- The Kiterunner source code zip file (Kiterunner Releases page).
- Kiterunner’s wordlists; I recommend getting both ‘.kite’ files (provided on their GitHub page).
The ‘.json’ files are the same wordlists; they are kindly provided in case you want to use the same wordlist with another scanner.
// Installation Steps:
- First, install Go.
- Second, extract the source code zip file.
- Open CMD and navigate into that folder, “kiterunner-1.0.2” or whichever version you have.
- Then, in your terminal window, run this command:
go build -o dist/kr.exe ./cmd/kiterunner
- This will create a “dist” folder, and in there will be your “kr.exe” file.
// Getting It To Work:
- Open CMD as Administrator
- Navigate to where the “kr.exe” file is (the /dist folder)
- Run your scan commands from there:
kr scan http://ip/ -w routes-small.kite
For me, it was giving me the error “failed to open file” for some reason, even though I wasn’t opening a file; I was giving it a URL.
- My workaround was to put the website in a ‘hosts.txt’ file, so the command would look like this:
kr scan hosts.txt -w routes-small.kite -o text
- That worked.
I have a “-o text” at the end of the command. The reason for this is that the original “pretty” colored output does not render correctly on Windows. So if you’re on Windows, make sure to add that “-o text” at the end; it will make the result a lot easier to read. Not colorful, but much easier to read.
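The build and the Windows workaround above, tied together in one PowerShell script. This is an added example, not code from the original post or from the Kiterunner project: it runs the same “go build” command, writes the target into a hosts.txt file, and runs kr.exe with “-o text”, while also checking that Go and the wordlist are actually present and saving the results to a file. The source folder, wordlist path and target URL are assumptions; change them to match your setup.

```powershell
# Added example (not from the original post or the Kiterunner project).
# Builds kr.exe from the extracted Kiterunner source and runs a scan using
# the hosts.txt workaround and plain text output described in the post.
param(
    [Parameter(Mandatory = $true)][string]$Target,                 # e.g. http://ip/ (assumed value)
    [string]$SourceDir = "C:\tools\kiterunner-1.0.2",             # extracted source zip (assumed path)
    [string]$Wordlist  = "C:\tools\wordlists\routes-small.kite",  # downloaded .kite file (assumed path)
    [string]$OutFile   = "kr-results.txt"                         # where the text results are kept
)

$ErrorActionPreference = "Stop"

# 1. Go must be on PATH. The installer sets this up, but you need a new
#    terminal window after installing for the change to be picked up.
if (-not (Get-Command go -ErrorAction SilentlyContinue)) {
    throw "go.exe not found on PATH. Install Go from GoLang.org and open a new terminal."
}

# 2. Build kr.exe into the dist folder if it is not there yet (same command as the post).
$dist = Join-Path $SourceDir "dist"
$kr   = Join-Path $dist "kr.exe"
if (-not (Test-Path $kr)) {
    Push-Location $SourceDir
    try {
        go build -o dist/kr.exe ./cmd/kiterunner
        if ($LASTEXITCODE -ne 0) { throw "go build failed with exit code $LASTEXITCODE" }
    } finally {
        Pop-Location
    }
}

# 3. The wordlist is a separate download; fail early with a clear message if it is missing.
if (-not (Test-Path $Wordlist)) {
    throw "Wordlist not found: $Wordlist (download the .kite files from the Kiterunner GitHub page)"
}

# 4. Windows workaround from the post: give kr the target via a hosts.txt file
#    instead of passing the URL directly on the command line.
$hostsFile = Join-Path $dist "hosts.txt"
Set-Content -Path $hostsFile -Value $Target -Encoding ASCII

# 5. Run from the dist folder with "-o text" (the colored output breaks on Windows)
#    and keep a copy of everything printed so the results can be reviewed later.
Push-Location $dist
try {
    & $kr scan $hostsFile -w $Wordlist -o text 2>&1 | Tee-Object -FilePath $OutFile
    if ($LASTEXITCODE -ne 0) { Write-Warning "kr exited with code $LASTEXITCODE" }
} finally {
    Pop-Location
}
```

Run it from an elevated PowerShell window as, for example, `.\Run-Kiterunner.ps1 -Target http://ip/`. Because the script always writes hosts.txt and passes it to kr.exe, you never hit the “failed to open file” error from the URL form, and the results end up both on screen and in kr-results.txt.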
// A Couple of Basic Commands:
kr scan https://ip/ -w routes-large.kite
kr brute https://ip/ -A=apiroutes-210228
There you go.
Now I do recommend you watch InsiderPhD’s video “API Recon with Kiterunner” and read Ms. Alissa’s “Go Fuzz Yourself” white paper, because they both provide some really great information and are much wiser in the field of API hacking than I am.
I hope that was helpful.
Go (ethically) Hack The Planet.