HuntKit – Docker Image for Pentesting, Bug Bounty, and CTF


What is this?

HuntKit is a collection of penetration testing, bug bounty hunting, capture the flag, red teaming tools in a single Docker image. Simply run the image and start using the tools.


I got sick of waiting for VitualBox to start, Kali to boot, then dealing with the slugish-ness of operating in a VM. I still use Kali for certain tasks. But for a quick nmap scan (for example), using this container is a lot quicker.


Run from DockerHub

docker run -it mcnamee/huntkit

# - OR -

# Advanced:
# Line 2: maps ~/Projects to the Docker /root/projects
# Line 3: Allows OpenVPN
# Line 4: Opens and maps port 4444 (for listeners such as Metasploit)
# Line 5: Sets the machine's hostname to huntkit
docker run -it \
  -v ~/Projects:/root/projects \
  --cap-add=NET_ADMIN --device=/dev/net/tun \
  -p 4444:4444 \
  -h huntkit \


# 1. Clone the repo
git clone && cd huntkit

# 2. Build the image
docker build . -t mcnamee/huntkit



ToolDescription & Example
amassNetwork mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
amass enum -v -src -ip -brute -min-for-recursive 2 -d
brutesprayService scanner by bruteforcing.
brutespray --file nmap.gnmap
cloudfailCloudFail is a tool to find origin servers of websites protected by CloudFlare.
cloudfail --target
cloudflairCloudFlair is a tool to find origin servers of websites protected by CloudFlare who are publicly exposed and don’t restrict network access to the CloudFlare IP ranges as they should.
export CENSYS_API_ID=... && export CENSYS_API_SECRET=...
commixCommand injection exploiter – used to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks.
commix --url="" --level=3
dalfoxXSS Scanning and Parameter Analysis tool.
dalfox url\?cat\=123 -b
dirbLooks for existing (and/or hidden) Web Objects, by launching a dictionary based attack against a web server and analyzing the response.
dirb $WORDLISTS/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
dnmasscandnmasscan is a bash script to automate resolving a file of domain names and subsequentlly scanning them using masscan.
dnmasscan listofdomains.txt dns.log -p80,443 - oG masscan.log
dnsxAllows you to run multiple probers using retryabledns library, that allows you to perform multiple DNS queries of your choice with a list of user supplied resolvers.
cat domains.txt
ffufA fast web fuzzer.
ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401
gaugetallurls (gau) fetches known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.
httpxTake a list of domains and probe for working http and https servers.
cat domains.txt
linkfinderDiscover endpoints and their parameters in JavaScript files.
linkfinder -i -d -o cli
masscanAn Internet-scale port scanner.
masscan -p1-65535 -iL listofips.txt --max-rate 1800 -oG masscan.log
megA tool for fetching lots of URLs but still being ‘nice’ to servers.
meg paths.txt hosts.txt
niktoWeb server scanner which performs comprehensive tests against web servers for multiple items (dangerous files, outdated dependencies…).
nikto -host=
nmapA utility for network discovery and security auditing.
nmap -sV
nucleiNuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use..
nuclei -l urls.txt -t $ADDONS/nuclei/ADDONS/nuclei/technologies/ -o ~/projects/results.txt
pagodoPassive Google dork script to collect potentially vulnerable web pages and applications on the Internet..
pagodo -d $DOMAIN -g dorks/sensitive_directories.dorks -l 100 -s -e 35.0 -j 1.1
recon-ngWeb-based open source reconnaissance framework.
sherlockHunt down social media accounts by username across social networks.
sherlock user1 user2 user3
subfinderSubdomain discovery tool to find valid subdomains for websites by using passive online sources.
subfinder -d -v
subjsFetches javascript files from a list of URLS or subdomains. Analyzing javascript files can help you find undocumented endpoints, secrets, and more.
`cat urls.txt
subjackA Subdomain Takeover tool.
SJFP=$(find "${GOPATH}/pkg" -name fingerprints.json)
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -a -c $SJFP
sublist3rEnumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and more.
sublist3r -d
sqlmapAutomates the process of detecting and exploiting SQL injection flaws and taking over of database servers
sqlmap -u --forms --crawl=10 --level=5 --risk=3
theharvesterGather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.
theharvester -d -b "bing, certspotter, dnsdumpster, dogpile, duckduckgo, google, hunter, linkedin, linkedin_links, twitter, yahoo"
wafw00fWeb Application Firewall Fingerprinting Tool.
whatwebScans websites and highlights the CMS used, JavaScript libraries, web servers, version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
wpscanWordPress Security Scanner.
wpscan --url
xsstrikeAdvanced XSS Detection Suite.
xsstrike -u="" --data="query"


ToolDescription & Example
breach-parseA tool for parsing breached passwords.
breach-parse tesla.txt "~/Downloads/BreachCompilation/data"
crunchWordlist generator where you can specify a standard character set or a character set you specify.
crunch 6 6 0123456789abcdef -o 6chars.txt
cuppPersonal wordlist generator.
cupp -i
johnJohn the Ripper is a fast password cracker.
zip2john > hash.txt
john hash.txt
jwttoolA toolkit for validating, forging and cracking JWTs (JSON Web Tokens).
jwttool eyJ0eXAiOiJ.eyJsb2dpbi.aqNCvShlN -A
metasploitA penetration testing platform that enables you to find, exploit, and validate vulnerabilities..
hydrahydra -f -l -P $WORDLISTS/seclists/Passwords/darkweb2017-top1000.txt http-post-form "/login:user=^USER^&pass=^PASS^:Failed"
netcatA networking utility which reads and writes data across network connections, using the TCP/IP protocol.
nc -nvlp 1234
searchsploitSearchable archive from The Exploit Database.
searchsploit oracle windows remote
setoolkitSocial Engineering Toolkit.


FTPConnect to an FTP server.
GoThe PHP programming language
InterlaceEasily turn single threaded command line applications into a fast, multi-threaded application.
interlace -tL targets.txt -threads 5 -c "gobuster dns -d _target_ -w wordlist.txt --noprogress --quiet >> _target_.txt" -v
NodeJSNode.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine.
Oh My ZshZsh is a framework for managing your zsh configuration, bundled with thousands of helpful functions, helpers, plugins, themes.
OpenVPNConnect to a VPN.
Add --cap-add=NET_ADMIN --device=/dev/net/tun to the docker run to use OpenVPN.
PerlPerl is a highly capable, feature-rich programming language with over 30 years of development.
PHPThe PHP scripting language.
ProxychainsRedirects connections through SOCKS4a/5 or HTTP proxies.
Python 2 & 3The Python programming language
RubyA dynamic, open source programming language with a focus on simplicity and productivity. It has an elegant syntax that is natural to read and easy to write.
smbclientsmbclient \\\Media
TorBrowse Privately.
tmuxtmux is a terminal multiplexer. It lets you switch easily between several programs in one terminal, detach them (they keep running in the background) and reattach them to a different terminal.
CNTR+b c Create window
CNTR+b n Switch to next window
unfurlPull out bits of URLs provided on stdin.
`cat urls.txt
zshZsh is an extended Bourne shell with many improvements, including some features of Bash, ksh, and tcsh.


  • Amass
  • Dirb
  • Kali’s rockyou.txt
  • Metasploit
  • The Harvester
  • SecLists


Please follow and like us:

Leave a Reply

Your email address will not be published.