xnlinkfinder

--depthThe level of depth to search. For example, if a value of 2 is passed, then all links initially found will then be searched for more links (default: 1). This option is ignored for Burp files because they can be huge and consume lots of memory. It is also advisable to use the -sp (--scope-prefix) argument to ensure a request to links found without a domain can be attempted.

Input a URL or domain.

--configPath to the YML config file. If not passed, a default 'config.yml' is used which has some excludes some words/extensions and defines some stopwords.

--originWhether you want the origin of the link to be in the output. Displayed as LINK-URL [ORIGIN-URL] in the output (default: false)

--cookiesAdd cookies to pass with HTTP requests. Pass in the format 'name1=value1; name2=value2;'

--excludeLink exclusions in a comma separated list, e.g. careers,forum

--headersAdd custom headers to pass with HTTP requests. Pass in the format 'Header1: value1; Header2: value2;'

--includeInclude input links in the output (default: false)

--timeoutHow many seconds to wait for the server to send data before giving up (default: 10 seconds)

--verboseVerbose output

--all-tldsAll links found will be returned, even if the TLD is not common. This can result in a number of false positives where variable names, etc. may also be a possible genuine domain. By default, only links that have a TLD in the common TLDs (commonTLDs in config.yml) will be returned.

-insecureWhether TLS certificate checks should be made disabled making requests (default: false)

--prefixedWhether you want to see which links were prefixed in the output. Displays (PREFIXED) after link and origin in the output (default: false)

--no-bannerHides the tool banner.

--processesBasic multithreading is done when getting requests for a URL, or file of URLs (not a Burp file). This argument determines the number of processes (threads) used (default: 25)

-ascii-onlyWhether links and parameters will only be added if they only contain ASCII characters (default: False). This can be useful when you know the target is likely to use ASCII characters and you also get a number of false positives from binary files for some reason.

--user-agentWhat User Agents to get links for, e.g. 'desktop mobile'

--regex-afterRegEx for filtering purposes against found endpoints before output (e.g. /api/v[0-9].[0-9]* ). If it matches, the link is output.

-s403Stop when > 95 percent of responses return 403 Forbidden (default: false)

-s429Stop when > 95 percent of responses return 429 Too Many Requests (default: false)

-replay-proxyFor active link finding with URL (or file of URLs), replay the requests through this proxy.

--scope-filterWill filter output links to only include it if the domain of the link is in the scope specified.

--scope-prefixAny links found starting with / will be prefixed with scope domain in the output instead of the original link.

--vverboseIncreased verbose output

--max-file-sizeThe maximum file size (in bytes) of a file to be checked if -i is a directory. If the file size os over, it will be ignored (default: 500 MB). Setting to 0 means no files will be ignored, regardless of size.

--content-lengthShow the Content-Length of the response when crawling.

--max-time-limitThe maximum time limit (in minutes) to run before stopping (default: 0). If 0 is passed, there is no limit.

--stopwords-fileA file of additional Stop Words (in addition to stopWords in the YML Config file) used to exclude words from the target specific wordlist. Stop Words are used in Natural Language Processing and different lists can be found in different libraries. You may want to add words in different languages, depending on your target.

-sTOStop when > 95 percent of requests time out (default: false)

--wordlist-maxlenThe maximum length of words to add to the target specific wordlist (excluding plurals).

--memory-thresholdThe memory threshold percentage. If the machines memory goes above the threshold, the program will be stopped and ended gracefully before running out of memory (default: 95)

--scope-filterWill filter output links to only include them if the domain of the link is in the scope specified.

--scope-prefixAny links found starting with / will be prefixed with scope domains in the output instead of the original link.

--user-agent-customA custom User Agent string to use for all requests. This will override the -u/--user-agent argument. This can be used when a program requires a specific User Agent header to identify you for example.

--no-wordlist-digitsExclude any words from the target specific wordlist with numerical digits in.

--no-wordlist-imgaltBy default, any image 'alt' attributes will be processed for the target specific wordlist. If this argument is used, they will not be processed.

--no-wordlist-pluralsWhen words are found for a target specific wordlist, by default new words are added if there is a singular word from a plural, and vice versa. If this argument is used, this process is not done.

--burpfile-remove-tagsWhether to remove tags if a Burp file is passed as input. This is asked interactively if the flag is not passed. Pass as True or False.

--no-wordlist-commentsBy default, any comments in pages will be processed for the target specific wordlist. If this argument is used, they will not be processed.

--no-wordlist-lowercaseBy default, any word added with any uppercase characters in will also add the word in lowercase. If this argument is used, the lowercase words will not be added.

--no-wordlist-pathwordsBy default, any path words found in the links will be processed for the target specific wordlist. If this argument is used, they will not be processed.

--scope-prefix-originalIf a scope-prefix is passed, then this determines whether the original link starting with / is also included in the output (default: false).

-xrelBy default, if any links in the results start with `./` or `../`, they will be included. If this argument is used, these relative links will not be added.

--no-wordlist-parametersBy default, any parameters found in the links will be processed for the target specific wordlist. If this argument is used, they will not be processed.

--scope-prefix-keep-failedIf argument -spkf is passed, then this determines whether a prefixed link will be kept in the output if it was a 404 or a RequestException occurred (default: false).

-sCEStop when > 95 percent of requests have connection errors (default: false)