AutoAR
AutoAR is an automated security reconnaissance tool and Discord bot for bug bounty hunters and penetration testers. It automates subdomain enumeration, port scanning, technology detection, GitHub repository mapping, fuzzing, vulnerability testing, and AI analysis.
AutoAR — Automated Attack & Reconnaissance Platform
<div align="center">
The ultimate bug bounty automation framework. Scan smarter, find more, ship faster.
</div>

AutoAR is a powerful, end-to-end automated security reconnaissance and vulnerability hunting platform built in Go. It is purpose-built for bug bounty hunters and penetration testers who want to automate the full recon-to-report pipeline at scale — from subdomain enumeration and DNS takeover detection to nuclei scanning, JavaScript secrets extraction, GitHub exposure, mobile app analysis, and more.
Results are automatically uploaded to Cloudflare R2 storage and linked directly in your output — no hunting through directories.
✨ Feature Highlights
| Category | What AutoAR Does |
|---|---|
| 🌐 Subdomains | Enumerate using 15+ sources: Subfinder, CertSpotter, SecurityTrails, Chaos, crt.sh, OTX, VirusTotal, and more |
| 🔍 Live Hosts | Detect alive hosts using httpx with follow-redirects and status detection |
| 🕳️ DNS Takeovers | Detect CNAME, NS, Azure/AWS cloud, DNSReaper, and dangling-IP takeover opportunities |
| 💥 Nuclei Scanning | Automated vulnerability scanning using Nuclei templates with rate limiting |
| 🧠 Zero-Days | Smart scan configured for detected tech stacks — finds active CVEs |
| ☁️ S3 Buckets | Enumerate and scan AWS S3 buckets for exposure and misconfig |
| 🔗 JavaScript | Extract secrets, API endpoints, auth tokens from JS files |
| 🐙 GitHub Recon | Org-level and repo-level scanning for secrets, dependency confusion |
| 📱 Mobile Apps | APK/IPA analysis with MobSF + MITM traffic interception |
| ⚙️ Misconfigs | 100+ service misconfiguration checks |
| 🏴‍☠️ BB Scope | Fetch scope from HackerOne, Bugcrowd, Intigriti, YesWeHack, Immunefi |
| 🔄 Monitoring | Subdomain + URL change monitoring daemon with Discord alerts & DB history |
| 🤖 AI Agent | Full AI hunt loop (CLI + Discord /ai & /brain) — powered by Step-3.5 Flash via OpenRouter (free tier) — zero cost required |
| 📤 R2 Storage | Auto-upload every non-empty result file to Cloudflare R2 and print the public URL |
| 🔔 Smart Alerts | Rich Discord notifications for zero-findings scans — no more empty files or spam |
🗂️ Complete Command Reference
Workflows (Start Here)
```
autoar domain run -d <domain>          Full end-to-end workflow: subdomains → live hosts → ports →
                  [--skip-ffuf]        tech → DNS → S3 → nuclei → JS → URLs → GF → backup → misconfig
autoar subdomain run -s <subdomain>    Focused deep-dive on a single subdomain:
                                       live check → ports → JS → vuln scan → nuclei
autoar lite run -d <domain>            Lighter workflow: livehosts → reflection → JS → CNAME → DNS → misconfig
autoar fastlook run -d <domain>        Quick recon: subdomains → live hosts → URLs/JS collection
```
Reconnaissance
```
autoar subdomains get -d <domain>    Enumerate subdomains (15+ passive sources + Subfinder)
autoar livehosts get -d <domain>     Detect live hosts via httpx
autoar cnames get -d <domain>        Collect all CNAME records
autoar urls collect -d <domain>      Collect URLs (Wayback, gau, katana)
                    [--subdomain]    Focus on specific subdomain URLs
autoar tech detect -d <domain>       Detect web technologies (Wappalyzer, headers)
autoar ports scan -d <domain>        Port scan with naabu
```
Vulnerability Scanning
```
autoar nuclei run -d <domain>            Run Nuclei templates on all live hosts
autoar zerodays scan -d <domain>         Smart CVE scanning based on detected tech
                     -s <subdomain>      Scan a specific subdomain
                     -f <domains_file>   Scan domains from a file
                     [--cve <CVE-ID>]    Target a specific CVE
                     [--dos-test]        Include DoS checks (use on your own targets only)
                     [--silent]          Output only vulnerable hosts
autoar reflection scan -d <domain>       Scan for XSS/injection reflection points
autoar dalfox run -d <domain>            Advanced XSS scanning with Dalfox
autoar sqlmap run -d <domain>            SQL injection testing with SQLMap
autoar gf scan -d <domain>               Grep for interesting patterns (SQLi, SSTI, LFI, etc.)
autoar jwt scan --token <JWT_TOKEN>      Analyze JWT tokens for vulnerabilities
                [--skip-crack]
                [--test-attacks]
                [-w <wordlist>]
```
DNS Takeover Detection
```
autoar dns takeover -d <domain>       Comprehensive DNS takeover scan (all methods)
autoar dns cname -d <domain>          CNAME takeover detection
autoar dns ns -d <domain>             Nameserver takeover detection
autoar dns azure-aws -d <domain>      Azure/AWS cloud service takeover
autoar dns dnsreaper -d <domain>      DNSReaper-based detection
autoar dns dangling-ip -d <domain>    Dangling IP detection
autoar dns all -d <domain>            Run all DNS checks simultaneously
```
JavaScript Scanning
```
autoar js scan -d <domain>         Scan all JS files for secrets and endpoints
               [-s <subdomain>]    Scope to a specific subdomain's JS
```
Fuzzing (FFUF)
```
autoar ffuf fuzz -u <url>             Fuzz a URL (must contain FUZZ placeholder)
                 -d <domain>          Fuzz all live hosts for a domain
                 [-w <wordlist>]      Custom wordlist (default: Wordlists/quick_fuzz.txt)
                 [-t <threads>]       Thread count
                 [--bypass-403]       Attempt 403 bypass techniques
                 [--recursion]        Recursive fuzzing
                 [-e <extensions>]    File extensions to fuzz
                 [--header <k:v>]     Custom headers
```
Backup File Discovery
```
autoar backup scan -d <domain>             Hunt for exposed backup files on a domain
                   -l <live_hosts_file>    Scan from a file of live hosts
                   -f <domains_file>       Scan from a file of domains
                   [-m <method>]           Methods: regular, withoutdots, withoutvowels,
                                           reverse, mixed, withoutdv, shuffle, all
                   [-ex .zip,.rar]         Specific extensions to hunt
                   [-t <threads>]          Thread count
```
S3 Bucket Hunting and Cloud Storage
```
autoar s3 enum -b <root_domain>    Generate and check S3 bucket name permutations
autoar s3 scan -b <bucket_name>    Scan a specific bucket for access
               [-r <region>]       AWS region
```
GitHub Reconnaissance
```
autoar github scan -r <owner/repo>             Scan a single repository for secrets
autoar github org -o <org>                     Full org-level scan (all repos)
                  [-m <max-repos>]             Limit number of repos scanned
autoar github depconfusion -r <owner/repo>     Check for dependency confusion
autoar github experimental -r <owner/repo>     Deep experimental analysis
autoar github-wordlist scan -o <github_org>    Build wordlist from org's codebase
```
Misconfiguration Detection
```
autoar misconfig scan <target>                 Scan for common misconfigurations (100+ checks)
                      [--service <id>]         Test a specific service
                      [--delay <ms>]           Request delay
                      [--permutations]         Include path permutations
autoar misconfig service <target> <service>    Test a single service
autoar misconfig list                          List all available service checks
autoar misconfig update                        Update built-in templates
```
API Key Validation
```
autoar keyhack list                             List all API key validation templates
autoar keyhack search <query>                   Search for a specific provider
autoar keyhack validate <provider> <api_key>    Generate validation command for an API key
autoar keyhack add <name> <cmd> <desc>          Add a custom validation template
```
Adobe Experience Manager (AEM)
```
autoar aem scan -d <domain>             Detect AEM instances and test vulnerabilities
                -l <live_hosts_file>    Scan from a file
                [--ssrf-host <host>]    SSRF callback host
                [--proxy <proxy>]       HTTP proxy
```
Mobile Application Analysis (APKx)
```
autoar apkx scan -i <apk_or_ipa_path>        Analyze an APK or IPA file
                 -p <package_id>             Download and scan by package ID
                 [--platform android|ios]
                 [--mitm]                    Set up MITM proxy interception
autoar apkx mitm -i <apk_path>               Patch APK for MITM traffic analysis
```
Dependency Confusion
```
autoar depconfusion scan <file>                 Scan a local dependency file
autoar depconfusion github repo <owner/repo>    Scan a GitHub repo's dependencies
autoar depconfusion github org <org>            Scan all repos in a GitHub org
autoar depconfusion web <url> [url2...]         Scan web targets
autoar depconfusion web-file <file>             Scan targets listed in a file
autoar wpDepConf scan -d <domain>               WordPress plugin dependency confusion
                      -l <live_hosts_file>
```
Bug Bounty Platform Scope Fetching
auto
