PhantomCrawler is a lightweight web application reconnaissance and security testing tool designed for security researchers and penetration testers. It performs multi-threaded crawling, JavaScript analysis, secret detection, GraphQL endpoint probing, JWT token analysis, security header validation, and form fuzzing for XSS vulnerabilities, with comprehensive JSON and HTML reporting.
- Multi-threaded crawling with rate limiting
- JavaScript analysis for risky patterns
- Secret and credential detection
- GraphQL endpoint discovery and testing
- JWT token analysis
- Security header validation
- Form discovery and XSS fuzzing
- Comprehensive JSON and HTML reporting
- Current Version: 1.0
PhantomCrawler requires Python 3.8+. Kali Linux typically includes Python 3 pre-installed.
Verify your Python version:
```bash
python3 --version
```

```bash
sudo apt update
sudo apt upgrade -y
sudo apt install python3-pip -y
```

```bash
# Create a directory for security tools
mkdir -p ~/security-tools
cd ~/security-tools
# Clone the repository
git clone https://github.com/[YourGitHubUsername]/phantomcrawler.git
cd phantomcrawler
```

PhantomCrawler requires requests, beautifulsoup4, and colorama. These are listed in requirements.txt.

```bash
pip3 install -r requirements.txt
```

Note: Dependencies like lxml, certifi, and urllib3 are typically included with requests or beautifulsoup4. If you encounter issues, install them manually:

```bash
pip3 install lxml certifi urllib3
```

```bash
chmod +x phantomcrawler.py
python3 phantomcrawler.py --help
```

You should see the help menu with available options.

To run PhantomCrawler from anywhere:

```bash
# Quote the path so a working directory containing spaces still links correctly
sudo ln -s "$(pwd)/phantomcrawler.py" /usr/local/bin/phantomcrawler
```

Then run it as:

```bash
phantomcrawler https://example.com --depth 2
```

For isolated dependencies:
```bash
# Install venv
sudo apt install python3-venv -y
# Create and activate virtual environment
python3 -m venv phantom-env
source phantom-env/bin/activate
# Install dependencies
pip install -r requirements.txt
# Run the tool
python phantomcrawler.py https://example.com
# Deactivate when done
deactivate
```

Usage examples:

```bash
python3 phantomcrawler.py https://example.com --depth 2 --threads 5

python3 phantomcrawler.py https://example.com --depth 3 --fuzz --threads 10

python3 phantomcrawler.py https://api.example.com --graphql --depth 1

python3 phantomcrawler.py https://example.com --depth 3 --fuzz --graphql --threads 8 --out full_audit.json

python3 phantomcrawler.py https://example.com --out my_report.json

python3 phantomcrawler.py --help
```

| Option | Description | Default |
|---|---|---|
| `target` | Base target URL (e.g., https://example.com) | Required |
| `--depth` | Crawl depth | 1 |
| `--threads` | Number of threads | 3 |
| `--fuzz` | Enable XSS fuzzing on forms | Disabled |
| `--graphql` | Probe GraphQL endpoints | Disabled |
| `--out` | Output report file | phantom_report.json |
| `--no-html` | Skip HTML report generation | HTML enabled |

Solution: Install the missing module:

```bash
pip3 install <module_name>
```

Solution: Ensure the script is executable:

```bash
chmod +x phantomcrawler.py
```

Solution: Update certifi:

```bash
pip3 install --upgrade certifi
```

Solution: Install pip:

```bash
sudo apt install python3-pip
```

To remove PhantomCrawler:
```bash
# Remove the repository
rm -rf ~/security-tools/phantomcrawler
# Remove symlink (if created)
sudo rm /usr/local/bin/phantomcrawler
# Uninstall Python packages (if not used by other tools)
pip3 uninstall requests beautifulsoup4 colorama lxml certifi urllib3
```

This project is licensed under the MIT License - see the LICENSE file for details.