SnailHunter
AI-Powered Bug Bounty Hunting Automation Platform
Let AI do the heavy lifting while you collect the bounties.
Features • Quick Start • Usage • Architecture • Tools
SnailHunter is a fully automated bug bounty hunting platform that combines traditional security tools with AI-powered analysis. It orchestrates reconnaissance, discovery, vulnerability scanning, and false positive filtering, then generates submission-ready reports.

```text
TARGET ──► RECON ──► DISCOVERY ──► SCAN ──► VALIDATE ──► REPORT
example.com
```
| Problem | SnailHunter Solution |
|---|---|
| Manual tool orchestration | Automated 6-stage pipeline |
| False positive overload | AI-powered FP filtering with confidence scores |
| Report writing takes forever | Auto-generated submission-ready reports |
| Missing vulnerability chains | AI detects SSRF→RCE, XSS→ATO patterns |
| Wasted time on duplicates | Smart deduplication and chain detection |
```bash
# One command. Full scan. Reports generated.
snailhunter scan example.com -p "HackerOne Program"
```

- False Positive Filtering - Confidence scoring (0-100%)
- Vulnerability Chaining - Detects exploitable chains automatically
- CVSS v3.1 Calculation - With full justification
- Report Enhancement - Business impact framing
Orchestrates best-in-class security tools:
| Tool | Purpose | Status |
|---|---|---|
| Nuclei | Template-based scanning | Integrated |
| SQLMap | SQL injection | Integrated |
| Dalfox | XSS scanning | Integrated |
| ffuf | Content discovery | Integrated |
| httpx | HTTP probing | Integrated |
| subfinder | Subdomain enum | Integrated |
```text
Hunt Results

Statistics
├── Duration: 142.3s
├── Targets scanned: 47
└── Total findings: 12

Severity Breakdown
├── Critical: 2
├── High: 4
└── Medium: 6

Vulnerability Chains
└── Cloud Takeover Chain (critical)

NICE! High-value findings detected!
Review the reports and prepare your submissions.
```
```bash
# Clone the repository
git clone https://github.com/SnailSploit/TheMothership.git
cd TheMothership

# Install SnailHunter
pip install -e .

# Set up your API key (for AI features)
cp .env.example .env
# Edit .env and add your ANTHROPIC_API_KEY or OPENAI_API_KEY

# Check tool status
snailhunter tools
```

```bash
# Go-based tools (requires Go 1.21+)
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/ffuf/ffuf/v2@latest
go install github.com/hahwul/dalfox/v2@latest

# Python tools
pip install sqlmap
```

```bash
# Full automated scan
snailhunter scan bugcrowd-target.com -p "Target Program"

# View results
ls ./output/
```

```bash
# Basic scan
snailhunter scan example.com

# With program name (for report metadata)
snailhunter scan example.com -p "HackerOne - Example"

# Focus on critical/high severity
snailhunter scan example.com --severity critical,high

# With specific Nuclei tags
snailhunter scan example.com --tags cve,rce,sqli

# Passive only (no active scanning)
snailhunter scan example.com --passive-only

# Skip reconnaissance (direct scanning)
snailhunter scan https://api.example.com --skip-recon

# JSON output for scripting
snailhunter scan example.com --json
```

```bash
# Reconnaissance only
snailhunter recon example.com
snailhunter recon example.com --passive -o recon.json

# Content discovery
snailhunter discover https://example.com
snailhunter discover https://example.com -i thorough

# Validate findings file
snailhunter validate findings.json --threshold 0.7

# Generate report for a finding
snailhunter report FINDING_ID -f hackerone -o report.md
```

```bash
# View configuration
snailhunter config

# Check installed tools
snailhunter tools

# View scan history
snailhunter history -n 20
```
```text
                              SNAILHUNTER

 SCOPE ──────► RECON ──────► DISCOVERY ────► SCANNING ──► VALIDATION
   │             │               │              │             │
   ▼             ▼               ▼              ▼             ▼
 Parse scope   Subdomains    Directories     Nuclei       AI FP Filter
 HackerOne     Live hosts    Parameters      SQLMap       Chain detect
 Bugcrowd      Tech stack    API endpoints   Dalfox       CVSS scoring
                                                              │
                                                              ▼
                                                          REPORTING
                                                              │
                                                              ▼
                                                          Markdown/JSON
                                                          HackerOne fmt
                                                          Bugcrowd fmt

 TOOLS        AI PROVIDERS   STORAGE       OUTPUT
 ─────        ────────────   ───────       ──────
 Nuclei       Anthropic      SQLite        Markdown reports
 SQLMap       OpenAI         JSON files    JSON exports
 Dalfox       Ollama                       Platform formats
 ffuf
 httpx
 subfinder
```
| Stage | Description | Tools Used |
|---|---|---|
| 1. Scope | Parse program rules, extract targets | Custom parser |
| 2. Recon | Subdomain enum, live host detection, tech fingerprinting | subfinder, httpx |
| 3. Discovery | Content discovery, parameter mining, API detection | ffuf, custom |
| 4. Scanning | Vulnerability scanning with multiple tools | nuclei, sqlmap, dalfox |
| 5. Validation | AI-powered FP filtering, chain detection, CVSS | Claude/GPT |
| 6. Reporting | Generate submission-ready reports | AI-enhanced |
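
Recon can surface hosts that the program does not cover, so the output of stage 2 needs a scope gate before anything is scanned. The following is an added example, not SnailHunter's scope parser: the scope format (exact hosts, `*.` wildcards, an exclusion list) and every name in it are assumptions, and the sample scope is constructed.

```python
# Added example, not SnailHunter code. Scope format and names are assumptions.
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample scope for a hypothetical program.
INCLUDE = ["example.com", "*.example.com"]
EXCLUDE = ["payments.example.com", "*.corp.example.com"]


def normalize_host(target: str) -> str:
    """Return the lowercase hostname of a bare host or URL ('' if none)."""
    try:
        parts = urlsplit(target if "://" in target else f"//{target}")
    except ValueError:  # malformed input such as an unbalanced '['
        return ""
    return (parts.hostname or "").rstrip(".")


def matches(host: str, pattern: str) -> bool:
    """'*.example.com' covers subdomains only; anything else is exact."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Compare on the dot boundary so 'notexample.com' never matches.
        return host.endswith(pattern[1:])
    return host == pattern


def is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def in_scope(target: str, include=INCLUDE, exclude=EXCLUDE) -> bool:
    host = normalize_host(target)
    if not host or any(matches(host, p) for p in exclude):
        return False  # fail closed; exclusions always win
    if is_ip(host):
        return host in include  # raw IPs must be listed explicitly
    return any(matches(host, p) for p in include)


def partition(targets, include=INCLUDE, exclude=EXCLUDE):
    """Split discovered targets into (allowed, rejected) before scanning."""
    allowed = [t for t in targets if in_scope(t, include, exclude)]
    rejected = [t for t in targets if t not in allowed]
    return allowed, rejected
```

Logging the rejected list alongside the allowed one gives an audit trail of what was deliberately left untouched.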
```bash
# LLM Provider (anthropic, openai, ollama)
SNAILHUNTER_LLM_PROVIDER=anthropic

# API Keys
SNAILHUNTER_ANTHROPIC_API_KEY=sk-ant-...
SNAILHUNTER_OPENAI_API_KEY=sk-...

# Model selection
SNAILHUNTER_LLM_MODEL=claude-sonnet-4-20250514

# Rate limiting (requests per second)
SNAILHUNTER_RATE_LIMIT_REQUESTS_PER_SECOND=10

# Database path
SNAILHUNTER_DB_PATH=./data/snailhunter.db

# Logging
SNAILHUNTER_LOG_LEVEL=INFO
```

```bash
# Start Ollama
ollama serve

# Pull a model
ollama pull llama3

# Configure SnailHunter
export SNAILHUNTER_LLM_PROVIDER=ollama
export SNAILHUNTER_LLM_MODEL=llama3
export SNAILHUNTER_OLLAMA_BASE_URL=http://localhost:11434

# Run without cloud AI
snailhunter scan example.com
```

```text
TheMothership/
├── src/snailhunter/
│   ├── cli.py              # CLI with rich output
│   ├── core/
│   │   ├── pipeline.py     # Main orchestrator
│   │   ├── config.py       # Settings management
│   │   └── state.py        # SQLite persistence
│   ├── stages/
│   │   ├── scope.py        # Scope parsing
│   │   ├── recon.py        # Reconnaissance
│   │   ├── discovery.py    # Content discovery
│   │   ├── scanning.py     # Vulnerability scanning
│   │   ├── validation.py   # AI validation
│   │   └── reporting.py    # Report generation
│   ├── tools/
│   │   ├── nuclei.py       # Nuclei wrapper
│   │   ├── sqlmap.py       # SQLMap wrapper
│   │   ├── dalfox.py       # Dalfox wrapper
│   │   ├── ffuf.py         # ffuf wrapper
│   │   ├── httpx_tool.py   # httpx wrapper
│   │   └── subfinder.py    # subfinder wrapper
│   ├── ai/
│   │   ├── llm.py          # LLM abstraction
│   │   └── prompts/        # AI prompt templates
│   └── models/
│       ├── finding.py      # Finding dataclass
│       └── target.py       # Target dataclass
├── tests/                  # Test suite
├── pyproject.toml          # Package config
├── .env.example            # Environment template
└── CLAUDE.md               # AI assistant guide
```
- SQL Injection (Boolean, Error, Union, Time-based, Stacked)
- Cross-Site Scripting (Reflected, Stored, DOM-based)
- Server-Side Request Forgery (SSRF)
- XML External Entity (XXE)
- Remote Code Execution (RCE)
- Local/Remote File Inclusion (LFI/RFI)
- Insecure Direct Object Reference (IDOR)
- Open Redirect
- CORS Misconfiguration
- Security Misconfigurations
- AWS Metadata SSRF (169.254.169.254)
- S3 Bucket Misconfigurations
- Azure Blob Storage Exposure
- GCP Service Account Leaks
| Chain | Pattern |
|---|---|
| Cloud Takeover | SSRF → Metadata → IAM Keys → Full Access |
| Account Takeover | XSS → Cookie Theft → Session Hijack |
| Privilege Escalation | IDOR → Admin Access → User Data |
| OAuth Bypass | Open Redirect → OAuth Flow → Token Theft |
```bash
# Install dev dependencies
pip install -e ".[dev]"

# Run tests
pytest

# Run with coverage
pytest --cov=src/snailhunter --cov-report=html

# Type checking
mypy src/

# Linting
ruff check src/
ruff format src/
```

SnailHunter is for authorized security testing only.

- Only test targets you have explicit permission to test
- Respect program scope and exclusions
- Follow responsible disclosure practices
- Use rate limiting to avoid service disruption
- Never test without authorization
- Never exceed program scope
- Never use for malicious purposes
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing`)
- Make your changes
- Run tests (`pytest`)
- Commit (`git commit -m 'Add amazing feature'`)
- Push (`git push origin feature/amazing`)
- Open a Pull Request
MIT License - See LICENSE for details.
Built by SnailSploit
Hunt slow, strike fast.