monsoon
A fast HTTP enumerator that allows you to execute a large number of HTTP requests, filter the responses and display them in real-time.
Example
Run an HTTP GET request for each entry in filenames.txt, hide all responses with the status code 404:
Common usage of monsoon is also covered in our blog article "Introducing monsoon - a lean and versatile HTTP enumerator".
Installation
Building from source
These instructions will get you a compiled version of the code in the main branch.
You'll need a recent version of the Go compiler, at
least version 1.17. For Debian, install the package golang-go.
Clone the repository, then from within the checkout run the following command:
$ go build
Afterwards you'll find a monsoon binary in the current directory. It can be
for other operating systems as follows:
$ GOOS=windows GOARCH=amd64 go build -o monsoon.exe
Unofficial Packages
For Arch Linux based distributions monsoon is available as an unofficial
package on the AUR. Using your
AUR helper of choice such as yay:
yay -S monsoonGetting Help
The program has several subcommands, the most important one is fuzz which
contains the main functionality. You can display a list of commands as follows:
$ ./monsoon -h
Usage:
monsoon command [options]
Available Commands:
fuzz Execute and filter HTTP requests
help Help about any command
show Construct and display an HTTP request
test Send an HTTP request to a server and show the result
version Display version information
Options:
-h, --help help for monsoon
Use "monsoon [command] --help" for more information about a command.
For each command, calling it with --help (e.g. monsoon fuzz --help) will
display a description of all the options, and calling monsoon help fuzz
also shows an extensive list of examples.
Wordlists
The SecLists Project collects
wordlists that can be used with monsoon.