AI-Powered Web Attack Surface Enumeration - The future of intelligent discovery
enumeraite
AI-Powered Web Attack Surface Enumeration
Proof-of-concept research demonstrating the future of intelligent enumeration.
Traditional wordlists are dead. AI-driven discovery is the future.
Research presented at DEFCON 33 Recon Village
by Özgün Kültekin (@oz9un)
Features
Two Modes of Operation
| Mode | Command | Purpose |
|---|---|---|
| Generate | enumeraite generate | Bulk generation from wordlists - feed it known paths/subdomains, get intelligent variants |
| Analyze | enumeraite analyze | Deep analysis of single targets - understand patterns and generate context-aware results |
Capabilities
| Feature | Description |
|---|---|
| Path Generation | Generate API endpoints from known paths using AI pattern recognition |
| Subdomain Generation | Generate subdomains based on naming patterns and conventions |
| DNS Validation | Validate generated subdomains via DNS resolution (--validate) |
| HTTP Validation | Check HTTP/HTTPS response for validated subdomains (--check-http) |
| Pattern Analysis | Deep decomposition of complex naming patterns (analyze mode) |
| Function-based Discovery | Find endpoints for specific functionality like "user deletion" or "admin ops" |
| Debug Mode | Track token usage and cost estimation (--debug) |
| Tool Integration | Pipe output directly to ffuf, gobuster, dirb, nuclei |
Supported Providers
| Provider | Setup | Quality | Download Size | Included by Default |
|---|---|---|---|---|
| Claude | export ANTHROPIC_API_KEY='...' | ⭐⭐⭐⭐⭐ Excellent | ~3MB | ✅ Yes |
| OpenAI | export OPENAI_API_KEY='...' | ⭐⭐⭐⭐⭐ Excellent | ~5MB | ✅ Yes |
| HuggingFace | pip install "enumeraite[huggingface]" | ⭐⭐⚫⚫⚫ Limited | ~3GB | ❌ Optional |
Quick Start
30-Second Start
# Install enumeraite (includes Claude + OpenAI support)
pip install enumeraite
# Set API key
export ANTHROPIC_API_KEY='your-key-here'
# Create sample paths file (printf is portable; echo -e is not honoured by every shell)
printf '/api/users\n/api/auth/login\n/admin/dashboard\n' > paths.txt
# Generate intelligent variants
enumeraite generate path --input paths.txt --count 20
Installation
Default (Recommended) - Best Quality, Lightweight:
# Includes Claude + OpenAI providers (~8MB download)
pip install enumeraite
With Local Models (Heavy Download):
# Adds HuggingFace models (~3GB+ download, limited quality)
pip install "enumeraite[huggingface]"
# Everything including heavy local models
pip install "enumeraite[all]"
From Source (Development):
git clone https://github.com/oz9un/enumeraite.git
cd enumeraite
pip install -e .
💡 Why this structure?
- Default: Get the best quality tools (Claude + OpenAI) with minimal download
- HuggingFace: Only install if you need offline/local models (much larger, lower quality)
Setup
Both Claude and OpenAI are included by default! Just add your API key:
Claude (Recommended):
# Get API key from https://console.anthropic.com/
export ANTHROPIC_API_KEY='your-api-key-here'
# Ready to use!
enumeraite generate path --input paths.txt --provider claude --count 20
OpenAI:
# Get API key from https://platform.openai.com/api-keys
export OPENAI_API_KEY='your-api-key-here'
# Ready to use!
enumeraite generate path --input paths.txt --provider openai --count 20
HuggingFace Local Models (Optional):
# First install the heavy dependencies (~3GB)
pip install "enumeraite[huggingface]"
# No API key needed, but quality is limited
enumeraite generate path --input paths.txt --provider huggingface --model enumeraite/Enumeraite-x-Qwen3-4B-Path --count 20
💡 Smart Dependency Design
Why we include Claude + OpenAI by default:
| Approach | Download Size | Quality | Cost | Offline |
|---|---|---|---|---|
| Default (Claude/OpenAI) | ~8MB | ⭐⭐⭐⭐⭐ | Pay-per-use | ❌ |
| HuggingFace Local | ~3GB+ | ⭐⭐⚫⚫⚫ | Free | ✅ |
- Most users want: High quality results, minimal setup → Use default
- Researchers/offline use: Local models, no API costs → Add [huggingface]
Basic Usage Examples
Path Discovery:
# Start with known endpoints
echo "/api/users
/api/auth/login
/admin/dashboard" > known_paths.txt
# Generate intelligent variants
enumeraite generate path --input known_paths.txt --provider claude --count 25
Subdomain Discovery:
# Known subdomains
echo "api.example.com
admin.example.com
staging.example.com" > known_subs.txt
# Generate with DNS validation
enumeraite generate subdomain --input known_subs.txt --provider claude --validate --count 30
Understanding Token Usage and Models
# Monitor token usage with debug flag (Claude + OpenAI included by default)
enumeraite generate path --input paths.txt --provider claude --count 25 --debug
# Use specific models (no extra installation needed)
enumeraite generate path --input paths.txt --provider openai --model gpt-4 --count 20
enumeraite generate path --input paths.txt --provider claude --model anthropic/claude-sonnet-4 --count 20
# HuggingFace models (requires: pip install "enumeraite[huggingface]")
enumeraite generate path --input paths.txt --provider huggingface --model enumeraite/Enumeraite-x-Qwen3-4B-Subdomain --count 15
Examples
Bulk Path Generation
enumeraite generate path --input my_paths.txt --provider claude --count 20
Subdomain Generation with DNS Validation
enumeraite generate subdomain --input my_subdomains.txt --provider claude --validate --count 30
Path Function Analysis
enumeraite analyze path "/api/Usr_crt" --function "user deletion" --provider claude
Subdomain Pattern Analysis
enumeraite analyze subdomain "activateiphone-use1-cx02.example.com" --provider claude
Tool Integration
Enumeraite output is designed to work seamlessly with popular fuzzing tools.
Pipe to ffuf
# Generate paths and fuzz directly
enumeraite generate path -i known_paths.txt -c 100 | ffuf -w - -u https://target.com/FUZZ
# Save to file first, then use
enumeraite generate path -i known_paths.txt -o wordlist.txt
ffuf -w wordlist.txt -u https://target.com/FUZZ
Pipe to gobuster
enumeraite generate path -i known_paths.txt | gobuster dir -u https://target.com -w -
With nuclei
# Generate subdomains, validate, then scan
enumeraite generate subdomain -i subs.txt --validate -o live_subs.txt
nuclei -l live_subs.txt -t cves/
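Candidates come from a language model, and the page does not say how enumeraite sanitizes them, so a filter stage between the generator and ffuf, gobuster or nuclei keeps requests well-formed and inside the authorized scope. The following is an added example, not part of enumeraite: the function names, the script name and the `example.com` scope are assumptions.

```python
import re
import sys

LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")  # one DNS hostname label

def clean_host(line, allowed_suffixes):
    """Return a normalized in-scope hostname, or None if the line is dropped."""
    host = line.strip().lower().rstrip(".")
    if not host or len(host) > 253:
        return None
    # Rejects URLs, prose and malformed labels in one pass.
    if not all(LABEL.fullmatch(label) for label in host.split(".")):
        return None
    # Match on a label boundary so "evil-example.com" does not pass for "example.com".
    if not any(host == s or host.endswith("." + s) for s in allowed_suffixes):
        return None
    return host

def clean_path(line):
    """Return a plain absolute path, or None if the line is dropped."""
    path = line.strip()
    # Must be an absolute path; "//host/x" can be read as a protocol-relative URL.
    if not path.startswith("/") or path.startswith("//"):
        return None
    # No inner whitespace, control characters, backslashes or fragments.
    if re.search(r"[\s\x00-\x1f\\#]", path):
        return None
    # No parent-directory segments that would climb out of the tested prefix.
    if ".." in path.split("/"):
        return None
    return path

def filter_candidates(lines, kind, allowed_suffixes=()):
    """Deduplicate and keep only well-formed, in-scope candidates (order preserved)."""
    seen, kept = set(), []
    for line in lines:
        if kind == "subdomain":
            item = clean_host(line, allowed_suffixes)
        else:
            item = clean_path(line)
        if item and item not in seen:
            seen.add(item)
            kept.append(item)
    return kept

if __name__ == "__main__":
    # Usage (hypothetical file name): scope_filter.py subdomain example.com < candidates.txt
    kind, suffixes = sys.argv[1], tuple(sys.argv[2:])
    print("\n".join(filter_candidates(sys.stdin, kind, suffixes)))
```

Placed in a pipeline it reads candidates on stdin and writes the kept ones to stdout, so it slots in before the `| ffuf -w -` stage shown above.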
Command Reference
generate path
enumeraite generate path -i <input> [options]
Options:
  -i, --input PATH     Input file with known paths (required)
  -o, --output PATH    Output file (default: stdout)
  -c, --count INT      Number to generate (default: 50)
  --provider TEXT      AI provider: claude, openai, huggingface
  --model TEXT         Specific model to use
  --debug              Show token usage and cost
generate subdomain
enumeraite generate subdomain -i <input> [options]
Options:
  -i, --input PATH     Input file with known subdomains (required)
  -o, --output PATH    Output file (default: stdout)
  -c, --count INT      Number to generate (default: 50)
  --provider TEXT      AI provider: claude, openai, huggingface
  --model TEXT         Specific model to use
  --validate           Enable DNS validation
  --check-http         Check HTTP response (requires --validate)
  --debug              Show token usage and cost
analyze path
enumeraite analyze path <path> -f <function> [options]
Options:
  -f, --function TEXT  Functionality to find (required)
  -c, --count INT      Number of variants (default: 20)
  -o, --output PATH    Output file (default: stdout)
  --provider TEXT      AI provider: claude, openai, huggingface
  --debug              Show debug info
analyze subdomain
enumeraite analyze subdomain <subdomain> [options]
Options:
  -c, --count INT      Number of variants (default: 20)
  -o, --output PATH    Output file (default: stdout)
  --provider TEXT      AI provider: claude, openai, huggingface
  --debug              Show debug info
Future Vision
This research opens several exciting directions:
Near-term Improvements:
- Better fine-tuned models trained on real application data
- Target-specific wordlist generation based on technology stack
- Response-aware fuzzing that adapts based on HTTP responses
- Integration with existing tools (ffuf, dirb, gobuster)
Long-term Potential:
- RAG-enhanced models with application-specific knowledge bases
- Multi-modal analysis incorporating HTML, JavaScript, and API schemas
Research Applications:
- Academic study of AI in offensive security
- Benchmark for evaluating enumeration approaches
- Foundation for specialized security AI models
Quality Comparison
| Model | Quality | Consistency | Cost | Use Case |
|---|---|---|---|---|
| Claude Sonnet | ⭐⭐⭐⭐⭐ | Excellent | Low | Production research |
| GPT-4 | ⭐⭐⭐⭐⭐ | Very Good | Medium | Production research |
| Custom Enumeraite Models | ⭐⭐⚫⚫⚫ | Poor | Free | Demo/testing only |
Contributing to Research
We welcome contributions that advance the methodology:
- Model improvements and training data
- Integration with existing tools
- Novel enumeration techniques
- Evaluation metrics and benchmarks
- Real-world case studies
License
This research project is licensed under the MIT License - see the LICENSE file for details.
⚠️ Ethical Use Disclaimer
This research tool is intended for authorized security testing and academic research only.
Users are responsible for ensuring they have proper permission to test target systems.
Research Status
This is proof-of-concept research software. Results may vary.
For production security testing, combine with traditional methods.
"The future of enumeration is not about having the biggest wordlist,
but about having the smartest approach."
For detailed documentation, examples, and advanced usage:
Visit enumeraite.com
File details
Details for the file enumeraite-0.1.4.tar.gz.
File metadata
- Download URL: enumeraite-0.1.4.tar.gz
- Upload date:
- Size: 37.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.1
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 797e5cc0862d005bc46553f19b255476b14910e4ea53f24a90fd05a5fa4a6ba7 |
| MD5 | 11712225c7929b9447e9de0ec1c8cc7d |
| BLAKE2b-256 | eda3cc54edb92f0ed7fbe2c271c1c097d0555319eed69db8a01efcc22dae4cc6 |
File details
Details for the file enumeraite-0.1.4-py3-none-any.whl.
File metadata
- Download URL: enumeraite-0.1.4-py3-none-any.whl
- Upload date:
- Size: 44.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.1
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 068678ff6086710a9014d4878f0dc8739b119145956533ed84e5609c58f4e726 |
| MD5 | 6cd9c3d7d958e175fe6423d62da6f5bb |
| BLAKE2b-256 | 10ecfa2224969b8164a703a2569484a9debcbaf80b2325a4c4169d20ac7ff61e |