AI-Powered Web Attack Surface Enumeration - The future of intelligent discovery
Project description
enumeraite
AI-Powered Web Attack Surface Enumeration
Proof-of-concept research demonstrating the future of intelligent enumeration.
Traditional wordlists are dead. AI-driven discovery is the future.
🌐 Website • 🤗 Models • 📦 GitHub • 📹 Talk
Research presented at DEFCON 33 Recon Village
by Özgün Kültekin (@oz9un)
Features
Two Modes of Operation
| Mode | Command | Purpose |
|---|---|---|
| Generate | enumeraite generate |
Bulk generation from wordlists - feed it known paths/subdomains, get intelligent variants |
| Analyze | enumeraite analyze |
Deep analysis of single targets - understand patterns and generate context-aware results |
Capabilities
| Feature | Description |
|---|---|
| Path Generation | Generate API endpoints from known paths using AI pattern recognition |
| Subdomain Generation | Generate subdomains based on naming patterns and conventions |
| DNS Validation | Validate generated subdomains via DNS resolution (--validate) |
| HTTP Validation | Check HTTP/HTTPS response for validated subdomains (--check-http) |
| Pattern Analysis | Deep decomposition of complex naming patterns (analyze mode) |
| Function-based Discovery | Find endpoints for specific functionality like "user deletion" or "admin ops" |
| Debug Mode | Track token usage and cost estimation (--debug) |
| Tool Integration | Pipe output directly to ffuf, gobuster, dirb, nuclei |
Supported Providers
| Provider | Setup | Best For |
|---|---|---|
| Claude | export ANTHROPIC_API_KEY='...' |
Production use (recommended) |
| OpenAI | export OPENAI_API_KEY='...' |
Production use |
| HuggingFace | No setup needed | Free experimentation (limited quality) |
Quick Start
Installation
git clone https://github.com/oz9un/enumeraite.git
cd enumeraite
pip install -e .
Setup
Option 1: Claude (Recommended)
# Get API key from https://console.anthropic.com/
export ANTHROPIC_API_KEY='your-api-key-here'
# Generate paths with Claude
enumeraite generate path --input paths.txt --provider claude --count 20
Option 2: OpenAI
# Get API key from https://platform.openai.com/api-keys
export OPENAI_API_KEY='your-api-key-here'
# Generate paths with GPT-4
enumeraite generate path --input paths.txt --provider openai --count 20
Option 3: Local Models (Experimental)
# No API key needed, but quality is limited
enumeraite generate path --input paths.txt --provider huggingface --model enumeraite/Enumeraite-x-Qwen3-4B-Path --count 20
Basic Usage Examples
Path Discovery:
# Start with known endpoints
echo "/api/users
/api/auth/login
/admin/dashboard" > known_paths.txt
# Generate intelligent variants
enumeraite generate path --input known_paths.txt --provider claude --count 25
Subdomain Discovery:
# Known subdomains
echo "api.example.com
admin.example.com
staging.example.com" > known_subs.txt
# Generate with DNS validation
enumeraite generate subdomain --input known_subs.txt --provider claude --validate --count 30
Understanding Token Usage and Models
# Monitor token usage with debug flag
enumeraite generate path --input paths.txt --provider claude --count 25 --debug
# Use specific models
enumeraite generate path --input paths.txt --provider openai --model gpt-4 --count 20
enumeraite generate path --input paths.txt --provider claude --model anthropic/claude-sonnet-4 --count 20
enumeraite generate path --input paths.txt --provider huggingface --model enumeraite/Enumeraite-x-Qwen3-4B-Subdomain --count 15
Examples
Bulk Path Generation
enumeraite generate path --input my_paths.txt --provider claude --count 20
Subdomain Generation with DNS Validation
enumeraite generate subdomain --input my_subdomains.txt --provider claude --validate --count 30
Path Function Analysis
enumeraite analyze path "/api/Usr_crt" --function "user deletion" --provider claude
Subdomain Pattern Analysis
enumeraite analyze subdomain "activateiphone-use1-cx02.example.com" --provider claude
Tool Integration
Enumeraite output is designed to work seamlessly with popular fuzzing tools.
Pipe to ffuf
# Generate paths and fuzz directly
enumeraite generate path -i known_paths.txt -c 100 | ffuf -w - -u https://target.com/FUZZ
# Save to file first, then use
enumeraite generate path -i known_paths.txt -o wordlist.txt
ffuf -w wordlist.txt -u https://target.com/FUZZ
Pipe to gobuster
enumeraite generate path -i known_paths.txt | gobuster dir -u https://target.com -w -
With nuclei
# Generate subdomains, validate, then scan
enumeraite generate subdomain -i subs.txt --validate -o live_subs.txt
nuclei -l live_subs.txt -t cves/
Command Reference
generate path
enumeraite generate path -i <input> [options]
Options:
-i, --input PATH Input file with known paths (required)
-o, --output PATH Output file (default: stdout)
-c, --count INT Number to generate (default: 50)
--provider TEXT AI provider: claude, openai, huggingface
--model TEXT Specific model to use
--debug Show token usage and cost
generate subdomain
enumeraite generate subdomain -i <input> [options]
Options:
-i, --input PATH Input file with known subdomains (required)
-o, --output PATH Output file (default: stdout)
-c, --count INT Number to generate (default: 50)
--provider TEXT AI provider: claude, openai, huggingface
--model TEXT Specific model to use
--validate Enable DNS validation
--check-http Check HTTP response (requires --validate)
--debug Show token usage and cost
analyze path
enumeraite analyze path <path> -f <function> [options]
Options:
-f, --function TEXT Functionality to find (required)
-c, --count INT Number of variants (default: 20)
-o, --output PATH Output file (default: stdout)
--provider TEXT AI provider: claude, openai, huggingface
--debug Show debug info
analyze subdomain
enumeraite analyze subdomain <subdomain> [options]
Options:
-c, --count INT Number of variants (default: 20)
-o, --output PATH Output file (default: stdout)
--provider TEXT AI provider: claude, openai, huggingface
--debug Show debug info
Future Vision
This research opens several exciting directions:
Near-term Improvements:
- Better fine-tuned models trained on real application data
- Target-specific wordlist generation based on technology stack
- Response-aware fuzzing that adapts based on HTTP responses
- Integration with existing tools (ffuf, dirb, gobuster)
Long-term Potential:
- RAG-enhanced models with application-specific knowledge bases
- Multi-modal analysis incorporating HTML, JavaScript, and API schemas
Research Applications:
- Academic study of AI in offensive security
- Benchmark for evaluating enumeration approaches
- Foundation for specialized security AI models
Quality Comparison
| Model | Quality | Consistency | Cost | Use Case |
|---|---|---|---|---|
| Claude Sonnet | ⭐⭐⭐⭐⭐ | Excellent | Low | Production research |
| GPT-4 | ⭐⭐⭐⭐⭐ | Very Good | Medium | Production research |
| Custom Enumeraite Models | ⭐⭐⚫⚫⚫ | Poor | Free | Demo/testing only |
Contributing to Research
We welcome contributions that advance the methodology:
- Model improvements and training data
- Integration with existing tools
- Novel enumeration techniques
- Evaluation metrics and benchmarks
- Real-world case studies
License
This research project is licensed under the MIT License - see the LICENSE file for details.
⚠️ Ethical Use Disclaimer
This research tool is intended for authorized security testing and academic research only.
Users are responsible for ensuring they have proper permission to test target systems.
Research Status
This is proof-of-concept research software. Results may vary.
For production security testing, combine with traditional methods.
"The future of enumeration is not about having the biggest wordlist,
but about having the smartest approach."
For detailed documentation, examples, and advanced usage:
Visit enumeraite.com
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file enumeraite-0.1.0.tar.gz.
File metadata
- Download URL: enumeraite-0.1.0.tar.gz
- Upload date:
- Size: 35.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0918f87ced9f6fcebb71979d467399b5678cd10c14a8765a4f56548ed5fc9865
|
|
| MD5 |
644b6fa7961fa79a14498f97e097f347
|
|
| BLAKE2b-256 |
430cacddbbe553f43896731c4cdf945acd99aab24d5320a4288c4e62863f90d7
|
File details
Details for the file enumeraite-0.1.0-py3-none-any.whl.
File metadata
- Download URL: enumeraite-0.1.0-py3-none-any.whl
- Upload date:
- Size: 43.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9f95428f824b96d1e86d880279d859f3da1b0566445294f3390cc95aca3be909
|
|
| MD5 |
907a8d19f5b43f9065214b930424fcd2
|
|
| BLAKE2b-256 |
23a57083c91f6c3892e9574c11d1a40957ab7e8ecb3bd4876b9d65d84ea4d502
|
