RedTeamPentesting/monsoon

monsoon

A fast HTTP enumerator that allows you to execute a large number of HTTP requests, filter the responses and display them in real time.

monsoon is a fast and flexible HTTP fuzzer that can be used for a wide variety of actions ranging from content discovery to credential bruteforcing. You can read about the various use cases in our blog posts "Introducing monsoon - a lean and versatile HTTP enumerator" and "Bringing Monsoon to the Next Level".

In the following example, an HTTP GET request is sent for each entry in filenames.txt, ignoring all responses with the status code 404:

[Image: basic demo]

Installation

As monsoon is a single statically linked binary, you can simply download a pre-built binary for your operating system from the releases page.

Building from source

These instructions will get you a compiled version of the code in the main branch. First, you'll need a recent version of the Go compiler, at least version 1.18. Once your compiler is set up, clone the monsoon repository and run the following command from within the checkout:

$ go build

Afterwards you'll find a monsoon binary in the current directory. It can be built for other operating systems such as Windows as follows:

$ GOOS=windows GOARCH=amd64 go build -o monsoon.exe

Unofficial Packages

Please note that unofficial packages are not maintained by RedTeam Pentesting.

For Arch Linux-based distributions, monsoon is available as an unofficial package on the AUR. Install it using your AUR helper of choice, such as yay:

yay -S monsoon

Documentation

The program has several subcommands; the most important one is fuzz, which contains the main functionality. You can display a list of commands as follows:

$ ./monsoon -h
Usage:
  monsoon command [options]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  fuzz        Execute and filter HTTP requests
  help        Help about any command
  list        List and filter previous runs of 'fuzz'
  show        Construct and display an HTTP request
  test        Execute and filter HTTP requests
  version     Print the current version

Options:
  -h, --help   help for monsoon

Use "monsoon [command] --help" for more information about a command.

For each command, calling it with --help (e.g. monsoon fuzz --help) will display a description of all the options, and calling monsoon help fuzz also shows an extensive list of examples.

Wordlists

The SecLists Project collects wordlists that can be used with monsoon.