Overview
DS1 Hunter is an autonomous, self-hosted web application and API security scanner built by DigitalSecurity1. It runs a structured 5-phase assessment pipeline against a target URL and produces a risk-scored, evidence-backed report.
Unlike point tools that check a single vulnerability class, DS1 Hunter chains discovery findings into active exploit attempts, linking what it finds in Phase 1 directly into payload selection in Phase 3. Nothing is sent to external servers. No API keys. No telemetry.
Key Capabilities
- 5-phase autonomous pipeline: recon, crawl, vulnerability scan, exploitation, reporting
- 43 attack and discovery modules covering OWASP Top 10 and beyond
- Think Mode: adaptive AI-assisted payload tuning (Deep and Aggressive scans)
- Safe proof-of-concept generation: logs exact exploit chains, no destructive actions
- CLI and local Web UI interfaces
- Proxy and Tor support for stealth engagements
- Session / cookie injection for authenticated scans
- HTML, JSON, and Markdown report output
System Requirements
| Component | Minimum | Recommended |
|---|---|---|
OS | Kali 2024+, Debian 12, Ubuntu 22.04 / macOS Ventura 13+ / Windows 10 21H2+ | Kali Linux 2024+ or Ubuntu 24.04 |
CPU | 2 cores | 4+ cores |
RAM | 4 GB | 8 GB (Think Mode benefits significantly) |
Python | 3.10 (auto-installed) | 3.13 (auto-installed) |
Disk | 2 GB | 4 GB (for report storage) |
Download DS1 Hunter Community Edition
Free to download. Self-hosted. No account required. No usage limits.
Linux (Kali, Debian, Ubuntu)
⬇ Download for Linux ds1hunter-CE-v1.0.0-linux.run# Run the downloaded installer: sudo bash ds1hunter-CE-v1.0.0-linux.run # Handles Python, Node.js, and all dependencies automatically. # Credentials are printed once at the end. Save them.
macOS (Ventura 13 and later)
⬇ Download for macOS ds1hunter-CE-v1.0.0-macos.runsudo bash ds1hunter-CE-v1.0.0-macos.run # If macOS Gatekeeper blocks it: xattr -d com.apple.quarantine ds1hunter-CE-v1.0.0-macos.run sudo bash ds1hunter-CE-v1.0.0-macos.run
Windows (PowerShell as Administrator)
⬇ Download for Windows ds1hunter-CE-v1.0.0-windows.ps1# Open PowerShell as Administrator, then run: powershell -ExecutionPolicy Bypass -File ds1hunter-CE-v1.0.0-windows.ps1 # Handles Python, Node.js, services, and certificate automatically.
Quick Start
Run your first scan against an authorized target:
# Normal scan (default) ds1hunter https://target.example.com # Deep scan with Think Mode ds1hunter https://target.example.com --depth deep --think # Open the Web UI in your browser # https://127.0.0.1:13000
After install, open https://127.0.0.1:13000 in your browser for the full Web UI, or use the CLI directly. Reports are saved to ./ds1hunter-reports/ by default.
CLI Reference
Core Options
| Flag | Description | Default |
|---|---|---|
--target URL | Target URL (must include https://) | required |
--depth MODE | normal, deep, aggressive | normal |
--report FORMAT | html, json, md, all | html |
--out DIR | Output directory for reports | ./ds1hunter-reports |
--threads N | Override thread count for scan depth | depth default |
--timeout N | Per-request timeout in seconds | 10 |
--ui | Open Web UI at https://127.0.0.1:13000 | off |
--version | Print version and exit |
Authentication
| Flag | Description | Default |
|---|---|---|
--cookie "K=V" | Session cookie for all requests | |
--header "K: V" | Custom HTTP header (repeatable) | |
--auth user:pass | HTTP Basic credentials | |
--token "Bearer ..." | Authorization header value |
Stealth / Proxy
| Flag | Description | Default |
|---|---|---|
--proxy URL | HTTP/HTTPS/SOCKS5 proxy URL | |
--tor | Route through Tor (requires Tor running locally) | off |
--delay N | Milliseconds between requests | 0 |
--user-agent UA | Override default User-Agent string | ds1hunter/1.0 |
Module Control
| Flag | Description | Default |
|---|---|---|
--modules LIST | Comma-separated modules to run | all |
--skip LIST | Comma-separated modules to skip | |
--list-modules | Print all module names and exit |
Scan Depths
Three presets control rate, concurrency, wordlist size, and Think Mode payload budget.
Normal
~1,000 requests. 5 threads. Up to 25 pages crawled. Standard wordlists. No Think Mode. Ideal for quick assessments or rate-limited environments.
ds1hunter --target https://target.example.com --depth normal
Deep (recommended)
~5,000 requests. 10 threads. Up to 100 pages. Extended wordlists. Think Mode active: 500 adaptive payloads per module tuned to the detected tech stack.
ds1hunter --target https://target.example.com --depth deep
Aggressive
25,000+ requests. 25 threads. Unlimited crawl. Maximum wordlists. Think Mode: 2,000+ payloads per module. Likely to trigger WAF and IDS alerts. Use only with explicit written authorization.
ds1hunter --target https://target.example.com --depth aggressive --report all
Think Mode
Think Mode is DS1 Hunter's adaptive intelligence layer, active on Deep and Aggressive depths. Instead of static payload lists it:
- Detects the target tech stack (framework, server, language, WAF) during Phase 1 recon
- Generates context-aware payloads tuned to the detected environment
- Chains Phase 2 discoveries into Phase 3 payload selection
- Adjusts retry and encoding strategies based on observed response patterns
Think Mode runs entirely locally. No external API calls. The intelligence is bundled with the DS1 Hunter installation.
--depth deep over aggressive to benefit from Think Mode at lower resource cost.Scan Phases
All scans run the same 5-phase pipeline. Depth controls how deeply each phase executes.
Phase 1: Recon
Technology fingerprinting, DNS enumeration, subdomain discovery, open port survey, WAF detection, SSL/TLS analysis, email and metadata harvesting. Output builds Think Mode's stack profile.
Phase 2: Crawl and Map
Authenticated and unauthenticated spider. Form discovery, API endpoint enumeration, JavaScript analysis for hidden routes, path fuzzing, parameter extraction. Produces the full URL and parameter map used by Phase 3.
Phase 3: Vulnerability Scan
All 43 modules run against the Phase 2 map. Each module tests a specific vulnerability class with payloads selected by Think Mode (if active) or static lists. Results are scored by severity and confidence.
Phase 4: Exploitation
Medium-confidence or higher findings from Phase 3 are re-tested with proof-of-concept exploit chains. DS1 Hunter generates safe exploit proofs: captured outputs, reflected payloads, and access demonstrations without destructive actions.
Phase 5: Reporting
All findings, exploit chains, and evidence compiled into a risk-scored report. CVSS-style scoring per finding. Remediation guidance included for each vulnerability class.
All 43 Modules
Use --list-modules to print the full list at any time. Use --skip module-name or --modules list to control which run.
Injection (8)
Cross-Site Scripting (3)
Broken Access Control (5)
Authentication and Session (6)
Server-Side (7)
API and Modern Web (5)
Infrastructure and Recon (6)
Source Code Review (1)
Total across all categories: 41 active modules + 2 passive recon probes = 43.
Key Module Details
sqli / sqli-blind / sqli-time
Tests GET/POST parameters, HTTP headers (Cookie, User-Agent, Referer), and JSON/XML body values. Error-based, boolean-blind, and time-delay techniques. Think Mode adjusts payload encoding based on detected DBMS (MySQL, PostgreSQL, MSSQL, Oracle).
xss-reflected / xss-stored / xss-dom
Reflected: all injectable positions. Stored: submits to forms and revisits to detect persistence. DOM: analyzes JavaScript for document.write, innerHTML, and eval sinks fed by URL-controlled sources.
ssrf
Tests URL parameters and file-fetch endpoints for Server-Side Request Forgery. Attempts outbound connections to a canary host and cloud metadata endpoints (169.254.169.254, AWS/GCP/Azure internal ranges).
jwt-abuse
Tests for algorithm confusion (RS256 to HS256), alg: none bypass, weak HMAC secrets (wordlist-based), and key injection. Detects JWT tokens in Authorization headers and cookies automatically.
idor / bola
Iterates numeric and UUID object references in parameter values and API paths. Checks whether authorization is validated per-object. Maps to OWASP API Security Top 10 #1.
Reports
Saved to ./ds1hunter-reports/<target>_<timestamp>/ by default. Change with --out /path/to/dir.
HTML Report
Self-contained single HTML file. Executive summary, findings sorted by severity, per-finding request/response evidence, exploit chain notes, and remediation guidance. No server required.
JSON Report
Machine-readable. Suitable for CI pipelines and issue trackers. Schema is stable across minor versions.
{
"id": "sqli-001",
"module": "sqli",
"severity": "critical",
"confidence": "confirmed",
"cvss": 9.1,
"url": "https://target.example.com/api/users",
"parameter": "id",
"payload": "1' OR 1=1--",
"evidence": { "request": "...", "response_diff": "..." },
"remediation": "Use parameterized queries..."
}
Markdown Report
Plain-text Markdown. Paste directly into pentest report templates, Notion pages, or GitHub issues.
Output Formats
# Single format ds1hunter --target https://target.example.com --report json # All formats at once ds1hunter --target https://target.example.com --report all # Custom output directory ds1hunter --target https://target.example.com --report html --out /tmp/pentest-reports/
Config File
DS1 Hunter reads ~/.ds1hunter/config.yml on startup. CLI flags override config file values.
# Default scan settings default_depth: deep default_report: html output_dir: ~/ds1hunter-reports timeout: 15 threads: 10 # Proxy (comment out to disable) proxy: socks5://127.0.0.1:9050 # User-Agent override user_agent: Mozilla/5.0 (compatible; ds1hunter/1.0) # Think Mode (deep and aggressive only) think_mode: true
Proxy / Tor
HTTP/HTTPS proxy
ds1hunter --target https://target.example.com --proxy http://127.0.0.1:8080
Tor (SOCKS5)
# Start Tor first sudo service tor start ds1hunter --target https://target.example.com --tor
--tor is a shorthand for --proxy socks5://127.0.0.1:9050. Think Mode and proxy are fully compatible.Authenticated Scans
Cookie injection
ds1hunter --target https://app.example.com \ --cookie "sessionid=abc123; csrftoken=xyz789"
Bearer token
ds1hunter --target https://api.example.com \ --token "Bearer eyJhbGciOiJIUzI1NiJ9..."
Custom headers
ds1hunter --target https://api.example.com \ --header "X-Api-Key: sk-live-abc123" \ --header "X-Tenant-ID: 42"
FAQ
Does DS1 Hunter send any data to external servers?
No. DS1 Hunter is fully self-hosted. No telemetry, no cloud API calls, no usage reporting. The only outbound traffic is the scan traffic you direct at your target.
Is Think Mode a cloud AI service?
No. Think Mode runs locally using model files bundled with the DS1 Hunter package. There is no dependency on any external AI API.
Can I use DS1 Hunter in a CI/CD pipeline?
Yes. The JSON output and non-zero exit code on findings make it suitable for CI integration. Use --depth normal for pipeline scans to keep runtime under a few minutes.
A clean report means the target is secure?
No. A clean report means no automated vulnerabilities were detected at the tested scan depth. It does not replace a manual penetration test. Complex business logic flaws and second-order issues require human analysis. See our pentest services.
How do I update DS1 Hunter?
Download the new installer for your platform from the releases page and run it the same way as the initial install. The installer handles the update automatically.
Scans are slow. How can I speed them up?
Increase threads with --threads N, skip unused modules with --skip mod1,mod2, and avoid aggressive depth unless required. On low-RAM machines, avoid --depth aggressive entirely.
Uninstall
These commands completely remove DS1 Hunter and all its components from your system. All stored hunts and reports inside the installation directory will be deleted.
/opt/ds1hunter (Linux/macOS) or C:\ds1hunter (Windows) is removed entirely.Linux
# Stop and disable services sudo systemctl stop ds1hunter-api ds1hunter-ui sudo systemctl disable ds1hunter-api ds1hunter-ui # Remove service unit files sudo rm -f /etc/systemd/system/ds1hunter-api.service sudo rm -f /etc/systemd/system/ds1hunter-ui.service sudo systemctl daemon-reload # Remove installation, CLI, and service user sudo rm -rf /opt/ds1hunter sudo rm -f /usr/local/bin/ds1hunter sudo userdel ds1hunter 2>/dev/null sudo rm -rf /var/lib/ds1hunter # Optional: remove logs sudo rm -rf /var/log/ds1hunter
macOS
# Unload and remove launchd services sudo launchctl unload /Library/LaunchDaemons/com.ds1hunter.api.plist 2>/dev/null sudo launchctl unload /Library/LaunchDaemons/com.ds1hunter.ui.plist 2>/dev/null sudo rm -f /Library/LaunchDaemons/com.ds1hunter.api.plist sudo rm -f /Library/LaunchDaemons/com.ds1hunter.ui.plist # Remove installation and CLI sudo rm -rf /opt/ds1hunter sudo rm -f /usr/local/bin/ds1hunter # Remove service user sudo dscl . -delete /Users/_ds1hunter 2>/dev/null # Remove certificate from System Keychain sudo security delete-certificate -c "ds1hunter.local" \ /Library/Keychains/System.keychain 2>/dev/null # Optional: remove logs sudo rm -rf /var/log/ds1hunter
Windows
# Stop and remove Windows services Stop-Service DS1HunterAPI, DS1HunterUI -Force -ErrorAction SilentlyContinue & "C:\ds1hunter\bin\nssm.exe" remove DS1HunterAPI confirm & "C:\ds1hunter\bin\nssm.exe" remove DS1HunterUI confirm # Remove installation directory and CLI Remove-Item -Path "C:\ds1hunter" -Recurse -Force -ErrorAction SilentlyContinue Remove-Item "C:\Windows\System32\ds1hunter.exe" -Force -ErrorAction SilentlyContinue # Remove TLS certificate from Root CA store Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.FriendlyName -eq "DS1 Hunter TLS" } | Remove-Item -Force # Remove Windows Defender exclusion Remove-MpPreference -ExclusionPath "C:\ds1hunter" -ErrorAction SilentlyContinue
Legal Notice
- Only scan systems you own or have explicit written permission to test.
- Unauthorized access to computer systems is a criminal offense under Canadian Criminal Code s.342.1, the US CFAA, and most other jurisdictions.
- DigitalSecurity1 Inc. is not liable for misuse of this tool.
- By downloading and using DS1 Hunter you agree to use it only for lawful, authorized security testing.
For professional penetration testing with full legal coverage and a signed report, see our Penetration Testing services or contact us.