URL: https://apify.com/wonderful_beluga/ghost-shadow-discovery

Ghost Shadow Discovery · Apify


Pricing

Pay per usage

Developer: Zaher el siddik

Maintained by Community

Last modified: a month ago

Ghost-Target: Shadow Discovery

Actor 1 of 3 in the Ghost-Target Autonomous Red Team Pipeline.

Performs external reconnaissance against a target domain, passive except for the live HTTP probing in Phase 3. Pulls data from certificate transparency logs, Wayback Machine archives, passive subdomain enumeration, live HTTP probing, GitHub code search, and optional Shodan/Censys enrichment, building a structured "Ghost Inventory" of every asset the target has ever exposed on the internet.

No port scanning. Phases 1, 2 and 4 query third-party sources only; Phase 3 sends HTTP and HTTPS requests to every discovered subdomain, so that phase is visible to the target and belongs inside the authorized scope.


What It Does

Phase 1: Subdomain Enumeration

Queries three independent passive sources in parallel:

| Source | Method | What It Finds |
|---|---|---|
| crt.sh | Certificate Transparency logs | Subdomains issued SSL certificates (including wildcards) |
| Wayback CDX API | Internet Archive index | Historical subdomains and paths the target ever published |
| subfinder | 50+ passive APIs (VirusTotal, Shodan, Chaos, etc.) | Aggregated subdomain intelligence |

Phase 2: GitHub Leak Detection

Searches GitHub for public repositories containing sensitive references to the target domain using 9 dorks:

  • Exposed .env files with credentials
  • docker-compose.yml files with passwords
  • .npmrc files with auth tokens
  • API keys, secret keys, access tokens
  • PEM certificates

Phase 3: Live HTTP Probing

Probes every discovered subdomain over both HTTP and HTTPS using native Node.js:

  • HTTP status codes and redirect chains
  • Page titles
  • Web server headers (Server, X-Powered-By)
  • Technology fingerprinting (WordPress, Jenkins, Jira, Confluence, GitLab, phpMyAdmin)

Phase 4: Shodan Enrichment (Optional)

If a Shodan API key is provided, resolves each live host's IP and fetches:

  • Open ports
  • Operating system
  • Organization
  • Known CVEs (Shodan's own database)

Phase 5: Risk Scoring

Each asset gets a 0–100 risk score:

| Factor | Points |
|---|---|
| Sensitive ports open (22, 3306, 6379, 27017...) | +30 |
| Dev/staging subdomain pattern | +25 |
| Exposed vulnerable stack (WordPress, Jenkins, etc.) | +20–35 |
| GitHub leak reference | +40 |
| Shodan CVEs | +10 per CVE |

Phase 6: Recursive OSINT (Optional)

When recursiveDepth > 0, newly discovered high-risk subdomains (riskScore ≥ 30) automatically trigger sub-recon. Useful for discovering deeply nested infrastructure (e.g. dev.api.internal.example.com).
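
The Phase 5 factor table and the Phase 6 threshold, applied to rows of your own asset inventory so that remediation can be prioritised. This is an added example, not the actor's source code: the dev/staging pattern, the per-technology split of the +20 to +35 range and the githubLeak option are assumptions, so its scores need not match the actor's.

```javascript
// Added example. Point values come from the factor table above; every item
// marked "assumed" is not documented on the page.
const SENSITIVE_PORTS = new Set([22, 3306, 6379, 27017]); // the ports the table names
const DEV_LABEL = /^(dev|staging|stage|test|uat|qa)\d*$/i; // assumed dev/staging pattern
const STACK_POINTS = new Map([ // assumed split of the table's +20 to +35 range
  ['wordpress', 20], ['jira', 20], ['confluence', 25],
  ['gitlab', 25], ['phpmyadmin', 30], ['jenkins', 35],
]);
const RECURSE_THRESHOLD = 30; // Phase 6: riskScore >= 30
const MAX_DEPTH = 3; // Input table: recursiveDepth max 3

// githubLeak is a hypothetical flag: the caller decides whether a leak references this host.
function scoreAsset(asset, { githubLeak = false } = {}) {
  const reasons = [];
  let raw = 0;
  const add = (points, why) => { raw += points; reasons.push(`+${points} ${why}`); };

  const ports = (asset.openPorts || []).filter((p) => SENSITIVE_PORTS.has(p));
  if (ports.length) add(30, `sensitive ports ${ports.join(', ')}`);

  // Split on "." and "-" so "api-staging.example.com" matches but "developer" does not.
  const labels = String(asset.subdomain || '').split(/[.-]/);
  if (labels.some((label) => DEV_LABEL.test(label))) add(25, 'dev/staging name');

  // Drop version suffixes ("Jenkins/2.401" -> "jenkins"); the stack factor counts once.
  const stackPoints = Math.max(0, ...(asset.technologies || []).map(
    (t) => STACK_POINTS.get(String(t).split('/')[0].trim().toLowerCase()) || 0));
  if (stackPoints) add(stackPoints, 'exposed stack');
  if (githubLeak) add(40, 'GitHub leak reference');

  const cves = asset.shodanVulns || [];
  if (cves.length) add(10 * cves.length, `${cves.length} Shodan CVE(s)`);

  return { riskScore: Math.min(100, raw), reasons }; // clamp to the 0-100 scale
}

// True when Phase 6 would start sub-recon for a score at the current depth.
function qualifiesForRecursion(riskScore, currentDepth, recursiveDepth) {
  const limit = Math.min(Math.max(recursiveDepth, 0), MAX_DEPTH);
  return currentDepth < limit && riskScore >= RECURSE_THRESHOLD;
}

// Constructed rows in the dataset format shown under Output.
const sampleRows = [
  { subdomain: 'dev.example.com', openPorts: [22, 80, 443, 3306],
    technologies: ['nginx/1.18.0', 'PHP/7.4'], shodanVulns: ['CVE-2021-44228'] },
  { subdomain: 'www.example.com', openPorts: [80, 443], technologies: ['nginx/1.18.0'] },
];
for (const row of sampleRows) console.log(row.subdomain, scoreAsset(row));
```

The reasons array records which factors fired, which makes a score auditable when it is used to order remediation work.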


Input

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| targetDomain | string | Yes | none | Root domain to recon. No scheme, no path. e.g. example.com |
| logicEngineActorId | string | No | none | Actor ID of Actor 2 to auto-trigger on completion |
| globalKvsName | string | No | ghost-target-brain | Shared Key-Value Store name. Must match across all three actors |
| waybackLimit | integer | No | 5000 | Max URLs to pull from Wayback CDX per domain |
| recursiveDepth | integer | No | 1 | Recursive sub-recon depth (0 = disabled, max 3) |
| githubToken | string | No | none | GitHub personal access token for leak detection |
| shodanApiKey | string | No | none | Shodan API key for port and CVE enrichment |
| censysApiId | string | No | none | Censys API ID (reserved for future use) |
| censysApiSecret | string | No | none | Censys API secret |
| apifyApiToken | string | No | none | Your Apify API token. Required for cross-actor KVS sharing when triggered by another actor |
| proxyEnabled | boolean | No | false | Route requests through Apify residential proxies |

Tip: When running Actor 1 manually and chaining to Actor 2, pass your apifyApiToken so that downstream actors can access the shared KVS.


Output

Dataset

One row per discovered subdomain:

```json
{
  "subdomain": "dev.example.com",
  "isLive": true,
  "ip": "1.2.3.4",
  "sources": ["crt.sh", "wayback", "subfinder"],
  "statusCode": 200,
  "title": "Dev Portal - Example Inc",
  "webServer": "nginx/1.18.0",
  "technologies": ["nginx/1.18.0", "PHP/7.4"],
  "openPorts": [22, 80, 443, 3306],
  "shodanVulns": ["CVE-2021-44228"],
  "org": "Example Inc",
  "highValuePaths": ["/.env", "/admin"],
  "isNew": true,
  "firstSeen": "2026-05-15T09:44:56.000Z",
  "lastSeen": "2026-05-15T09:44:56.000Z",
  "riskScore": 85
}
```

Key-Value Store (ghost-target-brain)

Saves the full brain state to surface__{domain}:

```json
{
  "domain": "example.com",
  "subdomains": {
    "dev.example.com": { "firstSeen": "...", "riskScore": 85 }
  },
  "waybackPaths": ["/.env", "/admin/login", "/api/v2/users"],
  "githubLeaks": [
    { "repo": "user/leaked-repo", "file": ".env", "url": "..." }
  ],
  "lastRunSummary": {
    "totalSubdomains": 47,
    "newAssets": 3,
    "liveAssets": 31,
    "highRiskAssets": 5
  },
  "runCount": 2
}
```

Actor Output (OUTPUT)

```json
{
  "domain": "example.com",
  "totalSubdomains": 47,
  "newAssets": 3,
  "liveAssets": 31,
  "highRiskAssets": 5,
  "githubLeakRefs": 2,
  "waybackPathsIndexed": 4821,
  "kvsKey": "surface__example.com"
}
```

Automatic Pipeline Chaining

When logicEngineActorId is set, this actor automatically triggers Actor 2 (Logic Engine) via the Apify API as soon as it completes, passing the targetDomain, globalKvsName, and apifyApiToken so the scan continues without manual intervention.

Actor 1 finishes → webhook → Actor 2 starts → webhook → Actor 3 starts

Prerequisites

This actor uses two Go binaries bundled in the Docker image:

Both are downloaded as pre-built binaries at Docker build time; no Go compiler is needed at runtime.


Usage Example

Standalone run

```json
{
  "targetDomain": "example.com",
  "waybackLimit": 5000,
  "recursiveDepth": 1,
  "githubToken": "ghp_xxxxxxxxxxxx",
  "shodanApiKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "globalKvsName": "ghost-target-brain"
}
```

With full pipeline chaining

```json
{
  "targetDomain": "example.com",
  "logicEngineActorId": "YOUR_USERNAME/ghost-logic-engine",
  "globalKvsName": "ghost-target-brain",
  "apifyApiToken": "apify_api_xxxxxxxxxxxxxxxxxxxxxxxx",
  "githubToken": "ghp_xxxxxxxxxxxx",
  "shodanApiKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
```

Safe Test Targets

| Domain | Why |
|---|---|
| demo.testfire.net | IBM Altoro Mutual, intentional vuln demo bank |
| testphp.vulnweb.com | Acunetix intentional vuln PHP app |
| juice-shop.herokuapp.com | OWASP Juice Shop |
| Your own domain | Best for real results |

Legal Notice

This tool is for authorized penetration testing and security research only. Always obtain written permission before running reconnaissance against any domain. Unauthorized use may violate computer fraud and abuse laws in your jurisdiction.
