Kunyu – More Efficient Corporate Asset Collection

Click the icon to Follow me:- twitterTelegramRedditDiscord

Kunyu, More Efficient Corporate Asset Collection

0x00 Introduce

Tool introduction

Kunyu (kunyu), whose name is taken from , is actually a professional subject related to geographic information, which counts the geographic information of the sea, land, and sky. The same applies to cyberspace. The same is true for discovering unknown and fragile assets. It is more like a cyberspace map, which is used to comprehensively describe and display cyberspace assets, various elements of cyberspace and the relationship between elements, as well as cyberspace and real space. The mapping relationship. So I think “Kun Yu” still fits this concept.

Kunyu aims to make corporate asset collection more efficient and enable more security-related practitioners to understand and use cyberspace surveying and mapping technology.

You need to log in with ZoomEye

0x03 Tool instructions

Detailed command

kunyu console



Encryption method interface HostCrash <IP> <Domain> Host Header Scan hidden assets Seebug <Query> Search Seebug

HOST host search

Web host search

Batch IP search

Icon Search

When collecting corporate assets, we can use this method to retrieve the same ico icon assets, which usually has a good effect when associating related corporate assets. But it should be noted that if some sites also use this ico icon, irrelevant assets may be associated (but people who are bored with other people’s ico icons are always in the minority). Support url or local file search.


SSL certificate search

Query through the serial number of the SSL certificate, so that the associated assets are more accurate, and services that use the same certificate can be searched. When you encounter an https site, you can use this method.

Multi-factor query

Similarly, Kunyu also supports multi-factor conditional query related assets, which can be realized through ZoomEye logic operation syntax.


Feature Search

Through HTTP request packet features or website-related features, the same framework assets can be concatenated more accurately

Associated Domain/Subdomain Search

Search for associated domain names and subdomains, and query associated domain names by default. Two modes can be set by setting the dtype parameter.


Encoding hash calculation

In some scenarios, you can use this command to perform common HASH encryption/encoding, such as BASE64, MD5, mmh3, HEX encoding, and debug in this way.

Seebug vulnerability query

You can query historical related

Setting parameters

When set page = 2, the returned results are 40. You can modify the page parameter to set the number of pages to be queried. Note that 1 page = 20/items. You can modify the value according to your needs to get more returned results.

The configurable parameters and the current values of the parameters are displayed through show.


Pocsuite linkage

In versions after v1.3.1, you can use kunyu to link the console mode of pocsuite3 for integrated use.

HOSTS head collision

Through the HOSTS collision, the hidden assets in the intranet can be effectively collided, and the intranet service can be accessed according to the ServerName domain name and IP configured in the middleware httpf.conf. This can be achieved by setting the local hosts file later, because the local hosts file takes precedence. The level is higher than DNS server resolution. Support reverse check through ZoomEye domain name library or read TXT file to get the list of domain names.

HOSTS cross collision

Data result

All search results are saved in the user’s root directory, and the directory is created based on the current timestamp. All query results of a single start are stored in an Excel format under one directory, giving a more intuitive experience. The output path can be returned through the ExportPath command.

0x04 Loading

​ In fact, there are still many ideas, but as an Alpha version, this is the case, and it will continue to be improved in the later period. I hope that Kunyu can be known to more security practitioners. Thank you for your support.

​ The tool framework has reference to Kunlun Mirror and Pocsuite3, which are all very good works.

​ Thanks to all the friends of KnownSec 404 Team.

“ 看得清 ” 是能力的体现,是 “ 器 ” ,而 “ 看得见 ” 就是思想的体现,那最后关联的是 “ 道 ”。

​ –SuperHei

0x05 Issue

1、Multi-factor search

ZoomEye search can use multi-factor search, dork:cisco +port:80 (note the space) can search all data that meet the conditions of cisco and port:80, if there is no space in between, it is the same search condition, it is that cisco is satisfied and the port is All data for 80. Kunyu’s dork does not require quotation marks.

2、High-precision geographical location

ZoomEye gives privileged users high-precision geographic location data, but it should be noted that ordinary users do not have this function, so I hope you know.

3、Username/password login

If you use username/password as the initialization condition, the token will be valid for 12 hours. If you find that your search cannot return data, you may wish to info. If the session times out, the initialization command prompt will be returned. In most cases, we recommend that you use the API KEY method, there is no invalidation problem. This design is also for the security of your account and password. After all, the API KEY can be reset and the token will become invalid. However, with the account and password, it is possible to log in to your ZoomEye account.

4、Cert certificate search

It should be noted that, according to the normal logic, you need to encode the serial number of the target SSL certificate in

Download Kunyu

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.


Original Source
Available for Amazon Prime