{"id":50752363,"url":"https://github.com/djunekz/merlin","last_synced_at":"2026-06-11T02:05:24.337Z","repository":{"id":353213101,"uuid":"1218427153","full_name":"djunekz/merlin","owner":"djunekz","description":"Analyst website vulnerability scanner","archived":false,"fork":false,"pushed_at":"2026-05-15T17:40:58.000Z","size":127,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-15T19:56:27.451Z","etag":null,"topics":["awesome-lists","environtment","linux","linux-tools","termux","termux-app-store","termux-tools","vulnerability-scanners","webanalyzer"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/djunekz.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-22T21:40:28.000Z","updated_at":"2026-05-15T17:40:30.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/djunekz/merlin","commit_stats":null,"previous_names":["djunekz/merlin"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/djunekz/merlin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/djunekz%2Fmerlin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/djunekz%2Fmerlin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/djunekz%2Fmerlin/releases","manifests_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/djunekz%2Fmerlin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/djunekz","download_url":"https://codeload.github.com/djunekz/merlin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/djunekz%2Fmerlin/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34178825,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-11T02:00:06.485Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["awesome-lists","environtment","linux","linux-tools","termux","termux-app-store","termux-tools","vulnerability-scanners","webanalyzer"],"created_at":"2026-06-11T02:05:23.586Z","updated_at":"2026-06-11T02:05:24.332Z","avatar_url":"https://github.com/djunekz.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n```\n  ___      ___   _______   _______   ___      __   ____  ____\n (\"  \\    /\"  | /\"      | /\"      \\ |\"  |    |\" \\ (\\\"  \\|\"   |\n  \\   \\  //   |(: ______)|:        |||  |    ||  ||.\\   \\    |\n  /\\   \\/.    | \\/      ||_____/   )|:  |    |:  ||: \\.  \\   |\n |: \\.        | // _____) //      /  \\  |___ |.  ||.  \\   \\. |\n |.  
\\    /:  |(:       ||:  __   \\ ( \\_|:  \\|   ||    \\   \\ |\n |___|\\__/|___| \\_______)|__|  \\___) \\_______)\\___)\\___|\\___\\)\n```\n\n**Website Vulnerability Scanner for Termux \u0026 Linux**\n\n[![Version](https://img.shields.io/badge/version-1.1.0-brightgreen?style=flat-square)](https://github.com/djunekz/merlin)\n[![Python](https://img.shields.io/badge/python-3.x-blue?style=flat-square)](https://www.python.org/)\n[![Platform](https://img.shields.io/badge/platform-Termux%20%7C%20Linux-orange?style=flat-square)](https://termux.dev/)\n[![License](https://img.shields.io/badge/license-MIT-yellow?style=flat-square)](LICENSE)\n[![Author](https://img.shields.io/badge/author-djunekz-purple?style=flat-square)](https://github.com/djunekz)\n\n\u003c/div\u003e\n\n---\n\n\u003cdiv align=\"center\"\u003e\n  \u003ch1\u003eAbout\u003c/h1\u003e\n\u003c/div\u003e\n\n**Merlin** is a command-line website vulnerability scanner built with Python, designed to run on **Termux** (Android) and **Linux**. It provides a comprehensive suite of tools for security analysts to assess website vulnerabilities through an easy-to-use terminal interface.\n\n\u003e [!NOTE]\n\u003e **For authorized security testing only.** Always obtain written permission before scanning any target. 
See [DISCLAIMER](DISCLAIMER.md), [SECURITY](SECURITY.md), and [LICENSE](LICENSE).\n\n---\n\n\u003cdiv align=\"center\"\u003e\n  \u003ch1\u003eFeatures\u003c/h1\u003e\n\u003c/div\u003e\n\n| Module | Description |\n|---|---|\n| **WP Vuln** | WordPress vulnerability checker — plugins, themes, core CVEs, xmlrpc abuse, REST API user enumeration, version disclosure |\n| **SQLi Scan** | SQL injection (45 payloads) + XSS (30 payloads) + SSTI + Path Traversal + Open Redirect + Info Disclosure |\n| **WebShake** | Web crawler — CMS detection, email/phone harvest, secret/API key detection, broken link tracker, metadata scraper, JSON report |\n| **Web Analyzer** | 14-module full-stack audit — CORS, cookie flags, clickjacking, broken access control, sensitive data exposure, score summary |\n| **Port Scanner** | Multi-thread port scanner — banner grab, service fingerprint, HTTP probe per port, risky port warnings |\n| **DNS Lookup** | Full DNS records + zone transfer + wordlist subdomain enumeration + SPF/DMARC analysis + DNSSEC check |\n| **WHOIS Lookup** | Domain registration info with expiry countdown, abuse contact, EPP status explanation, privacy detection |\n| **Tech Fingerprint** | 70+ technology signatures — CMS, framework, CDN, analytics, JS libraries, payment gateways, version extraction |\n| **Header Grabber** | Security header grading A+ to F — CSP/HSTS deep analysis, cookie flags, redirect chain tracking |\n| **SSL Audit** | Certificate expiry countdown, cipher suite check, deprecated protocol detection (TLS 1.0/1.1) |\n| **WAF Detect** | Web Application Firewall identification from headers and response patterns |\n| **Content Discovery** | Probe 40+ sensitive file paths — `.env`, `.git`, `backup.zip`, `config.php`, and more |\n| **HIBP Check** | Leaked credential lookup via HaveIBeenPwned API (k-anonymity, no plain-text password sent) |\n| **Settings** | Persistent JSON config — 15+ options including proxy, HIBP API key, report format, crawl depth |\n| **Update 
Checker** | Auto-detect latest version from GitHub and pull updates via git |\n\n---\n\n\u003cdiv align=\"center\"\u003e\n  \u003ch1\u003eProject Structure\u003c/h1\u003e\n\u003c/div\u003e\n\n```\nmerlin/\n├── merlin.sh                  # Main launcher (loading screen + entry point)\n├── install.sh                 # Installer for Termux / Linux\n├── LICENSE\n├── README.md\n├── CHANGELOG.md\n├── CONTRIBUTING.md\n├── SECURITY.md\n├── core/                      # Python source modules\n│   ├── __init__.py            # Version \u0026 author — single source of truth\n│   ├── merlin.py              # Main menu \u0026 router (14 options)\n│   ├── merlincolor.py         # ANSI color constants\n│   ├── merlinset.py           # Shared variables (version, author, prompts)\n│   ├── merlinlogo.py          # ASCII banner \u0026 menu strings\n│   ├── merlinconf.py          # Config loader / editor (15+ settings)\n│   ├── merlinup.py            # Update checker\n│   ├── wpvuln.py              # WordPress vulnerability scanner\n│   ├── websqli.py             # SQLi + XSS + SSTI + Path Traversal scanner\n│   ├── webshake.py            # Web crawler \u0026 recon\n│   ├── webanalyst.py          # Full web stack analyzer (14 modules)\n│   ├── portscan.py            # Port scanner + banner grab\n│   ├── dnslookup.py           # DNS lookup \u0026 subdomain enumeration\n│   ├── whoislookup.py         # WHOIS lookup\n│   ├── techfinger.py          # Technology fingerprinting (70+ signatures)\n│   ├── headergrab.py          # HTTP header security grader (A+ to F)\n│   ├── sslaudit.py            # SSL/TLS audit\n│   ├── wafdetect.py           # WAF detection\n│   ├── hibpcheck.py           # HaveIBeenPwned credential check\n│   └── contentdiscovery.py    # Sensitive file discovery\n└── .github/\n    ├── ISSUE_TEMPLATE/\n    │   ├── bug_report.md\n    │   └── feature_request.md\n    └── PULL_REQUEST_TEMPLATE.md\n```\n\n---\n\n\u003cdiv align=\"center\"\u003e\n  
\u003ch1\u003eInstallation\u003c/h1\u003e\n\u003c/div\u003e\n\n### Quick Install\n\n```bash\ngit clone https://github.com/djunekz/merlin\ncd merlin\nbash install.sh\n```\n\nThe installer will auto-detect your environment and present a menu:\n\n```\n  [1] Install for Termux\n  [2] Install for Linux (apt / Debian / Ubuntu)\n  [3] Install for Arch Linux\n  [4] Install for Fedora / RHEL\n  [x] Exit\n```\n\nAfter installation, a symlink is created so you can run Merlin from anywhere:\n\n```bash\nmerlin\n```\n\n### Manual Install\n\n#### Termux\n```bash\npkg update \u0026\u0026 pkg install python git\npip install requests colorama beautifulsoup4 lxml urllib3 dnspython python-whois\ngit clone https://github.com/djunekz/merlin\ncd merlin\nbash merlin.sh\n```\n\n#### Linux\n```bash\nsudo apt-get update \u0026\u0026 sudo apt-get install python3 python3-pip git\npip3 install requests colorama beautifulsoup4 lxml urllib3 dnspython python-whois\ngit clone https://github.com/djunekz/merlin\ncd merlin\nbash merlin.sh\n```\n\n---\n\n\u003cdiv align=\"center\"\u003e\n  \u003ch1\u003eUsage\u003c/h1\u003e\n\u003c/div\u003e\n\n### Launch via symlink (after install)\n```bash\nmerlin\n```\n\n### Or launch directly\n```bash\nbash merlin.sh\n```\n\n### Or run Python directly\n```bash\ncd core \u0026\u0026 python merlin.py\n```\n\n### Menu Options\n\n```\n[1]  Check WP Vuln          — WordPress vulnerability scan\n[2]  Check SQLi / XSS       — SQL injection + XSS + SSTI + Path Traversal\n[3]  WebShake / Crawler     — Web crawler \u0026 recon\n[4]  Web Analyzer           — Full web stack audit (14 modules)\n[5]  Port Scanner           — Multi-thread port scan + banner grab\n[6]  DNS Lookup             — Full DNS records + subdomain enumeration\n[7]  WHOIS Lookup           — Domain registration info + abuse contact\n[8]  Tech Fingerprint       — Identify 70+ technologies\n[9]  Header Grabber         — Security header grading A+ to F\n[10] SSL Audit              — Certificate \u0026 cipher 
suite check\n[11] WAF Detect             — Web Application Firewall identification\n[12] Content Discovery      — Scan for exposed sensitive files\n[13] HIBP Check             — Leaked credential lookup\n[14] Settings / Config      — Edit scanner configuration\n[15] Check Update           — Check and pull latest version\n[x]  Exit\n```\n\n---\n\n\u003cdiv align=\"center\"\u003e\n  \u003ch1\u003eConfiguration\u003c/h1\u003e\n\u003c/div\u003e\n\nSettings are stored in `core/merlin_config.json` and can be edited from within the tool via **[14] Settings / Config**.\n\n| Key | Default | Description |\n|---|---|---|\n| `timeout` | `10` | HTTP request timeout in seconds |\n| `user_agent` | Mobile Chrome | User-Agent header for requests |\n| `max_threads` | `5` | Maximum concurrent threads |\n| `output_dir` | `./merlin_output` | Directory to save scan results |\n| `proxy` | *(empty)* | HTTP/HTTPS proxy (e.g. `http://127.0.0.1:8080`) |\n| `verbose` | `false` | Show verbose output during scans |\n| `crawl_depth` | `2` | Maximum crawl depth for WebShake |\n| `sqli_deep_scan` | `false` | Enable deep scan mode (45 payloads, slower) |\n| `port_range` | `1-1024` | Default port range for port scanner |\n| `dns_resolvers` | `[]` | Custom DNS resolvers (empty = system default) |\n| `save_reports` | `true` | Auto-save JSON report after each scan |\n| `report_format` | `json` | Report format (`json` / `html` — html planned) |\n| `follow_redirects` | `true` | Follow HTTP redirects |\n| `ssl_verify` | `true` | Verify SSL certificates on requests |\n| `hibp_api_key` | *(empty)* | HaveIBeenPwned API key for email breach lookup |\n\n---\n\n## Requirements\n\n- Python 3.6+\n- Git\n- pip packages: `requests`, `colorama`, `beautifulsoup4`, `lxml`, `urllib3`, `dnspython`, `python-whois`\n\n---\n\n## Contributing\n\nContributions are welcome! 
Please read [CONTRIBUTING](CONTRIBUTING.md) before submitting a pull request.\n\n---\n\n## Security\n\nPlease read [SECURITY](SECURITY.md) for the responsible disclosure policy.\n\n---\n\n## License\n\nThis project is licensed under the MIT License — see [LICENSE](LICENSE) for details.\n\n---\n\n\u003cdiv align=\"center\"\u003e\n  \u003ch1\u003eKnown Gaps \u0026 TODO\u003c/h1\u003e\n\u003c/div\u003e\n\n\u003e Things that are missing, incomplete, or need further work before the next release.\n\n### Critical — Must Fix\n| Item | Notes |\n|---|---|\n| `install.sh` not updated | Missing new dependencies: `dnspython` and `python-whois`. Without them, the DNS and WHOIS modules will crash immediately on a fresh install |\n| `merlin.sh` out of sync | The loading screen still references 6 modules; it needs to reflect the current 14+ |\n| `merlinlogo.py` out of sync | The ASCII menu in the logo still shows the old 6-option layout, not matching the actual `merlin.py` menu |\n| `webshakeset.py` needs review | Unclear whether the `min` variable shadowing built-in `min()` was fixed here; requires a manual check |\n\n### Important — Incomplete\n| Item | Notes |\n|---|---|\n| HTML report export | `report_format: html` is accepted in config but not yet implemented — only JSON works |\n| `hibpcheck.py` email lookup requires a paid API key | The Pwned Passwords range endpoint used for the k-anonymity password check needs no key, but the HIBP v3 breach-by-email lookup requires a paid subscription key; setup instructions need to be added to the docs |\n| SSL cipher check limited on Termux | Python's built-in `ssl` module on Termux is restricted — cipher enumeration may be incomplete compared to native OpenSSL |\n| `contentdiscovery.py` wordlist is hardcoded | The 40+ sensitive paths are hardcoded; loading a custom wordlist from an external file is not yet supported |\n| Subdomain enumeration is wordlist-only | `dnslookup.py` uses a static 80-word wordlist — no integration with passive sources like crt.sh or SecurityTrails API |\n| `CONTRIBUTING.md` and `SECURITY.md` are placeholders | Both 
files exist but contain no real content; they need to be written properly |\n\n### Nice to Have — Roadmap\n| Item | Notes |\n|---|---|\n| CVE lookup integration | Query NVD/NIST API directly from WP plugin/theme scan results |\n| Batch URL scanning | Accept a `.txt` file of multiple URLs and scan them in sequence |\n| Proxy authentication | Proxy with `username:password` credentials not yet supported |\n| Scheduled scan / cron mode | Run scans automatically on a schedule and diff results against previous runs |\n| Plugin system | Allow external modules to be dropped in without editing `merlin.py` directly |\n| TUI (Terminal UI) | More interactive interface using `curses` or `rich` layout instead of plain input/print |\n| PDF report export | Print-ready PDF report output |\n\n---\n\n## ⚠️ Disclaimer\n\n\u003e [!NOTE]\n\u003e Please read [DISCLAIMER](DISCLAIMER.md). This tool is intended for **educational purposes** and **authorized penetration testing only**. The author is not responsible for any misuse or damage caused by this tool. Always obtain proper authorization before scanning any target system.\n\n---\n\n\u003cdiv align=\"center\"\u003e\nDeveloped by \u003ca href=\"https://github.com/djunekz\"\u003edjunekz\u003c/a\u003e\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdjunekz%2Fmerlin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdjunekz%2Fmerlin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdjunekz%2Fmerlin/lists"}
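Worked example for the README's **HIBP Check** module, which says the password lookup uses k-anonymity so that no plain-text password is sent. This is an added illustration, not Merlin's `hibpcheck.py`: it uses only the standard library, the endpoint URL is the real Pwned Passwords range API, and the sample response body (with its breach counts) is constructed so the code runs offline.

```python
# Added example (not Merlin's hibpcheck.py): the k-anonymity range query
# behind "no plain-text password sent". Only the first five hex characters of
# the SHA-1 digest leave the machine; the other 35 are matched locally.
import hashlib
import urllib.request
from typing import Optional, Tuple

# Real Pwned Passwords endpoint. It needs no API key; the breach-by-email v3
# endpoint mentioned in the README's Known Gaps is the one that needs a paid key.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """Uppercase SHA-1 hex digest split into the 5-char prefix that is sent
    to HIBP and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return the
    breach count for our suffix, or 0 if it is absent. Padding entries
    (see Add-Padding below) carry count 0 and fall through naturally."""
    for line in body.splitlines():
        hash_suffix, sep, count = line.strip().partition(":")
        if sep and hash_suffix.upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix: str, timeout: int = 10) -> str:
    """Live lookup of one prefix. HIBP requires a User-Agent; Add-Padding asks
    the server to pad the response so its size does not reveal the prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "merlin-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, body: Optional[str] = None) -> int:
    """How many times the password appears in HIBP. Pass `body` to evaluate
    an already-fetched (or constructed) range response without a network call."""
    prefix, suffix = split_hash(password)
    if body is None:
        body = fetch_range(prefix)
    return count_in_range(suffix, body)


# Constructed sample of a range response for prefix 5BAA6. The line format and
# the SHA-1 of "password" are real; the counts are made up for this example.
SAMPLE_RANGE_5BAA6 = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E2AAA439972480CEC7F16C795BBB429372:0\r\n"
)

if __name__ == "__main__":
    print(pwned_count("password", SAMPLE_RANGE_5BAA6))  # offline: 3861493
    # print(pwned_count("password"))  # live query; only "5BAA6" is sent
```

The point a scanner author should keep in mind is that the password itself and its full hash stay local; a proxy in the path sees only the 5-character prefix, which covers roughly a million candidate hashes.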
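Worked example for the README's **Header Grabber** feature (security header grading A+ to F with CSP/HSTS deep analysis). This is an added illustration, not Merlin's `headergrab.py`: the individual checks are standard, but the HSTS age floor and the issue-count-to-grade scale are assumptions chosen for this example, and both header sets are constructed.

```python
# Added example (not Merlin's headergrab.py). Grades a response header map on
# an assumed A+..F scale; thresholds and the scale are illustration choices.
import re
from typing import Dict, List, Optional, Tuple

HSTS_MIN_AGE = 15552000  # assumed floor (180 days); preload lists expect 31536000


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def check_hsts(value: Optional[str]) -> List[str]:
    """Deep HSTS check: presence, max-age floor, includeSubDomains."""
    if value is None:
        return ["Strict-Transport-Security missing"]
    issues: List[str] = []
    directives: Dict[str, str] = {}
    for d in value.split(";"):
        key, _, val = d.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < HSTS_MIN_AGE:
        issues.append(f"HSTS max-age {max_age} is below {HSTS_MIN_AGE}")
    if "includesubdomains" not in directives:
        issues.append("HSTS lacks includeSubDomains")
    return issues


def check_csp(value: Optional[str]) -> List[str]:
    """Deep CSP check on the effective script source list."""
    if value is None:
        return ["Content-Security-Policy missing"]
    issues: List[str] = []
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.strip("'").lower() for p in parts[1:]]
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        issues.append("CSP has neither script-src nor default-src")
        return issues
    # With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'.
    has_nonce_or_hash = any(s.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for s in script)
    if "unsafe-inline" in script and not has_nonce_or_hash:
        issues.append("CSP script-src allows 'unsafe-inline' without a nonce or hash")
    if "unsafe-eval" in script:
        issues.append("CSP script-src allows 'unsafe-eval'")
    if "*" in script:
        issues.append("CSP script-src contains a wildcard source")
    return issues


def grade_headers(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Collect issues, then map their count onto the assumed A+..F scale."""
    issues = check_hsts(header(headers, "Strict-Transport-Security"))
    csp = header(headers, "Content-Security-Policy")
    issues += check_csp(csp)
    if (header(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        issues.append("X-Content-Type-Options: nosniff missing")
    if header(headers, "X-Frame-Options") is None and not (csp and "frame-ancestors" in csp.lower()):
        issues.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")
    if header(headers, "Referrer-Policy") is None:
        issues.append("Referrer-Policy missing")
    for name in ("Server", "X-Powered-By"):
        val = header(headers, name)
        if val and re.search(r"/\d", val):  # "Product/1.2.3" style version leak
            issues.append(f"{name} discloses a version: {val}")
    n = len(issues)
    grade = "A+" if n == 0 else "A" if n == 1 else "B" if n <= 3 else "C" if n <= 5 else "D" if n <= 7 else "F"
    return grade, issues


# Constructed header sets for a hardened and a neglected site.
STRONG = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
}

if __name__ == "__main__":
    for label, hdrs in (("strong", STRONG), ("weak", WEAK)):
        grade, found = grade_headers(hdrs)
        print(label, grade, *found, sep="\n  ")
```

Two details matter for a scanner that grades rather than merely lists headers: a CSP that is present but permissive (`*`, `'unsafe-inline'` without a nonce) should score worse than its presence suggests, and a `frame-ancestors` directive makes a missing `X-Frame-Options` a non-issue, so the clickjacking check must look at both.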
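Worked example for the SPF/DMARC analysis listed under the README's **DNS Lookup** module. This is an added illustration, not Merlin's `dnslookup.py`: the records are constructed strings so the code runs offline (a real scan would fetch them from the domain's TXT records and from `_dmarc.<domain>`), and the findings wording is this example's own.

```python
# Added example (not Merlin's dnslookup.py): flag the SPF and DMARC weaknesses
# a scanner should report. Records below are constructed, not real domains' data.
import re
from typing import Dict, List

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 yields permerror


def analyse_spf(record: str) -> List[str]:
    """Return findings for one SPF TXT record; an empty list means nothing to flag."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        # mechanism name before any ':' argument, '=' modifier value or '/' CIDR
        name = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow to evaluate")
        if name == "all":
            all_qualifier = qualifier
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {SPF_MAX_LOOKUPS}; receivers return permerror")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all: any host may send mail as this domain")
    elif all_qualifier == "?":
        findings.append("?all: neutral result, no enforcement")
    elif all_qualifier == "~":
        findings.append("~all: softfail only; enforcement depends on DMARC")
    return findings


def analyse_dmarc(record: str) -> List[str]:
    """Return findings for one DMARC TXT record; an empty list means nothing to flag."""
    findings: List[str] = []
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("p tag missing or invalid; receivers fall back to p=none at best")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains are left unprotected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so abuse goes unnoticed")
    return findings


# Constructed records for a well-configured and a weak domain.
SPF_OK = "v=spf1 include:_spf.example.net mx -all"
SPF_WEAK = "v=spf1 a mx ptr +all"
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.net"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"

if __name__ == "__main__":
    for rec in (SPF_OK, SPF_WEAK):
        print(rec, analyse_spf(rec), sep="\n  ")
    for rec in (DMARC_OK, DMARC_WEAK):
        print(rec, analyse_dmarc(rec), sep="\n  ")
```

The `+all` and `p=none` cases are the ones worth surfacing loudly in a report: the first makes SPF meaningless, the second means DMARC is collecting data but not stopping spoofed mail.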