https://github.com/djnnvx/yellow
pentest companion on the CLI (project mirror)
automation osint pentest recon scanner web
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/djnnvx/yellow
- Owner: djnnvx
- License: mit
- Created: 2025-06-22T07:27:27.000Z (about 1 year ago)
- Default Branch: current
- Last Pushed: 2026-02-01T08:33:25.000Z (5 months ago)
- Last Synced: 2026-02-01T19:08:20.286Z (5 months ago)
- Topics: automation, osint, pentest, recon, scanner, web
- Language: Go
- Homepage: https://evil.djnn.sh/yellow/file/README.md.html
- Size: 396 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.txt
- License: LICENSE
README
~ yellow
```
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣤⣤⣤⣤⣤⣤⣤⣄⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀ ⠀⠀⠀⠀⠀⠀⠀⠀⠉⠉⠛⠻⠿⢿⣿⣿⣿⣿⣿⣶⣤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
Y E L L O W ⠀⠀⠀⢀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠙⠻⣿⣿⣿⣿⣿⣿⣶⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣷⣤⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⢿⣿⣿⣿⣿⣿⣿⣦⡀⠀⠀⠀⠀⠀⠀⠀
-------- ⠀⠀⢸⣿⣿⣿⣿⣷⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣀⣀⣀⣙⢿⣿⣿⣿⣿⣿⣿⣦⡀⠀⠀⠀⠀⠀
⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⢿⣿⣿⣿⣿⣿⣿⣿⣿⣶⣶⣶⣶⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠻⣿⣿⣿⣿⣿⣿⣿⣄⠀⠀⠀⠀
djnn.sh⠀⠀⠀⠀⠘⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠇⠀⠀⢹⣿⣿⣿⣿⣿⣿⣿⣆⠀⠀⠀
⠀v0.0.5 ⠀⠀⢠⣿⣿⣿⣿⡟⠹⠿⠟⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡏⠀⠀⠀⠀⢿⣿⣿⣿⣿⣿⣿⣿⡆⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡿⠋⡬⢿⣿⣷⣤⣤⣴⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠟⠀⠀⠀⠀⠀⠸⣿⣿⣿⣿⣿⣿⣿⣿⡀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠰⡇⢸⡇⢸⣿⣿⣿⠟⠁⢀⣬⢽⣿⣿⣿⣿⣿⣿⠋⠀⠀⠀⠀⠀⠀⠀⣿⣿⣿⣿⣿⣿⣿⣿⣧⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⣧⣈⣛⣿⣿⣿⡇⠀⠀⣾⠁⢀⢻⣿⣿⣿⣿⠇⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⣿⣿⣿⣿⣿⣿⣿⡀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢹⣿⣿⣿⣿⣿⣿⣧⣄⣀⠙⠷⢋⣼⣿⣿⣿⡟⠀⠀⠀⠀⠀⠀⠀⠀⢀⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇
⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣿⣿⣿⣿⡟⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇
⣿⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠙⠻⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡟⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠁
⣿⣿⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⡀⠀⠀⠀⠀⠀⠀⢀⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠀
⠸⣿⣿⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢰⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⡀⠀⠀⠀⢀⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠃⠀
⠀⢹⣿⣿⣧⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣄⣴⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠏⠀⠀
⠀⠀⠹⣿⣿⣿⣷⣄⠀⠀⠀⠀⠀⠀⠀⠀⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠏⠀⠀⠀
⠀⠀⠀⠙⣿⣿⣿⣿⣿⣶⣤⣀⠀⠀⠀⠀⣿⣿⣿⣿⣿⣿s/o jenaye :)~⣿⣿⣿⣿⣿⣿⠋⠀⠀⠀⠀
⠀⠀⠀⠀⠈⠻⣿⣿⣿⣿⣿⣿⣿⣷⣶⣶⣾⣿⣿⣿⣿⣿⣿⣿⣿matro7sh⣿⣿⣿⣿⣿⣿⣿⠟⠁⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠉⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠟⠁⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠈⠛⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠿⠋⠅⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠙⠻⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠿⠛⠉⠀⠀⠀⠀⠀⠀⠀⠀⠈⠂⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠉⠛⠛⠛⠛⠛⠛⠛⠋⠉⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
<=[ Pentest companion for scanning, OSINT, and quick wins ]=>
```
**yellow** is a tiny golang CLI to quickly set up scanning at the beginning of a pentest. :)~
Based on yelaa: https://github.com/matro7sh/Yelaa.
# 1. Disclaimer
This software is provided as-is, at the discretion of professionals.
Developers assume no responsibility for your lack of morals or overall stupidity.
Please use at your own risk, in a controlled environment. Thanks <3
# 2. Roadmap
For the next version, I want to take care of at least two items described here:
* scan: integrate browser-dependent tools (katana, ...) (still TBD),
* osint: add support for more dorks
## 2.a Bugfixes
* sitemap should be stored to a file & fetch robots.txt
Feel free to suggest more ideas. :)~
If you'd like to do so, reach me by mail or on social media: https://djnn.sh/pgp
## 2.b Contributing
This software's code is public, but not open to contributions.
The reason for that is that if something is integrated, I want to make sure I
am able to maintain it afterwards.
# 3. Installing
Using go v1.25.
```bash
git clone https://evil.djnn.sh/yellow.git
cd yellow/
make
```
## 3.a Using docker
```bash
cd yellow/
make docker
```
# 4. Running
## 4.a Create your directory tree
At the beginning of your mission, you might want to have a nice little dir tree.
Easy enough:
```bash
./yellow -d djnn.sh
# example tree output for djnn.sh/
djnn.sh
├── extracted
│   ├── assets
│   ├── code
│   └── creds
├── scans
│   ├── infra
│   ├── nessus
│   ├── screenshots
│   └── ssl
└── www
    ├── exploits
    └── tools
13 directories, 0 files
```
## 4.b Run passive enumeration
Run various scans to retrieve more targets, using OSINT techniques.
```bash
./yellow osint --help
# or, if in a hurry
./yellow osint -d djnn.sh
```
## 4.c Run active scans
Run scans against the target actively. (You might want to use a proxy for this!)
```bash
./yellow scan --help
# run scan on ports 80, 443, 8080 & 8443
nmap -T4 -Pn -p 80,443,8080,8443 --open -oA domains -iL djnn.sh/scans/domains.txt
cat *.gnmap | grep -i "open/tcp" | cut -d " " -f2 | sort -u > djnn.sh/scans/web-targets.txt
# you can also just run the domains.txt file directly
./yellow scan -d djnn.sh/scans/infra --file djnn.sh/scans/web-targets.txt
```
#### Running port scans:
You can run a TCP port scan with service fingerprinting as part of the scan command:
```bash
./yellow scan -d djnn.sh --port-scan
# or with custom ports
./yellow scan -d djnn.sh --port-scan --ports "22,80,443,8080-8090"
```
#### Filter inactive web domains from a list of domains:
The `osint` subcommand is nice, but because it retrieves historical domains, some of the
domains it returns are not reachable anymore. To filter them out, you can run:
```bash
./yellow prune -f djnn.sh/scans/domains.txt -o djnn.sh/scans/cleaned-web-targets.txt
```
#### Retrieving CVEs automatically:
CVE lookups use the [NVD API v2](https://nvd.nist.gov/developers/vulnerabilities) (NIST National
Vulnerability Database) — no account required. Results are queried by detected technology name and
saved to `cves.json` in your scan path.
Without an API key, NVD allows 5 requests per 30 seconds (yellow sleeps 7s between queries to stay
safe). For faster scans, grab a free key at https://nvd.nist.gov/developers/request-an-api-key
and set it:
```bash
export NVD_API_KEY=your-key-here
```
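The pacing and lookup described above, as an added example in Go (not yellow's own code). It assumes lookups go through the NVD API v2 `keywordSearch` parameter with the key sent in the `apiKey` request header; the function names are hypothetical, and the response body is a constructed sample with placeholder CVE ids so nothing is fetched.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"time"
)

const nvdEndpoint = "https://services.nvd.nist.gov/rest/json/cves/2.0"
// Constructed sample response with placeholder ids, trimmed to the fields read below.
const sampleBody = `{"vulnerabilities":[{"cve":{"id":"CVE-0000-00001"}},{"cve":{"id":"CVE-0000-00002"}}]}`

// queryInterval spaces requests evenly in a rolling window, plus a margin: 30s/5 + 1s = 7s.
func queryInterval(limit int, window, margin time.Duration) time.Duration {
	return window/time.Duration(limit) + margin
}

// newNVDRequest builds a keyword search for one technology name; a key is optional.
func newNVDRequest(tech, apiKey string) (*http.Request, error) {
	u := nvdEndpoint + "?" + url.Values{"keywordSearch": {tech}}.Encode()
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err == nil && apiKey != "" {
		req.Header.Set("apiKey", apiKey)
	}
	return req, err
}

// cveIDs extracts CVE ids from a response body (encoding/json matches keys case-insensitively).
func cveIDs(body []byte) (ids []string, err error) {
	var r struct {
		Vulnerabilities []struct{ CVE struct{ ID string } }
	}
	if err = json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	for _, v := range r.Vulnerabilities {
		ids = append(ids, v.CVE.ID)
	}
	return ids, nil
}

func main() {
	req, _ := newNVDRequest("nginx", os.Getenv("NVD_API_KEY")) // "nginx" is a constructed input
	ids, _ := cveIDs([]byte(sampleBody))
	fmt.Println(req.URL, queryInterval(5, 30*time.Second, time.Second), ids)
}
```

With a key set, pass the keyed limit for your account to `queryInterval` instead of 5 to shorten the delay between queries.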
#### Credential Leak Checking (Leaker)
The `osint` subcommand can check for credential leaks using the integrated
[leaker](https://github.com/vflame6/leaker) library.
Some leaker sources (like LeakCheck) require API keys. Create a provider config file:
```yaml
# ~/.config/leaker/provider-config.yml
leakcheck: [your-api-key-here]
```
Set the config path via environment variable:
```bash
export LEAKER_PROVIDER_CONFIG=~/.config/leaker/provider-config.yml
```
Usage:
```bash
./yellow osint -d target.com --emails /path/to/emails.txt
```
#### Running fingerprinting
If you don't want to scan the whole website, but just run the fingerprint and retrieve the CVEs,
you can also run this:
```bash
./yellow fingerprint -d djnn.sh/scans/infra --file djnn.sh/scans/web-targets.txt
```