go-auxs: The Bug Bounty Hunter's Swiss Army Knife You've Never Heard Of
Hook
While most security researchers cobble together fragile bash scripts and chained grep commands, a collection of purpose-built Go utilities has been quietly solving reconnaissance workflow problems for years—with almost no documentation.
Context
In the world of bug bounty hunting and penetration testing, the reconnaissance phase generates massive amounts of data: millions of subdomains, hundreds of thousands of URLs, enormous lists of IP ranges. Traditional tools like grep, awk, and sed struggle with the specific data structures and scale involved. You end up with duplicate URLs that differ only in parameter order, CDN addresses polluting your target lists, and multi-gigabyte files that choke standard Unix utilities.
go-auxs emerged from this chaos as a personal toolkit addressing these exact pain points. Rather than building a monolithic platform, it follows the Unix philosophy: small, composable programs that do one thing well and connect via pipes. Each utility tackles a specific reconnaissance workflow problem—SSL certificate parsing, IP range manipulation, intelligent URL deduplication, and chunk-based processing of enormous datasets. It's the kind of toolkit that gets built when someone spends enough time in the trenches to recognize patterns in their daily frustrations.
Technical Insight
The architecture of go-auxs is deliberately minimalist. Each tool is an independent binary compiled from Go, with no shared libraries or complex dependencies. This design choice means you can drop a single binary into /usr/local/bin and start using it immediately, no installation ceremony required. The stdin/stdout interface isn't just convention—it's the primary API.
Take 'durl', the URL deduplication tool, as an example of how go-auxs solves domain-specific problems that generic tools can't. Standard deduplication with 'sort | uniq' treats URLs as simple strings. But in security reconnaissance, these URLs are functionally identical:
https://example.com/api?id=1&session=abc
https://example.com/api?session=xyz&id=2
Both hit the same endpoint with the same parameter names—only the values differ. For fuzzing or identifying attack surface, you only need to test one. durl implements hostname-path-paramName deduplication:
cat urls.txt | durl
# Output: https://example.com/api?id=1&session=abc
# The second URL is dropped as duplicate structure
This seemingly simple behavior requires parsing URLs into components, extracting and normalizing parameter names, then hashing the combination. A naive bash script would be hundreds of lines and orders of magnitude slower.
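The hostname-path-paramName idea described above, sketched in Go as an added example (this is not durl's own source). The names structureKey and dedupe and the sample URLs are assumptions made for illustration:

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// structureKey reduces a URL to lowercased host + path + sorted parameter
// names. Values are discarded, so parameter order and values do not matter.
func structureKey(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Host == "" {
		return "", fmt.Errorf("not an absolute URL: %q", raw)
	}
	var names []string
	for name := range u.Query() {
		names = append(names, name)
	}
	sort.Strings(names)
	return strings.ToLower(u.Host) + u.Path + "?" + strings.Join(names, "&"), nil
}

// dedupe keeps the first URL seen per structure key and skips lines that
// do not parse as absolute URLs.
func dedupe(lines []string) []string {
	seen := make(map[string]bool)
	var kept []string
	for _, line := range lines {
		key, err := structureKey(line)
		if err != nil || seen[key] {
			continue
		}
		seen[key] = true
		kept = append(kept, strings.TrimSpace(line))
	}
	return kept
}

func main() {
	sample := []string{ // constructed sample input
		"https://example.com/api?id=1&session=abc",
		"https://example.com/api?session=xyz&id=2", // same structure, dropped
		"https://example.com/api?id=1",             // different parameter set, kept
		"not a url",                                // no host, skipped
	}
	for _, u := range dedupe(sample) {
		fmt.Println(u)
	}
}
```

Because the key ignores values, an endpoint that behaves differently per value (for example `?action=delete` versus `?action=view`) collapses to one entry, which matters when the deduplicated list defines test coverage.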
The 'chrunk' utility demonstrates another workflow-specific insight: how to process files too large to fit in memory without complex stream processing logic. When you're working with 50GB subdomain wordlists or massive scan outputs, even tools designed for large files can fail. chrunk splits input into manageable chunks:
cat massive-wordlist.txt | chrunk -c 100000 -o chunks/part
# Creates chunks/part-0001 through chunks/part-NNNN
# Each containing 100,000 lines
This enables parallel processing patterns:
#!/bin/bash
for chunk in chunks/*; do
    # Quote the path so chunk names with spaces or glob characters are passed intact
    cat "$chunk" | httprobe | tee -a live-hosts.txt &
done
wait
Each chunk processes independently, parallelizing work across CPU cores without specialized job management tools. Note that the loop starts one background job per chunk, so the number of chunks sets the concurrency. The Go implementation handles file I/O efficiently, buffering writes and managing file handles without leaking resources.
The 'punyCon' tool addresses a subtle security issue: internationalized domain names (IDN) encoded as punycode. An attacker might register 'xn--80ak6aa92e.com' ('apple' spelled with Cyrillic look-alike letters) to phish users. Security tools often miss these because they only search ASCII domains. punyCon converts between representations:
echo "xn--80ak6aa92e.com" | punyCon -d
# Output: аррӏе.com (Cyrillic letters that render like "apple.com")
echo "münchen.de" | punyCon -e
# Output: xn--mnchen-3ya.de
This bidirectional conversion integrates into recon pipelines, ensuring you catch internationalized variants of target domains. The underlying implementation uses Go's 'golang.org/x/net/idna' package, which handles the complex Unicode normalization and transformation rules.
The 'cleansub' utility removes wildcard DNS records and CDN addresses that pollute subdomain enumeration results. When tools like subfinder return thousands of subdomains, many resolve to the same IP (wildcard DNS) or CDN addresses (Cloudflare, Fastly). cleansub filters these programmatically:
cat subdomains.txt | cleansub | httprobe | aquatone
It likely works by resolving domains, grouping by IP, and applying heuristics to identify wildcards (many subdomains → same IP) and known CDN ranges. This preprocessing step dramatically reduces false positives in later pipeline stages.
Gotcha
The biggest limitation of go-auxs is documentation—or rather, the near-complete absence of it. The README lists tool names with one-sentence descriptions, but provides no usage examples, flag documentation, or input/output format specifications. You'll spend significant time running tools with '--help' flags and experimenting to understand behavior. Some tools may have undocumented edge cases or assumptions about input format that cause silent failures.
Maintenance is another concern. The repository shows sporadic commit activity, and some tools are likely outdated. The 'arank' tool fetches Alexa rankings, but Amazon discontinued the Alexa ranking service in May 2022, making this utility completely non-functional. There's no visible test suite, CI/CD pipeline, or issue tracking suggesting active maintenance. If you encounter bugs or need features, you're likely on your own to fork and modify the code. The lack of community around the project means no ecosystem of plugins, integrations, or shared knowledge beyond the source code itself.
Verdict
Use go-auxs if you're a security researcher or bug bounty hunter working primarily in command-line environments with large-scale reconnaissance data. The tools are purpose-built for your workflows, integrate seamlessly into shell pipelines, and solve genuinely annoying problems that generic Unix utilities can't handle. The lightweight Go binaries are fast enough for production use and portable across platforms. They suit you best if you're comfortable reading source code to understand behavior and don't mind occasional rough edges. Skip if you need comprehensive documentation, active maintenance, or enterprise support. Also skip if you're building automated systems that can't tolerate undocumented behavior changes or if you need tools with active communities. Consider ProjectDiscovery's httpx/katana suite instead for similar functionality with better documentation and maintenance, or build custom tooling using Go libraries like 'net/url' and 'golang.org/x/net/idna' if you need full control and testing.