Pricing

Pay per usage

Go to Apify Store

Ghost Shadow Discovery

Try for free

Pricing

Pay per usage

Rating

0.0

(0)

Developer

Zaher el siddik

Actor stats

Bookmarked

Total users

Monthly active users

7 days ago

Last modified

Ghost-Target: Shadow Discovery

Actor 1 of 3 in the Ghost-Target Autonomous Red Team Pipeline.

Performs fully passive external reconnaissance against a target domain. Pulls data from certificate transparency logs, Wayback Machine archives, passive subdomain enumeration, live HTTP probing, GitHub code search, and optional Shodan/Censys enrichment — building a structured "Ghost Inventory" of every asset the target has ever exposed on the internet.

No active scanning. No packets sent to the target. Pure intelligence gathering.

What It Does

Phase 1 — Subdomain Enumeration

Queries three independent passive sources in parallel:

Source	Method	What It Finds
crt.sh	Certificate Transparency logs	Subdomains issued SSL certificates (including wildcards)
Wayback CDX API	Internet Archive index	Historical subdomains and paths the target ever published
subfinder	50+ passive APIs (VirusTotal, Shodan, Chaos, etc.)	Aggregated subdomain intelligence

Phase 2 — GitHub Leak Detection

Searches GitHub for public repositories containing sensitive references to the target domain using 9 dorks:

Exposed .env files with credentials
docker-compose.yml files with passwords
.npmrc files with auth tokens
API keys, secret keys, access tokens
PEM certificates

Phase 3 — Live HTTP Probing

Probes every discovered subdomain over both HTTP and HTTPS using native Node.js:

HTTP status codes and redirect chains
Page titles
Web server headers (Server, X-Powered-By)
Technology fingerprinting (WordPress, Jenkins, Jira, Confluence, GitLab, phpMyAdmin)

Phase 4 — Shodan Enrichment (Optional)

If a Shodan API key is provided, resolves each live host's IP and fetches:

Open ports
Operating system
Organization
Known CVEs (Shodan's own database)

Phase 5 — Risk Scoring

Each asset gets a 0–100 risk score:

Factor	Points
Sensitive ports open (22, 3306, 6379, 27017...)	+30
Dev/staging subdomain pattern	+25
Exposed vulnerable stack (WordPress, Jenkins, etc.)	+20–35
GitHub leak reference	+40
Shodan CVEs	+10 per CVE

Phase 6 — Recursive OSINT (Optional)

When recursiveDepth > 0, newly discovered high-risk subdomains (riskScore ≥ 30) automatically trigger sub-recon. Useful for discovering deeply nested infrastructure (e.g. dev.api.internal.example.com).

Input

Field	Type	Required	Default	Description
`targetDomain`	string	✅	—	Root domain to recon. No scheme, no path. e.g. `example.com`
`logicEngineActorId`	string	—	—	Actor ID of Actor 2 to auto-trigger on completion
`globalKvsName`	string	—	`ghost-target-brain`	Shared Key-Value Store name. Must match across all three actors
`waybackLimit`	integer	—	`5000`	Max URLs to pull from Wayback CDX per domain
`recursiveDepth`	integer	—	`1`	Recursive sub-recon depth (0 = disabled, max 3)
`githubToken`	string	—	—	GitHub personal access token for leak detection
`shodanApiKey`	string	—	—	Shodan API key for port and CVE enrichment
`censysApiId`	string	—	—	Censys API ID (reserved for future use)
`censysApiSecret`	string	—	—	Censys API secret
`apifyApiToken`	string	—	—	Your Apify API token. Required for cross-actor KVS sharing when triggered by another actor
`proxyEnabled`	boolean	—	`false`	Route requests through Apify residential proxies

Tip: When running Actor 1 manually and chaining to Actor 2, pass your apifyApiToken so that downstream actors can access the shared KVS.

Output

Dataset

One row per discovered subdomain:

{
  "subdomain": "dev.example.com",
  "isLive": true,
  "ip": "1.2.3.4",
  "sources": ["crt.sh", "wayback", "subfinder"],
  "statusCode": 200,
  "title": "Dev Portal - Example Inc",
  "webServer": "nginx/1.18.0",
  "technologies": ["nginx/1.18.0", "PHP/7.4"],
  "openPorts": [22, 80, 443, 3306],
  "shodanVulns": ["CVE-2021-44228"],
  "org": "Example Inc",
  "highValuePaths": ["/.env", "/admin"],
  "isNew": true,
  "firstSeen": "2026-05-15T09:44:56.000Z",
  "lastSeen": "2026-05-15T09:44:56.000Z",
  "riskScore": 85
}

Key-Value Store (`ghost-target-brain`)

Saves the full brain state to surface__{domain}:

{
  "domain": "example.com",
  "subdomains": { "dev.example.com": { "firstSeen": "...", "riskScore": 85 } },
  "waybackPaths": ["/.env", "/admin/login", "/api/v2/users"],
  "githubLeaks": [{ "repo": "user/leaked-repo", "file": ".env", "url": "..." }],
  "lastRunSummary": {
    "totalSubdomains": 47,
    "newAssets": 3,
    "liveAssets": 31,
    "highRiskAssets": 5
  },
  "runCount": 2
}

Actor Output (`OUTPUT`)

{
  "domain": "example.com",
  "totalSubdomains": 47,
  "newAssets": 3,
  "liveAssets": 31,
  "highRiskAssets": 5,
  "githubLeakRefs": 2,
  "waybackPathsIndexed": 4821,
  "kvsKey": "surface__example.com"
}

Automatic Pipeline Chaining

When logicEngineActorId is set, this actor automatically triggers Actor 2 (Logic Engine) via the Apify API as soon as it completes — passing the targetDomain, globalKvsName, and apifyApiToken so the scan continues without manual intervention.

Actor 1 finishes → webhook → Actor 2 starts → webhook → Actor 3 starts

Prerequisites

This actor uses two Go binaries bundled in the Docker image:

subfinder v2.6.6 — passive subdomain enumeration
httpx v1.6.10 — HTTP probing and tech fingerprinting

Both are downloaded as pre-built binaries at Docker build time — no Go compiler needed at runtime.

Usage Example

Standalone run

{
  "targetDomain": "example.com",
  "waybackLimit": 5000,
  "recursiveDepth": 1,
  "githubToken": "ghp_xxxxxxxxxxxx",
  "shodanApiKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "globalKvsName": "ghost-target-brain"
}

With full pipeline chaining

{
  "targetDomain": "example.com",
  "logicEngineActorId": "YOUR_USERNAME/ghost-logic-engine",
  "globalKvsName": "ghost-target-brain",
  "apifyApiToken": "apify_api_xxxxxxxxxxxxxxxxxxxxxxxx",
  "githubToken": "ghp_xxxxxxxxxxxx",
  "shodanApiKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

Safe Test Targets

Domain	Why
`demo.testfire.net`	IBM Altoro Mutual — intentional vuln demo bank
`testphp.vulnweb.com`	Acunetix intentional vuln PHP app
`juice-shop.herokuapp.com`	OWASP Juice Shop
Your own domain	Best for real results

Legal Notice

This tool is for authorized penetration testing and security research only. Always obtain written permission before running reconnaissance against any domain. Unauthorized use may violate computer fraud and abuse laws in your jurisdiction.

Ghost Email Scraper - Advanced, Fast & Cheapest

contacts-api/ghost-email-scraper-fast-advanced-and-cheapest

👻 Ghost Email Scraper helps you find writer and publication emails from Ghost-powered sites 🔍 Ideal for content marketing and partnerships 📧

Lead Heaven

Ghost Email Scraper – Advanced, Cheapest & Reliable 📧⚡

contactminerlabs/ghost-email-scraper---advanced-cheapest-reliable

🔍 Scrape Ghost.org Emails Enter your search parameters to collect verified contact emails from public Ghost profiles, along with profile title, bio, source URL & platform info ✉️📊 Perfect for lead generation, influencer outreach & data enrichment in tools like Google Sheets or CRMs⚡🧩

ContactMinerLabs

Ghost Logic Engine

wonderful_beluga/ghost-logic-engine

Zaher el siddik

Ghost Newsletter Scraper

webdatalabs/ghost-newsletter-scraper

Extract structured data from any Ghost-powered newsletter - track posts, monitor pricing, analyze publishing patterns, and research the creator economy.

WebDataLabs

5.0

Ghost Exploit Synthesizer

wonderful_beluga/ghost-exploit-synthesizer

Zaher el siddik

Ghost Job Detector

badruddeen/ghost-job-detector

Identify ghost, fake, or reposted LinkedIn and company jobs. Monitors listings, extracts signals, and calculates a Hiring Likelihood Score to help job seekers focus on genuine opportunities.

Badruddeen Naseem

🔍 TikTok Shadow Ban Checker | $10/1K | Instant Check

apivault_labs/tiktok-shadow-ban-checker

Check if TikTok videos are shadowbanned by analyzing the indexEnabled property. Supports batch URL checking with automatic proxy rotation.

Apivault Labs

Newsletter Archiver: Substack, Beehiiv, Ghost, RSS

aitoolbreakdown/atb-newsletter-archiver

Point it at a newsletter's public RSS feed. Returns every post as structured JSON: title, date, full HTML + plaintext, author, URL. Works with Substack, Beehiiv, Ghost, and any Atom/RSS 2.0 feed.

AI Tool Breakdown

Ghost Job Filter And Resume Deep Tailor

openfrontier_ai/Ghost-Job-Filter-And-Deep-Tailor

An AI detective exposing 'Ghost Jobs' by gathering detailed info and cross-verifying listings against official company portals. It also provides a 'Deep Tailor' feature for resume optimization to align your profile with verified opportunities and bypass automated ATS filters.

OpenFrontier AI

5.0

Agentic Accessibility Checker

myro-e54de05da1/Agentic-Accessibility-Checker

Lighthouse for AI Agents. Audit your Agent-Ready Score (ARS) using 5-pillar analysis. Features structural classification (Docs, E-com, SaaS), Shadow-Markdown simulation (SNR), Semantic Desync detection, and full browser rendering. Ensure your site is discovery-ready for the agentic web.