# Ghost Shadow Discovery (`wonderful_beluga/ghost-shadow-discovery`) Actor - **URL**: https://apify.com/wonderful\_beluga/ghost-shadow-discovery.md - **Developed by:** [Zaher el siddik](https://apify.com/wonderful_beluga) (community) - **Categories:** Automation - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing Pay per usage This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## Ghost-Target: Shadow Discovery **Actor 1 of 3 in the Ghost-Target Autonomous Red Team Pipeline.** Performs fully passive external reconnaissance against a target domain. Pulls data from certificate transparency logs, Wayback Machine archives, passive subdomain enumeration, live HTTP probing, GitHub code search, and optional Shodan/Censys enrichment — building a structured "Ghost Inventory" of every asset the target has ever exposed on the internet. No active scanning. No packets sent to the target. Pure intelligence gathering. --- ### What It Does #### Phase 1 — Subdomain Enumeration Queries three independent passive sources in parallel: | Source | Method | What It Finds | |---|---|---| | **crt.sh** | Certificate Transparency logs | Subdomains issued SSL certificates (including wildcards) | | **Wayback CDX API** | Internet Archive index | Historical subdomains and paths the target ever published | | **subfinder** | 50+ passive APIs (VirusTotal, Shodan, Chaos, etc.) | Aggregated subdomain intelligence | #### Phase 2 — GitHub Leak Detection Searches GitHub for public repositories containing sensitive references to the target domain using 9 dorks: - Exposed `.env` files with credentials - `docker-compose.yml` files with passwords - `.npmrc` files with auth tokens - API keys, secret keys, access tokens - PEM certificates #### Phase 3 — Live HTTP Probing Probes every discovered subdomain over both HTTP and HTTPS using native Node.js: - HTTP status codes and redirect chains - Page titles - Web server headers (`Server`, `X-Powered-By`) - Technology fingerprinting (WordPress, Jenkins, Jira, Confluence, GitLab, phpMyAdmin) #### Phase 4 — Shodan Enrichment (Optional) If a Shodan API key is provided, resolves each live host's IP and fetches: - Open ports - Operating system - Organization - Known CVEs (Shodan's own database) #### Phase 5 — Risk Scoring Each asset gets a 0–100 risk score: | Factor | Points | |---|---| | Sensitive ports open (22, 3306, 6379, 27017...) | +30 | | Dev/staging subdomain pattern | +25 | | Exposed vulnerable stack (WordPress, Jenkins, etc.) | +20–35 | | GitHub leak reference | +40 | | Shodan CVEs | +10 per CVE | #### Phase 6 — Recursive OSINT (Optional) When `recursiveDepth > 0`, newly discovered high-risk subdomains (riskScore ≥ 30) automatically trigger sub-recon. Useful for discovering deeply nested infrastructure (e.g. `dev.api.internal.example.com`). --- ### Input | Field | Type | Required | Default | Description | |---|---|---|---|---| | `targetDomain` | string | ✅ | — | Root domain to recon. No scheme, no path. e.g. `example.com` | | `logicEngineActorId` | string | — | — | Actor ID of Actor 2 to auto-trigger on completion | | `globalKvsName` | string | — | `ghost-target-brain` | Shared Key-Value Store name. Must match across all three actors | | `waybackLimit` | integer | — | `5000` | Max URLs to pull from Wayback CDX per domain | | `recursiveDepth` | integer | — | `1` | Recursive sub-recon depth (0 = disabled, max 3) | | `githubToken` | string | — | — | GitHub personal access token for leak detection | | `shodanApiKey` | string | — | — | Shodan API key for port and CVE enrichment | | `censysApiId` | string | — | — | Censys API ID (reserved for future use) | | `censysApiSecret` | string | — | — | Censys API secret | | `apifyApiToken` | string | — | — | Your Apify API token. Required for cross-actor KVS sharing when triggered by another actor | | `proxyEnabled` | boolean | — | `false` | Route requests through Apify residential proxies | > **Tip:** When running Actor 1 manually and chaining to Actor 2, pass your `apifyApiToken` so that downstream actors can access the shared KVS. --- ### Output #### Dataset One row per discovered subdomain: ```json { "subdomain": "dev.example.com", "isLive": true, "ip": "1.2.3.4", "sources": ["crt.sh", "wayback", "subfinder"], "statusCode": 200, "title": "Dev Portal - Example Inc", "webServer": "nginx/1.18.0", "technologies": ["nginx/1.18.0", "PHP/7.4"], "openPorts": [22, 80, 443, 3306], "shodanVulns": ["CVE-2021-44228"], "org": "Example Inc", "highValuePaths": ["/.env", "/admin"], "isNew": true, "firstSeen": "2026-05-15T09:44:56.000Z", "lastSeen": "2026-05-15T09:44:56.000Z", "riskScore": 85 } ```` #### Key-Value Store (`ghost-target-brain`) Saves the full brain state to `surface__{domain}`: ```json { "domain": "example.com", "subdomains": { "dev.example.com": { "firstSeen": "...", "riskScore": 85 } }, "waybackPaths": ["/.env", "/admin/login", "/api/v2/users"], "githubLeaks": [{ "repo": "user/leaked-repo", "file": ".env", "url": "..." }], "lastRunSummary": { "totalSubdomains": 47, "newAssets": 3, "liveAssets": 31, "highRiskAssets": 5 }, "runCount": 2 } ``` #### Actor Output (`OUTPUT`) ```json { "domain": "example.com", "totalSubdomains": 47, "newAssets": 3, "liveAssets": 31, "highRiskAssets": 5, "githubLeakRefs": 2, "waybackPathsIndexed": 4821, "kvsKey": "surface__example.com" } ``` *** ### Automatic Pipeline Chaining When `logicEngineActorId` is set, this actor automatically triggers **Actor 2 (Logic Engine)** via the Apify API as soon as it completes — passing the `targetDomain`, `globalKvsName`, and `apifyApiToken` so the scan continues without manual intervention. ``` Actor 1 finishes → webhook → Actor 2 starts → webhook → Actor 3 starts ``` *** ### Prerequisites This actor uses two Go binaries bundled in the Docker image: - **[subfinder v2.6.6](https://github.com/projectdiscovery/subfinder)** — passive subdomain enumeration - **[httpx v1.6.10](https://github.com/projectdiscovery/httpx)** — HTTP probing and tech fingerprinting Both are downloaded as pre-built binaries at Docker build time — no Go compiler needed at runtime. *** ### Usage Example #### Standalone run ```json { "targetDomain": "example.com", "waybackLimit": 5000, "recursiveDepth": 1, "githubToken": "ghp_xxxxxxxxxxxx", "shodanApiKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "globalKvsName": "ghost-target-brain" } ``` #### With full pipeline chaining ```json { "targetDomain": "example.com", "logicEngineActorId": "YOUR_USERNAME/ghost-logic-engine", "globalKvsName": "ghost-target-brain", "apifyApiToken": "apify_api_xxxxxxxxxxxxxxxxxxxxxxxx", "githubToken": "ghp_xxxxxxxxxxxx", "shodanApiKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" } ``` *** ### Safe Test Targets | Domain | Why | |---|---| | `demo.testfire.net` | IBM Altoro Mutual — intentional vuln demo bank | | `testphp.vulnweb.com` | Acunetix intentional vuln PHP app | | `juice-shop.herokuapp.com` | OWASP Juice Shop | | Your own domain | Best for real results | *** ### Legal Notice This tool is for **authorized penetration testing and security research only**. Always obtain written permission before running reconnaissance against any domain. Unauthorized use may violate computer fraud and abuse laws in your jurisdiction. # Actor input Schema ## `targetDomain` (type: `string`): Root domain to recon (e.g. example.com). No scheme or path. ## `shodanApiKey` (type: `string`): Optional. Shodan API key to enrich IP/port data. ## `censysApiId` (type: `string`): Optional. Censys API ID for certificate search. ## `censysApiSecret` (type: `string`): Optional. Censys API secret. ## `githubToken` (type: `string`): Optional. Used to search GitHub for leaked credentials and mentions of the domain. ## `waybackLimit` (type: `integer`): Max URLs to pull from Wayback Machine CDX API per domain. ## `recursiveDepth` (type: `integer`): When new subdomains are found, re-run recon on them up to this depth. ## `logicEngineActorId` (type: `string`): Actor ID of Actor 2 (ghost-logic-engine) to trigger via webhook on completion. ## `globalKvsName` (type: `string`): Name of the shared Key-Value Store acting as the pipeline brain. ## `proxyEnabled` (type: `boolean`): Route requests through Apify residential proxies to avoid rate-limiting. ## Actor input object example ```json { "targetDomain": "example.com", "waybackLimit": 5000, "recursiveDepth": 1, "globalKvsName": "ghost-target-brain", "proxyEnabled": false } ``` # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "targetDomain": "example.com", "waybackLimit": 5000, "recursiveDepth": 1, "globalKvsName": "ghost-target-brain" }; // Run the Actor and wait for it to finish const run = await client.actor("wonderful_beluga/ghost-shadow-discovery").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "targetDomain": "example.com", "waybackLimit": 5000, "recursiveDepth": 1, "globalKvsName": "ghost-target-brain", } # Run the Actor and wait for it to finish run = client.actor("wonderful_beluga/ghost-shadow-discovery").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "targetDomain": "example.com", "waybackLimit": 5000, "recursiveDepth": 1, "globalKvsName": "ghost-target-brain" }' | apify call wonderful_beluga/ghost-shadow-discovery --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=wonderful_beluga/ghost-shadow-discovery", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "Ghost Shadow Discovery", "version": "1.0", "x-build-id": "ryAdS0qnnYGFhSCGL" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/wonderful_beluga~ghost-shadow-discovery/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-wonderful_beluga-ghost-shadow-discovery", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/wonderful_beluga~ghost-shadow-discovery/runs": { "post": { "operationId": "runs-sync-wonderful_beluga-ghost-shadow-discovery", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/wonderful_beluga~ghost-shadow-discovery/run-sync": { "post": { "operationId": "run-sync-wonderful_beluga-ghost-shadow-discovery", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "targetDomain" ], "properties": { "targetDomain": { "title": "Target Domain", "type": "string", "description": "Root domain to recon (e.g. example.com). No scheme or path." }, "shodanApiKey": { "title": "Shodan API Key", "type": "string", "description": "Optional. Shodan API key to enrich IP/port data." }, "censysApiId": { "title": "Censys API ID", "type": "string", "description": "Optional. Censys API ID for certificate search." }, "censysApiSecret": { "title": "Censys API Secret", "type": "string", "description": "Optional. Censys API secret." }, "githubToken": { "title": "GitHub Token", "type": "string", "description": "Optional. Used to search GitHub for leaked credentials and mentions of the domain." }, "waybackLimit": { "title": "Wayback URL Limit", "minimum": 100, "maximum": 50000, "type": "integer", "description": "Max URLs to pull from Wayback Machine CDX API per domain.", "default": 5000 }, "recursiveDepth": { "title": "Recursive Recon Depth", "minimum": 0, "maximum": 3, "type": "integer", "description": "When new subdomains are found, re-run recon on them up to this depth.", "default": 1 }, "logicEngineActorId": { "title": "Logic Engine Actor ID", "type": "string", "description": "Actor ID of Actor 2 (ghost-logic-engine) to trigger via webhook on completion." }, "globalKvsName": { "title": "Global KVS Name", "type": "string", "description": "Name of the shared Key-Value Store acting as the pipeline brain.", "default": "ghost-target-brain" }, "proxyEnabled": { "title": "Use Apify Proxy", "type": "boolean", "description": "Route requests through Apify residential proxies to avoid rate-limiting.", "default": false } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```