SurfaceMapper is a lightweight Bash-based reconnaissance tool designed for attack surface mapping during bug bounty hunting and web penetration testing.
- Live endpoint detection
- Open ports & service detection
- URL & parameter extraction
- JavaScript & interesting files discovery
- Potential secrets detection
This tool does not perform subdomain enumeration by itself. You must first collect subdomains using external tools, then provide them as input.
Use any subdomain enumeration tools you prefer, such as:
- subfinder
- assetfinder
- amass
- findomain
Save all discovered subdomains into a file named subs.txt.
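Merged output from several enumeration tools can contain duplicates, full URLs, wildcard entries and hosts outside the target domain. The following added example (not part of SurfaceMapper; `filter_scope` is a hypothetical helper and the host names are constructed) normalises such a list and keeps only hosts under the target domain before it is saved as subs.txt:

```shell
#!/usr/bin/env bash
# Added example: filter_scope is a hypothetical helper, not part of SurfaceMapper.
# It normalises a merged host list and keeps only hosts under the target domain.

filter_scope() {   # usage: filter_scope <target-domain> <raw-list-file>
    tr '[:upper:]' '[:lower:]' < "$2" | tr -d '\r' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's#^[a-z][a-z0-9+.-]*://##' \
        -e 's#[/:?].*$##' \
        -e 's/^\*\.//' -e 's/\.$//' |
    awk -v d="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        $0 !~ /^[a-z0-9._-]+$/ || /^\./ || /\.\./ { next }   # not a hostname
        $0 == d { print; next }                               # the apex itself
        # subdomain only if the suffix match starts on a label boundary
        length($0) > length(d) + 1 &&
            substr($0, length($0) - length(d)) == ("." d) { print }
    ' | sort -u
}

# Constructed sample input: merged output of several enumeration tools.
sample=$(mktemp)
cat > "$sample" <<'EOF'
api.target.com
API.Target.com
https://shop.target.com/login
*.dev.target.com
target.com
nottarget.com
target.com.evil.example
cdn.partner.example
mail.target.com.
EOF

filter_scope target.com "$sample"      # redirect to subs.txt to save the result
```

The label-boundary check is what drops look-alike entries such as `nottarget.com` and `target.com.evil.example`, which a plain substring match on the domain would keep.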
Once you have your subdomain list, run the script by providing:
- The target domain
- The subdomains file
./SurfaceMapper.sh target.com subs.txt

This tool is intended for educational purposes, bug bounty testing, and authorized security assessments only.
You must have explicit permission from the owner of any target domain before running this toolkit.
Unauthorized use may be illegal and is solely your responsibility.