Ghost-CLI is a high-speed, passive OSINT and reconnaissance tool designed to bypass search engine restrictions. By leveraging historical archives and SSL certificate transparency logs, it uncovers subdomains, forgotten endpoints, and sensitive files without ever sending a single packet to the target server or being blocked by Google CAPTCHAs.
- Passive Recon: Gathers data from 3rd-party archives so your IP never touches the target.
- Wayback Crawler: Pulls thousands of historical URLs to find old config, backup, and admin paths.
- Cert-Log Discovery: Uses Certificate Transparency logs to find subdomains that aren't even indexed on Google.
- Secret Scanner: Built-in regex engine to scan archived URLs for potential API keys and tokens.
- Auto-Workspace: Automatically organizes every scan into a dedicated ghost_results/ folder.
1. Clone & Set Permissions
    git clone https://github.com/hackops-academy/Ghost-CLI.git
    cd Ghost-CLI
    chmod +x ghost.sh
2. Run the tool
    ./ghost.sh target.com
Every scan creates a timestamped folder to keep your data organized:
ghost_results/example.com_20251228/
├── subdomains.txt # Discovered subdomains from SSL logs
├── all_urls.txt # Full history from Wayback Machine
├── sensitive_paths.txt # Filtered list (.php, .env, .sql, etc.)
└── potential_secrets.txt # Flagged URLs containing 'token' or 'key'
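A defender's follow-up on the archived URL list for a domain you own, as an added example that is not part of Ghost-CLI: matching 'token' or 'key' anywhere in a URL over-flags (keyword=, keyboard.png), so this checks query parameter names instead and prints only value lengths so the report does not itself store credentials. The function names, the name patterns and the sample URLs are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of Ghost-CLI. Reads archived URLs on stdin and prints
# host/path <TAB> parameter <TAB> value length for credential-like parameters.
# Values are never printed; use the report to decide what to rotate.

triage_secret_params() {
  awk '
  {
    q = index($0, "?")
    if (q == 0) next                      # no query string, nothing to check
    base  = substr($0, 1, q - 1)
    query = substr($0, q + 1)
    sub(/#.*/, "", query)                 # drop any fragment
    sub(/^[a-zA-Z]+:\/\//, "", base)      # drop scheme so http/https copies dedupe
    n = split(query, pairs, "&")
    for (i = 1; i <= n; i++) {
      eq = index(pairs[i], "=")
      if (eq == 0) continue
      name  = substr(pairs[i], 1, eq - 1)
      value = substr(pairs[i], eq + 1)
      lname = tolower(name)
      # Assumed name patterns: match the parameter name, not the whole URL.
      hit = (lname ~ /token|secret|passw|apikey/ || lname ~ /(^|[_-])key$/)
      if (!hit || value == "" || seen[base SUBSEP lname]++) continue
      printf "%s\t%s\tlen=%d\n", base, name, length(value)
    }
  }'
}

# Constructed sample input (not real archive data).
sample_urls() {
  cat <<'EOF'
https://example.com/login?next=/home
http://example.com/api/v1/items?api_key=CONSTRUCTED0123456789&page=2
https://example.com/api/v1/items?api_key=CONSTRUCTED0123456789&page=3
https://example.com/search?keyword=monkey
https://example.com/reset?token=CONSTRUCTEDabcdef
https://example.com/img/keyboard.png
EOF
}

sample_urls | triage_secret_params
```

Each reported parameter is a credential that has been publicly archived and should be treated as compromised and rotated.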
This tool is for educational purposes and authorized security auditing only. The author is not responsible for any misuse. Always respect the legal boundaries of OSINT gathering.
Developed by Hackops Academy