AttackSurfaceMapper: Attack Surface Expander

AttackSurfaceMapper: Attack Surface Expander

AttackSurfaceMapper is a reconnaissance tool which allows the user to automatically expand the attack surface of the target. The attack surface is the number of different points from which an attacker can enter a private network. This tool allows the attacker to use public breaches, search engines and online networking sites to access employee data and possibly credentials.

AttackSurfaceMapper Logo

AttackSurfaceMapper: Attack Surface Expander

After defining a target, AttackSurfaceMapper will use numerous techniques to find related targets such as subdomains and IP addresses. Once the target list has been fully explored, AttackSurfaceMapper will begin to implement reconnaissance techniques on the target by taking screenshots of the target, generating visual maps and looking up credentials in public data breaches.


  • Find potential targets who are related to the original target.
  • Passive port scanning with Shodan
  • Use LinkedIn to find employees of the target organization

Supported Platforms:

  • Linux, ChromeOS, MacOS, Windows


  • Git
  • Python 3+


Clone the GitHub repo:

$ git clone

Navigate to the working directory and install the requirements:

$ cd AttackSurfaceMapper
$ python3 -m pip install --no-cache-dir -r requirements.txt


Enter the following command to list available option/commands:

$ python3 -h 
usage: [-h] [-f FORMAT] [-o OUTPUT] [-sc] [-sth] [-t TARGET] [-V]
              [-w WORDLIST] [-sw SUBWORDLIST] [-e] [-ln] [-v]
|<------ AttackSurfaceMapper - Help Page ------>|
positional arguments:
  targets               Sets the path of the target IPs file.
optional arguments:
  -h, --help            show this help message and exit
  -f FORMAT, --format FORMAT
                        Choose between CSV and TXT output file formats.
  -o OUTPUT, --output OUTPUT
                        Sets the path of the output file.
  -sc, --screen-capture
                        Capture a screen shot of any associated Web Applications.
  -sth, --stealth       Passive mode allows reconaissaince using OSINT techniques only.
  -t TARGET, --target TARGET
                        Set a single target IP.
  -V, --version         Displays the current version.
  -w WORDLIST, --wordlist WORDLIST
                        Specify a list of subdomains.
  -sw SUBWORDLIST, --subwordlist SUBWORDLIST
                        Specify a list of child subdomains.
  -e, --expand          Expand the target list recursively.
  -ln, --linkedinner    Extracts emails and employees details from linkedin.
  -v, --verbose         Verbose ouput in the terminal window.
Authors: Andreas Georgiou (@superhedgy)
         Jacob Wilkin (@greenwolf)


$ python3 -t -ln -w resources/top100_sublist.txt -o demo_run

Check out the demo below.

Documentation Box
Download Box