awesome-kai-moana

Kai Moana (Hawaiian) — "food from the sea." The ocean's bounty, harvested by those who know where to look.

A curated collection of high-performance recon tools built in Rust, each born from stracing its Go predecessor at the syscall level and engineering a replacement that eliminates every measured bottleneck. No guesswork. No premature optimization. Every design decision traces to a strace -c -f timestamp.

12.9 MB replaces 152 MB. Same targets. More results. Fewer syscalls.

---

The Fleet

Three tools. Three ocean predators. One pipeline.

leviathan -d target.com -s | puhi --resp --recon | mano -s --title --status-code --tech-detect

The sea monster finds them. The moray eel maps every record. The shark devours them.

---

leviathan — subdomain discovery

The biblical sea monster that drags everything from the deep.

Replaces subfinder (ProjectDiscovery) | GitHub

Metric	subfinder	leviathan	Delta
Binary size	42 MB	5.9 MB	86% smaller
Wall clock (passive)	30.4s	4.8s	6.3x faster
CPU time	2.58s	0.04s	64x less
Subdomains found	16	28	75% more
Total syscalls	524,770	4,400	119x fewer
Futex calls	214,744	690	311x fewer
nanosleep calls	4,220	23	183x fewer

Key bottlenecks eliminated:

• Goroutine-per-source + unbuffered channel → tokio async + bounded MPSC
• Spin-wait rate limiter → timer-based governor token bucket
• Per-source HTTP clients → shared reqwest connection pool
• IPv6 ENETUNREACH fallback waste → IPv4-only at client level

5-phase pipeline:

1. Passive OSINT sources (crt.sh, Wayback, AlienVault, CertSpotter, URLScan, RapidDNS, Anubis, HackerTarget)
2. DNS record mining (SPF/DMARC/MX/NS/SOA/SRV/CNAME) + NSEC zone walking + TLS SAN harvesting
3. HTTP header mining (CSP, CORS, Location) + JavaScript static analysis
4. Reverse DNS /24 CIDR sweep
5. Smart permutation brute-force from discovered labels

# Passive only — drop-in subfinder replacement
leviathan -d example.com --passive -s

# Full 5-phase deep recon
leviathan -d example.com -s

# Multiple domains
leviathan -d example.com,target.org -s

---

puhi — DNS resolution & brute-force

The moray eel — lurks in every crevice, strikes with precision.

Replaces dnsx (ProjectDiscovery) | GitHub

Metric	dnsx	puhi	Delta
Binary size	41 MB	2.1 MB	95% smaller
Wall clock	1.09s	0.10s	10.3x faster
DNS records found	120	163	36% more
Total syscalls	33,047	5,132	6.4x fewer
Futex calls	7,168	764	9.4x fewer
epoll calls	16,005	639	25x fewer
nanosleep calls	690	2	345x fewer

Key bottlenecks eliminated:

• 100 goroutines with independent UDP sockets → single shared hickory-resolver with caching
• 8 resolvers queried in parallel per hostname → single resolver, cached results
• Unbuffered channels → buffer_unordered with zero scheduling overhead
• tokio::join! for parallel record type queries within a single task

Supports: A, AAAA, CNAME, MX, NS, TXT, SOA, SRV, PTR, CAA

# Resolve A records
leviathan -d example.com -s | puhi -a

# All record types with response values
leviathan -d example.com -s | puhi --recon --resp

# DNS brute-force
puhi -d example.com -w wordlist.txt -a --resp

# JSON output
puhi -l hosts.txt --recon -j

---

mano — HTTP probe & fingerprint

The shark — one pass and it knows everything about the target.

Replaces httpx (ProjectDiscovery) | GitHub

Metric	httpx	mano	Delta
Binary size	69 MB	4.9 MB	93% smaller
Wall clock	1.59s	0.25s	6.4x faster
CPU time	1.98s	0.04s	49x less
nanosleep calls	1,222	3	407x fewer
CPU utilization	124%	15%	88% less CPU

Key bottlenecks eliminated:

• DisableKeepAlives: true + MaxIdleConnsPerHost: -1 → shared connection pool with keep-alive
• Go runtime scheduler overhead (124% CPU for 17 targets) → tokio async (15% CPU)
• 69MB binary (wappalyzer, headless Chrome, 3 DB drivers) → 4.9MB with only what's needed
• 5 DNS resolvers queried per target → system resolver with caching

Extracts: status codes, page titles, server headers, content length, technology fingerprints (nginx, Cloudflare, WordPress, React, Django, etc.), TLS certificates (CN, SANs, issuer), body hashes (MD5, SHA-256), line/word counts, response time

# Basic probe
leviathan -d example.com -s | mano -s --status-code --title

# Full fingerprint
leviathan -d example.com -s | mano -a

# JSON output with TLS
mano -l hosts.txt --json --tls-grab

# Filter by status code
mano -l hosts.txt --mc 200,301 -s --title --tech-detect

---

The Pipeline

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  leviathan   │────▶│    puhi     │────▶│    mano     │
│  5.9 MB      │     │  2.1 MB     │     │  4.9 MB     │
│              │     │              │     │              │
│  find subs   │     │  map DNS     │     │  probe HTTP  │
│  28 found    │     │  200 records │     │  11 alive    │
│  4.8s        │     │  0.1s        │     │  0.25s       │
└─────────────┘     └─────────────┘     └─────────────┘
    replaces            replaces            replaces
   subfinder              dnsx               httpx
    42 MB                41 MB              69 MB

One-liner:

leviathan -d hackerone.com -s | puhi --resp --recon | mano -s --title --status-code --tech-detect

---

Why Rust over Go for recon tools

This isn't a language war. It's a measurement.

What we measured	Go (ProjectDiscovery)	Rust (Kai Moana)
Combined binary	152 MB	12.9 MB
Futex calls (subfinder)	214,744	690
epoll calls (dnsx)	16,005	639
nanosleep calls (httpx)	1,222	3
CPU for 17 HTTP probes	124%	15%
Subdomains found	16	28
DNS records found	120	163

The Go runtime's goroutine scheduler, garbage collector, and sysmon thread create measurable overhead that compounds at scale. When you're scanning thousands of targets from a VPS, Lambda function, or jump box during a pentest, that overhead becomes the bottleneck — not the network.

Every number above came from strace -c -f. Every design decision traces to a syscall count.

---

Methodology

Each tool in the fleet was built using the same process:

1. Clone the Go tool from ProjectDiscovery
2. Build the binary, note the size
3. strace -c -f — run with real targets, capture full syscall summary
4. strace -f -e trace=futex,nanosleep,connect — deep dive into contention, sleep patterns, network behavior
5. Analyze — identify the top 5 bottlenecks by wall-clock time
6. Map each bottleneck to a Rust architectural decision
7. Build the replacement with zero-overhead async, shared resources, and minimal dependencies
8. Benchmark — head-to-head on identical targets with identical flags
9. strace the replacement — verify the bottlenecks are eliminated
10. Publish — with full strace data in the README

No guesswork. No "Rust is faster because Rust." Measured, mapped, eliminated.

---

Install

Each tool is standalone. Install what you need:

# The whole fleet
git clone https://github.com/copyleftdev/leviathan.git && cd leviathan && cargo build --release && sudo cp target/release/leviathan /usr/local/bin/ && cd ..
git clone https://github.com/copyleftdev/puhi.git && cd puhi && cargo build --release && sudo cp target/release/puhi /usr/local/bin/ && cd ..
git clone https://github.com/copyleftdev/mano.git && cd mano && cargo build --release && sudo cp target/release/mano /usr/local/bin/ && cd ..

Requires Rust 1.70+. No runtime dependencies.

---

Naming

All tools are named from Hawaiian ocean life — Kai Moana means "food from the sea."

Tool	Hawaiian	English	Role
leviathan	—	Biblical sea monster	Drags subdomains from the deep
puhi	puhi	Moray eel	Probes every crevice of DNS
mano	mano	Shark	Devours HTTP targets on the surface

---

Contributing

The fleet follows one rule: measure first, build second.

If you want to add a tool:

1. Pick a Go recon tool (naabu, katana, ffuf, nuclei, etc.)
2. strace -c -f it with real targets
3. Identify the top bottlenecks
4. Build the Rust replacement
5. Show the head-to-head numbers
6. Name it after an ocean creature

PRs welcome.

---

License

MIT — all tools in the fleet.

---

Links

• leviathan — subdomain discovery (replaces subfinder)
• puhi — DNS resolver (replaces dnsx)
• mano — HTTP prober (replaces httpx)