Repository files navigation

💬

README_中文 •Compile/Install/Run •Parameter Description •How to use •Scenario •POC List •Custom Scan •Best Practices

• Free one id Multi-target web netcat for reverse shell
• What is scan4all: integrated vscan, nuclei, ksubdomain, subfinder, etc., fully automated and intelligent。red team toolsCode-level optimization, parameter optimization, and individual modules, such as vscan filefuzz, have been rewritten for these integrated projects.In principle, do not repeat the wheel, unless there are bugs, problems
• Cross-platform: based on golang implementation, lightweight, highly customizable, open source, supports Linux, windows, mac os, etc.
• Support [23] password blasting, support custom dictionary, open by "priorityNmap": true
  • RDP
  • VNC
  • SSH
  • Socks5
  • rsh-spx
  • Mysql
  • MsSql
  • Oracle
  • Postgresql
  • Redis
  • FTP
  • Mongodb
  • SMB, also detect MS17-010 (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148), SmbGhost (CVE- 2020-0796)
  • Telnet
  • Snmp
  • Wap-wsp (Elasticsearch)
  • RouterOs
  • HTTP BasicAuth(Authorization), contains Webdav、SVN（Apache Subversion） crack
  • Weblogic, enable nuclei through enableNuclei=true at the same time, support T3, IIOP and other detection
  • Tomcat
  • Jboss
  • Winrm(wsman)
  • POP3/POP3S
• By default, http password intelligent blasting is enabled, and it will be automatically activated when an HTTP password is required, without manual intervention
• Detect whether there is nmap in the system, and enable nmap for fast scanning through priorityNmap=true, which is enabled by default, and the optimized nmap parameters are faster than masscanDisadvantages of using nmap: Is the network bad, because the traffic network packet is too large, which may lead to incomplete resultsUsing nmap additionally requires setting the root password to an environment variable

export PPSSWWDD=yourRootPswd

More references: config/doNmapScan.shBy default, naabu is used to complete port scanning -stats=true to view the scanning progressCan I not scan Ports?

noScan=true ./scan4all -l list.txt -v# nmap result default noScan=true./scan4all -l nmapRssuilt.xml -v

• Fast 15000+ POC detection capabilities, PoCs include:
  • nuclei POC

  Nuclei Templates Top 10 statistics

281 directories, 3922 files.

• vscan POC
  • vscan POC includes: xray 2.0 300+ POC, go POC, etc.
• scan4all POC

• Support 7000+ web fingerprint scanning, identification:

  • httpx fingerprint
    • vscan fingerprint
    • vscan fingerprint: including eHoleFinger, localFinger, etc.
  • scan4all fingerprint

• Support 146 protocols and 90000+ rule port scanning

  • Depends on protocols and fingerprints supported by nmap

• Fast HTTP sensitive file detection, can customize dictionary

• Landing page detection

• Supports multiple types of input - STDIN/HOST/IP/CIDR/URL/TXT

• Supports multiple output types - JSON/TXT/CSV/STDOUT

• Highly integratable: Configurable unified storage of results to Elasticsearch [strongly recommended]

• Smart SSL Analysis:

  • In-depth analysis, automatically correlate the scanning of domain names in SSL information, such as *.xxx.com, and complete subdomain traversal according to the configuration, and the result will automatically add the target to the scanning list
  • Support to enable *.xx.com subdomain traversal function in smart SSL information, export EnableSubfinder=true, or adjust in the configuration file

• Automatically identify the case of multiple IPs associated with a domain (DNS), and automatically scan the associated multiple IPs

• Smart processing:

  • 1. When the IPs of multiple domain names in the list are the same, merge port scans to improve efficiency
  • 2. Intelligently handle http abnormal pages, and fingerprint calculation and learning

• Automated supply chain identification, analysis and scanning

• Link python3log4j-scan

  • This version blocks the bug that your target information is passed to the DNS Log Server to avoid exposing vulnerabilities
  • Added the ability to send results to Elasticsearch for batch, touch typing
  • There will be time in the future to implement the golang versionhow to use?

mkdir~/MyWork/;cd~/MyWork/;git clone https://github.com/hktalent/log4j-scan

• Intelligently identify honeypots and skip Targets. This function is disabled by default. You can set EnableHoneyportDetection=true to enable

• Highly customizable: allow to define your own dictionary through config/config.json configuration, or control more details, including but not limited to: nuclei, httpx, naabu, etc.

• support HTTP Request Smuggling: CL-TE、TE-CL、TE-TE、CL_CL、BaseErr

• Support via parameter Cookie='PHPSession=xxxx' ./scan4all -host xxxx.com, compatible with nuclei, httpx, go-poc, x-ray POC, filefuzz, http Smuggling

download fromReleases

go install github.com/GhostTroops/scan4all@2.8.9scan4all -h

• 1. Start Elasticsearch, of course you can use the traditional way to output, results

mkdir -p logs datadocker run --restart=always --ulimit nofile=65536:65536 -p 9200:9200 -p 9300:9300 -d --name es -v$PWD/logs:/usr/share/elasticsearch/logs -v$PWD /config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v$PWD/config/jvm.options:/usr/share/elasticsearch/config/jvm.options -v$PWD/data:/ usr/share/elasticsearch/data hktalent/elasticsearch:7.16.2# Initialize the es index, the result structure of each tool is different, and it is stored separately./config/initEs.sh# Search syntax, more query methods, learn Elasticsearch by yourselfhttp://127.0.0.1:9200/nmap_index/_doc/_search?q=_id:192.168.0.111where 92.168.0.111 is the target to query

• Please install nmap by yourself before useUsing Help

go build# Precise scan szUrl list UrlPrecise=trueUrlPrecise=true ./scan4all -l xx.txt# Disable adaptation to nmap and use naabu port to scan its internally defined http-related PortspriorityNmap=false ./scan4all -tp http -list allOut.txt -v

• Integrate web-cache-vulnerability-scanner to realize HTTP smuggling smuggling and cache poisoning detection
• Linkage with metasploit-framework, on the premise that the system has been installed, cooperate with tmux, and complete the linkage with the macos environment as the best practice
• Integrate more fuzzers , such as linking sqlmap
• Integrate chromedp to achieve screenshots of landing pages, detection of front-end landing pages with pure js and js architecture, and corresponding crawlers (sensitive information detection, page crawling)
• Integrate nmap-go to improve execution efficiency, dynamically parse the result stream, and integrate it into the current task waterfall
• Integrate ksubdomain to achieve faster subdomain blasting
• Integrate spider to find more bugs
• Semi-automatic fingerprint learning to improve accuracy; specify fingerprint name, configure

• how use Cookie?
• libpcap related question

more see:discussions

• https://www.77169.net/html/312916.html
• https://zhuanlan.zhihu.com/p/636131542
• https://github.com/GhostTroops/scan4all/blob/main/static/Installation.md
• https://github.com/GhostTroops/scan4all/blob/main/static/NicePwn.md
• https://github.com/GhostTroops/scan4all/blob/main/static/running.md
• https://www.google.com/search?client=safari&rls=en&q=%22hktalent%22+%22scan4all%22&ie=UTF-8&oe=UTF-8#ip=1

• @freeload101
• @b1win0y
• @BL4CKR4Y

https://github.com/GhostTroops/scan4all/graphs/contributors

• 2023-10-01 Optimize support for nuclei@latest
• 2022-07-28 Added substr and aes_cbc dsl helper by me nuclei v2.7.7
• 2022-07-20 fix and PR nuclei #2301 Concurrent multi-instance bug
• 2022-07-20 add web cache vulnerability scanner
• 2022-07-19 PR nuclei #2308 add dsl function: substr aes_cbc
• 2022-07-19 Add dcom Protocol enumeration network interfaces
• 2022-06-30 Embedded integrated private version nuclei-templates A total of 3744 YAML POC; 1. Integrate Elasticsearch to store intermediate results 2. Embed the entire config directory into the program
• 2022-06-27 Optimize fuzzy matching to improve accuracy and robustness; integrate ksubdomain progress
• 2022-06-24 Optimize fingerprint algorithm; add workflow chart
• 2022-06-23 Added parameter ParseSSl to control the default of not deeply analyzing DNS information in SSL and not scanning DNS in SSL by default; Optimization: nmap does not automatically add .exe bug; Optimize the bug of cache files under Windows not optimizing the size
• 2022-06-22 Integrated weak password detection and password blasting for 11 protocols: ftp, mongodb, mssql, mysql, oracle, postgresql, rdp, redis, smb, ssh, telnet, and optimized support for plug-in password dictionary
• 2022-06-20 Integrate Subfinder, domain name blasting, startup parameter export EnableSubfinder=true, note that it is very slow after startup; automatic deep drilling of domain name information in the ssl certificate allows you to define your own dictionary through config/config.json configuration, or set related switch
• 2022-06-17 Optimize the situation where one domain name has multiple IPs. All IPs will be port scanned, and then follow the subsequent scanning process.
• 2022-06-15 This version adds several weblogic password dictionaries and webshell dictionaries obtained in past actual combat
• 2022-06-10 Complete the integration of the core, including of course the integration of the core template
• 2022-06-07 Add similarity algorithm to detect 404
• 2022-06-07 Added http url list precision scanning parameters, turned on according to the environment variable UrlPrecise=true

Wechat	Or	QQchat	Or	Tg

Wechat Pay	AliPay	Paypal	BTC Pay	BCH Pay
		paypalmiracletalent@gmail.com