Scan4All: A Next-Gen Automated Vulnerability Detection Security Tool
Scan4All is at the vanguard of modern cybersecurity solutions, offering a comprehensive suite of tools for automated vulnerability detection and threat analysis.
Built on a robust Golang framework, this cross-platform toolkit seamlessly integrates with various systems, elevating the standard for next-generation security measures.
Features
What Is Scan4all: integrated vscan, nuclei, ksubdomain, subfinder, etc., fully automated and intelligent team tools? Code-level optimization, parameter optimization, and individual modules, such as vscan filefuzz, have been rewritten for these integrated projects.
In principle, do not repeat the wheel unless there are bugs or problems
Cross-Platform: based on golang implementation, lightweight, highly customizable, open source, supports Linux, windows, mac os, etc.
Support [23] password blasting, support custom dictionary, open by “priorityNmap”: true
RDP
VNC
SSH
Socks5
rsh-spx
Mysql
MsSql
Oracle
Postgresql
Redis
FTP
Mongodb
SMB also detect MS17-010 (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148), and SmbGhost (CVE-2020-0796)
Telnet
Snmp
Wap-wsp (Elasticsearch)
RouterOs
HTTP BasicAuth (authorization) contains the WebdavSVN (Apache Subversion) crack
Weblogic, enable nuclei through enableNuclei=true at the same time, support T3, IIOP and other detection
Tomcat
Jboss
Winrm(wsman)
POP3/POP3S
By default, http password intelligent blasting is enabled, and it will be automatically activated when an HTTP password is required, without manual intervention
Detect whether there is nmap in the system and enable nmap for fast scanning through priorityNmap=true, which is enabled by default, and the optimized nmap parameters are faster than masscan.
Disadvantages of using nmap: Is the network bad because the traffic network packet is too large, which may lead to incomplete results? Using nmap additionally requires setting the root password to an environment variable
export PPSSWWDD=yourRootPswd
More references: config/doNmapScan.sh By default, naabu is used to complete port scanning. Use -stats=true to view the scanning progress Can I not scan Ports?
With fast 15000+ POC detection capabilities, PoCs include:
nuclei POC
Nuclei Templates: Top 10 Statistics
TAG
COUNT
AUTHOR
COUNT
DIRECTORY
COUNT
SEVERITY
COUNT
TYPE
COUNT
cve
1430
daffainfo
631
cves
1407
info
1474
http
3858
panel
655
dhiyaneshdk
584
exposed-panels
662
high
1009
file
76
edb
563
pikpikcu
329
vulnerabilities
509
medium
818
network
51
lfi
509
pdteam
269
technologies
282
critical
478
dns
17
xss
491
geeknik
187
exposures
275
low
225
wordpress
419
dwisiswant0
169
misconfiguration
237
unknown
11
exposure
407
0x_akoko
165
token-spray
230
cve2021
352
princechaddha
151
workflows
189
rce
337
ritikchaddha
137
default-logins
103
wp-plugin
316
pussycat0x
133
file
76
281 Directories, 3922 Files
vscan POC
vscan POC includes: xray 2.0 300+ POC, go POC, etc.
scan4all POC
Support 7000+ web fingerprint scanning and identification:
httpx fingerprint
vscan fingerprint
Vscan Fingerprint: including EHoleFinger, LocalFinger, etc.
scan4all fingerprint
Support 146 protocols and 90000+ rule port scanning
Depends on protocols and fingerprints supported by nmap
Fast HTTP-sensitive file detection, customizable dictionary
Landing page detection
Supports multiple types of input: STDIN, HOST, IP, CIDR, URL, and TXT
Supports multiple output types: JSON, TXT, CSV, and STDOUT
Highly Integratable: Configurable unified storage of results in Elasticsearch [strongly recommended]
Smart SSL Analysis:
In-depth analysis will automatically correlate the scanning of domain names in SSL information, such as *.xxx.com, and complete subdomain traversal according to the configuration, and the result will automatically add the target to the scanning list
Support the *.xx.com subdomain traversal function in smart SSL information, export EnableSubfinder=true, or adjust in the configuration file
Automatically identify the case of multiple IPs associated with a domain (DNS) and automatically scan the associated multiple IPs
Smart Processing:
When the IPs of multiple domain names in the list are the same, merge port scans to improve efficiency
Automated supply chain identification, analysis and scanning
Intelligently identify honeypots and skip Targets. By default, this feature is off. You can set EnableHoneyportDetection=true to enable
Highly Customizable: allow to define your own dictionary through config/config.json configuration, or control more details, including but not limited to: nuclei, httpx, naabu, etc.
Support HTTP Request Smuggling: CL-TETE-CLTE-TE、CL_CL、BaseErr
Support via parameter Cookie=’PHPSession=xxxx./scan4all -host xxxx.com, compatible with nuclei, httpx, go-poc, x-ray POC, filefuzz, http Smuggling
go install github.com/hktalent/scan4all@2.6.9
scan4all -h
How To Use
Start Elasticsearch; of course, you can use the traditional way to output results
mkdir -p logs data
docker run --restart=always --ulimit nofile=65536:65536 -p 9200:9200 -p 9300:9300 -d --name es -v $PWD/logs:/usr/share/elasticsearch/logs -v $PWD /config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v $PWD/config/jvm.options:/usr/share/elasticsearch/config/jvm.options -v $PWD/data:/ usr/share/elasticsearch/data hktalent/elasticsearch:7.16.2
# Initialize the es index, the result structure of each tool is different, and it is stored separately
./config/initEs.sh
# Search syntax, more query methods, learn Elasticsearch by yourself
http://127.0.0.1:9200/nmap_index/_doc/_search?q=_id:192.168.0.111
where 92.168.0.111 is the target to query
Please install nmap by yourself before use Using Help
go build
# Precise scan szUrl list UrlPrecise=true
UrlPrecise=true ./scan4all -l xx.txt
# Disable adaptation to nmap and use naabu port to scan its internally defined http-related Ports
priorityNmap=false ./scan4all -tp http -list allOut.txt -v
Work Plan
Integrate web-cache-vulnerability-scanner to realize HTTP smuggling smuggling and cache poisoning detection
Linkage with metasploit-framework, on the premise that the system has been installed, cooperate with tmux, and complete the linkage with the macos environment as the best practice
Integrate more fuzzers , such as linking sqlmap
Integrate chromedp to achieve screenshots of landing pages, detection of front-end landing pages with pure js and js architecture, and corresponding crawlers (sensitive information detection, page crawling)
Integrate nmap-go to improve execution efficiency, dynamically parse the result stream, and integrate it into the current task waterfall
Integrate ksubdomain to achieve faster subdomain blasting
Integrate spiders to find more bugs
Semi-automatic fingerprint learning to improve accuracy; specify fingerprint name, configure
Star
Varshini
Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.