Cyber security

Scan4All: A Next-Gen Automated Vulnerability Detection Security Tool

Scan4All is at the vanguard of modern cybersecurity solutions, offering a comprehensive suite of tools for automated vulnerability detection and threat analysis.

Built on a robust Golang framework, this cross-platform toolkit seamlessly integrates with various systems, elevating the standard for next-generation security measures.

Features

  • What Is Scan4all: integrated vscan, nuclei, ksubdomain, subfinder, etc., fully automated and intelligent team tools? Code-level optimization, parameter optimization, and individual modules, such as vscan filefuzz, have been rewritten for these integrated projects.
    • In principle, do not repeat the wheel unless there are bugs or problems
  • Cross-Platform: based on golang implementation, lightweight, highly customizable, open source, supports Linux, windows, mac os, etc.
  • Support [23] password blasting, support custom dictionary, open by “priorityNmap”: true
  • RDP
  • VNC
  • SSH
  • Socks5
  • rsh-spx
  • Mysql
  • MsSql
  • Oracle
  • Postgresql
  • Redis
  • FTP
  • Mongodb
  • SMB also detect MS17-010 (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148), and SmbGhost (CVE-2020-0796)
  • Telnet
  • Snmp
  • Wap-wsp (Elasticsearch)
  • RouterOs
  • HTTP BasicAuth (authorization) contains the WebdavSVN (Apache Subversion) crack
  • Weblogic, enable nuclei through enableNuclei=true at the same time, support T3, IIOP and other detection
  • Tomcat
  • Jboss
  • Winrm(wsman)
  • POP3/POP3S
  • By default, http password intelligent blasting is enabled, and it will be automatically activated when an HTTP password is required, without manual intervention
  • Detect whether there is nmap in the system and enable nmap for fast scanning through priorityNmap=true, which is enabled by default, and the optimized nmap parameters are faster than masscan.
  • Disadvantages of using nmap: Is the network bad because the traffic network packet is too large, which may lead to incomplete results? Using nmap additionally requires setting the root password to an environment variable
  export PPSSWWDD=yourRootPswd 

More references: config/doNmapScan.sh By default, naabu is used to complete port scanning. Use -stats=true to view the scanning progress Can I not scan Ports?

noScan=true ./scan4all -l list.txt -v
# nmap result default noScan=true 
./scan4all -l nmapRssuilt.xml -v
  • With fast 15000+ POC detection capabilities, PoCs include:
    • nuclei POC

Nuclei Templates: Top 10 Statistics

TAGCOUNTAUTHORCOUNTDIRECTORYCOUNTSEVERITYCOUNTTYPECOUNT
cve1430daffainfo631cves1407info1474http3858
panel655dhiyaneshdk584exposed-panels662high1009file76
edb563pikpikcu329vulnerabilities509medium818network51
lfi509pdteam269technologies282critical478dns17
xss491geeknik187exposures275low225
wordpress419dwisiswant0169misconfiguration237unknown11
exposure4070x_akoko165token-spray230
cve2021352princechaddha151workflows189
rce337ritikchaddha137default-logins103
wp-plugin316pussycat0x133file76

281 Directories, 3922 Files

  • vscan POC
    • vscan POC includes: xray 2.0 300+ POC, go POC, etc.
  • scan4all POC
  • Support 7000+ web fingerprint scanning and identification:
    • httpx fingerprint
      • vscan fingerprint
      • Vscan Fingerprint: including EHoleFinger, LocalFinger, etc.
    • scan4all fingerprint
  • Support 146 protocols and 90000+ rule port scanning
    • Depends on protocols and fingerprints supported by nmap
  • Fast HTTP-sensitive file detection, customizable dictionary
  • Landing page detection
  • Supports multiple types of input: STDIN, HOST, IP, CIDR, URL, and TXT
  • Supports multiple output types: JSON, TXT, CSV, and STDOUT
  • Highly Integratable: Configurable unified storage of results in Elasticsearch [strongly recommended]
  • Smart SSL Analysis:
    • In-depth analysis will automatically correlate the scanning of domain names in SSL information, such as *.xxx.com, and complete subdomain traversal according to the configuration, and the result will automatically add the target to the scanning list
    • Support the *.xx.com subdomain traversal function in smart SSL information, export EnableSubfinder=true, or adjust in the configuration file
  • Automatically identify the case of multiple IPs associated with a domain (DNS) and automatically scan the associated multiple IPs
  • Smart Processing:
    1. When the IPs of multiple domain names in the list are the same, merge port scans to improve efficiency
  • Automated supply chain identification, analysis and scanning
  • Link python3 log4j-scan
    • This version blocks the bug in which your target information is passed to the DNS Log Server to avoid exposing vulnerabilities
    • Added the ability to send results to Elasticsearch for batch, touch typing
    • There will be time in the future to implement the Golang version.
mkdir ~/MyWork/;cd ~/MyWork/;git clone https://github.com/hktalent/log4j-scan
  • Intelligently identify honeypots and skip Targets. By default, this feature is off. You can set EnableHoneyportDetection=true to enable
  • Highly Customizable: allow to define your own dictionary through config/config.json configuration, or control more details, including but not limited to: nuclei, httpx, naabu, etc.
  • Support HTTP Request Smuggling: CL-TETE-CLTE-TE、CL_CL、BaseErr


  • Support via parameter Cookie=’PHPSession=xxxx./scan4all -host xxxx.com, compatible with nuclei, httpx, go-poc, x-ray POC, filefuzz, http Smuggling

Work Process

How To Install

download from Releases

go install github.com/hktalent/scan4all@2.6.9
scan4all -h

How To Use

  1. Start Elasticsearch; of course, you can use the traditional way to output results
mkdir -p logs data
docker run --restart=always --ulimit nofile=65536:65536 -p 9200:9200 -p 9300:9300 -d --name es -v $PWD/logs:/usr/share/elasticsearch/logs -v $PWD /config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v $PWD/config/jvm.options:/usr/share/elasticsearch/config/jvm.options -v $PWD/data:/ usr/share/elasticsearch/data hktalent/elasticsearch:7.16.2
# Initialize the es index, the result structure of each tool is different, and it is stored separately
./config/initEs.sh

# Search syntax, more query methods, learn Elasticsearch by yourself
http://127.0.0.1:9200/nmap_index/_doc/_search?q=_id:192.168.0.111
where 92.168.0.111 is the target to query

Please install nmap by yourself before use Using Help

go build
# Precise scan szUrl list UrlPrecise=true
UrlPrecise=true ./scan4all -l xx.txt
# Disable adaptation to nmap and use naabu port to scan its internally defined http-related Ports
priorityNmap=false ./scan4all -tp http -list allOut.txt -v

Work Plan

  • Integrate web-cache-vulnerability-scanner to realize HTTP smuggling smuggling and cache poisoning detection
  • Linkage with metasploit-framework, on the premise that the system has been installed, cooperate with tmux, and complete the linkage with the macos environment as the best practice
  • Integrate more fuzzers , such as linking sqlmap
  • Integrate chromedp to achieve screenshots of landing pages, detection of front-end landing pages with pure js and js architecture, and corresponding crawlers (sensitive information detection, page crawling)
  • Integrate nmap-go to improve execution efficiency, dynamically parse the result stream, and integrate it into the current task waterfall
  • Integrate ksubdomain to achieve faster subdomain blasting
  • Integrate spiders to find more bugs
  • Semi-automatic fingerprint learning to improve accuracy; specify fingerprint name, configure

Star

Varshini

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

21 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

22 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

3 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago