VXScan : Python3 Comprehensive Scanning Tool

VXScan is a Python3 comprehensive scanning tool, mainly used for sensitive file detection (directory scanning and js leak interface), WAF/CDN identification, port scanning, fingerprint/service identification, operating system identification, weak password detection, POC scanning, SQL injection, winding Pass CDN, check the next station.

Version 1.0 Update

  • 2019.6.18
  • Fixed the problem of fingerprint recognition iis website error, modified apps.json
  • Removed some third-party libraries and scripts that are prone to errors
  • Scanning is completed if it flashes, it is because the program first detects dns parsing and ping operation.
  • The first time you use Vxscan, fake_useragent will load the ua list of, and a load timeout error may occur.

Also Read – WhatBreach : OSINT Tool To Find Breached Emails & Databases



  • Generate a dictionary list using Cartesian product method, support custom dictionary list
  • Random UserAgent, XFF, X-Real-IP
  • Customize 404 page recognition, access random pages and then compare the similarities through difflib to identify custom 302 jumps
  • When scanning the directory, first detect the http port and add multiple http ports of one host to the scan target.
  • Filter invalid Content-Type, invalid status?
  • WAF/CDN detection
  • Use the socket to send packets to detect common ports and send different payload detection port service fingerprints.
  • Hosts that encounter full port open (portspoof) automatically skip
  • Call wappalyzer.json and WebEye to determine the website fingerprint
  • It is detected that the CDN or WAF website automatically skips
  • Call nmap to identify the operating system fingerprint
  • Call weak password detection script based on port open (FTP/SSH/TELNET/Mysql/MSSQL…)
  • Call POC scan based on fingerprint identification or port, or click on the open WEB port of IP
  • Analyze sensitive asset information (domain name, mailbox, apikey, password, etc.) in the js file
  • Grab website connections, test SQL injection, LFI, etc.
  • Call some online interfaces to obtain information such as VT, and other websites, determine the real IP through VT pdns, and query the website by and


python3 -h

optional arguments:
-h, –help show this help message and exit
-u URL, –url URL Start scanning this url -u
-i INET, –inet INET cidr eg. or
-f FILE, –file FILE read the url from the file
-t THREADS, –threads THREADS
Set scan thread, default 150
-e EXT, –ext EXT Set scan suffix, -e php,asp
-w WORD, –word WORD Read the dict from the file

  • Scan a website

python3 -u

  • Scan a website from a file list

python3 -f hosts.txt

  • cidr eg. or

python3 -i

  • Set thread 100, combine only php suffix, use custom dictionary

python3 -u -e php -t 100 -w ../dict.txt


Waf/CDN list

  • 360
  • 360wzws
  • Anquanbao
  • Armor
  • BaiduYunjiasu
  • AdNovum
  • Airee CDN
  • Art of Defence HyperGuard
  • ArvanCloud
  • Barracuda NG
  • Beluga CDN
  • BinarySEC
  • BlockDoS
  • Bluedon IST
  • CacheFly CDN
  • ChinaCache CDN
  • Cisco ACE XML Gateway
  • CloudFlare CDN
  • Cloudfront CDN
  • Comodo
  • CompState
  • DenyALL WAF
  • DenyAll
  • Distil Firewall
  • DoSArrest Internet Security
  • F5-TrafficShield
  • Fastly CDN
  • FortiWeb
  • FortiWeb Firewall
  • GoDaddy
  • GreyWizard Firewall
  • HuaweiCloudWAF
  • HyperGuard Firewall
  • IBM DataPower
  • ISAServer
  • Immunify360
  • Imperva SecureSphere
  • Incapsula CDN
  • Jiasule
  • KONA
  • KeyCDN
  • ModSecurity
  • Naxsi
  • NetContinuum
  • NetContinuum WAF
  • Neusoft SEnginx
  • Newdefend
  • Palo Alto Firewall
  • PerimeterX Firewall
  • PowerCDN
  • Profense
  • Qiniu CDN
  • Reblaze Firewall
  • Safe3
  • Safedog
  • SiteLock TrueShield
  • SonicWALL
  • SonicWall
  • Sophos UTM Firewall
  • Stingray
  • Sucuri
  • Teros WAF
  • Usp-Sec
  • Varnish
  • Wallarm
  • WatchGuard
  • WebKnight
  • West263CDN
  • Yundun
  • Yunsuo
  • ZenEdge Firewall
  • aesecure
  • aliyun
  • azion CDN
  • cloudflare CDN
  • dotDefender
  • limelight CDN
  • maxcdn CDN
  • mod_security
  • yunsuo


The following is the AWVS scanner test website results