{"id":15037395,"url":"https://github.com/ghosttroops/scan4all","last_synced_at":"2025-05-14T14:09:38.808Z","repository":{"id":36980555,"uuid":"505278571","full_name":"GhostTroops/scan4all","owner":"GhostTroops","description":"Official repository  vuls Scan: 15000+PoCs; 23 kinds of application password crack; 7000+Web fingerprints; 146 protocols and 90000+ rules Port scanning; Fuzz, HW, awesome BugBounty( ͡° ͜ʖ ͡°)...","archived":false,"fork":false,"pushed_at":"2024-07-12T13:23:48.000Z","size":86677,"stargazers_count":5503,"open_issues_count":14,"forks_count":660,"subscribers_count":65,"default_branch":"main","last_synced_at":"2024-10-29T15:39:49.941Z","etag":null,"topics":["0day","attack","auto","brute-force","bugbounty","bugbounty-tools","golang","hacker","hacktools","nmap","nuclei","pentest-tool","recon","security-scanner","security-tools","ssh","tools","vulnerabilities-scan","vulnerability-detection","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"https://scan4all.51pwn.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GhostTroops.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-20T03:11:08.000Z","updated_at":"2024-10-28T18:14:27.000Z","dependencies_parsed_at":"2024-01-13T16:22:19.807Z","dependency_job_id":"b0f4aa14-b8b7-4b84-9030-aec6966f55a7","html_url":"https://github.com/GhostTroops/scan4all","commit_stats":null,"previous_names":["ghosttroops/scan4all","hktalent/scan4all"],"tags_count":48,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/repositories/GhostTroops%2Fscan4all","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostTroops%2Fscan4all/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostTroops%2Fscan4all/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostTroops%2Fscan4all/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GhostTroops","download_url":"https://codeload.github.com/GhostTroops/scan4all/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254160557,"owners_count":22024571,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["0day","attack","auto","brute-force","bugbounty","bugbounty-tools","golang","hacker","hacktools","nmap","nuclei","pentest-tool","recon","security-scanner","security-tools","ssh","tools","vulnerabilities-scan","vulnerability-detection","vulnerability-scanners"],"created_at":"2024-09-24T20:34:31.706Z","updated_at":"2025-05-14T14:09:33.800Z","avatar_url":"https://github.com/GhostTroops.png","language":"Go","funding_links":["https://www.paypal.me/pwned2019"],"categories":[],"sub_categories":[],"readme":"[![Twitter](https://img.shields.io/twitter/url/http/Hktalent3135773.svg?style=social)](https://twitter.com/intent/follow?screen_name=Hktalent3135773) [![Follow on Twitter](https://img.shields.io/twitter/follow/Hktalent3135773.svg?style=social\u0026label=Follow)](https://twitter.com/intent/follow?screen_name=Hktalent3135773) [![GitHub 
Followers](https://img.shields.io/github/followers/hktalent.svg?style=social\u0026label=Follow)](https://github.com/hktalent/) \u003ca target=_blank href=\"https://chat.51pwn.com:2083/?cnId=51pwn\u0026atRd=true\u0026stChat=1\"\u003e💬\u003c/a\u003e\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"/README_CN.md\"\u003eREADME_中文\u003c/a\u003e •\n   \u003ca href=\"/static/Installation.md\"\u003eCompile/Install/Run\u003c/a\u003e •\n   \u003ca href=\"/static/usage.md\"\u003eParameter Description\u003c/a\u003e •\n   \u003ca href=\"/static/running.md\"\u003eHow to use\u003c/a\u003e •\n   \u003ca href=\"/static/scenario.md\"\u003eScenario\u003c/a\u003e •\n   \u003ca href=\"/static/pocs.md\"\u003ePOC List\u003c/a\u003e •\n   \u003ca href=\"/static/development.md\"\u003eCustom Scan\u003c/a\u003e •\n   \u003ca href=\"/static/NicePwn.md\"\u003eBest Practices\u003c/a\u003e\n\u003c/p\u003e\n\n# Features\n\n\u003ch1 align=\"center\"\u003e\n\u003cimg width=\"928\" alt=\"image\" src=\"https://user-images.githubusercontent.com/18223385/175768227-098c779b-6c5f-48ee-91b1-c56e3daa9c87.png\"\u003e\n\u003c/h1\u003e\n\n- \u003ca href=https://github.com/hktalent/51Pwn-Platform/blob/main/README.md\u003eFree one id Multi-target web netcat for reverse shell\u003c/a\u003e\n- What is scan4all: integrated vscan, nuclei, ksubdomain, subfinder, etc., fully automated and intelligent。red team tools\n  Code-level optimization, parameter optimization, and individual modules, such as vscan filefuzz, have been rewritten for these integrated projects.\n  In principle, do not repeat the wheel, unless there are bugs, problems\n- Cross-platform: based on golang implementation, lightweight, highly customizable, open source, supports Linux, windows, mac os, etc.\n- Support [23] password blasting, support custom dictionary, open by \"priorityNmap\": true\n  * RDP\n  * VNC\n  * SSH\n  * Socks5\n  * rsh-spx\n  * Mysql\n  * MsSql\n  * Oracle\n  * Postgresql\n  * Redis\n  * FTP\n  * Mongodb\n  * SMB, also detect 
MS17-010 (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148), SmbGhost (CVE-2020-0796)\n  * Telnet\n  * Snmp\n  * Wap-wsp (Elasticsearch)\n  * RouterOs\n  * HTTP BasicAuth(Authorization), contains Webdav、SVN（Apache Subversion） crack\n  * Weblogic, enable nuclei through enableNuclei=true at the same time, support T3, IIOP and other detection\n  * Tomcat\n  * Jboss\n  * Winrm(wsman)\n  * POP3/POP3S\n- By default, http password intelligent blasting is enabled, and it will be automatically activated when an HTTP password is required, without manual intervention\n- Detect whether there is nmap in the system, and enable nmap for fast scanning through priorityNmap=true, which is enabled by default, and the optimized nmap parameters are faster than masscan\n  Disadvantage of using nmap: on a poor network, the large volume of packets may lead to incomplete results\n  Using nmap additionally requires setting the root password in an environment variable\n\n```bash  \n  export PPSSWWDD=yourRootPswd \n```\n\n  More references: config/doNmapScan.sh\n  By default, naabu is used for port scanning; use -stats=true to view the scanning progress\n  To skip port scanning:\n```bash\nnoScan=true ./scan4all -l list.txt -v\n# When the input is an nmap result file, noScan=true is the default\n./scan4all -l nmapRssuilt.xml -v\n```\n\n\u003cimg src=\"/static/nmap.gif\" width=\"400\"\u003e\n\n- Fast 15000+ POC detection capabilities, PoCs include: \n  * nuclei POC\n  ## Nuclei Templates Top 10 statistics\n\n|    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |\n|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|\n| cve       |  1430 | daffainfo     |   631 | cves             |  1407 | info     |  1474 | http    |  3858 |\n| panel     |   655 | dhiyaneshdk   |   584 | exposed-panels   |   662 | high     |  1009 | file    |    76 |\n| edb       
|   563 | pikpikcu      |   329 | vulnerabilities  |   509 | medium   |   818 | network |    51 |\n| lfi       |   509 | pdteam        |   269 | technologies     |   282 | critical |   478 | dns     |    17 |\n| xss       |   491 | geeknik       |   187 | exposures        |   275 | low      |   225 |         |       |\n| wordpress |   419 | dwisiswant0   |   169 | misconfiguration |   237 | unknown  |    11 |         |       |\n| exposure  |   407 | 0x_akoko      |   165 | token-spray      |   230 |          |       |         |       |\n| cve2021   |   352 | princechaddha |   151 | workflows        |   189 |          |       |         |       |\n| rce       |   337 | ritikchaddha  |   137 | default-logins   |   103 |          |       |         |       |\n| wp-plugin |   316 | pussycat0x    |   133 | file             |    76 |          |       |         |       |\n\n**281 directories, 3922 files**.\n* vscan POC\n  * vscan POC includes: xray 2.0 300+ POC, go POC, etc.\n* scan4all POC\n\n- Support 7000+ web fingerprint scanning, identification:\n  * httpx fingerprint\n    * vscan fingerprint\n    * vscan fingerprint: including eHoleFinger, localFinger, etc.\n  * scan4all fingerprint\n\n- Support 146 protocols and 90000+ rule port scanning\n  * Depends on protocols and fingerprints supported by nmap\n- Fast HTTP sensitive file detection, can customize dictionary\n- Landing page detection\n- Supports multiple types of input - STDIN/HOST/IP/CIDR/URL/TXT\n- Supports multiple output types - JSON/TXT/CSV/STDOUT\n- Highly integratable: Configurable unified storage of results to Elasticsearch [strongly recommended]\n- Smart SSL Analysis:\n  * In-depth analysis, automatically correlate the scanning of domain names in SSL information, such as *.xxx.com, and complete subdomain traversal according to the configuration, and the result will automatically add the target to the scanning list\n  * Support to enable *.xx.com subdomain traversal function in smart SSL information, export 
EnableSubfinder=true, or adjust in the configuration file\n- Automatically identify the case of multiple IPs associated with a domain (DNS), and automatically scan the associated multiple IPs\n- Smart processing:\n  * 1. When the IPs of multiple domain names in the list are the same, merge port scans to improve efficiency\n  * 2. Intelligently handle http abnormal pages, and fingerprint calculation and learning\n- Automated supply chain identification, analysis and scanning\n- Link python3 \u003ca href=https://github.com/hktalent/log4j-scan\u003elog4j-scan\u003c/a\u003e\n  * This version blocks the bug that your target information is passed to the DNS Log Server to avoid exposing vulnerabilities\n  * Added the ability to send results to Elasticsearch for batch, touch typing\n  * There will be time in the future to implement the golang version\n    how to use?\n```bash\nmkdir ~/MyWork/;cd ~/MyWork/;git clone https://github.com/hktalent/log4j-scan\n````\n- Intelligently identify honeypots and skip Targets. This function is disabled by default. You can set EnableHoneyportDetection=true to enable\n- Highly customizable: allow to define your own dictionary through config/config.json configuration, or control more details, including but not limited to: nuclei, httpx, naabu, etc.\n- support HTTP Request Smuggling: CL-TE、TE-CL、TE-TE、CL_CL、BaseErr\n  \u003cimg width=\"968\" alt=\"image\" src=\"https://user-images.githubusercontent.com/18223385/182503765-1307a634-61b2-4f7e-9631-a4184ec7ac25.png\"\u003e\n\n- Support via parameter Cookie='PHPSession=xxxx' ./scan4all -host xxxx.com, compatible with nuclei, httpx, go-poc, x-ray POC, filefuzz, http Smuggling\n# work process\n\n\u003cimg src=\"static/workflow.jpg\"\u003e\n\n# how to install\ndownload from\n\u003ca href=https://github.com/GhostTroops/scan4all/releases\u003eReleases\u003c/a\u003e\n```bash\ngo install github.com/GhostTroops/scan4all@2.8.9\nscan4all -h\n````\n# how to use\n- 1. 
Start Elasticsearch; you can also output results the traditional way\n```bash\nmkdir -p logs data\ndocker run --restart=always --ulimit nofile=65536:65536 -p 9200:9200 -p 9300:9300 -d --name es -v $PWD/logs:/usr/share/elasticsearch/logs -v $PWD/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v $PWD/config/jvm.options:/usr/share/elasticsearch/config/jvm.options -v $PWD/data:/usr/share/elasticsearch/data hktalent/elasticsearch:7.16.2\n# Initialize the es index, the result structure of each tool is different, and it is stored separately\n./config/initEs.sh\n\n# Search syntax, more query methods, learn Elasticsearch by yourself\n# http://127.0.0.1:9200/nmap_index/_doc/_search?q=_id:192.168.0.111\n# where 192.168.0.111 is the target to query\n\n````\n- Please install nmap by yourself before use\n  \u003ca href=https://github.com/GhostTroops/scan4all/discussions\u003eUsing Help\u003c/a\u003e\n```bash\ngo build\n# Precise scan szUrl list UrlPrecise=true\nUrlPrecise=true ./scan4all -l xx.txt\n# Disable adaptation to nmap and use naabu port to scan its internally defined http-related Ports\npriorityNmap=false ./scan4all -tp http -list allOut.txt -v\n````\n\n# Work Plan\n- Integrate web-cache-vulnerability-scanner to realize HTTP request smuggling and cache poisoning detection\n- Linkage with metasploit-framework, on the premise that the system has been installed, cooperate with tmux, and complete the linkage with the macos environment as the best practice\n- Integrate more fuzzers \u003c!-- gryffin --\u003e, such as linking sqlmap\n- Integrate chromedp to achieve screenshots of landing pages, detection of front-end landing pages with pure js and js architecture, and corresponding crawlers (sensitive information detection, page crawling)\n- Integrate nmap-go to improve execution efficiency, dynamically parse the result stream, and integrate it into the current task waterfall\n- Integrate ksubdomain to achieve faster subdomain 
blasting\n- Integrate spider to find more bugs\n- Semi-automatic fingerprint learning to improve accuracy; specify fingerprint name, configure\n\n# Q \u0026 A\n- how use Cookie?\n- libpcap related question\n\nmore see: \u003ca href=https://github.com/GhostTroops/scan4all/discussions\u003ediscussions\u003c/a\u003e\n\n# References \n- https://www.77169.net/html/312916.html\n- https://zhuanlan.zhihu.com/p/636131542\n- https://github.com/GhostTroops/scan4all/blob/main/static/Installation.md\n- https://github.com/GhostTroops/scan4all/blob/main/static/NicePwn.md\n- https://github.com/GhostTroops/scan4all/blob/main/static/running.md\n- https://www.google.com/search?client=safari\u0026rls=en\u0026q=%22hktalent%22+%22scan4all%22\u0026ie=UTF-8\u0026oe=UTF-8#ip=1\n\n# Thanks Donors\n- \u003ca href=https://github.com/freeload101 target=_blank\u003e@freeload101\u003c/a\u003e\n- \u003ca href=https://github.com/b1win0y target=_blank\u003e@b1win0y\u003c/a\u003e\n- \u003ca href=https://github.com/BL4CKR4Y target=_blank\u003e@BL4CKR4Y\u003c/a\u003e\n\n# Contributors\nhttps://github.com/GhostTroops/scan4all/graphs/contributors\n\n# Changelog\n- 2023-10-01 Optimize support for nuclei@latest\n- 2022-07-28 Added substr and aes_cbc dsl helper by me nuclei v2.7.7\n- 2022-07-20 fix and PR nuclei #2301 Concurrent multi-instance bug\n- 2022-07-20 add web cache vulnerability scanner\n- 2022-07-19 PR nuclei #2308 add dsl function: substr aes_cbc\n- 2022-07-19 Add dcom Protocol enumeration network interfaces\n- 2022-06-30 Embedded integrated private version nuclei-templates A total of 3744 YAML POC; 1. Integrate Elasticsearch to store intermediate results 2. 
Embed the entire config directory into the program\n- 2022-06-27 Optimize fuzzy matching to improve accuracy and robustness; integrate ksubdomain progress\n- 2022-06-24 Optimize fingerprint algorithm; add workflow chart\n- 2022-06-23 Added parameter ParseSSl to control the default of not deeply analyzing DNS information in SSL and not scanning DNS in SSL by default; Optimization: nmap does not automatically add .exe bug; Optimize the bug of cache files under Windows not optimizing the size\n- 2022-06-22 Integrated weak password detection and password blasting for 11 protocols: ftp, mongodb, mssql, mysql, oracle, postgresql, rdp, redis, smb, ssh, telnet, and optimized support for plug-in password dictionary\n- 2022-06-20 Integrate Subfinder, domain name blasting, startup parameter export EnableSubfinder=true, note that it is very slow after startup; automatic deep drilling of domain name information in the ssl certificate allows you to define your own dictionary through config/config.json configuration, or set related switch\n- 2022-06-17 Optimize the situation where one domain name has multiple IPs. 
All IPs will be port scanned, and then follow the subsequent scanning process.\n- 2022-06-15 This version adds several weblogic password dictionaries and webshell dictionaries obtained in past actual combat\n- 2022-06-10 Complete the integration of the core, including of course the integration of the core template\n- 2022-06-07 Add similarity algorithm to detect 404\n- 2022-06-07 Added http url list precision scanning parameters, turned on according to the environment variable UrlPrecise=true\n\n# Communication group (WeChat, QQ，Tg)\n| Wechat | Or | QQchat | Or | Tg |\n| --- |--- |--- |--- |--- |\n|\u003cimg width=166 src=https://github.com/hktalent/scan4all/blob/main/static/wcq.JPG\u003e||\u003cimg width=166 src=https://github.com/hktalent/scan4all/blob/main/static/qqc.jpg\u003e||\u003cimg width=166 src=https://github.com/hktalent/scan4all/blob/main/static/tg.jpg\u003e|\n\n\n## 💖Star\n[![Stargazers over time](https://starchart.cc/hktalent/scan4all.svg)](https://starchart.cc/hktalent/scan4all)\n\n# Donation\n| Wechat Pay | AliPay | Paypal | BTC Pay |BCH Pay |\n| --- | --- | --- | --- | --- |\n|\u003cimg src=https://raw.githubusercontent.com/hktalent/myhktools/main/md/wc.png\u003e|\u003cimg width=166 src=https://raw.githubusercontent.com/hktalent/myhktools/main/md/zfb.png\u003e|[paypal](https://www.paypal.me/pwned2019) **miracletalent@gmail.com**|\u003cimg width=166 src=https://raw.githubusercontent.com/hktalent/myhktools/main/md/BTC.png\u003e|\u003cimg width=166 src=https://raw.githubusercontent.com/hktalent/myhktools/main/md/BCH.jpg\u003e|\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghosttroops%2Fscan4all","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fghosttroops%2Fscan4all","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghosttroops%2Fscan4all/lists"}