{"id":15036658,"url":"https://github.com/p1-team/allin","last_synced_at":"2025-05-14T19:10:09.704Z","repository":{"id":37302911,"uuid":"347676434","full_name":"P1-Team/AlliN","owner":"P1-Team","description":"A flexible scanner","archived":false,"fork":false,"pushed_at":"2025-03-14T18:00:49.000Z","size":2823,"stargazers_count":1247,"open_issues_count":1,"forks_count":157,"subscribers_count":21,"default_branch":"main","last_synced_at":"2025-05-14T19:10:06.902Z","etag":null,"topics":["python","python3","scan","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/P1-Team.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-14T15:36:47.000Z","updated_at":"2025-04-26T09:50:38.000Z","dependencies_parsed_at":"2023-01-30T05:55:12.341Z","dependency_job_id":"cf5964f7-f7a4-4193-8dc7-6abcd24d8410","html_url":"https://github.com/P1-Team/AlliN","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/P1-Team%2FAlliN","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/P1-Team%2FAlliN/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/P1-Team%2FAlliN/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/P1-Team%2FAlliN/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/P1-Team","download_url":"https://codeload.github.com/P1-Team/AlliN/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254209859,"owners_count":22032897,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["python","python3","scan","security-tools"],"created_at":"2024-09-24T20:31:49.946Z","updated_at":"2025-05-14T19:10:08.478Z","avatar_url":"https://github.com/P1-Team.png","language":"Python","readme":"# ALLiN\n\nEnglish | [简体中文](README_zh.md)\n\n[![asciicast](https://asciinema.org/a/8P9RwnYreRrLFlnS1fHok4Soo.svg)](https://asciinema.org/a/8P9RwnYreRrLFlnS1fHok4Soo)\n\nA comprehensive tool that assists penetration testing projects. It is a flexible, compact and efficient scan tool mainly used for lateral penetration of the intranet. The format of targets can be written by most of the various forms of link or CIDR and add any ports and paths to it.\n\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eCore developers\u003c/b\u003e\u003c/summary\u003e\n\u003cli\u003e @Like0x \u003c/li\u003e\n\u003cli\u003e @Christasa \u003c/li\u003e\n\u003cli\u003e @CoColi \u003c/li\u003e\n\u003cli\u003e @MiluOWO \u003c/li\u003e\n\u003c/details\u003e\n\n**Penetration test only**\n\n## Features\n\n- python2.7 - python3.x support without and depend\n- Passively identify some frameworks, components of the site and over 1000 data of fingerprints\n- Passively identify whether the site is on the cloud\n- Almost support for import with the arbitrary format\n\n\n## Some tricks\n\n- Using across platforms after compiling by pyinstaller\n  - Compiling with low-level GLIBC in Linux to be compatible with more kernel versions\n  - Compiling with python2 on windows to reduce the error of lacking DLL\n- Use it in VPS for resolving network problems\n- Eliminate the account information when scanning on the intranet\n\n\n\nControl the file through `--project`\n\n- res_alivedomain.txt will save all the report automatically\n- folder tree\n  - result.txt\n  - focuson.txt\n\n\nUse the following script to scan if you have many tasks\n\ntarget.txt\n\n```\n\u003cname of a company\u003e xxx.com\n\u003cname of another company\u003e xxx.io\n```\n\n```bash\n\n#!/bin/bash\n\nwhile read line\ndo\n    project=`echo $line | awk -F \" \" '{print $1}'`\n    host=`echo $line | awk -F \" \" '{print $2}'`\n    echo $host,$project\n    python AlliN.py --host $host -q \"(domain=\\\"$host\\\" || cert=\\\"$host\\\"  || title=\\\"$project\\\") \u0026\u0026  country=\\\"CN\\\" \u0026\u0026 region!=\\\"HK\\\" \u0026\u0026 region!=\\\"TW\\\" \u0026\u0026 region!=\\\"MO\\\"\" -m sfscan --timeout 6 --project $project -t 100\ndone \u003c target.txt\n```\n\n\n\n## Parameters\n\n### --host\n\nDesignate the domains or hosts\n\nSamples:\n\n```\n--host 10.1.1.1\n--host 10.1.1.1-10.2.2.2\n--host 10.1.1.1/24 # any CIDR\n--host 10.1.1.1-255\n--host 2001:db8::/126 # any CIDR\n--host [2001:4860:4860::8888]\n--host 2001:db8::1-2001:db8::5\n--host \u003carbitrary format of the domain\u003e\n```\n\n### --timeout\n\nDefault is 3\n\n```\n--timeout 3\n```\n\n### --ctimeout\n\nTimeout of pscan, default is 0.5\n\n```\n--ctimeout 0.5\n```\n\n### --proxy\n\n```\n--proxy http://127.0.0.1:8081\n--proxy http://user:pass@127.0.0.1:8801\n--proxy socks5://127.0.0.1:1080\n--proxy socks5://user:pass@127.0.0.1:1080\n```\n\n`pip install PySocks` before using it\n\n\n### --project\n\nName of scan project, it will create a folder for saving results\n\n### -p\n\nDesignate the ports\n\nSamples:\n\n```\n-p 80\n-p 80,443\n-p 8000-9000\n-p 80,8000-9000\n-p-  all of ports\n```\n\n### -f \n\nName of the input file\n\nSamples:\n\n`-f  iplist.txt`\n\nThere are many formats of targets, such as\n\n\n```python\nhttp://www.baidu.com\n\n1.1.1.1/24\n\nwww.baidu.com/asd\n\nwww.baidu.com:80/123\n\n1.1.1.1/sads\n\n1.1.1.1:8080/123\n\n1.1.1.1-250\n\n1.1.1.1-1.1.1.250\n```\n\n\nalso can use with `-p`\n\n\n\n### -u\n\n**Need to use with --host or -f**\n\nSample:\n\n```shell\npython AlliN.py --host \"10.0.0.1-10.0.0.2\" -u '/login/index.jsp' -p 80\n\n# It will send the requests as\n10.0.0.1/login/index.jsp\n10.0.0.2/login/index.jsp\n\n```\n\n### -H\n\nIncluding a custom header\n\nSample:\n```\npython AlliN.py -f domain.txt -H \"Cookie: xxxxx; UxxxxxxxN=Sxxxxp\"\n```\n\n### --uf\n\n`-u` from the file\n\nSample:\n\n```python\npython AlliN.py --host \"10.0.0.1-10.0.0.2\" --uf urlpath.list -p 80\n\nurlpathlist:\nindex.php\nindex.jsp\n\n\n# It will send the requests as\n10.0.0.1/index.php =\u003e 10.0.0.1/index.jsp =\u003e10.0.0.2/index.php =\u003e 10.0.0.2/index.jsp\n\n```\n\n### -t\n\nNumber of threads, default is 200\n\nSample:\n\n`-t 200`\n\n\n\n### -o\n\nName of the report file\n\nSample:\n\n`-o answer.txt`\n\n\n### --oJ\n\nName of the report json file\n\nSample:\n\n`--oJ answer.json`\n\n\n### --nocert\n\nScanning without cert identification.\n\nSample:\n\n`python AlliN.py --host 192.168.1.1/24 -p 443 --nocert`\n\nReport with cert identification\n\n```bash\n[  https://1.1.1.1  | Server:Microsoft-HTTPAPI/2.0 |  400  | Size:334 |  Bad Request  | Certs URL: uat1.sandbox.operations.dynamics.cn | DigiCert Inc  ]\n```\n\n\n### --nobar\n\nClose the processing bar\n\n`python AlliN.py --host 192.168.1.1/24 --nobar`\n\n\n### --only-show\n\nOnly displays the status codes which are allowed.\n\nSample:\n\n`--only-show 200,301`\n\n\n### --hidden\n\nFilter specifies status code.\n\n\nSample:\n\n\n`--hidden 404,400`\n\n\n\n### --hiddensize\n\nFilter the length of response\n\nSample:\n\n`--hiddensize 27,5367`  # Filter the responses which length is 26 and 5367\n\n\n\n### --dd\n\nHeader scan model\n\n```python\npython AlliN.py --host 192.168.1.1/24 -p 443 --dd\n```\n\n### --tp\n\nAdd an extra url scan of favicon.ico\n\n```python\npython AlliN.py --host 192.168.1.1/24 --tp\n```\n\n### --fs\n\nSize of each result number by fofa scan, default is 10,000\n\n\n### --hts\nTotal results of hunter scan, default is 100\n\n### -m\n\nMethod of scan, default is tscan\n\n\n\n#### oxid\n\nObtain the address of the remote host network card\n\n`python AlliN.py -m oxid --host 192.168.129.130`\n\nPort is 135\n\n```python\n[*] 127.0.0.1\n        [-\u003e]hecs-xxxx0622130100\n        [-\u003e]192.168.0.57\n        [-\u003e]2001xxxxf57:ffc6\n{'127.0.0.1': ['hxx-x-medixx-2-win-2020xxxx', '192.168.0.57', '2001xxxx3f57:ffc6']}\n```\n\n\n\n#### bakscan\n\nScan the backup of a site\n\n`python AlliN.py --host 192.168.1.1/24 -p 443 -m bakscan`\n\n`python AlliN.py --host 192.168.1.1/24 -p 443 -m bakscan -f dic.txt`\n\nor use with the header model\n\n`python AlliN.py --host 192.168.1.1/24 -p 443 -m bakscan --dd`\n\n\n\n#### sfscan\n\nCombine with subscan and fofascan\n\n`python AlliN.py -q 'domain=\"xx.com\"' --host xxx.com -m sfscan`\n\n\nUse for several domains\n\n`python AlliN.py -q 'domain=\"xx.com\"' --host xxx.com,yyy.com -m sfscan`\n\n\n#### shscan\nBrute the key of shiro, only support CBC encryption currently\n\n`python AlliN.py --host example.com -m shscan`\n\n\n#### ddscan\n\nFuzz subdomain, it will replace the [fuzz] to host\n\nSample:\n\n```shell\npython AlliN.py --host \"www.[fuzz]baidu.top\" -f test.txt  -m ddscan\npython AlliN.py --host \"[fuzz].baidu.top\" -f test.txt  -m ddscan\npython AlliN.py --host \"[fuzz].baidu.top\" -f test.txt  -m ddscan --dd\n```\n\n\n\n#### hostscan\n\nFuzz the host of a request body\n\n```http\nGET /xxx.html HTTP/1.1\nHost: [fuzz].example.com\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36\nConnection: close\n\n```\n\nSample:\n\n```\npython AlliN.py -m hostscan --host https://1.1.1.1 --domain example.com -f dic.txt --nocert\n```\n\n#### vhostscan\n\nSimilary with `hostscan`, change the IP with a correct host\n\nSample:\n\n```\npython AlliN.py -m vhostscan -f dict.txt --domain example.com --nocert\n```\n\n\n#### fscan\n\nFofa scan, reference [https://fofa.info/api](https://fofa.info/api)\n\n\n```\n-q\n--fs # default is 10,000\n```\n\nSample:\n\n\n`python AlliN.py -q domain=\"baidu.com\" -m fscan --fs 200`\n\n#### htscan\n\nHunter scan, reference [https://hunter.qianxin.com/](https://hunter.qianxin.com/)\n\n```\n--hts # default is 100\n```\n\nSample:\n\n\n`python AlliN.py -q domain=\"baidu.com\" -m htscan --hts 150`\n\n\n#### pscan\n\nPort scan\n\nUse the `-p-` to include all of the ports\n\nSample:\n\n\n`python AlliN.py --host 10.1.1.1/24 -p 80 -m pscan`\n\n\n\n#### tscan\n\nTitle scan, the default scan method\n\nSample:\n\n\n`python AlliN.py --host 10.1.1.1/24 -p 80`\n\n\n\n#### 17scan\n\nMS17-010 vulnerable scan\n\nSample:\n\n`python AlliN.py --host 10.1.1.1/24 -m 17scan`\n\n\n#### dpscan\n\nDOUBLEPULSAR backdoor check\n\nSample:\n\n`python AlliN.py --host 10.1.1.1/24 -m dpscan --verbose`\n\n\n#### nbscan\n\nnbtscan\n\nSample:\n\n`python AlliN.py --host 10.1.1.1/24 -m nbscan`\n\n\n\n#### subscan\n\nSubdomain scan\n\nSample:\n\n`python AlliN.py --host \"xx.com\" -m subscan`\n\n\n#### sscan\n\n`tscan` without header of `rememberMe=xxx`\n\nSample:\n\n`python AlliN.py --host 10.1.1.1/24 -p 80 -m sscan`\n\n\n#### t3scan\n\n`t3scan` is a module of WebLogic information collection, it is based on the protocol of t3 and iiop\n\nSample:\n`python AlliN.py --host 10.1.1.1/24 -p 7001 -m t3scan`\n\nNotice: Port is necessary\n\n#### uncd\n\nDecode model\n\nInclude powershell encode 、bash encode 、 F5 decode\n\nSample:\n\n`python AlliN.py -m uncd -e f5 -s 185903296.21520.0000`\n\n```\n-e f5 f5decode\n-e pw powershell encode\n-e bh bash encode\n```\n\n\n\n#### 0708scan\n\nCVE-2019-0708 vulnerable scan\n\nSample:\n\n`python AlliN.py --host 192.168.1.1/24 -m 0708scan -p 3389`\n\n\n\n#### ICMPT\n\nNAT traversal\n\nNedd privileged of **icmp Ping**\n\nThere two steps to start it - server and client\n\nfirst step: type `python AlliN.py -m icmpt ` on your own VPS\n\nnext step: In client, type `python AlliN.py -m icmpt --sip vps --cip 127.0.0.1 --cport 80` \n\nIt will have the following content after you finish the second step\n\n```\nAccpet new client from : 14178 192.168.148.1\nYour server port is :33127\n```\n\nAnd the 33127 port of your VPS is the correct 80 port of the client\n\n\nSample:\n\n```\npython AlliN.py -m icmpt --sip vps --cip 127.0.0.1 --cport 80\n\nThen you can browse vps_ip:36267 to access target_ip:target_port\n```\n\n\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fp1-team%2Fallin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fp1-team%2Fallin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fp1-team%2Fallin/lists"}