Given the threat-dominated landscape we cannot escape, we need a game-changer that becomes the ultimate tool for protecting our Android app. Now, imagine your organisation's application is used by hundreds of thousands of Android users, given that your flagship Android app is always running on their devices. How sure are you that your app security is […]
[Ronan] likes 35mm film photography, but the world, of course, has gone digital. He picked up an Epson FilmScan 200 for about €10. This wonder device from 1997 promised to convert 35mm film to digital at 1200 DPI resolution. But there was a catch: it connects via SCSI. Worse, the drivers were forever locked to Windows 95/98 and Mac System 7/8.
In a surprise twist, though, [Ronan] recently resurrected a Mac SE/30 with the requisite SCSI port and the System 7 OS. Problem solved? Not quite. The official software is a plugin for Photoshop. So the obvious answer is to write new software to interact with the device.
First, of course, you have to figure out how the device works. A service manual provided clues that, as far as the SCSI bus knew, the device wasn't a scanner at all, but a processor. The processor, though, used SCSI as a simple pipe to handle Epson's standard 'ESC/I' protocol.
Armed with that information and a knowledge of the Mac's SCSI Manager API, the rest is just coding. Well, that is until [Ronan] tried to scan the other five negatives in the six-negative film carrier. He was frustrated until he found an old patched SANE driver for the scanner from 2002. By looking at how it worked, he was able to figure out how to switch to the other negatives.
Color scanning also took a little coaxing. The scanner returns three monochrome images, one for each color channel. Some assembly, then, is required. In the end, though, the project was a complete success. Can't find a FilmScan 200? Don't have a SCSI port? There's always the roll-your-own approach.
Visually inspect all of the regex matches (and their sexier, more cloak and dagger cousins, the YARA matches) found in binary data and/or text. See what happens when you force various character encodings upon those matched bytes. With colors.
Quick Start
```shell
pipx install yaralyzer

# Scan against YARA definitions in a file:
yaralyze --yara-rules /secret/vault/sigmunds_malware_rules.yara lacan_buys_the_dip.pdf

# Scan against an arbitrary regular expression:
yaralyze --regex-pattern 'good and evil.*of\s+\w+byte' the_crypto_archipelago.exe
```
See the actual bytes your YARA rules are matching. No more digging around copy/pasting the start positions reported by YARA into your favorite hex editor. Displays both the bytes matched by YARA as well as a configurable number of bytes before and after each match in hexadecimal and "raw" python string representation.
Do the same for byte patterns and regular expressions without writing a YARA file. If you're too lazy to write a YARA file but are trying to determine, say, whether there's a regular expression hidden somewhere in the file you could scan for the pattern '/.+/' and immediately get a window into all the bytes in the file that live between front slashes. Same story for quotes, BOMs, etc. Any regex YARA can handle is supported so the sky is the limit.
Detect the possible encodings of each set of matched bytes. The chardet library, a sophisticated library for guessing character encodings, is leveraged here.
Display the result of forcing various character encodings upon the matched areas. Several default character encodings will be forcibly attempted in the region around the match. chardet will also be leveraged to see if the bytes fit the pattern of any known encoding. If chardet is confident enough (configurable), an attempt at decoding the bytes using that encoding will be displayed.
Export the matched regions/decodings to SVG, HTML, and colored text files. Show off your ASCII art.
Why It Do
The Yaralyzer's functionality was extracted from The Pdfalyzer when it became apparent that visualizing and decoding pattern matches in binaries had more utility than just in a PDF analysis tool.
YARA, for those who are unaware1, is branded as a malware analysis/alerting tool but it's actually both a lot more and a lot less than that. One way to think about it is that YARA is a regular expression matching engine on steroids. It can locate regex matches in binaries like any regex engine but it can also do far wilder things like combine regexes in logical groups, compare regexes against all 256 XORed versions of a binary, check for base64 and other encodings of the pattern, and more. Maybe most importantly of all YARA provides a standard text based format for people to share their 'roided regexes with the world. All these features are particularly useful when analyzing or reverse engineering malware, whose authors tend to invest a great deal of time into making stuff hard to find.
But... that's also all YARA does. Everything else is up to the user. YARA's just a match engine and if you don't know what to match (or even what character encoding you might be able to match in) it only gets you so far. I found myself a bit frustrated trying to use YARA to look at all the matches of a few critical patterns:
Bytes between escaped quotes (\".+\" and \'.+\')
Bytes between front slashes (/.+/). Front slashes demarcate a regular expression in many implementations and I was trying to see if any of the bytes matching this pattern were actually regexes.
YARA just tells you the byte position and the matched string but it can't tell you whether those bytes are UTF-8, UTF-16, Latin-1, etc. etc. (or none of the above). I also found myself wanting to understand what was going on in the region around the matched bytes and not just in the matched bytes themselves. In other words I wanted to scope the bytes immediately before and after whatever got matched.
Enter The Yaralyzer, which lets you quickly scan the regions around matches while also showing you what those regions would look like if they were forced into various character encodings.
It's important to note that The Yaralyzer isn't a full-on malware reversing tool. It can't do all the things a tool like CyberChef does and it doesn't try to. It's more intended to give you a quick visual overview of suspect regions in the binary so you can home in on the areas you might want to inspect with a more serious tool like CyberChef.
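The core idea described above (a byte-level regex match, the bytes around it, and the result of forcing several encodings on that region) as an added example. This is not The Yaralyzer's code and does not use its API: it is a stdlib-only Python sketch that uses strict decoding under each candidate encoding where the tool would consult chardet, with a crude printable-character ratio standing in for chardet's confidence score. The encoding list and the `SAMPLE` bytes are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Encodings forced on every matched region. This list is constructed for the
# example; it is not the Yaralyzer's configured default set.
ENCODINGS = ("ascii", "utf-8", "utf-16-le", "latin-1", "cp1252")


class ContextMatch(NamedTuple):
    start: int
    end: int
    matched: bytes
    before: bytes
    after: bytes


def find_with_context(data: bytes, pattern: bytes, surrounding: int = 8) -> List[ContextMatch]:
    """Run a byte regex over data and keep `surrounding` bytes on each side of
    every match, the way the tool shows the region around a YARA hit."""
    hits: List[ContextMatch] = []
    for m in re.finditer(pattern, data, re.DOTALL):
        s, e = m.span()
        hits.append(ContextMatch(s, e, m.group(0),
                                 data[max(0, s - surrounding):s],
                                 data[e:e + surrounding]))
    return hits


def force_decodings(chunk: bytes, encodings=ENCODINGS) -> Dict[str, Optional[str]]:
    """Strictly decode chunk with each encoding. None means the bytes are not
    valid in that encoding at all, which is itself useful evidence."""
    out: Dict[str, Optional[str]] = {}
    for enc in encodings:
        try:
            out[enc] = chunk.decode(enc)
        except (UnicodeDecodeError, ValueError):
            out[enc] = None
    return out


def printable_ratio(text: str) -> float:
    """Crude plausibility score standing in for chardet's confidence: the
    share of characters that are printable (NULs and controls count against)."""
    if not text:
        return 0.0
    return sum(ch.isprintable() for ch in text) / len(text)


def hexdump(chunk: bytes) -> str:
    return " ".join(f"{b:02x}" for b in chunk)


def report(data: bytes, pattern: bytes, surrounding: int = 8) -> str:
    """Text report: offsets, hex and raw bytes of each match region, then the
    result of forcing every encoding onto that region with its score."""
    lines: List[str] = []
    for cm in find_with_context(data, pattern, surrounding):
        region = cm.before + cm.matched + cm.after
        lines.append(f"match @ {cm.start}-{cm.end}: {cm.matched!r}")
        lines.append(f"  hex : {hexdump(region)}")
        lines.append(f"  raw : {region!r}")
        for enc, text in force_decodings(region).items():
            if text is None:
                lines.append(f"  {enc:<9}: (not valid {enc})")
            else:
                lines.append(f"  {enc:<9}: {text!r}  [printable {printable_ratio(text):.2f}]")
    return "\n".join(lines)


# Constructed sample: two slash-delimited strings, one ASCII and one Latin-1,
# padded with NUL bytes so the before/after context is visible.
SAMPLE = b"\x00\x00/abc+/\x00\x00" + "/caf\u00e9/".encode("latin-1") + b"\x00\x00"

if __name__ == "__main__":
    # Non-greedy slash pattern; the README's /.+/ would swallow everything
    # between the first and last slash in the file.
    print(report(SAMPLE, rb"/[^/]+/", surrounding=2))
```

The useful signal is usually which encodings reject the region outright: in the sample, `/caf\xe9/` is invalid UTF-8 and invalid ASCII but decodes cleanly as Latin-1, which is exactly the hint YARA alone does not give you.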
Installation
Install it with pipx or pip3. pipx is a marginally better solution as it guarantees any packages installed with it will be isolated from the rest of your local python environment. Of course if you don't really have a local python environment this is a moot point and you can feel free to install with pip/pip3.
```shell
pipx install yaralyzer
```
Usage
Run yaralyze -h to see the command line options (screenshot below).
For info on exporting SVG images, HTML, etc., see Example Output.
Configuration
If you place a file called .yaralyzer in your home directory or the current working directory, then the environment variables specified in that .yaralyzer file will be added to the environment each time yaralyzer is invoked. This provides a mechanism for permanently configuring various command line options so you can avoid typing them over and over. See the example file .yaralyzer.example to see which options can be configured this way.
Only one .yaralyzer file will be loaded and the working directory's .yaralyzer takes precedence over the home directory's .yaralyzer.
As A Library
Yaralyzer is the main class. It has a variety of constructors supporting:
Precompiled YARA rules
Creating a YARA rule from a string
Loading YARA rules from files
Loading YARA rules from all .yara files in a directory
Scanning bytes
Scanning a file
Should you want to iterate over the BytesMatch (like a re.Match object for a YARA match) and BytesDecoder (tracks decoding attempt stats) objects returned by The Yaralyzer, you can do so like this:
```python
for bytes_match, bytes_decoder in yaralyzer.match_iterator():
    do_stuff()
```
Example Output
The Yaralyzer can export visualizations to HTML, ANSI colored text, and SVG vector images using the file export functionality that comes with Rich. SVGs can be turned into png format images with a tool like Inkscape or cairosvg. In our experience they both work though we've seen some glitchiness with cairosvg.
PyPi Users: If you are reading this document on PyPi be aware that it renders a lot better over on GitHub. Pretty pictures, footnotes that work, etc.
Raw YARA match result:
Display hex, raw python string, and various attempted decodings of both the match and the bytes before and after the match (configurable):
Bonus: see what chardet.detect() thinks about the likelihood your bytes are in a given encoding/language:
BlueHound is an open-source tool that helps blue teams pinpoint the security issues that actually matter. By combining information about user permissions, network access and unpatched vulnerabilities, BlueHound reveals the paths attackers would take if they were inside your network. It is a fork of NeoDash, reimagined to make it suitable for defensive security purposes.
BlueHound supports presenting your data as tables, graphs, bar charts, line charts, maps and more. It contains a Cypher editor to directly write the Cypher queries that populate the reports. You can save dashboards to your database, and share them with others.
Main Features
Full Automation: The entire cycle of collection, analysis and reporting is basically done with a click of a button.
Community Driven: BlueHound configuration can be exported and imported by others. Sharing of knowledge, best practices, collection methodologies and more, built-into the tool itself.
Easy Reporting: Creating customized reports can be done intuitively, without the need to write any code.
Easy Customization: Any custom collection method can be added into BlueHound. Users can even add their own custom parameters or even custom icons for their graphs.
Getting Started
ROST ISO
BlueHound can be used as part of the ROST image, which comes pre-configured with everything you need (BlueHound, Neo4j, BloodHound, and a sample dataset). To load ROST, create a new virtual machine, and install it from the ISO like you would for a new Windows host.
BlueHound Binary
If you already have a Neo4j instance running, you can download a pre-compiled version of BlueHound from our release page. Just download the zip file suitable to your OS version, extract it, and run the binary.
Use the Data Import section to collect & import data into your Neo4j database.
Once you have data loaded, you can use the Configurations tab to set up the basic information that is used by the queries (e.g. Domain Admins group, crown jewels servers).
Finally, the Queries section can be used to prepare the reports.
BlueHound How-To
Data Collection
The Data Import Tools section can be used to collect data with a click of a button. By default, BlueHound comes preconfigured with SharpHound, ShotHound, and the Vulnerability Scanners script. Additional tools can be added for more data collection. To get started:
Download the relevant tools using the globe icon
Configure the tool path & arguments for each tool
Run the tools
The built-in tools can be configured to automatically upload the results to your Neo4j instance.
Running & Viewing Queries
To get results for a chart, either use the Refresh icon to run a specific query, or use the Query Runner section to run queries in batches. The results will be cached even after closing BlueHound, and can be run again to get updated results. Some charts have an Info icon which explain the query and/or provide links to additional information.
Adding & Editing Queries
You can edit the query for new and/or existing charts by using the Settings icon on the top right section of the chart. Here you can use any parameters configured with a Param Select chart, and any Edge Filtering string (see section below).
Edge Filtering
Using the Edge Filtering section, you can filter out specific relationship types for all queries that use the relevant string in their query. For example, ":FILTERED_EDGES" can be used to filter by all the selection filters. You can also filter by a specific category (see the Info icon) or even define your own custom edge filters.
Import & Export Config
The Export Config and Import Config sections can be used to save & load your dashboard and configurations as a backup, and even shared between users to collaborate and contribute insightful queries to the security community. Don't worry, your credentials and data won't be exported.
Note: any arguments for data import tools are also exported, so make sure you remove any secrets before sharing your configuration.
Settings
The Settings section allows you to set some global limits on query execution: a maximum query time and a limit on the number of returned results.
Technical Info
BlueHound is a fork of NeoDash, built with React and use-neo4j. It uses charts to power some of the visualizations. You can also extend NeoDash with your own visualizations. Check out the developer guide in the project repository.
Developer Guide
Run & Build using npm
BlueHound is built with React. You'll need npm installed to run the web app.
Use a recent version of npm and node to build BlueHound. The application has been tested with npm 8.3.1 & node v17.4.0.
To run the application in development mode:
clone this repository.
open a terminal and navigate to the directory you just cloned.
execute npm install to install the necessary dependencies.
execute npm run dev to run the app in development mode.
To build the app for deployment:
follow the steps above to clone the repository and install dependencies.
execute npm run build. This will create a build folder in your project directory.
deploy the contents of the build folder to a web server. You should then be able to run the web app.
Questions / Suggestions
We are always open to ideas, comments, and suggestions regarding future versions of BlueHound, so if you have ideas, don't hesitate to reach out to us at support@zeronetworks.com or open an issue/pull request on GitHub.
0 Disclaimer (The author did not participate in the XX action, don't trace it)
This tool is only for legally authorized enterprise security engineering and for personal learning. If you need to test the tool's usability, build your own target environment.
When using this tool for testing, you should ensure that the behavior complies with local laws and regulations and has obtained sufficient authorization. Do not scan unauthorized targets.
We reserve the right to pursue your legal responsibility if the above prohibited behavior is found.
If you have any illegal behavior in the process of using this tool, you shall bear the corresponding consequences by yourself, and we will not bear any legal and joint responsibility.
Before installing and using this tool, please be sure to carefully read and fully understand the terms and conditions.
Unless you have fully read, fully understood and accepted all the terms of this agreement, please do not install and use this tool. Your use behavior or your acceptance of this Agreement in any other express or implied manner shall be deemed that you have read and agreed to be bound by this Agreement.
Kscan is an asset mapping tool that performs port scanning, TCP fingerprinting and banner grabbing against specified assets, obtaining as much port information as possible without sending extra packets. It can automatically brute force credentials on the scan results, and is the first open-source RDP brute forcing tool on the Go platform.
2 Foreword
There are already many tools for asset scanning, fingerprinting and vulnerability detection, and many of them are great, but Kscan takes a number of different approaches.
Kscan aims to accept many input formats without requiring the user to classify targets (IP, URL and so on) before scanning; that sorting is an unnecessary workload for users, so every entry is accepted and identified as-is. If an entry is a URL, its path is retained for detection; if it is just IP:PORT, protocol identification of that port is prioritised. Kscan currently supports three input methods (-t,--target | -f,--fofa | --spy).
Kscan does not trade accuracy for speed by assuming a port's protocol from its number, nor does it detect only web assets. It favours accuracy and comprehensiveness, accepting only high-confidence protocol identification so that the subsequent application-layer identification has good conditions to work with.
Kscan does not take a purely modular approach of stacking independent functions (one module fetching titles, another fetching SMB information, each running and outputting on its own). Instead it reports asset information per port: if a port's protocol is HTTP, fingerprinting and title retrieval follow automatically; if the protocol is RPC, it tries to obtain the host name, and so on.
-t/--target: add --check to fingerprint only the specified target port; otherwise the target is port scanned and then fingerprinted. Accepted target forms:
  IP address: 114.114.114.114
  IP address range: 114.114.114.114-115.115.115.115
  URL address: https://www.baidu.com
  File address: file:/tmp/target.txt
--spy: add --scan to port scan and fingerprint the live C-class segments that are found; otherwise only the live network segments are reported. Accepted values:
  (empty): detect the local machine's IP address and probe the B-class segment it belongs to
  all: probe all private network address ranges (192.168.x.x, 172.x.x.x, 10.x.x.x, etc.)
  IP address: probe the B-class segment the specified IP address belongs to
-f/--fofa: add --check to verify that the search results are alive, and --scan to port scan and fingerprint them; otherwise only the fofa search results are returned.
  fofa search keywords: the fofa search results are returned directly
optional arguments:
  -h, --help            show this help message and exit
  -f, --fofa            Get targets from fofa. The environment variables FOFA_EMAIL and FOFA_KEY must be configured in advance.
  -t, --target          Specify the target:
                          IP address: 114.114.114.114
                          IP address segment: 114.114.114.114/24 (a subnet mask shorter than /12 is not recommended)
                          IP address range: 114.114.114.114-115.115.115.115
                          URL address: https://www.baidu.com
                          File address: file:/tmp/target.txt
  --spy                 Network segment detection mode: the internal network segments reachable from the host are detected automatically. Accepted values: (empty), 192, 10, 172, all, or an IP address (its B-class segment is probed for live gateways).
  --check               Fingerprint the target address only; no port scan is performed.
  --scan                Port scan and fingerprint the targets supplied by --fofa and --spy.
  -p, --port            Scan the specified ports. TOP400 is scanned by default. Format: 80,8080,8088-8090
  -eP, --excluded-port  Skip the specified ports. Format: 80,8080,8088-8090
  -o, --output          Save scan results to a file.
  -oJ                   Save scan results to a file in JSON format.
  -Pn                   Disable intelligent host-alive detection (enabled by default to improve efficiency).
  -Cn                   Do not color the console output.
  -sV                   Probe all ports with the full probe set. This greatly reduces efficiency, so use it with caution!
  --top                 Scan the top X common ports, up to 1000. Default: TOP400.
  --proxy               Set a proxy: (socks5|socks4|https|http)://IP:Port
  --threads             Number of threads. Default: 100, maximum: 2048.
  --path                Directory to request; only a single directory is supported.
  --host                Host header value to send with all requests.
  --timeout             Set the timeout.
  --encoding            Terminal output encoding: gb2312 or utf-8.
  --match               Search the returned banners for a keyword; only assets whose banner contains it are displayed.
  --hydra               Automatic brute forcing. Supported protocols: ssh, rdp, ftp, smb, mysql, mssql, oracle, postgresql, mongodb, redis. All are enabled by default.
hydra options:
  --hydra-user          Custom brute-force username(s): username, or user1,user2, or file:username.txt
  --hydra-pass          Custom brute-force password(s): password, or pass1,pass2, or file:password.txt. A comma inside a password must be escaped as \, ; no other symbols need escaping.
  --hydra-update        Append the custom usernames and passwords to the default dictionary instead of replacing it (the default dictionary is replaced when this flag is absent).
  --hydra-mod           Brute-force modules to run: rdp, or rdp,ssh,smb
fofa options:
  --fofa-syntax         Print a description of the fofa search syntax.
  --fofa-size           Number of entries returned by fofa. Default: 100.
  --fofa-fix-keyword    Modify the keyword; the {} in this parameter is replaced with the value of the -f parameter.
The functionality is not complicated; explore the rest yourself.
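The input grammar described above (the `-p`/`-eP` port lists, the `-t` forms IP, CIDR, range, URL and `file:`, and the `\,` escape for `--hydra-pass`) as an added example of how such inputs can be normalised before scanning. This is not Kscan's code and is written in Python rather than Kscan's Go; the grammar, the `/12` recommendation and the port defaults for URLs (443 for https, otherwise 80) are assumptions taken from the README text, and the `scan_plan` output shape is the example's own. No packets are sent; it only produces the (host, port, path) work list a scanner would consume.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Set, Tuple
from urllib.parse import urlsplit

# Illustrative normaliser for the input formats the README lists; this is not
# Kscan's own code. Grammar assumed from the README:
#   -p/-eP       : "80,8080,8088-8090"
#   -t           : "1.2.3.4", "1.2.3.0/24", "1.2.3.4-1.2.3.9",
#                  "https://host/path", "file:/tmp/target.txt"
#   --hydra-pass : "pass1,pass2" with "\," for a literal comma

MIN_PREFIXLEN = 12  # README: a mask shorter than /12 is not recommended


def parse_ports(spec: str) -> Set[int]:
    """'80,8080,8088-8090' -> {80, 8080, 8088, 8089, 8090}."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, sep, hi = item.partition("-")
        start = int(lo)
        end = int(hi) if sep else start
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"bad port item: {item!r}")
        ports.update(range(start, end + 1))
    return ports


def effective_ports(include: str, exclude: str = "") -> List[int]:
    """Apply an -eP exclusion spec to a -p inclusion spec."""
    return sorted(parse_ports(include) - parse_ports(exclude))


def split_escaped_commas(value: str) -> List[str]:
    r"""Split a --hydra-user/--hydra-pass list on commas, treating '\,' as a
    literal comma inside an item (the README's escape rule)."""
    items: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(value):
        if value.startswith("\\,", i):   # escaped comma stays in the item
            buf.append(",")
            i += 2
        elif value[i] == ",":
            items.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(value[i])
            i += 1
    items.append("".join(buf))
    return [s for s in items if s]


class Target(NamedTuple):
    kind: str   # 'ip', 'url' or 'file'
    host: str
    port: int   # 0 when the entry carries no port
    path: str   # kept for URLs, since the README says the path is retained


def prefix_is_recommended(cidr: str) -> bool:
    return ipaddress.ip_network(cidr, strict=False).prefixlen >= MIN_PREFIXLEN


def classify_target(entry: str) -> List[Target]:
    """Expand one -t entry; CIDRs and ranges become individual addresses."""
    entry = entry.strip()
    if entry.startswith("file:"):
        return [Target("file", entry[len("file:"):], 0, "")]
    if "://" in entry:
        u = urlsplit(entry)
        port = u.port or (443 if u.scheme == "https" else 80)
        return [Target("url", u.hostname or "", port, u.path or "/")]
    if "/" in entry:
        if not prefix_is_recommended(entry):
            raise ValueError(f"{entry}: prefix shorter than /{MIN_PREFIXLEN} is not recommended")
        net = ipaddress.ip_network(entry, strict=False)
        return [Target("ip", str(a), 0, "") for a in net.hosts()]
    if "-" in entry:
        lo_s, hi_s = entry.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if hi < lo:
            raise ValueError(f"reversed range: {entry}")
        return [Target("ip", str(ipaddress.ip_address(int(lo) + k)), 0, "")
                for k in range(int(hi) - int(lo) + 1)]
    return [Target("ip", str(ipaddress.ip_address(entry)), 0, "")]


def scan_plan(entries: Iterable[str], include: str, exclude: str = "") -> List[Tuple[str, int, str]]:
    """Flatten -t entries plus -p/-eP into (host, port, path) work items.
    URL entries are probed only on their own port; IP entries get the full
    port list; file: entries are left for the caller to read."""
    ports = effective_ports(include, exclude)
    plan: List[Tuple[str, int, str]] = []
    for entry in entries:
        for t in classify_target(entry):
            if t.kind == "url":
                plan.append((t.host, t.port, t.path))
            elif t.kind == "ip":
                plan.extend((t.host, p, "") for p in ports)
    return plan


if __name__ == "__main__":
    for item in scan_plan(["10.0.0.0/30", "https://www.baidu.com"], "80,443,8088-8090", "8089"):
        print(item)
```

Two points worth keeping when adapting this: the `/12` guard refuses wide ranges up front rather than after a scan has been running for an hour, and `split_escaped_commas` is the only place the `\,` convention is interpreted, so a password containing a literal backslash followed by something other than a comma passes through unchanged, as the README's rule implies.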
CMS (Content Management System) is very popular, easy to install and mostly set up once and forgotten by 'admins'.
In general, there are quite serious vulnerabilities in popular CMS, as is the case with any software. Bugs are patched fairly quickly. Responsible companies