hscan v0.1 - http scanner
http://mastercj.net/hscan/

# Version: r3
# Date: 2009-09-10

################
### OVERVIEW ###
################

hscan is a multithreaded http scanner, written in perl by me, MasterCJ.
It fingerprints web servers/devices, tries very simple dictionary password
attacks and identifies some common web apps. It is designed to be easy to
use, add data to and update.

Note: this is still very much beta or even alpha software. It's far from
being finished, but it's useful already. If you want to help out, say hi,
send hate mail, etc., see below for contact details.

The latest info on hscan can always be found at http://mastercj.net/hscan/
and the latest version can be obtained either by running the upgrade script
or by getting the full package from
http://mastercj.net/hscan/hscan-current.tar.gz

####################
### REQUIREMENTS ###
####################

hscan requires WWW::Curl and a recent version of the perl threads module.
Both are available from CPAN. It should run on just about anything that
supports perl, threads and curl. It's written and tested on Debian GNU/Linux,
so I can say with relative certainty that it will run on Debian and its
derivatives. Yes, that means it will probably run on Ubuntu.

#############
### USAGE ###
#############

### hscan.pl

./hscan.pl (options) (hosts/file)

Either an IP range or a file with a list of IPs can be specified. A range is
specified as ip-ip, e.g. 192.168.1.1-192.168.1.255. If a file is specified,
the file must contain one ip:port combination on each line.

Options:

--port (port)        e.g. 80

--timeout (seconds)  e.g. 10. This controls how long curl will wait to
                     connect to a host, -not- how long it will wait for all
                     the data. (default 5)

--threads (threads)  e.g. 150. If you have the resources (cpu, ram), it can
                     help to turn this and the timeout value up together
                     sometimes, but often it's fine as-is. (default 50)

--submit (0|1|2)     How much data you'd like to submit for fingerprinting
                     purposes. 0 is no data submission, 1 is only
                     unidentified hosts and 2 is all data. Please submit at
                     least the unidentified hosts so I can keep writing
                     definitions for more devices. If you want to really
                     help out, submit the regular data too, then I can check
                     for false positives. (default 1)

--help               You're reading it!

NOTE: All arguments are optional. With no arguments hscan will automatically
pick hosts at random, set the timeout to 1s and submit unidentified host data.

hscan will write to a log file, the name of which is based on the current
date and time. The format is relatively self-explanatory, so just have a go
with it.

### parse-dump.pl

./parse-dump.pl (dumpfile) (auths/servers)

This is used when writing definitions. It runs the identification routines
from hscan over the dump file and sorts all the still-unidentified
auths/servers by frequency of occurrence. It makes it much easier to see
what needs to have defs written first. This needs DBI and DBD::SQLite to
operate.

################
### UPDATING ###
################

Simply run the "updater.pl" script. It will check for new files and update
as necessary.

###############
### WARNING ###
###############

Please ensure you know what you're doing before you use this tool, for it
has the potential to get you in a lot of trouble if you're not careful.

###############
### CONTACT ###
###############

If you'd like to contact me, send mail to "MasterCJ (at) MasterCJ (dot) net".

...

Happy hacking!
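The USAGE section describes two ways of naming hosts: an ip-ip range on the command line, or a file with one ip:port combination per line. The Python below is an added example (not hscan's own code, which is perl) showing how to parse both forms strictly and reject malformed entries before anything is scanned. The range-size cap, the skipping of blank and `#` lines in the hosts file, and the allowed-network scope filter are my assumptions for the example; hscan does not document any of them.

```python
import ipaddress

# Hypothetical cap on how many hosts one ip-ip range may expand to.
# hscan documents no such limit; this is an assumption of the example.
MAX_RANGE_HOSTS = 65536


def expand_range(spec: str) -> list[str]:
    """Expand an 'ip-ip' range (hscan's command-line form) into IPv4 strings.

    Raises ValueError for anything that is not two valid IPv4 addresses
    separated by '-', for an inverted range, or for an oversized range.
    """
    try:
        lo_s, hi_s = spec.split("-", 1)
        lo = ipaddress.IPv4Address(lo_s.strip())
        hi = ipaddress.IPv4Address(hi_s.strip())
    except ValueError as exc:          # AddressValueError is a ValueError
        raise ValueError(f"bad range {spec!r}: {exc}") from None
    if hi < lo:
        raise ValueError(f"range {spec!r} is inverted")
    if int(hi) - int(lo) + 1 > MAX_RANGE_HOSTS:
        raise ValueError(f"range {spec!r} exceeds {MAX_RANGE_HOSTS} hosts")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)]


def parse_hosts_file(text: str) -> tuple[list[tuple[str, int]], list[str]]:
    """Parse hscan's hosts-file form: one 'ip:port' per line.

    Returns (targets, rejected). Each rejected entry names the line and the
    reason, so a bad list is reported instead of silently shrunk. Skipping
    blank lines and '#' comments is an assumption of this example.
    """
    targets: list[tuple[str, int]] = []
    rejected: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port_s = line.partition(":")
        try:
            ip = ipaddress.IPv4Address(host.strip())
            if not sep:
                raise ValueError("missing port")
            port = int(port_s.strip())
            if not 1 <= port <= 65535:
                raise ValueError("port out of range")
        except ValueError as exc:
            rejected.append(f"line {lineno}: {raw!r} ({exc})")
            continue
        targets.append((str(ip), port))
    return targets, rejected


def filter_in_scope(targets: list[tuple[str, int]],
                    allowed_networks: list[str]) -> tuple[list[tuple[str, int]], list[tuple[str, int]]]:
    """Split targets into those inside an allowed-network list and those outside.

    The allowlist is not an hscan feature; it is the check a practitioner
    would add so that a typo in a range cannot point the scanner at networks
    that are not part of the engagement.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    inside, outside = [], []
    for ip, port in targets:
        addr = ipaddress.ip_address(ip)
        (inside if any(addr in n for n in nets) else outside).append((ip, port))
    return inside, outside


# Constructed sample hosts file in hscan's one-ip:port-per-line format,
# deliberately including three malformed lines.
SAMPLE_HOSTS_FILE = """\
# constructed sample, not a real target list
192.168.1.10:80
192.168.1.11:8080
10.0.0.5:80
192.168.1.12
192.168.1.300:80
192.168.1.13:99999
"""

if __name__ == "__main__":
    ips = expand_range("192.168.1.1-192.168.1.255")
    print(f"range expands to {len(ips)} hosts: {ips[0]} .. {ips[-1]}")
    targets, rejected = parse_hosts_file(SAMPLE_HOSTS_FILE)
    for msg in rejected:
        print("rejected", msg)
    inside, outside = filter_in_scope(targets, ["192.168.1.0/24"])
    print("in scope:", inside)
    print("out of scope (dropped):", outside)
```

Run it as-is to see the three malformed lines reported with their reasons and the 10.0.0.5 entry separated out by the scope filter; feed the `inside` list to the scanner and nothing else.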