bscan: Asynchronous Target Enumeration Tool
Introduction
bscan is a command-line tool for service enumeration and active information gathering. It asynchronously spawns processes of well-known scanning utilities (such as nmap and unicornscan) and repurposes the scan results into highlighted console output and a well-defined directory structure.
bscan is intended for educational purposes and events such as CTFs only and should never be run on machines and/or networks without explicit prior consent.
bscan was primarily written to be run on Kali Linux, but should work on any OS (different dependencies/tools may be required depending on the OS). It ships with two utility programs (use --help for both to list available options):
bscan-wordlists (designed for finding wordlist files on Kali Linux)
bscan-shells (for generating a variety of reverse shell one-liners with target and port fields; pulls the commands from the reverse-shells.toml conf file)
Besides the default configuration files (located at bscan/configuration), bscan also relies on some additional conf files. Purposes of the default files:
patterns.txt: regex patterns for highlighting matches in the scan output,
required-programs.txt: installed programs that bscan plans on using,
port-scans.toml: port-discovering scans to be run on the target(s), and the regular expressions used to parse port numbers and service names from scan output,
service-scans.toml: defines scans which will be run on the target(s) on a per-service basis.
Install
Linux
Clone the bscan repo:
$ git clone https://github.com/welchbj/bscan.git
or download:
$ wget -O bscan https://releases.brianwel.ch/bscan/linux
To install via pip, Python 3.6+ is required:
$ pip install bscan
To download a specific version, use the following pattern:
$ wget -O bscan https://releases.brianwel.ch/github/bscan/linux/0.1.4
Windows
$ powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; wget 'https://releases.brianwel.ch/bscan/windows' -OutFile 'bscan.exe'"
Usage
To get a list of available options, use --help:
usage: bscan [OPTIONS] targets
_
| |__ ___ ___ __ _ _ __
| '_ \/ __|/ __/ _` | '_ \
| |_) \__ \ (__ (_| | | | |
|_.__/|___/\___\__,_|_| |_|
an asynchronous service enumeration tool
positional arguments:
targets the targets and/or networks on which to perform enumeration
optional arguments:
-h, --help show this help message and exit
--brute-pass-list F filename of password list to use for brute-forcing
--brute-user-list F filename of user list to use for brute-forcing
--cmd-print-width I the maximum integer number of characters allowed when printing
the command used to spawn a running subprocess (defaults to 80)
--config-dir D the base directory from which to load the configuration files;
required configuration files missing from this directory will
instead be loaded from the default files shipped with this
program
--hard force overwrite of existing directories
--max-concurrency I maximum integer number of subprocesses permitted to be running
concurrently (defaults to 20)
--no-program-check disable checking the presence of required system programs
--no-file-check disable checking the presence of files such as configured
wordlists
--no-service-scans disable running scans on discovered services
--output-dir D the base directory in which to write output files
--patterns [ [ …]] regex patterns to highlight in output text
--ping-sweep enable ping sweep filtering of hosts from a network range
before running more intensive scans
--quick-only whether to only run the quick scan (and not include the
thorough scan over all ports)
--qs-method S the method for performing the initial TCP port scan; must
correspond to a configured port scan
--status-interval I integer number of seconds to pause in between printing status
updates; a non-positive value disables updates (defaults to 30)
--ts-method S the method for performing the thorough TCP port scan; must
correspond to a configured port scan
--udp whether to run UDP scans
--udp-method S the method for performing the UDP port scan; must correspond
to a configured port scan
--verbose-status whether to print verbose runtime status updates, based on
frequency specified by --status-interval flag
--version program version
--web-word-list F the wordlist to use for scans
Basic Example
$ bscan \
> --max-concurrency 3 \
> --patterns [Mm]icrosoft \
> --status-interval 10 \
> --verbose-status \
> scanme.nmap.org
--max-concurrency 3: at most 3 scan subprocesses will run concurrently;
--patterns [Mm]icrosoft: custom regex pattern for highlighting matches in the scan output;
--status-interval 10: print runtime status updates every 10 seconds;
--verbose-status: each status update will print details of all currently-running scan subprocesses;
scanme.nmap.org: host for enumeration.
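How a --max-concurrency cap and --patterns highlighting of this kind can be built with asyncio, as an added sketch that is not bscan's own code. The names run_all, demo, ECHO and SAMPLE_LINES are hypothetical, and the child processes only echo constructed sample lines instead of running a scanner.

```python
import asyncio
import re
import sys

# Constructed sample lines standing in for scanner output; each child process
# only echoes one of them, so nothing is scanned and the block runs offline.
SAMPLE_LINES = [
    "80/tcp open http Microsoft IIS httpd 10.0",
    "22/tcp open ssh OpenSSH 8.2p1",
    "445/tcp open microsoft-ds",
    "3389/tcp open ms-wbt-server Microsoft Terminal Services",
    "53/tcp open domain",
]
ECHO = "import sys; print(sys.argv[1])"  # hypothetical stand-in for a scan command


async def run_all(lines, patterns, max_concurrency):
    """Spawn one child per line, never more than max_concurrency at a time."""
    gate = asyncio.Semaphore(max_concurrency)
    combined = re.compile("|".join(f"(?:{p})" for p in patterns))
    running = peak = 0

    async def run_one(text):
        nonlocal running, peak
        async with gate:  # blocks while max_concurrency children are alive
            running += 1
            peak = max(peak, running)
            try:
                proc = await asyncio.create_subprocess_exec(
                    sys.executable, "-c", ECHO, text,
                    stdout=asyncio.subprocess.PIPE)
                out, _ = await proc.communicate()
            finally:
                running -= 1
        # Wrap each regex match in ANSI bold red for console display.
        return combined.sub(lambda m: f"\033[1;31m{m.group(0)}\033[0m",
                            out.decode().strip())

    results = await asyncio.gather(*(run_one(t) for t in lines))
    return list(results), peak


def demo():
    """Mirror the page's example: 3 concurrent children, [Mm]icrosoft pattern."""
    return asyncio.run(run_all(SAMPLE_LINES, ["[Mm]icrosoft"], 3))


if __name__ == "__main__":
    lines, peak = demo()
    print("\n".join(lines), f"\npeak concurrent children: {peak}")
```

The semaphore is what keeps five queued jobs from ever exceeding three live subprocesses, and combining the patterns into one alternation avoids re-matching inside the escape codes already inserted.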