A simple non-intrusive, large scale vulnerability scanner.
- To be able to run this application, you must have some dependencies installed and
on your
$PATHfor non-interactive shells. - This usually means that: To make your PATH entries available to /bin/sh scripts run by a specific user,
add the
$PATHentry to the~/.profilefile or~/.bash_profileor~/.bash_login. - Additionally, requirements must be installed for dependencies using Python, and Go must be installed for subjack to work.
The easiest way to do this is probably to follow the installation guide for each of the modules, and then make sure the binaries are on
$PATHfor vulnscan to use.
postgresql- install on eg. Ubuntu withsudo apt install postgresql postgresql-contrib, installed by default on Kali.- subjack
- meg
- nmap
- ripgrep
- s3scanner and an S3-account
- gittools
- SimplyEmail
- Shodan user/api key with query credit
- Google custom search engine, and api key to use it
If there are any of the scans that you don't want to run, you can set its flag to false in the config-file.
- Build with Maven, using Java 11
mvn clean install- Run with
java -jar vulnscan-1.0.jar- The application is configured using the file
vulnscan.config
Results will be written to files currently specified in the class VulnScan.
Output from searching for .env files will be in the out/ directory.
src
├── main
│ ├── java
│ │ └── no
│ │ └── uio
│ │ └── ifi
│ │ └── vulnscan
│ │ ├── Application.java
│ │ ├── tasks
│ │ │ ├── ScanEmail.java
│ │ │ ├── ScanForEnvFiles.java
│ │ │ ├── ScanGit.java
│ │ │ ├── ScanGoogle.java
│ │ │ ├── ScanHeartbleed.java
│ │ │ ├── ScanS3.java
│ │ │ ├── ScanShodan.java
│ │ │ ├── ScanSubdomains.java
│ │ │ └── ScanTask.java
│ │ ├── util
│ │ │ ├── BashCommand.java
│ │ │ └── io
│ │ │ ├── FileOverWriter.java
│ │ │ └── FileParser.java
│ │ └── VulnScan.java
│ └── resources
│ └── log4j2.xml
└── test
└── java
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent