bscan: Asynchronous Target Enumeration Tool


bscan: Asynchronous Target Enumeration Tool

Introduction

bscan is a command-line tool which allows you to perform service enumeration and active information gathering tasks. This enumeration tool asynchronously spawns processes of well-known scanning utilities (such as nmap and unicornscan) repurposing scan results into highlighted console output and a well-defined directory structure.

Bscan Logo
Disclaimer: bscan is intended for educational purposes and events such as CTFs only and should never be run on machines and/or networks without explicit prior consent. 

bscan: Asynchronous Target Enumeration Tool

bscan was primary written to be run on Kali Linux, but should work on any OS (different dependencies/tools may be required depending on the OS). It ships with two utility programs (use --help for both to list available options):

  • bscan-wordlists (designed for finding wordlist files on Kali Linux)
  • bscan-shells (for generating a variety of reverse shell one-liners with target and port fields; pulls the commands from reverse-shells.toml conf file)

Besides default ones (located at bscan/configuration), bscan also relies on some additional conf files. Purposes of the default files:

  • patterns.txt: regex pattern for highlighting matches in the scan output,
  • required-programs.txt: installed programs that bscan plans on using,
  • port-scans.toml: port-discovering scans to be run on the target(s), regular expressions used to parse port numbers and service names from scan output,
  • service-scans.toml: defines scans which will be run on the target(s) on a per-service basis.

Install

Linux

Clone the bscan repo:

$ git clone https://github.com/welchbj/bscan.git

or download:

$ wget -O bscan https://releases.brianwel.ch/bscan/linux

To install via pip, Python 3.6+ is required:

$ pip install bscan

To download specific version, use the following pattern:

$ wget -O bscan https://releases.brianwel.ch/github/bscan/linux/0.1.4

Windows

$ powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; wget 'https://releases.brianwel.ch/bscan/windows' -OutFile 'bscan.exe'"

Usage

To get a list of available options, use --help:

usage: bscan [OPTIONS] targets
 _
| |__ ___ ___ __ _ _ __
| '_ \/ __|/ __/ _` | '_ \
| |_) \__ \ (__ (_| | | | |
|_.__/|___/\___\__,_|_| |_|

an asynchronous service enumeration tool

positional arguments:
targets the targets and/or networks on which to perform enumeration

optional arguments:
-h, --help show this help message and exit
--brute-pass-list F filename of password list to use for brute-forcing
--brute-user-list F filename of user list to use for brute-forcing
--cmd-print-width I the maximum integer number of characters allowed when printing
the command used to spawn a running subprocess (defaults to 80)
--config-dir D the base directory from which to load the configuration files;
required configuration files missing from this directory will
instead be loaded from the default files shipped with this
program
--hard force overwrite of existing directories
--max-concurrency I maximum integer number of subprocesses permitted to be running
concurrently (defaults to 20)
--no-program-check disable checking the presence of required system programs
--no-file-check disable checking the presence of files such as configured
wordlists
--no-service-scans disable running scans on discovered services
--output-dir D the base directory in which to write output files
--patterns [ [ …]] regex patterns to highlight in output text
--ping-sweep enable ping sweep filtering of hosts from a network range
before running more intensive scans
--quick-only whether to only run the quick scan (and not include the
thorough scan over all ports)
--qs-method S the method for performing the initial TCP port scan; must
correspond to a configured port scan
--status-interval I integer number of seconds to pause in between printing status
updates; a non-positive value disables updates (defaults to 30)
--ts-method S the method for performing the thorough TCP port scan; must
correspond to a configured port scan
--udp whether to run UDP scans
--udp-method S the method for performing the UDP port scan; must correspond
to a configured port scan
--verbose-status whether to print verbose runtime status updates, based on
frequency specified by --status-interval flag
--version program version
--web-word-list F the wordlist to use for scans

Basic Example

$ bscan \ 
> --max-concurrency 3 \
> --patterns [Mm]icrosoft \
> --status-interval 10 \
> --verbose-status \
> scanme.nmap.org
  • --max-concurrency 3: max 3 concurrent scan subprocesses will be run at a time;
  • --patterns [Mm]icrosoft: custom regex pattern for highlighting matches in the scan output;
  • --status-interval 10: print runtime status updates every 10 seconds;
  • --verbose-status : each status will update print details of all currently-running scan subprocesses;
  • scanme.nmap.org: host for enumeration.
Download Box