Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration


πŸ΄β€β˜ οΈ Information Gathering tool πŸ΄β€β˜ οΈ - DNS / Subdomains / Ports / Directories enumeration

Coded with 💙 by edoardottt.

Preview • Install • Get Started • Examples • Contributing

Preview 📊


Installation 📡

  • First of all, clone the repo locally

    • git clone https://github.com/edoardottt/scilla.git
    • cd scilla
  • Scilla has external dependencies, so they need to be pulled in:

    • go get
  • Linux (Requires high perms, run with sudo)

    • make linux (to install)

    • make unlinux (to uninstall)

  • Windows (executable works only in scilla folder. Alias?)

    • make windows (to install) or .\make.bat windows (powershell)

    • make unwindows (to uninstall) or .\make.bat unwindows (powershell)

  • Other commands:

    • make fmt run the golang formatter.

    • make update Update.

    • make remod Remod.

    • make test runs the tests (empty now..)

Get Started 🎉

scilla help prints the help in the command line.

usage: scilla subcommand { options }

   Available subcommands:
       - dns [-o output-format]
             [-plain Print only results]
             -target  REQUIRED
       - port [-p  or ports divided by comma]
              [-o output-format]
              [-common scan common ports]
              [-plain Print only results]
              -target  REQUIRED
       - subdomain [-w wordlist]
                   [-o output-format]
                   [-i ignore status codes]
                   [-c use also a web crawler]
                   [-db use also a public database]
                   [-plain Print only results]
                   -target  REQUIRED
       - dir [-w wordlist]
             [-o output-format]
             [-i ignore status codes]
             [-c use also a web crawler]
             [-plain Print only results]
             -target  REQUIRED
       - report [-p  or ports divided by comma]
                [-ws subdomains wordlist]
                [-wd directories wordlist]
                [-o output-format]
                [-id ignore status codes in directories scanning]
                [-is ignore status codes in subdomains scanning]
                [-cd use also a web crawler for directories scanning]
                [-cs use also a web crawler for subdomains scanning]
                [-db use also a public database for subdomains scanning]
                [-common scan common ports]
                -target  REQUIRED
       - help
       - examples

Examples 💡

  • DNS enumeration:

    • scilla dns -target target.domain
    • scilla dns -o txt -target target.domain
    • scilla dns -o html -target target.domain
    • scilla dns -plain -target target.domain
  • Subdomains enumeration:

    • scilla subdomain -target target.domain
    • scilla subdomain -w wordlist.txt -target target.domain
    • scilla subdomain -o txt -target target.domain
    • scilla subdomain -o html -target target.domain
    • scilla subdomain -i 400 -target target.domain
    • scilla subdomain -i 4** -target target.domain
    • scilla subdomain -c -target target.domain
    • scilla subdomain -db -target target.domain
    • scilla subdomain -plain -target target.domain
  • Directories enumeration:

    • scilla dir -target target.domain
    • scilla dir -w wordlist.txt -target target.domain
    • scilla dir -o txt -target target.domain
    • scilla dir -o html -target target.domain
    • scilla dir -i 500,401 -target target.domain
    • scilla dir -i 5**,401 -target target.domain
    • scilla dir -c -target target.domain
    • scilla dir -plain -target target.domain
  • Ports enumeration:

    • Default (all ports, so 1-65635) scilla port -target target.domain
    • Specifying ports range scilla port -p 20-90 -target target.domain
    • Specifying starting port (until the last one) scilla port -p 20- -target target.domain
    • Specifying ending port (from the first one) scilla port -p -90 -target target.domain
    • Specifying single port scilla port -p 80 -target target.domain
    • Specifying output format (txt) scilla port -o txt -target target.domain
    • Specifying output format (html) scilla port -o html -target target.domain
    • Specifying multiple ports scilla port -p 21,25,80 -target target.domain
    • Specifying common ports scilla port -common -target target.domain
    • Print only results scilla port -plain -target target.domain
  • Full report:

    • Default (all ports, so 1-65635) scilla report -target target.domain
    • Specifying ports range scilla report -p 20-90 -target target.domain
    • Specifying starting port (until the last one) scilla report -p 20- -target target.domain
    • Specifying ending port (from the first one) scilla report -p -90 -target target.domain
    • Specifying single port scilla report -p 80 -target target.domain
    • Specifying output format (txt) scilla report -o txt -target target.domain
    • Specifying output format (html) scilla report -o html -target target.domain
    • Specifying directories wordlist scilla report -wd dirs.txt -target target.domain
    • Specifying subdomains wordlist scilla report -ws subdomains.txt -target target.domain
    • Specifying status codes to be ignored in directories scanning scilla report -id 500,501,502 -target target.domain
    • Specifying status codes to be ignored in subdomains scanning scilla report -is 500,501,502 -target target.domain
    • Specifying status codes classes to be ignored in directories scanning scilla report -id 5**,4** -target target.domain
    • Specifying status codes classes to be ignored in subdomains scanning scilla report -is 5**,4** -target target.domain
    • Use also a web crawler for directories enumeration scilla report -cd -target target.domain
    • Use also a web crawler for subdomains enumeration scilla report -cs -target target.domain
    • Use also a public database for subdomains enumeration scilla report -db -target target.domain
    • Specifying multiple ports scilla report -p 21,25,80 -target target.domain
    • Specifying common ports scilla report -common -target target.domain
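The -p and -i/-id/-is values shown above follow a small grammar: port ranges with an open start or end, comma-separated lists, and status-code classes written as 4** or 5**. The Go program below is an added illustration of that grammar and is not scilla's own parser: ParsePortSpec expands a -p value into a sorted, de-duplicated port list and rejects malformed or out-of-range entries, and IgnoreMatcher answers whether a response status should be dropped under an ignore pattern. The function and type names are this example's own, and the inputs in main are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Highest valid TCP/UDP port number.
const maxPort = 65535

// ParsePortSpec expands a scilla-style -p value into a sorted, de-duplicated
// list of ports. Forms taken from the README examples: "20-90", "20-" (20 up to
// the last port), "-90" (first port up to 90), "80" and "21,25,80". An empty
// spec means every port. Malformed or out-of-range entries are errors rather
// than being silently clamped.
func ParsePortSpec(spec string) ([]int, error) {
	if strings.TrimSpace(spec) == "" {
		spec = "-" // open on both ends: every port
	}
	// bound parses one end of a range; an empty string means the default end.
	bound := func(s string, def int) (int, error) {
		if s == "" {
			return def, nil
		}
		return strconv.Atoi(s)
	}
	seen := make(map[int]bool)
	var ports []int
	for _, item := range strings.Split(spec, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			return nil, fmt.Errorf("empty entry in port spec %q", spec)
		}
		parts := strings.SplitN(item, "-", 2)
		if len(parts) == 1 { // single port such as "80"
			parts = append(parts, parts[0])
		}
		lo, err1 := bound(parts[0], 1)
		hi, err2 := bound(parts[1], maxPort)
		if err1 != nil || err2 != nil || lo < 1 || hi > maxPort || lo > hi {
			return nil, fmt.Errorf("bad port entry %q", item)
		}
		for p := lo; p <= hi; p++ {
			if !seen[p] {
				seen[p] = true
				ports = append(ports, p)
			}
		}
	}
	sort.Ints(ports)
	return ports, nil
}

// IgnoreMatcher holds -i / -id / -is patterns: exact codes ("404") and class
// wildcards ("4**", every 4xx response).
type IgnoreMatcher struct {
	exact   map[int]bool
	classes map[int]bool // first digit of a wildcard class: 4 for "4**"
}

// NewIgnoreMatcher parses a comma-separated list such as "5**,401".
// An empty spec ignores nothing.
func NewIgnoreMatcher(spec string) (*IgnoreMatcher, error) {
	m := &IgnoreMatcher{exact: map[int]bool{}, classes: map[int]bool{}}
	for _, item := range strings.Split(spec, ",") {
		item = strings.TrimSpace(item)
		switch {
		case item == "":
			continue
		case len(item) == 3 && item[1:] == "**" && item[0] >= '1' && item[0] <= '5':
			m.classes[int(item[0]-'0')] = true
		default:
			code, err := strconv.Atoi(item)
			if err != nil || code < 100 || code > 599 {
				return nil, fmt.Errorf("bad status code pattern %q", item)
			}
			m.exact[code] = true
		}
	}
	return m, nil
}

// Ignored reports whether a response with this status code should be dropped.
func (m *IgnoreMatcher) Ignored(code int) bool {
	return m.exact[code] || m.classes[code/100]
}

func main() {
	// Constructed inputs mirroring the README examples.
	ports, _ := ParsePortSpec("21,25,80,20-23")
	fmt.Println("ports:", ports)
	m, _ := NewIgnoreMatcher("5**,401")
	for _, c := range []int{200, 401, 404, 503} {
		fmt.Printf("status %d ignored: %v\n", c, m.Ignored(c))
	}
}
```

Rejecting out-of-range input instead of clamping it is deliberate: a typo such as "8O" or "0-10" should stop the scan rather than silently widen or narrow it.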

Contributing 🛠

Just open an issue/pull request. See also CONTRIBUTING.md and CODE OF CONDUCT.md

Help me build this!

A special thanks to danielmiessler, whose lists are used here; and to sonarSearch.

To do:

  • Tests ( 😂 )

  • Tor support

  • Proxy support

  • JSON output

  • XML output

  • Plain output (print only results)

  • Scan only common ports

  • Add option to use a public database of known subdomains

  • Recursive Web crawling for subdomains and directories

  • Check input and if it's an IP try to change to hostname when dns or subdomain is active

  • Ignore responses by status codes (partially done, to do with *, e.g. -i 4**)

  • HTML output

  • Build an Input Struct and use it as parameter

  • Output color

  • Subdomains enumeration

  • DNS enumeration

  • Subdomains enumeration

  • Port enumeration

  • Directories enumeration

  • TXT output

If you liked it drop a ⭐

Contact me at edoardoottavianelli.it.

Comments
  • Better protocol handling

    When the user inputs a target, for example https://www.edoardoottavianelli.it, scilla should remember that the user inputted that protocol, and not try to use http or another protocol.
    The protocol handling is currently very confusing, as we can see in the main.go file.

  • Spyse implementation

    Describe the solution you'd like: We are suggesting you add Spyse as one of the data sources for DNS, subdomain enumeration, retrieving web information, hosts, certificates, and ports. The potential is immense. Contact us if you need any help or a free subscription to make it free for users.

    Describe alternatives you've considered: Alternatives could be Shodan or Censys.

    Additional context: I'm offering Spyse because it has different scanning and analyzing systems that provide clearer and sometimes larger amounts of data.

    Notice: I work for Spyse.

  • improvement: updated spyse module with rate-limiting support, added deep pagination

    Hi there, I made a Spyse integration update due to changes in the go-spyse lib:

    • we added request rate-limiting to avoid the too_many_requests error.

    Also, I added deep pagination to increase the number of subdomain search results, but I limited it to 20k results because there can be more than 1 million results and we cannot currently limit their number in any way.

    Please get in touch with me if you need a free Spyse API token to test the PR. Best regards.

  • Ignore Responses by Status Code Option

    I would like to choose a status code (or maybe better an array of status codes) to be ignored. To be clear, if I add:

    • -ignore 404 I would like to ignore all the responses having 404 as Status code.
    • -ignore 404,301 I would like to ignore all the responses having 404 or 301 as Status code.

    Maybe it would be useful to have something like this to ignore entire classes of status codes: -ignore 4**

  • Subdomain Enumeration Does Not Work

    Summary: Scilla has a feature to enumerate the target's subdomains. When you give the input target and run it, it returns an error like the one below:

    target: google.com
    2020/12/22 17:29:57 failed to open /usr/bin/lists/subdomains.txt

    I am running scilla in WSL Ubuntu 20.04

    To Reproduce: Steps to reproduce the behavior:

    1. git clone the repository
    2. go build
    3. cp the scilla build file to /usr/local/bin
    4. run the following:
    scilla subdomain -target google.com

    Expected behavior: It should return subdomains as output.


  • Writing results of only valid live subdomains to a txt file

    I don't know if this works or not, or if it does, whether it writes output somewhere other than the path I give. If so, how do I do this: writing output to a txt file in a specific path?

  • Windows batch installer doesn't work

    This batch installer doesn't work very well.

    On my machine (Windows 10 Home):

    set GO111MODULE=
    set GOARCH=amd64
    set GOBIN=
    set GOCACHE=C:\Users\edoar\AppData\Local\go-build
    set GOENV=C:\Users\edoar\AppData\Roaming\go\env
    set GOEXE=.exe
    set GOFLAGS=
    set GOHOSTARCH=amd64
    set GOHOSTOS=windows
    set GOINSECURE=
    set GOMODCACHE=C:\Users\edoar\go\pkg\mod
    set GONOPROXY=
    set GONOSUMDB=
    set GOOS=windows
    set GOPATH=C:\Users\edoar\go
    set GOPRIVATE=
    set GOPROXY=https://proxy.golang.org,direct
    set GOROOT=c:\go
    set GOSUMDB=sum.golang.org
    set GOTMPDIR=
    set GOTOOLDIR=c:\go\pkg\tool\windows_amd64
    set GCCGO=gccgo
    set AR=ar
    set CC=gcc
    set CXX=g++
    set CGO_ENABLED=1
    set GOMOD=C:\Users\edoar\Desktop\github\scilla\go.mod
    set CGO_CFLAGS=-g -O2
    set CGO_CPPFLAGS=
    set CGO_CXXFLAGS=-g -O2
    set CGO_FFLAGS=-g -O2
    set CGO_LDFLAGS=-g -O2
    set PKG_CONFIG=pkg-config
    set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\edoar\AppData\Local\Temp\go-build007528046=/tmp/go-build -gno-record-gcc-switches
    

    there are some unidentified problems

  • Clean output when crawler is active

    Maybe it would be useful to clean the results of GET parameters.

    Example. Now:

    https://www.example.com/blog/2021/03/05/images/?id=sutb4wt73ct7q38tyqycbatb78cwytt73vwv7&page=3&auth=rgvtv7at4ithbitv4b4yiy4abqat4ht4ivuykcgt4ku3gctq

    Then: https://www.example.com/blog/2021/03/05/images
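Two of the issues above (remembering the scheme the user typed instead of guessing http, and stripping GET parameters from crawled URLs) both come down to parsing input with net/url once and keeping only the parts that matter. The program below is an added example, not scilla's code: ParseTarget records the user's http/https scheme and rejects other schemes, BaseURL rebuilds the URL to probe, and CleanCrawledURL reduces a crawler hit to its scheme, host and path. The http fallback for scheme-less input and every name here are assumptions of this example; the sample URLs are the ones from the issues.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Target records what the user actually typed: the scheme, if any, and the
// bare host. An empty Scheme means the input had none and the caller decides.
type Target struct {
	Scheme string // "http", "https" or "" when the input had no scheme
	Host   string // host name only: no scheme, port or path
}

// ParseTarget keeps the protocol the user supplied instead of guessing.
// "https://www.example.com/x" yields {https, www.example.com}; a bare
// "example.com" yields {"", example.com}. Non-web schemes are rejected.
func ParseTarget(input string) (Target, error) {
	input = strings.TrimSpace(input)
	if input == "" {
		return Target{}, fmt.Errorf("empty target")
	}
	if !strings.Contains(input, "://") {
		// Bare host, possibly with a path: prepend a dummy scheme so net/url
		// can split the host from the rest.
		u, err := url.Parse("bare://" + input)
		if err != nil || u.Hostname() == "" {
			return Target{}, fmt.Errorf("bad target %q", input)
		}
		return Target{Host: u.Hostname()}, nil
	}
	u, err := url.Parse(input)
	if err != nil || u.Hostname() == "" {
		return Target{}, fmt.Errorf("bad target %q", input)
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "http" && scheme != "https" {
		return Target{}, fmt.Errorf("unsupported scheme %q in %q", u.Scheme, input)
	}
	return Target{Scheme: scheme, Host: u.Hostname()}, nil
}

// BaseURL is the URL to probe. Falling back to http for scheme-less input is
// an assumption of this example, not scilla's documented behaviour.
func (t Target) BaseURL() string {
	scheme := t.Scheme
	if scheme == "" {
		scheme = "http"
	}
	return scheme + "://" + t.Host
}

// CleanCrawledURL drops the query string, fragment and trailing slash from a
// URL the crawler found, so variants of one path collapse into one result.
func CleanCrawledURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	u.RawQuery = ""
	u.ForceQuery = false
	u.Fragment = ""
	u.Path = strings.TrimSuffix(u.Path, "/")
	return u.String(), nil
}

func main() {
	t, _ := ParseTarget("https://www.edoardoottavianelli.it")
	fmt.Println(t.Scheme, t.Host, t.BaseURL())
	c, _ := CleanCrawledURL("https://www.example.com/blog/2021/03/05/images/?id=sutb4wt73ct7q38tyqycbatb78cwytt73vwv7&page=3&auth=rgvtv7at4ithbitv4b4yiy4abqat4ht4ivuykcgt4ku3gctq")
	fmt.Println(c)
}
```

Stripping the query also keeps session tokens and similar parameter values, like the auth value in the issue's example, out of the report file.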

  • docker build an error occurs

    System: Kali Linux. When I try docker build, an error occurs:

    git clone https://github.com/edoardottt/scilla.git
    cd scilla
    docker build -t scilla .
    

    Error message:

    [4/5] RUN go install -v ./...: #6 3.564 go: golang.org/x/[email protected] requires #6 3.564 golang.org/x/[email protected]: missing go.sum entry; to add it: #6 3.564 go mod download golang.org/x/sys

    executor failed running [/bin/sh -c go install -v ./...]: exit code: 1

  • about Building from source

    How can I do the upgrade? Because I don't see any description of "update" 🙈

  • UDP Port scanning

    Now scilla can only perform tcp port scanning. (scilla port -target <TARGET> + other flags).

    Add a -u flag to the port subcommand to perform UDP port scanning.

  • Create an appropriate data structure for subs and dirs result

    Whenever scilla produces new results (dirs or subs) and wants to print them, it looks through the whole array of Assets to find the ones whose Printed value is false. So, to speed up performance we can do two things. First, create a new data structure with two fields:

    type Result struct {
        assets []Asset
        ?   // second field, see below
    }

    The second field can be a boolean, meaning it can be changed to true (or false, it depends) when you have to print something, or a couple of integers telling us the printed values and the total value. In this second case we don't need the Printed item in Asset....

    Another thing we can do to speed up performance is to print the results in reverse order, starting from the last found and going up to the first; when we encounter a Printed == true, it means we don't have more values to print.
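Both ideas in the issue above rely on the same property: results are only ever appended, so the unprinted ones are always a suffix of the slice. The program below is an added example of the two variants and is not scilla's code: Result keeps the assets plus a printed counter (the "couple of integers" option), so printing new results costs time proportional to the new results only; UnprintedReverse is the backwards scan over a plain slice that stops at the first Printed == true. All names are this example's own and the sample discoveries in main are constructed.

```go
package main

import "fmt"

// Asset is one discovered subdomain or directory. Printed is the flag the
// current code scans for; it is kept here so the reverse-scan variant works.
type Asset struct {
	Value   string
	Printed bool
}

// Result is the structure the issue sketches: the assets plus a counter of how
// many have already been printed. Assets are only ever appended, so everything
// at index >= printed is new and no scan of the whole slice is needed.
type Result struct {
	assets  []Asset
	printed int
}

// Add records a newly found asset.
func (r *Result) Add(value string) {
	r.assets = append(r.assets, Asset{Value: value})
}

// Unprinted returns the assets not yet printed, in discovery order, and
// advances the counter. Cost is proportional to the new assets only.
func (r *Result) Unprinted() []string {
	out := make([]string, 0, len(r.assets)-r.printed)
	for i := r.printed; i < len(r.assets); i++ {
		out = append(out, r.assets[i].Value)
		r.assets[i].Printed = true
	}
	r.printed = len(r.assets)
	return out
}

// Counts reports (printed, total), the two integers the issue proposes as the
// alternative to a boolean second field.
func (r *Result) Counts() (int, int) {
	return r.printed, len(r.assets)
}

// UnprintedReverse is the issue's second idea applied to a plain slice: walk
// backwards from the newest asset and stop at the first one already printed.
// The result is reversed again so it prints in discovery order.
func UnprintedReverse(assets []Asset) []string {
	var out []string
	for i := len(assets) - 1; i >= 0 && !assets[i].Printed; i-- {
		out = append(out, assets[i].Value)
		assets[i].Printed = true
	}
	for i, j := 0, len(out)-1; i < j; i, j = i+1, j-1 {
		out[i], out[j] = out[j], out[i]
	}
	return out
}

func main() {
	// Constructed sample discoveries; not real scan output.
	r := &Result{}
	r.Add("dev.example.com")
	r.Add("mail.example.com")
	fmt.Println("first batch:", r.Unprinted())
	r.Add("vpn.example.com")
	fmt.Println("second batch:", r.Unprinted())
	printed, total := r.Counts()
	fmt.Printf("printed %d of %d\n", printed, total)
}
```

Both variants assume a single goroutine appends and prints; if the crawler appends from other goroutines, guard Result with a sync.Mutex, otherwise the counter and the slice can disagree.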
