Information Gathering tool - DNS / Subdomains / Ports / Directories enumeration

Coded with 💙 by edoardottt.

Installation 📡

  • First of all, clone the repo locally

    • git clone https://github.com/edoardottt/scilla.git
    • cd scilla
  • Scilla has external dependencies, so they need to be pulled in:

    • go get
  • Linux (requires elevated privileges, run with sudo):

    • make linux (to install)

    • make unlinux (to uninstall)

  • Windows (the executable works only in the scilla folder. Alias?):

    • make windows (to install) or .\make.bat windows (powershell)

    • make unwindows (to uninstall) or .\make.bat unwindows (powershell)

  • Other commands:

    • make fmt: runs the golang formatter.

    • make update: Update.

    • make remod: Remod.

    • make test: runs the tests (empty now..)

Get Started 🎉

scilla help prints the help in the command line.

usage: scilla subcommand { options }

   Available subcommands:
       - dns [-o output-format]
             [-plain Print only results]
             -target  REQUIRED
       - port [-p  or ports divided by comma]
              [-o output-format]
              [-common scan common ports]
              [-plain Print only results]
              -target  REQUIRED
       - subdomain [-w wordlist]
                   [-o output-format]
                   [-i ignore status codes]
                   [-c use also a web crawler]
                   [-db use also a public database]
                   [-plain Print only results]
                   -target  REQUIRED
       - dir [-w wordlist]
             [-o output-format]
             [-i ignore status codes]
             [-c use also a web crawler]
             [-plain Print only results]
             -target  REQUIRED
       - report [-p  or ports divided by comma]
                [-ws subdomains wordlist]
                [-wd directories wordlist]
                [-o output-format]
                [-id ignore status codes in directories scanning]
                [-is ignore status codes in subdomains scanning]
                [-cd use also a web crawler for directories scanning]
                [-cs use also a web crawler for subdomains scanning]
                [-db use also a public database for subdomains scanning]
                [-common scan common ports]
                -target  REQUIRED
       - help
       - examples

Examples 💡

  • DNS enumeration:

    • scilla dns -target target.domain
    • scilla dns -o txt -target target.domain
    • scilla dns -o html -target target.domain
    • scilla dns -plain -target target.domain
  • Subdomains enumeration:

    • scilla subdomain -target target.domain
    • scilla subdomain -w wordlist.txt -target target.domain
    • scilla subdomain -o txt -target target.domain
    • scilla subdomain -o html -target target.domain
    • scilla subdomain -i 400 -target target.domain
    • scilla subdomain -i 4** -target target.domain
    • scilla subdomain -c -target target.domain
    • scilla subdomain -db -target target.domain
    • scilla subdomain -plain -target target.domain
  • Directories enumeration:

    • scilla dir -target target.domain
    • scilla dir -w wordlist.txt -target target.domain
    • scilla dir -o txt -target target.domain
    • scilla dir -o html -target target.domain
    • scilla dir -i 500,401 -target target.domain
    • scilla dir -i 5**,401 -target target.domain
    • scilla dir -c -target target.domain
    • scilla dir -plain -target target.domain
  • Ports enumeration:

    • Default (all ports, so 1-65535): scilla port -target target.domain
    • Specifying ports range: scilla port -p 20-90 -target target.domain
    • Specifying starting port (until the last one): scilla port -p 20- -target target.domain
    • Specifying ending port (from the first one): scilla port -p -90 -target target.domain
    • Specifying single port: scilla port -p 80 -target target.domain
    • Specifying output format (txt): scilla port -o txt -target target.domain
    • Specifying output format (html): scilla port -o html -target target.domain
    • Specifying multiple ports: scilla port -p 21,25,80 -target target.domain
    • Specifying common ports: scilla port -common -target target.domain
    • Print only results: scilla port -plain -target target.domain
  • Full report:

    • Default (all ports, so 1-65535): scilla report -target target.domain
    • Specifying ports range: scilla report -p 20-90 -target target.domain
    • Specifying starting port (until the last one): scilla report -p 20- -target target.domain
    • Specifying ending port (from the first one): scilla report -p -90 -target target.domain
    • Specifying single port: scilla report -p 80 -target target.domain
    • Specifying output format (txt): scilla report -o txt -target target.domain
    • Specifying output format (html): scilla report -o html -target target.domain
    • Specifying directories wordlist: scilla report -wd dirs.txt -target target.domain
    • Specifying subdomains wordlist: scilla report -ws subdomains.txt -target target.domain
    • Specifying status codes to be ignored in directories scanning: scilla report -id 500,501,502 -target target.domain
    • Specifying status codes to be ignored in subdomains scanning: scilla report -is 500,501,502 -target target.domain
    • Specifying status code classes to be ignored in directories scanning: scilla report -id 5**,4** -target target.domain
    • Specifying status code classes to be ignored in subdomains scanning: scilla report -is 5**,4** -target target.domain
    • Use also a web crawler for directories enumeration: scilla report -cd -target target.domain
    • Use also a web crawler for subdomains enumeration: scilla report -cs -target target.domain
    • Use also a public database for subdomains enumeration: scilla report -db -target target.domain
    • Specifying multiple ports: scilla report -p 21,25,80 -target target.domain
    • Specifying common ports: scilla report -common -target target.domain
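
The -p forms used by the port and report examples above can be parsed and validated as in the following added example. It is not scilla's own code; the names PortRange, parsePort and ParsePortSpec are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const (
	minPort = 1
	maxPort = 65535 // highest valid TCP port
)

// PortRange is an inclusive range of ports (hypothetical type).
type PortRange struct{ Start, End int }

// parsePort converts s to a port number and rejects values outside 1-65535.
func parsePort(s string) (int, error) {
	n, err := strconv.Atoi(s)
	if err != nil || n < minPort || n > maxPort {
		return 0, fmt.Errorf("invalid port %q", s)
	}
	return n, nil
}

// ParsePortSpec parses the -p forms listed above: "80", "20-90",
// "20-" (up to the last port), "-90" (from the first port) and
// comma-separated lists such as "21,25,80".
func ParsePortSpec(spec string) ([]PortRange, error) {
	var out []PortRange
	for _, item := range strings.Split(spec, ",") {
		item = strings.TrimSpace(item)
		if item == "" || item == "-" {
			return nil, fmt.Errorf("empty item in port spec %q", spec)
		}
		parts := strings.SplitN(item, "-", 2)
		r := PortRange{Start: minPort, End: maxPort}
		var err error
		if parts[0] != "" { // explicit lower bound
			if r.Start, err = parsePort(parts[0]); err != nil {
				return nil, err
			}
		}
		if len(parts) == 1 { // single port
			r.End = r.Start
		} else if parts[1] != "" { // explicit upper bound
			if r.End, err = parsePort(parts[1]); err != nil {
				return nil, err
			}
		}
		if r.Start > r.End {
			return nil, fmt.Errorf("reversed range %q", item)
		}
		out = append(out, r)
	}
	return out, nil
}

func main() {
	for _, spec := range []string{"20-90", "20-", "-90", "21,25,80", "90-20", "70000"} {
		ranges, err := ParsePortSpec(spec)
		fmt.Printf("%-10q -> %v %v\n", spec, ranges, err)
	}
}
```

Rejecting malformed items outright keeps a typo such as a reversed or out-of-range value from silently turning into a scan of every port.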

Contributing 🛠

Just open an issue/pull request. See also CONTRIBUTING.md and CODE OF CONDUCT.md

Help me build this!

Special thanks to danielmiessler, whose lists are used, and to sonarSearch.

To do:

  • Tests ( 😂 )

  • Tor support

  • Proxy support

  • JSON output

  • XML output

  • Plain output (print only results)

  • Scan only common ports

  • Add option to use a public database of known subdomains

  • Recursive Web crawling for subdomains and directories

  • Check input and if it's an IP try to change to hostname when dns or subdomain is active

  • Ignore responses by status codes (partially done, to do with *, e.g. -i 4**)

  • HTML output

  • Build an Input Struct and use it as parameter

  • Output color

  • Subdomains enumeration

  • DNS enumeration

  • Subdomains enumeration

  • Port enumeration

  • Directories enumeration

  • TXT output

If you liked it drop a

Contact me at edoardoottavianelli.it.

Edoardo Ottavianelli
Comments
  • Better protocol handling

    When the user inputs a target, for example https://www.edoardoottavianelli.it, scilla should remember that the user inputted that protocol, and not try to use http or another protocol.
    The protocol handling is currently very confusing, as we can see in the main.go file.

    bug enhancement 
    opened by edoardottt 7
  • Spyse implementation

    Describe the solution you'd like: We are suggesting you add Spyse as one of the data sources for: DNS, subdomain enumeration, retrieving web information, hosts, certificates, and ports. Potential is immense. Contact us if you need any help or a free subscription to make it free for users.

    Describe alternatives you've considered: Alternatives could be shodan or censys.

    Additional context: I'm offering Spyse because it has different scanning and analyzing systems that provide clearer and sometimes larger amounts of data.

    Notice: I work for Spyse.

    enhancement GopherZone 
    opened by Luci-d 7
  • improvement: updated spyse module with rate-limiting support, added deep pagination

    Hi there, I made a Spyse integration update due to changes in the go-spyse lib:

    • we added request rate-limiting to avoid the too_many_requests error.

    Also, I added deep pagination to increase the count of subdomain search results, but I limited it to 20k results because there can be more than 1 million results and we cannot currently limit their number in any way.

    Please get in touch with me if you need a free Spyse API token to test the PR. Best regards.

    opened by pokerok 5
  • Ignore Responses by Status Code Option

    I would like to choose a status code (or maybe better an array of status codes) to be ignored. To be clear, if I add:

    • -ignore 404 I would like to ignore all the responses having 404 as status code.
    • -ignore 404,301 I would like to ignore all the responses having 404 or 301 as status code.

    Maybe it would be useful to have something like this to ignore entire classes of status codes: -ignore 4**

    enhancement good first issue GopherZone 
    opened by edoardottt 4
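
The ignore list described in this request, with exact codes and whole classes such as 4**, can be parsed and applied as in this added example. It is not scilla's implementation; IgnoreSet, ParseIgnore, Response and Filter are hypothetical names, and the sample responses are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// IgnoreSet holds exact status codes and whole classes (4 stands for 4**).
type IgnoreSet struct {
	codes   map[int]bool
	classes map[int]bool
}

// ParseIgnore parses values such as "404", "500,401" or "5**,401".
func ParseIgnore(spec string) (*IgnoreSet, error) {
	set := &IgnoreSet{codes: map[int]bool{}, classes: map[int]bool{}}
	for _, item := range strings.Split(spec, ",") {
		item = strings.TrimSpace(item)
		// Three characters, first one a digit 1-5 (HTTP classes 1xx-5xx).
		if len(item) != 3 || item[0] < '1' || item[0] > '5' {
			return nil, fmt.Errorf("invalid status code %q", item)
		}
		if item[1:] == "**" { // class form, e.g. 4**
			set.classes[int(item[0]-'0')] = true
			continue
		}
		code, err := strconv.Atoi(item)
		if err != nil { // rejects mixed forms such as "4*0"
			return nil, fmt.Errorf("invalid status code %q", item)
		}
		set.codes[code] = true
	}
	return set, nil
}

// Ignored reports whether a response with this status should be dropped.
func (s *IgnoreSet) Ignored(status int) bool {
	return s.codes[status] || s.classes[status/100]
}

// Response is a constructed stand-in for one scan result.
type Response struct {
	Path   string
	Status int
}

// Filter returns the responses that are not ignored.
func Filter(in []Response, s *IgnoreSet) []Response {
	var kept []Response
	for _, r := range in {
		if !s.Ignored(r.Status) {
			kept = append(kept, r)
		}
	}
	return kept
}

func main() {
	set, err := ParseIgnore("5**,401")
	if err != nil {
		panic(err)
	}
	sample := []Response{{"/admin", 401}, {"/api", 503}, {"/login", 200}, {"/old", 404}}
	fmt.Println(Filter(sample, set))
}
```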
  • Subdomain Enumeration Does not Working

    Summary: Scilla has a feature to enumerate the target's subdomains. When you give the input target and run it, it returns an error like below:

    target: google.com
    2020/12/22 17:29:57 failed to open /usr/bin/lists/subdomains.txt
    

    I am running scilla in WSL Ubuntu 20.04

    To Reproduce Steps to reproduce the behavior:

    1. git clone the repository
    2. go build
    3. cp scilla build file to /usr/local/bin
    4. run the following
    scilla subdomain -target google.com
    

    Expected behavior: It should return subdomains as output.

    opened by thevillagehacker 4
  • Writing results of only valid live  subdomains to a txt file

    I don't know if this works or not, or if it does but writes the output somewhere other than the path I give. If so, how do I do this? How do I write the output to a txt file in a specific path?

    enhancement 
    opened by excep 3
  • Windows batch installer doesn't work

    This batch installer doesn't work very well.

    On my machine (Windows 10 Home):

    set GO111MODULE=
    set GOARCH=amd64
    set GOBIN=
    set GOCACHE=C:\Users\edoar\AppData\Local\go-build
    set GOENV=C:\Users\edoar\AppData\Roaming\go\env
    set GOEXE=.exe
    set GOFLAGS=
    set GOHOSTARCH=amd64
    set GOHOSTOS=windows
    set GOINSECURE=
    set GOMODCACHE=C:\Users\edoar\go\pkg\mod
    set GONOPROXY=
    set GONOSUMDB=
    set GOOS=windows
    set GOPATH=C:\Users\edoar\go
    set GOPRIVATE=
    set GOPROXY=https://proxy.golang.org,direct
    set GOROOT=c:\go
    set GOSUMDB=sum.golang.org
    set GOTMPDIR=
    set GOTOOLDIR=c:\go\pkg\tool\windows_amd64
    set GCCGO=gccgo
    set AR=ar
    set CC=gcc
    set CXX=g++
    set CGO_ENABLED=1
    set GOMOD=C:\Users\edoar\Desktop\github\scilla\go.mod
    set CGO_CFLAGS=-g -O2
    set CGO_CPPFLAGS=
    set CGO_CXXFLAGS=-g -O2
    set CGO_FFLAGS=-g -O2
    set CGO_LDFLAGS=-g -O2
    set PKG_CONFIG=pkg-config
    set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\edoar\AppData\Local\Temp\go-build007528046=/tmp/go-build -gno-record-gcc-switches
    

    there are some unidentified problems

    bug help wanted good first issue invalid hacktoberfest hacktoberfest2020 
    opened by edoardottt 3
  • Clean output when crawler is active

    Maybe it would be useful to clean the GET parameters from the results.

    Example: Now:

    https://www.example.com/blog/2021/03/05/images/?id=sutb4wt73ct7q38tyqycbatb78cwytt73vwv7&page=3&auth=rgvtv7at4ithbitv4b4yiy4abqat4ht4ivuykcgt4ku3gctq
    

    Then: https://www.example.com/blog/2021/03/05/images

    opened by edoardottt 2
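
The clean-up requested here also keeps values such as the auth parameter in the sample URL out of saved reports. An added example (not scilla's code) that strips query and fragment and de-duplicates the result; CleanURL and CleanAll are hypothetical names and the crawled URLs are constructed:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// CleanURL removes the query string and fragment from an absolute URL and
// trims the trailing slash, so only scheme, host and path are reported.
func CleanURL(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("not an absolute URL: %q", raw)
	}
	u.RawQuery, u.ForceQuery = "", false
	u.Fragment, u.RawFragment = "", ""
	u.Path = strings.TrimRight(u.Path, "/")
	u.RawPath = strings.TrimRight(u.RawPath, "/")
	return u.String(), nil
}

// CleanAll cleans every crawled URL and keeps one copy of each result,
// in first-seen order. Entries that are not absolute URLs are skipped.
func CleanAll(crawled []string) []string {
	seen := make(map[string]bool)
	var out []string
	for _, raw := range crawled {
		c, err := CleanURL(raw)
		if err != nil || seen[c] {
			continue
		}
		seen[c] = true
		out = append(out, c)
	}
	return out
}

func main() {
	// Constructed crawler output; the parameter values are placeholders.
	crawled := []string{
		"https://www.example.com/blog/2021/03/05/images/?id=abc123&page=3&auth=PLACEHOLDER",
		"https://www.example.com/blog/2021/03/05/images/?page=4",
		"https://www.example.com/blog/2021/03/05/images#top",
		"/relative/link?x=1",
	}
	for _, u := range CleanAll(crawled) {
		fmt.Println(u)
	}
}
```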
  • UDP Port scanning

    Now scilla can only perform TCP port scanning. (scilla port -target <TARGET> + other flags).

    Add a -u flag to the port subcommand to perform UDP port scanning.

    opened by edoardottt 1
  • Create an appropriate data structure for subs and dirs result

    Whenever scilla produces new results (dirs or subs) and it wants to print them, it looks through the whole array of Assets to check whether the Printed value is set to false. So, to speed up the performance we can do two things: Create a new data structure with two fields:

    type Result struct {
        assets []Asset
        // second field: still to be decided, see below
    }

    The second field can be a boolean, and this means that it can be changed to true (or false, it depends) when you have to print something, or a couple of integers telling us the printed values and the total value. In this second case we don't need the Printed item in Asset....

    Another thing we can do to speed up performance is to print the results in reverse order, starting from the last found and going up to the first; when we encounter a Printed == true, it means we don't have more values to print.

    opened by edoardottt 1
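
The "couple of integers" variant proposed in this issue can be written as below. This is an added example, not code from the scilla repository; the Asset shape, the mutex, the duplicate check and the method names are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"sync"
)

// Asset is one discovered subdomain or directory (simplified, hypothetical).
type Asset struct{ Value string }

// Result keeps assets in discovery order plus the count already printed,
// so no per-asset Printed flag and no full rescan are needed.
type Result struct {
	mu      sync.Mutex
	assets  []Asset
	seen    map[string]bool
	printed int // assets[:printed] have already been emitted
}

func NewResult() *Result { return &Result{seen: make(map[string]bool)} }

// Add stores a new asset; it returns false for a duplicate.
func (r *Result) Add(value string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.seen[value] {
		return false
	}
	r.seen[value] = true
	r.assets = append(r.assets, Asset{Value: value})
	return true
}

// Pending returns only the assets added since the last call and marks
// them as printed. The cost is proportional to the new items only.
func (r *Result) Pending() []Asset {
	r.mu.Lock()
	defer r.mu.Unlock()
	batch := append([]Asset(nil), r.assets[r.printed:]...)
	r.printed = len(r.assets)
	return batch
}

// Progress reports the pair of integers: printed and total.
func (r *Result) Progress() string {
	r.mu.Lock()
	defer r.mu.Unlock()
	return fmt.Sprintf("%d/%d printed", r.printed, len(r.assets))
}

func main() {
	res := NewResult()
	var wg sync.WaitGroup
	for _, v := range []string{"www", "mail", "www", "dev"} { // constructed values
		wg.Add(1)
		go func(v string) { defer wg.Done(); res.Add(v) }(v)
	}
	wg.Wait()
	fmt.Println(res.Pending(), res.Progress())
}
```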
  • Add new option

    Add new option -q or -quiet to print only results and no banner and no other output to put scilla in a chain.

    Example:

    scilla subdomain -quiet -target target.domain | other-command

    enhancement good first issue GopherZone 
    opened by edoardottt 1
  • docker build an error occurs

    System: Kali Linux. When I try docker build, an error occurs.

    git clone https://github.com/edoardottt/scilla.git
    cd scilla
    docker build -t scilla .
    

    Error message:

    [4/5] RUN go install -v ./...:
    #6 3.564 go: golang.org/x/[email protected] requires
    #6 3.564 golang.org/x/[email protected]: missing go.sum entry; to add it:
    #6 3.564 go mod download golang.org/x/sys

    executor failed running [/bin/sh -c go install -v ./...]: exit code: 1

    about Building from source

    How can I do the upgrade? Because I don't see any description of "update" :see_no_evil:

    opened by Trapshell 1
Releases(v1.2.3)
Owner
gilfoyle97
MSc Cybersecurity Student | @python | @golang | Linux | Bash