stackscan 2.1.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- stackscan-2.1.0/.gitignore +135 -0
- stackscan-2.1.0/LICENSE +18 -0
- stackscan-2.1.0/PKG-INFO +341 -0
- stackscan-2.1.0/README.md +303 -0
- stackscan-2.1.0/pyproject.toml +174 -0
- stackscan-2.1.0/scripts/build_cve_db.py +203 -0
- stackscan-2.1.0/src/stackscan/__init__.py +5 -0
- stackscan-2.1.0/src/stackscan/__main__.py +4 -0
- stackscan-2.1.0/src/stackscan/analyzers/__init__.py +29 -0
- stackscan-2.1.0/src/stackscan/analyzers/creds.py +218 -0
- stackscan-2.1.0/src/stackscan/analyzers/cve.py +458 -0
- stackscan-2.1.0/src/stackscan/analyzers/exposure.py +73 -0
- stackscan-2.1.0/src/stackscan/analyzers/infra.py +114 -0
- stackscan-2.1.0/src/stackscan/analyzers/security.py +26 -0
- stackscan-2.1.0/src/stackscan/analyzers/services.py +285 -0
- stackscan-2.1.0/src/stackscan/analyzers/tech.py +178 -0
- stackscan-2.1.0/src/stackscan/cli.py +750 -0
- stackscan-2.1.0/src/stackscan/config/__init__.py +19 -0
- stackscan-2.1.0/src/stackscan/config/sigdb_loader.py +74 -0
- stackscan-2.1.0/src/stackscan/config/sources.py +238 -0
- stackscan-2.1.0/src/stackscan/core/__init__.py +3 -0
- stackscan-2.1.0/src/stackscan/core/core.py +60 -0
- stackscan-2.1.0/src/stackscan/data/builtin.sigdb +0 -0
- stackscan-2.1.0/src/stackscan/data/cve.json.gz +0 -0
- stackscan-2.1.0/src/stackscan/data/reekeer-logo.png +0 -0
- stackscan-2.1.0/src/stackscan/data/subdomains.txt +522 -0
- stackscan-2.1.0/src/stackscan/export.py +574 -0
- stackscan-2.1.0/src/stackscan/net/__init__.py +22 -0
- stackscan-2.1.0/src/stackscan/net/dns.py +168 -0
- stackscan-2.1.0/src/stackscan/net/fingerprint.py +41 -0
- stackscan-2.1.0/src/stackscan/net/geo.py +70 -0
- stackscan-2.1.0/src/stackscan/net/ipinfo.py +94 -0
- stackscan-2.1.0/src/stackscan/net/ports.py +219 -0
- stackscan-2.1.0/src/stackscan/net/resolver.py +54 -0
- stackscan-2.1.0/src/stackscan/net/subdomains.py +457 -0
- stackscan-2.1.0/src/stackscan/net/tld.py +126 -0
- stackscan-2.1.0/src/stackscan/net/tls.py +78 -0
- stackscan-2.1.0/src/stackscan/render.py +541 -0
- stackscan-2.1.0/src/stackscan/scan.py +545 -0
- stackscan-2.1.0/src/stackscan/theme.py +23 -0
- stackscan-2.1.0/src/stackscan/types/__init__.py +43 -0
- stackscan-2.1.0/src/stackscan/types/models.py +18 -0
- stackscan-2.1.0/src/stackscan/types/output.py +367 -0
- stackscan-2.1.0/src/stackscan/utils/__init__.py +4 -0
- stackscan-2.1.0/src/stackscan/utils/paths.py +10 -0
- stackscan-2.1.0/src/stackscan/utils/urls.py +39 -0
- stackscan-2.1.0/tests/test_builtin_sigdb.py +15 -0
- stackscan-2.1.0/tests/test_cli_helpers.py +47 -0
- stackscan-2.1.0/tests/test_creds.py +41 -0
- stackscan-2.1.0/tests/test_cve.py +73 -0
- stackscan-2.1.0/tests/test_dns_records.py +25 -0
- stackscan-2.1.0/tests/test_export.py +77 -0
- stackscan-2.1.0/tests/test_extra.py +38 -0
- stackscan-2.1.0/tests/test_infra.py +34 -0
- stackscan-2.1.0/tests/test_ports.py +41 -0
- stackscan-2.1.0/tests/test_services.py +44 -0
- stackscan-2.1.0/tests/test_sources.py +43 -0
- stackscan-2.1.0/tests/test_subdomains.py +47 -0
- stackscan-2.1.0/tests/test_tech.py +47 -0
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
# Byte-compiled / optimized / DLL files
|
|
2
|
+
__pycache__/
|
|
3
|
+
*.py[cod]
|
|
4
|
+
*$py.class
|
|
5
|
+
|
|
6
|
+
# C extensions
|
|
7
|
+
*.so
|
|
8
|
+
|
|
9
|
+
# Distribution / packaging
|
|
10
|
+
.Python
|
|
11
|
+
build/
|
|
12
|
+
develop-eggs/
|
|
13
|
+
dist/
|
|
14
|
+
downloads/
|
|
15
|
+
eggs/
|
|
16
|
+
.eggs/
|
|
17
|
+
lib/
|
|
18
|
+
lib64/
|
|
19
|
+
parts/
|
|
20
|
+
sdist/
|
|
21
|
+
var/
|
|
22
|
+
wheels/
|
|
23
|
+
wheelhouse/
|
|
24
|
+
*.egg-info/
|
|
25
|
+
.installed.cfg
|
|
26
|
+
*.egg
|
|
27
|
+
MANIFEST
|
|
28
|
+
|
|
29
|
+
# PyInstaller
|
|
30
|
+
# Usually these files are written by a python script from a template
|
|
31
|
+
# before PyInstaller builds the exe, so as to inject date/other infos into it.
|
|
32
|
+
*.manifest
|
|
33
|
+
*.spec
|
|
34
|
+
|
|
35
|
+
# Installer logs
|
|
36
|
+
pip-log.txt
|
|
37
|
+
pip-delete-this-directory.txt
|
|
38
|
+
|
|
39
|
+
# Unit test / coverage reports
|
|
40
|
+
htmlcov/
|
|
41
|
+
.tox/
|
|
42
|
+
.nox/
|
|
43
|
+
.coverage
|
|
44
|
+
.coverage.*
|
|
45
|
+
.cache
|
|
46
|
+
nosetests.xml
|
|
47
|
+
coverage.xml
|
|
48
|
+
*.cover
|
|
49
|
+
.hypothesis/
|
|
50
|
+
.pytest_cache/
|
|
51
|
+
|
|
52
|
+
# Translations
|
|
53
|
+
*.mo
|
|
54
|
+
*.pot
|
|
55
|
+
|
|
56
|
+
# Django stuff:
|
|
57
|
+
*.log
|
|
58
|
+
local_settings.py
|
|
59
|
+
db.sqlite3
|
|
60
|
+
|
|
61
|
+
# Flask stuff:
|
|
62
|
+
instance/
|
|
63
|
+
.webassets-cache
|
|
64
|
+
|
|
65
|
+
# Scrapy stuff:
|
|
66
|
+
.scrapy
|
|
67
|
+
|
|
68
|
+
# Sphinx documentation
|
|
69
|
+
docs/_build/
|
|
70
|
+
|
|
71
|
+
# PyBuilder
|
|
72
|
+
target/
|
|
73
|
+
|
|
74
|
+
# Jupyter Notebook
|
|
75
|
+
.ipynb_checkpoints
|
|
76
|
+
|
|
77
|
+
# IPython
|
|
78
|
+
profile_default/
|
|
79
|
+
ipython_config.py
|
|
80
|
+
|
|
81
|
+
# pyenv
|
|
82
|
+
.python-version
|
|
83
|
+
|
|
84
|
+
# celery beat schedule file
|
|
85
|
+
celerybeat-schedule
|
|
86
|
+
|
|
87
|
+
# SageMath parsed files
|
|
88
|
+
*.sage.py
|
|
89
|
+
|
|
90
|
+
# Environments
|
|
91
|
+
.env
|
|
92
|
+
.venv
|
|
93
|
+
env/
|
|
94
|
+
venv/
|
|
95
|
+
ENV/
|
|
96
|
+
env.bak/
|
|
97
|
+
venv.bak/
|
|
98
|
+
|
|
99
|
+
# Spyder project settings
|
|
100
|
+
.spyderproject
|
|
101
|
+
.spyproject
|
|
102
|
+
|
|
103
|
+
# Rope project settings
|
|
104
|
+
.ropeproject
|
|
105
|
+
|
|
106
|
+
# mkdocs documentation
|
|
107
|
+
/site
|
|
108
|
+
|
|
109
|
+
# mypy
|
|
110
|
+
.mypy_cache/
|
|
111
|
+
.dmypy.json
|
|
112
|
+
dmypy.json
|
|
113
|
+
|
|
114
|
+
# IDEs
|
|
115
|
+
.vscode/
|
|
116
|
+
.idea/
|
|
117
|
+
*.swp
|
|
118
|
+
*.swo
|
|
119
|
+
*~
|
|
120
|
+
|
|
121
|
+
# Codex / Claude
|
|
122
|
+
AGENTS.md
|
|
123
|
+
|
|
124
|
+
# Local frameworks
|
|
125
|
+
frameworks.json
|
|
126
|
+
frameworks.schema.json
|
|
127
|
+
|
|
128
|
+
# OS generated files
|
|
129
|
+
.DS_Store
|
|
130
|
+
.DS_Store?
|
|
131
|
+
._*
|
|
132
|
+
.Spotlight-V100
|
|
133
|
+
.Trashes
|
|
134
|
+
ehthumbs.db
|
|
135
|
+
Thumbs.db
|
stackscan-2.1.0/LICENSE
ADDED
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
Copyright 2026 reekeer
|
|
2
|
+
|
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
|
4
|
+
this software and associated documentation files (the “Software”), to deal in the
|
|
5
|
+
Software without restriction, including without limitation the rights to use, copy,
|
|
6
|
+
modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
|
|
7
|
+
and to permit persons to whom the Software is furnished to do so, subject to the
|
|
8
|
+
following conditions:
|
|
9
|
+
|
|
10
|
+
The above copyright notice and this permission notice shall be included in all
|
|
11
|
+
copies or substantial portions of the Software.
|
|
12
|
+
|
|
13
|
+
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
|
|
14
|
+
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
|
|
15
|
+
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
|
|
16
|
+
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
17
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
|
|
18
|
+
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
stackscan-2.1.0/PKG-INFO
ADDED
|
@@ -0,0 +1,341 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: stackscan
|
|
3
|
+
Version: 2.1.0
|
|
4
|
+
Summary: Full web stack, infrastructure, DNS, port, subdomain and CVE analyzer.
|
|
5
|
+
Project-URL: Source, https://github.com/reekeer/stackscan
|
|
6
|
+
Project-URL: Issues, https://github.com/reekeer/stackscan/issues
|
|
7
|
+
Author: reekeer team
|
|
8
|
+
Maintainer-email: delewer <del@reekeer.hidden>
|
|
9
|
+
License: MIT
|
|
10
|
+
License-File: LICENSE
|
|
11
|
+
Keywords: cli,fingerprinting,osint,stack,tech,wappalyzer
|
|
12
|
+
Classifier: Development Status :: 4 - Beta
|
|
13
|
+
Classifier: Environment :: Console
|
|
14
|
+
Classifier: License :: OSI Approved :: MIT License
|
|
15
|
+
Classifier: Operating System :: OS Independent
|
|
16
|
+
Classifier: Programming Language :: Python :: 3
|
|
17
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
18
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
19
|
+
Classifier: Programming Language :: Python :: 3.13
|
|
20
|
+
Requires-Python: >=3.11
|
|
21
|
+
Requires-Dist: aiohttp>=3.9
|
|
22
|
+
Requires-Dist: dnspython>=2.6
|
|
23
|
+
Requires-Dist: python-nmap>=0.7
|
|
24
|
+
Requires-Dist: rich>=13.7
|
|
25
|
+
Requires-Dist: sigdb>=1.0.2
|
|
26
|
+
Provides-Extra: dev
|
|
27
|
+
Requires-Dist: black>=24.0; extra == 'dev'
|
|
28
|
+
Requires-Dist: build>=1.0; extra == 'dev'
|
|
29
|
+
Requires-Dist: cibuildwheel>=2.16; extra == 'dev'
|
|
30
|
+
Requires-Dist: geoip2>=4.8; extra == 'dev'
|
|
31
|
+
Requires-Dist: pyright>=1.1; extra == 'dev'
|
|
32
|
+
Requires-Dist: pytest>=8.0; extra == 'dev'
|
|
33
|
+
Requires-Dist: ruff>=0.5; extra == 'dev'
|
|
34
|
+
Requires-Dist: twine>=5.0; extra == 'dev'
|
|
35
|
+
Provides-Extra: geo
|
|
36
|
+
Requires-Dist: geoip2>=4.8; extra == 'geo'
|
|
37
|
+
Description-Content-Type: text/markdown
|
|
38
|
+
|
|
39
|
+
<h1 align="center">stackscan</h1>
|
|
40
|
+
|
|
41
|
+
<h4 align="center">Full web stack, infrastructure, DNS, port, subdomain and CVE analyzer — one command, one colorized report.</h4>
|
|
42
|
+
|
|
43
|
+
<p align="center">
|
|
44
|
+
<a href="LICENSE"><img src="https://img.shields.io/badge/License-MIT-green?style=for-the-badge&logo=opensourceinitiative&logoColor=FFFFFF" alt="License"></a>
|
|
45
|
+
<img src="https://img.shields.io/badge/Python-3.11%2B-blue?style=for-the-badge&logo=python&logoColor=white" alt="Python">
|
|
46
|
+
<img src="https://img.shields.io/badge/Platform-Linux%20%7C%20macOS%20%7C%20Windows-lightgrey?style=for-the-badge&logo=linux&logoColor=FCC624" alt="Platform">
|
|
47
|
+
<img src="https://img.shields.io/badge/code%20style-black-000000?style=for-the-badge" alt="black">
|
|
48
|
+
<img src="https://img.shields.io/badge/linting-ruff-orange?style=for-the-badge" alt="ruff">
|
|
49
|
+
<img src="https://img.shields.io/badge/type%20checked-pyright-4B8BBE?style=for-the-badge" alt="pyright">
|
|
50
|
+
<img src="https://img.shields.io/github/stars/reekeer/stackscan?style=for-the-badge&logo=github&logoColor=white" alt="Stars">
|
|
51
|
+
<img src="https://img.shields.io/github/last-commit/reekeer/stackscan?style=for-the-badge&logo=github&logoColor=white" alt="Last Commit">
|
|
52
|
+
</p>
|
|
53
|
+
|
|
54
|
+
---
|
|
55
|
+
|
|
56
|
+
**stackscan** takes one or more targets, fetches them over HTTP(S), and prints a
|
|
57
|
+
single colorized panel report covering the technology stack, the edge and
|
|
58
|
+
network infrastructure, full DNS, IP ownership, open ports, subdomains, and
|
|
59
|
+
known CVEs. A signature database and a compressed CVE database ship inside the
|
|
60
|
+
package, so it works out of the box.
|
|
61
|
+
|
|
62
|
+
Every default pass only reads what a server voluntarily returns. The **active**
|
|
63
|
+
passes — `--ports` and `--default-creds` — open connections the target did not
|
|
64
|
+
solicit and are opt-in. **Only scan systems you are authorized to test.**
|
|
65
|
+
|
|
66
|
+
---
|
|
67
|
+
|
|
68
|
+
## 📦 Installation
|
|
69
|
+
|
|
70
|
+
```bash
|
|
71
|
+
pip install "stackscan @ git+https://github.com/reekeer/stackscan.git"
|
|
72
|
+
|
|
73
|
+
# optional extra
|
|
74
|
+
pip install "stackscan[geo]" # offline IP geolocation via geoip2 + a MaxMind .mmdb
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
`nmap` is used for port scans when present; without it a pure-Python scanner is
|
|
78
|
+
used automatically.
|
|
79
|
+
|
|
80
|
+
---
|
|
81
|
+
|
|
82
|
+
## ✨ Features
|
|
83
|
+
|
|
84
|
+
### 🧩 Stack & infrastructure
|
|
85
|
+
- **Technologies** — 7.5k-technology bundled [sigdb](https://github.com/reekeer/sigdb), classified by category.
|
|
86
|
+
- **Edge** — CDN, WAF, reverse proxy and server software from response metadata.
|
|
87
|
+
- **TLS** — certificate issuer, SANs, validity window, protocol and cipher.
|
|
88
|
+
|
|
89
|
+
### 🌐 Network & DNS
|
|
90
|
+
- **Full DNS** — `A`/`AAAA`, reverse DNS, `CNAME`, `MX`, `NS`, `TXT`, `SOA`, `CAA`.
|
|
91
|
+
- **IP intelligence** — hosting org / ISP / ASN / location for non-CDN origins via [ipwho.is](https://ipwho.is).
|
|
92
|
+
- **Subdomains** — AXFR + the popularity-ranked [SecLists](https://github.com/danielmiessler/SecLists) DNS list over a fast async resolver pool, with wildcard filtering + TLS SANs.
|
|
93
|
+
|
|
94
|
+
### 🔎 Ports & vulnerabilities
|
|
95
|
+
- **Ports** — `nmap -sV` via `python-nmap`, or a built-in async connect scan with banner/HTTP/RTSP fingerprinting.
|
|
96
|
+
- **CVEs** — offline NVD-sourced database with per-match **confidence %** and CVSS **severity**; `--cve-online` adds a live lookup.
|
|
97
|
+
- **Default creds / open devices** — a bounded, authorized-only check for cameras / routers / panels reachable without a password or with factory-default logins (SecLists default-credentials).
|
|
98
|
+
|
|
99
|
+
### 🎛 Output
|
|
100
|
+
- Colorized per-target panels, a `--compact` table, or `--json`.
|
|
101
|
+
- Every run prints the banner and the total scan time.
|
|
102
|
+
|
|
103
|
+
---
|
|
104
|
+
|
|
105
|
+
## 🚀 Usage
|
|
106
|
+
|
|
107
|
+
```bash
|
|
108
|
+
# Scan one or more targets
|
|
109
|
+
stackscan example.com https://another.example
|
|
110
|
+
|
|
111
|
+
# Everything at once: ports, subdomains, online CVEs, IP info, default-cred check
|
|
112
|
+
stackscan --full example.com
|
|
113
|
+
|
|
114
|
+
# Individual deep passes
|
|
115
|
+
stackscan --ports --subdomains example.com
|
|
116
|
+
stackscan --cve-online example.com
|
|
117
|
+
|
|
118
|
+
# Speed / coverage knobs
|
|
119
|
+
stackscan --full --workers 500 --subdomain-limit 10000 example.com
|
|
120
|
+
stackscan --full --site-limit 10 --workers 200 example.com
|
|
121
|
+
|
|
122
|
+
# JSON (full detail, includes timing) or a compact table
|
|
123
|
+
stackscan --json example.com
|
|
124
|
+
stackscan --compact a.example b.example
|
|
125
|
+
```
|
|
126
|
+
|
|
127
|
+
Bare hostnames are normalized to `https://`.
|
|
128
|
+
|
|
129
|
+
## ⚡ Benchmark
|
|
130
|
+
|
|
131
|
+
Below are performance benchmarks conducted on two production targets using different scanning options (tested on Python 3.12 / macOS).
|
|
132
|
+
|
|
133
|
+
### 1. `github.com` Scan Performance
|
|
134
|
+
|
|
135
|
+
| Scan Mode | Command / Arguments | Execution Time (s) | Execution Time (ms) | Speed vs. Default (Baseline) |
|
|
136
|
+
| :--- | :--- | :---: | :---: | :---: |
|
|
137
|
+
| **Minimal Scan** | `--no-dns --no-tls --no-geo --no-ip-info --no-cve --no-probe` | **0.69s** | `690 ms` | **+86.09% faster** (7.2x) |
|
|
138
|
+
| **Default Scan** | *None (baseline)* | **4.96s** | `4960 ms` | *Baseline* |
|
|
139
|
+
| **Port Scan** | `--ports` | **6.10s** | `6100 ms` | **-22.98% slower** |
|
|
140
|
+
| **Full Active Scan** | `--full` | **64.99s** | `64990 ms` | **-1210.28% slower** |
|
|
141
|
+
|
|
142
|
+
### 2. `kmtn.ru` Deep Scan Performance
|
|
143
|
+
|
|
144
|
+
| Scan Mode | Command / Arguments | Execution Time | Findings |
|
|
145
|
+
| :--- | :--- | :---: | :--- |
|
|
146
|
+
| **Full Active Scan** | `--full --subdomain-limit 50 --site-limit 20` | **1m 8.4s (68s)** | 269 CVE(s), 64 critical, 29 port(s), 41 subdomain(s), 11 site(s) |
|
|
147
|
+
| **Fast Full Scan** | `--full --subdomain-limit 50 --workers 400 --site-limit 20` | **~32s** | 247 CVE(s), 63 critical, 15 port(s), 41 subdomain(s), 9 site(s) |
|
|
148
|
+
|
|
149
|
+
### 3. `microsoft.com` Scan Performance
|
|
150
|
+
|
|
151
|
+
| Scan Mode | Command / Arguments | Execution Time (s) | Execution Time (ms) | Speed vs. Default (Baseline) |
|
|
152
|
+
| :--- | :--- | :---: | :---: | :---: |
|
|
153
|
+
| **Minimal Scan** | `--no-dns --no-tls --no-geo --no-ip-info --no-cve --no-probe` | **0.98s** | `980 ms` | **+83.39% faster** (6.0x) |
|
|
154
|
+
| **Default Scan** | *None (baseline)* | **5.90s** | `5900 ms` | *Baseline* |
|
|
155
|
+
| **Port Scan** | `--ports` | **6.95s** | `6950 ms` | **-17.80% slower** |
|
|
156
|
+
|
|
157
|
+
> [!NOTE]
|
|
158
|
+
> * **Minimal Scan** only fetches the HTTP response and runs the offline technology matcher.
|
|
159
|
+
> * **Default Scan** resolves DNS (including CNAME/MX/NS/SOA), performs TLS handshake analysis, resolves GeoIP info, and queries IPWHOIS.
|
|
160
|
+
> * **Full Scan** triggers active subdomain enumeration (AXFR + wordlist), parallel smart port scanning of all resolved endpoints, vulnerability matching, and default credential brute-forcing.
|
|
161
|
+
|
|
162
|
+
---
|
|
163
|
+
|
|
164
|
+
## 🧭 Options
|
|
165
|
+
|
|
166
|
+
| Option | Default | Description |
|
|
167
|
+
| :--- | :---: | :--- |
|
|
168
|
+
| `--full` | off | Enable ports, subdomains, online CVEs, IP info, default-cred check. |
|
|
169
|
+
| `--ports` / `--no-nmap` | off | Active port scan (nmap, else Python) / force the Python scanner. |
|
|
170
|
+
| `--subdomains` | off | Enumerate subdomains (AXFR + wordlist + TLS SANs). |
|
|
171
|
+
| `--subdomain-limit` | `5000` | Max ranked labels to resolve (`0` = full list). |
|
|
172
|
+
| `--site-limit` | `20` | Max derived sites to analyze from discovered open ports (`0` = unlimited). |
|
|
173
|
+
| `--default-creds` | off | Bounded default-credential / open-device check. |
|
|
174
|
+
| `--cred-limit` | `50` | Max default-credential pairs per device (`0` = full SecLists list). |
|
|
175
|
+
| `--cve-online` | off | Also query NVD live for detected products. |
|
|
176
|
+
| `--workers` | `350` | Parallel workers for ports/subdomains/creds. |
|
|
177
|
+
| `--concurrency` | `10` | Concurrent targets. |
|
|
178
|
+
| `--sigdb` / `--no-builtin` / `--no-sources` | – | Signature database selection. |
|
|
179
|
+
| `--geoip-db` | – | MaxMind `.mmdb` for offline IP geolocation. |
|
|
180
|
+
| `--no-dns` / `--no-tls` / `--no-geo` / `--no-probe` / `--no-cve` / `--no-ip-info` | off | Skip a pass. |
|
|
181
|
+
| `--json` / `--compact` / `--no-banner` / `--show-empty` | off | Output control. |
|
|
182
|
+
| `-f`, `--file` / `--timeout` / `--port-timeout` / `--version` | – | Misc. |
|
|
183
|
+
|
|
184
|
+
---
|
|
185
|
+
|
|
186
|
+
## ⚙️ Configuration
|
|
187
|
+
|
|
188
|
+
- **Signature sources**: `stackscan sigdb add|list|update|remove …` (recorded under `$XDG_CONFIG_HOME/stackscan/`).
|
|
189
|
+
- **Downloaded wordlists** (SecLists DNS list, default-credential list): cached under `~/.local/stackscan/db/`.
|
|
190
|
+
- **Refresh the CVE database**: `python scripts/build_cve_db.py`.
|
|
191
|
+
|
|
192
|
+
---
|
|
193
|
+
|
|
194
|
+
## 🚀 Smart Scan Pipeline
|
|
195
|
+
|
|
196
|
+
The Smart Scan engine performs multiple analysis stages to collect infrastructure, technology, and security information about the target before generating the final report.
|
|
197
|
+
|
|
198
|
+
```mermaid
|
|
199
|
+
flowchart TD
|
|
200
|
+
|
|
201
|
+
A["🎯 Target<br/>Domain / URL"]
|
|
202
|
+
|
|
203
|
+
subgraph S1["1. Target Resolution"]
|
|
204
|
+
B["Normalize Target"]
|
|
205
|
+
C["DNS Resolution"]
|
|
206
|
+
C1["IPv4 / IPv6"]
|
|
207
|
+
C2["DNS Records<br/>MX • NS • TXT • CNAME • SOA • CAA"]
|
|
208
|
+
C3["Reverse PTR"]
|
|
209
|
+
B --> C
|
|
210
|
+
C --> C1
|
|
211
|
+
C --> C2
|
|
212
|
+
C --> C3
|
|
213
|
+
end
|
|
214
|
+
|
|
215
|
+
subgraph S2["2. HTTP Discovery"]
|
|
216
|
+
D["HTTPS Request"]
|
|
217
|
+
D1{"TLS Error?"}
|
|
218
|
+
D2["HTTP Fallback"]
|
|
219
|
+
D3["Headers • Body • Cookies"]
|
|
220
|
+
D --> D1
|
|
221
|
+
D1 -->|Yes| D2
|
|
222
|
+
D1 -->|No| D3
|
|
223
|
+
D2 --> D3
|
|
224
|
+
end
|
|
225
|
+
|
|
226
|
+
subgraph S3["3. Infrastructure Detection"]
|
|
227
|
+
E["Header & Cookie Analysis"]
|
|
228
|
+
F["IP Intelligence"]
|
|
229
|
+
G{"CDN / WAF / Proxy"}
|
|
230
|
+
E --> G
|
|
231
|
+
F --> G
|
|
232
|
+
end
|
|
233
|
+
|
|
234
|
+
subgraph S4["4. Port Discovery"]
|
|
235
|
+
H{"Smart Scan"}
|
|
236
|
+
I["Target Scan"]
|
|
237
|
+
J["Enumerate Subdomains<br/>Collect All IPs"]
|
|
238
|
+
K["Nmap / Async Connect"]
|
|
239
|
+
L["Banner & HTTP Fingerprinting"]
|
|
240
|
+
H -->|Disabled| I
|
|
241
|
+
H -->|Enabled| J
|
|
242
|
+
I --> K
|
|
243
|
+
J --> K
|
|
244
|
+
K --> L
|
|
245
|
+
end
|
|
246
|
+
|
|
247
|
+
subgraph S5["5. Technology Detection"]
|
|
248
|
+
M["Headers"]
|
|
249
|
+
N["Cookies"]
|
|
250
|
+
O["HTML & Meta"]
|
|
251
|
+
P["JavaScript"]
|
|
252
|
+
Q["URL Patterns"]
|
|
253
|
+
R["SigDB (7500+ Signatures)"]
|
|
254
|
+
end
|
|
255
|
+
|
|
256
|
+
subgraph S6["6. Advanced Analysis"]
|
|
257
|
+
S["Subdomain Enumeration"]
|
|
258
|
+
T["CVE Matching"]
|
|
259
|
+
U["Default Credentials"]
|
|
260
|
+
end
|
|
261
|
+
|
|
262
|
+
subgraph S7["7. Report"]
|
|
263
|
+
V["Security Report"]
|
|
264
|
+
end
|
|
265
|
+
|
|
266
|
+
A --> B
|
|
267
|
+
C --> D
|
|
268
|
+
D3 --> E
|
|
269
|
+
C1 --> F
|
|
270
|
+
G --> H
|
|
271
|
+
|
|
272
|
+
L --> M
|
|
273
|
+
L --> N
|
|
274
|
+
L --> O
|
|
275
|
+
L --> P
|
|
276
|
+
L --> Q
|
|
277
|
+
L --> R
|
|
278
|
+
|
|
279
|
+
M --> S
|
|
280
|
+
N --> S
|
|
281
|
+
O --> T
|
|
282
|
+
P --> T
|
|
283
|
+
Q --> U
|
|
284
|
+
R --> U
|
|
285
|
+
|
|
286
|
+
S --> V
|
|
287
|
+
T --> V
|
|
288
|
+
U --> V
|
|
289
|
+
|
|
290
|
+
classDef start fill:#2563eb,color:#fff,stroke:#1d4ed8,stroke-width:2px;
|
|
291
|
+
classDef phase fill:#7c3aed,color:#fff,stroke:#6d28d9,stroke-width:2px;
|
|
292
|
+
classDef decision fill:#f59e0b,color:#fff,stroke:#b45309,stroke-width:2px;
|
|
293
|
+
classDef finish fill:#16a34a,color:#fff,stroke:#166534,stroke-width:2px;
|
|
294
|
+
|
|
295
|
+
class A start;
|
|
296
|
+
class B,C,C1,C2,C3,D,D2,D3,E,F,I,J,K,L,M,N,O,P,Q,R,S,T,U phase;
|
|
297
|
+
class D1,G,H decision;
|
|
298
|
+
class V finish;
|
|
299
|
+
```
|
|
300
|
+
|
|
301
|
+
### Pipeline Stages
|
|
302
|
+
|
|
303
|
+
| Stage | Description |
|
|
304
|
+
| :--- | :--- |
|
|
305
|
+
| **1. Target Resolution** | Normalize the input target, resolve IPv4/IPv6 addresses, collect DNS records, and perform reverse PTR lookups. |
|
|
306
|
+
| **2. HTTP Discovery** | Send an initial HTTPS request with automatic HTTP fallback and collect response headers, cookies, redirects, and HTML. |
|
|
307
|
+
| **3. Infrastructure Detection** | Detect CDN, WAF, reverse proxies, and hosting providers using HTTP fingerprints and IP intelligence. |
|
|
308
|
+
| **4. Port Discovery** | Scan services using **Nmap** or the built-in asynchronous scanner. Smart Scan expands the scan across all discovered IP addresses. |
|
|
309
|
+
| **5. Technology Detection** | Fingerprint web technologies using headers, cookies, HTML, JavaScript, URL patterns, and the **7500+ signature** database. |
|
|
310
|
+
| **6. Advanced Analysis** | Enumerate subdomains, correlate detected software with CVEs, and test common default credentials. |
|
|
311
|
+
| **7. Report Generation** | Merge all collected information into a comprehensive security report. |
|
|
312
|
+
|
|
313
|
+
---
|
|
314
|
+
|
|
315
|
+
## 🗂 Structure
|
|
316
|
+
|
|
317
|
+
```
|
|
318
|
+
stackscan/
|
|
319
|
+
├── src/stackscan/
|
|
320
|
+
│ ├── analyzers/ ← tech, infra, security, exposure, cve, creds
|
|
321
|
+
│ ├── net/ ← dns, tls, geo, ipinfo, ports, fingerprint, subdomains
|
|
322
|
+
│ ├── config/ ← bundled + sourced sigdb loading
|
|
323
|
+
│ ├── data/ ← builtin.sigdb, cve.json.gz, subdomains.txt
|
|
324
|
+
│ ├── render.py ← the colorized panel report
|
|
325
|
+
│ ├── scan.py ← per-target orchestration
|
|
326
|
+
│ └── cli.py ← argument parsing and entry point
|
|
327
|
+
├── scripts/ ← build_cve_db.py (NVD → offline dataset)
|
|
328
|
+
└── tests/
|
|
329
|
+
```
|
|
330
|
+
|
|
331
|
+
---
|
|
332
|
+
|
|
333
|
+
## 🛠 Development
|
|
334
|
+
|
|
335
|
+
```bash
|
|
336
|
+
ruff check . && black --check . && pyright && pytest
|
|
337
|
+
```
|
|
338
|
+
|
|
339
|
+
---
|
|
340
|
+
|
|
341
|
+
<p align="center"><sub><a href="LICENSE">MIT</a> © reekeer</sub></p>
|