XScan

 

X-Scan is a basic network vulnerability scanner that uses a multi-threaded scanning approach. It can be run from the command line and also has an easy-to-use GUI front-end.  The following items can be scanned:

 

  • Remote OS type and version detection,
  • Standard port status and banner information,
  • SNMP information,
  • CGI vulnerability detection,
  • IIS vulnerability detection,
  • RPC vulnerability detection,
  • SSL vulnerability detection,
  • SQL-server,
  • FTP-server,
  • SMTP-server,
  • POP3-server,
  • NT-server weak user/password pairs authentication module,
  • NT server NETBIOS information,
  • Remote Register information, etc.

 

The results of the scan are saved in the /log directory and are titled index_ip_address.htm (if you used the GUI) or ip_address (if you used the command-line option).  These can be browsed directly in any normal web browser.

 

Basic user and password lists are supplied to carry out a basic attack on certain of the services above, if found enabled on the host.

 

XScan is available here

 

Problems:  I have found that the basic port list in port.ini is less than accurate.  It does not quote a number of very well-known ports, i.e. 1521 for Oracle listener, 5000-5002 for Sybase, etc., so this may need amending manually to give better results.  The config.bak file needs to be amended if using the default, as only 160 ports are checked.  The report format is also very basic.

 

Command-line usage:

xscan -host <startIP>[-<endIP>] <module> [option] 
xscan -file <host_list_file> <module> [option]


<module>:
 
   -tracert : trace route
   -port : check the status of standard service port
   -snmp : check SNMP information
   -ssl : check SSL vulnerability
   -rpc : check RPC vulnerability
   -sql : check SQL-Server weak password
   -ftp : check FTP-Server weak password
   -ntpass : check NT-Server weak password
   -netbios : check Netbios information
   -smtp : check SMTP-Server vulnerability
   -pop3 : check POP3-Server weak password
   -cgi : check HTTP vulnerability
   -iis : check IIS vulnerability
   -bind : check BIND service vulnerability
   -finger : check Finger service vulnerability
   -sygate : check Sygate vulnerability
   -all : check all vulnerability


[option]:
 
   -v: display verbose information
   -p: skip host when failed to ping
   -o: skip host when no opened port be found
   -t <thread_count[,host_count]>: specify max thread/host count, default is 100,10


Execution:

xscan -host 192.168.1.1 -all
xscan -host 192.168.1.1-192.168.254.254 -port -ntpass -p -t 100
xscan -file host.lst -port -cgi -t 100,5 -v -o

Example output (fully patched Windows XP SP2 host, no servers running):

C:\Documents and Settings\user\Desktop\xscan>XSCAN -host 192.168.0.1 -all
X-Scan v2.3 - command line security scanner
http://www.xfocus.org, http://www.xfocus.net

Loading plug-in ....
Load plug-in succeed.
Checking "192.168.0.1" ...
[192.168.0.1]: Checking "Trace-Route" ...
[192.168.0.1]: Found "Trace-Route".
[192.168.0.1]: Checking "Port-Status" ...
[192.168.0.1]: Port 25 is opened: SMTP, Simple Mail Transfer Protocol
[192.168.0.1]: Port 80 is opened: HTTP, World Wide Web
[192.168.0.1]: Port 81 is opened: HOSTS2 Name Server
[192.168.0.1]: Port 82 is opened: XFER Utility
[192.168.0.1]: Port 110 is opened: Pop3, Post Office Protocol - Version 3
[192.168.0.1]: Port 83 is opened: MIT ML Device
[192.168.0.1]: Port 119 is opened: Network News Transfer Protocol
[192.168.0.1]: Port 1028 is opened: [Unknown service]
[192.168.0.1]: Port 1029 is opened: [Unknown service]
[192.168.0.1]: Port 1035 is opened: [Unknown service]
[192.168.0.1]: Port 1080 is opened: SOCKS
[192.168.0.1]: Port 1863 is opened: [Unknown service]
[192.168.0.1]: Port 1026 is opened: [Unknown service]
[192.168.0.1]: Port 1025 is opened: network blackjack
[192.168.0.1]: Port 1241 is opened: [Unknown service]
[192.168.0.1]: Port 5190 is opened: aol, America-Online
[192.168.0.1]: Port 8080 is opened: Proxy server
[192.168.0.1]: Port 8088 is opened: [Unknown service]
[192.168.0.1]: Port 11523 is opened: [Unknown service]
[192.168.0.1]: "Port-Status" scan complete, Found 19.
[192.168.0.1]: Checking "Snmp-Info" ...
[192.168.0.1]: "Snmp-Info" scan complete.
[192.168.0.1]: Checking "SSL-Vuln" ...
[192.168.0.1]: Failed to connect to host "192.168.0.1"
[192.168.0.1]: "SSL-Vuln" scan complete.
[192.168.0.1]: Checking "RPC-Vuln" ...
[192.168.0.1]: Failed to connect to host "192.168.0.1"
[192.168.0.1]: "RPC-Vuln" scan complete.
[192.168.0.1]: Checking "SQL-Server-Password" ...
[192.168.0.1]: Failed to connect to host "192.168.0.1"
[192.168.0.1]: "SQL-Server-Password" scan complete.
[192.168.0.1]: Checking "FTP-Password" ...
[192.168.0.1]: Failed to connect to host "192.168.0.1"
[192.168.0.1]: "FTP-Password" scan complete.
[192.168.0.1]: Checking "NT-Server-Password" ...
[192.168.0.1]: "NT-Server-Password" scan complete.
[192.168.0.1]: Checking "NetBios-Info" ...
[192.168.0.1]: Netbios "RemoteRegistryInfo" completed
[192.168.0.1]: NullSession establish fails
[192.168.0.1]: "NetBios-Info" scan complete.
[192.168.0.1]: Checking "SMTP-Vuln" ...
[192.168.0.1]: Failed to connect to host "192.168.0.1"
[192.168.0.1]: "SMTP-Vuln" scan complete.
[192.168.0.1]: Checking "POP3-Password" ...
[192.168.0.1]: "POP3-Password" scan complete.
[192.168.0.1]: Checking "HTTP-Vuln" ...
[192.168.0.1]: Checking "HTTP custom-built error pages" ...
[192.168.0.1]: Checking "HTTP-Vuln" ...
[192.168.0.1]: "HTTP-Vuln" scan complete.
[192.168.0.1]: Checking "IIS-Vuln" ...
[192.168.0.1]: Not MS-IIS server, skip
[192.168.0.1]: "IIS-Vuln" scan complete.
[192.168.0.1]: Checking "BIND-Vuln" ...
[192.168.0.1]: "BIND-Vuln" scan complete.
[192.168.0.1]: Checking "Finger-Vuln" ...
[192.168.0.1]: "Finger-Vuln" scan complete.
[192.168.0.1]: Checking "Sygate-Vuln" ...
[192.168.0.1]: "Sygate-Vuln" scan complete.
[192.168.0.1]: Complete.

All vulnerability scan complete.
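
Because the report format is basic, the console output above can be post-processed into a per-host summary for triage. The following is an added example, not part of X-Scan or of the original review: it parses the line formats shown above, lists open ports and unknown services, records which module reported "Failed to connect", and checks the "Found N" total against the ports actually listed. The function name parse_xscan and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, using the line formats from the example output above.
SAMPLE = '''\
[192.168.0.1]: Checking "Port-Status" ...
[192.168.0.1]: Port 25 is opened: SMTP, Simple Mail Transfer Protocol
[192.168.0.1]: Port 1028 is opened: [Unknown service]
[192.168.0.1]: Port 8080 is opened: Proxy server
[192.168.0.1]: "Port-Status" scan complete, Found 3.
[192.168.0.1]: Checking "SMTP-Vuln" ...
[192.168.0.1]: Failed to connect to host "192.168.0.1"
[192.168.0.1]: "SMTP-Vuln" scan complete.
[192.168.0.1]: Checking "IIS-Vuln" ...
[192.168.0.1]: Not MS-IIS server, skip
[192.168.0.1]: "IIS-Vuln" scan complete.
'''

LINE = re.compile(r'^\[(?P<host>[^\]]+)\]: (?P<msg>.*)$')
PORT = re.compile(r'^Port (\d+) is opened: (.*)$')
CHECK = re.compile(r'^Checking "([^"]+)" \.\.\.$')
FOUND = re.compile(r'^"Port-Status" scan complete, Found (\d+)\.$')

def parse_xscan(text):
    """Return {host: {"ports", "unknown", "failed", "count_ok"}} from console output."""
    hosts = defaultdict(lambda: {"ports": {}, "unknown": [], "failed": [], "count_ok": None})
    current = {}  # host -> module being checked (threads may interleave hosts)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, plug-in loading and blank lines carry no host prefix
        host, msg = m["host"], m["msg"]
        rec = hosts[host]
        if (c := CHECK.match(msg)):
            current[host] = c[1]
        elif (p := PORT.match(msg)):
            rec["ports"][int(p[1])] = p[2]
            if p[2] == "[Unknown service]":
                rec["unknown"].append(int(p[1]))
        elif (f := FOUND.match(msg)):
            rec["count_ok"] = int(f[1]) == len(rec["ports"])
        elif msg.startswith("Failed to connect to host"):
            rec["failed"].append(current.get(host, "?"))
    return dict(hosts)
```

Ports listed under "unknown" are the ones to identify by hand, given the gaps in port.ini noted earlier.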

 

The GUI version is basically point and click, with the majority of modules enabled except for BIND, Finger, Sygate and Traceroute.  In addition, by default, once the SNMP string is found X-Scan will not try to gain SNMP information.  All these options need to be set in the Config section.

 

 

 
