Information Gathering tool – DNS / Subdomains / Ports / Directories enumeration
Installation
Using Docker
docker build -t scilla .
docker run scilla help
Building from source
You need Go.
- Linux
git clone https://github.com/edoardottt/scilla.git
cd scilla
go get
make linux
(to install)make unlinux
(to uninstall)
git clone https://github.com/edoardottt/scilla.git; cd scilla; go get; make linux
- Windows (executable works only in scilla folder. Alias?)
git clone https://github.com/edoardottt/scilla.git
cd scilla
go get
.\make.bat windows
(to install).\make.bat unwindows
(to uninstall)
Get Started
scilla help
prints the help in the command line.
usage: scilla subcommand { options } Available subcommands: - dns [-o output-format] [-plain Print only results] -target <target (URL/IP)> REQUIRED - port [-p <start-end> or ports divided by comma] [-o output-format] [-common scan common ports] [-plain Print only results] -target <target (URL/IP)> REQUIRED - subdomain [-w wordlist] [-o output-format] [-i ignore status codes] [-c use also a web crawler] [-db use also a public database] [-plain Print only results] [-db -no-check Don't check status codes for subdomains] [-db -spyse API-KEY Use Spyse as subdomains source] -target <target (URL)> REQUIRED - dir [-w wordlist] [-o output-format] [-i ignore status codes] [-c use also a web crawler] [-plain Print only results] [-nr No follow redirects] -target <target (URL)> REQUIRED - report [-p <start-end> or ports divided by comma] [-ws subdomains wordlist] [-wd directories wordlist] [-o output-format] [-id ignore status codes in directories scanning] [-is ignore status codes in subdomains scanning] [-cd use also a web crawler for directories scanning] [-cs use also a web crawler for subdomains scanning] [-db use also a public database for subdomains scanning] [-common scan common ports] [-nr No follow redirects] [-db -spyse API-KEY Use Spyse as subdomains source] -target <target (URL/IP)> REQUIRED - help - examples
Examples
- DNS enumeration:
scilla dns -target target.domain
scilla dns -o txt -target target.domain
scilla dns -o html -target target.domain
scilla dns -plain -target target.domain
- Subdomains enumeration:
scilla subdomain -target target.domain
scilla subdomain -w wordlist.txt -target target.domain
scilla subdomain -o txt -target target.domain
scilla subdomain -o html -target target.domain
scilla subdomain -i 400 -target target.domain
scilla subdomain -i 4** -target target.domain
scilla subdomain -c -target target.domain
scilla subdomain -db -target target.domain
scilla subdomain -plain -target target.domain
scilla subdomain -db -no-check -target target.domain
scilla subdomain -db -spyse API-KEY -target target.domain
- Directories enumeration:
scilla dir -target target.domain
scilla dir -w wordlist.txt -target target.domain
scilla dir -o txt -target target.domain
scilla dir -o html -target target.domain
scilla dir -i 500,401 -target target.domain
scilla dir -i 5**,401 -target target.domain
scilla dir -c -target target.domain
scilla dir -plain -target target.domain
scilla dir -nr -target target.domain
- Ports enumeration:
- Default (all ports, so 1-65635)
scilla port -target target.domain
- Specifying ports range
scilla port -p 20-90 -target target.domain
- Specifying starting port (until the last one)
scilla port -p 20- -target target.domain
- Specifying ending port (from the first one)
scilla port -p -90 -target target.domain
- Specifying single port
scilla port -p 80 -target target.domain
- Specifying output format (txt)
scilla port -o txt -target target.domain
- Specifying output format (html)
scilla port -o html -target target.domain
- Specifying multiple ports
scilla port -p 21,25,80 -target target.domain
- Specifying common ports
scilla port -common -target target.domain
- Print only results
scilla port -plain -target target.domain
- Default (all ports, so 1-65635)
- Full report:
- Default (all ports, so 1-65635)
scilla report -target target.domain
- Specifying ports range
scilla report -p 20-90 -target target.domain
- Specifying starting port (until the last one)
scilla report -p 20- -target target.domain
- Specifying ending port (from the first one)
scilla report -p -90 -target target.domain
- Specifying single port
scilla report -p 80 -target target.domain
- Specifying output format (txt)
scilla report -o txt -target target.domain
- Specifying output format (html)
scilla report -o html -target target.domain
- Specifying directories wordlist
scilla report -wd dirs.txt -target target.domain
- Specifying subdomains wordlist
scilla report -ws subdomains.txt -target target.domain
- Specifying status codes to be ignored in directories scanning
scilla report -id 500,501,502 -target target.domain
- Specifying status codes to be ignored in subdomains scanning
scilla report -is 500,501,502 -target target.domain
- Specifying status codes classes to be ignored in directories scanning
scilla report -id 5**,4** -target target.domain
- Specifying status codes classes to be ignored in subdomains scanning
scilla report -is 5**,4** -target target.domain
- Use also a web crawler for directories enumeration
scilla report -cd -target target.domain
- Use also a web crawler for subdomains enumeration
scilla report -cs -target target.domain
- Use also a public database for subdomains enumeration
scilla report -db -target target.domain
- Specifying multiple ports
scilla report -p 21,25,80 -target target.domain
- Specifying common ports
scilla report -common -target target.domain
- No follow redirects
scilla report -nr -target target.domain
- Use Spyse as subdomains source
scilla report -db -spyse API-KEY -target target.domain
- Default (all ports, so 1-65635)
Contributing
Just open an issue / pull request. See also CONTRIBUTING.md and CODE OF CONDUCT.md
Help me building this!
Special thanks to:
To do:
- Tests (😂)
- Tor support
- Proxy support
- XML output
- JSON output
- Dockerfile
- Plain output (print only results)
- Scan only common ports
- Add option to use a public database of known subdomains
- Recursive Web crawling for subdomains and directories
- Check input and if it’s an IP try to change to hostname when dns or subdomain is active
- Ignore responses by status codes (partially done, to do with
*
, e.g.-i 4**
) - HTML output
- Build an Input Struct and use it as parameter
- Output color
- Subdomains enumeration
- DNS enumeration
- Port enumeration
- Directories enumeration
- TXT output
License
This repository is under GNU General Public License v3.0.
edoardoottavianelli.it to contact me.
Leave a Reply