scilla – Information Gathering tool and Subdomains Enumeration

superior_hosting_service

Information Gathering tool – DNS / Subdomains / Ports / Directories enumeration


scilla

Installation

Using Docker

docker build -t scilla .
docker run scilla help

Building from source

You need Go.

  • Linux
    • git clone https://github.com/edoardottt/scilla.git
    • cd scilla
    • go get
    • make linux (to install)
    • make unlinux (to uninstall)
    Or in one line: git clone https://github.com/edoardottt/scilla.git; cd scilla; go get; make linux
  • Windows (executable works only in scilla folder. Alias?)
    • git clone https://github.com/edoardottt/scilla.git
    • cd scilla
    • go get
    • .\make.bat windows (to install)
    • .\make.bat unwindows (to uninstall)

Get Started

scilla help prints the help in the command line.

usage: scilla subcommand { options }

   Available subcommands:
       - dns [-o output-format]
             [-plain Print only results]
             -target <target (URL/IP)> REQUIRED
       - port [-p <start-end> or ports divided by comma]
              [-o output-format]
              [-common scan common ports]
              [-plain Print only results]
              -target <target (URL/IP)> REQUIRED
       - subdomain [-w wordlist]
                   [-o output-format]
                   [-i ignore status codes]
                   [-c use also a web crawler]
                   [-db use also a public database]
                   [-plain Print only results]
                   [-db -no-check Don't check status codes for subdomains]
                   [-db -spyse API-KEY Use Spyse as subdomains source]
                   -target <target (URL)> REQUIRED
       - dir [-w wordlist]
             [-o output-format]
             [-i ignore status codes]
             [-c use also a web crawler]
             [-plain Print only results]
             [-nr No follow redirects]
             -target <target (URL)> REQUIRED
       - report [-p <start-end> or ports divided by comma]
                [-ws subdomains wordlist]
                [-wd directories wordlist]
                [-o output-format]
                [-id ignore status codes in directories scanning]
                [-is ignore status codes in subdomains scanning]
                [-cd use also a web crawler for directories scanning]
                [-cs use also a web crawler for subdomains scanning]
                [-db use also a public database for subdomains scanning]
                [-common scan common ports]
                [-nr No follow redirects]
                [-db -spyse API-KEY Use Spyse as subdomains source]
                -target <target (URL/IP)> REQUIRED
       - help
       - examples

Examples 

  • DNS enumeration:
    • scilla dns -target target.domain
    • scilla dns -o txt -target target.domain
    • scilla dns -o html -target target.domain
    • scilla dns -plain -target target.domain
  • Subdomains enumeration:
    • scilla subdomain -target target.domain
    • scilla subdomain -w wordlist.txt -target target.domain
    • scilla subdomain -o txt -target target.domain
    • scilla subdomain -o html -target target.domain
    • scilla subdomain -i 400 -target target.domain
    • scilla subdomain -i 4** -target target.domain
    • scilla subdomain -c -target target.domain
    • scilla subdomain -db -target target.domain
    • scilla subdomain -plain -target target.domain
    • scilla subdomain -db -no-check -target target.domain
    • scilla subdomain -db -spyse API-KEY -target target.domain
  • Directories enumeration:
    • scilla dir -target target.domain
    • scilla dir -w wordlist.txt -target target.domain
    • scilla dir -o txt -target target.domain
    • scilla dir -o html -target target.domain
    • scilla dir -i 500,401 -target target.domain
    • scilla dir -i 5**,401 -target target.domain
    • scilla dir -c -target target.domain
    • scilla dir -plain -target target.domain
    • scilla dir -nr -target target.domain
  • Ports enumeration:
    • Default (all ports, so 1-65635) scilla port -target target.domain
    • Specifying ports range scilla port -p 20-90 -target target.domain
    • Specifying starting port (until the last one) scilla port -p 20- -target target.domain
    • Specifying ending port (from the first one) scilla port -p -90 -target target.domain
    • Specifying single port scilla port -p 80 -target target.domain
    • Specifying output format (txt)scilla port -o txt -target target.domain
    • Specifying output format (html)scilla port -o html -target target.domain
    • Specifying multiple ports scilla port -p 21,25,80 -target target.domain
    • Specifying common ports scilla port -common -target target.domain
    • Print only results scilla port -plain -target target.domain
  • Full report:
    • Default (all ports, so 1-65635) scilla report -target target.domain
    • Specifying ports range scilla report -p 20-90 -target target.domain
    • Specifying starting port (until the last one) scilla report -p 20- -target target.domain
    • Specifying ending port (from the first one) scilla report -p -90 -target target.domain
    • Specifying single port scilla report -p 80 -target target.domain
    • Specifying output format (txt)scilla report -o txt -target target.domain
    • Specifying output format (html)scilla report -o html -target target.domain
    • Specifying directories wordlist scilla report -wd dirs.txt -target target.domain
    • Specifying subdomains wordlist scilla report -ws subdomains.txt -target target.domain
    • Specifying status codes to be ignored in directories scanning scilla report -id 500,501,502 -target target.domain
    • Specifying status codes to be ignored in subdomains scanning scilla report -is 500,501,502 -target target.domain
    • Specifying status codes classes to be ignored in directories scanning scilla report -id 5**,4** -target target.domain
    • Specifying status codes classes to be ignored in subdomains scanning scilla report -is 5**,4** -target target.domain
    • Use also a web crawler for directories enumeration scilla report -cd -target target.domain
    • Use also a web crawler for subdomains enumeration scilla report -cs -target target.domain
    • Use also a public database for subdomains enumeration scilla report -db -target target.domain
    • Specifying multiple ports scilla report -p 21,25,80 -target target.domain
    • Specifying common ports scilla report -common -target target.domain
    • No follow redirects scilla report -nr -target target.domain
    • Use Spyse as subdomains source scilla report -db -spyse API-KEY -target target.domain

Contributing 

Just open an issue / pull request. See also CONTRIBUTING.md and CODE OF CONDUCT.md

Help me building this!

Special thanks to:

To do:

  •  Tests (😂)
  •  Tor support
  •  Proxy support
  •  XML output
  •  JSON output
  •  Dockerfile
  •  Plain output (print only results)
  •  Scan only common ports
  •  Add option to use a public database of known subdomains
  •  Recursive Web crawling for subdomains and directories
  •  Check input and if it’s an IP try to change to hostname when dns or subdomain is active
  •  Ignore responses by status codes (partially done, to do with *, e.g. -i 4**)
  •  HTML output
  •  Build an Input Struct and use it as parameter
  •  Output color
  •  Subdomains enumeration
  •  DNS enumeration
  •  Port enumeration
  •  Directories enumeration
  •  TXT output

License

This repository is under GNU General Public License v3.0.
edoardoottavianelli.it to contact me.