scilla – Information Gathering tool and Subdomains Enumeration

Information Gathering tool – DNS / Subdomains / Ports / Directories enumeration

---

Installation

Using Docker

docker build -t scilla .
docker run scilla help

Building from source

You need Go.

• Linux
  • git clone https://github.com/edoardottt/scilla.git
  • cd scilla
  • go get
  • make linux (to install)
  • make unlinux (to uninstall)
  Or in one line: git clone https://github.com/edoardottt/scilla.git; cd scilla; go get; make linux
• Windows (executable works only in scilla folder. Alias?)
  • git clone https://github.com/edoardottt/scilla.git
  • cd scilla
  • go get
  • .\make.bat windows (to install)
  • .\make.bat unwindows (to uninstall)

Get Started

scilla help prints the help in the command line.

usage: scilla subcommand { options }

   Available subcommands:
       - dns [-o output-format]
             [-plain Print only results]
             -target <target (URL/IP)> REQUIRED
       - port [-p <start-end> or ports divided by comma]
              [-o output-format]
              [-common scan common ports]
              [-plain Print only results]
              -target <target (URL/IP)> REQUIRED
       - subdomain [-w wordlist]
                   [-o output-format]
                   [-i ignore status codes]
                   [-c use also a web crawler]
                   [-db use also a public database]
                   [-plain Print only results]
                   [-db -no-check Don't check status codes for subdomains]
                   [-db -spyse API-KEY Use Spyse as subdomains source]
                   -target <target (URL)> REQUIRED
       - dir [-w wordlist]
             [-o output-format]
             [-i ignore status codes]
             [-c use also a web crawler]
             [-plain Print only results]
             [-nr No follow redirects]
             -target <target (URL)> REQUIRED
       - report [-p <start-end> or ports divided by comma]
                [-ws subdomains wordlist]
                [-wd directories wordlist]
                [-o output-format]
                [-id ignore status codes in directories scanning]
                [-is ignore status codes in subdomains scanning]
                [-cd use also a web crawler for directories scanning]
                [-cs use also a web crawler for subdomains scanning]
                [-db use also a public database for subdomains scanning]
                [-common scan common ports]
                [-nr No follow redirects]
                [-db -spyse API-KEY Use Spyse as subdomains source]
                -target <target (URL/IP)> REQUIRED
       - help
       - examples

Examples 

• DNS enumeration:
  • scilla dns -target target.domain
  • scilla dns -o txt -target target.domain
  • scilla dns -o html -target target.domain
  • scilla dns -plain -target target.domain
• Subdomains enumeration:
  • scilla subdomain -target target.domain
  • scilla subdomain -w wordlist.txt -target target.domain
  • scilla subdomain -o txt -target target.domain
  • scilla subdomain -o html -target target.domain
  • scilla subdomain -i 400 -target target.domain
  • scilla subdomain -i 4** -target target.domain
  • scilla subdomain -c -target target.domain
  • scilla subdomain -db -target target.domain
  • scilla subdomain -plain -target target.domain
  • scilla subdomain -db -no-check -target target.domain
  • scilla subdomain -db -spyse API-KEY -target target.domain
• Directories enumeration:
  • scilla dir -target target.domain
  • scilla dir -w wordlist.txt -target target.domain
  • scilla dir -o txt -target target.domain
  • scilla dir -o html -target target.domain
  • scilla dir -i 500,401 -target target.domain
  • scilla dir -i 5**,401 -target target.domain
  • scilla dir -c -target target.domain
  • scilla dir -plain -target target.domain
  • scilla dir -nr -target target.domain
• Ports enumeration:
  • Default (all ports, so 1-65635) scilla port -target target.domain
  • Specifying ports range scilla port -p 20-90 -target target.domain
  • Specifying starting port (until the last one) scilla port -p 20- -target target.domain
  • Specifying ending port (from the first one) scilla port -p -90 -target target.domain
  • Specifying single port scilla port -p 80 -target target.domain
  • Specifying output format (txt)scilla port -o txt -target target.domain
  • Specifying output format (html)scilla port -o html -target target.domain
  • Specifying multiple ports scilla port -p 21,25,80 -target target.domain
  • Specifying common ports scilla port -common -target target.domain
  • Print only results scilla port -plain -target target.domain
• Full report:
  • Default (all ports, so 1-65635) scilla report -target target.domain
  • Specifying ports range scilla report -p 20-90 -target target.domain
  • Specifying starting port (until the last one) scilla report -p 20- -target target.domain
  • Specifying ending port (from the first one) scilla report -p -90 -target target.domain
  • Specifying single port scilla report -p 80 -target target.domain
  • Specifying output format (txt)scilla report -o txt -target target.domain
  • Specifying output format (html)scilla report -o html -target target.domain
  • Specifying directories wordlist scilla report -wd dirs.txt -target target.domain
  • Specifying subdomains wordlist scilla report -ws subdomains.txt -target target.domain
  • Specifying status codes to be ignored in directories scanning scilla report -id 500,501,502 -target target.domain
  • Specifying status codes to be ignored in subdomains scanning scilla report -is 500,501,502 -target target.domain
  • Specifying status codes classes to be ignored in directories scanning scilla report -id 5**,4** -target target.domain
  • Specifying status codes classes to be ignored in subdomains scanning scilla report -is 5**,4** -target target.domain
  • Use also a web crawler for directories enumeration scilla report -cd -target target.domain
  • Use also a web crawler for subdomains enumeration scilla report -cs -target target.domain
  • Use also a public database for subdomains enumeration scilla report -db -target target.domain
  • Specifying multiple ports scilla report -p 21,25,80 -target target.domain
  • Specifying common ports scilla report -common -target target.domain
  • No follow redirects scilla report -nr -target target.domain
  • Use Spyse as subdomains source scilla report -db -spyse API-KEY -target target.domain

Contributing 

Just open an issue / pull request. See also CONTRIBUTING.md and CODE OF CONDUCT.md

Help me building this!

Special thanks to:

• danielmiessler
• sonarSearch
• HackerTarget
• BufferOverrun
• Threatcrowd
• Crt.sh
• Spyse
• tomnomnom

To do:

•  Tests (😂)
•  Tor support
•  Proxy support
•  XML output
•  JSON output
•  Dockerfile
•  Plain output (print only results)
•  Scan only common ports
•  Add option to use a public database of known subdomains
•  Recursive Web crawling for subdomains and directories
•  Check input and if it’s an IP try to change to hostname when dns or subdomain is active
•  Ignore responses by status codes (partially done, to do with *, e.g. -i 4**)
•  HTML output
•  Build an Input Struct and use it as parameter
•  Output color
•  Subdomains enumeration
•  DNS enumeration
•  Port enumeration
•  Directories enumeration
•  TXT output

License

This repository is under GNU General Public License v3.0.
edoardoottavianelli.it to contact me.

---