X-Scan-v2.3 User Manual
1. System requirement: Windows 9x/NT4/2000
2. Introduction:
X-Scan is a general network vulnerability scanner that scans a specified IP address range or a stand-alone computer using multiple threads. Plug-ins are supported, and GUI and CUI (console) programs are provided separately. The following items can be scanned: remote OS type and version detection based on the TCP/IP stack fingerprint (as nmap does), standard port status and port BANNER information, SNMP information, CGI vulnerabilities, IIS vulnerabilities, RPC vulnerabilities, SSL vulnerabilities, weak user/password pairs on SQL-SERVER, FTP-SERVER, SMTP-SERVER, POP3-SERVER and NT-SERVER, NT server NETBIOS information, registry information, etc. Results are saved in the /log/ directory; their index is in index_*.htm, which can be opened in a web browser. For known vulnerabilities, the corresponding descriptions and solutions are provided. For other vulnerabilities, please refer to "Document" and "Vulnerability engine" at www.xfocus.org.
3. Components:
xscan_gui.exe -- X-Scan for Windows 9x/NT4/2000 GUI main program
xscan.exe -- X-Scan for Windows 9x/NT4/2000 CUI main program
readme.txt -- X-Scan help text
oncrpc.dll -- ONC RPC dynamic link library used by the RPC plug-in
libeay32.dll -- SSL implementation dynamic link library used by the SSL plug-in
/dat/language.ini -- multi-language database, language can be switched by setting "LANGUAGE\SELECTED"
/dat/config.ini -- user configuration file, being used to save scanning port list, scanning settings and the names of all dictionary files (including relative paths)
/dat/config.bak -- backup file of "/dat/config.ini", used to restore the default configuration
/dat/cgi.lst -- CGI vulnerabilities list
/dat/rpc.ini -- used to save RPC program name and vulnerabilities list
/dat/port.ini -- used to save all the known ports and their corresponding services
/dat/*_user.dic -- username dictionary files, used when searching for weak-password users
/dat/*_pass.dic -- password dictionary files, used when searching for weak passwords
/dat/os.finger -- OS fingerprint database used by remote OS detection to identify the operating system of the remote computer
/plugin -- holds all plug-ins (files with the .xpn suffix). Plug-ins can also be placed in other subdirectories of the directory containing xscan.exe; the program searches them automatically.
Note: xscan_gui.exe & xscan.exe use the same plug-in and data file, but each will run independently.
4. Preparation:
X-Scan is absolutely free and can be run immediately after decompression, without registration or installation. Under Windows 98/NT 4.0, the remote OS cannot be identified by TCP/IP stack fingerprint. Under Windows 98, NetBIOS and SNMP scanning are restricted due to OS limitations.
5. Attention:
1. On a very slow network connection, multi-threaded scanning may saturate the local network and cause connection failures. Please reduce the thread count accordingly, or leave out CGI vulnerability scanning for the time being. We suggest not enabling CGI detection when scanning a large address range, because there are so many CGI checks that it would take a long time.
2. SYN port scanning and passive host OS identification are available only under Windows 2000, and administrator privileges are required.
3. The dictionaries shipped with X-Scan are simple demos. To improve weak-password detection, extend the dictionaries.
4. During scanning, press <space> to view the current lines and scanning progress, press "q" to save the current data and exit, and press <ctrl+c> to force the program to close.
6. Command line parameter description:
1. Command format: xscan -host <start IP>[-<end IP>] <scanning items> [other options]
xscan -file <host list> <scanning items> [other options]
Explanations of the scanning items are as follows:
-tracert : track path information;
-port : scan the common port status (customize the port list by modifying "PORT-SCAN-OPTIONS\PORT-LIST" in \dat\config.ini);
-snmp : scan SNMP information;
-rpc : scan RPC vulnerability;
-sql : scan SQL-Server weak passwords (set the user/password dictionary files by modifying \dat\config.ini);
-ftp : scan FTP weak passwords (set the user/password dictionary files by modifying \dat\config.ini);
-ntpass : scan NT-Server weak passwords (set the user/password dictionary files by modifying \dat\config.ini);
-netbios : scan NetBIOS information;
-smtp : scan SMTP-Server vulnerabilities (set the user/password dictionary files by modifying \dat\config.ini);
-pop3 : scan POP3-Server weak passwords (set the user/password dictionary files by modifying \dat\config.ini);
-cgi : scan CGI vulnerabilities (set the coding scheme by modifying "CGI-ENCODE\encode_type" in \dat\config.ini);
-iis : scan IIS vulnerabilities (set the coding scheme by modifying "CGI-ENCODE\encode_type" in \dat\config.ini);
-bind : scan BIND vulnerability;
-finger : scan Finger vulnerability;
-sygate : scan sygate vulnerability;
-all : scan all the above items;
[other options] explanations:
-v: display verbose information;
-p: skip hosts that fail to respond to ping;
-o: skip hosts on which no open port is found;
-t <thread_count[,host_count]>: specify the maximum thread count and host count; the default is 100,10
* Meaning of the coding scheme values ("CGI-ENCODE\encode_type") in HTTP requests:
1. Replace "GET" with "HEAD"
2. Replace "GET" with "POST"
3. Replace "GET" with "GET / HTTP/1.0\r\nHeader:"
4. Replace "GET" with "GET /[filename]?param=" (setting [filename] by modifying "CGI-ENCODE\encode4_index_file" in \dat\config.ini)
5. Replace "GET" with "GET %00"
6. Use several "/" or "\" characters
7. Swap "/" and "\"
8. Replace "<space>" with "<Tab>"
Notes: these parameters can be combined when they do not conflict.
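As an added defender-side example (not part of X-Scan or this manual), the following C code recognises the mangling schemes listed above in a logged request line and canonicalises the line so that it can be compared against the plain form. The sample request lines are constructed, and the code assumes the request line has already been extracted from the web server log.

```c
#include <string.h>
/* Request-mangling schemes from the list above, as bit flags (schemes 3 and 4
 * look like ordinary requests in a log line and are not covered here). */
enum {
    EV_NON_GET_METHOD = 1,  /* schemes 1/2: HEAD or POST instead of GET */
    EV_NUL_ESCAPE     = 2,  /* scheme 5: "%00" in the request */
    EV_REPEATED_SEP   = 4,  /* scheme 6: runs of "/" or "\" */
    EV_BACKSLASH      = 8,  /* scheme 7: "\" used as a path separator */
    EV_TAB_SEPARATOR  = 16  /* scheme 8: <Tab> instead of <space> */
};
#define IS_SEP(c) ((c) == '/' || (c) == '\\')
/* Return the mangling patterns a logged request line shows (0 if none).
 * EV_NON_GET_METHOD alone is not suspicious; HEAD and POST are legitimate. */
int request_mangling_flags(const char *req)
{
    int flags = 0;
    if (strncmp(req, "GET ", 4) != 0 && strncmp(req, "GET\t", 4) != 0)
        flags |= EV_NON_GET_METHOD;
    if (strstr(req, "%00") != NULL)
        flags |= EV_NUL_ESCAPE;
    if (strchr(req, '\t') != NULL)
        flags |= EV_TAB_SEPARATOR;
    if (strchr(req, '\\') != NULL)
        flags |= EV_BACKSLASH;
    for (const char *p = req; p[0] != '\0' && p[1] != '\0'; p++)
        if (IS_SEP(p[0]) && IS_SEP(p[1])) {  /* "//", "\\", "/\", ... */
            flags |= EV_REPEATED_SEP;
            break;
        }
    return flags;
}

/* Canonicalise a request line so mangled variants compare equal to the plain
 * form ("\" -> "/", separator runs collapsed, <Tab> -> space).  Writes at most
 * cap-1 characters plus NUL into out and returns the length written. */
size_t normalize_request(const char *req, char *out, size_t cap)
{
    size_t n = 0;
    int prev_sep = 0;
    for (; *req != '\0' && n + 1 < cap; req++) {
        char c = (*req == '\\') ? '/' : (*req == '\t') ? ' ' : *req;
        if (c == '/' && prev_sep)
            continue;
        prev_sep = (c == '/');
        out[n++] = c;
    }
    out[n] = '\0';
    return n;
}
```

Requests written with an absolute URI (GET http://host/...) also trip EV_REPEATED_SEP, so strip the scheme first or exclude proxy traffic.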
2. Examples:
xscan -host xxx.xxx.1.1-xxx.xxx.255.255 -all -p
Meaning: scan all hosts whose IP is between xxx.xxx.1.1 and xxx.xxx.255.255 for all of the above items, skipping hosts that fail to respond to ping;
xscan -host xxx.xxx.1.1-xxx.xxx.255.255 -port -ntpass -t 150 -o
Meaning: scan the standard port status and NT weak-password users of all hosts whose IP is between xxx.xxx.1.1 and xxx.xxx.255.255, skipping hosts on which no open port is found. The maximum number of concurrent threads is 150;
xscan -file host.lst -port -cgi -t 200,5 -v -o
Meaning: scan the standard port status and CGI vulnerabilities of the hosts listed in "host.lst". The maximum number of concurrent threads is 200, and up to 5 hosts are scanned simultaneously. Hosts on which no open port is found are skipped.
7. Plug-in Interface:
#define PLUGIN_PARAMS_0 0
#define PLUGIN_PARAMS_1 1
#define PLUGIN_PARAMS_101 101
#define PLUGIN_PARAMS_102 102
#define PLUGIN_PARAMS_103 103
#define PLUGIN_PARAMS_201 201
/*
- AlertUser()
-
* Function:
* Writes a line to the log in the form:
* "[szHostName]: find [szVulnName] vulnerabilities-[szLine]"
* When szVulnName==NULL, the form is:
* "[szHostName]: [szLine]"
*
* Parameters:
* IN szHostName - host name
* IN szVulnName - vulnerability name
* IN szLine - string to be written to the log file
*
* Returned data:
* [nothing]
*
*/
typedef VOID (CALLBACK *PALERT_USER) (
char *szHostName,
char *szVulnName,
char *szLine
);
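An added example (not X-Scan's own code) of how a plug-in uses the AlertUser callback described above, with a constructed host-side stub standing in for the scanner's real callback. The CALLBACK/VOID stand-ins and the names format_alert, alert_user_stub and plugin_report are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
/* Portable stand-ins for the Win32 names in the interface above, so the
 * example also compiles outside Windows (on Windows, include <windows.h>). */
#ifndef CALLBACK
#define CALLBACK
typedef void VOID;
#endif

typedef VOID (CALLBACK *PALERT_USER)(char *szHostName, char *szVulnName, char *szLine);
/* Build the message in the two forms the interface describes:
 * "[host]: find [vuln] vulnerabilities-[line]", or "[host]: [line]" when vuln
 * is NULL.  Returns the length the full message needs (snprintf rules). */
int format_alert(char *out, size_t cap, const char *host, const char *vuln, const char *line)
{
    if (vuln == NULL)
        return snprintf(out, cap, "%s: %s", host, line);
    return snprintf(out, cap, "%s: find %s vulnerabilities-%s", host, vuln, line);
}

/* Host-side stand-in for X-Scan's AlertUser (constructed for this example):
 * keeps the last formatted message instead of writing the per-host log. */
static char g_last_alert[256];
static int  g_alert_count;
static VOID CALLBACK alert_user_stub(char *szHostName, char *szVulnName, char *szLine)
{
    format_alert(g_last_alert, sizeof g_last_alert, szHostName, szVulnName, szLine);
    g_alert_count++;
}

/* What a plug-in does with the callback it is handed: an informational line
 * goes out with szVulnName == NULL, a finding with the vulnerability name.
 * Returns how many alerts were issued. */
int plugin_report(PALERT_USER alert, char *host, char *banner, char *vuln_name, char *vuln_line)
{
    int issued = 0;
    if (banner != NULL && banner[0] != '\0') {
        alert(host, NULL, banner);         /* "[host]: [banner]" */
        issued++;
    }
    if (vuln_name != NULL) {
        alert(host, vuln_name, vuln_line); /* "[host]: find [vuln] vulnerabilities-[line]" */
        issued++;
    }
    return issued;
}
const char *last_alert(void) { return g_last_alert; }
int alert_count(void) { return g_alert_count; }
```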