X_scan

X-Scan-v3.02 User Manual 1. System requirement: Windows NT4/2000/XP/2003 2. Introduction: X-Scan is a general network vulnerabilities scanner for scanning network vulnerabilities for specific IP address scope or stand-alone computer by multi-threading method. Plug-ins are supportable and GUI or CUI programs are separately provided. The following items can be scanned: service type, remote OS type and version detection based on TCP/IP stack, weak user/password pair, and all of the nessus attack scripts combination. For the most known vulnerabilities, the corresponding descriptions and solutions are provided. As to other vulnerabilities, please refer to "Document" and "Vulnerability engine" in www.xfocus.org. We provided a simple SDK in X-Scan 3.0 for the purpose of friends can develop plug-ins expediently. Everyone can download the source code of "nasl for windows", X-Scan plug-in SDK and the sample plug-in code from this link: "http://www.xfocus.net/projects/X-Scan/index.html". 3. Components: xscan_gui.exe -- X-Scan GUI main program xscan.exe -- X-Scan CUI main program checkhost.exe -- plug-ins scheduler update.exe -- live update main program *.dll -- the indispensable library file readme.txt -- X-Scan help text /dat/language.ini -- multi-language config file, language can be switched by setting "LANGUAGE\SELECTED" /dat/language.* -- multi-language database /dat/config.ini -- user configuration file, being used for save scanning port list, scanning settings and the names of all dictionary files (including relative paths) /dat/config.bak -- backup file of "/dat/config.ini", being used for restore the default configuration /dat/cgi.lst -- CGI vulnerabilities list /dat/iis_code.ini -- "IIS encode/decode" vulnerabilities list /dat/port.ini -- being used for save all the known ports and their corresponding services /dat/*_user.dic -- username dictionary file, being used for searching weak-password user /dat/*_pass.dic -- password dictionary, being used for searching weak password /dat/p0f*.fp -- being used for identifing the target OS fingerprinter(passively) /dat/nmap-os-fingerprints -- being used for identifing the target OS fingerprinter /dat/*.nsl -- being used for saving the nessus attack scripts list /plugins -- being used for storing all plug-ins (whose suffix is .xpn). /scripts -- being used for storing all nessus attack scripts (whose suffix is .nasl) /scripts/desc -- being used for storing all muti-language description of nessus attack scripts (whose suffix is .desc) Note: xscan_gui.exe & xscan.exe use the same plug-in and data file, but each will run independently. 4. Preparation: X-Scan which is absolutely free can be executed immediately after being decompressed without registration and installation (install WinPCap driver automatically). 5. GUI program options description: General config: "IP address range" - You can input a single IP address or domain name, and you can input the range of IP address that be separated by "-" or "," also, for example: "192.168.0.1-192.168.0.20,192.168.1.10-192.168.1.254". "Load host list from file" - If you select this checkbox, X-Scan will read target address from a text file. The file should contain a single address or range of address like the "IP address range" in every line. "Report file" - The final report file what locates directory "\log". "Report type" - Support TXT and HTML format currently. "Build and open report automate when complete" - Such as the caption. "Save host list" - If you select this checkbox, X-Scan will save the address of alive hosts into a text file. "Host list file" - Being used for saving the address of alive hosts, this file locates directory "\log". "Advanced config": "Maximal number of thread" - The maximal number of concurrent threads when X-Scan is working. "Maximal number of host" - The maximal number of concurrent host when X-Scan is working, X-Scan will create sub-process for every host. "Display verbose information" - Such as the caption. "Skip host when failed to get response" - X-Scan will try to check the activity of target host by "TCP Ping" if it's running under Windows 2000/XP/2003 and has administrator permission, otherwise X-Scan will perform this job by "ICMP Ping". "Skip host when no open port has been found" - If X-Scan doesn't found any TCP port within the "Scan port", X-Scan will cancel the other detection to this host. "Scan always" - Such as the caption. "Port": "Scan port" - The range of TCP port that be separated by "-" or ",". "Scan mode" - X-Scan support "TCP full connection" and "SYN half connection" two kinds of methods currently. "Identify service by response" - Connect to open port to identify the service by it's response. "Identify OS version forwardly by TCP/IP stack fingerprinter" - Such as the caption. "Default port" - Such as the caption. "NASL config": "NASL scripts list" - You can customize nessus attack scripts to make scanning speed up. If you want to load all the scripts, you should clear this edit box. "Select" - In the selecting window, you can select scripts by their risk, category and family. "Script execute timeout(s)" - Specify the timeout of script executing. "Network read timeout(s)" - Specify the timeout of reading TCP socket. "Skip the destructive scripts for host" - Such as the caption. "Check the dependencies of scripts" - Many scripts are depend on each other, if you don't select this checkbox, you can make scanning speed up, but the result is incorrect probably. "Execute the destructive scripts for single service orderly" - If a script gather information from a service when another script is performming a DoS attack, the result is incorrect probably. But if you don't select this checkbox, you can make scanning speed up. "Network config": "Network adapter" - Select an appropriate adapter in order to capture network packets by WinPCap. You should select "\Device\Packet_NdisWanIp" if you have a dial-up connection. "HTTP": "Encode" - All are such as the caption. "Dictionary": Specify all the password dictionary file what being used for checking weak password. 6. CUI program parameter description: 1.command format: xscan -host <start IP>[-<end IP>] <scanning items> [other options] xscan -file <host list> < scanning items > [other options] Explanations of scanning items are as follow: -active : check if the target host is active -os : check target operate system by NETBIOS and SNMP protocol -port : scan the common port status (customizing scanning port list by modifying "PORT-SCAN-OPTIONS\PORT-LIST" in \dat\config.ini); -ftp : scan FTP weak password (setting user/password dictionary file by modifying \dat\config.ini); -pub : check anonymous pub write permission of FTP server -pop3 : scan POP3-Server weak password (setting user/password dictionary file by modifying \dat\config.ini); -smtp : scan SMTP-Server weak password (setting user/password dictionary file by modifying \dat\config.ini); -sql : scan SQL-Server weak password (setting user/password dictionary file by modifying \dat\config.ini); -smb : scan NT-Server weak password (setting user/password dict