Below is a fairly comprehensive passive penetration testing script with vulnerability scanning, API testing, and detailed reporting.
Features
- DNS & SSL/TLS Analysis – Complete DNS enumeration, certificate inspection, cipher analysis
- Port & Vulnerability Scanning – Service detection, NMAP vuln scripts, outdated software detection
- Subdomain Discovery – Certificate transparency log mining
- API Security Testing – Endpoint discovery, permission testing, CORS analysis
- Asset Discovery – Web technology detection, CMS identification
- Firewall Testing – hping3 TCP/ICMP tests (if available)
- Network Bypass – Uses en0 interface to bypass Zscaler
- Debug Mode – Comprehensive logging enabled by default
Installation
Required Dependencies
# macOS
brew install nmap openssl bind curl jq
# Linux
sudo apt-get install nmap openssl dnsutils curl jq
Optional Dependencies
# macOS
brew install hping
# Linux
sudo apt-get install hping3 nikto
Usage
Basic Syntax
./security_scanner_enhanced.sh -d DOMAIN [OPTIONS]
Options
-d DOMAIN– Target domain (required)-s– Enable subdomain scanning-m NUM– Max subdomains to scan (default: 10)-v– Enable vulnerability scanning-a– Enable API discovery and testing-h– Show help
Examples:
# Basic scan
./security_scanner_enhanced.sh -d example.com
# Full scan with all features
./security_scanner_enhanced.sh -d example.com -s -m 20 -v -a
# Vulnerability assessment only
./security_scanner_enhanced.sh -d example.com -v
# API security testing
./security_scanner_enhanced.sh -d example.com -a
Network Configuration
Default Interface: en0 (bypasses Zscaler)
To change the interface, edit line 24:
NETWORK_INTERFACE="en0" # Change to your interface
The script automatically falls back to default routing if the interface is unavailable.
Debug Mode
Debug mode is enabled by default and shows:
- Dependency checks
- Network interface status
- Command execution details
- Scan progress
- File operations
Debug messages appear in cyan with [DEBUG] prefix.
To disable, edit line 27:
DEBUG=false
Output
Each scan creates a timestamped directory: scan_example.com_20251016_191806/
Key Files
executive_summary.md– High-level findingstechnical_report.md– Detailed technical analysisvulnerability_report.md– Vulnerability assessment (if-vused)api_security_report.md– API security findings (if-aused)dns_*.txt– DNS recordsssl_*.txt– SSL/TLS analysisport_scan_*.txt– Port scan resultssubdomains_discovered.txt– Found subdomains (if-sused)
Scan Duration
| Scan Type | Duration |
|---|---|
| Basic | 2-5 min |
| With subdomains | +1-2 min/subdomain |
| With vulnerabilities | +10-20 min |
| Full scan | 15-30 min |
Troubleshooting
Missing dependencies
# Install required tools
brew install nmap openssl bind curl jq # macOS
sudo apt-get install nmap openssl dnsutils curl jq # Linux
Interface not found
# Check available interfaces
ifconfig
# Script will automatically fall back to default routing
Permission errors
# Some scans may require elevated privileges
sudo ./security_scanner_enhanced.sh -d example.com
Configuration
Change scan ports (line 325)
# Default: top 1000 ports
--top-ports 1000
# Custom ports
-p 80,443,8080,8443
# All ports (slow)
-p-
Adjust subdomain limit (line 1162)
MAX_SUBDOMAINS=10 # Change as needed
Add custom API paths (line 567)
API_PATHS=(
"/api"
"/api/v1"
"/custom/endpoint" # Add yours
)
Security & Legal
⚠️ WARNING: Only scan domains you own or have explicit permission to test. Unauthorized scanning may be illegal.
This tool performs passive reconnaissance only:
- ✅ DNS queries, certificate logs, public web requests
- ❌ No exploitation, brute force, or denial of service
Best Practices
- Obtain proper authorization before scanning
- Monitor progress via debug output
- Review all generated reports
- Prioritize findings by risk
- Schedule follow-up scans after remediation
Disclaimer: This tool is for authorized security testing only. The authors assume no liability for misuse or damage.
The Script:
cat > ./security_scanner_enhanced.sh << 'EOF'
#!/bin/zsh
################################################################################
# Enhanced Security Scanner Script v2.0
# Comprehensive security assessment with vulnerability scanning
# Includes: NMAP vuln scripts, hping3, asset discovery, API testing
# Network Interface: en0 (bypasses Zscaler)
# Debug Mode: Enabled
################################################################################
# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
MAGENTA='\033[0;35m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color
# Script version
VERSION="2.0.1"
# Network interface to use (bypasses Zscaler)
NETWORK_INTERFACE="en0"
# Debug mode flag
DEBUG=true
################################################################################
# Usage Information
################################################################################
usage() {
cat << EOF
Enhanced Security Scanner v${VERSION}
Usage: $0 -d DOMAIN [-s] [-m MAX_SUBDOMAINS] [-v] [-a]
Options:
-d DOMAIN Target domain to scan (required)
-s Scan subdomains (optional)
-m MAX_SUBDOMAINS Maximum number of subdomains to scan (default: 10)
-v Enable vulnerability scanning (NMAP vuln scripts)
-a Enable API discovery and testing
-h Show this help message
Network Configuration:
Interface: $NETWORK_INTERFACE (bypasses Zscaler)
Debug Mode: Enabled
Examples:
$0 -d example.com
$0 -d example.com -s -m 20 -v
$0 -d example.com -s -v -a
EOF
exit 1
}
################################################################################
# Logging Functions
################################################################################
log_info() {
echo -e "${BLUE}[INFO]${NC} $1"
}
log_success() {
echo -e "${GREEN}[SUCCESS]${NC} $1"
}
log_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
log_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
log_vuln() {
echo -e "${MAGENTA}[VULN]${NC} $1"
}
log_debug() {
if [ "$DEBUG" = true ]; then
echo -e "${CYAN}[DEBUG]${NC} $1"
fi
}
################################################################################
# Check Dependencies
################################################################################
check_dependencies() {
log_info "Checking dependencies..."
log_debug "Starting dependency check"
local missing_deps=()
local optional_deps=()
# Required dependencies
log_debug "Checking for nmap..."
command -v nmap >/dev/null 2>&1 || missing_deps+=("nmap")
log_debug "Checking for openssl..."
command -v openssl >/dev/null 2>&1 || missing_deps+=("openssl")
log_debug "Checking for dig..."
command -v dig >/dev/null 2>&1 || missing_deps+=("dig")
log_debug "Checking for curl..."
command -v curl >/dev/null 2>&1 || missing_deps+=("curl")
log_debug "Checking for jq..."
command -v jq >/dev/null 2>&1 || missing_deps+=("jq")
# Optional dependencies
log_debug "Checking for hping3..."
command -v hping3 >/dev/null 2>&1 || optional_deps+=("hping3")
log_debug "Checking for nikto..."
command -v nikto >/dev/null 2>&1 || optional_deps+=("nikto")
if [ ${#missing_deps[@]} -ne 0 ]; then
log_error "Missing required dependencies: ${missing_deps[*]}"
log_info "Install missing dependencies and try again"
exit 1
fi
if [ ${#optional_deps[@]} -ne 0 ]; then
log_warning "Missing optional dependencies: ${optional_deps[*]}"
log_info "Some features may be limited"
fi
# Check network interface
log_debug "Checking network interface: $NETWORK_INTERFACE"
if ifconfig "$NETWORK_INTERFACE" >/dev/null 2>&1; then
log_success "Network interface $NETWORK_INTERFACE is available"
local interface_ip=$(ifconfig "$NETWORK_INTERFACE" | grep 'inet ' | awk '{print $2}')
log_debug "Interface IP: $interface_ip"
else
log_warning "Network interface $NETWORK_INTERFACE not found, using default routing"
NETWORK_INTERFACE=""
fi
log_success "All required dependencies found"
}
################################################################################
# Initialize Scan
################################################################################
initialize_scan() {
log_debug "Initializing scan for domain: $DOMAIN"
SCAN_DATE=$(date +"%Y-%m-%d %H:%M:%S")
SCAN_DIR="scan_${DOMAIN}_$(date +%Y%m%d_%H%M%S)"
log_debug "Creating scan directory: $SCAN_DIR"
mkdir -p "$SCAN_DIR"
cd "$SCAN_DIR" || exit 1
log_success "Created scan directory: $SCAN_DIR"
log_debug "Current working directory: $(pwd)"
# Initialize report files
EXEC_REPORT="executive_summary.md"
TECH_REPORT="technical_report.md"
VULN_REPORT="vulnerability_report.md"
API_REPORT="api_security_report.md"
log_debug "Initializing report files"
> "$EXEC_REPORT"
> "$TECH_REPORT"
> "$VULN_REPORT"
> "$API_REPORT"
log_debug "Scan configuration:"
log_debug " - Domain: $DOMAIN"
log_debug " - Subdomain scanning: $SCAN_SUBDOMAINS"
log_debug " - Max subdomains: $MAX_SUBDOMAINS"
log_debug " - Vulnerability scanning: $VULN_SCAN"
log_debug " - API scanning: $API_SCAN"
log_debug " - Network interface: $NETWORK_INTERFACE"
}
################################################################################
# DNS Reconnaissance
################################################################################
dns_reconnaissance() {
log_info "Performing DNS reconnaissance..."
log_debug "Resolving domain: $DOMAIN"
# Resolve domain to IP
IP_ADDRESS=$(dig +short "$DOMAIN" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n1)
if [ -z "$IP_ADDRESS" ]; then
log_error "Could not resolve domain: $DOMAIN"
log_debug "DNS resolution failed for $DOMAIN"
exit 1
fi
log_success "Resolved $DOMAIN to $IP_ADDRESS"
log_debug "Target IP address: $IP_ADDRESS"
# Get comprehensive DNS records
log_debug "Querying DNS records (ANY)..."
dig "$DOMAIN" ANY > dns_records.txt 2>&1
log_debug "Querying A records..."
dig "$DOMAIN" A > dns_a_records.txt 2>&1
log_debug "Querying MX records..."
dig "$DOMAIN" MX > dns_mx_records.txt 2>&1
log_debug "Querying NS records..."
dig "$DOMAIN" NS > dns_ns_records.txt 2>&1
log_debug "Querying TXT records..."
dig "$DOMAIN" TXT > dns_txt_records.txt 2>&1
# Reverse DNS lookup
log_debug "Performing reverse DNS lookup for $IP_ADDRESS..."
dig -x "$IP_ADDRESS" > reverse_dns.txt 2>&1
echo "$IP_ADDRESS" > ip_address.txt
log_debug "DNS reconnaissance complete"
}
################################################################################
# Subdomain Discovery
################################################################################
discover_subdomains() {
if [ "$SCAN_SUBDOMAINS" = false ]; then
log_info "Subdomain scanning disabled"
log_debug "Skipping subdomain discovery"
echo "0" > subdomain_count.txt
return
fi
log_info "Discovering subdomains via certificate transparency..."
log_debug "Querying crt.sh for subdomains of $DOMAIN"
log_debug "Maximum subdomains to discover: $MAX_SUBDOMAINS"
# Query crt.sh for subdomains
curl -s "https://crt.sh/?q=%25.${DOMAIN}&output=json" | \
jq -r '.[].name_value' | \
sed 's/\*\.//g' | \
sort -u | \
grep -E "^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.${DOMAIN}$" | \
head -n "$MAX_SUBDOMAINS" > subdomains_discovered.txt
SUBDOMAIN_COUNT=$(wc -l < subdomains_discovered.txt)
echo "$SUBDOMAIN_COUNT" > subdomain_count.txt
log_success "Discovered $SUBDOMAIN_COUNT subdomains (limited to $MAX_SUBDOMAINS)"
log_debug "Subdomains saved to: subdomains_discovered.txt"
}
################################################################################
# SSL/TLS Analysis
################################################################################
ssl_tls_analysis() {
log_info "Analyzing SSL/TLS configuration..."
log_debug "Connecting to ${DOMAIN}:443 for certificate analysis"
# Get certificate details
log_debug "Extracting certificate details..."
echo | openssl s_client -connect "${DOMAIN}:443" -servername "$DOMAIN" 2>/dev/null | \
openssl x509 -noout -text > certificate_details.txt 2>&1
# Extract key information
log_debug "Extracting certificate issuer..."
CERT_ISSUER=$(echo | openssl s_client -connect "${DOMAIN}:443" -servername "$DOMAIN" 2>/dev/null | \
openssl x509 -noout -issuer | sed 's/issuer=//')
log_debug "Extracting certificate subject..."
CERT_SUBJECT=$(echo | openssl s_client -connect "${DOMAIN}:443" -servername "$DOMAIN" 2>/dev/null | \
openssl x509 -noout -subject | sed 's/subject=//')
log_debug "Extracting certificate dates..."
CERT_DATES=$(echo | openssl s_client -connect "${DOMAIN}:443" -servername "$DOMAIN" 2>/dev/null | \
openssl x509 -noout -dates)
echo "$CERT_ISSUER" > cert_issuer.txt
echo "$CERT_SUBJECT" > cert_subject.txt
echo "$CERT_DATES" > cert_dates.txt
log_debug "Certificate issuer: $CERT_ISSUER"
log_debug "Certificate subject: $CERT_SUBJECT"
# Enumerate SSL/TLS ciphers
log_info "Enumerating SSL/TLS ciphers..."
log_debug "Running nmap ssl-enum-ciphers script on port 443"
if [ -n "$NETWORK_INTERFACE" ]; then
nmap --script ssl-enum-ciphers -p 443 "$DOMAIN" -e "$NETWORK_INTERFACE" -oN ssl_ciphers.txt > /dev/null 2>&1
else
nmap --script ssl-enum-ciphers -p 443 "$DOMAIN" -oN ssl_ciphers.txt > /dev/null 2>&1
fi
# Check for TLS versions
log_debug "Analyzing TLS protocol versions..."
TLS_12=$(grep -c "TLSv1.2" ssl_ciphers.txt || echo "0")
TLS_13=$(grep -c "TLSv1.3" ssl_ciphers.txt || echo "0")
TLS_10=$(grep -c "TLSv1.0" ssl_ciphers.txt || echo "0")
TLS_11=$(grep -c "TLSv1.1" ssl_ciphers.txt || echo "0")
echo "TLSv1.0: $TLS_10" > tls_versions.txt
echo "TLSv1.1: $TLS_11" >> tls_versions.txt
echo "TLSv1.2: $TLS_12" >> tls_versions.txt
echo "TLSv1.3: $TLS_13" >> tls_versions.txt
log_debug "TLS versions found - 1.0:$TLS_10 1.1:$TLS_11 1.2:$TLS_12 1.3:$TLS_13"
# Check for SSL vulnerabilities
log_info "Checking for SSL/TLS vulnerabilities..."
log_debug "Running SSL vulnerability scripts (heartbleed, poodle, dh-params)"
if [ -n "$NETWORK_INTERFACE" ]; then
nmap --script ssl-heartbleed,ssl-poodle,ssl-dh-params -p 443 "$DOMAIN" -e "$NETWORK_INTERFACE" -oN ssl_vulnerabilities.txt > /dev/null 2>&1
else
nmap --script ssl-heartbleed,ssl-poodle,ssl-dh-params -p 443 "$DOMAIN" -oN ssl_vulnerabilities.txt > /dev/null 2>&1
fi
log_success "SSL/TLS analysis complete"
}
################################################################################
# Port Scanning with Service Detection
################################################################################
port_scanning() {
log_info "Performing comprehensive port scan..."
log_debug "Target IP: $IP_ADDRESS"
log_debug "Using network interface: $NETWORK_INTERFACE"
# Quick scan of top 1000 ports
log_info "Scanning top 1000 ports..."
log_debug "Running nmap with service version detection (-sV) and default scripts (-sC)"
if [ -n "$NETWORK_INTERFACE" ]; then
nmap -sV -sC --top-ports 1000 "$IP_ADDRESS" -e "$NETWORK_INTERFACE" -oN port_scan_top1000.txt > /dev/null 2>&1
else
nmap -sV -sC --top-ports 1000 "$IP_ADDRESS" -oN port_scan_top1000.txt > /dev/null 2>&1
fi
# Count open ports
OPEN_PORTS=$(grep -c "^[0-9]*/tcp.*open" port_scan_top1000.txt || echo "0")
echo "$OPEN_PORTS" > open_ports_count.txt
log_debug "Found $OPEN_PORTS open ports"
# Extract open ports list with versions
log_debug "Extracting open ports list with service information"
grep "^[0-9]*/tcp.*open" port_scan_top1000.txt | awk '{print $1, $3, $4, $5, $6}' > open_ports_list.txt
# Detect service versions for old software
log_info "Detecting service versions..."
log_debug "Filtering service version information"
grep "^[0-9]*/tcp.*open" port_scan_top1000.txt | grep -E "version|product" > service_versions.txt
log_success "Port scan complete: $OPEN_PORTS open ports found"
}
################################################################################
# Vulnerability Scanning
################################################################################
vulnerability_scanning() {
if [ "$VULN_SCAN" = false ]; then
log_info "Vulnerability scanning disabled"
log_debug "Skipping vulnerability scanning"
return
fi
log_info "Performing vulnerability scanning (this may take 10-20 minutes)..."
log_debug "Target: $IP_ADDRESS"
log_debug "Using network interface: $NETWORK_INTERFACE"
# NMAP vulnerability scripts
log_info "Running NMAP vulnerability scripts..."
log_debug "Starting comprehensive vulnerability scan on all ports (-p-)"
if [ -n "$NETWORK_INTERFACE" ]; then
nmap --script vuln -p- "$IP_ADDRESS" -e "$NETWORK_INTERFACE" -oN nmap_vuln_scan.txt > /dev/null 2>&1 &
else
nmap --script vuln -p- "$IP_ADDRESS" -oN nmap_vuln_scan.txt > /dev/null 2>&1 &
fi
VULN_PID=$!
log_debug "Vulnerability scan PID: $VULN_PID"
# Wait with progress indicator
log_debug "Waiting for vulnerability scan to complete..."
while kill -0 $VULN_PID 2>/dev/null; do
echo -n "."
sleep 5
done
echo
# Parse vulnerability results
if [ -f nmap_vuln_scan.txt ]; then
log_debug "Parsing vulnerability scan results"
grep -i "VULNERABLE" nmap_vuln_scan.txt > vulnerabilities_found.txt || echo "No vulnerabilities found" > vulnerabilities_found.txt
VULN_COUNT=$(grep -c "VULNERABLE" nmap_vuln_scan.txt || echo "0")
echo "$VULN_COUNT" > vulnerability_count.txt
log_success "Vulnerability scan complete: $VULN_COUNT vulnerabilities found"
log_debug "Vulnerability details saved to: vulnerabilities_found.txt"
fi
# Check for specific vulnerabilities
log_info "Checking for common HTTP vulnerabilities..."
log_debug "Running HTTP vulnerability scripts on ports 80,443,8080,8443"
if [ -n "$NETWORK_INTERFACE" ]; then
nmap --script http-vuln-* -p 80,443,8080,8443 "$IP_ADDRESS" -e "$NETWORK_INTERFACE" -oN http_vulnerabilities.txt > /dev/null 2>&1
else
nmap --script http-vuln-* -p 80,443,8080,8443 "$IP_ADDRESS" -oN http_vulnerabilities.txt > /dev/null 2>&1
fi
log_debug "HTTP vulnerability scan complete"
}
################################################################################
# hping3 Testing
################################################################################
hping3_testing() {
if ! command -v hping3 >/dev/null 2>&1; then
log_warning "hping3 not installed, skipping firewall tests"
log_debug "hping3 command not found in PATH"
return
fi
log_info "Performing hping3 firewall tests..."
log_debug "Target: $IP_ADDRESS"
log_debug "Using network interface: $NETWORK_INTERFACE"
# TCP SYN scan
log_info "Testing TCP SYN response..."
log_debug "Sending 5 TCP SYN packets to port 80"
if [ -n "$NETWORK_INTERFACE" ]; then
timeout 10 hping3 -S -p 80 -c 5 -I "$NETWORK_INTERFACE" "$IP_ADDRESS" > hping3_syn.txt 2>&1 || true
else
timeout 10 hping3 -S -p 80 -c 5 "$IP_ADDRESS" > hping3_syn.txt 2>&1 || true
fi
log_debug "TCP SYN test complete"
# TCP ACK scan (firewall detection)
log_info "Testing firewall with TCP ACK..."
log_debug "Sending 5 TCP ACK packets to port 80 for firewall detection"
if [ -n "$NETWORK_INTERFACE" ]; then
timeout 10 hping3 -A -p 80 -c 5 -I "$NETWORK_INTERFACE" "$IP_ADDRESS" > hping3_ack.txt 2>&1 || true
else
timeout 10 hping3 -A -p 80 -c 5 "$IP_ADDRESS" > hping3_ack.txt 2>&1 || true
fi
log_debug "TCP ACK test complete"
# ICMP test
log_info "Testing ICMP response..."
log_debug "Sending 5 ICMP echo requests"
if [ -n "$NETWORK_INTERFACE" ]; then
timeout 10 hping3 -1 -c 5 -I "$NETWORK_INTERFACE" "$IP_ADDRESS" > hping3_icmp.txt 2>&1 || true
else
timeout 10 hping3 -1 -c 5 "$IP_ADDRESS" > hping3_icmp.txt 2>&1 || true
fi
log_debug "ICMP test complete"
log_success "hping3 tests complete"
}
################################################################################
# Asset Discovery
################################################################################
asset_discovery() {
log_info "Performing detailed asset discovery..."
log_debug "Creating assets directory"
mkdir -p assets
# Web technology detection
log_info "Detecting web technologies..."
log_debug "Fetching HTTP headers from https://${DOMAIN}"
curl -s -I "https://${DOMAIN}" | grep -i "server\|x-powered-by\|x-aspnet-version" > assets/web_technologies.txt
log_debug "Web technologies saved to: assets/web_technologies.txt"
# Detect CMS
log_info "Detecting CMS and frameworks..."
log_debug "Analyzing page content for CMS signatures"
curl -s "https://${DOMAIN}" | grep -iE "wordpress|joomla|drupal|magento|shopify" > assets/cms_detection.txt || echo "No CMS detected" > assets/cms_detection.txt
log_debug "CMS detection complete"
# JavaScript libraries
log_info "Detecting JavaScript libraries..."
log_debug "Searching for common JavaScript libraries"
curl -s "https://${DOMAIN}" | grep -oE "jquery|angular|react|vue|bootstrap" | sort -u > assets/js_libraries.txt || echo "None detected" > assets/js_libraries.txt
log_debug "JavaScript libraries saved to: assets/js_libraries.txt"
# Check for common files
log_info "Checking for common files..."
log_debug "Testing for robots.txt, sitemap.xml, security.txt, etc."
for file in robots.txt sitemap.xml security.txt .well-known/security.txt humans.txt; do
log_debug "Checking for: $file"
if curl -s -o /dev/null -w "%{http_code}" "https://${DOMAIN}/${file}" | grep -q "200"; then
echo "$file: Found" >> assets/common_files.txt
log_debug "Found: $file"
curl -s "https://${DOMAIN}/${file}" > "assets/${file//\//_}"
fi
done
# Server fingerprinting
log_info "Fingerprinting server..."
log_debug "Running nmap HTTP server header and title scripts"
if [ -n "$NETWORK_INTERFACE" ]; then
nmap -sV --script http-server-header,http-title -p 80,443 "$IP_ADDRESS" -e "$NETWORK_INTERFACE" -oN assets/server_fingerprint.txt > /dev/null 2>&1
else
nmap -sV --script http-server-header,http-title -p 80,443 "$IP_ADDRESS" -oN assets/server_fingerprint.txt > /dev/null 2>&1
fi
log_success "Asset discovery complete"
}
################################################################################
# Old Software Detection
################################################################################
detect_old_software() {
log_info "Detecting outdated software versions..."
log_debug "Creating old_software directory"
mkdir -p old_software
# Parse service versions from port scan
if [ -f service_versions.txt ]; then
log_debug "Analyzing service versions for outdated software"
# Check for old Apache versions
log_debug "Checking for old Apache versions..."
grep -i "apache" service_versions.txt | grep -E "1\.|2\.0|2\.2" > old_software/apache_old.txt || true
# Check for old OpenSSH versions
log_debug "Checking for old OpenSSH versions..."
grep -i "openssh" service_versions.txt | grep -E "[1-6]\." > old_software/openssh_old.txt || true
# Check for old PHP versions
log_debug "Checking for old PHP versions..."
grep -i "php" service_versions.txt | grep -E "[1-5]\." > old_software/php_old.txt || true
# Check for old MySQL versions
log_debug "Checking for old MySQL versions..."
grep -i "mysql" service_versions.txt | grep -E "[1-4]\." > old_software/mysql_old.txt || true
# Check for old nginx versions
log_debug "Checking for old nginx versions..."
grep -i "nginx" service_versions.txt | grep -E "0\.|1\.0|1\.1[0-5]" > old_software/nginx_old.txt || true
fi
# Check SSL/TLS for old versions
if [ "$TLS_10" -gt 0 ] || [ "$TLS_11" -gt 0 ]; then
log_debug "Outdated TLS protocols detected"
echo "Outdated TLS protocols detected: TLSv1.0 or TLSv1.1" > old_software/tls_old.txt
fi
# Count old software findings
OLD_SOFTWARE_COUNT=$(find old_software -type f ! -empty | wc -l)
echo "$OLD_SOFTWARE_COUNT" > old_software_count.txt
if [ "$OLD_SOFTWARE_COUNT" -gt 0 ]; then
log_warning "Found $OLD_SOFTWARE_COUNT outdated software components"
log_debug "Outdated software details saved in old_software/ directory"
else
log_success "No obviously outdated software detected"
fi
}
################################################################################
# API Discovery
################################################################################
api_discovery() {
if [ "$API_SCAN" = false ]; then
log_info "API scanning disabled"
log_debug "Skipping API discovery"
return
fi
log_info "Discovering APIs..."
log_debug "Creating api_discovery directory"
mkdir -p api_discovery
# Common API paths
API_PATHS=(
"/api"
"/api/v1"
"/api/v2"
"/rest"
"/graphql"
"/swagger"
"/swagger.json"
"/api-docs"
"/openapi.json"
"/.well-known/openapi"
)
log_debug "Testing ${#API_PATHS[@]} common API endpoints"
for path in "${API_PATHS[@]}"; do
log_debug "Testing: $path"
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "https://${DOMAIN}${path}")
if [ "$HTTP_CODE" != "404" ]; then
echo "$path: HTTP $HTTP_CODE" >> api_discovery/endpoints_found.txt
log_debug "Found API endpoint: $path (HTTP $HTTP_CODE)"
curl -s "https://${DOMAIN}${path}" > "api_discovery/${path//\//_}.txt" 2>/dev/null || true
fi
done
# Check for API documentation
log_info "Checking for API documentation..."
log_debug "Testing for Swagger UI and API docs"
curl -s "https://${DOMAIN}/swagger-ui" > api_discovery/swagger_ui.txt 2>/dev/null || true
curl -s "https://${DOMAIN}/api/docs" > api_discovery/api_docs.txt 2>/dev/null || true
log_success "API discovery complete"
}
################################################################################
# API Permission Testing
################################################################################
api_permission_testing() {
if [ "$API_SCAN" = false ]; then
log_debug "API scanning disabled, skipping permission testing"
return
fi
log_info "Testing API permissions..."
log_debug "Creating api_permissions directory"
mkdir -p api_permissions
# Test common API endpoints without authentication
if [ -f api_discovery/endpoints_found.txt ]; then
log_debug "Testing discovered API endpoints for authentication issues"
while IFS= read -r endpoint; do
API_PATH=$(echo "$endpoint" | cut -d: -f1)
# Test GET without auth
log_info "Testing $API_PATH without authentication..."
log_debug "Sending unauthenticated GET request to $API_PATH"
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "https://${DOMAIN}${API_PATH}")
echo "$API_PATH: $HTTP_CODE" >> api_permissions/unauth_access.txt
log_debug "Response: HTTP $HTTP_CODE"
# Test common HTTP methods
log_debug "Testing HTTP methods on $API_PATH"
for method in GET POST PUT DELETE PATCH; do
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X "$method" "https://${DOMAIN}${API_PATH}")
if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "201" ]; then
log_warning "$API_PATH allows $method without authentication (HTTP $HTTP_CODE)"
echo "$API_PATH: $method - HTTP $HTTP_CODE" >> api_permissions/method_issues.txt
fi
done
done < api_discovery/endpoints_found.txt
fi
# Check for CORS misconfigurations
log_info "Checking CORS configuration..."
log_debug "Testing CORS headers with evil.com origin"
curl -s -H "Origin: https://evil.com" -I "https://${DOMAIN}/api" | grep -i "access-control" > api_permissions/cors_headers.txt || true
log_success "API permission testing complete"
}
################################################################################
# HTTP Security Headers
################################################################################
http_security_headers() {
log_info "Analyzing HTTP security headers..."
log_debug "Fetching headers from https://${DOMAIN}"
# Get headers from main domain
curl -I "https://${DOMAIN}" 2>/dev/null > http_headers.txt
# Check for specific security headers
declare -A HEADERS=(
["x-frame-options"]="X-Frame-Options"
["x-content-type-options"]="X-Content-Type-Options"
["strict-transport-security"]="Strict-Transport-Security"
["content-security-policy"]="Content-Security-Policy"
["referrer-policy"]="Referrer-Policy"
["permissions-policy"]="Permissions-Policy"
["x-xss-protection"]="X-XSS-Protection"
)
log_debug "Checking for security headers"
> security_headers_status.txt
for header in "${!HEADERS[@]}"; do
if grep -qi "^${header}:" http_headers.txt; then
security_headers_status.txt
else
echo "${HEADERS[$header]}: Missing" >> security_headers_status.txt
fi
done
log_success "HTTP security headers analysis complete"
}
################################################################################
# Subdomain Scanning
################################################################################
scan_subdomains() {
if [ "$SCAN_SUBDOMAINS" = false ] || [ ! -f subdomains_discovered.txt ]; then
log_debug "Subdomain scanning disabled or no subdomains discovered"
return
fi
log_info "Scanning discovered subdomains..."
log_debug "Creating subdomain_scans directory"
mkdir -p subdomain_scans
local count=0
while IFS= read -r subdomain; do
count=$((count + 1))
log_info "Scanning subdomain $count/$SUBDOMAIN_COUNT: $subdomain"
log_debug "Testing accessibility of $subdomain"
# Quick check if subdomain is accessible
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "https://${subdomain}" --max-time 5)
if echo "$HTTP_CODE" | grep -q "^[2-4]"; then
log_debug "$subdomain is accessible (HTTP $HTTP_CODE)"
# Get headers
log_debug "Fetching headers from $subdomain"
curl -I "https://${subdomain}" 2>/dev/null > "subdomain_scans/${subdomain}_headers.txt"
# Quick port check (top 100 ports)
log_debug "Scanning top 100 ports on $subdomain"
if [ -n "$NETWORK_INTERFACE" ]; then
nmap --top-ports 100 "$subdomain" -e "$NETWORK_INTERFACE" -oN "subdomain_scans/${subdomain}_ports.txt" > /dev/null 2>&1
else
nmap --top-ports 100 "$subdomain" -oN "subdomain_scans/${subdomain}_ports.txt" > /dev/null 2>&1
fi
# Check for old software
log_debug "Checking service versions on $subdomain"
if [ -n "$NETWORK_INTERFACE" ]; then
nmap -sV --top-ports 10 "$subdomain" -e "$NETWORK_INTERFACE" -oN "subdomain_scans/${subdomain}_versions.txt" > /dev/null 2>&1
else
nmap -sV --top-ports 10 "$subdomain" -oN "subdomain_scans/${subdomain}_versions.txt" > /dev/null 2>&1
fi
log_success "Scanned: $subdomain (HTTP $HTTP_CODE)"
else
log_warning "Subdomain not accessible: $subdomain (HTTP $HTTP_CODE)"
fi
done < subdomains_discovered.txt
log_success "Subdomain scanning complete"
}
################################################################################
# Generate Executive Summary
################################################################################
generate_executive_summary() {
log_info "Generating executive summary..."
log_debug "Creating executive summary report"
cat > "$EXEC_REPORT" << EOF
# Executive Summary
## Enhanced Security Assessment Report
**Target Domain:** $DOMAIN
**Target IP:** $IP_ADDRESS
**Scan Date:** $SCAN_DATE
**Scanner Version:** $VERSION
**Network Interface:** $NETWORK_INTERFACE
---
## Overview
This report summarizes the comprehensive security assessment findings for $DOMAIN. The assessment included passive reconnaissance, vulnerability scanning, asset discovery, and API security testing.
---
## Key Findings
### 1. Domain Information
- **Primary Domain:** $DOMAIN
- **IP Address:** $IP_ADDRESS
- **Subdomains Discovered:** $(cat subdomain_count.txt)
### 2. SSL/TLS Configuration
**Certificate Information:**
\`\`\`
Issuer: $(cat cert_issuer.txt)
Subject: $(cat cert_subject.txt)
$(cat cert_dates.txt)
\`\`\`
**TLS Protocol Support:**
\`\`\`
$(cat tls_versions.txt)
\`\`\`
**Assessment:**
EOF
# Add TLS assessment
if [ "$TLS_10" -gt 0 ] || [ "$TLS_11" -gt 0 ]; then
echo "⚠️ **Warning:** Outdated TLS protocols detected (TLSv1.0/1.1)" >> "$EXEC_REPORT"
else
echo "✅ **Good:** Only modern TLS protocols detected (TLSv1.2/1.3)" >> "$EXEC_REPORT"
fi
cat >> "$EXEC_REPORT" << EOF
### 3. Port Exposure
- **Open Ports (Top 1000):** $(cat open_ports_count.txt)
**Open Ports List:**
\`\`\`
$(cat open_ports_list.txt)
\`\`\`
### 4. Vulnerability Assessment
EOF
if [ "$VULN_SCAN" = true ] && [ -f vulnerability_count.txt ]; then
cat >> "$EXEC_REPORT" << EOF
- **Vulnerabilities Found:** $(cat vulnerability_count.txt)
**Critical Vulnerabilities:**
\`\`\`
$(head -20 vulnerabilities_found.txt)
\`\`\`
EOF
else
echo "Vulnerability scanning was not performed." >> "$EXEC_REPORT"
fi
cat >> "$EXEC_REPORT" << EOF
### 5. Outdated Software
- **Outdated Components Found:** $(cat old_software_count.txt)
EOF
if [ -d old_software ] && [ "$(ls -A old_software)" ]; then
echo "**Outdated Software Detected:**" >> "$EXEC_REPORT"
echo "\`\`\`" >> "$EXEC_REPORT"
find old_software -type f ! -empty -exec basename {} \; >> "$EXEC_REPORT"
echo "\`\`\`" >> "$EXEC_REPORT"
fi
cat >> "$EXEC_REPORT" << EOF
### 6. API Security
EOF
if [ "$API_SCAN" = true ]; then
if [ -f api_discovery/endpoints_found.txt ]; then
cat >> "$EXEC_REPORT" << EOF
**API Endpoints Discovered:**
\`\`\`
$(cat api_discovery/endpoints_found.txt)
\`\`\`
EOF
fi
if [ -f api_permissions/method_issues.txt ]; then
cat >> "$EXEC_REPORT" << EOF
**API Permission Issues:**
\`\`\`
$(cat api_permissions/method_issues.txt)
\`\`\`
EOF
fi
else
echo "API scanning was not performed." >> "$EXEC_REPORT"
fi
cat >> "$EXEC_REPORT" << EOF
### 7. HTTP Security Headers
\`\`\`
$(cat security_headers_status.txt)
\`\`\`
---
## Priority Recommendations
### Immediate Actions (Priority 1)
EOF
# Add specific recommendations
if [ "$TLS_10" -gt 0 ] || [ "$TLS_11" -gt 0 ]; then
echo "1. **Disable TLSv1.0/1.1:** Update TLS configuration immediately" >> "$EXEC_REPORT"
fi
if [ -f vulnerability_count.txt ] && [ "$(cat vulnerability_count.txt)" -gt 0 ]; then
echo "2. **Patch Vulnerabilities:** Address $(cat vulnerability_count.txt) identified vulnerabilities" >> "$EXEC_REPORT"
fi
if [ -f old_software_count.txt ] && [ "$(cat old_software_count.txt)" -gt 0 ]; then
echo "3. **Update Software:** Upgrade $(cat old_software_count.txt) outdated components" >> "$EXEC_REPORT"
fi
if grep -q "Missing" security_headers_status.txt; then
echo "4. **Implement Security Headers:** Add missing HTTP security headers" >> "$EXEC_REPORT"
fi
if [ -f api_permissions/method_issues.txt ]; then
echo "5. **Fix API Permissions:** Implement proper authentication on exposed APIs" >> "$EXEC_REPORT"
fi
cat >> "$EXEC_REPORT" << EOF
### Review Actions (Priority 2)
1. Review all open ports and close unnecessary services
2. Audit subdomain inventory and decommission unused subdomains
3. Implement API authentication and authorization
4. Regular vulnerability scanning schedule
5. Software update policy and procedures
---
## Next Steps
1. Review detailed technical and vulnerability reports
2. Prioritize remediation based on risk assessment
3. Implement security improvements
4. Schedule follow-up assessment after remediation
---
**Report Generated:** $(date)
**Scan Directory:** $SCAN_DIR
**Additional Reports:**
- Technical Report: technical_report.md
- Vulnerability Report: vulnerability_report.md
- API Security Report: api_security_report.md
EOF
log_success "Executive summary generated: $EXEC_REPORT"
log_debug "Executive summary saved to: $SCAN_DIR/$EXEC_REPORT"
}
################################################################################
# Generate Technical Report
################################################################################
generate_technical_report() {
log_info "Generating detailed technical report..."
log_debug "Creating technical report"
cat > "$TECH_REPORT" << EOF
# Technical Security Assessment Report
## Target: $DOMAIN
**Assessment Date:** $SCAN_DATE
**Target IP:** $IP_ADDRESS
**Scanner Version:** $VERSION
**Network Interface:** $NETWORK_INTERFACE
**Classification:** CONFIDENTIAL
---
## 1. Scope
**Primary Target:** $DOMAIN
**IP Address:** $IP_ADDRESS
**Subdomain Scanning:** $([ "$SCAN_SUBDOMAINS" = true ] && echo "Enabled" || echo "Disabled")
**Vulnerability Scanning:** $([ "$VULN_SCAN" = true ] && echo "Enabled" || echo "Disabled")
**API Testing:** $([ "$API_SCAN" = true ] && echo "Enabled" || echo "Disabled")
---
## 2. DNS Configuration
\`\`\`
$(cat dns_records.txt)
\`\`\`
---
## 3. SSL/TLS Configuration
\`\`\`
$(cat certificate_details.txt)
\`\`\`
---
## 4. Port Scan Results
\`\`\`
$(cat port_scan_top1000.txt)
\`\`\`
---
## 5. Vulnerability Assessment
EOF
if [ "$VULN_SCAN" = true ]; then
cat >> "$TECH_REPORT" << EOF
### 5.1 NMAP Vulnerability Scan
\`\`\`
$(cat nmap_vuln_scan.txt)
\`\`\`
### 5.2 HTTP Vulnerabilities
\`\`\`
$(cat http_vulnerabilities.txt)
\`\`\`
### 5.3 SSL/TLS Vulnerabilities
\`\`\`
$(cat ssl_vulnerabilities.txt)
\`\`\`
EOF
fi
cat >> "$TECH_REPORT" << EOF
---
## 6. Asset Discovery
### 6.1 Web Technologies
\`\`\`
$(cat assets/web_technologies.txt)
\`\`\`
### 6.2 CMS Detection
\`\`\`
$(cat assets/cms_detection.txt)
\`\`\`
### 6.3 JavaScript Libraries
\`\`\`
$(cat assets/js_libraries.txt)
\`\`\`
### 6.4 Common Files
\`\`\`
$(cat assets/common_files.txt 2>/dev/null || echo "No common files found")
\`\`\`
---
## 7. Outdated Software
EOF
if [ -d old_software ] && [ "$(ls -A old_software)" ]; then
for file in old_software/*.txt; do
if [ -f "$file" ] && [ -s "$file" ]; then
echo "### $(basename "$file" .txt)" >> "$TECH_REPORT"
echo "\`\`\`" >> "$TECH_REPORT"
cat "$file" >> "$TECH_REPORT"
echo "\`\`\`" >> "$TECH_REPORT"
echo >> "$TECH_REPORT"
fi
done
else
echo "No outdated software detected." >> "$TECH_REPORT"
fi
cat >> "$TECH_REPORT" << EOF
---
## 8. API Security
EOF
if [ "$API_SCAN" = true ]; then
cat >> "$TECH_REPORT" << EOF
### 8.1 API Endpoints
\`\`\`
$(cat api_discovery/endpoints_found.txt 2>/dev/null || echo "No API endpoints found")
\`\`\`
### 8.2 API Permissions
\`\`\`
$(cat api_permissions/unauth_access.txt 2>/dev/null || echo "No permission issues found")
\`\`\`
### 8.3 CORS Configuration
\`\`\`
$(cat api_permissions/cors_headers.txt 2>/dev/null || echo "No CORS headers found")
\`\`\`
EOF
fi
cat >> "$TECH_REPORT" << EOF
---
## 9. HTTP Security Headers
\`\`\`
$(cat http_headers.txt)
\`\`\`
**Security Headers Status:**
\`\`\`
$(cat security_headers_status.txt)
\`\`\`
---
## 10. Recommendations
### 10.1 Immediate Actions
EOF
# Add recommendations
if [ "$TLS_10" -gt 0 ] || [ "$TLS_11" -gt 0 ]; then
echo "1. Disable TLSv1.0 and TLSv1.1 protocols" >> "$TECH_REPORT"
fi
if [ -f vulnerability_count.txt ] && [ "$(cat vulnerability_count.txt)" -gt 0 ]; then
echo "2. Patch identified vulnerabilities" >> "$TECH_REPORT"
fi
if [ -f old_software_count.txt ] && [ "$(cat old_software_count.txt)" -gt 0 ]; then
echo "3. Update outdated software components" >> "$TECH_REPORT"
fi
cat >> "$TECH_REPORT" << EOF
### 10.2 Review Actions
1. Review all open ports and services
2. Audit subdomain inventory
3. Implement missing security headers
4. Review API authentication
5. Regular security assessments
---
## 11. Document Control
**Classification:** CONFIDENTIAL
**Distribution:** Security Team, Infrastructure Team
**Prepared By:** Enhanced Security Scanner v$VERSION
**Date:** $(date)
---
**END OF TECHNICAL REPORT**
EOF
log_success "Technical report generated: $TECH_REPORT"
log_debug "Technical report saved to: $SCAN_DIR/$TECH_REPORT"
}
################################################################################
# Generate Vulnerability Report
################################################################################
generate_vulnerability_report() {
if [ "$VULN_SCAN" = false ]; then
log_debug "Vulnerability scanning disabled, skipping vulnerability report"
return
fi
log_info "Generating vulnerability report..."
log_debug "Creating vulnerability report"
cat > "$VULN_REPORT" << EOF
# Vulnerability Assessment Report
## Target: $DOMAIN
**Assessment Date:** $SCAN_DATE
**Target IP:** $IP_ADDRESS
**Scanner Version:** $VERSION
---
## Executive Summary
**Total Vulnerabilities Found:** $(cat vulnerability_count.txt)
---
## 1. NMAP Vulnerability Scan
\`\`\`
$(cat nmap_vuln_scan.txt)
\`\`\`
---
## 2. HTTP Vulnerabilities
\`\`\`
$(cat http_vulnerabilities.txt)
\`\`\`
---
## 3. SSL/TLS Vulnerabilities
\`\`\`
$(cat ssl_vulnerabilities.txt)
\`\`\`
---
## 4. Detailed Findings
\`\`\`
$(cat vulnerabilities_found.txt)
\`\`\`
---
**END OF VULNERABILITY REPORT**
EOF
log_success "Vulnerability report generated: $VULN_REPORT"
log_debug "Vulnerability report saved to: $SCAN_DIR/$VULN_REPORT"
}
################################################################################
# Generate API Security Report
################################################################################
generate_api_report() {
if [ "$API_SCAN" = false ]; then
log_debug "API scanning disabled, skipping API report"
return
fi
log_info "Generating API security report..."
log_debug "Creating API security report"
cat > "$API_REPORT" << EOF
# API Security Assessment Report
## Target: $DOMAIN
**Assessment Date:** $SCAN_DATE
**Scanner Version:** $VERSION
---
## 1. API Discovery
### 1.1 Endpoints Found
\`\`\`
$(cat api_discovery/endpoints_found.txt 2>/dev/null || echo "No API endpoints found")
\`\`\`
---
## 2. Permission Testing
### 2.1 Unauthenticated Access
\`\`\`
$(cat api_permissions/unauth_access.txt 2>/dev/null || echo "No unauthenticated access issues")
\`\`\`
### 2.2 HTTP Method Issues
\`\`\`
$(cat api_permissions/method_issues.txt 2>/dev/null || echo "No method issues found")
\`\`\`
---
## 3. CORS Configuration
\`\`\`
$(cat api_permissions/cors_headers.txt 2>/dev/null || echo "No CORS issues found")
\`\`\`
---
**END OF API SECURITY REPORT**
EOF
log_success "API security report generated: $API_REPORT"
log_debug "API security report saved to: $SCAN_DIR/$API_REPORT"
}
################################################################################
# Main Execution
################################################################################
main() {
echo "========================================"
echo "Enhanced Security Scanner v${VERSION}"
echo "========================================"
echo
log_debug "Script started at $(date)"
log_debug "Network interface: $NETWORK_INTERFACE"
log_debug "Debug mode: $DEBUG"
echo
# Check dependencies
check_dependencies
# Initialize scan
initialize_scan
# Run scans
log_debug "Starting DNS reconnaissance phase"
dns_reconnaissance
log_debug "Starting subdomain discovery phase"
discover_subdomains
log_debug "Starting SSL/TLS analysis phase"
ssl_tls_analysis
log_debug "Starting port scanning phase"
port_scanning
if [ "$VULN_SCAN" = true ]; then
log_debug "Starting vulnerability scanning phase"
vulnerability_scanning
fi
log_debug "Starting hping3 testing phase"
hping3_testing
log_debug "Starting asset discovery phase"
asset_discovery
log_debug "Starting old software detection phase"
detect_old_software
if [ "$API_SCAN" = true ]; then
log_debug "Starting API discovery phase"
api_discovery
log_debug "Starting API permission testing phase"
api_permission_testing
fi
log_debug "Starting HTTP security headers analysis phase"
http_security_headers
log_debug "Starting subdomain scanning phase"
scan_subdomains
# Generate reports
log_debug "Starting report generation phase"
generate_executive_summary
generate_technical_report
generate_vulnerability_report
generate_api_report
# Summary
echo
echo "========================================"
log_success "Scan Complete!"
echo "========================================"
echo
log_info "Scan directory: $SCAN_DIR"
log_info "Executive summary: $SCAN_DIR/$EXEC_REPORT"
log_info "Technical report: $SCAN_DIR/$TECH_REPORT"
if [ "$VULN_SCAN" = true ]; then
log_info "Vulnerability report: $SCAN_DIR/$VULN_REPORT"
fi
if [ "$API_SCAN" = true ]; then
log_info "API security report: $SCAN_DIR/$API_REPORT"
fi
echo
log_info "Review the reports for detailed findings"
log_debug "Script completed at $(date)"
}
################################################################################
# Parse Command Line Arguments
################################################################################
DOMAIN=""
SCAN_SUBDOMAINS=false
MAX_SUBDOMAINS=10
VULN_SCAN=false
API_SCAN=false
while getopts "d:sm:vah" opt; do
case $opt in
d)
DOMAIN="$OPTARG"
;;
s)
SCAN_SUBDOMAINS=true
;;
m)
MAX_SUBDOMAINS="$OPTARG"
;;
v)
VULN_SCAN=true
;;
a)
API_SCAN=true
;;
h)
usage
;;
\?)
log_error "Invalid option: -$OPTARG"
usage
;;
esac
done
# Validate required arguments
if [ -z "$DOMAIN" ]; then
log_error "Domain is required"
usage
fi
# Run main function
main
echo "${HEADERS[$header]}: Present" >>
EOF
chmod +x ./security_scanner_enhanced.sh