🏴☠️ Information Gathering tool 🏴☠️ - DNS / Subdomains / Ports / Directories enumeration
Coded with 💙 by edoardottt
Share on Twitter!
Preview • Install • Get Started • Examples • Contributing • License
docker build -t scilla .
docker run scilla help
You need Go.
-
Linux
git clone https://github.com/edoardottt/scilla.git
cd scilla
go get
make linux
(to install)- Edit the
~/.config/scilla/keys.yaml
file if you want to use api keys make unlinux
(to uninstall)
-
Windows (executable works only in scilla folder. Alias?)
git clone https://github.com/edoardottt/scilla.git
cd scilla
go get
.\make.bat windows
(to install)- Create a
keys.yaml
file if you want to use api keys .\make.bat unwindows
(to uninstall)
scilla help
prints the help in the command line.
usage: scilla subcommand { options }
Available subcommands:
- dns [-o output-format]
[-plain Print only results]
-target <target (URL/IP)> REQUIRED
- port [-p <start-end> or ports divided by comma]
[-o output-format]
[-common scan common ports]
[-plain Print only results]
-target <target (URL/IP)> REQUIRED
- subdomain [-w wordlist]
[-o output-format]
[-i ignore status codes]
[-c use also a web crawler]
[-db use also a public database]
[-plain Print only results]
[-db -no-check Don't check status codes for subdomains]
[-db -spyse Use Spyse as subdomains source]
[-db -vt Use VirusTotal as subdomains source]
-target <target (URL)> REQUIRED
- dir [-w wordlist]
[-o output-format]
[-i ignore status codes]
[-c use also a web crawler]
[-plain Print only results]
[-nr No follow redirects]
-target <target (URL)> REQUIRED
- report [-p <start-end> or ports divided by comma]
[-ws subdomains wordlist]
[-wd directories wordlist]
[-o output-format]
[-id ignore status codes in directories scanning]
[-is ignore status codes in subdomains scanning]
[-cd use also a web crawler for directories scanning]
[-cs use also a web crawler for subdomains scanning]
[-db use also a public database for subdomains scanning]
[-common scan common ports]
[-nr No follow redirects]
[-db -spyse Use Spyse as subdomains source]
[-db -vt Use VirusTotal as subdomains source]
-target <target (URL/IP)> REQUIRED
- help
- examples
-
DNS enumeration:
scilla dns -target target.domain
scilla dns -o txt -target target.domain
scilla dns -o html -target target.domain
scilla dns -plain -target target.domain
-
Subdomains enumeration:
scilla subdomain -target target.domain
scilla subdomain -w wordlist.txt -target target.domain
scilla subdomain -o txt -target target.domain
scilla subdomain -o html -target target.domain
scilla subdomain -i 400 -target target.domain
scilla subdomain -i 4** -target target.domain
scilla subdomain -c -target target.domain
scilla subdomain -db -target target.domain
scilla subdomain -plain -target target.domain
scilla subdomain -db -no-check -target target.domain
scilla subdomain -db -spyse -target target.domain
scilla subdomain -db -vt -target target.domain
-
Directories enumeration:
scilla dir -target target.domain
scilla dir -w wordlist.txt -target target.domain
scilla dir -o txt -target target.domain
scilla dir -o html -target target.domain
scilla dir -i 500,401 -target target.domain
scilla dir -i 5**,401 -target target.domain
scilla dir -c -target target.domain
scilla dir -plain -target target.domain
scilla dir -nr -target target.domain
-
Ports enumeration:
- Default (all ports, so 1-65635)
scilla port -target target.domain
- Specifying ports range
scilla port -p 20-90 -target target.domain
- Specifying starting port (until the last one)
scilla port -p 20- -target target.domain
- Specifying ending port (from the first one)
scilla port -p -90 -target target.domain
- Specifying single port
scilla port -p 80 -target target.domain
- Specifying output format (txt)
scilla port -o txt -target target.domain
- Specifying output format (html)
scilla port -o html -target target.domain
- Specifying multiple ports
scilla port -p 21,25,80 -target target.domain
- Specifying common ports
scilla port -common -target target.domain
- Print only results
scilla port -plain -target target.domain
- Default (all ports, so 1-65635)
-
Full report:
- Default (all ports, so 1-65635)
scilla report -target target.domain
- Specifying ports range
scilla report -p 20-90 -target target.domain
- Specifying starting port (until the last one)
scilla report -p 20- -target target.domain
- Specifying ending port (from the first one)
scilla report -p -90 -target target.domain
- Specifying single port
scilla report -p 80 -target target.domain
- Specifying output format (txt)
scilla report -o txt -target target.domain
- Specifying output format (html)
scilla report -o html -target target.domain
- Specifying directories wordlist
scilla report -wd dirs.txt -target target.domain
- Specifying subdomains wordlist
scilla report -ws subdomains.txt -target target.domain
- Specifying status codes to be ignored in directories scanning
scilla report -id 500,501,502 -target target.domain
- Specifying status codes to be ignored in subdomains scanning
scilla report -is 500,501,502 -target target.domain
- Specifying status codes classes to be ignored in directories scanning
scilla report -id 5**,4** -target target.domain
- Specifying status codes classes to be ignored in subdomains scanning
scilla report -is 5**,4** -target target.domain
- Use also a web crawler for directories enumeration
scilla report -cd -target target.domain
- Use also a web crawler for subdomains enumeration
scilla report -cs -target target.domain
- Use also a public database for subdomains enumeration
scilla report -db -target target.domain
- Specifying multiple ports
scilla report -p 21,25,80 -target target.domain
- Specifying common ports
scilla report -common -target target.domain
- No follow redirects
scilla report -nr -target target.domain
- Use Spyse as subdomains source
scilla report -db -spyse -target target.domain
- Use VirusTotal as subdomains source
scilla report -db -vt -target target.domain
- Default (all ports, so 1-65635)
Just open an issue / pull request. See also CONTRIBUTING.md and CODE OF CONDUCT.md
Help me building this!
Special thanks to: danielmiessler, sonarSearch, HackerTarget, BufferOverrun, Threatcrowd, Crt.sh, Spyse, VirusTotal, tomnomnom.
To do:
-
Tests (😂)
-
Tor support
-
Proxy support
-
JSON output
-
Dockerfile
-
Plain output (print only results)
-
Scan only common ports
-
Add option to use a public database of known subdomains
-
Recursive Web crawling for subdomains and directories
-
Check input and if it's an IP try to change to hostname when dns or subdomain is active
-
Ignore responses by status codes (partially done, to do with
*
, e.g.-i 4**
) -
HTML output
-
Build an Input Struct and use it as parameter
-
Output color
-
Subdomains enumeration
-
DNS enumeration
-
Port enumeration
-
Directories enumeration
-
TXT output
This repository is under GNU General Public License v3.0.
edoardoottavianelli.it to contact me.