Search the Community

Hello everyone just though I would say my JavaScript network scanner project here : https://github.com/DarrenRainey/JavaScript-Network-Scanner Currently I it will scan and fingerprint devices based upon what files exist or don't exist on the device and once it fingerprints or can connect to a device it sends a post request with the fingerprint such as the routers model, the internal ip address and the user-agent from the victims PC. This code could be embedded into any website and sent a victim for recon. Currently it only scans a few predefined ip address's in the test.html file but I plan to make it scan the local subnet automatically and report any found devices to the attacker web server. The scanning code is based of lan-js with some custom code for identifying and sending the data to the attacker.

Hey everyone, just wanted to show you a recently created service for automated web application and network security scan. If some of you are hosting you'r own web applications perhaps you could test it. If you actually do, please check if there is some vulnerability Metascan could not find. Features: 1. Scans all 65535 ports on target hosts. The scan might take a while but it makes sure that all running services are found. 2. All the services running on host are checked for available vulnerabilities using CVEdetails DB. 3. All input forms and HTTP parameters are tested for most common web application vulnerabilities (XSS, SQLi, XXE and other OWASP TOP 10 attacks). 4. 40 protocols can be brute forced with Metascan's unique password dictionary. The dictionary has quite a long history as it was made up of real user passwords from recent data leaks. Most pentesters i know are building their own dictionaries, the METASCAN's one is huge. 5. Wordpress is tested separately with multiple tools and dir listing dictionaries for Wordpress version,plugins, themes enumeration. After the versions of plugins and CMS itself are revealed, METASCAN automatically searches for public exploits. The key word in METASCAN is "automatically", id say it's like an automatic pentester. 6.METASCAN is capable of subdomains enumeration too, so in case you have left some subdomains/testing servers and beta version servers on public, there will be info about them in the end report too. In my experience it is a common problem, especially for ICO. The reason i created this post is to provide website administrators who are most likely to be hanging out here with a useful service for automated web application security assessment. The solution could be useful in case you are not a pentester/whitehat yourself, but need to get some sense of how secure you'r website is without paying for human work, which is much more expensive. Also the scan is performed with usage of all the tools attacker could use to attack you'r web application. Also METASCAN is probably the best solution in case you need to scan multiple hosts or huge network. The network scanner is capable of scanning huge subnets, like /80. Hope you like it, and any feedback is always appreciated. It took a lot of coding and time to roll out this project. English version for a scan submit: https://metascan.ru/en.html