VULNSCAN – AN ETHICAL HACKING TOOL

PROJECT REPORT
Submitted by

GOKUL KANNAN G 21DX05

Under the guidance of

Mrs. M. KRITHIKA

In partial fulfillment of the requirement for the award of

DIPLOMA IN COMPUTER ENGINEERING

STATE BOARD OF TECHNICAL EDUCATION
GOVERNMENT OF TAMILNADU

APRIL 2024

DEPARTMENT OF COMPUTER ENGINEERING

PSG POLYTECHNIC COLLEGE
(Autonomous and an ISO 9001 certified Institution)
COIMBATORE – 641 004
 PSG POLYTECHNIC COLLEGE
(Autonomous and an ISO 9001 certified Institution)

DEPARTMENT OF COMPUTER ENGINEERING

COIMBATORE – 641 004

CERTIFICATE

GOKUL KANNAN G 21DX05

This is to certify that the project report entitled

VULNSCAN – AN ETHICAL HACKING TOOL

has been submitted by

Mr. GOKUL KANNAN G
Mr. MADHUMITHRAN B V
Mr. NIRMAL KUMAR K
Mr. PRANESH K P

In partial fulfillment for the award of

DIPLOMA IN COMPUTER ENGINEERING
of the State Board of Technical Education,
Government of Tamil Nadu.
during the academic year 2023-2024

Mrs. M. KRITHIKA Mrs. P. RAJESWARI

Faculty guide Head In Charge

Certified that the candidate was examined by us in the Project work Viva - Voce
examination held o n

(Internal Examiner) (External Examiner)

 Acknowledgement

ACKNOWLEDGEMENT
We express our deep sense of gratitude and sincere thanks to beloved Principal
Dr. B. Giriraj, for keeping interest in this project work, which has been an Inspiration to
us.
We are grateful to express our performed thanks to our Head in-charge
Mrs. P. Rajeswari, Department of Computer Engineering who has been a source of
encouragement to do our project successfully.
We wish to express our sincere gratitude and heartfelt thanks to our project guide
Mrs. M. Krithika, lecturer, Department of Computer Engineering who has been a source
of encouragement and moral strength from the beginningto the end for the success of
our project.
We express our heartfelt thanks to our tutor Mrs. R. Uma, for her encouragement
throughout the project. We take this opportunity to thank her support.

I
 Abstract

ABSTRACT
Ethical hacking tools are pivotal assets in cyber security, enabling professionals to
assess the security of systems, networks, and applications. "VulnScan" is a versatile
ethical hacking tool designed for proactive security evaluation and vulnerability
assessment. This abstract provides a brief insight into the tool's capabilities and its role
in the realm of ethical hacking. VulnScan is a multifaceted utility that equips ethical
hackers with a range of functionalities. It encompasses network reconnaissance,
vulnerability scanning, and security testing. By leveraging VulnScan, cyber security
experts can identify potential weaknesses, exploits, and vulnerabilities in a target system
or network, thereby fortifying defenses and preventing potential threats.

II
 Table Of Contents

TABLE OF CONTENTS
CHAPTER PAGE NO
ACKNOWLEDGEMENT…………………………………………………………….……...I
ABSTRACT……………………………………………………………………… ..............II ..

TABLE OF CONTENTS…………….. …………………………………………………...III

.

LIST OF FIGURES………………………………………………………………………...V
LIST OF TABLES……………………………………...…………………….…………...VI
1. INTRODUCTION……………………………………………………...………………...1
1.1 OVERVIEW 1
1.2 INTRODUCTION 1
1.3 OBJECTIVES 2
1.4 INTRODUCTION TO EXISTING SYSTEM 2
1.5 DRAWBACKS OF THE EXISTING SYSTEM 2
1.6 PROPOSED METHODOLOGY 3
2. LITERATURE SURVEY……………………………………………………………….. 4
2.1 RELATED WORKS 4
2.2 PROPOSED METHODOLOGY 7
3. SYSTEM REQUIREMENTS…………………………………………………………... 9
3.1 SOFTWARE REQUIREMENTS 9
3.2 HARDWARE REQUIREMENTS 10
4. SYSTEM ANALYSIS AND DESIGN…………………………………………………11
4.1 FEASABILITY STUDY 11
4.2 UML DIAGRAMS 12
5. PROJECT MODULES AND ALGORITHMS….………………...…………………. 14
5.1 PORT SWEEPING, SUBDOMAIN TESTING 14
5.2 HEADER INFORMATION, DATABASE CRACKING 15
5.3 CLIENT SIDE SCRIPT CRACKING, IP INFORMATION GATHERING 16
5.4 CSRF DETECTION, CERTIFICATE DETECTION 17
5.5 LOCATION OF THE SERVER, REPORT GENERATION 19
5.6 ALGORITHM 21
6. TESTING AND IMPLEMENTATION………………………………………………... 23
6.1 INTRODUCTION \ 23
6.2 LEVELS OF TESTING 23
6.3 SYSTEM VERIFICATION 25
6.4 SYSTEM VALIDATION 26
6.5 EVALUATION 27

III
 Table Of Contents

CONCLUSION………………………..………………………………………………….. 28
BIBLIOGRAPHY…………………………………………………………………............ 29
APPENDICES…………………………………………...……………………………….. 30

IV
 List of Figures

LIST OF FIGURES
Figure No Figure Name Page No

2.1 HTTP request process flow of the web server 06

2.2 Flow Diagram of SSL / TLS Validation 07
3.1 Python 10
3.2 Firewall and Antivirus 10
3.3 Processor 11
3.4 RAM 11
4.1 Deployment Diagram 13
4.2 Use Case Diagram 14
4.3 Activity Diagram 14
5.1 Port Scan 15
5.2 Domain Enumeration 16
5.3 Domain Fingerprinting 16
5.4 SQL Injection Testing 17
5.5 XSS Testing 17
5.6 IP Address 17
5.7 (a) CSRF Detection 18
5.7 (b) CSRF Detection 19
5.8 Certificate Detection 20
5.9 Location of the Server 20
5.10 Report Generation 21
6.1 Levels of Testing 25

V
 List of Tables

LIST OF TABLES
Table No Table Name Page No

6.1 System Verification 26

6.2 System Validation 27

VI
Introduction Chapter 1

CHAPTER 1
INTRODUCTION
1.1 OVERVIEW
VulnScan serves as a valuable ally for ethical hackers and security experts,
aiding in the identification and assessment of vulnerabilities within targeted
networks or systems. This multifaceted tool provides an array of scanning and
probing functionalities, encompassing tasks such as port exploration, subdomain
discovery, domain profiling, and the evaluation of SQL injection risks and Cross
Site Scripting (XSS), CSRF vulnerabilities. As a command-line utility, VulnScan
boasts a user-friendly interface, simplifying the complex landscape of vulnerability
assessment and penetration testing.
1.2 INTRODUCTION
Embarking on a captivating voyage through the dynamic domain of cybersecurity,
"VulnScan - A Cybersecurity Companion" unveils the potent fusion of ethical hacking and
network defense, forming an impenetrable barrier against potential cyber threats. This
expedition ventures into the intricate realm of ethical hacking, highlighting its pivotal role
in fortifying and shielding digital networks from malicious intrusions. At the heart of this
exploration lies the versatile tool, "VulnScan," which stands as a formidable asset for
detecting and mitigating vulnerabilities, bolstering network security amidst the eve
revolving digital landscape.
In our pursuit of fortified network security, our team unravels the fundamental
tenets of ethical hacking, contrasting it with malevolent activities. Shedding light on the
ethical hacker's mission to unearth weaknesses, conduct penetration tests, and
collaborate with organizations to bolster the integrity, confidentiality, availability, and
performance of their networks.
Our journey navigates through an array of network management methodologies
and tools, empowering administrators to oversee, regulate, and optimize network
performance. These encompass network monitoring, configuration management, and
incident response, all underpinned by industry best practices and standards.
The expedition into ethical hacking methodologies unveils the strategies and
techniques employed by ethical hackers to expose vulnerabilities within network
infrastructures.
The crux of our exploration lies in the collaborative synergy between network
administrators and ethical hackers, establishing a proactive network security approach.
Emphasizing the significance of continuous monitoring, vulnerability assessments, and

1
Introduction Chapter 1

proactive patch management, we champion the ongoing protection of networks in an era

of relentless digital innovation.
Central to our exploration is the collaborative synergy between network
administrators and ethical hackers, forging a proactive approach to network security.
Emphasizing the importance of continuous monitoring, vulnerability assessments, and
proactive patch management, we champion the perpetual safeguarding of networks
amidst an era of relentless digital innovation. In essence, "VulnScan - A Cybersecurity
Companion" offers an enlightening odyssey celebrating the symbiotic relationship
between ethical hacking and network security
1.3 OBJECTIVES
The primary aim of VulnScan is to equip security professionals and penetration
testers with a dynamic and effective solution for pinpointing and assessing vulnerabilities
within designated systems and networks. Its specific goals encompass:
Vulnerability Detection - VulnScan strives to automatize the detection of security
vulnerabilities, encompassing areas such as exposed ports, subdomains, domain
profiling, SQL injection susceptibilities, and Cross-Site Scripting (XSS) vulnerabilities.
Efficient Testing - The tool enhances the efficiency and effectiveness of
vulnerability assessments and penetration tests by streamlining the process. It offers an
intuitive interface, facilitating seamless testing procedures for users.
Proactive Defense - VulnScan empowers security practitioners to take a proactive
stance in identifying and resolving security weaknesses preemptively, thwarting potential
exploitation by malicious actors and thereby bolstering the overall security stance of target
systems.
Adaptability - By incorporating a spectrum of scanning and testing methodologies,
VulnScan caters to diverse security assessment requirements, rendering it a versatile
asset in the realm of ethical hacking.
Continuous Enhancement - The project is committed to ongoing development and
enhancements to ensure that VulnScan remains aligned with emerging security standards
and demands. This dedication ensures its efficacy in navigating the everevolving
landscape of cybersecurity.
1.4 INTRODUCTION TO EXISTING SYSTEM
In the realm of ethical hacking and cybersecurity, various tools and systems exist to
aid security professionals in identifying vulnerabilities within target systems and networks.
One such tool is "SecuProbe," an established system that shares common objectives with
Vulnscan.
SecuProbe is a well-established ethical hacking system that has been widely used
by security professionals and penetration testers. Much like Vulnscan, it is designed with

2
Introduction Chapter 1

the aim of identifying and assessing vulnerabilities within target systems and networks.
1.5 DRAWBACKS OF THE EXISTING SYSTEM
Complexity- SecuProbe may have a steeper learning curve due to its
comprehensive feature set. Security professionals may require significant training to utilize
the system effectively.
Resource Intensive- Running SecuProbe may demand substantial computing
resources, making it less accessible for smaller organizations with limited hardware
capabilities.
Cost- Licensing or subscription costs associated with SecuProbe can be high,
making it less accessible to budget-constrained users or organizations
Limited Customization- The existing system may not offer as much flexibility for
customizing tests and scans, limiting the ability to adapt the tool to specific environments
or unique testing requirements
False Positives and Negatives- Like many security tools, SecuProbe may
generate false positives (incorrectly identifying vulnerabilities) and false negatives (failing
to detect actual vulnerabilities), which can impact the accuracy of assessments
Compatibility- The system may have compatibility issues with certain target
systems or networks, potentially leading to incomplete or inaccurate vulnerability
assessments
Scalability- For large-scale network assessments, the existing system might not
scale efficiently, which can impact the speed and effectiveness of scans.
Documentation- Inadequate or outdated documentation may hinder users' ability
to effectively navigate and utilize the system's features.
Community Support- The level of community support, such as forums and user-
contributed resources, may be limited, making it challenging for users to seek help or
share insights.
Updates and Maintenance- The existing system may have slower updates and
maintenance cycles, which can affect its ability to keep up with emerging threats and
vulnerabilities.
Reporting Flexibility- The system's reporting capabilities may lack customization
options, limiting users in tailoring reports to their specific needs or standards.
1.6 PROPOSED METHODOLOGY
The proposed methodology for Vulnscan, an ethical hacking tool, involves several
key phases. It begins with project initiation, defining goals and assembling a skilled team.
Requirements are analyzed, specifying the type of vulnerabilities and testing methods.
The tool's architecture and user interface are designed to be user-friendly and adaptable
for various scanning techniques. Development includes core functionalities such as port

3
Introduction Chapter 1

scanning, subdomain enumeration, and vulnerability testing. The tool features an intuitive
command-line interface and integration of third-party libraries. Extensive testing is
conducted, and a reporting module is for clear vulnerability reports.

4
Literature Survey Chapter 2

CHAPTER 2
LITERATURE SURVEY
2.1 RELATED WORKS

Historically, vulnerability scanning systems encountered obstacles in effectively

overseeing and monitoring security vulnerabilities across an organization's IT
infrastructure. Many enterprises relied on manual techniques and periodic evaluations,
often resulting in incomplete insight into vulnerability landscapes. An efficient vulnerability
scanning system must possess the ability to swiftly pinpoint, evaluate, and prioritize
vulnerabilities in real-time, empowering organizations to proactively tackle security threats.
The absence of such a system can heighten exposure to cyber risks and potential data
breaches.
Traditional vulnerability management methodologies typically involve labor-intensive
manual procedures, such as paper-based documentation and spreadsheet tracking. This
manual approach can be burdensome and susceptible to human errors, impeding the
maintenance of an accurate and current roster of vulnerabilities. Additionally, sans an
automated system, organizations may grapple with the analysis and interpretation of the
copious amounts of data associated with vulnerabilities, hindering their capacity to make
well-informed decisions concerning risk mitigation. Moreover, the lack of a centralized
vulnerability scanning system may breed disorganization and hindered communication
among security teams. This disarray can lead to delays in identifying and rectifying critical
vulnerabilities, leaving the organization vulnerable to exploitation.
Ineffective vulnerability management practices can also jeopardize compliance with
regulatory standards, exposing the organization to potential legal and financial
ramifications. The implementation of a robust vulnerability scanning system is imperative
for organizations aiming to bolster their cybersecurity stance. Such a system should offer
automated scanning, continuous monitoring, and comprehensive reporting functionalities.
Through the utilization of cutting-edge technologies, enterprises can streamline the
vulnerability management process, prioritize remediation endeavors, and ultimately fortify
their overall security postures. The emergence of Software as a Service (SaaS) solutions
within the realm of vulnerability management underscores the industry's dedication to
furnishing accessible and intuitive tools for organizations seeking to reinforce their
cybersecurity strategies.
2.1.1 Light-Weight CSRF Protection by Labeling User Created Contents
[1] Yin-Chang Sung, Michael Cheng Yi Cho, Chi-Wei Wang, Chia-Wei Hsu,
Shiuhpyng Winston Shieh developed Cross-site request forgery (CSRF/XSRF) is a serious
vulnerability in Web 2.0 environment. With CSRF, an adversary can spoof the

5
Literature Survey Chapter 2

payload of an HTTP request and entice the victim’s browser to transmit an HTTP request
to the web server. Consequently, the server cannot determine legitimacy of the HTTP
request. This paper presents a light-weight CSRF prevention method by introducing a
quarantine system to inspect suspicious scripts on the server-side. Instead of using script
filtering and rewriting approach, this scheme is based on a new labeling mechanism (we
called it Content Box) which enables the web server to distinguish the malicious requests
from the harmless requests without the need to modify the user created contents (UCCs).
Consequently, a malicious request can be blocked when it attempts to access critical web
services that was defined by the web administrator. To demonstrate the effectiveness of the
proposed scheme, the proposed scheme was implemented and the performance was
evaluated.

Fig 2.1 HTTP request process flow of the web server

2.1.2 RFC-Directed Differential Testing of Certificate Validation in SSL/TLS

Implementations
[2] Chu Chen, Cong Tian. Zhenhua Duan, Liang Zhao Certificate validation in
Secure Socket Layer or Transport Layer Security protocol (SSL/TLS) is critical to Internet
security. Thus, it is significant to check whether certificate validation in SSL/TLS is correctly
implemented. With this motivation, we propose a novel differential testing approach which
is directed by the standard Request For Comments (RFC). First, rules of certificates are
extracted automatically from RFCs. Second, low-level test cases are generated through
dynamic symbolic execution. Third, high-level test cases, i.e. certificates, are assembled
automatically. Finally, with the assembled certificates being test cases, certificate

6
Literature Survey Chapter 2

validations in SSL/TLS implementations are tested to reveal latent vulnerabilities or bugs.

Fig 2.2 Flow Diagram of SSL / TLS Validation

2.1.3 Server Location Method for Keeping Shorter Distance from Users to Servers
during Failures
[3] The Server Location Method for Keeping Shorter Distance from Users to Servers
during Failures was developed by Nao Maeda and Hiroyoshi Miwa. Recently, large contents
in the Internet have increased loads of contents servers, networks and data centers, which
may degrade the quality of services. To overcome this problem, some mirror servers
providing the same contents are located on a network and a request is navigated to one of
the mirror servers. A user must access to one of the servers and the hop length of a path
from a user to a server should be short even during link failure. As it affects the performance,
the location of the mirror servers is important.
In this paper, we address the server location problem, which determines the
location of the servers satisfying the following the constraint: any users can access servers
within a small hop count even if some links fail. First, we formulate this problem and prove
that it is NP-hard. Second, we present a polynomial-time algorithm for the case that the
number of simultaneously failed links is restricted to one and the increase of the distance
between a user node and servers during failure is restricted to be the number of nodes.
Furthermore, we also present an approximation algorithm to solve this problem when the
number of servers to be accessed is restricted to one and the number of simultaneously
failed links is a constant positive integer.

7
Literature Survey Chapter 2

2.1.4 NETWORK MONITORING AND ENUMERATING VULNERABILITIES IN LARGE

HETEROGENEOUS NETWORKS
[4] In this paper, the authors (Martin Laštovicka, Martin Husák, Lukáš Sadlek)
present an empirical study on vulnerability enumeration in computer networks using
common network probing and monitoring tools. The researchers conducted both active
network scans and passive network monitoring to enumerate software resources and their
versions present in the network. Additionally, they leveraged data from third-party sources,
including the Internet-wide scanner Shodan. The study involved correlating the
measurements with a list of recent vulnerabilities obtained from the National Vulnerability
Database (NVD) using the Common Platform Enumeration (CPE) as a common identifier
utilized in both domains. Subsequently, the authors compared the effectiveness of these
approaches in terms of network coverage and the precision of system identification. The
paper concludes by presenting a sample list of vulnerabilities observed in their campus
network. The research contributes to approximating the number of vulnerabilities and
vulnerable hosts in large networks, particularly in cases where performing vulnerability
scans using specialized tools is impractical or costly. It addresses scenarios where a quick
estimate holds greater importance than a thorough analysis.
2.2 PROPOSED METHODOLOGY
The proposed methodology for VulnScan has been meticulously crafted to meet the
precise security requisites of the power industry, culminating in the development of an
advanced and automated web application vulnerability scanning solution. Commencing with
a thorough delineation of the tool's scope, paramount importance is accorded to ensuring
its alignment with the distinct challenges and nuances characteristic of the power sector.
This inaugural phase entails an exhaustive scrutiny of industry-specific exigencies and
potential threat vectors. To effectively cater to these demands, the methodology places a
pronounced emphasis on deploying an automated scanning engine endowed with
sophisticated web crawling functionalities.
This scanning engine is adeptly engineered to intelligently traverse through web
applications, methodically uncovering vulnerabilities prevalent within the digital terrain of
the power industry. Integral to VulnScan are cuttingedge methodologies for discerning
common vulnerabilities like Cross-Site Scripting (XSS) and SQL injection, crucial for
identifying and remedying threats capable of compromising the sanctity and confidentiality
of sensitive data within the power sector.
Furthermore, the tool incorporates customizable scanning parameters, affording
security professionals within the power industry the flexibility to tailor scans according to
their unique requirements and risk profiles. This adaptability ensures the tool's resilience in
confronting evolving security challenges and regulatory mandates. Augmenting its utility are
real-time reporting functionalities and alerting mechanisms, facilitating prompt notifications
8
Literature Survey Chapter 2

of identified vulnerabilities and expediting mitigation endeavors. Notably, VulnScan is

meticulously engineered to align with regulatory benchmarks governing the power industry,
thereby ensuring compliance and adherence to industry best practices. A pivotal facet of
the methodology encompasses rigorous testing and validation procedures aimed at
corroborating the accuracy and efficacy of VulnScan. Stringent testing scenarios simulate
real-world conditions, enabling the identification of potential vulnerabilities and continual
refinement of the tool to preempt emerging threats.
Recognizing the paramount importance of user proficiency, the methodology
includes comprehensive training sessions and detailed documentation, empowering
security practitioners to leverage VulnScan effectively and harness its full potential in
identifying and remedying vulnerabilities within their web applications. In essence, the
overarching objective of this methodology is to significantly bolster web security within the
power industry through the provision of a robust, automated, and industry-specific
vulnerability scanning solution. VulnScan epitomizes a proactive defense mechanism,
adeptly identifying vulnerabilities to fortify the cyber resilience of the power sector's digital
infrastructure.
The methodology underscores a commitment to continuous enhancement,
incorporating feedback mechanisms to adapt to evolving cyber threats and technological
landscapes. Regular updates to VulnScan's vulnerability database ensure its currency and
efficacy in identifying nascent risks. By fostering a culture of proactive security, the
methodology endeavors to instill a resilient cybersecurity posture within the power industry,
safeguarding critical assets and data. Ultimately, VulnScan emerges as an indispensable
ally in fortifying web application security within the dynamic and critical sphere of power
infrastructure.

9
System Requirements Chapter 3

CHAPTER 3
SYSTEM REQUIRMENTS
3.1 SOFTWARE REQUIREMENTS
3.1.1 Operating System- VulnScan and similar ethical hacking tools are often
compatible with a variety of operating systems, including Windows, Linux, and Mac OS.
The specific OS support should be detailed in the tool's documentation.
3.1.2 Python- Many ethical hacking tools, including those built in Python, may require
a specific version of Python to run. Ensure you have the appropriate Python version
installed.

Fig 3.1 Python

3.1.3 Dependency Libraries- Ethical hacking tools often rely on various libraries and
modules for tasks such as network scanning, web requests, and data analysis. Check the
tool's documentation for a list of required dependencies and install them.
3.1.4 Networking Tools- Ethical hacking tools typically make use of standard
networking utilities, so ensure the user’s system has standard networking tools like ping,
netstat, and nmap.
3.1.5 Browser- If the tool has a web-based interface for reporting or interacting with
results, a modern web browser is often needed.
3.1.6 Firewall and Antivirus- Disable or configure the firewall and antivirus software to
avoid interfering with the tool's operations.

Fig 3.2 - Firewall and Antivirus

10
System Requirements Chapter 3

3.2 HARDWARE REQUIREMENTS

3.2.1 Processor (CPU) - The CPU requirements will depend on the tool's complexity
and the scale of your scans. A multi-core processor is often recommended for faster scans.

Fig 3.3 – Processor

3.2.2 Memory (RAM) - The amount of RAM required varies based on the size of the
network and the complexity of scans. In general, having at least 4 GB of RAM is advisable,
but more is beneficial for larger assessments.

Fig 3.4 – RAM

3.2.3 Storage Space- Sufficient storage is needed to save scan results and logs. Tools
with extensive databases may require more space.
3.2.4 Network Interface- A network card with both wired and wireless capabilities can
be useful for testing a variety of network configurations.
3.2.5 Screen Resolution- A monitor with a standard screen resolution is required for
displaying the tool's interface.
3.2.6 Internet Connectivity- An internet connection may be required for downloading
updates, libraries, and accessing online resources during assessments.

11
System Analysis and Design Chapter 4

CHAPTER 4
SYSTEM ANALYSIS AND DESIGN
4.1 FEASIBILITY STUDY
4.1.1 TECHNICAL FEASIBILITY
Resource Availability- VulnScan's technical feasibility relies on the availability of
skilled developers and security experts who can design and implement the tool effectively.
It also necessitates access to relevant programming languages and libraries for features
like port scanning, subdomain enumeration, and vulnerability testing.
Compatibility- The tool should be designed to be compatible with various
operating systems, including Windows, Linux, and Mac OS. Ensuring cross-platform
compatibility increases its accessibility and usability.
Tool Functionality- Technical feasibility depends on the tool's capability to
perform core functions accurately and efficiently. The development team needs to ensure
that it can effectively scan for vulnerabilities, identify open ports, and provide reliable
results.
4.1.2 OPERATIONAL FEASIBILITY
User Training- The tool should be user-friendly, minimizing the need for extensive
training. Ethical hackers and security professionals should be able to use VulnScan with
minimal effort and become productive quickly.
Integration- VulnScan should be designed to seamlessly integrate into existing
security assessment processes. It should be capable of working alongside other tools and
methodologies commonly used in ethical hacking and vulnerability testing.
User Acceptance- Gathering feedback from potential users during development
and conducting usability testing can help ensure that the tool meets operational needs and
user expectations. Continuous user feedback is vital for refining the tool.
4.1.3 ECONOMIC FEASIBILITY
Development Costs- Analyze the costs associated with the development of
VulnScan, including personnel salaries, hardware and software purchases, and third-party
tool licenses. It's important to maintain a budget that allows for efficient development
without unnecessary expenses
Maintenance Costs- Consider the ongoing costs of maintaining and updating the
tool, including security patches, bug fixes, and updates to keep it aligned with evolving
security standards. A well-defined maintenance plan is essential for long-term feasibility.
Return on Investment (ROI) - Determine whether the potential benefits of
VulnScan outweigh the development and maintenance costs. Benefits may include
enhanced security assessments, faster vulnerability identification, and time savings for

12
System Analysis and Design Chapter 4

security professionals. A positive ROI is a strong indicator of economic feasibility.

Balancing technical, operational, and economic feasibility is crucial for the
successful development and adoption of VulnScan. A well-executed feasibility analysis
can guide decision-making and ensure that the tool aligns with both user needs and
resource constraints.
4.2 UML DIAGRAMS
4.2.1 Deployment Diagram
Deployment Diagram (Fig 4.1) provides a visual representation of how the security
app is physically distributed across nodes, including servers and user devices. It
emphasizes the secure deployment of components to protect against potential threats and
vulnerabilities.

Fig 4.1 Deployment Diagram

4.2.2 Use Case Diagram
Use Case Diagram (Fig 4.2) provides a high-level overview of the security app's
functionality, focusing on key interactions and dependencies while incorporating security
considerations to safeguard the application and its users.

13
System Analysis and Design Chapter 4

Fig 4.2 Use Case Diagram

Fig 4.3 Activity Diagram

14
Project Modules and Algorithm Chapter 5

CHAPTER 5
PROJECT MODULES AND ALGORITHM
5.1 PORT SWEEPING, SUBDOMAIN TESTING
5.1.1 PORT SCAN
Port scanning is a fundamental part of network security assessment. VulnScan's
Port Scan module is designed to identify open and closed ports on a target system. Open
ports may indicate services or applications that could be potential attack vectors, while
closed ports are often considered more secure. By scanning ports, VulnScan helps
security professionals assess a system's exposure to potential vulnerabilities and threats.

Fig 5.1 Port Scan

15
Project Modules and Algorithm Chapter 5

5.1.2 DOMAIN ENUMERATION (SUBDOMAIN LISTING)

Domain Enumeration is the process of discovering subdomains associated with a

target domain. VulnScan's Domain Enumeration module helps security experts find
hidden or vulnerable subdomains that may not be immediately obvious. These
subdomains can be points of entry for attackers or may contain security vulnerabilities.
VulnScan's subdomain listing feature aids in comprehensive domain reconnaissance and
assessment.

Fig 5.2 Domain Enumeration

5.2. HEADER INFORMATION, DATABASE CRACKING

5.2.1 DOMAIN FINGERPRINTING (HTTP SERVER INFORMATION)
Domain Fingerprinting involves gathering information about a target domain,
specifically details related to the web server and associated technologies. VulnScan's
Domain Fingerprinting module extracts information from HTTP headers, including the type
and version of the web server software, and any headers like "X-Powered-By." This
information is valuable for security professionals as it can reveal potential vulnerabilities
and security risks associated with the server software in use.

Fig 5.3 Domain Fingerpriting

5.2.2 SQL INJECTION TESTING

SQL Injection is a common web application vulnerability that occurs when user
inputs are not properly sanitized, allowing malicious SQL queries to be executed.
VulnScan's SQL Injection Testing module helps ethical hackers and security testers
identify SQL injection vulnerabilities in web applications. By injecting specially crafted SQL

16
Project Modules and Algorithm Chapter 5

queries, the tool can assess whether a web application is susceptible to this type of attack.

Fig 5.4 SQL Injection Testing

5.3 CLIENT SIDE SCRIPT CRACKING, IP INFORMATION GATHERING

5.3.1 XSS TESTING (CROSS-SITE SCRIPTING)
Cross-Site Scripting (XSS) is a web vulnerability that allows attackers to inject
malicious scripts into web pages viewed by other users. VulnScan's XSS Testing module
assists in detecting XSS vulnerabilities in web applications. By injecting various payloads
into web forms and input fields, the tool checks if the application is vulnerable to this kind
of attack, helping developers and security experts secure their web applications.

Fig 5.5 XSS Testing

5.3.2 IP OF DOMAIN

This module provides the capability to retrieve the IP address of a given domain.
It is a basic but essential function for understanding the network architecture and
connectivity of a target domain. Obtaining the IP address of a domain allows security
professionals to further analyze the domain's infrastructure and identify potential
vulnerabilities or misconfigurations.

Fig 5.6 IP Address

Each module in VulnScan serves a distinct purpose in the field of ethical hacking
and security assessment. The tool's capabilities cover a wide range of security testing,
from network-level port scanning to web application vulnerability testing, making it a
valuable asset for security professionals.

17
Project Modules and Algorithm Chapter 5

5.4 CSRF DETECTION, CERTIFICATE DETECTION

5.4.1 CSRF DETECTION
Cross-Site Request Forgery (CSRF) is a security vulnerability that occurs when a
malicious website or attacker tricks a user's browser into executing unauthorized actions on
another website where the user is authenticated. Essentially, CSRF attacks exploit the trust
that a website has in a user's browser by piggybacking on the user's authenticated session.

Fig 5.7 (a) CSRF Detection

18
 Project Modules and Algorithm Chapter 5

C
Fig 5.7 (b) CSRF Detection
5.4.2 CERTIFICATE DETECTION
SSL/TLS certificates are digital credentials that authenticate the identity of websites
and facilitate secure communication between users' browsers and servers. They play a
pivotal role in safeguarding data confidentiality and integrity across the internet. These
certificates verify a website's identity by containing information such as domain names,
organization details, and location, validated by trusted Certificate Authorities (CAs). By
encrypting data transmitted between users and websites, SSL/TLS certificates prevent
unauthorized access to sensitive information like login credentials and financial data. Trust
in SSL/TLS certificates is established through the inclusion of trusted CAs in web browsers
and operating systems, indicated by visual cues like padlock icons. Different types of
certificates offer varying levels of validation, ranging from domain ownership validation to
extensive organizational checks.

19
Project Modules and Algorithm Chapter 5

Fig 5.8 Certificate Detection

5.5 Location of the Server, Report Generation

5.5.1 Location of the Server

The code retrieves location information for a given IP address using the ipapi.co
API. The function attempts to fetch the location data, with the option to retry a specified
number of times in case of network errors. It utilizes the requests library to make HTTP
requests and handle responses. If the location data is successfully obtained, it is parsed
and stored in a dictionary format. Additionally, the function implements error handling to
manage scenarios such as rate limiting (status code 429) by applying exponential backoff
for retries. If the maximum number of retry attempts is reached without success, an
appropriate message is displayed, and the function returns None. Finally, the fetched
location data is appended to a list named locations_data for future use.

Fig 5.9 Location of the Server

20
Project Modules and Algorithm Chapter 5

5.5.2 Report Generation

This code defines a function called generate_report that creates a vulnerability

scan report in PDF format based on various input data. The function takes several
parameters such as the target domain name, IP address, scan options, and various scan
results. It utilizes the reportlab library to generate the PDF report.

Fig 5.10 Report Generation

21
Project Modules and Algorithm Chapter 5

5.6 – ALGORITHM

Step 1. Start the "VulnScan" tool.

Step 2. Initialize necessary libraries and dependencies, including requests, threading,

queue, optparse, nmap, time, socket, sys, BeautifulSoup, and colorama.

Step 3. Define a function `get_ip_address(target)` to resolve the IP address of a given

target domain

Step 4. Define a function `scan_single_port(target, port)` to scan a single port on a target

domain

Step 5. Define a function `scan_custom_ports(target, ports)` to scan a list of custom ports

on a target domain

Step 6. Define a function `scan_range_of_ports(target, start_port, end_port)` to scan a

range of ports on a target domain.

Step 7. Define a function to read subdomains from a file (`from_file(filename)`).

Step 8. Define a function to check if a subdomain is active (`check_subdomain(domain,

sub)`).

Step 9. Define a function to append active subdomains to a list if they exist

(`append_if_exists(host, sub)`).

Step 10. Define a thread worker function to get active subdomains (`get_active()`).

Step 11. Define a function to get command-line arguments (`get_args()`).

Step 12. Define a function to retrieve server information of a target domain

(`get_server_info(target_domain)`).

Step 13. Create a session with a User-Agent header and define a list of XSS payloads.

Step 14. Define a function to retrieve forms from a URL (`get_forms(url)`).

Step 15. Define a function to extract form details from a form element
(`form_details(form)`).

Step 16. Define a function to check for SQL injection vulnerabilities

(`is_vulnerable(response)`).

Step 17. Define a function to test for SQL injection vulnerabilities (`test_sql_injection(url)`).

Step 18. Define a function to retrieve all forms from a URL (`get_all_forms(url)`).

Step 19. Define a function to get form details (`get_form_details(form)`).

Step 20. Define a function to submit a form with a payload (`submit_form(form_details,

22
Project Modules and Algorithm Chapter 5

url, value)`).
Step 21. Define a function to scan for XSS vulnerabilities (`scan_xss(url)`).

Step 22. Start a main loop:

a. Prompt the user to enter a target domain.

b. Provide options for different features:

- Change Domain

- Port Scanning

- Domain Enumeration

- Domain Fingerprinting

- SQL Injection Testing

- XSS Testing

- CSRF Detection

- Location of the Server

- Report Generation

- Exit

c. Depending on the user's choice, execute the corresponding function or exit the tool.

Step 23. End the "VulnScan" tool.

23
Testing and Implementation Chapter 6

CHAPTER 6
TESTING AND IMPLEMENTATION
6.1 INTRODUCTION

This chapter consists of testing report of the project. It is done for evaluating the
functionality of this project to find any bugs and errors. It checks whether the developed
system met the specified requirements and identifies any defects in the system in order to
produce a quality product. It is basically executing a system to identify any gaps, errors,
or missing requirements in contrary to the actual requirements. In this Testing, the system
was tested by applying correct/incorrect data and see how the system reacts to it. This
also check the functionality of each module. Things that will test in this system,

• Verify there is no dead page and all redirects to correct page.

• Verify the request and response process.

• Check sending and receiving of emails.

• Certify face detection properly.

• Validate attendance entry in excel sheet in cloud.

• Verify database change according to admin data updates.

• Verify the workflow of the system.

6.2 LEVELS OF TESTING

Testing levels are the procedure for finding the missing areas and avoiding
overlapping and repetition between the development life cycle stages. The various phases
such as Requirement collection, designing, coding testing, deployment, and maintenance
of SDLC. In order to test any application, like SDLC. Testing is done in multiple level,
which help us maintain the quality of the software. The levels of software testing involve
the different methodologies, which can be used while performing the software testing. Fig
6.1 shows the levels of testing.

• Unit Testing

• Integration Testing

• System Testing

• Acceptance Testing

24
Testing and Implementation Chapter 6

6.2.1 UNIT TESTING

Unit testing is the first level of software testing, which is used to test if software
modules are satisfying the given requirement or not. The first level of testing involves
analyzing each unit or an individual component of the software application. Unit testing is
also the first level of functional testing. The primary purpose of executing unit testing is to
validate unit components with their performance. The reason of performing the unit testing
is to test the correctness of inaccessible code. Unit testing will help the test engineer and
developers in order to understand the base of code that makes them able to change defect
causing code quickly.
6.2.2 INTEGRATION TESTING
The second level of software testing is the integration testing. The integration
testing process comes after unit testing. It is mainly used to test the data flow from one
module or component to other modules. In integration testing, the test engineer tests the
units or separate components or modules of the software in a group. The primary purpose
of executing the integration testing is to identify the defects at the interaction between
integrated components or units. When each component or module works separately, the
data flow between the dependent modules should be checked, and this process is known
as integration testing. Only the integration testing when the functional testing has been
completed successfully on each application module. In simple words, integration testing
aims to evaluate the accuracy of communication among all the modules.
6.2.3 SYSTEM TESTING
The third level of software testing is system testing, which is used to test the

25
Testing and Implementation Chapter 6

software's functional and non-functional requirements. It is end-to-end testing where the

testing environment is parallel to the production environment. In the third level of software
testing, the testing for this application is done as a whole system. To check the end-to-end
flow of an application or the software as a user is known as System testing. In system
testing, this process will go through all the necessary modules of an application and test if
the end features or the end business works fine, and test the product as a complete system.
In simple words, system testing is a sequence of different types of tests to implement and
examine the entire working of an integrated software computer system against
requirements.
6.2.4 ACCEPTANCE TESTING
The last and fourth level of software testing is acceptance testing, which is used to
evaluate whether a specification or the requirements are met as per its delivery. The
software has passed through three testing levels Unit Testing, Integration Testing, System
Testing. Some minor errors can still be identified when the end-user uses the system in
the actual scenario. In simple words, Acceptance testing is the squeezing of all the testing
processes that are previously done. The acceptance testing is also known as UAT and is
done by the customer before accepting the final product. Usually, UAT is done by the
domain expert for their satisfaction and checks whether the application is working
according to given business scenarios and real-time scenarios. Table 6.1 shows the
system verification.
6.3 SYSTEM VERIFICATION
Table 6.1 System Verification
Test Case Required Output Actual Output Test Status

List out the required ports

The Open ports and
Verification of that have been scanned
Closed ports will be Pass
Port Scanning according to the command
displayed to the user
entered

Verification of Lists out the associated

The sub-domains will be
Domain sub-domains with the Pass
displayed to the user
Enumeration Target Domain

Lists out the data The data associated

Verification of
associated with the HTTP with the HTTP header
Domain Pass
header of the Target will be displayed to the
Fingerprinting
Domain user

26
Testing and Implementation Chapter 6

Proper registration of
Verification of Carry out the commands
keystrokes and
Command Line given by the User and Pass
execution of the entered
Interface display the options
commands by the User
The command may or
Verification of
Logging in to a database may not bypass the
SQL and XSS Pass
using injection commands system’s database due
attacks
to strong security

Checking for tokens and The command will be

Verification of
executing a long step by executed when a token Pass
CSRF Detection
step process has been detected

Checks whether the

Verification of The command will
website has the
Certificate check for the availability Pass
appropriate certificates or
Detection of CA Certificates
not

Verification of Locates the nearest Nearest Coordinates for

Location of the destination of the server’s the location will be Pass
Server location displayed

Verification of Generates an informative Generates a PDF of the

Report PDF report of all the commands carried out Pass
Generation commands executed by the user

6.4 SYSTEM VALIDATION

Table 6.2 System Validation
Test Case Input Description Expected Output Test Status
TC_01 Domain: "google.com" IP: 142.250.183.238 Pass
TC_02 Single Port Scan Port: 80 Port 80 is open Pass
Custom Ports Scan Ports:
TC_03 Open Ports: [80, 8080] Pass
80, 443, 8080
Range of Ports Scan
TC_04 Open Ports: [22, 80] Pass
Range: 1100
Active Subdomains:
Domain Enumeration admin.google.com
TC_05 Pass
Threads: 12
slides.google.com
Domain Fingerprinting Server: Apache,
TC_06 Pass
Domain: "google.com" XPoweredBy: PHP
SQL Injection Testing
No SQL injection
TC_07 URL: Pass
detected
"http://psgpolytech.ac.in"

27
Testing and Implementation Chapter 6

XSS Testing URL: "http://

TC_08 No XSS detected Pass
psgptolytech.ac.in"

CSRF Detection: No CSRF Token

TC_09 Pass
“www.psgpolytech.ac.in’’ detected
Certificate Detection:
TC_10 SSL Certificate is valid Pass
“www.google.com”

Location of the server: Location Coordinates

TC_11 Pass
“www.psgpolytech.ac.in” obtained
TC_12 Report Generation Report PDF generated Pass

6.5 EVALUATION
• An Ethical hacking tool that provides a command line interface and helps new
users to understand and learn about the processes that take place.
• Users can choose from the options provided after entering a command which
has sub-options available for execution.
• Makes the process of learning and execution of the available modules more
easier to learn and adapt.
Software testing is a process where every unit or component of a software or
system is tested. The main reason for implementing the levels of testing is to make the
software testing process efficient and easy to find all possible test cases at a specific level.
To check the behavior or performance of software testing, various testing levels have been
performed. The above-described software testing levels are developed to identify missing
areas and understanding between the development life cycle conditions.

28
 Conclusion

CONCLUSION
In the journey of developing and testing the "VulnScan" ethical hacking tool, we
have reached a significant milestone. This section summarizes the key takeaways and
reflections from our testing and implementation process.
The "VulnScan" tool has been rigorously tested across multiple levels, ensuring
that it operates effectively and ethically. Our testing encompassed various aspects,
including port scanning, subdomain enumeration, domain fingerprinting, SQL injection
testing, and XSS testing. This tool has proven to be a valuable addition to the arsenal of
ethical hackers and security professionals.
As we move forward, continuous updates and refinements will be made to address
emerging threats and improve the tool's functionality. User feedback and collaboration
with the security community will be invaluable in this ongoing development.
Future scope of this project
• Future versions of VulnScan could focus on integrating advanced vulnerability
detection techniques, leveraging machine learning and artificial intelligence for
more accurate identification of emerging and complex vulnerabilities.
• Enhancing VulnScan's capabilities to address vulnerabilities specific to cloud
environments and containerized applications, ensuring compatibility with modern
DevSecOps practices.
• Adapting the tool to address vulnerabilities specific to cloud environments and
containerized applications.
• Future development could prioritize the improvement of reporting and analytics
features in VulnScan, providing more detailed insights into vulnerability trends,
risk assessments, and real-time updates based on the latest threat intelligence.

28
 Bibliography

BIBLIOGRAPHY
REFERENCE PAPER

[1]. Bandung, Y., Subekti, L. B., & Gondokaryono, Y. S. (2015). "A Comprehensive
Literature Review of Penetration Testing & Its Applications." In Proceedings of the
International Conference on Electrical Engineering and Informatics (ICEEI).
[2]. Kocher, J.E.; Gilliam, D.P., “Self port scanning tool: providing a more secure
computing environment through the use of proactive port scanning”, 14th IEEE
International Workshops on Enabling Technologies: Infrastructure for Collaborative
Enterprise, 13-15 June 2005.
[3]. Y. Makino and V. Klyuev, “Evaluation of web vulnerability scanners,” in IEEE 8th
International Conference on Intelligent Data Acquisition and Advanced Computing
Systems: Technology and Applications, IDAACS 2015, Warsaw, Poland, September
24-26, 2015. IEEE, 2015, pp. 399– 402.

REFERENCE BOOKS

[1]. Johnson, C., & Skoudis, E. “The Basics of Hacking and Penetration Testing-
Ethical Hacking and Penetration Testing Made Easy”, 2015
[2]. Engebretson, P.“The Basics of Hacking and Penetration Testing- Ethical
Hacking and Penetration Testing Made Easy (2nd ed.)”, 2016
[3]. Regalado, B. “The Web Application Hacker's Handbook- Finding andExploiting
Security Flaws (2nd ed.)”, 2016
[4]. Pouget, E., Prevost, C., & Heitz, J. “Hands-On Ethical Hacking and Network
Defense”, 2019
[5]. Oriyano, S., & Wiles, J. CEH v10- “EC-Council Certified Ethical Hacker
Complete Training Guide with Practice Labs- Exam 312-50”, 2019
[6]. EC-Council. “Certified Ethical Hacker (CEH) Certification Guide”.
[7]. Dhanjani, N., Rios, B., & Hardin, B. (2011). “Hacking- The Next Generation”,2020

WEB LINKS

• https-//whois.domaintools.com/
• https-//digital.com/who-is-hosting-this/
• https-//builtwith.com/
• https-//www.virustotal.com/gui/home/search

29
 Appendices

APPENDICES
Python code
from urllib.parse import urlparse
from reportlab.lib.pagesizes import letter
from reportlab.pdfgen import canvas
from reportlab.lib.pagesizes import letter
from reportlab.pdfgen import canvas
from reportlab.lib import colors
from reportlab.lib.pagesizes import letter
from reportlab.lib.styles import getSampleStyleSheet, ParagraphStyle
from reportlab.platypus import SimpleDocTemplate, Paragraph, Spacer
from core.utils import extractHeaders, strength, isProtected, stringToBinary,
longestCommonSubstring
from core.requester import requester
from core.zetanize import zetanize
from core.ranger import ranger
from core.evaluate import evaluate
from core.tweaker import tweaker
from core.photon import photon
from core.prompt import prompt
from core.datanize import datanize
from core.entropy import isRandom
from cryptography import x509
from cryptography.hazmat.backends import default_backend
import statistics
import re
import random
import json
import argparse
from core.colors import green, yellow, end, run, good, info, bad, white, red
import requests
import threading
import queue
import optparse
import nmap
import time
30
 Appendices
import socket
import ssl
import time
import sys
from progress.bar import Bar
from bs4 import BeautifulSoup
from urllib.parse import urljoin
import os
from pprint import pprint
import colorama
from core.config import headers
import concurrent.futures
from pathlib import Path
from fuzzywuzzy import fuzz, process
import html

def get_ip_address(domain_name):
if not domain_name.startswith(("http://", "https://")):
domain_name = "http://" + domain_name

parsed_url = urlparse(domain_name)
domain_name = parsed_url.netloc # Extracting domain name from the URL

ip_address = socket.gethostbyname(domain_name)
print(f"\nIP Address: {ip_address}")

def get_ip_address(target):
ip_address = socket.gethostbyname(target)
return ip_address

def scan_single_port(target, port):

ip_address = get_ip_address(target)
scanner = nmap.PortScanner()
result = scanner.scan(ip_address, arguments=f'-p {port}')
if result['scan'][ip_address]['tcp'][int(port)]['state'] == 'open':
31
 Appendices
print('\033[32m' + f"Port {port} is open" + '\033[0m')
port_scan_results.append(f"\n\tPort {port} is open")
else:
print('\033[31m' + f"Port {port} is closed" + '\033[0m')
port_scan_results.append(f"\n\tPort {port} is closed")
return port_scan_results

def scan_custom_ports(target, ports):

ip_address = get_ip_address(target)
scanner = nmap.PortScanner()
scanner.scan(
ip_address, arguments=f'-p {",".join(str(port) for port in ports)} -sT')
open_ports = []
closed_ports = []
port_scan_results = [] # Initialize port_scan_results list

for port in ports:

port_state = scanner[ip_address]['tcp'][port]['state']
if port_state == 'open':
open_ports.append(port)
else:
closed_ports.append(port)

print('\033[33m' + "Open Ports:" + '\033[0m')

if open_ports:
for port in open_ports:
print('\033[32m' + f"\tPort {port} is open" + '\033[0m')
port_scan_results.append(f"\n\tPort {port} is open")
else:
print("\tNo open ports found in the specified range.")
port_scan_results.append(
f"\n\tNo open ports found in the specified range.")

print('\033[33m' + "Closed Ports:" + '\033[0m')

if closed_ports:
for port in closed_ports:
print('\033[31m' + f"\tPort {port} is closed" + '\033[0m')
32
 Appendices
port_scan_results.append(f"\n\tPort {port} is open")
else:
print("\tNo closed ports found in the specified range.")
port_scan_results.append(
f"\n\tNo open ports found in the specified range.")
return port_scan_results

def scan_range_of_ports(target, start_port, end_port):

ip_address = get_ip_address(target)
scanner = nmap.PortScanner()
port_range = f"{start_port}-{end_port}"
result = scanner.scan(ip_address, arguments=f'-p {port_range}')

port_scan_results = []
if ip_address in result['scan']:
port_data = result['scan'][ip_address]

if 'tcp' in port_data:
for port, port_info in port_data['tcp'].items():
if port_info['state'] == 'open':
print('\033[32m' + f"\tPort {port} is open" + '\033[0m')
port_scan_results.append(f"\n\tPort {port} is open")
else:
print(
'\033[31m' + f"\tNo open ports found in the specified range." + '\033[0m')
port_scan_results.append(
"\n\tNo open ports found in the specified range.")
else:
print("No scan results found for the target IP.")
port_scan_results.append(
"\n\tNo scan results found for the target IP.")

return port_scan_results

# Function to read subdomains from a file

def from_file(filename):
33
 Appendices
with open(filename, 'r') as f:
subdomains = f.read().split('\n')
return subdomains

# Function to check if a subdomain is active

def check_subdomain(domain, sub):

subdomain = f"http://{sub.strip()}.{domain}"
try:
response = requests.get(subdomain, timeout=5)
# Print response code
print(f" Response code for {sub}.{domain}: {response.status_code}")
if response.status_code == 200:
return True
except (requests.exceptions.ConnectionError, requests.exceptions.ReadTimeout):
return False
return False

# Function to append active subdomains to a list if they exist

def append_if_exists(host, sub):

if check_subdomain(host, sub):
with lock:
active_domains.append(f"{sub}.{host}")

# Function for thread worker to get active subdomains

def get_active():
while True:
try:
i = q.get_nowait()
except queue.Empty:
break
append_if_exists(domain_name, i)
bar.next()
34
 Appendices
q.task_done()

# Function to get command-line arguments

def get_args():
parser = optparse.OptionParser()
parser.add_option("-i", "--input", dest="input_list", default="subdomains.txt",
help="read the list from INPUT_FILE", metavar="INPUT_FILE")
parser.add_option("-t", "--threads", type=int, dest="n_threads", help="Set the number
of threads",
metavar="N_THREADS", default=12)
return parser.parse_args()

def get_server_info(target_domain):
url = f"http://{target_domain}"
try:
response = requests.get(url)
if response.status_code == 200:
server_header = response.headers.get("Server", "N/A")
x_powered_by_header = response.headers.get("X-Powered-By", "N/A")

print(f"\nServer header: {server_header}")

server_info.append(f"\n\tServer header: {server_header}")
print(f"X-Powered-By header: {x_powered_by_header}")
server_info.append(
f"\n\tX-Powered-By header: {x_powered_by_header}")
else:
print(
f"\nFailed to retrieve data from {url}. Status Code: {response.status_code}")
server_info.append(
f"\n\tFailed to retrieve data from {url}. Status Code: {response.status_code}")
except requests.exceptions.RequestException as e:
print(f"\nFailed to connect to {url}: {str(e)}")
server_info.append(f"\n\tFailed to connect to {url}: {str(e)}")

35
 Appendices
# Create a session with a User-Agent header
s = requests.Session()
s.headers["User-Agent"] = "Mozilla/5.0 (Win64; x64) AppleWebKit/537.36
Chrome/87.0.4280.88"

# List of XSS payloads to test

xss_payloads = [
"<script>alert('XSS')</script>",
"<img src='x' onerror=\"alert('XSS')\">",
# Add more payloads here as needed
]

# Function to retrieve forms from a URL

def get_forms(url):
response = s.get(url)
soup = BeautifulSoup(response.content, "html.parser")
return soup.find_all("form")

# Function to extract form details

def form_details(form):
details = {}
action = form.attrs.get("action", "").lower()
method = form.attrs.get("method", "get").lower()
inputs = []

# Extract input fields

for input_tag in form.find_all("input"):
input_type = input_tag.attrs.get("type", "text")
input_name = input_tag.attrs.get("name")
input_value = input_tag.attrs.get("value", "")
inputs.append(
{"type": input_type, "name": input_name, "value": input_value}
)

details["action"] = action
36
 Appendices
details["method"] = method
details["inputs"] = inputs
return details

# Function to check for SQL injection vulnerability

def is_vulnerable(response):
# Customize this function to detect SQL injection vulnerabilities in your application's
context
# You may want to check for specific error messages or behaviors indicative of SQL
injection
return False

# Function to perform SQL injection testing

def test_sql_injection(url):
# Ensure the URL starts with "http://" or "https://"
if not url.startswith("http://") and not url.startswith("https://"):
url = "http://" + url

forms = get_forms(url)
print(f"\n[+] {len(forms)} forms found on {url}.")
sql_test_results.append(f"\n\t[+] {len(forms)} forms found on {url}.")
if (len(forms) == '0'):
print("\n No SQL Injection detected")

for form in forms:

form_details_dict = form_details(form)

# Initialize variables to track detection for each payload

single_quote_detected = False
double_quote_detected = False

for payload in ["'", "\""]:

data = {}

37
 Appendices
# Create payloads for each input field
for input_tag in form_details_dict["inputs"]:
input_name = input_tag["name"]
input_value = input_tag["value"]
if input_value:
data[input_name] = input_value + payload
elif input_tag["type"] != "submit":
data[input_name] = "test" + payload

# Construct the URL and make the request

target_url = urljoin(url, form_details_dict["action"])
if form_details_dict["method"] == "post":
response = s.post(target_url, data=data)
elif form_details_dict["method"] == "get":
response = s.get(target_url, params=data)

# Check for SQL injection vulnerability and update detection status

if is_vulnerable(response):
if payload == "'":
single_quote_detected = True
elif payload == "\"":
double_quote_detected = True
else:
print('\nNo SQL Injection Detected')

# Print detection status for each payload

if single_quote_detected:
print("\nSingle quote SQL injection detected:", target_url)
sql_test_results.append(
"\n\tSingle quote SQL injection detected:", target_url)
else:
print("\nNo single quote SQL injection detected")
sql_test_results.append(
"\n\tNo single quote SQL injection detected")

if double_quote_detected:
print("\nDouble quote SQL injection detected:", target_url)
sql_test_results.append(
38
 Appendices
"\n\tDouble quote SQL injection detected:", target_url)
else:
print("\nNo double quote SQL injection detected")
sql_test_results.append(
"\n\tNo double quote SQL injection detected")

def get_all_forms(url):
soup = BeautifulSoup(requests.get(url).content, "html.parser")
return soup.find_all("form")

def get_form_details(form):
details = {}
action = form.attrs.get("action").lower()
method = form.attrs.get("method", "get").lower()
inputs = []
for input_tag in form.find_all("input"):
input_type = input_tag.attrs.get("type", "text")
input_name = input_tag.attrs.get("name")
inputs.append({"type": input_type, "name": input_name})
details["action"] = action
details["method"] = method
details["inputs"] = inputs
return details

def submit_form(form_details, url, value):

target_url = urljoin(url, form_details["action"])
inputs = form_details["inputs"]
data = {}
for input in inputs:
if input["type"] == "text" or input["type"] == "search":
input["value"] = value
input_name = input.get("name")
input_value = input.get("value")
if input_name and input_value:
data[input_name] = input_value
39
 Appendices
if form_details["method"] == "post":
return requests.post(target_url, data=data)
return requests.get(target_url, params=data)

def scan_xss(url):
# Ensure the URL starts with "http://" or "https://"
if not url.startswith("http://") and not url.startswith("https://"):
url = "http://" + url

forms = get_all_forms(url)
print(f"\n[+] Detected {len(forms)} forms on {url}.")
xss_test_results.append(f"\n\t[+] Detected {len(forms)} forms on {url}.")

# Initialize a flag to track if any payload is detected

any_payload_detected = False

for form in forms:

form_details = get_form_details(form)

# Initialize variables to track detection for each payload

xss_detected = {}

for payload in xss_payloads:

response = submit_form(form_details, url, payload)
if payload in response.content.decode():
xss_detected[payload] = True
any_payload_detected = True
else:
xss_detected[payload] = False

# Print detection status for each payload

for payload, detected in xss_detected.items():
if detected:
print(colorama.Fore.RED +
f"[!]XSS detected for payload '{payload}': {url}")
xss_test_results.append(
f"\n\t[!]XSS detected for payload '{payload}': {url}")
40
 Appendices
print(colorama.Fore.YELLOW + f"[*] Form details:")
xss_test_results.append(f"\n\t[*] Form details:")
print(form_details)
xss_test_results.append("\n\t"+form_details)
else:
print(f"\nNo XSS detected for payload '{xss_payloads}'")
xss_test_results.append(
f"\n\tNo XSS detected for payload '{xss_payloads}'")

def banner():
yellow = "\033[93m"
white = "\033[0m"
end = "\033[0m"
print('''
%s %sVuln Scan%s %s
''' % (yellow, white, yellow, end))

def sanitize_url(url):
if not url.startswith("http://") and not url.startswith("https://"):
url = "https://" + url
return url

banner()

def csrf(domain_name):
lightning = '\033[93;5m \033[0m'

try:
import concurrent.futures
from pathlib import Path
except ImportError:
print('%s Vulnscan is not compatible with python 2. Please run it with python 3.' %
bad)

41
 Appendices
try:
from fuzzywuzzy import fuzz, process

except ImportError:
import os
print('%s fuzzywuzzy library is not installed, installing now.' % info)
os.system('pip3 install fuzzywuzzy')
print('%s fuzzywuzzy has been installed, please restart Vulnscan.' % info)
quit()

# Interactive input for the target domain

target = domain_name
target = sanitize_url(target)

# Additional interactive input for other parameters (you can customize this part)
delay = int(
input('%s Enter the delay between requests (default is 0): ' % info) or 0)
level = int(
input('%s Enter the number of levels to crawl (default is 2): ' % info) or 2)
timeout = int(
input('%s Enter the HTTP request timeout (default is 20): ' % info) or 20)
threadCount = int(
input('%s Enter the number of threads (default is 2): ' % info) or 2)

delay_desc = 'Delay between requests'

level_desc = 'Number of levels to crawl'
timeout_desc = 'HTTP request timeout'
threadCount_desc = 'Number of threads'

csrf_results.append((delay_desc, delay))
csrf_results.append((level_desc, level))
csrf_results.append((timeout_desc, timeout))
csrf_results.append((threadCount_desc, threadCount))

# Prompt for headers interactively

headers_input = input(
'%s Do you want to enter custom HTTP headers? (y/n): ' % info).lower()
if headers_input == 'y':
42
 Appendices
headers = extractHeaders(prompt())
else:
from core.config import headers

allTokens = []
weakTokens = []
tokenDatabase = []
insecureForms = []

print(' %s \n Phase: Crawling %s[%s1/6%s]%s' %

(lightning, green, end, green, end))
csrf_results.append('Phase: Crawling [1/6]')
dataset = photon(target, headers, level, threadCount)
allForms = dataset[0]
for url_dict in allForms:
for url, _ in url_dict.items():
print(url)
csrf_results.append(url)
print('\r%s Crawled %i URL(s) and found %i form(s).%-10s' %
(info, dataset[1], len(allForms), ' '))
csrf_results.append('\r%s Crawled %i URL(s) and found %i form(s).%-10s' %
(info, dataset[1], len(allForms), ' '))
print(' %s \n Phase: Evaluating %s[%s2/6%s]%s' %
(lightning, green, end, green, end))
csrf_results.append('Phase: Evaluating [2/6]')

evaluate(allForms, weakTokens, tokenDatabase, allTokens, insecureForms)

if weakTokens:
print('%s Weak token(s) found' % good)
csrf_results.append('%s Weak token(s) found' % good)
for weakToken in weakTokens:
url = list(weakToken.keys())[0]
token = list(weakToken.values())[0]
print('%s %s %s' % (info, url, token))
csrf_results.append('%s %s %s' % (info, url, token))

if insecureForms:
43
 Appendices
print('%s Insecure form(s) found' % good)
csrf_results.append('%s Insecure form(s) found' % good)
for insecureForm in insecureForms:
url = list(insecureForm.keys())[0]
action = list(insecureForm.values())[0]['action']
form = action.replace(target, '')
if form:
print('%s %s %s[%s%s%s]%s' %
(bad, url, green, end, form, green, end))
csrf_results.append('%s %s %s[%s%s%s]%s' %
(bad, url, green, end, form, green, end))

print(' %s \n Phase: Comparing %s[%s3/6%s]%s' %

(lightning, green, end, green, end))
csrf_results.append('Phase: Comparing [3/6]')

uniqueTokens = set(allTokens)
if len(uniqueTokens) < len(allTokens):
print('%s Potential Replay Attack condition found' % good)
csrf_results.append(
'%s Potential Replay Attack condition found' % good)
print('%s Verifying and looking for the cause' % run)
csrf_results.append('%s Verifying and looking for the cause' % run)
replay = False
for each in tokenDatabase:
url, token = next(iter(each.keys())), next(iter(each.values()))
for each2 in tokenDatabase:
url2, token2 = next(iter(each2.keys())), next(
iter(each2.values()))
if token == token2 and url != url2:
print('%s The same token was used on %s%s%s and %s%s%s' %
(good, green, url, end, green, url2, end))
csrf_results.append('%s The same token was used on %s%s%s and
%s%s%s' %
(good, green, url, end, green, url2, end))
replay = True
if not replay:
print('%s Further investigation shows that it was a false positive.')
44
 Appendices
csrf_results.append(
'%s Further investigation shows that it was a false positive.')

p = Path(__file__).parent.joinpath('db/hashes.json')
with p.open('r') as f:
hashPatterns = json.load(f)

if not allTokens:
print('%s No CSRF protection to test, NO CSRF TOKENS AVAILABLE' % bad)
csrf_results.append(
'%s No CSRF protection to test, NO CSRF TOKENS AVAILABLE' % bad)
return

print("Length of allTokens:", len(allTokens))

csrf_results.append(["Length of allTokens", len(allTokens)])

if len(allTokens) > 0:
print("Length of first sublist in allTokens:", len(allTokens[0]))
csrf_results.append([
"Length of first sublist in allTokens:", len(allTokens[0])])
else:
print("Error: allTokens is empty.")
csrf_results.append("Error: allTokens is empty.")
return

if len(allTokens[0]) == 0:
print("Error: First sublist in allTokens is empty.")
csrf_results.append("Error: First sublist in allTokens is empty.")
return

if allTokens and len(allTokens) > 0:

aToken = allTokens[0]
if aToken:
matches = []
for element in hashPatterns:
pattern = element['regex']
if re.match(pattern, aToken):
for name in element['matches']:
45
 Appendices
matches.append(name)
if matches:
print(
'%s Token matches the pattern of the following hash type(s):' % info)
csrf_results.append(
'%s Token matches the pattern of the following hash type(s):' % info)
for name in matches:
print(' %s>%s %s' % (yellow, end, name))
csrf_results.append(' %s>%s %s' % (yellow, end, name))

def fuzzy(tokens):
averages = []
for token in tokens:
sameTokenRemoved = False
result = process.extract(
token, tokens, scorer=fuzz.partial_ratio)
scores = []
for each in result:
score = each[1]
if score == 100 and not sameTokenRemoved:
sameTokenRemoved = True
continue
scores.append(score)
average = statistics.mean(scores)
averages.append(average)
return statistics.mean(averages)

try:
similarity = fuzzy(allTokens)
print('%s Tokens are %s%i%%%s similar to each other on average' %
(info, green, similarity, end))
csrf_results.append('%s Tokens are %s%i%%%s similar to each other on
average' %
(info, green, similarity, end))
except statistics.StatisticsError:
print(
'%s No CSRF protection to test, CSRF vulnerability not found' % bad)
csrf_results.append(
46
 Appendices
'%s No CSRF protection to test, CSRF vulnerability not found' % bad)
else:
print("The first element of allTokens is an empty list.")
csrf_results.append(
"The first element of allTokens is an empty list.")
else:
print("No CSRF tokens available.")
csrf_results.append("No CSRF tokens available.")

def staticParts(allTokens):
strings = list(set(allTokens.copy()))
commonSubstrings = {}
for theString in strings:
strings.remove(theString)
for string in strings:
commonSubstring = longestCommonSubstring(theString, string)
if commonSubstring not in commonSubstrings:
commonSubstrings[commonSubstring] = []
if len(commonSubstring) > 2:
if theString not in commonSubstrings[commonSubstring]:
commonSubstrings[commonSubstring].append(theString)
if string not in commonSubstrings[commonSubstring]:
commonSubstrings[commonSubstring].append(string)
return commonSubstrings

result = {k: v for k, v in staticParts(allTokens).items() if v}

if result:
print('%s Common substring found' % info)
csrf_results.append('%s Common substring found' % info)
print(json.dumps(result, indent=4))
csrf_results.append(json.dumps(result, indent=4))

simTokens = []
print(' %s \n Phase: Observing %s[%s4/6%s]%s' %
(lightning, green, end, green, end))
csrf_results.append('Phase: Observing [4/6]')
print('%s 100 simultaneous requests are being made, please wait.' % info)
47
 Appendices
csrf_results.append(
'%s 100 simultaneous requests are being made, please wait.' % info)

def extractForms(url):
response = requester(url, {}, headers, True, 0).text
forms = zetanize(url, response)
for each in forms.values():
localTokens = set()
inputs = each['inputs']
for inp in inputs:
value = inp['value']
if value and re.match(r'^[\w\-_]+$', value):
if strength(value) > 10:
simTokens.append(value)

# Define goodCandidate before the loop

goodCandidate = None

# Limit the number of iterations to 100

for _ in range(100):
sample = random.choice(tokenDatabase)
goodToken = list(sample.values())[0]
if len(goodToken) > 0:
goodCandidate = list(sample.keys())[0]
break

# Check if a valid goodCandidate was found

if goodCandidate is not None:
threadpool = concurrent.futures.ThreadPoolExecutor(max_workers=30)
futures = (threadpool.submit(extractForms, goodCandidate)
for _ in range(30))

# Introduce a timeout for completion

try:
# Set a reasonable timeout value
for i in concurrent.futures.as_completed(futures, timeout=60):
pass
except concurrent.futures.TimeoutError:
48
 Appendices
print("Timeout reached. Exiting the loop.")
csrf_results.append("Timeout reached. Exiting the loop.")
else:
print("No valid goodCandidate found.")
csrf_results.append("No valid goodCandidate found.")

if simTokens:
if len(set(simTokens)) < len(simTokens):
print('%s Same tokens were issued for simultaneous requests.' % good)
csrf_results.append(
'%s Same tokens were issued for simultaneous requests.' % good)
else:
print(simTokens)
csrf_results.append(simTokens)
else:
print('%s Different tokens were issued for simultaneous requests.' % info)
csrf_results.append(
'%s Different tokens were issued for simultaneous requests.' % info)

print(' %s \n Phase: Testing %s[%s5/6%s]%s' %

(lightning, green, end, green, end))
csrf_results.append('Phase: Testing [5/6]')

parsed = ''
found = False
print('%s Finding a suitable form for further testing. It may take a while.' % run)
csrf_results.append(
'%s Finding a suitable form for further testing. It may take a while.' % run)
for form_dict in allForms:
for url, forms in form_dict.items():
parsed = datanize(forms, tolerate=True)
if parsed:
found = True
break
if found:
break

if not parsed:
49
 Appendices
quit('%s No suitable form found for testing.' % bad)

origGET = parsed[0]
origUrl = parsed[1]
origData = parsed[2]

print('%s Making a request with CSRF token for comparison.' % run)

csrf_results.append(
'%s Making a request with CSRF token for comparison.' % run)
response = requester(origUrl, origData, headers, origGET, 0)
originalCode = response.status_code
originalLength = len(response.text)
print('%s Status Code: %s' % (info, originalCode))
csrf_results.append('%s Status Code: %s' % (info, originalCode))
print('%s Content Length: %i' % (info, originalLength))
csrf_results.append('%s Content Length: %i' % (info, originalLength))
print('%s Checking if the resonse is dynamic.' % run)
csrf_results.append('%s Checking if the resonse is dynamic.' % run)
response = requester(origUrl, origData, headers, origGET, 0)
secondLength = len(response.text)
if originalLength != secondLength:
print('%s Response is dynamic.' % info)
csrf_results.append('%s Response is dynamic.' % info)
tolerableDifference = abs(originalLength - secondLength)
else:
print('%s Response isn\'t dynamic.' % info)
csrf_results.append('%s Response isn\'t dynamic.' % info)
tolerableDifference = 0

print('%s Emulating a mobile browser' % run)

csrf_results.append('%s Emulating a mobile browser' % run)
print('%s Making a request with mobile browser' % run)
csrf_results.append('%s Making a request with mobile browser' % run)
headers['User-Agent'] = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows CE; PPC;
240x320)'
response = requester(origUrl, {}, headers, True, 0).text
parsed = zetanize(origUrl, response)
if isProtected(parsed):
50
 Appendices
print('%s CSRF protection is enabled for mobile browsers as well.' % bad)
csrf_results.append(
'%s CSRF protection is enabled for mobile browsers as well.' % bad)
else:
print('%s CSRF protection isn\'t enabled for mobile browsers.' % good)
csrf_results.append(
'%s CSRF protection isn\'t enabled for mobile browsers.' % good)

print('%s Making a request without CSRF token parameter.' % run)

csrf_results.append(
'%s Making a request without CSRF token parameter.' % run)

data = tweaker(origData, 'remove')

response = requester(origUrl, data, headers, origGET, 0)
if response.status_code == originalCode:
if str(originalCode)[0] in ['4', '5']:
print('%s It didn\'t work' % bad)
csrf_results.append('%s It didn\'t work' % bad)
else:
difference = abs(originalLength - len(response.text))
if difference <= tolerableDifference:
print('%s It worked!' % good)
csrf_results.append('%s It worked!' % good)
else:
print('%s It didn\'t work' % bad)
csrf_results.append('%s It didn\'t work' % bad)

print('%s Making a request without CSRF token parameter value.' % run)

csrf_results.append(
'%s Making a request without CSRF token parameter value.' % run)
data = tweaker(origData, 'clear')

response = requester(origUrl, data, headers, origGET, 0)

if response.status_code == originalCode:
if str(originalCode)[0] in ['4', '5']:
print('%s It didn\'t work' % bad)
csrf_results.append('%s It didn\'t work' % bad)
else:
51
 Appendices
difference = abs(originalLength - len(response.text))
if difference <= tolerableDifference:
print('%s It worked!' % good)
csrf_results.append('%s It worked!' % good)
else:
print('%s It didn\'t work' % bad)
csrf_results.append('%s It didn\'t work' % bad)

seeds = ranger(allTokens)

print('%s Checking if tokens are checked to a specific length' % run)

csrf_results.append(
'%s Checking if tokens are checked to a specific length' % run)

for index in range(len(allTokens[0])):

data = tweaker(origData, 'replace', index=index, seeds=seeds)
response = requester(origUrl, data, headers, origGET, 0)
if response.status_code == originalCode:
if str(originalCode)[0] in ['4', '5']:
break
else:
difference = abs(originalLength - len(response.text))
if difference <= tolerableDifference:
print('%s Last %i chars of token aren\'t being checked' %
(good, index + 1))
csrf_results.append('%s Last %i chars of token aren\'t being checked' %
(good, index + 1))
else:
break

print('%s Generating a fake token.' % run)

csrf_results.append('%s Generating a fake token.' % run)

data = tweaker(origData, 'generate', seeds=seeds)

print('%s Making a request with the self generated token.' % run)
csrf_results.append(
'%s Making a request with the self generated token.' % run)

52
 Appendices
response = requester(origUrl, data, headers, origGET, 0)
if response.status_code == originalCode:
if str(originalCode)[0] in ['4', '5']:
print('%s It didn\'t work' % bad)
csrf_results.append('%s It didn\'t work' % bad)
else:
difference = abs(originalLength - len(response.text))
if difference <= tolerableDifference:
print('%s It worked!' % good)
csrf_results.append('%s It worked!' % good)
else:
print('%s It didn\'t work' % bad)
csrf_results.append('%s It didn\'t work' % bad)

print(' %s \n Phase: Analysing %s[%s6/6%s]%s' %

(lightning, green, end, green, end))
csrf_results.append('Phase: Analysing [6/6]')

binary = stringToBinary(''.join(allTokens))
result = isRandom(binary)
for name, result in result.items():
if not result:
print('%s %s : %s%s%s' % (good, name, green, 'non-random', end))
csrf_results.append('%s %s : %s%s%s' %
(good, name, green, 'non-random', end))
else:
print('%s %s : %s%s%s' % (bad, name, red, 'random', end))
csrf_results.append('%s %s : %s%s%s' %
(bad, name, red, 'random', end))

def certificate(url):
try:
hostname = domain_name
context = ssl.create_default_context()
with socket.create_connection((hostname, 443)) as sock:
with context.wrap_socket(sock, server_hostname=hostname) as ssock:
chain = ssock.getpeercert()
53
 Appendices
print(chain)
print("\n")
print(f"SSL certificate for {domain_name} is valid.")

except ssl.SSLError as e:
# The certificate validation failed
print(f"SSL certificate validation for {domain_name} failed: {e}")
return False
except socket.error as e:
# Failed to connect to the specified domain
print(f"Failed to connect to {domain_name}: {e}")
return False

def analyze_certificate(domain, port):

try:
# Create a socket object
with socket.create_connection((domain, port)) as sock:
# Wrap the socket with SSL/TLS context
with ssl.create_default_context().wrap_socket(sock, server_hostname=domain)
as ssock:
# Get the certificate information
cert = ssock.getpeercert(binary_form=True)
x509_cert = x509.load_der_x509_certificate(
cert, default_backend())

# Extract and display certificate details

print(f"[+] SSL/TLS Certificate Analysis for {domain}:{port}")
print(
f"Common Name (CN): {x509_cert.subject.rfc4514_string()}")
print(f"Issuer: {x509_cert.issuer.rfc4514_string()}")
print(f"Serial Number: {x509_cert.serial_number}")
print(f"Not Valid Before: {x509_cert.not_valid_before}")
print(f"Not Valid After: {x509_cert.not_valid_after}")
print(
f"Signature Algorithm: {x509_cert.signature_algorithm_oid._name}")
print(f"Version: {x509_cert.version.name}")

54
 Appendices
certificate_results.append(
f"[+] SSL/TLS Certificate Analysis for {domain}:{port}")
certificate_results.append(
f"Common Name (CN): {x509_cert.subject.rfc4514_string()}")
certificate_results.append(
f"Issuer: {x509_cert.issuer.rfc4514_string()}")
certificate_results.append(
f"Serial Number: {x509_cert.serial_number}")
certificate_results.append(
f"Not Valid Before: {x509_cert.not_valid_before}")
certificate_results.append(
f"Not Valid After: {x509_cert.not_valid_after}")
certificate_results.append(
f"Signature Algorithm: {x509_cert.signature_algorithm_oid._name}")
certificate_results.append(
f"Version: {x509_cert.version.name}")

# Display more detailed information as needed

# You can access additional certificate properties here

except socket.timeout:
print(f"[-] Connection to {domain}:{port} timed out.")
certificate_results(f"[-] Connection to {domain}:{port} timed out.")
except socket.error as e:
print(
f"[-] Error occurred while connecting to {domain}:{port}: {str(e)}")
certificate_results(
f"[-] Error occurred while connecting to {domain}:{port}: {str(e)}")
except ssl.SSLError as e:
print(f"[-] SSL/TLS Error occurred: {str(e)}")
certificate_results(f"[-] SSL/TLS Error occurred: {str(e)}")
except x509.CertificateError as e:
print(f"[-] Certificate Error occurred: {str(e)}")
certificate_results(f"[-] Certificate Error occurred: {str(e)}")
except Exception as e:
print(f"[-] An unexpected error occurred: {str(e)}")
certificate_results(f"[-] An unexpected error occurred: {str(e)}")

55
 Appendices

location_cache = {}
location_cache = {}

def get_location(ip_address, retry_attempts=1, delay_seconds=3):

if ip_address in location_cache:
return location_cache[ip_address]
for attempt in range(retry_attempts):
try:
response = requests.get(f'https://ipapi.co/{ip_address}/json/')
# Raise an exception for HTTP errors (e.g., 404, 500, etc.)
response.raise_for_status()
data = response.json()
print(response)
location_data = {
"ip": ip_address,
"network": data.get("network"),
"version": data.get("version"),
"city": data.get("city"),
"region": data.get("region"),
"region_code": data.get("region_code"),
"country": data.get("country_name"),
"country_code": data.get("country_code"),
"country_code_iso3": data.get("country_code_iso3"),
"country_capital": data.get("country_capital"),
"country_tld": data.get("country_tld"),
"continent_code": data.get("continent_code"),
"in_eu": data.get("in_eu"),
"postal": data.get("postal"),
"latitude": data.get("latitude"),
"longitude": data.get("longitude"),
"timezone": data.get("timezone"),
"utc_offset": data.get("utc_offset"),
"country_calling_code": data.get("country_calling_code"),
"currency": data.get("currency"),
"currency_name": data.get("currency_name"),
"languages": data.get("languages"),
56
 Appendices
"country_area": data.get("country_area"),
"country_population": data.get("country_population"),
"asn": data.get("asn"),
"org": data.get("org")
}
# Cache the result for future use
print(data)
locations_data.append(location_data)

except requests.exceptions.RequestException as e:
print(f"Error fetching location data for {ip_address}: {e}")
if response.status_code == 200:
# Parse the JSON data
json_data = response.json()
# Print the JSON data
print(json_data)
elif response.status_code == 429:
print("Too many requests. Retrying after waiting...")
time.sleep(2 ** attempt) # Exponential backoff
else:
print("Unknown error. Exiting...")
break
except requests.exceptions.HTTPError as err:
print(f"HTTP error occurred: {err}")
except requests.exceptions.RequestException as err:
print(f"An error occurred: {err}")

def sanitize_html(html_content):
# Remove HTML tags
stripped_content = html_content.replace("<", "").replace(">", "")

# Escape special characters

escaped_content = html.escape(stripped_content)

return escaped_content

57
 Appendices
active_domains = []
location_cache = []
port_scan_results = []
server_info = []
sql_test_results = []
xss_test_results = []
csrf_results = []
certificate_results = []
locations_data = []

def generate_report(domain_name, ip_address, options, args, active_domains=None,

location_data=None, server_info=None, port_scan_results=None,
sql_test_results=None, xss_test_results=None, csrf_results=None,
certificate_results=None, locations_data=None):
report_filename = f"VulnScan_Report_{time.strftime('%Y%m%d%H%M%S')}.pdf"

doc = SimpleDocTemplate(report_filename, pagesize=letter)

styles = getSampleStyleSheet()
content = []

content.append(Paragraph(
f"<u>VulnScan Report - {time.strftime('%Y-%m-%d %H:%M:%S')}</u>",
styles['Title']))
content.append(Spacer(1, 12))
content.append(
Paragraph(f"<b>Target Domain:</b> {domain_name}", styles['Normal']))
content.append(
Paragraph(f"<b>IP Address:</b> {ip_address}", styles['Normal']))
content.append(Paragraph(f"<b>Scan Options:</b> {args}", styles['Normal']))
content.append(Spacer(1, 12))

if port_scan_results:
content.append(
Paragraph("<b>Port Scanning Results:</b>", styles['Heading2']))
port_scan_results.extend([
"<br />"+"<b>Suggestions for Open Ports :</b><br/>"
""
58
 Appendices
"<br />"+"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Evaluate Each Open Port :</b>
Determine whether each open port is necessary for the functioning of your website or if
it's potentially a security risk.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Close Unnecessary Ports :</b> For any open
ports that aren't needed for your website's operation, consider closing them through
your server's firewall configuration or network settings.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Secure Necessary Ports :</b> For ports that
are required for your website to function (such as port 80 for HTTP or port 443 for
HTTPS), ensure they are properly secured with strong encryption protocols, secure
configurations, and up-to-date software."
])
for result in port_scan_results:
content.append(Paragraph(result, styles['Normal']))
content.append(Spacer(1, 12))

if active_domains:
content.append(
Paragraph("<b>Active Subdomains:</b>", styles['Heading2']))
active_domains.extend([
"<br />"+"<b>Suggestions for Domain Enumeration and Active Sub Domains
:</b><br/>"
""
"<br />"+"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Remove DNS Entries :</b> If you
want to completely disable access to certain subdomains, you can remove or modify
the DNS records for those subdomains. This prevents users from resolving the IP
address associated with those subdomains.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Redirect Subdomains :</b> Instead of
completely removing the subdomains, you can set up redirection rules on your server
to redirect requests from certain subdomains to the main domain or to a specific page.
This way, users won't see the content of the subdomains, but they will be redirected to
another location.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Configure Virtual Hosts :</b> If you're using a
web server like Apache or Nginx, you can configure virtual hosts to only serve content
for specific domains and subdomains. By configuring the virtual hosts appropriately,
you can prevent access to certain subdomains.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Use Robots.txt :</b> You can use a robots.txt
file to instruct search engines not to index certain subdomains or to exclude them from
search results. This won't prevent direct access to the subdomains, but it can help
59
 Appendices
prevent them from appearing in search engine results.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Authentication and Authorization :</b>
Implement authentication and authorization mechanisms to restrict access to certain
subdomains. This way, even if users know the URL of a subdomain, they won't be able
to access it without proper credentials.",
])
for subdomain in active_domains:
content.append(Paragraph(subdomain, styles['Normal']))
content.append(Spacer(1, 12))

if server_info:
content.append(
Paragraph("<b>Domain Fingerprinting:</b>", styles['Heading2']))
server_info.extend([
"<br />"+"<b>Suggestions for Domain Fingerprinting :</b><br/>"
""
"<br />" +
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Apache :</b> Edit your Apache configuration
file (httpd.conf) and ensure that the following directives are set <b>{ 'ServerSignature
Off' , 'ServerTokens Prod' }</b> for hiding your apache information",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Nginx :</b> In your Nginx configuration file
(nginx.conf), make sure the following directives are set" +
"<br/>" +
"<b>{ 'server_tokens off;' }</b> for hiding your HTTP Header information",
"<b> &nbsp;&nbsp;&nbsp;&nbsp;- PHP :</b> To hide the PHP version
information, you can adjust the expose_php directive in your PHP configuration file
(php.ini). Set it to Off using <b>{ 'expose_php = Off' }</b>",
])
for info in server_info: # Iterate over the elements of server_info list
content.append(Paragraph(str(info), styles['Normal']))
content.append(Spacer(1, 12))

if sql_test_results:
content.append(
Paragraph("<b>SQL Injection Test Results:</b>", styles['Heading2']))
sql_test_results.extend([
"<br />"+"<b>Suggestions for SQL Injection :</b><br/>"
""
60
 Appendices
"<br />"+"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Don't Use HTML forms :</b> HTMl
forms is directly linked with database so use some other options for survey or form
related uses ",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Use modern languages :</b> Instead of
using normal HTML, CSS, JS use react, php and use NO SQL for Database "])
for info in sql_test_results: # Iterate over the elements of sql_test_results list
content.append(Paragraph(str(info), styles['Normal']))
content.append(Spacer(1, 12))

if xss_test_results:
content.append(
Paragraph("<b>XSS Testing Results:</b>", styles['Heading2']))
xss_test_results.extend([
"<br />"+"<b>Suggestions for SQL Injection :</b><br/>"
""
"<br />"+"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Don't Trust User Input :</b> Always
validate and sanitize user input to prevent malicious scripts from executing.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Use Content Security Policy (CSP) :</b>
Implement CSP headers to restrict the sources from which content can be loaded,
mitigating XSS attacks.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Encode Output :</b> Encode output data
using appropriate encoding methods (such as HTML escaping) to prevent script
injection.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Educate Developers :</b> Train developers
on secure coding practices to reduce the likelihood of introducing XSS vulnerabilities."
])
for info in xss_test_results:
sanitized_info = sanitize_html(info)
content.append(Paragraph(str(sanitized_info), styles['Normal']))
content.append(Spacer(1, 12))

if csrf_results:
content.append(
Paragraph("<b>CSRF Test Results:</b>", styles['Heading2']))
csrf_results.extend([
"<br />"+"<b>Suggestions for CSRF Protection :</b><br/>"
""
"<br />"+"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Secure Configuration :</b> You can
61
 Appendices
enable or disable this protection in the central-wrapper.conf file.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- 1. </b> Stop the Central server.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- 2. </b> Open the
<installation_folder>/central/conf/central-wrapper.conf file.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- 3. </b> Locate the Dcsrf.enabled property
and change it to true, to enable CSRF protection.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- 4. </b> Start the Central server."
])
for info in csrf_results:
# Ensure info is converted to strings
content.append(Paragraph(str(info), styles['Normal']))
content.append(Spacer(1, 12))

if certificate_results:
content.append(
Paragraph("<b>Certificate Detection Results:</b>", styles['Heading2']))
certificate_results.extend([
"<br /><b>Suggestions for SSL/TLS Configuration :</b>",
"<br/>"+"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Disable Certificate Transparency
(CT) :</b> Certificate Transparency is a mechanism for publicly logging SSL
certificates. If you have control over your certificate issuance process, you may be able
to disable CT logging for your certificates. However, note that this may not be feasible
for all certificate authorities (CAs) or certificate types.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Limit OCSP Stapling :</b> Online Certificate
Status Protocol (OCSP) stapling is a feature that allows the web server to provide the
OCSP response along with the SSL certificate during the SSL handshake. By limiting
OCSP stapling, you may reduce the amount of certificate-related information exposed
during the handshake.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Custom Error Pages :</b> Customize error
pages for SSL/TLS handshake failures. Instead of displaying detailed error messages
that may expose certificate details, provide generic error messages to users.<br />",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Web Application Firewall (WAF) :</b> Use a
WAF to filter and sanitize HTTP responses from your web server. This can help
prevent leaking sensitive certificate details in error messages or responses.<br />",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Load Balancer Configuration :</b> If your
website is behind a load balancer or reverse proxy, ensure that the load balancer does
not expose sensitive SSL certificate details in headers or error responses.",
"<b>&nbsp;&nbsp;&nbsp;&nbsp;- Security Headers: </b> Implement security
62
 Appendices
headers such as Content Security Policy (CSP) to mitigate the impact of successful
attacks that may expose certificate details."
])

for info in certificate_results: # Iterate over the elements of certificate_results list

content.append(Paragraph(str(info), styles['Normal']))
content.append(Spacer(1, 12))

if locations_data:
content.append(
Paragraph("<b>Location Information:</b>", styles['Heading2']))
for info in locations_data:
content.append(Paragraph(str(info), styles['Normal']))
content.append(Spacer(1, 12))

doc.build(content)
print(f"\nReport generated: {report_filename}")

if __name__ == "__main__":
while True:
domain_name = input("\nEnter the target domain : ")
options, args = get_args() # Ensure get_args is defined properly in your script
# Call get_ip_address function to get IP address
ip_address = get_ip_address(domain_name)
get_ip_address(domain_name)
print('IP Address : ', ip_address)
while True:
print("\n1. Change Domain")
print("2. Port Scan")
print("3. Domain enumeration")
print("4. Domain Fingerprinting")
print("5. SQL Injection Testing")
print("6. XSS Testing")
print("7. CSRF Detection")
print("8. SSL / TLS Certificate Detection")
print("9. Location of the Server")
print("10. Report Generation")
63
 Appendices
print("11. Exit\n")
choice = input(
"Enter a choice from the given options (1, 2, 3, 4, 5, 6, 7 , 8 , 9 , 10 or 11): ")

if choice == '1':
break # Change Domain

elif choice == '2':

while True:
print("\nPort Scanning Options:")
print("\n1. Scan a single port")
print("2. Scan custom ports")
print("3. Scan a range of ports")
print("4. Exit Port Scan\n")
try:
port_option = int(
input("\nEnter your choice (1, 2, 3, or 4): "))
if port_option == 1:
port = input(
"\nEnter the port number to scan: ")
start_time = time.time()
scan_single_port(domain_name, port)
elapsed_time = time.time() - start_time
print(
f"Elapsed time: {elapsed_time:.2f} seconds")
elif port_option == 2:
ports_input = input(
"\nEnter the port numbers to scan (comma-separated): ")
ports = [int(port.strip())
for port in ports_input.split(",")]
start_time = time.time()
scan_custom_ports(domain_name, ports)
elapsed_time = time.time() - start_time
print(
f"Elapsed time: {elapsed_time:.2f} seconds")
elif port_option == 3:
start_port, end_port = map(int, input(
"\nEnter the port range to scan (e.g., 1-65535): ").split("-"))
64
 Appendices
start_time = time.time()
scan_range_of_ports(
domain_name, start_port, end_port)
elapsed_time = time.time() - start_time
print(
f"Elapsed time: {elapsed_time:.2f} seconds")
elif port_option == 4:
print("\nExiting Port Scan...\n")
break # Break out of the port scanning loop
else:
print(
"\nInvalid option. Please enter a valid option (1, 2, 3, or 4)")
except ValueError:
print(
"\nInvalid input. Please enter a valid option (1, 2, 3, or 4)")

elif choice == '3':

q = queue.Queue() # Create the queue before using it
for subdomain in from_file(options.input_list):
q.put(subdomain)
bar = Bar("Subdomain scanning...", max=q.qsize())

# Use a session for making requests

session = requests.Session()

# Specify the User-Agent header

session.headers["User-Agent"] = "Mozilla/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"

# Set up threading for concurrent subdomain scanning

active_domains = []
lock = threading.Lock()
q = queue.Queue()

for subdomain in from_file(options.input_list):

q.put(subdomain)

threads = []
65
 Appendices
for i in range(options.n_threads):
t = threading.Thread(target=get_active)
t.daemon = True
t.start()
threads.append(t)

for t in threads:
t.join()

# Print the results

if active_domains:
print("\n\nActive subdomains:")
for e in active_domains:
print(e)
else:
print("No active subdomains found.")
pass

elif choice == '4':

get_server_info(domain_name)
elif choice == '5':
test_sql_injection(domain_name)
elif choice == '6':
colorama.init()
scan_xss(domain_name)
colorama.deinit()
elif choice == '7':
csrf(domain_name)
elif choice == '8':
domain = domain_name
port = 443
certificate(domain_name)
analyze_certificate(domain, port)
if choice == '9':
location_data = get_location(ip_address)
if location_data:
print("\nLocation Information:")
for key, value in location_data.items():
66
 Appendices
print(f"{key}: {value}")
elif choice == '10':
generate_report(
domain_name, ip_address, options, args, active_domains, location_cache,
server_info, port_scan_results, sql_test_results, xss_test_results, csrf_results,
certificate_results, locations_data)
elif choice == '11':
print("Thank you for using VulnScan \n Exiting the script...")
sys.exit()
else:
print(
"\nInvalid option. Please enter a valid option (1, 2, 3, 4, 5, 6, 7 , 8 , 9 , 10
or 11)")

67
 Appendices

Sub Domains: av cart

a ayuda cas
acceptati b catalog
e b2b catalogo
access backup catalogue
accountin backups cc
g banner cctv
accounts barracud cdn
ad a cdn1
adm bb cdn2
admin bbs chat
administr beta chimera
ator biblioteca chronos
ads billing ci
adserver blackboar cisco
affiliate d citrix
affiliates blog classroo
agenda blogs m
alpha board client
alumni book clientes
analytics booking clients
ann bookings cloud
api broadcas cloudflare
apollo t-ip -resolve-
app bsd to
apps bt club
ar bug cms
archive bugs cn
art business co
assets c communit
atlas ca y
auth cache conferen
auto cacti ce
autoconfi cal config
g calendar connect
autodisco cam contact
ver careers contacts
68
 Appendices

content s domainm
control design anageme
controller desktop nt
controlp dev domains
controlpa dev01 download
nel dev1 download
corp dev2 s
corporate devel drupal
correo develope e
correowe rs eaccess
b developm echo
cp ent ecommer
cpanel dialin ce
crm diana edu
cs direct ektron
css directory elearning
customer dl email
s dmz en
cvs dns eng
d dns1 english
da dns2 enterpris
data dns3 eenrollm
database dns4 ent
db doc enterpris
db1 docs eregistrat
db2 domain ion
dbadmin domain- erp
dbs controller es
dc domaina event
de dmin events
default domainco ex
demo ntrol example
demo2 domainco examples
demon ntroller exchange
demostra domainco external
tion ntrolpane extranet
descarga l f
69
 Appendices

facebook git images4

faq gmail images5
fax go images6
fb google images7
feedback groups images8
feeds groupwis imail
file e imap
files gu imap3
fileserver guest imap3d
finance guia imapd
firewall guide imaps
folders gw img
forms health img1
foro help img2
foros helpdesk img3
forum hera imgs
forums heracles imogen
foto hercules in
fr hermes incoming
free home info
freebsd homer inmueble
fs host s
ftp host2 internal
ftp1 hosting interno
ftp2 hotspot intra
ftpadmin hr intranet
ftpd hypernov io
fw a ip
g i ip6
galeria id ipfixe
gallery idp iphone
game im ipmi
games image ipsec
gate images ipv4
gateway images1 ipv6
gilford images2 irc
gis mages3 ircd
70
 Appendices

is live mailserve
isa lms r
it local main
j localhost manage
ja log manager
jabber loghost mantis
jboss login map
jboss2 logon maps
jira logs market
job london marketin
jobs loopback g
jp love mars
js lp master
jupiter lync math
k lyncdisco mb
kb ver mc
kerberos m mdm
l m1 media
la m2 meet
lab magento member
laboratori mail members
es mail01 mercury
laboratori mail1 meta
o mail2 meta01
laborator mail3 meta02
y mail4 meta03
labs mail5 meta1
ldap mailadmi meta2
legacy n meta3
lib mailback miembro
library up s
link mailbox mijn
links mailer minerva
linux mailgate mirror
lisa mailhost ml
list mailing mm
lists mailman mob
71
 Appendices

mobil ip oldmail
mobile networks oldsite
monitor new oldwww
monitorin newmail on
g news online
moodle newsgrou op
movil ps openbsd
mrtg newsite operation
ms newslette operation
msoid r s
mssql nl ops
munin noc ora
music novell oracle
mx ns origin
mx-a ns0 orion
mx-b ns01 os
mx0 ns02 osx
mx01 ns03 ou
mx02 ns1 outgoing
mx03 ns10 outlook
mx1 ns11 owa
mx2 ns12 ox
mx3 ns2 p
my ns3 painel
mysql ns4 panel
mysql2 ns5 partner
n ns6 partners
nagios ns7 pay
nas ns8 payment
nat nt payments
nelson ntp pbx
neon ntp1 pcanywh
net o ere
netmail oa pda
netscaler office pegasus
network office2 pendrell
network- old personal
72
 Appendices

pgsql projects rtmp

phoenix promo ru
photo proxy s
photos prueba s1
php pruebas s2
phpmyad pt s3
min pub s4
pm public sa
pma q sales
poczta qa sample
pop r samples
pop3 ra sandbox
portal radio sc
portfolio radius search
post ras secure
postgres rdp security
postgres redirect seo
ql redmine server
postman register server1
postmast relay server2
er remote service
pp remote2 services
ppp repo sftp
pr report share
pre-prod reports sharepoi
pre- repos nt
productio research shell
n resource shop
preprod s shopping
press restricted signup
preview reviews sip
private robinhoo site
pro d siteadmin
prod root sitebuilde
productio router r
n rss sites
project rt skype
73
 Appendices

sms stream tunnel

smtp streamin tutorials
smtp1 g tv
smtp2 student tw
smtp3 sun u
snmp support uat
social survey uk
software sv unix
solaris svn up
soporte t update
sp team upload
spam tech uploads
speedtest telewerk us
sport telework user
sports temp users
sql test v
sqlserver test1 v2
squirrel test2 vc
squirrelm test3 ventas
ail testing video
ssh testsite videos
ssl testweb vip
sslvpn tfs virtual
sso tftp vista
st thumbs vle
staff ticket vm
stage tickets vms
staging time vmware
start tools vnc
stat trac vod
static track voip
static1 tracker vpn
static2 tracking vpn1
stats train vpn2
status training vpn3
storage travel vps
store ts vps1
74
 Appendices

vps2 windows
w wordpres
w3 s
wap work
wc wp
web ws
web0 wsus
web01 ww
web02 ww0
web03 ww01
web1 ww02
web2 ww03
web3 ww1
web4 ww2
web5 ww3
webadmi www
n www-test
webcam www0
webconf www01
webct www02
webdb www03
webdisk www1
weblog www2
webmail www3
webmail2 www4
webmast www5
er www6
webmin www7
webservi wwwm
ces wwwold
webstats wwww
webstore x
whm xml
wifi zabbix
wiki zeus
win zimbra
win32
75