IP address: 114.114.114.114
IP address range: 114.114.114.114-115.115.115.115
URL address: https://www.baidu.com
File address: file:/tmp/target.txt
[Empty]: will detect the IP address of the local machine and detect the B segment where the local IP is located
[all]: All private network addresses (192.168/172.32/10, etc.) will be probed
IP address: will detect the B segment where the specified IP address is located
fofa search keywords: will directly return fofa search results
usage: kscan [-h,--help,--fofa-syntax] (-t,--target,-f,--fofa,--spy) [-p,--port|--top] [-o,--output] [-oJ] [--proxy] [--threads] [--path] [--host] [--timeout] [-Pn] [-Cn] [-sV] [--check] [--encoding] [--hydra] [hydra options] [fofa options]
optional arguments:
-h , --help show this help message and exit
-f , --fofa Get the detection object from fofa, you need to configure the environment variables in advance: FOFA_EMAIL, FOFA_KEY
-t , --target Specify the detection target:
IP address: 114.114.114.114
IP address segment: 114.114.114.114/24, subnet mask less than 12 is not recommended
IP address range: 114.114.114.114-115.115.115.115
URL address: https://www.baidu.com
File address: file:/tmp/target.txt
--spy network segment detection mode, in this mode, the internal network segment reachable by the host will be automatically detected. The acceptable parameters are:
(empty), 192, 10, 172, all, specified IP address (the IP address B segment will be detected as the surviving gateway)
--check Fingerprinting the target address, only port detection will not be performed
--scan will perform port scanning and fingerprinting on the target objects provided by --fofa and --spy
-p , --port scan the specified port, TOP400 will be scanned by default, support: 80, 8080, 8088-8090
-eP, --excluded-port skip scanning specified ports,support:80,8080,8088-8090
-o , --output save scan results to file
-oJ save the scan results to a file in json format
-Pn After using this parameter, intelligent survivability detection will not be performed. Now intelligent survivability detection is enabled by default to improve efficiency.
-Cn With this parameter, the console output will not be colored.
-sV After using this parameter, all ports will be probed with full probes. This parameter greatly affects the efficiency, so use it with caution!
--top Scan the filtered common ports TopX, up to 1000, the default is TOP400
--proxy set proxy (socks5|socks4|https|http)://IP:Port
--threads thread parameter, the default thread is 100, the maximum value is 2048
--path specifies the directory to request access, only a single directory is supported
--host specifies the header Host value for all requests
--timeout set timeout
--encoding Set the terminal output encoding, which can be specified as: gb2312, utf-8
--match returns the banner to the asset for retrieval. If there is a keyword, it will be displayed, otherwise it will not be displayed
--hydra automatic blasting support protocol: ssh, rdp, ftp, smb, mysql, mssql, oracle, postgresql, mongodb, redis, all are enabled by default
hydra options:
--hydra-user custom hydra blasting username: username or user1,user2 or file:username.txt
--hydra-pass Custom hydra blasting password: password or pass1,pass2 or file:password.txt
If there is a comma in the password, use , to escape, other symbols do not need to be escaped
--hydra-update Customize the user name and password mode. If this parameter is carried, it is a new mode, and the user name and password will be added to the default dictionary. Otherwise the default dictionary will be replaced.
--hydra-mod specifies the automatic brute force cracking module: rdp or rdp, ssh, smb
fofa options:
--fofa-syntax will get fofa search syntax description
--fofa-size will set the number of entries returned by fofa, the default is 100
--fofa-fix-keyword Modifies the keyword, and the {} in this parameter will eventually be replaced with the value of the -f parameter
