Introduction:
Focus Scanner (X-Scan), one of the best-known security scanning tools in China, uses multiple threads to detect security vulnerabilities in a specified IP address range (or on a single host), supports plug-ins, and provides two modes of operation: a graphical interface and a command line. The scan covers remote service types, operating system type and version, various weak-password vulnerabilities, backdoors, application service vulnerabilities, network device vulnerabilities, denial-of-service vulnerabilities, and so on. Online upgrading is supported.
The latest version can be downloaded from Security Focus.
Detailed description:
X-Scan v3.1 user manual
I. System requirements: Windows NT4/2000/XP/2003
II. Features:
X-Scan uses multiple threads to detect security vulnerabilities in a specified IP address range (or on a single host), supports plug-ins, and provides two modes of operation: a graphical interface and a command line. The scan covers remote service types, operating system type and version, various weak-password vulnerabilities, backdoors, application service vulnerabilities, network device vulnerabilities, denial-of-service vulnerabilities, and so on. For most known vulnerabilities a description, a solution and a link to a detailed write-up are given; material for the remaining vulnerabilities is still being collected and improved. The relevant descriptions can also be viewed in the "Security Summary" and "Security Vulnerabilities" sections of this website.
Version 3.0 provides a simple plug-in development kit so that users with a programming background can write their own X-Scan plug-ins or port already-debugged code into them. Translation of the Nessus attack scripts has also begun, and everyone interested in network security is welcome to take part. Those who want the source code of the Nessus attack script engine, the X-Scan plug-in SDK or the sample plug-in source, or who wish to help with script translation, can find details via the "X-Scan" project link on this site: "/projects/X-Scan/index.html".
III. Files:
xscan_gui.exe - X-Scan graphical interface main program
xscan.exe - X-Scan command-line main program
checkhost.exe - plug-in dispatcher main program
update.exe - online upgrade main program
*.dll - dynamic link libraries required by the main programs
使用说明.txt - X-Scan user manual
/dat/language.ini - multi-language configuration file; the language is switched by setting "Language\Selected"
/dat/language.* - multi-language data files
/dat/config.ini - user configuration file; stores the list of ports to detect, the settings for CGI vulnerability detection, and the names (with relative paths) of all dictionary files
/dat/config.bak - backup of the configuration file, used to restore the original settings
/dat/cgi.lst - CGI vulnerability list
/dat/IIS_code.ini - IIS encoding vulnerability list
/dat/port.ini - service names of known ports
/dat/*_user.dic - user name dictionary files, used for weak-password detection
/dat/*_pass.dic - password dictionary files, used for weak-password detection
/dat/p0f*.fp - operating system fingerprint files used for passive identification of the remote host's operating system
/dat/nmap-OS-fingerprints - operating system fingerprint file used for active identification of the remote host's operating system
/dat/wry.dll - "IP - geographical location" address lookup database file
/dat/*.nsl - sorted lists of NASL scripts
/plugins - stores all plug-ins (suffix .xpn)
/scripts - stores all NASL scripts (suffix .nasl)
/scripts/desc - stores the multilingual descriptions of all NASL scripts (suffix .desc)
Note: xscan_gui.exe and xscan.exe share all plug-ins and data files, but there is no dependency between them; each runs independently.
IV. Preparation:
X-Scan is completely free software and needs neither registration nor installation: it runs directly after decompression, and the WinPCap driver is checked for and installed automatically.
V. Graphical interface settings:
"Basic Settings" page:
"Specify IP range" - enter a single IP address or domain name, or IP ranges using "-" and "," as separators, for example "192.168.0.1-192.168.
"Get host list from file" - when this box is checked, the addresses of the hosts to be scanned are read from a file. The file must be plain text; each line may contain a single IP address or domain name, or IP ranges separated by "-" and ",".
"Report file" - file name of the report generated after the scan; it is saved in the log directory.
"Report file type" - currently TXT and HTML are supported.
"Automatically generate and display the report after scanning" - as the name says.
"Save host list" - when this box is checked, hosts found alive during the scan are automatically recorded in the list file.
"List file" - file name used to save the host list; it is saved in the log directory.
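The target syntax above ("-" for a range, "," between entries, one entry per line in a host-list file) is the same one the "-host" and "-file" command-line parameters take. The following Python parser is an added example for this manual, not X-Scan's own code: it expands that syntax into individual targets, keeps a host name that happens to contain "-" from being mistaken for a range, and caps the size of a single range so a mistyped end address cannot silently turn a small scan into a scan of millions of hosts. The "#" comment lines and the range cap are assumptions of this example; the manual documents neither.

```python
import ipaddress
from typing import List, Optional

# Constructed sample host-list file in the format the manual describes:
# one entry per line, each a single address or host name, or IP ranges
# joined with "-" and separated by ",". (The "#" comment line is an
# assumption of this example, not a feature the manual documents.)
SAMPLE_HOST_LIST = """\
# constructed sample; not real scan targets
192.168.0.1-192.168.0.5
10.0.0.1, 10.0.0.9-10.0.0.10
scan-target.example
"""

# Defensive cap added here (assumption: X-Scan itself documents no such limit).
# A typo such as "1.0.0.0-255.255.255.255" would otherwise expand to the
# whole IPv4 space.
MAX_HOSTS_PER_RANGE = 65536


def _as_ipv4(text: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4Address for text, or None if it is not a dotted quad."""
    try:
        return ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        return None


def expand_item(item: str) -> List[str]:
    """Expand one comma-free item: an address, a host name, or "start-end"."""
    item = item.strip()
    if "-" in item:
        start, end = item.split("-", 1)
        a, b = _as_ipv4(start), _as_ipv4(end)
        if a is not None and b is not None:
            if b < a:
                raise ValueError(f"range end {end.strip()} precedes start {start.strip()}")
            count = int(b) - int(a) + 1
            if count > MAX_HOSTS_PER_RANGE:
                raise ValueError(f"range {item} expands to {count} hosts")
            return [str(ipaddress.IPv4Address(n)) for n in range(int(a), int(b) + 1)]
        # Not two addresses around the "-": a host name such as "my-host.example".
    return [item]


def parse_target_spec(spec: str) -> List[str]:
    """Expand an X-Scan style target spec ("a, b-c, name") into individual targets."""
    targets: List[str] = []
    for item in spec.split(","):
        if item.strip():
            targets.extend(expand_item(item))
    return targets


def parse_host_list(text: str) -> List[str]:
    """Expand every non-empty line of a host-list file, in order, without duplicates."""
    seen = set()
    hosts: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for host in parse_target_spec(line):
            if host not in seen:
                seen.add(host)
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    for host in parse_host_list(SAMPLE_HOST_LIST):
        print(host)
```

Running the block prints the nine targets the constructed file expands to. The range cap is worth keeping in any wrapper that feeds a scanner from user-supplied input: an oversized range is far more often a typo than an intention, and rejecting it early costs nothing.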
"Advanced Settings" page:
"Maximum concurrent threads" - the maximum number of scanning threads that may be started during a scan.
"Maximum concurrent hosts" - the number of hosts that can be scanned at the same time; one CheckHost process is started for each host being scanned.
"Show detailed progress" - the detailed scanning process is shown in the general information bar of the main window.
"Skip unresponsive hosts" - when X-Scan runs on NT4.0 it can only probe the target host with ICMP ping; on Windows 2000 or later, if it has administrator rights, it can also determine whether a host is alive with a TCP ping.
"Skip hosts with no open ports detected" - if no open port is found within the TCP port range specified by the user, the remaining checks for that host are skipped.
"Unconditional scan" - as the name says.
"Port Settings" page:
"Ports to detect" - enter the TCP port ranges, separated by "-" and ",".
"Detection mode" - currently two modes are supported: TCP full connect and SYN half-open scanning.
"Identify the service from the response" - the service behind a port is inferred from the data the port returns.
"Actively identify the operating system type" - after port scanning, the target operating system is identified with the NMAP TCP/IP stack fingerprinting method.
"Preset well-known service ports" - as the name says.
"SNMP Settings" page:
All options are as their names say.
"NETBIOS Settings" page:
All options are as their names say.
"NASL Settings" page:
"Attack script list" - since the script directory now contains more than 3,000 scripts, you can customize the script list; in batch scans, selecting only high-risk vulnerabilities speeds up the scan.
"Select all" - check this box to select all NASL scripts.
"Select scripts" - opens the script selection window, where the script list can be customized by risk level, detection method, vulnerability type and other categories.
"Script run timeout (seconds)" - the maximum time a script may run; after it expires the script is forcibly terminated.
"Network read timeout (seconds)" - the maximum time a single read on a TCP connection may take; data arriving after the timeout is ignored.
"Skip destructive scripts for the host" - as the name says.
"Check dependencies between scripts" - NASL scripts depend on one another: for example, one script first obtains the service version and another runs further tests based on that version. Running scripts out of order may affect the scan results, but it also saves scanning time because scripts do not have to wait for each other.
"Run destructive scripts for a service in sequence" - if one script is performing a denial-of-service test against a service while another is gathering information about the same service, or others are attempting to overflow it at the same time, the scan results will be wrong. If scripts do not have to wait for each other, however, scanning time is saved.
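The two options above are a scheduling trade-off: honouring dependencies (and isolating destructive scripts) costs concurrency, ignoring them costs accuracy. The following Python model is an added example, not X-Scan's or Nessus's scheduler; it shows how such a scheduler can turn a dependency graph into "waves" of scripts that may run concurrently, report a dependency cycle instead of looping, and then pull destructive scripts out into waves of their own. The script names and the dependency declarations are constructed for this example, loosely modelled on NASL's script_dependencies() mechanism.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample dependency graph: script name -> scripts that must run
# first. The names are made up for this example; they are not real X-Scan
# or Nessus scripts.
SAMPLE_DEPENDENCIES: Dict[str, List[str]] = {
    "find_service": [],
    "http_version": ["find_service"],
    "ftp_version": ["find_service"],
    "cgi_check_a": ["http_version"],
    "cgi_check_b": ["http_version"],
    "http_dos_probe": ["http_version"],
    "ftp_anon_write": ["ftp_version"],
}

# Scripts flagged as destructive (denial-of-service or overflow attempts).
SAMPLE_DESTRUCTIVE: Set[str] = {"http_dos_probe"}


def schedule_waves(deps: Dict[str, List[str]]) -> List[List[str]]:
    """Order scripts so every dependency runs in an earlier wave (Kahn's algorithm).

    Scripts in the same wave have all their prerequisites satisfied and may
    run concurrently; this is what "check dependencies between scripts" buys.
    A cycle makes a schedule impossible and is reported as an error.
    """
    indegree = {name: 0 for name in deps}
    dependents = defaultdict(list)
    for name, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise KeyError(f"{name} depends on unknown script {need}")
            indegree[name] += 1
            dependents[need].append(name)

    waves: List[List[str]] = []
    ready = sorted(name for name, n in indegree.items() if n == 0)
    scheduled = 0
    while ready:
        waves.append(ready)
        scheduled += len(ready)
        next_ready = []
        for name in ready:
            for child in dependents[name]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    next_ready.append(child)
        ready = sorted(next_ready)

    if scheduled != len(deps):
        stuck = sorted(name for name, n in indegree.items() if n > 0)
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return waves


def schedule_unordered(deps: Dict[str, List[str]]) -> List[List[str]]:
    """With dependency checking off everything is one wave: fastest, but a
    script may run before the data it relies on has been collected."""
    return [sorted(deps)]


def serialize_destructive(waves: List[List[str]], destructive: Set[str]) -> List[List[str]]:
    """Give each destructive script a wave of its own so nothing else probes
    the service while it is being knocked over ("run destructive scripts in
    sequence")."""
    out: List[List[str]] = []
    for wave in waves:
        safe = [s for s in wave if s not in destructive]
        if safe:
            out.append(safe)
        for s in wave:
            if s in destructive:
                out.append([s])
    return out


if __name__ == "__main__":
    plan = serialize_destructive(schedule_waves(SAMPLE_DEPENDENCIES), SAMPLE_DESTRUCTIVE)
    for i, wave in enumerate(plan):
        print(f"wave {i}: {', '.join(wave)}")
```

With the sample graph the dependency-aware plan needs four sequential waves where the unordered plan needs one, which is the time cost the manual refers to; the price of the unordered plan is that "cgi_check_a" may run before "http_version" has learned anything about the service.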
"Network Settings" page:
"Network adapter" - select the appropriate network adapter so that the WinPCap driver can capture the corresponding packets; otherwise the results of NASL scripts that rely on data received through the WinPCap driver may be lost, and NMAP-style operating system identification may also be affected. Dial-up users should select "\Device\Packet_NdisWanIp".
"CGI Settings" page:
"CGI encoding scheme" - as the name says (the schemes are explained under the command-line parameters).
"Dictionary Files" page:
Set the password dictionary file corresponding to each service.
VI. Command-line parameters:
1. Command format: xscan -host <IP range> <test items> [other options]
                   xscan -file <host list file name> <test items> [other options]
Test items:
-active: detect whether the target host is alive
-os: detect the remote operating system type (via the NETBIOS and SNMP protocols)
-port: detect the status of common service ports
-ftp: detect FTP weak passwords
-pub: detect whether anonymous FTP users have write permission
-pop3: detect POP3 server weak passwords
-smtp: detect SMTP server vulnerabilities
-sql: detect SQL Server weak passwords
-smb: detect NT server weak passwords
-iis: detect IIS encoding/decoding vulnerabilities
-cgi: detect CGI vulnerabilities
-nasl: load the Nessus attack scripts
-all: detect all of the above
Other options:
-i <adapter number>: set the network adapter; adapter numbers are listed by the "-l" option
-l: list all network adapters
-v: show detailed scanning progress
-p: skip unresponsive hosts
-o: skip hosts with no open ports detected
-t <concurrent threads>[,<concurrent hosts>]: maximum number of concurrent threads and of concurrent hosts; the defaults are 100 and 10
-log <file name>: file name of the scan report, with a TXT or HTML suffix
* Meaning of the "encoding scheme" numbers in the -cgi and -iis parameters:
1. Replace "GET" with "HEAD"
2. Replace "GET" with "POST"
3. Replace "GET" with "GET /HTTP/1.0\r\nHeader:"
4. Replace "GET" with "GET /[file name]?Param=" ([file name] is set by "CGI-ENCODE\encode4_index_file" in the \dat\config.ini file)
5. Replace "GET" with "GET %00"
6. Multiple "/" or "\"
7. Interchange "/" and "\"
8. Use "
Note: schemes that do not conflict may all be used at the same time. For example, "-cgi 1,6,8" means the HTTP request is mutated with schemes 1, 6 and 8 together.
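Each scheme in this list changes the bytes on the wire without changing which path the server ends up evaluating, so a detection rule that compares the request line literally sees a different probe every time. The Python canonicalizer below is an added example written from the detection side; it is not part of X-Scan or of this manual. It reduces a request to the set of paths it can effectively reach (the request-target, any path-like query value as in scheme 4, and any path-like header value as in scheme 3) and ignores the method (schemes 1 and 2), so a signature matches all the listed forms at once. The sample requests and the signature path are constructed for this example; resolving "." and ".." segments goes beyond the listed schemes but is a standard canonicalization step.

```python
import posixpath
import re
from typing import Set
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/test.cgi"  # constructed path a detection rule looks for

# Constructed sample requests, one per mutation scheme listed above plus the
# unmodified form. They are built for this example, not captured traffic.
SAMPLE_REQUESTS = [
    ("plain",   "GET /cgi-bin/test.cgi HTTP/1.0\r\nHost: target\r\n\r\n"),
    ("scheme1", "HEAD /cgi-bin/test.cgi HTTP/1.0\r\nHost: target\r\n\r\n"),
    ("scheme2", "POST /cgi-bin/test.cgi HTTP/1.0\r\nHost: target\r\n\r\n"),
    ("scheme3", "GET / HTTP/1.0\r\nHeader: /cgi-bin/test.cgi HTTP/1.0\r\nHost: target\r\n\r\n"),
    ("scheme4", "GET /index.html?Param=/cgi-bin/test.cgi HTTP/1.0\r\nHost: target\r\n\r\n"),
    ("scheme5", "GET %00/cgi-bin/test.cgi HTTP/1.0\r\nHost: target\r\n\r\n"),
    ("scheme6", "GET //cgi-bin///test.cgi HTTP/1.0\r\nHost: target\r\n\r\n"),
    ("scheme7", "GET \\cgi-bin\\test.cgi HTTP/1.0\r\nHost: target\r\n\r\n"),
]


def canonicalize_path(raw: str) -> str:
    """Reduce a request-target to one canonical form before signature matching."""
    path = unquote(raw)                 # "%2f", "%00", ... become literal characters
    path = path.split("?", 1)[0]        # the query string is examined separately
    path = path.replace("\x00", "")     # drop NUL bytes (scheme 5)
    path = path.replace("\\", "/")      # "\" is a separator on Windows (scheme 7)
    path = re.sub(r"/{2,}", "/", path)  # collapse repeated separators (scheme 6)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)     # resolve "." and ".." segments


def _pathlike(value: str) -> bool:
    return value.startswith(("/", "\\"))


def canonical_paths(raw_request: str) -> Set[str]:
    """Every place the probed path can hide: the request-target, query values
    (scheme 4) and header values (scheme 3). The method is deliberately
    ignored (schemes 1 and 2)."""
    lines = raw_request.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    target = parts[1]
    paths = {canonicalize_path(target)}
    if "?" in target:
        for pair in target.split("?", 1)[1].split("&"):
            value = unquote(pair.split("=", 1)[1]) if "=" in pair else ""
            if _pathlike(value):
                paths.add(canonicalize_path(value))
    for line in lines[1:]:
        if ":" not in line:
            continue  # the blank line ends the headers; the body is not parsed here
        first_token = line.split(":", 1)[1].strip().split(" ", 1)[0]
        if _pathlike(first_token):
            paths.add(canonicalize_path(first_token))
    return paths


def naive_match(raw_request: str, signature: str) -> bool:
    """A literal request-line signature, the kind these schemes slip past."""
    return raw_request.startswith(f"GET {signature} ")


def matches_signature(raw_request: str, signature: str) -> bool:
    """Canonicalized matching: true for every mutated form of the same probe."""
    return canonicalize_path(signature) in canonical_paths(raw_request)


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS:
        print(f"{label:8} naive={naive_match(raw, SIGNATURE)!s:5} "
              f"canonical={matches_signature(raw, SIGNATURE)}")
```

Over the eight constructed requests the literal rule fires once and the canonicalized rule fires every time. The same canonicalization belongs in front of any path-based allow list or IDS signature on the server side, which is also the reason a scanner tries these mutations in the first place: a filter that does not canonicalize is a filter that can be walked around.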
2. Examples:
xscan -host XXX.XXX.1.1-XXX.XXX.255.255 -all -active -p
Meaning: detect all vulnerabilities on the hosts in XXX.XXX.1.1-XXX.XXX.255.255, skipping unresponsive hosts.
xscan -host XXX.XXX.1.1-XXX.XXX.255.255 -port -smb -t 150 -o
Meaning: detect the standard port status and NT weak-password users of the hosts in the XXX.XXX.1.1-XXX.XXX.255.255 segment, with at most 150 concurrent threads, skipping hosts with no open ports detected.
xscan -file hostlist.txt -port -cgi -t 200,5 -v -o
Meaning: detect the standard port status and CGI vulnerabilities of all hosts listed in the "hostlist.txt" file, with at most 200 concurrent threads and at most 5 hosts scanned at the same time, showing detailed progress and skipping hosts with no open ports detected.
VII. Frequently asked questions:
Q: Can X-Scan scan normally if the WinPCap driver is not installed?
A: If the WinPCap driver is not present on the system, WinPCap 2.3 is installed automatically when X-Scan starts; if a later version of WinPCap is already installed, X-Scan uses the existing one. "WinPCap 3.1 beta" has a bug that can make the X-Scan scanning process behave abnormally, so "WinPCap 2.3" is recommended.
Q: Why do 10 checkhost.exe processes appear at the same time when scanning a subnet?
A: A separate checkhost.exe process is started for each host being scanned and exits automatically when that host is done. The number of concurrent hosts can be set in the settings window of the graphical interface, or with the "-t" parameter of the command-line program.
Q: Why does the machine suddenly blue-screen and restart during a scan?
A: The system may blue-screen during scanning because the drivers of AtGuard, Skynet and other firewalls can mishandle unusual packets and crash the system. In addition, many firewall drivers conflict with the WinPCap driver. Disable or uninstall the firewall program and try again.
Q: Why is the operating system identified incorrectly?
A: Operating system identification cannot be 100% accurate. At present it is based on the NMAP and P0F fingerprint databases, NETBIOS information and SNMP information. If the target does not expose NETBIOS or SNMP and its TCP/IP stack fingerprint is not in the database, the user has to judge from other information.
Q: Why did X-Scan use "TCP" mode for port scanning, and skip passive operating system identification, even though I selected "SYN" mode?
A: SYN port scanning and passive operating system identification are not available on NT4. On Windows 2000 and later they require administrator rights; without them, X-Scan automatically falls back to TCP mode for port scanning.
Q: Is the new version compatible with version 2.3 plug-ins?
A: The plug-in interface of X-Scan 3.0 was changed slightly and is not compatible with plug-ins written for 2.3 and earlier; their original authors need to adapt them. Version 3.0 ships a simple development library, and writing a plug-in is much simpler than it was for version 2.3.
Q: What exactly does "skip unresponsive hosts" mean in X-Scan 3.0?
A: Detecting live hosts is done by the CheckActive plug-in. On NT4.0 X-Scan can only probe the target host with ICMP ping; on Windows 2000 or later, with administrator rights, it can also determine whether a host is alive with a TCP ping.
Q: I see many Nessus scripts in the scripts directory. Can I download the latest plug-ins from the Nessus website and extract them into the scripts directory to scan for the latest vulnerabilities?
A: X-Scan has ported the Nessus NASL engine, currently at the level of Nessus 2.0.10a. Any script supported by that version of Nessus can therefore be copied into the scripts directory and loaded. To have it run, either clear the "Attack script list" box on the "NASL Settings" page of the settings window, or add the new script to the list through "Select scripts".
Q: The coverage of X-Scan's weak-password plug-ins is very limited. Can I add other accounts or passwords to test?
A: The password dictionary bundled with X-Scan is only a simple demonstration. Users who want stronger password guessing can edit the password dictionary files themselves.
Q: Why are so many NASL scan results in English, and will they be translated into Chinese?
A: There are currently nearly 2,000 NASL scripts, most of them in English. The material awaiting translation is listed under X-Scan in the "Focus Projects" section of this website, and everyone is welcome to help. Translations that pass review are added directly to the online upgrade library for everyone to download.
Q: How do I pause or stop a scan when using xscan.exe in command-line mode?
A: During a command-line scan, press [Space] to show the status and progress of each thread, [Enter] to pause or resume the scan, "Q" to save the current data and exit early, and <Ctrl+C> to force the program to quit.
Q: What is wry.dll in the dat directory for?
A: wry.dll is the address lookup database of the Zhuibu ("Chasing") software, used with its author's permission to look up geographical locations in the Chinese version of X-Scan. Thanks go to the author of Zhuibu and to everyone who contributed to building that database. Compatibility with future Zhuibu databases was not considered, so there is no guarantee that later versions will work. As long as the Zhuibu database file format has not changed, a newer "wry.dll" can be copied into the dat directory over the old one; back up the old file before overwriting it.
Q: How do I install X-Scan? Do I need to register?
A: X-Scan is completely free software and needs neither registration nor installation: it runs directly after decompression, and the WinPCap driver is installed automatically.
VIII. Release history:
X-Scan v3.1 - release date: 03/25/2004. Modified the "live host" plug-in, added the SNMP and NETBIOS plug-ins from version 2.3, and optimized the main program and the NASL library.
X-Scan v3.02 - release date: 03/08/2004. "WinPCap 3.1 beta" has a bug that can make CheckHost.exe fail, so X-Scan switched to "WinPCap 2.3"; it is recommended to uninstall "WinPCap 3.1 beta" before scanning with X-Scan.
X-Scan v3.0 - release date: 03/01/2004. Fixed known bugs from the beta, optimized the main program and all plug-ins, and upgraded the NASL library to support all NASL scripts up to version 2.0.10a; provided a simple development package to make plug-in development easier for others; other plug-ins are under development.
Thanks to Wu Xiu and Gaga for helping select the NASL script list, and to san for writing the pages that support the X-Scan project. Thanks again to all the friends on the Security Focus forum who contributed excellent ideas and helped with testing.
X-Scan v3.0 (beta) - release date: 12/30/2003. Adjusted the structure of the main program, added the ported NASL plug-in with support for all NASL scripts up to version 2.0.9; made several changes to the plug-in interface to make plug-in development easier for others; strengthened remote operating system identification and removed some plug-ins whose work can be done by scripts.
Thanks to isno and Enfis for providing excellent plug-ins, to Wu Xiu and Gaga for helping select the NASL script list, and to the other friends who contributed ideas and helped with testing.
X-Scan v2.3 - release date: 09/29/2002. Added an SSL plug-in to detect SSL vulnerabilities; upgraded the port, HTTP and IIS plug-ins; upgraded the graphical interface and made minor adjustments to its style.
Thanks to ilsy for providing excellent plug-ins.
X-Scan v2.2 - release date: 09/12/2002. Fixed a thread synchronization bug in the port plug-in; fixed a character display bug in the RPC plug-in; expanded the RPC vulnerability database; adjusted the style of the scan result index file.
Thanks to Xundi, Guagua and Stardust for collecting and organizing the vulnerability database.
X-Scan v2.1 - release date: 09/08/2002. Made the scan items of the SNMP plug-in optional; linked the "vulnerability description" in the HTTP, IIS and RPC plug-ins to the vulnerability library compiled by Xundi; fixed known bugs from versions before 2.0.
X-Scan v2.0 - release date: 08/07/2002. Added plug-ins for routing information and SNMP information detection; upgraded the NETBIOS plug-in with remote registry information detection; upgraded the IIS plug-in with IIS .ASP vulnerability detection; made minor changes to the plug-in interface; updated the graphical interface and added the "online upgrade" function; expanded the CGI vulnerability database; fixed known bugs from versions before 1.3.
Thanks to Gaga, Stardust, Sinister, Ilsey, Santa, Bingel and kasper for providing valuable information or excellent plug-ins, to Xundi and e4gle for helping with testing, and to all the friends who wrote in with suggestions.
X-Scan v1.3 - release date: 12/1/2001. Fixed the remote operating system identification bug in the port plug-in.
X-Scan v1.2 - release date: 12/02/2001. Upgraded the HTTP and IIS plug-ins to recognize HTTP redirection error pages; upgraded the port plug-in to fall back to standard TCP connections for open-port detection when a raw socket cannot be created.
X-Scan v1.1 - release date: 11/25/2001. Moved all detection functions into plug-ins, making the main program purely a "container"; added multi-language support; updated the graphical interface; changed the multithreading model so that all plug-ins share the maximum thread count, speeding up concurrent detection; added SMTP and POP3 user weak-password detection; added IIS UTF encoding vulnerability detection; expanded the CGI vulnerability list.
Thanks to Xundi, Gaga, kasper, Wolff, Cheng Huang and other friends for valuable information, and to Echo, Lily and other friends for helping with testing. Thanks again to Xundi and Guagua for their heavy manual labour, tears streaming down their faces......
X-Scan v1.0 (beta) - release date: 07/12/2001. Added identification of the remote operating system type and version; added lookup of the remote host's geographical location; added detection of the IIS ".ida/.idq" vulnerability to the "-iis" option and updated the vulnerability descriptions; allowed a port range to be specified for the "-port" parameter (by editing "[port-list]\port=" in "dat\config.ini"); allowed the "%" wildcard in the password dictionary for the "-ntpass" parameter to stand for every user name; updated the CGI vulnerability list, classified CGI vulnerabilities, and scan only for the CGI vulnerabilities matching the remote host's system type to speed up scanning.
Thanks to Shuiyun, author of the Tianyan software, for providing the "passive remote operating system identification" module; to Feng Zhihong, author of the Zhuibu ("Chasing") software, for providing the "IP - geographical location" database; and to Gaga for vulnerability information, program information, countless valuable suggestions, feelings and ......
X-Scanner v0.61 - release date: 05/17/2001. Added detection of the IIS CGI file name double-decoding vulnerability to the "-iis" option.
X-Scanner v0.6 - release date: 05/15/2001. Added the "-iis" parameter, dedicated to scanning for the Unicode and remote ".printer overflow" vulnerabilities of IIS servers; updated the vulnerability descriptions; adjusted the CGI scan timeout to avoid "incomplete scans" caused by timeouts; to prevent the "RedV" plug-in from being misused, its function of automatically changing the home page was replaced by automatically uploading a text file containing a warning to the "C:\" directory.
X-Scanner v0.5 - release date: 04/30/2001. Revised the command-line parameters to make them more intuitive; expanded the CGI vulnerability database; extended NT weak-password scanning to let users supply user name and password dictionaries; added plug-in support and published the plug-in interface.
Thanks to "Santa Claus" and "Colossus" for providing plug-ins.
X-Scanner v0.42b - release date: 03/07/2001. Fixed a bug where the "-b" option caused a system overflow under certain conditions.
X-Scanner v0.42 - release date: 03/02/2001. Allowed users to extend the SQL Server accounts scanned instead of only checking for an empty "sa" password.
X-Scanner v0.41 - release date: 02/19/2001. Fixed the FTP weak-password detection bug of the previous version; re-optimized the code and merged xscan.exe with xscan98.
X-Scanner v0.4 - release date: 02/15/2001. Added scanning of the default SQL Server "sa" account; after fully appreciating how lazy some people are, I put together a temporary, foolproof graphical interface (every operation is chosen by number).
X-Scanner v0.31 - release date: 01/17/2001. Slightly adjusted the port scanning mode and output file format; expanded Unicode decoding vulnerability detection; provided a Win98 version and a simple CGI list maintenance tool.
X-Scanner v0.3 - release date: 12/27/2000. Added a thread timeout limit; added proxy support; expanded the CGI vulnerability library with detection and descriptions of Unicode decoding vulnerabilities; fixed a memory leak. Internal beta.
X-Scanner v0.2 - release date: 12/02/2000. Internal beta.
IX. Afterword:
X-Scan is completely free software. Its vulnerability data and overall functionality still have serious gaps, and because of limited time and environment, testing of the various functions is not thorough enough. X-Scan can only get better if friends actively contribute information and put forward their own suggestions and ideas. You are welcome to write to us or visit our website to join the exchange.
Thanks to all members of the Security Focus and uid0 teams and some former members of DarkSun for their support; I also apologize for the limits of my own abilities. - glacier_at_xfocus_dot_org
_____________________________________________________________________
If you have questions or suggestions, or find errors while using X-Scan, please e-mail: xscan_at_xfocus_dot_org.
Copyright: Security Focus (http://www.xfocus.org)