From Syhunt Web Application Security Docs

SyhuntHybrid4: Syhunt Mini

SyMiniCS (formerly SandcatCS) is the console version of the Syhunt scanner and is included with the latest release of Syhunt Dynamic, Code or Hybrid.

Just run the program, which is located in the installation directory of the Syhunt Suite, with no parameters to see usage instructions. This page also contains specific information about the SyMiniCS command-line utility.


Download Information

SyMiniCS.exe is included with the latest release of Syhunt Suite. It is located in the installation directory of the suite.

Syhunt Suite is available for download at:

Please note that this version is only available for registered users.

System Requirements

  1. 512 MB of memory
  2. 200 MB of free disk space
  3. Internet connection (optional for remote scanning)
  4. Windows XP, 2003, 2008, Vista or 7.
  5. As a user of a more recent Windows version you may need to be logged in with full administration rights


Supported Commands (Version 4.5)

Note: If you are using Syhunt Mini (the free edition of SyMiniCS), some options listed on this page may not be available to you.

Usage: SyMiniCS [target] [optional params]
    SyMiniCS -hl:Hosts.lst
    (if a port is not specified, 80 will be assigned.)

Optional parameters:
-sn:[session name]  (if not used, "[unixtime]-[target]" will be assigned)
-hm:[method name]   Hunt Method (if not used, "compndos" will be assigned
    Available Methods:
    appscan   (or as)   Web Application Scan; Gray Box
    structbf  (or sbf)  Web Structure Brute Force; Black Box
    codescan  (or cs)   Source Code Scan; White Box
    phptop5             OWASP PHP Top 5; Gray Box
    faultinj  (or fi)   Fault Injection; Gray Box
    sqlinj    (or sqli) SQL & NoSQL Injection; Gray Box
    xss                 Cross-Site Scripting; Gray Box
    servscan  (or ss)   Common Web Server Scan; Black Box
    top20     (or t20)  SANS Top 20; Black Box
    spider    (or spd)  Spider Only
    complete  (or cmp)  Complete Scan; Gray Box
    compnodos (or cnd)  Complete Scan, No DoS; Gray Box
    comppnoid (or cpn)  Complete Scan, Paranoid; Gray box

-emu:[browser name] Browser Emulation Mode (default: msie)
    Available Modes:
    chrome    (or c)    Google Chrome
    firefox   (or ff)   Mozilla Firefox
    msie      (or ie)   Internet Explorer
    opera     (or o)    Opera
    safari    (or s)    Safari

-gr                 Generates a report after scanning
-rtpl:[name]        Sets the report template (default: Standard)
    Available Templates: Standard, Compliance, Complete
-rout:[filename]    Sets the report output filename and format (default: Report_[session name].html)
    Available Formats: html, pdf, doc, rtf, txt, xml

-hl:[filename]      Loads the target hosts from a text file
-hmax:[n]           Sets the maximum number of host threads (default: 10)
-hseq               Enables the sequential host scan mode (disables multi-threaded host scans)

-surl:[path]        Sets a Start URL (eg. /index.php, if not used "/" will be assigned)
-uf                 Ultra fast scan
-mnt:[n]            Sets the maximum number of HTTP threads/requests (default: 14, 4 when -hl is used)
-mnl:[n]            Sets the maximum number of links per server (default: 10000)
-mnr:[n]            Sets the maximum number of retries (default: 2)
-maxdepth:[n]       Sets the maximum crawling depth (default: unlimited)
-tmo:[ms]           Sets the timeout time (default: 8000)
-bb                 Enables the Sandcat WebDiver Browser Bot (Beta)
-def                Loads the default settings (ignores the settings from the current Syhunt installation)
-rls                Remembers the last web structure of the scanned host
-ver:[v]            Sets the HTTP Version (default: 1.1)
-srcdir:[local dir] Sets a Target Code Folder (eg. "C:\www\docs\")
-evid               Enables the IDS Evasion
-evaf               Enables the WAF Evasion

Other parameters:
-nomt               Disables multi-threaded requests
-nomc               Disables multi-core support
-nort               Disables request retries (in case of timeout)
-nojs               Disables JavaScript emulation and execution
-noea               Disables e-mail alerts
-nojava             Disables Java
-noplg              Disables plugins (such as Flash and Silverlight)
-nogz               Disables GZIP compression support
-noka               Disables Keep-Alive
-nodos              Disables Denial-of-Service tests
-noifa              Disables input filtering analysis during code scan
-noaxf              Disables advanced XSS false positive filters
-user:[username]    Sets a username for basic server authentication
-pass:[password]    Sets a password for basic server authentication
-wuser:[username]   Sets a username for web form authentication
-wpass:[password]   Sets a password for web form authentication
-clses              Clears all Syhunt sessions from the current Syhunt installation (asks confirmation)
-about              Displays information on the current version of Syhunt
-help (or /?)       Displays this list

For detailed information about scan methods, see the Hunt Methods page.

Scanning IPv6 addresses

SyMiniCS fully supports the scanning of IPv6 addresses. To scan an IPv6 target, enclose the address in square brackets, eg:

SyMiniCS [2001:4860:0:2001::68]


SyMiniCS now supports multi-process and multi-threaded host scans. Learn below how to use this functionality.

Multi-Threaded Scans

In order to perform a multi-threaded host scan you need to use the -hl parameter. Examples:

 SyMiniCS -hl:Hosts.lst
 SyMiniCS -hl:Hosts.lst -hm:xss -sn:AnyName

Host list files must have one target host per line. Example:

Optional: The -hmax parameter allows to set the maximum number of host threads (default is 10). Example:

 SyMiniCS -hl:Hosts.lst -hmax:5

In this example, 5 hosts will be scanned, hosts in excess will be on queue

Sequential Scans

The -hseq parameter enables the sequential host scan mode (disables multi-threaded host scans).

Session Management

Syhunt Suite includes a new utility (SesmanCS.exe) to pause/unpause, list and stop SyMiniCS sessions. The supported commands are listed below.

Supported Commands

Usage Examples:
    SesmanCS -pa
    SesmanCS -p:CustomerX

Available parameters:
-p:[session name]   Pauses a session
-u:[session name]   Unpauses a session
-s:[session name]   Stops a session
-lai                Lists all sessions (active and inactive)
-la                 Lists active sessions
-pa                 Pauses active sessions
-ua                 Unpauses active sessions
-sa                 Stops active sessions
-help (or /?)       Displays this list


SyMiniCS reports are automatically generated and saved if the -gr parameter is provided.

You can also open the session with the main Syhunt Suite UI by calling:

 SySuite.exe -s:[session name]

Or by launching Syhunt Suite, and using the menu File -> Load session... option.


What is the correct command line syntax to do a code scan?

Q: I'm using SyMiniCS -hm:cs -srcdir:"C:\Inetpub\wwwroot\aaa" to do code scan, but it is not working. What is the correct command line syntax to do a code scan?

It is still necessary to provide a host address as reference (no connections to the target host will be made). Example:

 SyMiniCS.exe -hm:cs -srcdir:"C:\Inetpub\wwwroot\aaa"
Retrieved from
Page last modified on December 06, 2013, at 02:30 AM