Differences between Hunt Methods

| Hunt Method | CLI name | Type | Brute | Injection | DoS | Time-Con. | Target | Triple Chk. |
|---|---|---|---|---|---|---|---|---|
| Web Application Scan | appscan (AKA normal) | | N | Y | P(***) | N | A,AS,SS | N |
| Web Structure Brute Force | structbf | | Y (Deep) | N | N | Y (Very) | SS | N |
| Old & Backup Files | fileold | | Y | N | N | Y | SS | N |
| Fault Injection | faultinj | | N | Y | P(***) | N | A,AS,SS | N |
| OWASP PHP Top 5 | top5 | | N | P(*) | N | N | A,AS,SS | N |
| Cross-Site Scripting | xss | | N | P (XSS) | N | N | A,AS,SS | N |
| SQL Injection | sqlinj | | N | P (SQL) | N | N | A,AS,SS | N |
| File Inclusion | fileinc | | N | P (FI) | N | N | A,AS,SS | N |
| Unvalidated Redirects | unvredir | | N | P (UR) | N | N | A,AS,SS | N |
| Malware Content | passive | | P (Mal) | P (Mal) | N | N | SS | N |
| Passive | passive | | N | N | N | N | SS | N |
| Spider Only | spider | | N | N | N | N | SS | N |
| Complete Scan, Paranoid | comppnoid | | Y (Deep) | Y | Y | Y (Very) | E | Y |
| Complete Scan | complete | | Y | Y | Y | Y | E | N |
| Complete Scan, No DoS | compnodos | | Y | Y | N | Y | E | N |

Letters: Yes/No/Partial (Y/N/P)
(*) PHP Top 5 scan will only scan for Remote Command Execution, XSS, SQL Injection and File Inclusion flaws
(**) Brute Force will target mainly the root of the web site
(***) Restricted to Buffer Overflows only
Type of Testing
- Gray Box
- White Box
- Black Box
Target
- A - Web Applications
- AS - Web Application's Source
- SS - Entire Site Structure (including Root; Spidering Enabled)
- SR - Site Root (No Spidering, targets mainly the root of the web site)
- SW - Server Software (flaws affecting the HTTPD)
- E - Everything
Time-Consuming
A Yes means that the number of checks will be influenced by the number of directories found during the spidering stage.
Triple Checking
Applies to case-sensitive servers. If enabled, Syhunt will try all file name possibilities (all uppercase, all lowercase, all leading capitals, etc.).
Description
The Complete Scan (No DoS) method is the default scan method in Syhunt. All available scan methods are described below. If you want to use a different scan method, click the Hunt Method button in the standard toolbar. You will be able to select one of the following options:
Common Web Server Scan
Scans for outdated server software, common web server vulnerabilities and exposures. This scan method will not crawl the web site, but looks for vulnerabilities in a very similar way to classic (CGI) scanners.
SANS Top 20
Scans specifically for the SANS Top Twenty List of Critical Network Vulnerabilities.
Web Application Scan
Identifies flaws in custom web applications. This scan method crawls the web site and performs attacks against the web site structure and the web applications. This includes looking for fault injection vulnerabilities such as XSS, SQL Injection, File Inclusion, and more.
Web Structure Brute Force
A structure brute force will check for:
- Common Vulnerable Scripts
- Common File Checks
- Custom File Checks (User File Checks)
- Database Disclosure
- Web-Based Backdoors
The number of checks is influenced by the number of directories found during the spidering stage.
OWASP PHP Top 5
Scans specifically for the OWASP Top Five List of PHP Vulnerabilities.
Fault Injection
Scans specifically for fault injection vulnerabilities. If this scan method is selected, all other checks that do not require injection are disabled and Syhunt will then specifically check for SQL injection, XSS, file inclusion, and similar flaws.
Cross-Site Scripting (XSS)
Scans specifically for XSS vulnerabilities.
SQL Injection
Scans specifically for SQL & NoSQL Injection vulnerabilities.
Complete Scan
Scans for both common web server vulnerabilities and web application vulnerabilities. This is the combination of the common web server scan and the web application scan methods plus some additional checks. A Complete Scan can sometimes be very time-consuming when performed against a web server that has a large quantity of web folders (e.g. 200 or more web folders).
Complete Scan (No DoS)
Same as the Complete Scan, but with denial-of-service tests disabled.
Complete Scan (Paranoid)
Scans for common web server vulnerabilities, web application vulnerabilities and common vulnerable scripts around the site structure. This scan method can be very time-consuming, especially when executed against large web sites.
Important: Syhunt's web application scan is only activated when one of these scan methods is selected: Web Application Scan, PHP Top 5, Fault Injection, SQL Injection, XSS or Complete Scan. All other scan methods do not include application checks/spidering.