Syhunt Hybrid: CLI Scan Tools

The information in this document applies to version 7.0.11.7 of Syhunt Hybrid.

Introduction

Follow along with this guide to learn how to perform a dynamic or code scan and generate a vulnerability report via command-line.

Syhunt's CLI scan tools location depends on the Syhunt version and your OS:

OSDefault Location
WindowsC:\Program Files\Syhunt Hybrid\
C:\Program Files (x86)\Syhunt Hybrid\
C:\Program Files\Syhunt Community Core\
Linux/home/[user]/syhunt-hybrid/carbon/
/home/[user]/syhunt-community/carbon/
macOS/Applications/Syhunt Hybrid Core/carbon
/Applications/Syhunt Community Core/carbon

How to perform a dynamic scan via command-line

  1. Go to the directory Syhunt Hybrid is installed using the command prompt.
  2. Use the following command-line:
 scanurl [starturl] -hm:[a huntmethod]]

 Example:
 scanurl http://www.somehost.com -hm:appscan

Syhunt scanurl tool reports are automatically generated and saved unless the -nr parameter is provided. You can also open the session by launching Syhunt and using the Menu -> Past Sessions option.

The following parameters can be provided when calling the scanurl tool, all of which are optional:

ParameterDescriptionDefault Value
sn:[name]A session name that must be unique. If omitted, an unique ID will be generated and assignedauto generated ID
hm:[name]the Hunt Method to be used during the scan. If omitted, the default method will be usedappscan
emu:[mode]Browser Emulation Mode. Available modes include: chrome, edge, firefox, msie, safarichrome
srcdir:[local dir]Sets a Target Code Folder for a Hybrid Scan (eg. "C:\www\docs\" or "/home/user/www/") 
tk:[trackername]Sends vulnerabilities to a tracker after scanning. Can be combined with the -pfcond parameter 
tk2:[trackername]Same as above 
tk3:[trackername]Same as above 
nrDisables the report generation after scanning 
orOpens report after generation 
rout:[filename]Sets the report output filename and report formatReport_[session name].html
rtpl:[name]Sets the report templateStandard
xout:[filename]Sets the export output filename and report formatExport_[session name].xml
xout2:[filename]Sets a second export output filename and report formatExport_[session name].xml
pfcond:[condition]Sets a pass/fail condition to be reported 
nvTurn off verbose. Error and basic info still gets printed 
inc:[mode]Sets the incremental scan modetargetpref
inctag:[name]Optionally stores the incremental scan data within a tag 
mnl:[n]Sets the maximum number of links per server10000
mnr:[n]Sets the maximum number of retries2
tmo:[ms]Sets the request timeout time8000
tml:[time]Sets the maximum scan time limit (eg: 1d, 3h, 2h30m, 50m)No limit
ver:[v]Sets the HTTP Version1.1
nofrisDisables auto follow off-domain redirect in Start URL 
nodosDisables Denial-of-Service tests 
nojsDisables JavaScript emulation and execution 
atype:[type]Sets the auth type; Basic, Form and Manual 
auser:[username]Sets a username for authentication 
apass:[password]Sets a password for authentication 
aboutDisplays information on the current version of Syhunt 
help (or /?)Displays the list of available parameters 

Scanning IPv6 addresses

Syhunt Dynamic fully supports the scanning of IPv6 addresses. To scan an IPv6 target, remember to enclose the address in square brackets, eg:

http://[2001:4860:0:2001::68]/index.php

How to perform a code scan via command-line

  1. Go to the directory Syhunt is installed using the command prompt.
  2. Use the following command-line:
 scancode [target] -hm:[a huntmethod]]

// Examples:
scancode git://sub.domain.com/repo.git
scancode https://github.com/user/repo.git -rb:master
scancode /source/www/

TFS repositories and local Windows path:


// Local path
scancode c:\source\www\
scancode c:\source\www\file.php
scancode c:\mobile\myapp.apk
scancode "c:\source code\www\"

// TFS repositories
scancode https://dev.azure.com/user/project
scancode https://myserver/tfs/project
scancode collection:https://dev.azure.com/user$/project

Syhunt scancode tool reports are automatically generated and saved unless -nr parameter is provided. You can also open the session by launching Syhunt and using the Menu -> Past Sessions option.

The following parameters can be provided when calling the scancode tool, all of which are optional:

ParameterDescriptionDefault Value
sn:[name]A session name that must be unique. If omitted, an unique ID will be generated and assignedauto generated ID
hm:[name]the Hunt Method to be used during the scan. If omitted, the default method will be usedappscan
rb:[branch]Sets a GIT repository branch 
tfsv:[version]Sets a TFS versiondefault
tk:[trackername]Sends vulnerabilities to a tracker after scanning. Can be combined with the -pfcond parameter 
tk2:[trackername]Same as above 
tk3:[trackername]Same as above 
nrDisables the report generation after scanning 
orOpens report after generation 
rout:[filename]Sets the report output filename and report formatReport_[session name].html
rtpl:[name]Sets the report templateStandard
xout:[filename]Sets the export output filename and report formatExport_[session name].xml
xout2:[filename]Sets a second export output filename and report formatExport_[session name].xml
pfcond:[condition]Sets a pass/fail condition to be reported 
nvTurn off verbose. Error and basic info still gets printed 
inc:[mode]Sets the incremental scan modetargetpref
inctag:[name]Optionally stores the incremental scan data within a tag 
excp:[pathlist]Excludes paths from the analysis (eg: -excp:/path/*,/path2/* 
refurl:[url]Sets an URL associated with the current source code for reference purposes only
noifaDisables input filtering analysis 
tml:[time]Sets the maximum scan time limit (eg: 1d, 3h, 2h30m, 50m)No limit
aboutDisplays information on the current version of Syhunt 
help (or /?)Displays the list of available parameters 

How to perform a breach check via command-line

  1. Go to the directory Syhunt is installed using the command prompt.
  2. Use the following command-line:
 scandark [target] -hm:[a huntmethod]]

// Example:
scandark mydomain.com

Syhunt scandark tool reports are automatically generated and saved unless the -nr parameter is provided. You can also open the session by launching Syhunt and using the Menu -> Past Sessions option.

The following parameters can be provided when calling the scandark tool, all of which are optional:

ParameterDescriptionDefault Value
sn:[name]A session name that must be unique. If omitted, an unique ID will be generated and assignedauto generated ID
hm:[name]the Hunt Method to be used during the scan. If omitted, the default method will be useddarkplus
nrDisables the report generation after scanning 
orOpens report after generation 
erEmails report after generation 
tk:[trackername]Sends breaches to a tracker after scanning. Can be combined with the -pfcond parameter 
tk2:[trackername]Same as above 
tk3:[trackername]Same as above 
rout:[filename]Sets the report output filename and report formatReport_[session name].html
rtpl:[name]Sets the report templateStandard
xout:[filename]Sets the export output filename and report formatExport_[session name].xml
xout2:[filename]Sets a second export output filename and report formatExport_[session name].xml
pfcond:[condition]Sets a pass/fail condition to be reported 
nvTurn off verbose. Error and basic info still gets printed 
tml:[time]Sets the maximum scan time limit (eg: 1d, 3h, 2h30m, 50m)No limit
aboutDisplays information on the current version of Syhunt 
help (or /?)Displays the list of available parameters 

Pass/Fail Conditions

A pass/fail testing condition can be passed to scancode, scanurl or scandark with the -pfcond parameter, The following are the pass/fail conditions currently supported by Syhunt:

  • high or fail-if:risk=high - Fail if a High risk vulnerability or threat is found
  • medium or fail-if:risk=mediumup - Fail if a Medium or High risk vulnerability or threat is found
  • low or fail-if:risk=lowup - Fail if a Low, Medium or High risk vulnerability or threat is found

Incremental Scan Modes & Commands

autoAutomatically manages the incremental scan cache (recommended option)
disabledDisables the incremental scan cache. This will slow down scans, taking 3 to 4 more time to complete
forcedForces the incremental scan to be always enabled. If you run scans with this mode, make sure you have a separate non-forced scan to be run every month or so
targetprefUses the incremental scan mode defined in target preferences

You can reset the incremental scan cache by calling scancore -runcmd:clearinc.

Available Report Formats, Templates & Languages

The following languages are supported:

ENEnglish
DEGerman
ESSpanish
FRFrench
ITItalian
JPJapanese
KRKorean
PTPortuguese

-- Enabling the report translation
scancore -prefset:hybrid.report.defaultlanguage -v:EN

Alternatively, via UI: Go to the Other Hybrid Preferences screen ( -> Preferences -> Other Hybrid Preferences) and select the desired output language.

The following formats are supported:

.htmlHTML report
.pdfAdobe PDF report
.xmlXML export
.jsonJSON vulnerabilities export
.csvCSV (Comma-Separated Values)
.mse.csvCSV (Comma-Separated Values) for MS Excel
.txtText report

The following templates are available:

StandardThis is the standard report with low to high-risk vulnerability information
ComparisonIncludes the standard information plus evolution information about the vulnerabilities
ComplianceIncludes OWASP Top 10, CWE/SANS Top 25 2019 and PCI DSS v3.2.1 compliance information
MobileIncludes OWASP Mobile Top 10, CWE/SANS Top 25 2019 and PCI DSS v3.2.1 compliance information
CompleteIncludes the standard information together with comparison, compliance, request response and coverage details

Differences between Hunt Methods

Hunt MethodCLI nameTypeBrute F.InjectionDoSTime-Con.
Application Scan (Default)appscanYYYN
Application Scan (Server-Side Focused)appscanssYYYN
Structure Brute ForcestructbfY (Deep)NNY (Very)
Old & Backup FilesfileoldYNNY
Fault InjectionfaultinjNYYN
Top 10 (OWASP)top10NP (TOP10)YN
Top 10 Mobile (OWASP)top10mobNP (TOP10MOB)NN
Top 25 (CWE)top25cweNP (TOP25)YN
Top 5 (OWASP PHP)top5phpNP (TOP5)NN
Cross-Site ScriptingxssNP (XSS)NN
SQL InjectionsqlinjNP (SQL)NN
File InclusionfileincNP (FI)NN
Unvalidated RedirectsunvredirNP (UR)NN
Malware ContentmalscanP (Malware)P (Malware)NN
PassivepassiveNNNN
Spider OnlyspiderNNNN
Complete ScancompleteYYYY (Very)
Complete Scan, No DoScompnodosYYNY (Very)
Complete Scan, ParanoidcomppnoidY (Deep)YYY (Very)

Letters: Yes/No/Partial (Y/N/P)

Type of Testing

  • - Hybrid (Gray Box), Dynamic & Code
  • - Dynamic Only (Black Box)
  • - Code Only (White Box)

Time-Consuming

A Yes means that extra checks and attack mutations will be performed and the number of checks will be influenced by the number of directories found during the spidering stage.

Description

The Application Scan method is the default scan method in Syhunt. If you want to use a different scan method, you will be able to select one of the following options:

Application Scan

Identifies flaws in custom web applications, web server software and third-party components. This scan method crawls the web site and performs attacks against the web site structure and the web applications. This includes looking for fault injection vulnerabilities such as XSS, SQL Injection, File Inclusion, and more.

Structure Brute Force

A structure brute force will check for:

  • Common Vulnerable Scripts
  • Common File Checks
  • Custom File Checks (User File Checks)
  • Database Disclosure
  • Web-Based Backdoors

The number of checks is influenced by the number of directories found during the spidering stage.

Old & Backup Files

Executes extension checking around the mapped web site structure.

OWASP Top 10

Scans specifically for the OWASP Top 10 2017 vulnerabilities:

  1. A1 2017: Injection
  2. A2 2017: Broken Authentication
  3. A3 2017: Sensitive Data Exposure
  4. A4 2017: XML External Entities (XXE)
  5. A5 2017: Broken Access Control
  6. A6 2017: Security Misconfiguration
  7. A7 2017: Cross-Site Scripting (XSS)
  8. A8 2017: Insecure Deserialization
  9. A9 2017: Using Components with Known Vulnerabilities
  10. A10 2017: Insufficient Logging & Monitoring

CWE Top 25

Scans specifically for the 2019 CWE Top 25 Most Dangerous Software Errors.

See the full list at: https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html

OWASP PHP Top 5

Scans specifically for the OWASP Top Five List of PHP Vulnerabilities:

  1. Remote Command Execution
  2. Cross-Site Scripting (XSS), including DOM XSS
  3. SQL Injection
  4. PHP Misconfiguration
  5. File System Attacks, including File Inclusion

Fault Injection

Scans specifically for fault injection vulnerabilities. If this scan method is selected, all other checks that does not require injection are disabled and Syhunt will then specifically check for SQL injection, XSS, file inclusion, and similar flaws.

Cross-Site Scripting (XSS)

Scans specifically for XSS vulnerabilities, including DOM XSS.

SQL Injection

Scans specifically for SQL & NoSQL Injection vulnerabilities.

File Inclusion

Scans specifically for File Inclusion and Directory Traversal vulnerabilities.

Unvalidated Redirects

Scans specifically for Unvalidated Redirect vulnerabilities.

Malware Scan

Scans specifically for malware content, such as:

  • Web Backdoors
  • Malicious Content
  • Hidden Debug Parameters

Passive Scan

Maps the web site structure and reports vulnerabilities discovered without launching any kind of attacks, such as:

  1. Vulnerabilities in Client-Side JavaScript
  2. Various Form Weaknesses
  3. Web Technology Disclosure
  4. Insecure HTTP Headers
  5. Outdated, Vulnerable Server Software
  6. Outdated, Vulnerable Referenced Scripts
  7. Suspicious HTML Comments
  8. Source Code Disclosure
  9. Malicious Content being served

Spider Only

Maps the web site structure without testing or reporting any kind of vulnerability or weakness.

Complete Scan

Scans for all kinds of web application vulnerabilities using all kinds of mutantions and pen-tester methods, including Header Manipulation attacks. A Complete Scan can sometimes be very time-consuming when performed against a web server that has a large quantity of web folders and entry points.

Complete Scan (No DoS)

Same as before, but with denial-of-service tests disabled.

Complete Scan (Paranoid)

Scans for all kinds of web application vulnerabilities using deep structure brute force, all kinds of mutantions and pen-tester methods, including Header Manipulation attacks. This scan method can be very time-consuming, specially when executed against large web sites. This method also executes triple checking structure brute force, which applies to case-sensitive servers - Syhunt will try all file name possibilities (all uppercase, all lowercase, all leading capitals, etc).

Modifying Syhunt Preferences

If you have Syhunt 6.9.6.3 or superior, you can update Syhunt's permanent preferences (global or target-specific) via CLI by using the new -prefset parameter. You can also use the -prefprint parameter to print and view the value of any preference.


-- Example 1 - Setting a logo to be displayed in newly generated reports
 scancore -prefset:hybrid.report.company.logo.url -v:https://www.mydomain.com/mylogo.png

-- Example 2 - Printing the current report logo URL
 scancore -prefprint:hybrid.report.company.logo.url

-- Example 3 - Setting Basic authentication for a specific site
 scancore -tg:http://127.0.0.1 -prefset:dynamic.servauth.type -v:Basic
 scancore -tg:http://127.0.0.1 -prefset:dynamic.servauth.username -v:myuser 
 scancore -tg:http://127.0.0.1 -prefset:dynamic.servauth.password -vsecret

-- Example 4 - Enabling or disabling preferences for a specific site
 scancore -tg:http://127.0.0.1 -prefset:enabled -v:true 
 scancore -tg:http://127.0.0.1 -prefset:enabled -v:false 

-- Example 5 - Setting a value from a list file
 scancore -tg:http://127.0.0.1 -prefset:dynamic.lists.cookies -fromfile:mycookies.lst

A list of available preference IDs is available here.

Clearing all preferences

You can remove all preferences by calling commands below.


-- Clear global preferences
scancore -runcmd:clearpref
-- Clear preferences for all sites
scancore -runcmd:clearsite

Using Issue Trackers

If you have Syhunt 6.9.6.3 or superior, you can add, manage and use issue trackers via CLI by using the new -tracker parameter.


-- Example 1 - Adding a new GitHub tracker
 scancore -tracker:add 
-- Specify the type GitHub and the name of the tracker, and press enter
-- Configure the GitHub tracker
 scancore -tracker:set to:mytrackername -key:project.name -v:owner/repo
 scancore -tracker:set to:mytrackername -key:auth.token.encrypted -vsecret

-- Example 2 - Adding a new email tracker
 scancore -tracker:add 
-- Specify the type Email and the name of the tracker, and press enter
 scancore -tracker:set to:myemailtracker -key:message.from -v:robot@yourdomain.com
 scancore -tracker:set to:myemailtracker -key:message.tolist -v:security@yourdomain.com,team@yourdomain.com
 scancore -tracker:set to:myemailtracker -key:auth.targethost -v:smtp.yourdomain.com
 scancore -tracker:set to:myemailtracker -key:smtp.targetport -v:587
 scancore -tracker:set to:myemailtracker -key:auth.username -v:myusername
 scancore -tracker:set to:myemailtracker -key:auth.password -vsecret

-- Example 3 - Testing a tracker
 scancore -tracker:send -tid:TEST -to:mytrackername -note:"My comment"

-- Example 4 - Sending a vulnerability from report to the tracker
-- 1596281007-7-4771 is a vulnerability track ID taken from the report. Each vulnerability has its own track ID
 scancore -tracker:send -tid:1596281007-7-4771 -to:mytrackername -note:"My comment"

-- Example 5 - Listing available trackers
 scancore -tracker:list

-- Example 6 - Deleting a tracker
 scancore -tracker:del to:mytrackername

A list of available tracker preference IDs is available here.

Sending vulnerabilities to a tracker after scanning

Syhunt can automatically send a summary of the identified vulnerabilities to a tracker if you provide the -si parameter to the scanurl or scancode command.


-- Example 1: Sending through a previously created tracker
scanurl mydomain -si:trackername

-- Example 2: Sending through a previously created tracker only if high severity vulnerabilities are identified
scanurl mydomain -si:trackername -pfcond:fail-if:risk=high

-- Example 3: Sending through a dynamically created tracker
scanurl mydomain -si:"?app=github###project=user/repo###token=ghp_etc"

Removing all trackers

You can remove all added trackers by calling: scancore -runcmd:cleartrack

Updating Syhunt

On Linux or macOS, you can use the command scanupdate to check for updates. If updates are available, Syhunt will ask if you want to download and install them. If you call scanupdate auto, Syhunt will check for updates and automatically install them when the command is executed without asking for user confirmation.

On Windows, you should download and install the updates directly from the Syhunt website.

Working with Third-Party Launchers

See this document on how to generate a complete command-line that allows to start Syhunt from within batch files, third-party task schedulers, Jenkins and other launchers.


For additional product documentation, visit syhunt.com/docs

Contact