X-scan-v3 Beta5
nowhere
X-Scan-v3 beta5 User Manual


1. System requirement: Windows NT4/2000/XP/2003


2. Introduction:

X-Scan is a general-purpose network vulnerability scanner that scans a single host or a range of IP addresses using multiple threads. Plug-ins are supported, and GUI and CUI (command-line) programs are provided separately. The following can be scanned: service type, remote OS type and version (detected from the TCP/IP stack), weak user/password pairs, and the full set of Nessus attack scripts. For the best-known vulnerabilities, descriptions and solutions are included; for other vulnerabilities, refer to "Document" and "Vulnerability engine" at www.xfocus.org.


3. Components:

xscan_gui.exe -- X-Scan GUI main program
xscan.exe -- X-Scan CUI (command-line) main program
checkhost.exe -- plug-in scheduler
update.exe -- live update main program
*.dll -- required library files
readme.txt -- X-Scan help text
/dat/language.ini -- multi-language config file; the language is switched by setting "LANGUAGE\SELECTED"
/dat/language.* -- multi-language databases
/dat/config.ini -- user configuration file, storing the port list to scan, the scanning settings and the names of all dictionary files (including relative paths)
/dat/config.bak -- backup of "/dat/config.ini", used to restore the default configuration
/dat/cgi.lst -- CGI vulnerability list
/dat/iis_code.ini -- "IIS encode/decode" vulnerability list
/dat/port.ini -- all known ports and their corresponding services
/dat/*_user.dic -- username dictionaries, used when searching for weak-password users
/dat/*_pass.dic -- password dictionaries, used when searching for weak passwords
/dat/p0f*.fp -- OS fingerprint database used by passive remote OS detection
/dat/nmap-os-fingerprints -- OS fingerprint database used by active (TCP/IP stack) remote OS detection
/dat/*.nsl -- Nessus attack script lists
/plugins -- all plug-ins (suffix .xpn)
/scripts -- all Nessus attack scripts (suffix .nasl)
/scripts/desc -- multi-language descriptions of the Nessus attack scripts (suffix .desc)

Note: xscan_gui.exe and xscan.exe share the same plug-ins and data files, but each runs independently.


4. Preparation:

X-Scan is completely free and can be run immediately after being unpacked, without registration or installation (WinPcap 2.3 or higher is required).


5. Attention:

1. X-Scan requires WinPcap 2.3 or higher; without it, custom network packets cannot be crafted.

2. SYN scanning and passive OS identification are available only under Windows 2000/XP/2003, and require administrator privileges.

3. The dictionaries shipped with X-Scan are only a simple demo. To improve cracking results, extend the dictionaries.

4. While scanning in CUI mode, press "<space>" to view the current status and progress, press "q" to save the current data and exit, and press "<ctrl+c>" to terminate the program forcibly.


6. Command line parameter description:

1. Command format:
xscan -host <start IP>[-<end IP>] <scanning items> [other options]
xscan -file <host list> <scanning items> [other options]

Scanning items:
-active : check whether the target host is active
-port : scan the status of common ports (customize the port list by modifying "PORT-SCAN-OPTIONS\PORT-LIST" in \dat\config.ini);
-sql : scan for SQL-Server weak passwords (set the user/password dictionary files in \dat\config.ini);
-ftp : scan for FTP weak passwords (set the user/password dictionary files in \dat\config.ini);
-ntpass : scan for NT-Server weak passwords (set the user/password dictionary files in \dat\config.ini);
-smtp : scan for SMTP-Server weak passwords (set the user/password dictionary files in \dat\config.ini);
-pop3 : scan for POP3-Server weak passwords (set the user/password dictionary files in \dat\config.ini);
-smb : scan for NT-Server weak passwords (set the user/password dictionary files in \dat\config.ini);
-cgi : scan for CGI vulnerabilities (set the encoding scheme by modifying "CGI-ENCODE\encode_type" in \dat\config.ini);
-iis : scan for IIS encode/decode vulnerabilities (set the encoding scheme by modifying "CGI-ENCODE\encode_type" in \dat\config.ini);
-nasl : load the Nessus attack scripts
-all : scan all of the above items;

[other options]:
-v: display verbose information;
-p: skip a host when it fails to answer ping;
-o: skip a host when no open port is found;
-t <thread_count[,host_count]>: maximum thread count and number of hosts scanned concurrently; the default is 100,10

* Meaning of the encoding scheme values ("CGI-ENCODE\encode_type") in HTTP requests:
1. Replace "GET" with "HEAD"
2. Replace "GET" with "POST"
3. Replace "GET" with "GET / HTTP/1.0\r\nHeader:"
4. Replace "GET" with "GET /[filename]?param=" (set [filename] by modifying "CGI-ENCODE\encode4_index_file" in \dat\config.ini)
5. Replace "GET" with "GET %00"
6. Several "/" or "\"
7. Exchange "/" and "\"
8. Replace "<space>" with "<Tab>"
Note: the parameters can be combined when they do not conflict.

2. Examples:
xscan -host xxx.xxx.1.1-xxx.xxx.255.255 -all -active -p
Meaning: scan all hosts in the range xxx.xxx.1.1-xxx.xxx.255.255 for all vulnerabilities, skipping hosts that do not respond;

xscan -host xxx.xxx.1.1-xxx.xxx.255.255 -port -smb -t 150 -o
Meaning: scan the standard port status and NT weak-password users of all hosts in the range xxx.xxx.1.1-xxx.xxx.255.255, skipping hosts with no open port. The maximum number of concurrent threads is 150;

xscan -file host.lst -port -cgi -t 200,5 -v -o
Meaning: scan the standard port status and CGI vulnerabilities of the hosts listed in "host.lst". The maximum number of concurrent threads is 200, and up to 5 hosts are scanned simultaneously. Skip hosts with no open port.


7. Plug-in Interface:

/* Called when plug-ins are initialized, to obtain the plug-in's basic information.
Return value: TRUE -- plug-in initialized successfully; FALSE -- plug-in initialization failed */
extern "C" __declspec(dllexport) BOOL GetPluginInfo(PLUGIN_INFO *);

/* Called when a host is scanned. Takes the host information and returns the scan result.
Return value: TRUE -- vulnerabilities were found; FALSE -- no vulnerabilities were found */
extern "C" __declspec(dllexport) BOOL PluginFunc(VOID *);

Both functions must be exported before xscan.exe can use the plug-in. The final .dll is renamed to .xpn and placed in the "plugins" subdirectory alongside xscan.exe. See the example "/plugins/XScan_Pub_Plugin_{by_Enfis}.rar".


8. Version Information:

X-Scan v2.3 -- release date: 09/29/2002. Added the SSL plug-in to check SSL vulnerabilities; updated the PORT/HTTP/IIS plug-ins; updated the GUI and changed its style.
Thanks to ilsy for excellent plug-ins.

X-Scan v2.2 -- release date: 09/12/2002. Changed the format of the result index file; enlarged the RPC vulnerability database; fixed known bugs in v2.1.
Thanks to xundi, quack and stardust for tidying the vulnerability database.

X-Scan v2.1 -- release date: 09/02002. Allowed scanning of specific SNMP-Info plug-in options; linked the "vulnerability description" of the HTTP, IIS and RPC plug-ins to the xfocus vulnerability search engine; fixed all known bugs in v2.0.

X-Scan v2.0 -- release date: 007/2002. Added the TraceRoute and SNMP-Info plug-ins; updated the NETBIOS plug-in, adding remote registry information scanning; updated the IIS plug-in, adding .ASP vulnerability scanning; modified part of the plug-in interface; updated the graphical interface, adding an "update online" function; enlarged the CGI vulnerability database; fixed all known bugs in v1.3.
Thanks for the valuable information and excellent plug-ins provided by quack, stardust, sinister, ilsy, bingle and santa, and many thanks to the enthusiastic friends who have sent good suggestions.

X-Scan v1.3 -- release date: 12/11/2001. Fixed the OS-detection bug in the PORT plug-in.

X-Scan v1.2 -- release date: 12/02/2001. Updated the HTTP and IIS plug-ins, adding detection of redirected error pages; updated the PORT plug-in to check port status with a standard TCP connect() when a raw socket cannot be created.

X-Scan v1.1 -- release date: 11/25/2001. Moved all scanning functions into plug-ins and turned the main program into a container; updated the graphical interface; modified the multithreading mode so that plug-ins share threads, increasing scanning speed; added SMTP and POP3 weak-password scanning; added the IIS UTF-code vulnerability exploit; expanded the CGI vulnerability list.
My thanks to xundi, quack, casper, wollf and Huang Cheng for providing so much valuable information. A special thanks to xundi and quack for their hard work testing this version.

X-Scan v1.0(beta) -- release date: 07/12/2001. Added detection of remote OS type and version based on the TCP/IP stack fingerprint; added lookup of the geographical location of the remote host; added scanning of the IIS ".ida/.idq" vulnerability to the "-iis" option and updated its description; allowed scanning of a specific port range (by modifying "[PORT-LIST]\port=" in "dat\config.ini"); allowed "%" to be used in place of the user name when editing the "-ntpass" password dictionary; updated the CGI vulnerability list and classified the CGI vulnerabilities to increase scanning speed.
My thanks to cloud and Feng Zhihong for providing their great software. And thank you once again, quack, for your encouragement, faith and support over the past years.

X-Scanner v0.61 -- release date: 05/17/2001. Added the exploit for the Microsoft IIS CGI Filename Decode Error vulnerability to the "-iis" option.

X-Scanner v0.6 -- release date: 05/15/2001. Added the "-iis" option, used to scan for the IIS "unicode" and "remote .printer overflow" vulnerabilities; updated the vulnerability descriptions; adjusted the timeouts to avoid "scan unfinished" caused by timeouts; upload the warning text to "C:\" instead of changing the homepage automatically.

X-Scanner v0.5 -- release date: 04/30/2001. Modified the command-line parameters to make them more understandable; enlarged the CGI vulnerability database; expanded NT weak-password scanning.
Thanks to santa and colossus for excellent plug-ins.

X-Scanner v0.42b -- release date: 03/07/2001. Fixed the bug in the "-b" option.

X-Scanner v0.42 -- release date: 03/02/2001. Allowed users to extend the SQL-Server account list.

X-Scanner v0.41 -- release date: 02/19/2001. Fixed the weak-password scanning bug of earlier versions; optimized the script and merged xscan.exe and xscan98.

X-Scanner v0.4 -- release date: 02/15/2001. Added scanning for the SQL-Server default account "sa"; added a simple temporary GUI (all work can be done with one mouse!).

X-Scanner v0.31 -- release date: 01/17/2001. Adjusted the port-scanning method and the format of exported files; enhanced the Unicode decode vulnerability check; provided a simple CGI list maintenance tool for Win98.

X-Scanner v0.3 -- release date: 12/27/2000. Added a thread timeout limit; added proxy support; enlarged the CGI vulnerability database, adding scans for vulnerabilities such as Unicode decoding; fixed a memory leak. Internal test version.

X-Scanner v0.2 -- release date: 12/12/2000. Internal test version.


9. Appendix:

X-Scan is completely free software. Suggestions and feedback are highly appreciated; email from any user with comments or bug fixes is welcome.

Many thanks for the support of the members of xfocus, uid0 and ex-DarkSun. I could do nothing without you.

__________________________________________________
Questions, advice, bug reports: please mail to xscan@xfocus.org
Copyright © http://www.xfocus.org

________
have fun

greetz nowhere
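The eight encoding schemes listed in section 6 of the README above ("CGI-ENCODE\encode_type") are request-mutation tricks aimed at signature-based detection: the server still resolves the request, but a byte-exact pattern no longer matches. The Python below is an added example, not X-Scan's own code. X-Scan's exact on-the-wire bytes, the index file name index.htm, the host name target.example and the CGI path list are assumptions made for illustration. build_request() produces each variant for a given CGI path, naive_match() shows that a literal "GET /cgi-bin/phf" signature matches only the plain request, and normalized_match() canonicalises every place a path can hide (request target, query values, header values) so that all eight variants are caught.

```python
import re

# Stand-in for the "CGI-ENCODE\encode4_index_file" setting; the real default
# in config.ini is not shown on the page, so this value is assumed.
INDEX_FILE = "index.htm"

# CGI paths the check should recognise. Constructed for this example.
KNOWN_CGI = {"/cgi-bin/phf", "/cgi-bin/test-cgi"}


def build_request(path, scheme, host="target.example", index_file=INDEX_FILE):
    """Build the raw HTTP request for one encoding scheme.

    Scheme 0 is the plain request; 1-8 follow the README's list. The exact
    bytes X-Scan puts on the wire are not shown on the page, so this is an
    assumption about how each description is realised.
    """
    if scheme == 0:
        line = "GET " + path + " HTTP/1.0"
    elif scheme == 1:   # HEAD instead of GET
        line = "HEAD " + path + " HTTP/1.0"
    elif scheme == 2:   # POST instead of GET
        line = "POST " + path + " HTTP/1.0"
    elif scheme == 3:   # bogus first request line, real path in a header value
        line = "GET / HTTP/1.0\r\nHeader: " + path + " HTTP/1.0"
    elif scheme == 4:   # real path hidden in a fake query parameter
        line = "GET /" + index_file + "?param=" + path + " HTTP/1.0"
    elif scheme == 5:   # percent-encoded NUL in front of the path
        line = "GET %00" + path + " HTTP/1.0"
    elif scheme == 6:   # every "/" doubled
        line = "GET " + path.replace("/", "//") + " HTTP/1.0"
    elif scheme == 7:   # "\" in place of "/"
        line = "GET " + path.replace("/", "\\") + " HTTP/1.0"
    elif scheme == 8:   # TAB instead of space as the separator
        line = "GET\t" + path + "\tHTTP/1.0"
    else:
        raise ValueError("unknown scheme %r" % scheme)
    return line + "\r\nHost: " + host + "\r\n\r\n"


def naive_match(raw):
    """Byte-exact signature: the kind of check the schemes are meant to slip past."""
    return any(("GET " + cgi) in raw for cgi in KNOWN_CGI)


def canonical(target):
    """Undo what a lenient server ignores: NULs, backslashes, repeated slashes."""
    target = target.replace("%00", "").replace("\\", "/")
    target = re.sub(r"/+", "/", target)
    return target.split("?", 1)[0]


def candidate_paths(raw):
    """Yield every place a path can hide: the request target, each query
    value, and the first token of every header value (scheme 3)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    tokens = re.split(r"[ \t]+", lines[0])      # TAB-separated too (scheme 8)
    if len(tokens) >= 2:
        target = tokens[1]
        yield target
        if "?" in target:
            for kv in target.split("?", 1)[1].split("&"):
                yield kv.split("=", 1)[-1]
    for line in lines[1:]:
        if ":" in line:
            yield re.split(r"[ \t]+", line.split(":", 1)[1].strip())[0]


def normalized_match(raw):
    """Signature applied after canonicalisation of every candidate path."""
    return any(canonical(c) in KNOWN_CGI for c in candidate_paths(raw))


def evasion_report(path="/cgi-bin/phf"):
    """Map each scheme to (naive signature hit, normalised check hit)."""
    return {s: (naive_match(build_request(path, s)),
                normalized_match(build_request(path, s)))
            for s in range(9)}


if __name__ == "__main__":
    for scheme, (naive, normalized) in evasion_report().items():
        print("scheme %d: naive=%s normalized=%s" % (scheme, naive, normalized))
```

Running the block prints one line per scheme; only scheme 0 is caught by the byte-exact signature, while the canonicalising check flags all nine. The design point for the detection side is that the normalisation must mirror what the target server tolerates, otherwise the scanner's mutation and the detector's view of the request diverge and the variant slips through.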
Devil
thx... only been using the 2.3 version... gonna check this one out!!

Devil
Chinzo
Ok I'll check this out many thanks for sharing this !
fandango
thanks a lot dude for this version, going to take a looksi at it
Paul
Finally an update, thnx
EXPLOiTED
sweet gui and output options. But why did they kill the proxy feature ;(.... also, anyone know of any program that can force any program to use a proxy? I've seen it before.. don't know where it is now
OleaSTeR
thanks a lot ... the nessus option seems to be very good
-=[MePhIsTo]=-
wow i love this scanner !!! many many thx
StreetZone_
Thx a lot ........ Great job ....... Keep it up ......
The Storm
thank ya man. Nice prog, I'm going to test it!
Hellraiseruk
Nice one m8. Always good to keep up to date
JDog45
Thanks for the upload. I didn't even see this on their website...
PrarieDog
nice work, will take a lookie. thx
flashb4ck
thx 4 the tool
i had problems with version 2.0, and version 1.3 was still the best solution 4 me, but i hope this version will work a lil bit better than the old one h3h3


greeTz fL4Shb4Ck
clubfed
QUOTE (EXPLOiTED @ Feb 3 2004, 12:42 PM)
sweet gui and output options. But why did they kill the proxy feature ;(.... also, anyone know of any program that can force any program to use a proxy? I've seen it before.. don't know where it is now

search for "sockscap".. there are several variations. Google.
absolution
One of the best scanners out there, Very nice.
Train25
download doesn't seem to be working for me. Strange. Addressed this prob already on another thread. Some download without a prob, others download as 0 byte files.

If possible, could someone who was successful in downloading this beta send it to me please.

Thanks in advance
as0l0
excuse my ignorance. does this mean you can just copy over all of your nessus nasl scripts? I mean the ones that ship with nessus, and it will use those to scan with?
Nurgle
Thank you for the scanner, but has anyone scanned something with this version? I think there is something wrong with it.

When I scan there are empty server fields
as0l0
the only thing I have seen so far that is "wrong" is a false positive for blank admin accounts against windows machines.
IronEagle
xscan.exe -- X-Scan CUI main program

^^ This file is missing, or does anyone have it anywhere?
bambipower
cool, nice update

going to use this

grt m8
nowhere
QUOTE (IronEagle @ Feb 4 2004, 09:13 AM)
xscan.exe -- X-Scan CUI main program

^^ This file is missing, or does anyone have it anywhere?

this file is missing in all beta versions 3, 4 and 5. We must wait for the next beta or for the final
RELiC
Thanks bro, "download does work". Just finished trying it out and it works for me. By the way, X-scan gives a nice html report also .....
jak3c
thank you!
the last xscan version I have is 2.3!
let me test it!
Reaper527
great post, i'll nab the new xscan from it. thanks for sharing the tools
BeNiNuK
nice share man, good 1
silos
Yeah, much improved, but where can I add to my dictionary list?

QUOTE
excuse my ignorance. does this mean you can just copy over all of your nessus nasl scripts? I mean the ones that ship with nessus, and it will use those to scan with?


I'd like to know that too. Does somebody have a link to the Nessus nasl scripts that I can just copy and paste into xscan [where do you paste them to?].
saetji
niiiiiice. I wonder if this actually works though - v 2.2 and 2.3 didn't work for me so I've been using 1.3 :\
T-BoNe
it's strange that it doesn't appear on their website?

but thx !
Action
thanx man!!! hopefully it's worth the while!
extreme
I don't see what exactly is new in this version that is not already implemented in v2.3. BTW, I think I downloaded it from their site, but the .ch one.. I guess they don't update the English version of the site regularly..
poerkel
The download link in the English version is only on their board.

Take a look
nowhere
Great news: X-Scan is updated to Beta 6 with xscan.exe

Update your Beta 5 version!! I've zipped the updated files!!!!

Greetz nowhere

PS:

Here are the files:

xscan_gui.exe 05-Feb-2004 23:23 1.4M
NaslLib.dll 10-Feb-2004 02:57 284k
Xscan.exe 10-Feb-2004 03:47 599k
dat/ 11-Feb-2004 04:41 -
plugins/ 11-Feb-2004 04:55 -

nowhere
I've updated my xscan3 beta 5, so I've fixed it now

I'm uploading the updated xscan3 beta 6 version!!!!

have fun!!!!

greetz nowhere
extreme
How is it that you have Beta6 when on their forums it's Beta5??? Where did you get it?
nowhere
i have it ;))))

download or update your 5!
meinaeiner
I want to say THX to nowhere for the xscan3 beta 6 version

and thx to this great community.

have a nice day
saetji
thanx - good job - keep it up
=k3Rn=
thx for the hint!
Vampire
Big thx for Beta 6, I will test it
adenek
Great thx a lot