Now the final release is out!
_____________________________
X-Scan-v3.0 User Manual
1. System requirements: Windows NT4/2000/XP/2003
2. Introduction:
X-Scan is a general network vulnerability scanner that scans a specified IP address range or a stand-alone computer using multiple threads. Plug-ins are supported, and GUI and CUI programs are provided separately. The following items can be scanned: service type, remote OS type and version (detected from the TCP/IP stack), weak user/password pairs, and the whole set of nessus attack scripts. For the best-known vulnerabilities, descriptions and solutions are provided. For other vulnerabilities, please refer to "Document" and "Vulnerability engine" at www.xfocus.org.
We provide a simple SDK in X-Scan 3.0 so that anyone can develop plug-ins easily. Everyone can download the source code of "nasl for windows", the X-Scan plug-in SDK and the sample plug-in code from this link: "http://www.xfocus.net/projects/X-Scan/index.html".
3. Components:
xscan_gui.exe -- X-Scan GUI main program
xscan.exe -- X-Scan CUI main program
checkhost.exe -- plug-in scheduler
update.exe -- live update main program
*.dll -- indispensable library files
readme.txt -- X-Scan help text
/dat/language.ini -- multi-language config file; the language can be switched by setting "LANGUAGE\SELECTED"
/dat/language.* -- multi-language database
/dat/config.ini -- user configuration file, used to save the scanning port list, scanning settings and the names of all dictionary files (including relative paths)
/dat/config.bak -- backup of "/dat/config.ini", used to restore the default configuration
/dat/cgi.lst -- CGI vulnerabilities list
/dat/iis_code.ini -- "IIS encode/decode" vulnerabilities list
/dat/port.ini -- used to save all the known ports and their corresponding services
/dat/*_user.dic -- username dictionary files, used when searching for weak-password users
/dat/*_pass.dic -- password dictionary files, used when searching for weak passwords
/dat/p0f*.fp -- used to identify the target OS by its fingerprint (passively)
/dat/nmap-os-fingerprints -- used to identify the target OS by its fingerprint
/dat/*.nsl -- used to save the nessus attack scripts list
/plugins -- used to store all plug-ins (suffix .xpn)
/scripts -- used to store all nessus attack scripts (suffix .nasl)
/scripts/desc -- used to store the multi-language descriptions of the nessus attack scripts (suffix .desc)
Note: xscan_gui.exe & xscan.exe use the same plug-ins and data files, but each runs independently.
4. Preparation:
X-Scan is absolutely free and can be run immediately after being decompressed, without registration or installation (WinPCap 3.1 or higher is required).
5. GUI program options description:
General config:
"IP address range" - You can input a single IP address or domain name, or a range of IP addresses separated by "-" or ",", for example: "192.168.0.1-192.168.0.20,192.168.1.10-192.168.1.254".
"Load host list from file" - If you select this checkbox, X-Scan reads the target addresses from a text file. Every line of the file should contain a single address or an address range in the same format as "IP address range".
"Report file" - The final report file, which is located in the directory "\log".
"Report type" - TXT and HTML formats are currently supported.
"Build and open report automate when complete" - As the caption says.
"Save host list" - If you select this checkbox, X-Scan saves the addresses of alive hosts into a text file.
"Host list file" - Used to save the addresses of alive hosts; this file is located in the directory "\log".
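As an added example (not part of the original X-Scan documentation), the following Python code expands an "IP address range" expression and a host list file in the format described above, and reports every target that falls outside an allowed scope, which is the check a scan operator wants before launching against a list. Domain names, which X-Scan also accepts in this field, are not resolved here; the sample host list and the allowed network are constructed for illustration.

```python
import ipaddress
from typing import List

IPv4 = ipaddress.IPv4Address


def parse_xscan_range(spec: str) -> List[IPv4]:
    """Expand one X-Scan "IP address range" expression.

    Items are separated by ",". Each item is a single IPv4 address or a
    "start-end" range (both ends inclusive), e.g.
    "192.168.0.1-192.168.0.20,192.168.1.10-192.168.1.254".
    """
    hosts: List[IPv4] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma
        if "-" in item:
            start_s, end_s = item.split("-", 1)
            start, end = IPv4(start_s.strip()), IPv4(end_s.strip())
            if end < start:
                raise ValueError(f"range end precedes start: {item!r}")
            hosts.extend(IPv4(n) for n in range(int(start), int(end) + 1))
        else:
            hosts.append(IPv4(item))
    return hosts


def parse_host_list(text: str) -> List[IPv4]:
    """Expand a "Load host list from file" file: one range expression per line."""
    hosts: List[IPv4] = []
    for line in text.splitlines():
        if line.strip():  # blank lines are skipped
            hosts.extend(parse_xscan_range(line))
    return hosts


def out_of_scope(hosts: List[IPv4], allowed: List[str]) -> List[IPv4]:
    """Return every target that falls outside the allowed networks (CIDR strings)."""
    nets = [ipaddress.IPv4Network(a) for a in allowed]
    return [h for h in hosts if not any(h in n for n in nets)]


# Constructed sample host list in the format the GUI reads from a file.
SAMPLE_HOST_LIST = """10.0.5.1-10.0.5.10
10.0.5.200

10.1.0.1-10.1.0.3
"""

if __name__ == "__main__":
    targets = parse_host_list(SAMPLE_HOST_LIST)
    stray = out_of_scope(targets, ["10.0.5.0/24"])  # assumed authorized scope
    print(f"{len(targets)} targets, {len(stray)} outside scope: {stray}")
```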
"Advanced config":
"Maximal number of thread" - The maximal number of concurrent threads while X-Scan is working.
"Maximal number of host" - The maximal number of hosts scanned concurrently; X-Scan creates a sub-process for every host.
"Display verbose information" - As the caption says.
"Skip host when failed to get response" - X-Scan checks whether the target host is alive by "TCP Ping" if it is running under Windows 2000/XP/2003 with administrator permission; otherwise it uses "ICMP Ping".
"Skip host when no open port has been found" - If X-Scan doesn't find any open TCP port within "Scan port", it cancels all other detection on this host.
"Scan always" - As the caption says.
"Port":
"Scan port" - The range of TCP ports, separated by "-" or ",".
"Scan mode" - X-Scan currently supports two methods: "TCP full connection" and "SYN half connection".
"Identify service by response" - Connect to each open port and identify the service by its response.
"Identify OS version forwardly by TCP/IP stack fingerprinter" - As the caption says.
"Default port" - As the caption says.
"NASL config":
"NASL scripts list" - You can customize the set of nessus attack scripts to speed up scanning. To load all the scripts, clear this edit box.
"Select" - In the selection window, you can select scripts by risk, category and family.
"Script execute timeout(s)" - Timeout for script execution.
"Network read timeout(s)" - Timeout for reading from a TCP socket.
"Skip the destructive scripts for host" - As the caption says.
"Check the dependencies of scripts" - Many scripts depend on each other. Leaving this checkbox unselected speeds up scanning, but the result is probably incorrect.
"Execute the destructive scripts for single service orderly" - If a script gathers information from a service while another script is performing a DoS attack on it, the result is probably incorrect. Leaving this checkbox unselected speeds up scanning.
"Network config":
"Network adapter" - Select an appropriate adapter so that WinPCap can capture network packets.
"HTTP":
"Encode" - All as the caption says.
"Dictionary":
Specify all the password dictionary files used for checking weak passwords.
6. CUI program parameter description:
1. Command format: xscan -host <start IP>[-<end IP>] <scanning items> [other options]
xscan -file <host list> <scanning items> [other options]
Explanations of scanning items are as follows:
-active : check whether the target host is active
-os : check the target operating system by NETBIOS and SNMP protocol
-port : scan the common port status (customize the scanning port list by modifying "PORT-SCAN-OPTIONS\PORT-LIST" in \dat\config.ini);
-ftp : scan for FTP weak passwords (set the user/password dictionary files by modifying \dat\config.ini);
-pub : check anonymous pub write permission on the FTP server
-pop3 : scan for POP3 server weak passwords (set the user/password dictionary files by modifying \dat\config.ini);
-smtp : scan for SMTP server weak passwords (set the user/password dictionary files by modifying \dat\config.ini);
-sql : scan for SQL Server weak passwords (set the user/password dictionary files by modifying \dat\config.ini);
-smb : scan for NT server weak passwords (set the user/password dictionary files by modifying \dat\config.ini);
-cgi : scan for CGI vulnerabilities (set the coding scheme by modifying "CGI-ENCODE\encode_type" in \dat\config.ini);
-iis : scan for IIS encode/decode vulnerabilities (set the coding scheme by modifying "CGI-ENCODE\encode_type" in \dat\config.ini);
-nasl : load Nessus Attack Scripts
-all : scan all the above items;
[other options] explanations:
-v: display verbose information;
-p: skip host when it fails to respond to ping;
-o: skip host when no open port is found;
-t <thread_count[,host_count]>: specify the maximal thread count and host count; default is 100,10
-l <report_file>: specify the report filename, text or html format
* Meaning of coding scheme in HTTP requests:
1. Replace "GET" with "HEAD"
2. Replace "GET" with "POST"
3. Replace "GET" with "GET / HTTP/1.0\r\nHeader:"
4. Replace "GET" with "GET /[filename]?param=" (setting [filename] by modifying "CGI-ENCODE\encode4_index_file" in \dat\config.ini)
5. Replace "GET" with "GET %00"
6. Multiple "/" or "\"
7. Exchange "/" and "\"
8. Replace "<space>" with "<Tab>"
Note: the parameters can be used simultaneously when they do not conflict.
2. Examples:
xscan -host xxx.xxx.1.1-xxx.xxx.255.255 -all -active -p
Meaning: scan the vulnerabilities of all hosts whose IP is between xxx.xxx.1.1 and xxx.xxx.255.255; skip a host when it fails to respond;
xscan -host xxx.xxx.1.1-xxx.xxx.255.255 -port -smb -t 150 -o
Meaning: scan the standard port status and NT weak-password users of all hosts whose IP is between xxx.xxx.1.1 and xxx.xxx.255.255; skip a host when no open port has been found. The maximal number of concurrent threads is 150;
xscan -file hostlist.txt -port -cgi -t 200,5 -v -o
Meaning: scan the standard port status and CGI vulnerabilities of the hosts listed in "hostlist.txt". The maximal number of concurrent threads is 200, and up to 5 hosts can be scanned simultaneously. Skip a host when no open port has been found.
7. Frequently asked questions:
Q: Does X-Scan work correctly without WinPCap?
A: X-Scan requires WinPCap 3.1 or higher; otherwise the network packets cannot be customized in some scripts.
Q: I can see 10 "checkhost.exe" processes in my task list when I'm checking a subnet. Why?
A: X-Scan creates a sub-process for every host. The sub-processes terminate automatically after scanning. You can set this number with the parameter "-t".
Q: Why did my computer reboot while X-Scan was working?
A: WinPcap does not work well if a firewall is installed on the same machine. You should disable or uninstall the firewall and try again.
Q: Why did X-Scan identify the target OS incorrectly?
A: If the target filters the NETBIOS and SNMP protocols and has a strange TCP/IP stack fingerprint, X-Scan can't identify its OS correctly; you have to draw the conclusion yourself.
Q: Why did X-Scan actually use the "TCP" method even though I selected the "SYN" method for scanning TCP ports?
A: SYN scanning and passive identification of the target OS are only available under Windows 2000/XP/2003, and administrator permission is also required.
Q: Are the plug-ins of X-Scan 2.3 compatible with X-Scan 3.0?
A: No. X-Scan 3.0 changed the plug-in interface so that plug-ins can be developed more easily, so the old plug-ins need some modification.
Q: What exactly does "Skip host when failed to get response" mean?
A: This job is performed by the "Active" plug-in. If X-Scan is working under Windows 2000/XP/2003 with administrator permission, it checks whether the target host is alive by "TCP Ping"; otherwise it uses "ICMP Ping".
Q: I found many nessus attack scripts in the directory "\Scripts". Can I download the latest scripts from the internet, move them to this directory and have X-Scan execute them?
A: Yes. X-Scan ported the nessus attack script engine to the Windows platform. To load added scripts, copy them to the directory "/Scripts" and add them to the "NASL scripts list", or clear that edit box.
Q: How can I check for weak passwords with additional passwords?
A: The dictionary shipped with X-Scan is a simple demo. To enhance cracking, you should improve the dictionary.
Q: How can I stop or pause the scanning in CUI mode?
A: During scanning in CUI mode, press "<space>" to view the lines and scanning progress, press "<enter>" to pause or continue, press "q" to save the current data and exit, and press "<ctrl+c>" to terminate X-Scan forcibly.
Q: How can I install X-Scan on my system, and how can I register it?
A: X-Scan is absolutely free and can be run immediately after being decompressed, without registration or installation (WinPCap 3.1 or higher is required).
8. Release history:
X-Scan v3.0 -- release date: 01/03/2004. Fixed known bugs in the previous v3.0 beta, optimized the main program and plug-ins; updated nasl.dll to support the latest nessus attack scripts; provided a simple library so that everyone can develop plug-ins easily.
Thanks to wuxiu and quack for culling nessus attack scripts, to san for the web page of the X-Scan project, and again to our enthusiastic friends who have sent good suggestions.
X-Scan v3.0(beta) -- release date: 30/12/2003. Updated the main program, added the NASL plug-in to load all the nessus attack scripts; modified the plug-in interface so that plug-ins can be developed easily; enhanced the "identify remote OS" function; dropped some plug-ins whose work is now done by NASL scripts.
Thanks to isno and Enfis for their excellent plug-ins; to wuxiu and quack for culling nessus attack scripts; and to our enthusiastic friends who have sent good suggestions.
X-Scan v2.3 -- release date: 09/29/2002. Added the SSL plug-in to check SSL vulnerabilities; updated the PORT/HTTP/IIS plug-ins; updated the GUI and changed its style.
Thanks to ilsy for excellent plug-ins.
X-Scan v2.2 -- release date: 09/12/2002. Changed the style of the result index file; enlarged the RPC vulnerability database; fixed known bugs in the previous v2.1.
Thanks to xundi, quack and stardust for tidying the vulnerability database.
X-Scan v2.1 -- release date: 09/08/2002. Allowed scanning specific SNMP-Info plug-in options; linked the "vulnerability description" of the HTTP, IIS and RPC plug-ins to the "xfocus" vulnerability search engine; fixed all the known bugs in the previous v2.0.
X-Scan v2.0 -- release date: 08/07/2002. Added the TraceRoute and SNMP-Info plug-ins; updated the NETBIOS plug-in, added remote registry information scanning; updated the IIS plug-in, added .ASP vulnerability scanning; modified part of the plug-in interface; updated the graphical interface, added the "update online" function; enlarged the CGI vulnerability database; fixed all the known bugs in the previous v1.3.
Thanks for the precious information and excellent plug-ins provided by quack, stardust, sinister, ilsy, bingle and santa, and many thanks to our enthusiastic friends who have sent good suggestions.
X-Scan v1.3 -- release date: 12/11/2001. Fixed the OS-detection bug in the PORT plug-in.
X-Scan v1.2 -- release date: 12/02/2001. Updated the HTTP and IIS plug-ins, added detection of error pages that are redirected; updated the PORT plug-in to check port status by a standard TCP connect() when creating a raw socket fails.
X-Scan v1.1 -- release date: 11/25/2001. Moved all scanning functions into plug-ins and turned the main program into a container; updated the graphical interface program; modified the multithreading mode so that plug-ins share threads, increasing scanning speed; added SMTP and POP3 weak password scanning; added the IIS UTF-Code vulnerability exploit; expanded the CGI vulnerabilities list.
My thanks to xundi, quack, casper, wollf and Huang Cheng for providing so much valuable information. Special thanks to xundi and quack for their hard work in testing this version.
X-Scan v1.0(beta) -- release date: 07/12/2001. Added detection of the remote OS type and version based on the TCP/IP stack fingerprint; added the function of looking up the geographical location of the remote host; added scanning for the IIS ".ida/.idq" vulnerabilities in the "-iis" option, and updated the description of this vulnerability; allowed scanning a specific port range (by modifying "[PORT-LIST]\port=" in "dat\config.ini"); allowed users to use "%" in place of all user names when editing the password dictionary for "-ntpass"; updated the CGI vulnerabilities list, and classified CGI vulnerabilities to increase scanning speed.
My thanks to cloud and Feng Zhihong for providing their great software. And thank you once again, quack, for your encouragement, faith, and support over the past years.
X-Scanner v0.61 -- release date: 05/17/2001. Added the exploit of the Microsoft IIS CGI Filename Decode Error Vulnerability to the "-iis" option.
X-Scanner v0.6 -- release date: 05/15/2001. Added the "-iis" option, used to scan for the "unicode" and "remote .printer overflow" vulnerabilities of IIS servers; updated the descriptions of vulnerabilities; adjusted the timeouts to avoid "scan unfinished" caused by timeout; upload a warning text to "C:\" instead of changing the homepage automatically.
X-Scanner v0.5 -- release date: 04/30/2001. Modified the command line parameters to make them more understandable; enlarged the CGI vulnerability database; expanded the NT weak password scanning function.
Thanks to santa and colossus for excellent plug-ins.
X-Scanner v0.42b -- release date: 03/07/2001. Fixed the bug in the "-b" option.
X-Scanner v0.42 -- release date: 03/02/2001. Allowed users to extend the SQL-SERVER account list.
X-Scanner v0.41 -- release date: 02/19/2001. Fixed the weak-password scanning bug in former versions; optimized the script, and combined xscan.exe and xscan98.
X-Scanner v0.4 -- release date: 02/15/2001. Added the scan for the SQL-SERVER default account "sa"; made a simple temporary GUI (all work can be done with one mouse!)
X-Scanner v0.31 -- release date: 01/17/2001. Adjusted the port scan method and the format of export files; enhanced the Unicode decode vulnerability check; provided a simple CGI list maintenance tool for win98.
X-Scanner v0.3 -- release date: 12/27/2000. Added the thread timeout limit; added proxy support; enlarged the CGI vulnerability database, added scans for vulnerabilities such as Unicode decoding; fixed the memory leak bug. Internal test version.
X-Scanner v0.2 -- release date: 12/12/2000. Internal test version.
9. Appendix:
X-Scan is totally free software. Any suggestions and feedback are highly appreciated. I welcome email from any user with comments or bug fixes.
Many thanks to the members of xfocus, uid0 and ex-DarkSun for their support. I can do nothing without you. --glacier_at_xfocus_dot_org
__________________________________________________________________
Question, advice, bug ... please mail to: xscan_at_xfocus_dot_org
Copyright © http://www.xfocus.org