Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/GhostTroops/scan4all/llms.txt

Use this file to discover all available pages before exploring further.

scan4all includes a powerful password cracking engine (hydra) that supports brute force attacks against 23 different protocols. The cracker features intelligent dictionary management, concurrent execution, and automatic protocol detection.

Supported Protocols

scan4all can perform password brute force attacks against the following protocols:

RDP (Remote Desktop)

VNC (Virtual Network Computing)

SSH (Secure Shell)

SOCKS5 Proxy

rsh-spx

MySQL Database

MSSQL Database

Oracle Database

PostgreSQL Database

Redis Cache

FTP File Transfer

MongoDB Database

SMB/CIFS

Telnet

SNMP

Elasticsearch

RouterOS

HTTP BasicAuth

Weblogic

Tomcat

JBoss

WinRM

POP3/POP3S

Enabling Password Cracking

By default, password brute forcing is disabled. Enable it with the priorityNmap configuration: 
# Enable password cracking
priorityNmap=true scan4all -host 192.168.1.1 -v
Password cracking is performed on services detected during port scanning. Ensure port scanning is enabled and services are correctly identified.

How It Works

Architecture

The password cracking engine uses a concurrent goroutine pool architecture:
1

Service Detection

After port scanning, services are identified and categorized by protocol (SSH on 22, MySQL on 3306, etc.)
2

Dictionary Loading

Protocol-specific username and password dictionaries are loaded:
  • Default dictionaries embedded in the binary
  • Custom dictionaries from config/ directory
  • User-provided dictionaries
3

Credential Generation

Username and password combinations are generated based on dictionary merge strategy:
  • Replace mode: Use only custom dictionaries
  • Merge mode: Combine custom with default dictionaries
4

Concurrent Execution

Credentials are tested concurrently using a worker pool:
// Configurable thread pool
Pool: pool.NewPool(threads)
Interval: time.Microsecond * 13  // Rate limiting
5

Result Validation

Successful authentications are validated and reported immediately. The cracker stops on first success.

Dictionary Management

Default Dictionaries

scan4all includes built-in dictionaries for all supported protocols: 
# Dictionary location in source
pkg/hydra/dicts/
  ├── ftp.txt
  ├── mysql.txt
  ├── ssh.txt
  ├── rdp.txt
  └── ...

Custom Dictionaries

Override default dictionaries with custom wordlists: 
# Create custom username list
cat > config/usernames.txt <<EOF
admin
root
administrator
user
test
EOF

Dictionary Merge Strategies

Replace Mode (default): 
if CustomAuthMap.IsEmpty() == false {
    list.Replace(CustomAuthMap)  // Use only custom dictionaries
    return list
}
Merge Mode: 
if isAuthUpdate {
    list.Merge(CustomAuthMap)  // Combine custom + default
    return list
}

Protocol-Specific Features

SSH / rsh-spx / LDAP

// SSH cracker with key-based auth support
func sshCracker(info AuthInfo) {
    // Supports:
    // - Password authentication
    // - Public key authentication
    // - Interactive keyboard authentication
}
Usage: 
scan4all -host 192.168.1.1 -p 22 -v

Redis (Password-Only)

Redis uses password-only authentication: 
if info.Protocol == "redis" {
    c.onlyPassword = true  // No username required
}
Common Redis passwords checked:
  • (empty password)
  • redis
  • password
  • Custom passwords from dictionary

Oracle Database

Oracle requires SID detection before brute forcing: 
case "oracle":
    if oracle.CheckProtocol(ip, port) == false {
        c.Pool.OutDone()
        return  // Skip if SID unknown
    }
    c.Pool.Function = oracleCracker(ip, port)
SID detection:
  • Automatic TNS listener enumeration
  • Common SID wordlist: ORCL, XE, PROD, DEV

Telnet

Telnet includes unauthorized access detection: 
serverType := getTelnetServerType(ip, port)
if serverType == gotelnet.UnauthorizedAccess {
    // No authentication required - report immediately
    c.authInfo.Auth.Other["Status"] = "UnauthorizedAccess"
    c.authInfo.Status = true
    return
}

SMB Protocol

SMB cracking includes vulnerability detection: 
func smbCracker(info AuthInfo) {
    // Also checks for:
    // - MS17-010 (EternalBlue)
    // - SmbGhost (CVE-2020-0796)
}
SMB vulnerabilities detected:
  • CVE-2017-0143
  • CVE-2017-0144
  • CVE-2017-0145
  • CVE-2017-0146
  • CVE-2017-0147
  • CVE-2017-0148
  • CVE-2020-0796 (SmbGhost)

HTTP Authentication

HTTP brute forcing includes multiple authentication types:

Basic Auth

  • Standard HTTP Authorization header
  • Base64 credential encoding

WebDAV

  • WebDAV-specific authentication
  • PROPFIND/OPTIONS method support

SVN (Subversion)

  • Apache Subversion authentication
  • Repository enumeration

Application-Specific

  • Weblogic console
  • Tomcat manager
  • JBoss admin
Automatic activation: 
# HTTP password brute force automatically activates
# when HTTP authentication is detected
scan4all -host example.com -v
HTTP brute forcing is enabled by default and activates automatically when authentication is required, without manual intervention.

Cracker Engine Implementation

Worker Pool Architecture

type Cracker struct {
    Pool         *pool.Pool      // Concurrent worker pool
    authList     *AuthList       // Username/password lists
    authInfo     *AuthInfo       // Target information
    Out          chan AuthInfo   // Success channel
    onlyPassword bool            // Password-only mode
}

Execution Flow

func NewCracker(info *AuthInfo, isAuthUpdate bool, threads int) *Cracker {
    c := &Cracker{}
    c.Pool = pool.NewPool(threads)  // Create worker pool
    c.authInfo = info
    c.Pool.Interval = time.Microsecond * 13  // Rate limiting
    return c
}

Success Detection

The cracker implements an “early exit” strategy: 
if count > 0 && count <= 5 {
    c.Out <- info.(AuthInfo)  // Report success
}
if count > 5 {
    // Too many successes = protocol not supported or error
}

Performance Tuning

Thread Configuration

# Default: 25 threads
scan4all -host 192.168.1.1 -c 25

# More aggressive (faster)
scan4all -host 192.168.1.1 -c 50

# Conservative (slower, stealthier)
scan4all -host 192.168.1.1 -c 5

Rate Limiting

Built-in rate limiting prevents DoS: 
c.Pool.Interval = time.Microsecond * 13  // ~76,923 attempts/second max
Adjust global rate with -rate flag: 
scan4all -host 192.168.1.1 -rate 100  # 100 requests/second

Timeout Configuration

# Increase timeout for slow services
scan4all -host 192.168.1.1 -timeout 5000  # 5 seconds

Security Considerations

Legal and Ethical Use OnlyPassword brute forcing should only be performed:
  • On systems you own
  • With explicit written permission
  • For legitimate security testing purposes
Unauthorized password cracking is illegal in most jurisdictions.

Account Lockout

Be aware of account lockout policies: 
Common lockout thresholds:
- Windows Active Directory: 5 attempts
- Unix PAM: 3-5 attempts
- Database systems: Varies
- Network devices: Often no lockout
Recommendations:
  • Use small, targeted dictionaries
  • Test with known credentials first
  • Monitor for lockout indicators
  • Implement delays between attempts

Network Detection

Brute force attacks are easily detected:
  • IDS/IPS systems will trigger alerts
  • SIEM systems log authentication failures
  • Firewalls may block after multiple failures
  • Application logs record all attempts
Stealth techniques: 
# Slow, low-volume attacks
scan4all -host target.com -c 1 -rate 10 -timeout 10000

Output and Reporting

Success Format

Successful credentials are reported immediately: 
{
  "protocol": "ssh",
  "ip": "192.168.1.100",
  "port": 22,
  "username": "admin",
  "password": "Password123",
  "status": true,
  "timestamp": "2026-03-05T10:30:00Z"
}

Elasticsearch Storage

Results can be stored in Elasticsearch: 
# Query successful authentications
curl "http://127.0.0.1:9200/auth_index/_search?q=status:true"

# Query by protocol
curl "http://127.0.0.1:9200/auth_index/_search?q=protocol:ssh"

Advanced Features

Protocol Detection

Automatic protocol verification: 
func Ok(protocol string) bool {
    if misc.IsInStrArr(ProtocolList, protocol) {
        return true
    }
    return false
}

Custom Wordlist Format

Username file (usernames.txt): 
admin
root
administrator
user
operator
Password file (passwords.txt): 
password
123456
admin
Password123
P@ssw0rd
letmein
qwerty
Combined credentials (credentials.txt): 
admin:admin
root:password
administrator:Password123
user:user123

Weblogic-Specific Dictionaries

scan4all includes specialized Weblogic dictionaries from real-world penetration tests: 
pkg/hydra/dicts/weblogic_users.txt
pkg/hydra/dicts/weblogic_passwords.txt
pkg/hydra/dicts/webshell_paths.txt  # For file fuzzing

Example Workflows

# Crack all services on a single host
priorityNmap=true scan4all -host 192.168.1.100 -v

Troubleshooting

No Credentials Found

1

Verify Service Detection

Ensure the service was correctly identified:
scan4all -host 192.168.1.1 -v | grep "service:"
2

Check Dictionary Quality

Use comprehensive dictionaries:
3

Increase Threads

More threads = faster coverage:
priorityNmap=true scan4all -host target.com -c 50
4

Check for Lockout

Monitor authentication logs for lockout indicators

Protocol Not Supported

If you see “protocol not supported” errors: 
# Check supported protocols
scan4all -h | grep -A 30 "password blasting"

# Verify protocol list
echo $PROTOCOL | grep -i "protocol_name"

Connection Errors

# Increase timeout for slow connections
priorityNmap=true scan4all -host target.com -timeout 10000

# Reduce threads to avoid overwhelming the target
priorityNmap=true scan4all -host target.com -c 5

Best Practices

1

Start with Small Dictionaries

Use top 100-1000 passwords first to avoid lockouts:
head -n 100 passwords.txt > top100.txt
priorityNmap=true scan4all -host target.com -passlist top100.txt
2

Test Known Credentials

Verify the cracker works with known valid credentials before using large dictionaries
3

Monitor Target Logs

Watch authentication logs during testing:
# On Linux targets
tail -f /var/log/auth.log

# On Windows targets
Get-EventLog -LogName Security -Newest 50
4

Document Findings

Record:
  • Successful credentials
  • Account lockout occurrences
  • Service response times
  • Network behavior
5

Secure Discovered Credentials

  • Store securely
  • Encrypt credential files
  • Limit access
  • Delete when testing complete