If you're like me, you don't want to spend your precious memory on remembering awkward command line parameters. However, lots of tools require exactly that: awkward command line parameters.

To simplify scanning hosts for network vulnerabilities, I wrote a simple wrapper script around several open source security tools. The script lets you analyze one or several hosts for common misconfigurations and weaknesses.
My main objectives in writing it were to make generic security tests as easy as possible to run without heavy prerequisites, to make the output as informative as possible, and to build on existing open source tools.

Note that the latest version is the Python version - please use that one.

How to install

Clone the git repository using the command

git clone https://github.com/PeterMosmans/security-scripts.git

Needed

Linux and nmap

Optional

  • curl
    for fingerprinting and to test for TRACE
  • dig
    to test for recursive DNS servers
  • git
    to update the script
  • nikto
    for webscanning
  • testssl.sh
    to check the SSL configuration
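
The optional tools above only produce raw text; the wrapper has to interpret it before it can colour a finding GREEN or RED. The following is an added example, not code from the security-scripts repository: it shows the interpretation step for two of the checks listed (curl for HTTP TRACE, dig for recursive DNS) over constructed tool output, so it runs offline. The header and dig samples, and the function names, are all assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from the security-scripts repository: the parsing a
# wrapper script has to do on the raw output of curl and dig before it can
# report a result as GREEN (secure setting) or RED (possible vulnerability).
# All tool output below is constructed for this example.

# Constructed: response headers to a TRACE request, e.g. from
#   curl -s -I -X TRACE http://host/
# A server that answers TRACE with 2xx echoes the request back to the client.
TRACE_ENABLED='HTTP/1.1 200 OK
Server: Apache
Content-Type: message/http'

TRACE_DISABLED='HTTP/1.1 405 Method Not Allowed
Server: nginx
Allow: GET, HEAD, POST'

# Constructed: dig header section for a query about a domain the server is
# not authoritative for. "ra" = recursion available.
DIG_RECURSIVE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

DIG_NOT_RECURSIVE=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12346
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# http_status HEADERS -> prints the numeric status code from the status line
http_status() {
    printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p'
}

# check_trace HEADERS -> RED if TRACE was accepted (2xx), GREEN otherwise
check_trace() {
    case "$(http_status "$1")" in
        2[0-9][0-9]) echo RED ;;
        *)           echo GREEN ;;
    esac
}

# check_recursion DIG_OUTPUT -> RED if the server answered a query for a
# foreign domain (status NOERROR) with the "ra" flag set, i.e. it is an open
# recursive resolver; GREEN otherwise
check_recursion() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    case "$status / $flags " in
        "NOERROR /"*" ra "*) echo RED ;;
        *)                   echo GREEN ;;
    esac
}

# Stand-alone demonstration over the constructed samples
main() {
    printf 'TRACE enabled    -> %s\n' "$(check_trace "$TRACE_ENABLED")"
    printf 'TRACE disabled   -> %s\n' "$(check_trace "$TRACE_DISABLED")"
    printf 'open resolver    -> %s\n' "$(check_recursion "$DIG_RECURSIVE")"
    printf 'closed resolver  -> %s\n' "$(check_recursion "$DIG_NOT_RECURSIVE")"
}
main "$@"
```

The point of keeping the parsing in small functions that return a verdict is that the same verdict can feed the coloured screen output, the per-scan logfile and the concatenated output file without re-running the tool.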

Usage

Oh irony - the command line parameters for the tool:

usage: analyze_hosts.sh [OPTION]... [HOST]

Scanning options:
 -a, --all perform all basic scans
 --max perform all advanced scans (more thorough)
 -b, --basic perform basic scans (fingerprint, ssl, trace)
 --filter=FILTER only proceed with scan of HOST if WHOIS
 results of HOST matches regexp FILTER
 --dns test for recursive query
 -f perform web fingerprinting (all webports)
 --fingerprint perform all web fingerprinting methods
 -h, --header show webserver headers (all webports)
 -n, --nikto nikto webscan (all webports)
 -p nmap portscan (top 1000 ports)
 --ports nmap portscan (all ports)
 -s check SSL configuration
 --ssl perform all SSL configuration checks
 --timeout=SECONDS change timeout for sslscan (default=30)
 --ssh perform SSH configuration checks
 -t check webserver for HTTP TRACE method
 --trace perform all HTTP TRACE method checks
 -w, --whois perform WHOIS lookup for the IP address
 -W confirm WHOIS results before continuing scan

Port selection (comma separated list):
 --webports=PORTS use PORTS for web scans (default 80,443)
 --sslports=PORTS use PORTS for ssl scans (default 443,993,995)

Logging and input file:
 -d, --directory=DIR location of temporary files (default /tmp)
 -i, --inputfile=FILE use a file containing hostnames
 -l, --log log each scan in a separate logfile
 --nocolor don't use fancy colors in screen output
 -o, --output=FILE concatenate all results into FILE
 -q, --quiet quiet
 -v, --verbose show server responses

 -u update this script (if it's a cloned repository)
 --update force update (overwrite all local modifications)
 --version print version information and exit

 BLUE: status messages
 GREEN: secure settings
 RED: possible vulnerabilities

[HOST] can be a single (IP) address, an IP range, eg. 127.0.0.1-255
 or multiple comma-separated addresses, eg 127.0.0.1,127.0.0.2

example: /usr/local/sbin/analyze_hosts -a --filter Amazon www.google.com
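
The usage text above leaves two pieces of input handling implicit: expanding the [HOST] forms (single address, comma-separated list, last-octet range) and the gate behind --filter, which only proceeds when the WHOIS record matches a regular expression. The following is an added example, not code from the security-scripts repository, that implements both. The WHOIS record is constructed (203.0.113.0/24 is a documentation range), and lookup_whois is a hypothetical stand-in that returns that record for every host so the example runs offline.

```sh
#!/bin/sh
# Added example, not code from the security-scripts repository: the input
# handling behind the [HOST] argument and the --filter option described in
# the usage text. The WHOIS record below is constructed (203.0.113.0/24 is a
# documentation range).

WHOIS_SAMPLE='NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
OrgName:        Example Hosting Corp
Country:        NL'

# expand_hosts SPEC -> one host per line
# Accepts the forms the usage text allows: a single address or hostname, a
# comma-separated list, and a last-octet range such as 127.0.0.1-255.
expand_hosts() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            '') ;;                        # skip empty items (e.g. trailing comma)
            *.*.*.*-*)
                prefix=${item%.*}         # 127.0.0
                range=${item##*.}         # 1-255
                first=${range%-*}
                last=${range#*-}
                if [ "$first" -le "$last" ] 2>/dev/null; then
                    i=$first
                    while [ "$i" -le "$last" ]; do
                        printf '%s.%s\n' "$prefix" "$i"
                        i=$((i + 1))
                    done
                else
                    printf '%s\n' "$item" # not a numeric range: pass through
                fi
                ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# whois_matches WHOIS_TEXT FILTER -> exit 0 if the record matches the
# extended regular expression FILTER (case-insensitive), i.e. the scan of
# that host should proceed under --filter=FILTER
whois_matches() {
    printf '%s\n' "$1" | grep -Eiq -e "$2"
}

# lookup_whois HOST -> hypothetical stand-in for a real whois(1) call; it
# returns the constructed record for every host so the example runs offline.
lookup_whois() { printf '%s\n' "$WHOIS_SAMPLE"; }

# hosts_to_scan SPEC FILTER -> the hosts from SPEC whose WHOIS record passes
# FILTER (the hosts that would actually be scanned)
hosts_to_scan() {
    expand_hosts "$1" | while IFS= read -r host; do
        if whois_matches "$(lookup_whois "$host")" "$2"; then
            printf '%s\n' "$host"
        fi
    done
}

main() {
    echo "Expanded hosts:"
    expand_hosts '203.0.113.1-3,www.example.com'
    echo "Hosts matching --filter 'example hosting':"
    hosts_to_scan '203.0.113.1-3' 'example hosting'
    echo "Hosts matching --filter Amazon:"
    hosts_to_scan '203.0.113.1-3' 'Amazon'
}
main "$@"
```

The range branch only expands when both ends are integers; anything else (a hostname containing a dash, for instance) is passed through unchanged rather than silently dropped, which is the behaviour you want from a gate that decides what gets scanned.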
