- Python 3.10+ (tested on 3.13; use a virtual environment if possible)
- Temporal Server running locally or remotely using this guide
- Temporal in Python:
  pip install temporalio
- Python nmap library:
  pip install python-nmap
- System Dependencies / Tools:
  All these tools need to be in PATH.
- Root privileges on the worker are needed to run the port scan with OS detection.
- Start the Temporal server locally:
  temporal server start-dev
- Start the worker:
  python run_worker.py
- Open the Temporal Web UI at:
  http://localhost:8233
- Click “Start Workflow”.
- Fill in the form:
  - Workflow ID: any value (you can use the Random UUID button)
  - Task Queue: scan-task-queue
  - Workflow Type: MasterWorkflow
- Fill out the data field in the input section:
  {
    "scan_type": "SCAN_TYPE",
    "domains": ["DOMAIN", "DOMAIN"],
    "ips": ["IP_ADDRESS", "IP_SUBNET"],
    "output_dir": "OUTPUT_DIRECTORY",
    "wordlist_path": "WORDLIST",
    "use_file_results": "BOOL"
  }
  - scan_type (string, required, no default value) can have 3 values:
    - fast combines passive subdomain enumeration with httpx probing. Requires at least one DOMAIN.
    - complete combines passive and active subdomain enumeration. Requires at least one DOMAIN.
    - asset scans the provided IP addresses using the nmap Python library. Requires at least one IP_ADDRESS or IP_SUBNET. To run the OS scan, root privileges are needed.
  - domains (list of strings, required in fast/complete scan type, no default value) is a list of domains for subdomain enumeration. Can be omitted if the scan type does not require domains.
  - ips (list of strings, required in asset scan type, no default value) is a list of IP addresses or IP subnets for asset discovery and port scanning. Can be omitted if the scan type does not require IPs.
  - output_dir (string, optional, default value is ./out) is the path where all outputs are stored.
  - wordlist_path (string, optional, default value is ./wordlist.txt) is the path to the wordlist used by dnsx.
  - use_file_results (bool, optional, default value is false) is recommended only when scanning large networks. It uses the results saved in output_dir instead of the values returned between workflow steps. Temporal has a limited history size, so scanning a very large network might hit this limit. With this option, either use only one worker, or give all workers access to the path (it must be a shared volume).
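The field rules above, written as a validator that could run on the input before the workflow is started. This is an added example, not code from the project; the names `ScanInput` and `parse_scan_input`, the hostname pattern, the rejection of unknown fields and the normalisation of IPs to CIDR form are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Conservative hostname pattern (an assumption of this example): letter/digit/hyphen
# labels only, so a value can never start with "-" or contain spaces or shell characters.
_HOSTNAME = re.compile(r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
_SCAN_TYPES = {"fast", "complete", "asset"}


@dataclass
class ScanInput:  # hypothetical name; fields and defaults mirror the documented input
    scan_type: str
    domains: list = field(default_factory=list)
    ips: list = field(default_factory=list)
    output_dir: str = "./out"
    wordlist_path: str = "./wordlist.txt"
    use_file_results: bool = False


def parse_scan_input(data: dict) -> ScanInput:
    """Validate a workflow input dict against the documented rules; raise ValueError."""
    unknown = set(data) - set(ScanInput.__dataclass_fields__)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    scan_type = data.get("scan_type")
    if not isinstance(scan_type, str) or scan_type not in _SCAN_TYPES:
        raise ValueError("scan_type must be one of fast, complete, asset")
    inp = ScanInput(**data)
    for name in ("domains", "ips"):
        value = getattr(inp, name)
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            raise ValueError(f"{name} must be a list of strings")
    if not isinstance(inp.use_file_results, bool):  # assumes a JSON boolean, per the documented type
        raise ValueError("use_file_results must be a boolean")
    if inp.scan_type in ("fast", "complete") and not inp.domains:
        raise ValueError(f"{inp.scan_type} scan requires at least one domain")
    if inp.scan_type == "asset" and not inp.ips:
        raise ValueError("asset scan requires at least one IP address or subnet")
    for domain in inp.domains:
        if not _HOSTNAME.fullmatch(domain.lower()):
            raise ValueError(f"not a valid domain name: {domain!r}")
    # strict=False accepts single addresses and subnets; each is normalised to CIDR form
    inp.ips = [str(ipaddress.ip_network(ip, strict=False)) for ip in inp.ips]
    return inp
```

Rejecting anything that does not parse as a hostname or an IP network keeps malformed target strings from ever reaching the external scanning tools.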