henum is a terminal tool that runs several kinds of scans against a hostname. It covers network scans such as DNS lookups and traceroute as well as web scans that identify the technologies and the CMS a site is built on.
A content management system (CMS) manages the creation and modification of digital content. It typically supports multiple users in a collaborative environment. Some notable examples are WordPress, Joomla and Drupal.
This tool is based on Python 2.7. To install the henum scanner, run the following command from the repository directory:
pip install -r requirements.txt
Wait until all the dependencies have been downloaded, then proceed with the next step. PyV8 must be installed for the tool to run.
Note for macOS users: if you have problems installing PyV8 you can use PyV8-OS-X:
pip install -e git://github.com/brokenseal/PyV8-OS-X#egg=pyv8
GitHub stopped serving the unauthenticated git:// protocol in 2022, so if that command fails to clone, rewrite the URL as git+https://github.com/brokenseal/PyV8-OS-X#egg=pyv8.
- macOS Catalina Version 10.15.5 (19F101)
- IP Scan
- DNS Scan
- WHOIS Scan
- Location Scan
- CMS Scan
- Technologies Scan
- Traceroute Scan
- Subdomains Scan
- Reverse IP Lookup Scan
This scan resolves the hostname to its IP address.
python henum.py -t example.com -s ip
This scan returns the DNS records of a hostname. The queried record types are 'A', 'AAAA', 'MX', 'NS', 'TXT', 'SOA', 'CNAME', 'MF' and 'MD'. Note that MD and MF are obsolete types (superseded by MX in RFC 1035) and normally return no answer; the sample output below only shows the types that answered.
python henum.py -t example.com -s dns
"dns": {
"A": [
"avesexoticas.org. 300 IN A 37.59.219.148"
],
"SOA": [
"avesexoticas.org. 3600 IN SOA fay.ns.cloudflare.com. dns.cloudflare.com. 2034574773 10000 2400 604800 3600"
],
"NS": [
"avesexoticas.org. 86400 IN NS fay.ns.cloudflare.com.",
"avesexoticas.org. 86400 IN NS hank.ns.cloudflare.com."
],
"TXT": [
"avesexoticas.org. 300 IN TXT \"v=spf1 +a +mx +ip4:185.162.171.100 +ip4:181.215.9.22 +include:relay.sered.net ~all\""
]
}
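The record strings in the "dns" output are plain zone-format lines (name, TTL, class, type, rdata), and the TXT record in the sample is an SPF policy, which is usually the first thing worth reading in a recon report because it names every host and third party allowed to send mail for the domain. The following is an added example (Python 3, not part of henum, which is Python 2.7) that parses that output into structured records and summarises the SPF policy; the input is the sample shown above re-typed as a constant, nothing is queried live:

```python
"""Parse henum's "dns" output into structured records and summarise SPF.

Added example for this README, not henum's own code. SAMPLE_DNS is the
sample output shown above, re-typed as a constant (no live lookups).
"""
import re

# Constructed from the sample "dns" output above.
SAMPLE_DNS = {
    "A": ["avesexoticas.org. 300 IN A 37.59.219.148"],
    "SOA": ["avesexoticas.org. 3600 IN SOA fay.ns.cloudflare.com. dns.cloudflare.com. "
            "2034574773 10000 2400 604800 3600"],
    "NS": ["avesexoticas.org. 86400 IN NS fay.ns.cloudflare.com.",
           "avesexoticas.org. 86400 IN NS hank.ns.cloudflare.com."],
    "TXT": ['avesexoticas.org. 300 IN TXT "v=spf1 +a +mx +ip4:185.162.171.100 '
            '+ip4:181.215.9.22 +include:relay.sered.net ~all"'],
}

QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_record(line):
    """Split one zone-format line into name, ttl, class, type and rdata.

    TXT rdata is returned unquoted; a long TXT record is stored as several
    quoted strings, which are concatenated with no separator (as SPF
    requires). Other rdata stays a string for the caller to split further.
    """
    name, ttl, rclass, rtype, rdata = line.split(None, 4)
    if rtype == "TXT":
        rdata = "".join(s.replace('\\"', '"') for s in QUOTED_RE.findall(rdata))
    return {"name": name.rstrip("."), "ttl": int(ttl), "class": rclass,
            "type": rtype, "rdata": rdata}


def parse_dns_output(dns):
    """Flatten the {type: [lines]} dict into a list of parsed records."""
    records = []
    for rtype, lines in dns.items():
        for line in lines:
            rec = parse_record(line)
            if rec["type"] != rtype:
                raise ValueError("%s record filed under %s" % (rec["type"], rtype))
            records.append(rec)
    return records


def parse_spf(txt):
    """Return SPF terms as (qualifier, mechanism, value), or None if not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # implicit qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Modifiers (redirect=, exp=) use '=', mechanisms use ':'.
        sep = "=" if re.match(r"^[a-z]+=", term, re.I) else ":"
        mech, _, value = term.partition(sep)
        parsed.append((qualifier, mech.lower(), value))
    return parsed


def spf_summary(dns):
    """Authorised IPv4 ranges, included third parties and the 'all' qualifier."""
    for rec in parse_dns_output(dns):
        if rec["type"] != "TXT":
            continue
        terms = parse_spf(rec["rdata"])
        if terms is None:
            continue
        return {
            "ip4": [v for q, m, v in terms if m == "ip4" and q == "+"],
            "includes": [v for q, m, v in terms if m == "include"],
            # '~' (softfail) means spoofed mail is marked, not rejected.
            "all": next((q for q, m, v in terms if m == "all"), None),
        }
    return None


if __name__ == "__main__":
    for rec in parse_dns_output(SAMPLE_DNS):
        print(rec)
    print(spf_summary(SAMPLE_DNS))
```

On the sample this reports two literal sender addresses plus an include of relay.sered.net (a third party whose own SPF now governs who can mail as the domain) and a softfail "~all", which most receivers treat as "mark, do not reject".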
With this type of scan you can get the WHOIS information of a hostname.
python henum.py -t example.com -s whois
"whois": {
"updated_date": [ ... ],
"status": [ ... ],
"name": "REDACTED FOR PRIVACY",
"dnssec": "unsigned",
"city": "REDACTED FOR PRIVACY",
"expiration_date": [ ... ],
"address": "REDACTED FOR PRIVACY",
"zipcode": "REDACTED FOR PRIVACY",
"domain_name": [
"AVESEXOTICAS.ORG",
"avesexoticas.org"
],
"whois_server": "whois.registrar.eu",
"state": "ourense",
"registrar": "Hosting Concepts B.V. d/b/a Openprovider",
"country": "ES",
"name_servers": [ ... ],
"org": "SERED.NET",
"creation_date": [ ... ],
"emails": "abuse@registrar.eu"
},
This scan geolocates the server's IP address.
python henum.py -t example.com -s loc
"loc": {
"timezone": "Europe/Paris",
"loc": "48.8534,2.3488",
"ip": "37.59.219.148",
"postal": "75000",
"org": "AS16276 OVH SAS",
"city": "Paris",
"country": "FR",
"region": "\u00cele-de-France",
"hostname": "bigovh2.gestiondeservidor.com"
}
The scan runs a set of detection and enumeration checks against sites built on WordPress, Joomla, Drupal and Magento.
The most complete information today is returned when it detects a WordPress site.
If it finds one, it tries to list the backend users (authors), the version and theme in use, exposed pages such as readme.html and wp-admin/upgrade.php (the "results" list below), some of the installed plugins and, where data is available, the known vulnerabilities affecting each detected plugin. An author slug usually matches the login name in a default WordPress install, so treat the users list as a username-enumeration finding, and treat a reachable readme.html as a version leak.
python henum.py -t example.com -s cms
"cms": {
"theme": "orbital",
"version": "5.3.2",
"users": [
{
"slug": "noel",
"link": "https://avesexoticas.org/author/noel/",
"id": 2,
"name": "Noel"
},
{
"slug": "romu",
"link": "https://avesexoticas.org/author/romu/",
"id": 3,
"name": "Romu"
}
],
"provider": "WordPress",
"plugins": [
{
"table-of-contents-plus": {
"popular": true,
"last_updated": "2020-02-09T04:53:00.000Z",
"friendly_name": "Table of Contents Plus",
"latest_version": "2002",
"vulnerabilities": [...]
}
},
],
"results": [
"http://avesexoticas.org/wp-admin/upgrade.php",
"http://avesexoticas.org/readme.html"
]
}
This scan identifies the technologies used by the website. Note that the scan is selected with -s technology while the output key is "technologies".
python henum.py -t example.com -s technology
"technologies": {
"jQuery": {
"confidence": 100,
"version": "",
"categories": [
"javascript-frameworks"
]
},
"Google AdSense": {
"confidence": 100,
"version": "",
"categories": [
"advertising-networks"
]
},
"Google Analytics": {
"confidence": 100,
"version": "",
"categories": [
"analytics"
]
}
}
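Both the CMS scan and the technologies scan above come down to matching signatures against the HTML a site serves: WordPress reveals its version in the generator meta tag and in readme.html, the theme and plugins in wp-content paths (with a declared version in the ?ver= query string), and third-party scripts such as jQuery, AdSense and Analytics by their asset URLs. The following is an added example (Python 3, not henum's own detection code) that fingerprints both from a constructed page resembling the one whose output is shown above; the tracking ID and asset paths are made up and nothing is fetched:

```python
"""Fingerprint WordPress details and common third-party technologies from HTML.

Added example for this README, not henum's own detection code. SAMPLE_HTML
is constructed to resemble a page that would yield the "cms" and
"technologies" output shown above; the tracking ID and paths are made up.
"""
import re

SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.3.2" />
<link rel="stylesheet" href="https://avesexoticas.org/wp-content/themes/orbital/style.css?ver=5.3.2" />
<script src="https://avesexoticas.org/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp"></script>
<script src="https://avesexoticas.org/wp-content/plugins/table-of-contents-plus/front.min.js?ver=2002"></script>
<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-12345678-1"></script>
<link rel="https://api.w.org/" href="https://avesexoticas.org/wp-json/" />
</head><body></body></html>"""

URL_RE = re.compile(r'(?:src|href)=["\']([^"\']+)["\']', re.I)
GENERATOR_RE = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress\s*([\d.]*)', re.I)
THEME_RE = re.compile(r'/wp-content/themes/([^/"\'?]+)/', re.I)
PLUGIN_RE = re.compile(r'/wp-content/plugins/([^/"\'?]+)/', re.I)
QUERY_VER_RE = re.compile(r'[?&]ver=([^&"\']+)')              # WordPress ?ver=1.2.3
FILE_VER_RE = re.compile(r'-(\d+(?:\.\d+)+)(?:\.min)?\.js$')  # jquery-3.5.1.min.js

# Generic signatures matched against asset URLs: (name, category, pattern).
TECH_SIGNATURES = [
    ("jQuery", "javascript-frameworks",
     re.compile(r'jquery(?:[.-][\d.]+)?(?:\.min)?\.js', re.I)),
    ("Google AdSense", "advertising-networks",
     re.compile(r'pagead2\.googlesyndication\.com', re.I)),
    ("Google Analytics", "analytics",
     re.compile(r'googletagmanager\.com/gtag/js|google-analytics\.com/analytics\.js', re.I)),
]


def asset_urls(html):
    """Every src/href value in the page; both fingerprints work on these."""
    return URL_RE.findall(html)


def asset_version(url):
    """Version hint from ?ver= or a -1.2.3 suffix in the filename, else ''."""
    m = QUERY_VER_RE.search(url) or FILE_VER_RE.search(url.split("?", 1)[0])
    return m.group(1) if m else ""


def fingerprint_wordpress(html):
    """Provider, core version, theme and {plugin: declared version}."""
    urls = asset_urls(html)
    gen = GENERATOR_RE.search(html)
    themes = sorted({m.group(1) for m in map(THEME_RE.search, urls) if m})
    plugins = {}
    for u in urls:
        m = PLUGIN_RE.search(u)
        if m:
            # First version seen wins; ?ver= is only what the site declares.
            plugins.setdefault(m.group(1), asset_version(u))
    markers = any("/wp-json" in u or "/wp-includes/" in u for u in urls)
    is_wp = bool(gen or themes or plugins or markers)
    return {
        "provider": "WordPress" if is_wp else None,
        "version": gen.group(1) if gen else None,
        "theme": themes[0] if themes else None,
        "plugins": plugins,
    }


def fingerprint_technologies(html):
    """{name: {"version": ..., "categories": [...]}} for matched signatures."""
    found = {}
    for name, category, pattern in TECH_SIGNATURES:
        for u in asset_urls(html):
            if pattern.search(u):
                found[name] = {"version": asset_version(u), "categories": [category]}
                break
    return found


if __name__ == "__main__":
    print(fingerprint_wordpress(SAMPLE_HTML))
    print(fingerprint_technologies(SAMPLE_HTML))
```

A declared ?ver= value is what the site claims, not proof of what is installed; a plugin's readme.txt under wp-content/plugins/NAME/ is the usual second source when deciding whether a published vulnerability actually applies.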
This scan geolocates each hop on the route to the target. In the sample below, the ttl field is the measured round-trip time rather than the IP TTL, and the hop geolocation should be read with caution: both hops carry hostnames that look like US routers (pao ... ca.us, chi ... il.us) yet are placed in Paris with identical coordinates, and lat/lng are swapped relative to the loc scan output above.
python henum.py -t example.com -s traceroute
"traceroute": [
{
"ip": "178.32.135.150",
"host": "be100-104.pao-sv8-bb1-a9.ca.us",
"loc": {
"lat": "2.3488",
"city": "Paris",
"lng": "48.8534",
"region": "\u00cele-de-France",
"country": "FR"
},
"ttl": "196.254ms"
},
{
"ip": "198.27.73.227",
"host": "chi-5-a9.il.us",
"loc": {
"lat": "2.3488",
"city": "Paris",
"lng": "48.8534",
"region": "\u00cele-de-France",
"country": "FR"
},
"ttl": "243.975ms"
}
]
This scan is a brute-force attack, so be patient while it completes: the wordlist it uses contains 3297 words. It detects which subdomains belong to the hostname. If the zone has a wildcard record, every candidate will appear to resolve, so resolve a random label first before trusting a long list of hits.
python henum.py -t example.com -s subdomains
"subdomains": [
"www.avesexoticas.org",
"ftp.avesexoticas.org",
"mx.avesexoticas.org",
...
]
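The subdomain scan above resolves every word in a list against the target; the one thing a brute-forcer must get right is wildcard DNS, otherwise every one of the 3297 words "exists". The following is an added example (Python 3, not henum's own scanner) that does the same enumeration with a thread pool, probes random labels first and discards answers that match the wildcard address. The resolver is injectable; the default uses the system resolver, while the constructed fake zone at the bottom lets it run offline:

```python
"""Subdomain brute force with wildcard detection.

Added example for this README, not henum's own code. WORDLIST is a tiny
constructed list (henum ships 3297 words) and FAKE_ZONE/resolve_fake are a
made-up zone so the logic runs without network; pass resolve=resolve_system
to use the real resolver.
"""
import random
import socket
import string
from concurrent.futures import ThreadPoolExecutor

# Constructed, deliberately short wordlist.
WORDLIST = ["www", "ftp", "mx", "mail", "dev", "staging", "vpn", "nonexistent1"]


def resolve_system(host):
    """Default resolver: the set of IPv4 addresses for host, empty on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def wildcard_addresses(domain, resolve, probes=3):
    """Resolve a few random labels; any answer means the zone has a wildcard."""
    found = set()
    alphabet = string.ascii_lowercase + string.digits
    for _ in range(probes):
        label = "".join(random.choice(alphabet) for _ in range(16))
        found |= resolve("%s.%s" % (label, domain))
    return found


def bruteforce_subdomains(domain, wordlist=WORDLIST, resolve=resolve_system, workers=20):
    """Return {fqdn: [addresses]} for words that resolve, minus wildcard noise."""
    wildcard = wildcard_addresses(domain, resolve)
    candidates = ["%s.%s" % (w, domain) for w in wordlist]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        answers = list(pool.map(resolve, candidates))
    results = {}
    for fqdn, addrs in zip(candidates, answers):
        real = addrs - wildcard   # drop addresses that every label receives
        if real:
            results[fqdn] = sorted(real)
    return results


# Constructed fake zone for offline use: *.example.com is a wildcard.
FAKE_ZONE = {
    "www.example.com": {"203.0.113.10"},
    "ftp.example.com": {"203.0.113.11"},
    "mx.example.com": {"203.0.113.12"},
    "dev.example.com": {"203.0.113.99"},   # same as the wildcard, so it is hidden
}


def resolve_fake(host):
    """Stand-in resolver over FAKE_ZONE (constructed data)."""
    if host in FAKE_ZONE:
        return set(FAKE_ZONE[host])
    if host.endswith(".example.com"):
        return {"203.0.113.99"}            # wildcard answer for any other label
    return set()


if __name__ == "__main__":
    print(bruteforce_subdomains("example.com", resolve=resolve_fake))
```

The trade-off of address-based filtering shows in the fake zone: dev.example.com is a real name but shares the wildcard address, so it is dropped. When that matters, compare HTTP responses or use a different record type rather than relying on A records alone.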
This is an experimental scan that relies on a service with a limited number of queries per day, and it is still in development. It detects which other websites are hosted on the same IP address.
python henum.py -t example.com -s reverse_ip_lookup
"reverse_ip_lookup": [
"www.avesexoticas.org",
"ftp.avesexoticas.org",
"mx.avesexoticas.org",
...
]
- WordPress -> https://www.toyota.com.br/
- Joomla -> https://launch.joomla.org/
- Magento -> http://demo-acm-2.bird.eu/
- Drupal -> https://www.drupal.org/