- Table of Contents
- Overview
- Features
- Project Structure
- Getting Started
- Roadmap
- Contributing
- License
- Acknowledgments
GhostScan is a security scanner specifically designed for Ghost CMS penetration testing and security assessment. More powerful than WPScan, GhostScan offers comprehensive analysis of Ghost CMS installations with extensive enumeration capabilities, intelligent vulnerability detection, and attack vectors tailored for Ghost CMS.
Built with penetration testers and security researchers in mind, GhostScan performs deep analysis of Ghost CMS installations, providing professional-grade security scanning capabilities that go beyond basic vulnerability detection.
- Ghost Detection: Multi-vector Ghost CMS fingerprinting
- Version Fingerprinting: Precise version detection with build information
- Theme & Plugin Enumeration: Comprehensive discovery of installed components
- API Endpoint Discovery: Intelligent Ghost API enumeration
- Configuration Analysis: Deep configuration and security posture assessment
- CVE Database Integration: Real-time vulnerability scanning with latest CVEs
- Exploit Integration: Built-in exploit modules for known vulnerabilities
- Security Misconfiguration Detection: Security hardening checks
- Admin Panel Discovery: Multiple techniques for admin interface detection
- Database Information Disclosure: Detection of database leaks and exposures
- User & Author Discovery: Multi-vector user enumeration techniques
- Content Discovery: Posts, pages, tags, and metadata enumeration
- Integration Detection: Third-party service and webhook discovery
- Route Mapping: Complete application route discovery
- File & Directory Discovery: Sensitive file and backup detection
- Intelligent Brute Force: Multi-target brute force (admin, API, login forms)
- Custom Wordlists: Support for custom username and password lists
- Rate Limiting Bypass: Techniques to bypass rate limiting
- Session Management: Intelligent session handling and cookie management
- Passive Scanning: Non-intrusive reconnaissance mode
- Random User Agents: Rotating user agent strings
- Request Throttling: Configurable delays and randomization
- Proxy Support: Full HTTP/HTTPS proxy integration
- SSL Bypass: Options for SSL certificate validation bypass
- Multiple Output Formats: Text, JSON, XML, CSV export
- Detailed Logging: Comprehensive audit trails
- Risk Assessment: Automated risk scoring and prioritization
- Executive Summary: High-level security posture reporting
```text
ghostscan/
├── 25.2
├── Dockerfile
├── LICENSE
├── Makefile
├── README.md
├── cmd
│   ├── brute.go
│   ├── enumerate.go
│   ├── ghostscan
│   ├── root.go
│   ├── scan.go
│   └── vuln.go
├── configs
│   ├── bruteforce.yaml
│   ├── enumeration.yaml
│   ├── output.yaml
│   ├── scanner.yaml
│   └── vulnerabilities.yaml
├── examples
│   └── usage_examples.sh
├── ghostscan
├── go.mod
├── go.sum
├── helm
│   └── ghostscan
├── k8s
│   └── deployment.yaml
├── main.go
├── pkg
│   ├── bruteforce
│   ├── cache
│   ├── cli
│   ├── config
│   ├── database
│   ├── enumeration
│   ├── exploits
│   ├── fingerprint
│   ├── ghost
│   ├── logging
│   ├── monitoring
│   ├── output
│   ├── payloads
│   ├── performance
│   ├── pool
│   ├── reporting
│   ├── scanner
│   ├── security
│   ├── themes
│   ├── ui
│   └── vulnerabilities
├── tests
│   └── integration_test.go
└── wordlists
    ├── endpoints.txt
    ├── passwords.txt
    ├── themes.txt
    └── usernames.txt
```

| File Name | Summary |
|---|---|
| go.mod | Go module definition and dependencies |
| LICENSE | BSD-2-Clause License for the project |
| Dockerfile | Docker container configuration |
| Makefile | Build automation and project tasks |
| main.go | Main application entry point |
- Go: Version 1.21 or higher
- Git: For cloning the repository
- Internet Connection: For vulnerability database updates
```bash
# Clone the repository
git clone https://github.com/ibrahmsql/ghostscan.git
cd ghostscan

# Build the application
go mod tidy
go build -o ghostscan cmd/ghostscan/main.go

# Make it executable
chmod +x ghostscan
```

```bash
# Build Docker image
docker build -t ghostscan .

# Run with Docker
docker run --rm ghostscan -u https://example.com
```

```bash
# Build using Makefile
make build

# Install to system
make install

# Run tests
make test
```

```bash
# Quick Ghost CMS detection and basic security scan
./ghostscan -u https://example.com

# Comprehensive scan with all enumeration
./ghostscan -u https://target.com --enumerate all --verbose

# Passive reconnaissance (stealth mode)
./ghostscan -u https://target.com --passive --random-user-agent
```

```bash
# Full enumeration of all Ghost components
./ghostscan -u https://target.com --enumerate all

# Specific component enumeration
./ghostscan -u https://target.com --detect-themes --detect-users --detect-plugins

# API and admin discovery
./ghostscan -u https://target.com --detect-api --detect-admin --detect-routes
```

```bash
# Comprehensive vulnerability scan
./ghostscan -u https://target.com --vuln-scan --aggressive

# Update vulnerability database and scan
./ghostscan -u https://target.com --update --vuln-scan
```

```bash
# Admin panel brute force
./ghostscan -u https://target.com --brute-admin --userlist users.txt --passlist passwords.txt

# API endpoint brute force
./ghostscan -u https://target.com --brute-api --brute-users
```

```bash
# Run unit tests
go test ./...

# Run integration tests
go test -tags=integration ./tests/

# Run with coverage
go test -cover ./...

# Benchmark tests
go test -bench=. ./...
```

- Enhanced Vulnerability Detection
  - Machine learning-based anomaly detection
  - Custom vulnerability rule engine
  - Integration with external threat intelligence
- Enhanced Reporting
  - HTML report generation
  - PDF export functionality
  - Integration with SIEM systems
- Performance Improvements
  - Distributed scanning capabilities
  - Enhanced caching mechanisms
  - Optimized memory usage
- Additional Features
  - Web interface for easier usage
  - Plugin system for extensibility
  - API for integration with other tools
| Flag | Description | Default |
|---|---|---|
| `--url, -u` | Target Ghost CMS URL (required) | - |
| `--verbose, -v` | Enable verbose output | false |
| `--output, -o` | Output file for results | stdout |
| `--format` | Output format (text, json, xml, csv) | text |
| `--enumerate, -e` | Components to enumerate | - |
| `--brute-force` | Enable brute force attack | false |
| `--threads` | Number of concurrent threads | 10 |
| `--timeout` | Request timeout in seconds | 30 |
| `--user-agent` | Custom User-Agent string | GhostScan/1.0 |
| `--proxy` | HTTP/HTTPS proxy URL | - |
| `--passive` | Enable passive scanning mode | false |
| `--aggressive` | Enable aggressive scanning | false |
| `--random-user-agent` | Use random User-Agent strings | false |
| `--skip-ssl` | Skip SSL certificate validation | false |
- HTTP Headers
  - `X-Ghost-Cache: miss/hit`
  - `X-Ghost-Version: 4.x.x`
- HTML Meta Tags
  - `<meta name="generator" content="Ghost 4.48.2">`
- API Endpoints
  - `/ghost/api/v4/admin/site/`
  - `/ghost/api/v4/content/settings/`
  - `/.well-known/ghost/`
- Static Files
  - `/assets/built/admin.js`
  - `/content/themes/[theme]/`
  - `/ghost/assets/`

- Direct Methods
  - Meta generator tag parsing
  - API version responses
  - Admin asset versioning
- Fingerprinting
  - JavaScript bundle analysis
  - API response structure
  - Theme helper availability
- CVE-2023-32235: Path Traversal in Theme Preview (≤ 5.52.1)
- CVE-2023-40028: Arbitrary File Read via Theme Upload (≤ 5.58.0)
- CVE-2024-23724: Stored XSS via Profile Image Upload
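The meta-generator fingerprint above and the version bounds in the CVE list, combined as an added Go example that is not GhostScan's own code: it extracts the Ghost version from the generator tag and reports which of the README's bounded advisories still cover that version, which is the check a site owner runs to decide whether an upgrade is due. All function names are this example's own, and the HTML body used in the test is constructed.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// generatorRe matches the README's fingerprint tag, e.g. <meta name="generator" content="Ghost 4.48.2">.
var generatorRe = regexp.MustCompile(`<meta\s+name="generator"\s+content="Ghost\s+([0-9]+(?:\.[0-9]+)*)"`)
// DetectGhostVersion returns the version from the generator meta tag, or "" if none is present.
func DetectGhostVersion(body string) string {
	if m := generatorRe.FindStringSubmatch(body); m != nil {
		return m[1]
	}
	return ""
}
// versionLTE reports whether a <= b over up to three numeric parts ("x" or a missing part counts as 0).
func versionLTE(a, b string) bool {
	parse := func(v string) (p [3]int) {
		for i, s := range strings.SplitN(v, ".", 3) {
			p[i], _ = strconv.Atoi(s)
		}
		return p
	}
	pa, pb := parse(a), parse(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return true
}
// KnownAdvisories holds the "affected up to and including" bounds listed in the README;
// CVE-2024-23724 is omitted because the page gives it no version bound.
var KnownAdvisories = []struct{ ID, MaxAffected string }{
	{"CVE-2023-32235", "5.52.1"}, // Path Traversal in Theme Preview
	{"CVE-2023-40028", "5.58.0"}, // Arbitrary File Read via Theme Upload
}
// AffectedBy returns the advisory IDs whose affected range covers version.
func AffectedBy(version string) []string {
	var ids []string
	for _, a := range KnownAdvisories {
		if versionLTE(version, a.MaxAffected) {
			ids = append(ids, a.ID)
		}
	}
	return ids
}
```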
- Admin interface over HTTP
- Directory browsing enabled
- Debug mode in production
- Exposed configuration files
- Default credentials
```text
=== GhostScan Results ===

[+] Ghost CMS Detected!
    Version: 4.48.2
    Active Theme: casper

[!] Vulnerabilities Found:
    [High] Path Traversal in Theme Preview (CVE-2023-32235)
        Description: Path traversal vulnerability in Ghost theme preview functionality
        Affected: ≤ 5.52.1
        Fixed in: 5.52.2

[*] Users Found:
    admin (admin)
    john-doe (john-doe) [Author]
    jane-smith (jane-smith) [Editor]

[*] Themes Found:
    [+] [ACTIVE] casper (v4.8.0)
        Description: The default personal blogging theme for Ghost
        Author: Ghost Foundation

[*] Interesting Files:
    /robots.txt
    /sitemap.xml
    /rss/
    /ghost/
    /content/themes/

=== Scan Summary ===
Vulnerabilities: 1
Misconfigurations: 0
Users: 3
Themes: 1
Interesting Files: 5
```
- Scanner: Main detection and vulnerability assessment engine
- Enumerator: Component discovery and information gathering
- BruteForcer: Authentication testing and credential discovery
- Output: Flexible reporting with multiple formats
- Language: Go 1.21+
- HTTP Client: Resty v2 for robust HTTP handling
- CLI Framework: Cobra for command-line interface
- JSON Parsing: gjson for fast JSON processing
- Output: Fatih/color for terminal colors
- Only scan systems you own or have explicit permission to test
- Respect rate limits and avoid overwhelming target servers
- Use responsibly and in accordance with applicable laws
- Built-in delays between requests to avoid detection
- Configurable thread count for controlled scanning
- Automatic detection of rate limiting responses
Contributions are welcome! Here's how you can help:
Contributing Guidelines
- Fork the Project
- Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
- Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the Branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
This project is licensed under the BSD-2-Clause License. See the LICENSE file for details.
- Ghost CMS Team: For creating an excellent content management system and providing comprehensive API documentation
- Security Community: For responsible disclosure of vulnerabilities and continuous improvement of security practices
- Go Community: For excellent libraries, tools, and best practices that make development efficient
- Contributors: All the developers who have contributed to making GhostScan better
This tool is designed for authorized security testing and educational purposes only. Users must:
- Only scan systems they own or have explicit written permission to test
- Comply with all applicable local, state, and federal laws
- Respect the target system's resources and avoid causing disruption
- Use the tool responsibly and ethically
The authors and contributors of GhostScan are not responsible for any misuse, damage, or illegal activities performed with this tool. Users assume full responsibility for their actions.
