imxde-code/ghostscan


  ██████  ██░ ██  ▒█████    ██████ ▄▄▄█████▓  ██████  ▄████▄   ▄▄▄       ███▄    █
▒██    ▒ ▓██░ ██▒▒██▒  ██▒▒██    ▒ ▓  ██▒ ▓▒▒██    ▒ ▒██▀ ▀█  ▒████▄     ██ ▀█   █
░ ▓██▄   ▒██▀▀██░▒██░  ██▒░ ▓██▄   ▒ ▓██░ ▒░░ ▓██▄   ▒▓█    ▄ ▒██  ▀█▄  ▓██  ▀█ ██▒
  ▒   ██▒░▓█ ░██ ▒██   ██░  ▒   ██▒░ ▓██▓ ░   ▒   ██▒▒▓▓▄ ▄██▒░██▄▄▄▄██ ▓██▒  ▐▌██▒
▒██████▒▒░▓█▒░██▓░ ████▓▒░▒██████▒▒  ▒██▒ ░ ▒██████▒▒▒ ▓███▀ ░ ▓█   ▓██▒▒██░   ▓██░

Red Team Reconnaissance Framework

Python 3.10+ · License: MIT · Red Team · Rich CLI

Subdomain enumeration · HTTP header analysis · TCP port scanning — all in one tool.


Legal notice: Use ghostscan only on systems you own or have explicit written permission to test. Unauthorized scanning is illegal in most jurisdictions.


Features

Module      Description
subdomain   DNS brute-force with 115+ wordlist entries, concurrent resolution
headers     HTTP security header audit against 10 common controls
portscan    Concurrent TCP connect scan with service identification

Installation

From source (recommended)

git clone https://github.com/ghostscan/ghostscan
cd ghostscan

# Create and activate a virtual environment
python3 -m venv .venv
source .venv/bin/activate        # macOS / Linux
# .venv\Scripts\activate         # Windows

pip install -e .

With pip directly

pip install ghostscan

Usage

Global help

$ ghostscan --help

  ██████  ██░ ██  ▒█████    ██████  ...
  Red Team Recon Framework v1.0.0

Usage: ghostscan [OPTIONS] COMMAND [ARGS]...

  ghostscan — Red team reconnaissance tool.

Options:
  --version  Show the version and exit.
  --help     Show this message and exit.

Commands:
  headers   Check HTTP security headers for URL.
  portscan  TCP connect port scan against HOST.
  subdomain Brute-force subdomains for DOMAIN using a built-in wordlist.

ghostscan subdomain

Brute-forces subdomains using DNS resolution with a built-in 115-entry wordlist.

ghostscan subdomain <domain> [OPTIONS]

Flag            Default   Description
-w, --workers   50        Concurrent DNS threads
-t, --timeout   3.0       DNS resolution timeout (seconds)
-o, --output              Save results to a text file

Example:

ghostscan subdomain example.com
ghostscan subdomain example.com --workers 100 --timeout 2 --output found.txt

Demo output:

[*] Starting subdomain enumeration for: example.com
    Wordlist size: 115 | Workers: 50 | Timeout: 3.0s

╭─────────────────────────────────────────────────────────────────╮
│            Subdomain Scan Results — example.com                 │
├─────────────────────────────────┬─────────────────┬────────────┤
│ Subdomain                       │ IP Address      │ Status     │
├─────────────────────────────────┼─────────────────┼────────────┤
│ api.example.com                 │ 93.184.216.34   │   FOUND    │
│ mail.example.com                │ 93.184.216.50   │   FOUND    │
│ staging.example.com             │ 93.184.216.99   │   FOUND    │
│ www.example.com                 │ 93.184.216.34   │   FOUND    │
╰─────────────────────────────────┴─────────────────┴────────────╯

[+] Found 4 live subdomain(s) out of 115 probed.

ghostscan headers

Audits HTTP security headers and reports present/missing controls.

ghostscan headers <url> [OPTIONS]

Flag            Default   Description
-t, --timeout   10.0      HTTP request timeout (seconds)
--no-redirect             Disable redirect following

Example:

ghostscan headers https://example.com
ghostscan headers https://example.com --no-redirect

Demo output:

[*] Analysing security headers for: https://example.com

HTTP Status: 200 OK   Server: ECS   X-Powered-By: —

╭───────────────────────────────────────────────────────────────────────────────────╮
│                   Security Header Analysis — https://example.com                  │
├──────────────────────────────────┬──────────────┬──────────────────────────────────┤
│ Header                           │    Status    │ Value / Notes                    │
├──────────────────────────────────┼──────────────┼──────────────────────────────────┤
│ Strict-Transport-Security        │   PRESENT    │ max-age=31536000                 │
│                                  │              │ Forces HTTPS; prevents protocol  │
│                                  │              │ downgrade attacks.               │
├──────────────────────────────────┼──────────────┼──────────────────────────────────┤
│ Content-Security-Policy          │   MISSING    │ Mitigates XSS and data injection │
│                                  │              │ attacks.                         │
├──────────────────────────────────┼──────────────┼──────────────────────────────────┤
│ X-Frame-Options                  │   PRESENT    │ DENY                             │
├──────────────────────────────────┼──────────────┼──────────────────────────────────┤
│ X-Content-Type-Options           │   PRESENT    │ nosniff                          │
├──────────────────────────────────┼──────────────┼──────────────────────────────────┤
│ Referrer-Policy                  │   MISSING    │ Controls how much referrer info  │
│                                  │              │ is included with requests.       │
├──────────────────────────────────┼──────────────┼──────────────────────────────────┤
│ Permissions-Policy               │   MISSING    │ Controls access to browser       │
│                                  │              │ features (camera, mic, etc.).    │
├──────────────────────────────────┼──────────────┼──────────────────────────────────┤
│ X-XSS-Protection                 │  DEPRECATED  │ 1; mode=block                    │
╰──────────────────────────────────┴──────────────┴──────────────────────────────────╯

Security Score: 4/9 headers present (44%) — Poor

Missing headers:
  • Content-Security-Policy
  • Referrer-Policy
  • Permissions-Policy
  • Cross-Origin-Opener-Policy
  • Cross-Origin-Resource-Policy
  • Cache-Control
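
A header can be present and still ineffective, which a present/missing report does not show. The following is an added example, not ghostscan's own code: it grades header values in an already-captured response. The names `weakness`, `audit` and `SAMPLE` and the value rules (including the 180-day HSTS threshold) are assumptions of this example.

```python
import re

# Control names come from the demo output above; the value rules are this example's assumptions.
EXPECTED = ["Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
            "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy",
            "Cross-Origin-Opener-Policy", "Cross-Origin-Resource-Policy", "Cache-Control"]
DEPRECATED = "X-XSS-Protection"
MIN_HSTS_AGE = 15552000  # 180 days, an assumed threshold


def weakness(name, value):
    """Return why a present header is still ineffective, or None if it looks sound."""
    v = value.strip().lower()
    if name == "Strict-Transport-Security":
        m = re.search(r'max-age\s*=\s*"?(\d+)', v)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            return "max-age missing or shorter than 180 days"
    elif name == "X-Content-Type-Options" and v != "nosniff":
        return "only 'nosniff' has any effect"
    elif name == "X-Frame-Options" and v not in ("deny", "sameorigin"):
        return "expected DENY or SAMEORIGIN"
    elif name == "Content-Security-Policy" and "'unsafe-inline'" in v:
        return "'unsafe-inline' present, inline content is allowed"
    return None


def audit(headers):
    """Map each control to (status, note); status is PRESENT, WEAK, MISSING or DEPRECATED."""
    got = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    report = {}
    for name in EXPECTED:
        value = got.get(name.lower())
        if value is None:
            report[name] = ("MISSING", None)
        else:
            why = weakness(name, value)
            report[name] = ("WEAK", why) if why else ("PRESENT", value)
    if DEPRECATED.lower() in got:
        report[DEPRECATED] = ("DEPRECATED", got[DEPRECATED.lower()])
    return report


# Constructed sample matching the headers the demo output shows as present.
SAMPLE = {"strict-transport-security": "max-age=31536000", "X-Frame-Options": "DENY",
          "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1; mode=block"}

if __name__ == "__main__":
    for name, (status, note) in audit(SAMPLE).items():
        print(f"{name:30} {status:10} {note or ''}")
```
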

ghostscan portscan

Concurrent TCP connect scan. Identifies open ports and their associated services.

ghostscan portscan <host> [OPTIONS]

Flag            Default   Description
-p, --ports     top-100   Port range (1-1024), list (80,443), or omit for top-100
-t, --timeout   1.0       TCP connect timeout (seconds)
-w, --workers   100       Concurrent scanning threads

Examples:

ghostscan portscan 192.168.1.1
ghostscan portscan example.com -p 1-1024 --timeout 0.5
ghostscan portscan 10.0.0.1 -p 22,80,443,8080,8443
ghostscan portscan 10.0.0.1 -p 1-65535 -w 500 -t 0.3

Demo output:

[*] Starting port scan against: example.com (93.184.216.34)
    Ports: 100 | Workers: 100 | Timeout: 1.0s

╭──────────────────────────────────────────────╮
│    Port Scan Results — example.com (93.…)    │
├──────────┬────────────────────┬──────────────┤
│     Port │ Service            │    Status    │
├──────────┼────────────────────┼──────────────┤
│       80 │ HTTP               │     OPEN     │
│      443 │ HTTPS              │     OPEN     │
╰──────────┴────────────────────┴──────────────╯

[+] Found 2 open port(s) out of 100 scanned.
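
With the defaults above (100 ports, 100 workers, 1.0 s timeout), one source touches many distinct ports on the target within a second or two, which is straightforward to flag from connection logs. The following is an added example for defenders, not part of ghostscan: the log format, the addresses, the 5-second window and the 20-port threshold are all assumptions of this example.

```python
from collections import defaultdict, deque

WINDOW_S = 5.0        # assumed detection window in seconds
PORT_THRESHOLD = 20   # assumed: distinct destination ports per (src, dst) inside the window


def parse_line(line):
    """Parse the constructed log format '<epoch> <src> -> <dst>:<port>'."""
    ts, src, _, target = line.split()
    dst, port = target.rsplit(":", 1)
    return float(ts), src, dst, int(port)


def detect_connect_scans(events, window=WINDOW_S, threshold=PORT_THRESHOLD):
    """events: (ts, src, dst, dport) tuples sorted by ts.

    Returns {(src, dst): timestamp at which the threshold was first crossed}.
    """
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport) inside the window
    alerts = {}
    for ts, src, dst, dport in events:
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        if key not in alerts and len({p for _, p in q}) >= threshold:
            alerts[key] = ts
    return alerts


def sample_log():
    """Constructed log: one client polling port 443 every 30 s, plus a 100-port burst in ~1 s."""
    lines = [f"{1000.0 + i * 30:.2f} 198.51.100.7 -> 203.0.113.10:443" for i in range(10)]
    lines += [f"{1100.0 + i * 0.01:.2f} 198.51.100.99 -> 203.0.113.10:{p}"
              for i, p in enumerate(range(1, 101))]
    return sorted(lines, key=lambda ln: float(ln.split()[0]))


if __name__ == "__main__":
    for (src, dst), ts in detect_connect_scans(map(parse_line, sample_log())).items():
        print(f"possible connect scan: {src} -> {dst} at t={ts:.2f}")
```
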

Architecture

ghostscan/
├── ghostscan/
│   ├── __init__.py     # Package metadata
│   ├── cli.py          # Click entry point & subcommand definitions
│   ├── subdomain.py    # DNS brute-force with ThreadPoolExecutor
│   ├── headers.py      # HTTP security header auditor
│   └── portscan.py     # Concurrent TCP connect scanner
├── pyproject.toml      # PEP 517/518 packaging
├── requirements.txt
└── README.md

License

MIT — see LICENSE for details.


Built for authorized security testing only.
