-crawl spiders same-host links/scripts/forms through the shared httpx client so proxy/headers/rate-limit and robots.txt are honored, bounded by -crawl-depth. -passive pulls subdomains from keyless ct feeds (crt.sh, certspotter) and historical urls from wayback, each source isolated so one feed being down doesn't sink the rest and the target sees no traffic.
usage
complete guide to sif command line options.
target options
-u, --urls
specify target urls (comma-separated):
./sif -u https://example.com
./sif -u https://site1.com,https://site2.com
-f, --file
read targets from a file (one url per line):
./sif -f targets.txt
scan options
directory fuzzing
-dirlist <size> - fuzz for directories and files
sizes: small, medium, large
./sif -u https://example.com -dirlist medium
subdomain enumeration
-dnslist <size> - enumerate subdomains
sizes: small, medium, large
./sif -u https://example.com -dnslist small
port scanning
-ports <scope> - scan for open ports
scopes: common (top ports), full (all ports)
./sif -u https://example.com -ports common
google dorking
-dork - automated google dorking
./sif -u https://example.com -dork
git repository detection
-git - check for exposed git repositories
./sif -u https://example.com -git
nuclei scanning
-nuclei - run nuclei vulnerability templates
./sif -u https://example.com -nuclei
javascript analysis
-js - analyze javascript files + secret and endpoint extraction
./sif -u https://example.com -js
cms detection
-cms - detect content management systems
./sif -u https://example.com -cms
http headers
-headers - dump the target's response headers
./sif -u https://example.com -headers
security headers
-sh - flag missing/weak security headers (hsts, csp, x-frame-options, ...) and headers that leak server internals
./sif -u https://example.com -sh
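What a check of this kind evaluates, as an added example in Go (not sif's own code): the function name, the rule set and the 180-day hsts threshold are assumptions chosen for illustration, and the sample headers are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strconv"
	"strings"
)

var maxAgeRe = regexp.MustCompile(`(?i)max-age=(\d+)`)

// auditHeaders returns one finding per missing, weak or leaky header.
// The rules and thresholds are assumptions for this example, not sif's.
func auditHeaders(h http.Header) []string {
	var out []string
	if v := h.Get("Strict-Transport-Security"); v == "" {
		out = append(out, "missing: strict-transport-security")
	} else if m := maxAgeRe.FindStringSubmatch(v); m == nil {
		out = append(out, "weak: hsts without max-age")
	} else if n, _ := strconv.Atoi(m[1]); n < 15552000 { // under 180 days
		out = append(out, "weak: hsts max-age too short")
	}
	csp := strings.ToLower(h.Get("Content-Security-Policy"))
	if csp == "" {
		out = append(out, "missing: content-security-policy")
	} else if strings.Contains(csp, "'unsafe-inline'") {
		out = append(out, "weak: csp allows 'unsafe-inline'")
	}
	// a csp frame-ancestors directive covers what x-frame-options would
	if h.Get("X-Frame-Options") == "" && !strings.Contains(csp, "frame-ancestors") {
		out = append(out, "missing: x-frame-options")
	}
	if !strings.EqualFold(h.Get("X-Content-Type-Options"), "nosniff") {
		out = append(out, "missing: x-content-type-options nosniff")
	}
	for _, name := range []string{"Server", "X-Powered-By"} {
		if v := h.Get(name); strings.ContainsAny(v, "0123456789") { // version digits
			out = append(out, "leak: "+strings.ToLower(name)+" discloses "+v)
		}
	}
	return out
}

func main() {
	h := http.Header{"Strict-Transport-Security": {"max-age=300"}, "Server": {"nginx/1.18.0"}} // constructed sample
	for _, f := range auditHeaders(h) {
		fmt.Println(f)
	}
}
```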
cloud storage
-c3 - check for cloud storage misconfigurations
./sif -u https://example.com -c3
subdomain takeover
-st - check for subdomain takeover vulnerabilities
requires -dnslist to be enabled
./sif -u https://example.com -dnslist small -st
shodan lookup
-shodan - query shodan for host intelligence
requires SHODAN_API_KEY environment variable
export SHODAN_API_KEY=your-api-key
./sif -u https://example.com -shodan
sql reconnaissance
-sql - detect sql admin panels and error disclosure
./sif -u https://example.com -sql
lfi scanning
-lfi - local file inclusion vulnerability checks
./sif -u https://example.com -lfi
cors probe
-cors - probe for cors misconfigurations (reflected/permissive origins)
./sif -u https://example.com -cors
open redirect probe
-redirect - probe redirect-prone params for open redirects
./sif -u "https://example.com/login?next=home" -redirect
reflected xss probe
-xss - inject a canary into params and report unescaped reflections
./sif -u "https://example.com/search?q=test" -xss
framework detection
-framework - detect web frameworks with version and cve lookup
./sif -u https://example.com -framework
web crawler
-crawl - spider the target, following same-host links, scripts and forms
-crawl-depth - max recursion depth (default 2). respects robots.txt and stays on the target host.
./sif -u https://example.com -crawl -crawl-depth 3
passive discovery
-passive - gather subdomains from certificate transparency (crt.sh, certspotter) and historical urls from the wayback machine
keyless and zero traffic to the target itself - all lookups hit third-party feeds.
./sif -u https://example.com -passive
whois lookup
-whois - perform whois lookups
./sif -u https://example.com -whois
skip base scan
-noscan - skip the base url scan (robots.txt, etc)
./sif -u https://example.com -noscan -dirlist medium
module options
-lm, --list-modules
list all available modules:
./sif -lm
-m, --modules
run specific modules by id (comma-separated):
./sif -u https://example.com -m sqli-error-based,xss-reflected
-mt, --module-tags
run modules matching tags:
./sif -u https://example.com -mt owasp-top10
./sif -u https://example.com -mt injection
-am, --all-modules
run all available modules:
./sif -u https://example.com -am
runtime options
-t, --timeout
http request timeout (default: 10s):
./sif -u https://example.com -t 30s
--threads
number of concurrent threads (default: 10). values below 1 are clamped to 1:
./sif -u https://example.com --threads 20
-l, --log
directory to save log files:
./sif -u https://example.com -l ./logs
-d, --debug
enable debug logging:
./sif -u https://example.com -d
http options
these apply to every outbound request across all scanners (proxy, custom headers, cookie and rate limiting share one client). a scanner that sets a header explicitly still wins over the global default.
-proxy
route all traffic through a proxy. supports http, https and socks5 urls:
./sif -u https://example.com -proxy socks5://127.0.0.1:1080
-H, --header
add a custom header to every request. repeatable or comma-separated, "Key: Value":
./sif -u https://example.com -H "Authorization: Bearer tok" -H "X-Env: staging"
-cookie
cookie header to send with every request:
./sif -u https://example.com -cookie "session=abc; theme=dark"
-rate-limit
cap outbound requests per second (0 = unlimited, default 0):
./sif -u https://example.com -rate-limit 20
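The precedence rule described for http options, sketched as an added Go example (not sif's own code): global header and cookie defaults are merged into each request by one shared transport, and a header a scanner set explicitly is left alone. All type and function names are hypothetical, and rate limiting and proxying are left out to keep the focus on header precedence.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// parseDefaults builds the global header set from repeated "Key: Value"
// strings and a cookie string (hypothetical helper, not sif's parser).
func parseDefaults(headers []string, cookie string) http.Header {
	d := http.Header{}
	for _, h := range headers {
		if k, v, ok := strings.Cut(h, ":"); ok { // split on the first colon only
			d.Set(strings.TrimSpace(k), strings.TrimSpace(v))
		}
	}
	if cookie != "" {
		d.Set("Cookie", cookie)
	}
	return d
}

// withDefaults returns a copy of req carrying every default the caller did
// not set itself, so an explicitly set header wins over the global one.
func withDefaults(req *http.Request, d http.Header) *http.Request {
	r := req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
	for k, v := range d {
		if _, set := r.Header[k]; !set {
			r.Header[k] = v
		}
	}
	return r
}

// sharedTransport is the single place where the defaults are applied.
type sharedTransport struct {
	base     http.RoundTripper
	defaults http.Header
}

func (t *sharedTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	return t.base.RoundTrip(withDefaults(req, t.defaults))
}

func main() {
	d := parseDefaults([]string{"Authorization: Bearer tok", "X-Env: staging"}, "session=abc")
	req, _ := http.NewRequest("GET", "https://example.com/", nil) // never sent
	req.Header.Set("X-Env", "canary")                             // set explicitly by one scanner
	fmt.Println(withDefaults(req, d).Header)
}
```

Because the merge happens in the transport, a value passed with -H or -cookie (such as a bearer token) goes out with every request the client makes unless a scanner sets that header itself.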
api options
-api
enable api mode for json output:
./sif -u https://example.com -api
output is a json object with scan results.
commands
these run without scanning a target.
version
print the sif version. release builds are stamped via ldflags, local make builds derive it from git describe, and go installed builds read it from the module build info:
./sif version
patchnote
show the latest release's notes, fetched from github (also -pn):
./sif patchnote
the first time you run a new release sif also prints that release's notes once. set SIF_NO_PATCHNOTES=1 to disable that.
examples
quick recon
./sif -u https://example.com -framework -headers -git
full scan
./sif -u https://example.com \
-dirlist large \
-dnslist medium \
-ports full \
-framework \
-js \
-headers \
-cms \
-git \
-sql \
-lfi \
-cors \
-redirect \
-xss \
-am
ci/cd pipeline
./sif -u https://staging.example.com -api -am > results.json
batch scanning
echo "https://site1.com
https://site2.com
https://site3.com" > targets.txt
./sif -f targets.txt -am -l ./logs