gitea-mirror/sif
1
0
Fork 0
mirror of https://github.com/lunchcat/sif.git synced 2026-06-12 19:11:25 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
6ec0b60e5ac1016da124836380c7e2b963fce296
sif/man/sif.1
T
vmfunc 6ec0b60e5a feat: diff mode with json snapshot store 
re-scans become a monitor: -diff snapshots each target's normalized
findings to a per-target json file and, on the next run, surfaces only
the delta (+ new / - gone) against the last snapshot, then overwrites it
so each run diffs against the previous one. behavior is unchanged when
-diff is off.

new internal/store keys the set-difference off finding.Key (already
stable across runs) and uses only encoding/json + os - no new deps.
snapshot files are sanitized per target (no traversal), written 0600
under 0750 dirs. -store picks the location: explicit dir, else the log
dir, else <user-config>/sif/state. a missing snapshot is a clean
baseline, a corrupt one self-heals on the next save.
2026-06-10 16:39:04 -07:00

267 lines
6.8 KiB
Groff
Raw Blame History

.\" man page for sif - the blazing-fast pentesting suite
.TH sif 1 "2026-06-10" "sif" "sif manual"
.SH NAME
sif \- blazing-fast pentesting suite
.SH SYNOPSIS
.B sif
.B \-u
.I url
.RI [ scans ]
.RI [ options ]
.br
.B sif
.B \-f
.I file
.RI [ scans ]
.RI [ options ]
.br
.I "targets"
|
.B sif
.RI [ scans ]
.RI [ options ]
.br
.B sif
.RB { patchnote | version }
.SH DESCRIPTION
.B sif
is a modular recon and exploitation suite. it runs multiple scan types
concurrently against one or more targets, and can be extended with yaml
modules. a scheme\-less target defaults to
.B https://
\&; an explicit
.B http://
or
.B https://
is kept; any other scheme is rejected.
.SH TARGETS
.TP
.BR \-u ", " \-\-urls " \fIlist\fR"
comma\-separated list of urls to scan.
.TP
.BR \-f ", " \-\-file " \fIpath\fR"
file with one url per line.
.TP
.B stdin
when stdin is a pipe, one target per line is read from it, alongside any
.B \-u
/
.B \-f
targets. lets sif slot into a unix pipeline (e.g. \fBsubfinder | sif \-silent | notify\fR).
.SH SCANS
.TP
.BR \-dirlist " \fIsize\fR"
directory and file fuzzing (small/medium/large).
.TP
.BR \-mc " \fIcodes\fR"
dirlist: match only these status codes (comma list, e.g. 200,301).
.TP
.BR \-fc " \fIcodes\fR"
dirlist: filter out these status codes (comma list).
.TP
.BR \-fs " \fIsizes\fR"
dirlist: filter out responses of these body sizes (comma list).
.TP
.BR \-fw " \fIcounts\fR"
dirlist: filter out responses with these word counts (comma list).
.TP
.BR \-fr " \fIregex\fR"
dirlist: filter out responses whose body matches this regex.
.TP
.B \-ac
dirlist: auto\-calibrate the soft\-404 wildcard baseline so catch\-all 200s are dropped.
.TP
.BR \-w " \fIpath|url\fR"
dirlist: custom wordlist (local file or url); overrides the \fB\-dirlist\fR size.
.TP
.BR \-e " \fIexts\fR"
dirlist: extensions appended to each word (comma list, e.g. php,bak,env).
.TP
.BR \-dnslist " \fIsize\fR"
subdomain enumeration (small/medium/large).
.TP
.BR \-ports " \fIscope\fR"
port scanning (common/full).
.TP
.B \-nuclei
vulnerability scanning with nuclei templates.
.TP
.B \-dork
automated google dorking.
.TP
.B \-js
javascript analysis + secret and endpoint extraction.
.TP
.B \-c3
cloud storage misconfiguration scan.
.TP
.B \-headers
dump the target's response headers.
.TP
.BR \-sh ", " \-\-security\-headers
flag missing or weak security headers and headers that leak server internals.
.TP
.B \-st
subdomain takeover detection (requires \fB\-dnslist\fR).
.TP
.B \-cms
cms detection.
.TP
.B \-whois
whois lookup.
.TP
.B \-git
exposed git repository detection.
.TP
.B \-shodan
shodan host lookup (requires \fBSHODAN_API_KEY\fR).
.TP
.B \-securitytrails
domain discovery and target expansion (requires \fBSECURITYTRAILS_API_KEY\fR).
.TP
.B \-sql
sql reconnaissance (admin panels, error disclosure).
.TP
.B \-lfi
local file inclusion reconnaissance.
.TP
.B \-jwt
jwt discovery plus offline weakness analysis (alg:none, weak hmac secret, missing/expired exp, sensitive plaintext claims).
.TP
.B \-openapi
openapi/swagger spec exposure probe; enumerates paths, methods and unauthenticated operations.
.TP
.B \-favicon
favicon hash fingerprinting (shodan\-style mmh3); matches bundled tech and prints the http.favicon.hash pivot query.
.TP
.B \-cors
cors misconfiguration probe (reflected/permissive origins).
.TP
.B \-redirect
open redirect probe.
.TP
.B \-xss
reflected xss probe.
.TP
.B \-framework
framework detection with cve lookup.
.TP
.B \-crawl
web crawler; spiders same\-host links, scripts and forms, respecting robots.txt.
.TP
.BR \-crawl\-depth " \fIn\fR"
max crawl recursion depth (default 2).
.TP
.B \-passive
passive subdomain and historical url discovery from third\-party feeds (zero traffic to the target).
.TP
.B \-probe
live\-host probe; reports liveness, final status, page title, server header and the redirect chain.
.TP
.B \-noscan
skip the base url scan (robots.txt, etc).
.SH OPTIONS
.TP
.BR \-d ", " \-\-debug
enable debug logging.
.TP
.BR \-t ", " \-\-timeout " \fIduration\fR"
per\-request timeout (default 10s).
.TP
.BR \-l ", " \-\-log " \fIdir\fR"
directory to write logs to.
.TP
.BR \-\-threads " \fIn\fR"
number of concurrent workers (default 10). values below 1 are clamped to 1.
.TP
.BR \-\-template " \fIname\fR"
sif runtime template to use.
.TP
.BR \-proxy " \fIurl\fR"
route every request through a proxy. accepts http, https or socks5 urls.
.TP
.BR \-H ", " \-\-header " \fIstring\fR"
custom header to send with every request, as \fBKey: Value\fR. repeatable or comma\-separated.
.TP
.BR \-cookie " \fIstring\fR"
cookie header to send with every request.
.TP
.BR \-rate\-limit " \fIn\fR"
cap outbound requests per second (0 = unlimited, default 0).
.TP
.BR \-sarif " \fIfile\fR"
write a sarif 2.1.0 report of the run to \fIfile\fR.
.TP
.BR \-md ", " \-\-markdown " \fIfile\fR"
write a markdown report of the run to \fIfile\fR.
.TP
.B \-silent
plain output for pipelines: route all chrome to stderr and print one
normalized finding per line to stdout as \fB[severity] target module title\fR.
implies non\-interactive (no spinners).
.TP
.B \-diff
diff mode: snapshot each target's findings to a json file and, on a re\-scan,
print only the delta against the last snapshot (\fB+ new\fR for findings that
appeared, \fB- gone\fR for ones that vanished), then overwrite the snapshot.
the first run for a target reports everything as new.
.TP
.BR \-store " \fIdir\fR"
snapshot directory for \fB\-diff\fR. defaults to the \fB\-log\fR dir if set,
otherwise \fI<user\-config>/sif/state\fR. one sanitized file per target.
.TP
.B \-api
emit json results and suppress the interactive output.
.SH MODULES
.TP
.BR \-m ", " \-\-modules " \fIids\fR"
comma\-separated module ids to run.
.TP
.BR \-mt ", " \-\-module\-tags " \fItags\fR"
run modules matching these tags.
.TP
.BR \-am ", " \-\-all\-modules
run all loaded modules.
.TP
.BR \-lm ", " \-\-list\-modules
list available modules and exit.
.SH COMMANDS
.TP
.B sif patchnote
fetch the latest github release and print its notes. also available as
.BR \-pn .
.TP
.B sif version
print the sif version and exit.
.SH ENVIRONMENT
.TP
.B SHODAN_API_KEY
api key used by \fB\-shodan\fR.
.TP
.B SECURITYTRAILS_API_KEY
api key used by \fB\-securitytrails\fR.
.TP
.B SIF_NO_PATCHNOTES
set to any value to suppress the once\-per\-version patch note shown at startup.
.SH FILES
.TP
.I ~/.config/sif/modules/
user\-defined yaml modules.
.TP
.I ~/.config/sif/seen_version
records the last release whose notes were shown at startup.
.SH EXAMPLES
.TP
run a few scans against a host:
.B sif \-u https://example.com \-headers \-sh \-cms \-framework
.TP
fuzz directories and enumerate subdomains:
.B sif \-u https://example.com \-dirlist medium \-dnslist medium
.TP
scan a list of targets and write logs:
.B sif \-f targets.txt \-headers \-l ./logs
.SH SEE ALSO
project page: https://github.com/vmfunc/sif
.SH AUTHORS
vmfunc, xyzeva, and the lunchcat contributors.
Reference in New Issue View Git Blame Copy Permalink