sif/docs/scans.md

scans

detailed information about sif's built-in security scans.

base scan

runs automatically unless -noscan is specified.

checks:

• robots.txt parsing
• common files (sitemap.xml, security.txt, etc)
• basic reconnaissance

directory fuzzing (-dirlist)

brute-forces directories and files using wordlists.

sizes

size	entries	use case
small	~1k	quick scan, low noise
medium	~10k	balanced coverage
large	~100k	thorough, takes longer

what it finds

• hidden directories (/admin, /backup, /config)
• backup files (.bak, .old, .zip)
• configuration files
• development artifacts

subdomain enumeration (-dnslist)

discovers subdomains via dns brute-forcing.

sizes

size	entries	use case
small	~1k	quick discovery
medium	~10k	common subdomains
large	~100k	comprehensive

what it finds

• dev/staging environments
• internal services
• forgotten subdomains
• api endpoints

port scanning (-ports)

scans for open ports and identifies services.

scopes

scope	ports	description
common	top 1000	most common services
full	1-65535	all ports, slow

what it finds

• web servers (80, 443, 8080)
• databases (3306, 5432, 27017)
• admin interfaces (8443, 9090)
• development servers

framework detection (-framework)

identifies web frameworks and their versions.

detects

• react, vue, angular, next.js
• django, flask, rails
• laravel, symfony, express
• wordpress, drupal, joomla

features

• version detection
• cve lookup for known vulnerabilities
• confidence scoring

javascript analysis (-js)

analyzes javascript files for security issues.

finds

• api endpoints and keys
• hardcoded credentials
• internal urls
• framework configurations
• source maps

http headers (-headers)

dumps the target's response headers.

security headers (-sh)

flags missing or weak security headers and headers that leak server internals.

checks

• strict-transport-security (https only)
• content-security-policy
• x-frame-options
• x-content-type-options (expects nosniff)
• referrer-policy
• permissions-policy
• cross-origin-opener-policy

flagged as disclosure

• server
• x-powered-by
• x-aspnet-version / x-aspnetmvc-version

cms detection (-cms)

identifies content management systems.

detects

• wordpress (with version)
• drupal
• joomla
• magento
• shopify
• ghost

git repository (-git)

checks for exposed git repositories.

finds

• .git/HEAD
• .git/config
• .git/index
• source code exposure risk

cloud storage (-c3)

checks for cloud storage misconfigurations.

checks

• s3 bucket access
• azure blob storage
• gcp storage buckets
• open bucket policies

subdomain takeover (-st)

detects subdomain takeover vulnerabilities.

requires -dnslist to enumerate subdomains first.

checks

• dangling cname records
• unclaimed cloud services
• expired third-party services

shodan lookup (-shodan)

queries shodan for host intelligence.

requires SHODAN_API_KEY environment variable.

returns

• open ports
• services and versions
• known vulnerabilities
• ssl/tls info
• organization data

sql reconnaissance (-sql)

detects sql-related exposures.

finds

• admin panels (/phpmyadmin, /adminer)
• database error messages
• sql injection indicators

lfi scanning (-lfi)

checks for local file inclusion vulnerabilities.

tests

• path traversal (../)
• null byte injection
• common lfi payloads
• sensitive file disclosure

whois lookup (-whois)

performs whois lookups on target domains.

returns

• registrar info
• creation/expiration dates
• nameservers
• registrant info (if available)

google dorking (-dork)

automated google dorking for target.

searches

• indexed sensitive files
• exposed admin panels
• configuration files
• backup files
• error pages

nuclei scanning (-nuclei)

runs nuclei vulnerability templates.

requires nuclei to be installed.

templates

• cve detection
• misconfigurations
• exposures
• default credentials