Skip to main content
The config/config.json file is the primary configuration file for scan4all. It controls all aspects of scanning behavior, from performance settings to dictionary paths.

File Location

scan4all searches for config.json in the following locations:
  1. ./config/config.json (current directory)
  2. ./config.json
  3. $HOME/config/config.json
  4. $HOME/.config/config.json
  5. /etc/config.json
The first found configuration file will be used. Environment variables can override any setting.

Core Settings

Performance & Resources

FieldTypeDefaultDescription
ScanPoolSizeinteger5000Maximum concurrent scan operations
Fuzzthreadsinteger32Number of fuzzing threads (2, 4, 8, 16, 32)
esthreadinteger8Elasticsearch worker threads
hydrathreadinteger64Password brute-force threads
LimitReaderinteger819200Max response body size (bytes)
MaxErrorTimesinteger100Max errors before stopping
{
  "ScanPoolSize": 5000,
  "Fuzzthreads": 32,
  "esthread": 8,
  "hydrathread": 64,
  "LimitReader": 819200,
  "MaxErrorTimes": 100
}

Scan Behavior

FieldTypeDefaultDescription
priorityNmapbooleantrueUse nmap for port scanning if available
noScanbooleanfalseSkip port scanning (read nmap XML results)
UrlPrecisebooleantrueEnable precise URL scanning
ParseSSlbooleantrueDeep analysis of SSL certificates
EnableSubfinderbooleanfalseEnable subdomain enumeration
EnableKsubdomainbooleantrueEnable ksubdomain scanning
EnableHoneyportDetectionbooleantrueDetect and skip honeypots
enableNucleibooleantrueEnable Nuclei vulnerability scanner
enableMultNucleibooleanfalseEnable multiple Nuclei instances
enableByWafbooleantrueEnable WAF bypass techniques
enableEmbedYamlbooleantrueUse embedded YAML templates
enableFileFuzzbooleantrueEnable file fuzzing
enableWebScanbooleanfalseEnable web application scanning
CheckWeakPasswordbooleantrueEnable password brute-forcing
{
  "priorityNmap": true,
  "noScan": false,
  "UrlPrecise": true,
  "ParseSSl": true,
  "EnableSubfinder": false,
  "EnableHoneyportDetection": true,
  "enableNuclei": true,
  "CheckWeakPassword": true
}
Setting EnableSubfinder=true enables subdomain brute-forcing, which can significantly increase scan time.

Network & Protocol Settings

FieldTypeDefaultDescription
OnClientbooleantrueEnable client mode
Cookiestring""Custom cookie header for requests
nmapScanstringSee belowNmap execution command with sudo
nmapstringSee belowNmap parameters
KsubdomainRegxpstringSee belowKsubdomain regex pattern
{
  "nmapScan": "echo $PPSSWWDD|sudo -S nmap ",
  "nmap": "nmap -n --unique --resolve-all -Pn --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m -oX {filename} --version-intensity 9 --min-rate 10000 -T4 "
}
Nmap requires root privileges. Set the PPSSWWDD environment variable with your root password:
export PPSSWWDD=yourRootPassword

httpx Configuration

FieldTypeDefaultDescription
PipelinebooleanfalseEnable HTTP pipelining
HTTP2ProbebooleanfalseProbe for HTTP/2 support
VHostbooleanfalseEnable virtual host discovery
CSPProbebooleantrueCheck Content-Security-Policy
TLSProbebooleantrueProbe TLS/SSL configuration
TechDetectbooleantrueDetect technologies
FollowRedirectsbooleanfalseFollow HTTP redirects
MaxRedirectsinteger3Maximum redirect hops
{
  "httpx": {
    "Pipeline": false,
    "HTTP2Probe": false,
    "VHost": false,
    "CSPProbe": true,
    "TLSProbe": true,
    "TechDetect": true,
    "FollowRedirects": false,
    "MaxRedirects": 3
  }
}

naabu Configuration

FieldTypeDefaultDescription
TopPortsstring”http”Port category to scan
ScanAllIPSbooleantrueScan all IPs for a domain
Threadsinteger50Number of scanning threads
EnableProgressBarbooleanfalseShow progress bar
{
  "naabu": {
    "TopPorts": "http",
    "ScanAllIPS": true,
    "Threads": 50,
    "EnableProgressBar": false
  }
}

Integration Settings

Elasticsearch

FieldTypeDefaultDescription
enableEsSvbooleantrueEnable Elasticsearch storage
esUrlstringSee belowElasticsearch endpoint URL
{
  "enableEsSv": true,
  "esUrl": "https://127.0.0.1:8081/%s_index/_doc/%s"
}
See Elasticsearch Integration for complete setup.

External Services

FieldTypeDefaultDescription
CeyeDomainstringscan4all.51pwn.comCeye domain for DNS callback
JndiAddressstringSee configJNDI server address
ldapServerstringSee configLDAP server for exploits
{
  "CeyeDomain": "scan4all.51pwn.com",
  "JndiAddress": "docker.for.mac.localhost:1389",
  "ldapServer": "ldap://docker.for.mac.localhost:1389/%s/#UpX34defineClass"
}

Dictionary Configuration

All dictionary paths are relative to the scan4all directory. See Custom Dictionaries for details.

Brute-Force Dictionaries

{
  "ssh_username": "pkg/hydra/dicts/ssh_user.txt",
  "ssh_pswd": "pkg/hydra/dicts/ssh_pswd.txt",
  "ssh_default": "pkg/hydra/dicts/ssh_default.txt"
}

{
  "mysqlusername": "pkg/hydra/dicts/mysql_user.txt",
  "mysql_pswd": "pkg/hydra/dicts/mysql_pswd.txt",
  "mysql_default": "pkg/hydra/dicts/mysql_default.txt",
  "postgresqlusername": "pkg/hydra/dicts/postgresql_user.txt",
  "postgresql_pswd": "pkg/hydra/dicts/postgresql_pswd.txt",
  "postgresql_default": "pkg/hydra/dicts/postgresql_default.txt",
  "mongodbusername": "pkg/hydra/dicts/mongodb_user.txt",
  "mongodb_pswd": "pkg/hydra/dicts/mongodb_pswd.txt",
  "mongodb_default": "pkg/hydra/dicts/mongodb_default.txt"
}

{
  "tomcatuserpass": "brute/dicts/tomcatuserpass.txt",
  "jbossuserpass": "brute/dicts/jbossuserpass.txt",
  "weblogicuserpass": "brute/dicts/weblogicuserpass.txt",
  "filedic": "brute/dicts/filedic.txt",
  "top100pass": "brute/dicts/top100pass.txt",
  "httpuser": "brute/dicts/httpuser.txt",
  "httpass": "brute/dicts/httpass.txt"
}

{
  "bakSuffix": "brute/dicts/bakSuffix.txt",
  "fuzzct": "brute/dicts/fuzzContentType1.txt",
  "fuzz404": "brute/dicts/fuzz404.txt",
  "404url": "brute/dicts/404url.txt",
  "prefix": "brute/dicts/prefix.txt"
}

Fingerprint Dictionaries

{
  "eHoleFinger": "pkg/fingerprint/dicts/eHoleFinger.json",
  "localFinger": "pkg/fingerprint/dicts/localFinger.json"
}

Exploit Configuration

{
  "Exploit": {
    "Path": "./config/poc/",
    "Logs": "./logs/errror.log"
  }
}
FieldDescription
PathDirectory containing custom POC files
LogsError log file location

Cache Settings

{
  "CacheName": ".DbCache",
  "autoRmCache": "true"
}
FieldTypeDefaultDescription
CacheNamestring.DbCacheCache directory name
autoRmCachestringtrueAuto-remove cache on exit
The cache is automatically removed on Windows or when autoRmCache is enabled.

Advanced Settings

Development & Debugging

{
  "enableDevDebug": false,
  "enableFingerTitleHeaderMd5Hex": false
}
Enable development debugging: 
enableDevDebug=true ./scan4all -v -host example.com

Hydra Password Defaults

{
  "HydraUser": "",
  "HydraPass": ""
}
Set default username/password for all services: 
HydraUser=admin HydraPass=password123 ./scan4all -host example.com

Complete Example

{
  "LimitReader": 819200,
  "OnClient": true,
  "ScanPoolSize": 5000,
  "MaxErrorTimes": 100,
  "priorityNmap": true,
  "noScan": false,
  "enableNuclei": true,
  "enableEsSv": true,
  "CheckWeakPassword": true,
  "esthread": 8,
  "hydrathread": 64,
  "Fuzzthreads": 8,
  "UrlPrecise": true,
  "ParseSSl": true,
  "EnableSubfinder": false,
  "EnableHoneyportDetection": true,
  "EnableKsubdomain": true,
  "httpx": {
    "CSPProbe": true,
    "TLSProbe": true,
    "TechDetect": true
  },
  "naabu": {
    "TopPorts": "http",
    "ScanAllIPS": true,
    "Threads": 50
  }
}

Next Steps

Build docs developers (and LLMs) love

Get started for freeTalk to us