Environment variables are the highest-priority configuration method in scan4all: they override settings from config.json without modifying files. This is especially useful for one-time scans, CI/CD integration, and testing different configurations.

Priority Order

scan4all uses the following configuration priority:
  1. Environment Variables (Highest)
  2. Configuration File (config/config.json)
  3. Default Values (Lowest)
Any setting in config.json can be overridden by setting an environment variable with the same name.

Common Environment Variables

Scan Control

noScan=true ./scan4all -l targets.txt

| Variable | Type | Default | Description |
| --- | --- | --- | --- |
| noScan | boolean | false | Skip port scanning, read nmap XML results |
| UrlPrecise | boolean | true | Enable precise URL list scanning |
| priorityNmap | boolean | true | Use nmap instead of naabu if available |
| EnableSubfinder | boolean | false | Enable subdomain brute-forcing |
| EnableHoneyportDetection | boolean | true | Detect and skip honeypots |
| enableNuclei | boolean | true | Enable Nuclei vulnerability scanner |
| enableDevDebug | boolean | false | Enable development debug output |
| CheckWeakPassword | boolean | true | Enable password brute-forcing |

EnableSubfinder=true enables subdomain brute-forcing, which significantly increases scan time.

Nmap Configuration

export PPSSWWDD=yourRootPassword
./scan4all -host 192.168.1.0/24

| Variable | Type | Description |
| --- | --- | --- |
| PPSSWWDD | string | Root/sudo password for nmap execution |

Nmap requires root privileges for SYN scanning and OS detection. Set PPSSWWDD to your sudo password.

Performance Tuning

Fuzzthreads=64 hydrathread=128 esthread=16 ./scan4all -l targets.txt

| Variable | Type | Default | Description |
| --- | --- | --- | --- |
| Fuzzthreads | integer | 32 | Number of fuzzing threads |
| hydrathread | integer | 64 | Password brute-force threads |
| esthread | integer | 8 | Elasticsearch worker threads |
| ScanPoolSize | integer | 5000 | Maximum concurrent scan operations |

Network Settings

Cookie='PHPSESSID=abc123; session=xyz789' ./scan4all -host example.com

| Variable | Type | Default | Description |
| --- | --- | --- | --- |
| Cookie | string | "" | Custom cookie header for all requests |
| LimitReader | integer | 819200 | Max response body size in bytes |
| ParseSSl | boolean | true | Deep analysis of SSL certificates |

Elasticsearch Integration

enableEsSv=false ./scan4all -host example.com

| Variable | Type | Default | Description |
| --- | --- | --- | --- |
| enableEsSv | boolean | true | Enable Elasticsearch storage |
| esUrl | string | See config | Elasticsearch endpoint URL |
| esthread | integer | 8 | ES worker threads |

Hydra Credentials

HydraUser=admin HydraPass=password123 ./scan4all -host 192.168.1.1

| Variable | Type | Description |
| --- | --- | --- |
| HydraUser | string | Default username for all services |
| HydraPass | string | Default password for all services |

Cache Management

CacheName=/tmp/scan4all_cache ./scan4all -host example.com

| Variable | Type | Default | Description |
| --- | --- | --- | --- |
| CacheName | string | .DbCache | Cache directory name |
| autoRmCache | boolean | true | Auto-remove cache on exit |

External Services

| Variable | Type | Description |
| --- | --- | --- |
| CeyeApi | string | Ceye API token for DNS callback detection |
| CeyeDomain | string | Ceye domain name |
| JndiAddress | string | JNDI server address for exploitation |

Dictionary Overrides

All dictionary paths can be overridden with environment variables:

Service Dictionaries

ssh_username=/tmp/ssh_users.txt \
ssh_pswd=/tmp/ssh_passwords.txt \
ssh_default=/tmp/ssh_defaults.txt \
./scan4all -host ssh://example.com
  • ssh_username, ssh_pswd, ssh_default
  • ftpusername, ftp_pswd, ftp_default
  • rdpusername, rdp_pswd, rdp_default
  • mysqlusername, mysql_pswd, mysql_default
  • postgresqlusername, postgresql_pswd, postgresql_default
  • mongodbusername, mongodb_pswd, mongodb_default
  • mssqlusername, mssql_pswd, mssql_default
  • oracleusername, oracle_pswd, oracle_default
  • redisusername, redis_pswd, redis_default
  • smbusername, smb_pswd, smb_default
  • telnetusername, telnet_pswd, telnet_default
  • snmp_user, snmp_pswd, snmp_default
  • es_user, es_pswd, es_default

Web Dictionaries

filedic=/opt/wordlists/web_paths.txt \
bakSuffix=/opt/wordlists/backup_extensions.txt \
httpuser=/opt/wordlists/http_users.txt \
httpass=/opt/wordlists/http_passwords.txt \
./scan4all -host https://example.com
  • tomcatuserpass - Tomcat credentials
  • jbossuserpass - JBoss credentials
  • weblogicuserpass - WebLogic credentials
  • filedic - File/directory names
  • bakSuffix - Backup file extensions
  • httpuser - HTTP basic auth usernames
  • httpass - HTTP basic auth passwords
  • top100pass - Top 100 passwords
  • prefix - URL prefixes
  • fuzzct - Content-Type headers
  • fuzz404 - 404 detection patterns

Usage Patterns

One-Time Configuration

Set variables for a single scan without modifying config files:
noScan=true UrlPrecise=true enableDevDebug=true ./scan4all -l targets.txt

Export for Session

Set variables for the entire terminal session:
export PPSSWWDD=myRootPassword
export EnableSubfinder=true
export Fuzzthreads=64

./scan4all -host example.com
./scan4all -host another.com

Environment File

Create a .env file for project-specific settings:
# Scan settings
noScan=false
UrlPrecise=true
EnableSubfinder=true
priorityNmap=true

# Performance
Fuzzthreads=64
hydrathread=128
esthread=16

# Elasticsearch
enableEsSv=true
esUrl=http://10.0.0.5:9200/%s_index/_doc/%s

# Custom dictionaries
ssh_username=/opt/dicts/ssh_users.txt
ssh_pswd=/opt/dicts/ssh_passwords.txt
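
The page does not say how a .env file reaches the scanner's environment. Assuming the shell has to export it first, the added example below (not part of scan4all; `load_scan_env` is a hypothetical helper) parses the file line by line instead of sourcing it, so nothing in the file is executed, and refuses files that group or other users can read or write.

```sh
# Added example, not scan4all code: export KEY=VALUE lines from a .env file
# without executing the file (no `source` / `.`).
load_scan_env() {
    envfile=$1
    [ -f "$envfile" ] || { echo "no such file: $envfile" >&2; return 2; }
    # The file may hold PPSSWWDD, HydraPass, CeyeApi or Cookie values, so
    # refuse it when group or other users can read or write it.
    if [ -n "$(find "$envfile" \( -perm -040 -o -perm -020 \
                                -o -perm -004 -o -perm -002 \) -print)" ]; then
        echo "$envfile: permissions too open, run: chmod 600 $envfile" >&2
        return 3
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments.
        case "$line" in ""|"#"*) continue ;; esac
        case "$line" in
            *=*) ;;
            *) echo "$envfile: not KEY=VALUE: $line" >&2; return 4 ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        # Names must be plain identifiers; a name containing a space or a
        # shell metacharacter is rejected rather than interpreted.
        case "$key" in
            ""|[0-9]*|*[!A-Za-z0-9_]*)
                echo "$envfile: invalid variable name '$key'" >&2; return 4 ;;
        esac
        # The value is taken literally: no quote stripping, no expansion.
        export "$key=$value"
    done < "$envfile"
    return 0
}

# Usage: load_scan_env .env && ./scan4all -host example.com
```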

CI/CD Integration

name: Security Scan
on: [push]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      
      - name: Run scan4all
        env:
          noScan: false
          UrlPrecise: true
          enableEsSv: true
          esUrl: ${{ secrets.ES_URL }}
          Cookie: ${{ secrets.SCAN_COOKIE }}
        run: |
          ./scan4all -l targets.txt -o results.json

Advanced Configuration

Combining Sources

Environment variables override config file settings. For example, with this config.json:
{
  "Fuzzthreads": 32,
  "enableNuclei": true,
  "UrlPrecise": false
}
With Fuzzthreads=64 and UrlPrecise=true set in the environment, the final configuration is:
  • Fuzzthreads: 64 (overridden)
  • enableNuclei: true (from config)
  • UrlPrecise: true (overridden)

Boolean Values

Boolean environment variables accept:
  • True: true, True, TRUE, 1
  • False: false, False, FALSE, 0, empty string
# These are equivalent
enableNuclei=true ./scan4all -host example.com
enableNuclei=TRUE ./scan4all -host example.com
enableNuclei=1 ./scan4all -host example.com

Integer Values

Integer environment variables are parsed as numbers:
Fuzzthreads=64 ./scan4all -host example.com
ScanPoolSize=10000 ./scan4all -l targets.txt

String Values

String values support spaces when quoted:
Cookie='session=abc123; user=admin' ./scan4all -host example.com

Debugging Configuration

View effective configuration by enabling debug mode:
enableDevDebug=true ./scan4all -v -host example.com
This shows which settings are active and where they came from.

Best Practices

Use for Overrides

Use environment variables for temporary overrides, not permanent settings

Document in Scripts

Comment environment variables in shell scripts for clarity

Protect Secrets

Never commit .env files with passwords or API keys

Validate Values

Test configuration changes on non-production targets first

Common Scenarios

Scenario 1: Quick Scan Without Elasticsearch

enableEsSv=false ./scan4all -host example.com -o results.json

Scenario 2: Aggressive Scan with Custom Threads

Fuzzthreads=128 hydrathread=256 ./scan4all -l targets.txt

Scenario 3: Read Nmap Results Only

noScan=true ./scan4all -l nmap_output.xml

Scenario 4: Full Subdomain Enumeration

EnableSubfinder=true ParseSSl=true ./scan4all -host example.com

Scenario 5: Custom Authentication

Cookie='session=xyz' HydraUser=admin HydraPass=test ./scan4all -host app.example.com

Troubleshooting

  • Check variable name matches config.json exactly (case-sensitive)
  • Ensure no spaces around = in assignment
  • Verify with echo $VARIABLE_NAME
  • Try exporting: export UrlPrecise=true
Use lowercase true/false:
# Correct
enableNuclei=true

# Incorrect
enableNuclei=yes
enableNuclei=on
Use absolute paths for dictionary overrides:
# Correct
ssh_username=/opt/dicts/users.txt

# May fail
ssh_username=users.txt
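
The checks in this section and the accepted values under Boolean Values and Integer Values can be run before a scan starts. The following is an added example, not scan4all code; `scan4all_env_check` is a hypothetical helper, and the path list covers only a subset of the dictionary variables.

```sh
# Added example, not scan4all code: validate overrides before a scan.
# Names and accepted values are the ones documented on this page.
BOOL_VARS="noScan UrlPrecise priorityNmap EnableSubfinder EnableHoneyportDetection
enableNuclei enableDevDebug CheckWeakPassword ParseSSl enableEsSv autoRmCache"
INT_VARS="Fuzzthreads hydrathread esthread ScanPoolSize LimitReader"
# A subset of the dictionary variables; extend with the ones you override.
PATH_VARS="ssh_username ssh_pswd ssh_default filedic bakSuffix httpuser httpass"

_bad() { echo "scan4all env: $1" >&2; problems=$((problems + 1)); }

# Prints one line per problem to stderr and returns the problem count.
scan4all_env_check() {
    problems=0
    for name in $BOOL_VARS; do
        # Names come from the fixed lists above, so eval is safe here.
        eval "isset=\${$name+x}; val=\${$name-}"
        [ -n "$isset" ] || continue
        case "$val" in
            true|True|TRUE|1|false|False|FALSE|0|"") ;;
            *) _bad "$name='$val' is not an accepted boolean" ;;
        esac
    done
    for name in $INT_VARS; do
        eval "isset=\${$name+x}; val=\${$name-}"
        [ -n "$isset" ] || continue
        case "$val" in
            ""|*[!0-9]*) _bad "$name='$val' is not an integer" ;;
        esac
    done
    for name in $PATH_VARS; do
        eval "isset=\${$name+x}; val=\${$name-}"
        [ -n "$isset" ] || continue
        case "$val" in
            /*) [ -r "$val" ] || _bad "$name: cannot read $val" ;;
            *)  _bad "$name='$val' is not an absolute path" ;;
        esac
    done
    return "$problems"
}

# Usage: scan4all_env_check && ./scan4all -l targets.txt
```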
