
Overview

scan4all supports password cracking across 23 protocols, enabling comprehensive authentication testing during security assessments. Each protocol implementation includes timeout handling, error detection, and integration with the tool’s concurrent execution engine.
Password cracking is enabled by default when priorityNmap=true. The feature automatically activates when authentication-protected services are detected.

Supported Protocols

From pkg/hydra/hydra.go:25:
ProtocolList = "rdp,ssh,rsh-spx,mysql,mssql,oracle,postgresql,redis,ftp,mongodb,mongod,smb,telnet,snmp,wap-wsp,router,winrm,pop3,socks5,vnc,pop3s"

Database Protocols

MySQL

MySQL / MariaDB Authentication

Tests authentication against MySQL and MariaDB database servers.
Implementation: pkg/hydra/mysql/mysql.go
Connection Details:
  • Default Port: 3306
  • Timeout: 5 seconds
  • Authentication Method: Native password authentication
Usage:
./scan4all -host mysql.example.com -port 3306
Features:
  • Automatic connection handling
  • Error detection and logging
  • SSL/TLS support (when available)

Microsoft SQL Server

MsSQL Authentication

Tests authentication against Microsoft SQL Server instances.
Implementation: pkg/hydra/mssql/mssql.go
Connection Details:
  • Default Port: 1433
  • Timeout: Connection-dependent
  • Authentication Method: SQL Server authentication
Usage:
./scan4all -host mssql.example.com -port 1433

Oracle Database

Oracle Database Authentication

Tests Oracle Database authentication with automatic SID enumeration.
Implementation: pkg/hydra/oracle/oracle.go
Connection Details:
  • Default Port: 1521
  • Timeout: 3-5 seconds
  • Authentication Method: Oracle native authentication
  • SID Detection: Automatic enumeration from 400+ known SIDs
Key Features:
scan4all includes an extensive list of 400+ common Oracle SIDs including:
  • Standard SIDs: orcl, XE, ORACLE, ORACLE10, ORACLE11
  • Version-specific: ORA10101, ORA10102, ORA920, ORA910
  • Environment-based: DEV, TEST, PROD, TST, UAT
  • Application-specific: SAP, HR, ERP, DWH, ASDB
  • Platform-specific: LINUX817, WIN817, UNIX817, WINDOWS817
The tool automatically tests SIDs before attempting authentication.
Verifies Oracle protocol availability before password testing:
CheckProtocol(ip, port) // Returns true if Oracle TNS detected
Intelligent handling of Oracle error codes:
  • ORA-28009: Treats as successful authentication (connection reused)
  • ORA-12505: Invalid SID
  • ORA-12504: TNS listener error
  • ORA-12514: SID not found
Connection String Format:
oracle://username:password@host:port/SID
Usage:
./scan4all -host oracle.example.com -port 1521

PostgreSQL

PostgreSQL Authentication

Tests authentication against PostgreSQL database servers.
Implementation: pkg/hydra/postgresql/postgresql.go
Connection Details:
  • Default Port: 5432
  • Timeout: 5 seconds
  • Database: postgres (default)
  • SSL Mode: disable
Connection String Format:
postgres://username:password@host:port/postgres?sslmode=disable

MongoDB

MongoDB Authentication

Tests authentication against MongoDB instances.
Implementation: pkg/hydra/mongodb/mongodb.go
Connection Details:
  • Default Port: 27017
  • Timeout: 5 seconds
  • Authentication Mechanism: SCRAM-SHA-1
  • Database: ichunt
Connection String Format:
mongodb://username:password@host:port/ichunt?authMechanism=SCRAM-SHA-1
Features:
  • Context-based timeout handling
  • Ping verification after connection
  • Automatic connection cleanup

Redis

Redis Authentication

Tests Redis AUTH command authentication.
Implementation: pkg/hydra/redis/redis.go
Connection Details:
  • Default Port: 6379
  • Timeout: 5 seconds
  • Authentication: AUTH command
Password-Only Authentication: Redis uses only password authentication (no username). The tool automatically handles this by omitting username requirements.
Protocol Communication:
auth password\r\n
# Expected response: +OK
Usage:
./scan4all -host redis.example.com -port 6379

Elasticsearch

Elasticsearch Authentication (wap-wsp)

Tests authentication against Elasticsearch clusters.
Implementation: pkg/hydra/elastic/elastic.go
Connection Details:
  • Default Port: 9200, 9300
  • Protocol Name: wap-wsp
  • Authentication: HTTP Basic Auth

Remote Access Protocols

RDP (Remote Desktop Protocol)

RDP Authentication

Tests Windows Remote Desktop Protocol authentication with automatic protocol detection.
Implementation: pkg/hydra/rdp/grdp.go
Connection Details:
  • Default Port: 3389
  • Protocols: RDP-SSL and RDP
  • Domain Support: Optional domain parameter
Key Features:
scan4all automatically detects whether the target supports:
  • PROTOCOL_SSL: RDP over SSL/TLS
  • PROTOCOL_RDP: Standard RDP
The tool selects the appropriate connection method based on the target’s capabilities.
Supports both local and domain authentication:
Check(ip, domain, username, password, port, protocol)
Usage:
./scan4all -host rdp.example.com -port 3389

# With domain
./scan4all -host rdp.example.com -domain CONTOSO

SSH (Secure Shell)

SSH Authentication

Tests SSH authentication with password and key support.
Implementation: pkg/hydra/ssh/ssh.go
Connection Details:
  • Default Port: 22
  • Timeout: 3 seconds
  • Authentication Methods: Password (key support available)
Protocol Support:
  • Standard SSH
  • rsh-spx: Remote Shell variant (uses same SSH implementation)
  • ldap: LDAP over SSH (uses same SSH implementation)
Features:
  • Host key verification bypass for testing
  • Automatic session management
  • Connection reuse detection

Telnet

Telnet Authentication

Tests Telnet authentication with multiple server type detection.
Implementation: pkg/hydra/telnet/telnet.go
Connection Details:
  • Default Port: 23
  • Server Types: Multiple (auto-detected)
Key Features:
Automatically detects Telnet server type before authentication:
  • Standard Telnet servers
  • Cisco devices
  • Network equipment
  • Embedded devices
Unauthorized Access Detection: Automatically identifies open Telnet without authentication.
When unauthorized access is detected:
if serverType == gotelnet.UnauthorizedAccess {
    // Marks as successful with special status
    authInfo.Auth.Other["Status"] = "UnauthorizedAccess"
}

VNC (Virtual Network Computing)

VNC Authentication

Tests VNC password authentication.
Implementation: pkg/hydra/vnc/checkvnc.go
Connection Details:
  • Default Port: 5900, 5901, etc.
  • Authentication: VNC password

WinRM (Windows Remote Management)

WinRM Authentication

Tests Windows Remote Management authentication.
Implementation: pkg/hydra/winrm/winrm.go
Connection Details:
  • Default Port: 5985 (HTTP), 5986 (HTTPS)
  • Protocol: WS-Management
  • Authentication Methods: Basic, NTLM

rsh-spx

Remote Shell Protocol

Tests remote shell authentication (variant).
Implementation: Uses SSH implementation (pkg/hydra/ssh/ssh.go)
Connection Details:
  • Protocol mapping to SSH
  • Standard SSH ports and authentication

File Transfer & Network Protocols

FTP (File Transfer Protocol)

FTP Authentication

Tests FTP server authentication.
Implementation: pkg/hydra/ftp/ftp.go
Connection Details:
  • Default Port: 21
  • Timeout: 5 seconds
  • Protocols: FTP (FTPS detection available)
Features:
  • Automatic login/logout sequence
  • Connection pooling
  • Anonymous FTP detection

SMB (Server Message Block)

SMB Authentication with Vulnerability Detection

Tests SMB authentication and detects critical vulnerabilities.
Implementation: pkg/hydra/smb/smb.go
Connection Details:
  • Default Port: 445, 139
  • Timeout: 5 seconds
  • Domain Support: Optional
Vulnerability Detection:
Automatic Vulnerability Scanning: SMB protocol testing includes detection for:
  • MS17-010 (EternalBlue):
    • CVE-2017-0143
    • CVE-2017-0144
    • CVE-2017-0145
    • CVE-2017-0146
    • CVE-2017-0147
    • CVE-2017-0148
  • SMBGhost: CVE-2020-0796
Features:
  • Context-based timeout handling
  • Domain authentication support
  • Session authentication verification
  • Workstation name support
Connection Options:
options := smb.Options{
    Host:        Host,
    Port:        Port,
    User:        Username,
    Password:    Password,
    Domain:      Domain,
    Workstation: "",
}

SOCKS5

SOCKS5 Proxy Authentication

Tests SOCKS5 proxy authentication.
Implementation: pkg/hydra/socks5/client.go
Connection Details:
  • Default Port: 1080
  • Authentication Methods: Username/Password

SNMP

SNMP Community String Testing

Tests SNMP community strings.
Implementation: pkg/hydra/snmp/snmp.go
Connection Details:
  • Default Port: 161 (UDP)
  • Versions: SNMPv1, SNMPv2c, SNMPv3
  • Community Strings: Tested as passwords

Web & Application Protocols

HTTP Basic Authentication

HTTP BasicAuth Testing

Tests HTTP Basic Authentication including WebDAV and SVN.
Supported Applications:
  • Generic HTTP Basic Auth
  • WebDAV: Web Distributed Authoring and Versioning
  • SVN: Apache Subversion repositories
Implementation: pkg/hydra/svn/checksvn.go
Smart Activation: HTTP password brute-forcing automatically activates when authentication is required, without manual intervention.

Weblogic

Oracle Weblogic Server

Tests Weblogic authentication with T3 and IIOP protocol support.
Connection Details:
  • Default Port: 7001
  • Protocols: T3, IIOP
Enable nuclei integration with enableNuclei=true for comprehensive Weblogic vulnerability detection including T3 and IIOP protocol testing.

Tomcat

Apache Tomcat Manager

Tests Tomcat manager application authentication.
Connection Details:
  • Default Port: 8080
  • Path: /manager/html
  • Authentication: HTTP Basic Auth

JBoss

Red Hat JBoss Application Server

Tests JBoss application server authentication.
Connection Details:
  • Default Port: 8080, 9990
  • Management Interface: Admin console

RouterOS

MikroTik RouterOS

Tests MikroTik RouterOS authentication.
Implementation: pkg/hydra/router/router.go
Connection Details:
  • Default Port: 8728
  • Protocol: RouterOS API

POP3 / POP3S

Post Office Protocol v3

Tests POP3 email server authentication.
Implementation: pkg/hydra/pop3/pop3.go
Connection Details:
  • POP3 Port: 110
  • POP3S Port: 995 (SSL/TLS)
  • Authentication: USER/PASS commands
Protocols:
  • pop3: Plain text authentication
  • pop3s: SSL/TLS encrypted authentication

Configuration

Dictionary Management

Each protocol has default username/password lists:
DefaultAuthMap = map[string]*AuthList{
    "mysql":      GetDefaultFtpList("mysql"),
    "ssh":        GetDefaultFtpList("ssh"),
    "rdp":        GetDefaultFtpList("rdp"),
    // ... for all 23 protocols
}
Override defaults with custom wordlists:
# Merge with defaults
./scan4all -host target.com -user custom_users.txt -pass custom_pass.txt

# Replace defaults completely
./scan4all -host target.com -user users.txt -pass pass.txt -replace
Redis and other password-only protocols automatically ignore username lists:
if protocol == "redis" {
    CustomAuthMap.Username = []string{}
}

Concurrency Control

From pkg/hydra/hydra.go:54:
Pool.Interval = time.Microsecond * 13  // Delay between attempts
Thread Configuration:
# Set concurrent threads
./scan4all -host target.com -threads 50

Timeout Configuration

Most protocols use 3-5 second timeouts. Adjust in config/config.json:
{
  "hydra": {
    "timeout": 5,
    "threads": 50
  }
}

Usage Examples

Single Host Testing

# Test all protocols against single host
./scan4all -host 192.168.1.100

# Test specific protocol
./scan4all -host 192.168.1.100 -protocol ssh

# Custom port
./scan4all -host 192.168.1.100 -port 2222 -protocol ssh

Bulk Testing

# Test multiple hosts from file
./scan4all -list targets.txt

# With custom dictionaries
./scan4all -list targets.txt -user users.txt -pass passwords.txt

Advanced Configuration

# Enable password cracking with custom settings
priorityNmap=true ./scan4all -host target.com -threads 100

# With Elasticsearch output
./scan4all -host target.com -es http://localhost:9200

Output Format

Successful Authentication

[+] ssh://admin:[email protected]:22
[+] mysql://root:[email protected]:3306
[+] redis://192.168.1.100:6379 auth:redis123

With Elasticsearch

Results are automatically indexed to Elasticsearch when enabled:
# Query results
curl "http://localhost:9200/hydra_index/_search?q=protocol:ssh"
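Result lines carry live credentials, so they should be masked before they are copied into reports or tickets. The following is an added example, not scan4all code: a hypothetical Redact helper for the two layouts in the Output Format samples, where the proto://user:secret@host:port layout is an assumption reconstructed from those samples and the input lines are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

const mask = "<redacted>"

// Redact masks the secret in one result line. Layouts handled (assumed from the
// page's samples): "[+] proto://user:secret@host:port" and
// "[+] proto://host:port auth:secret". Lines without the "[+] " prefix pass
// through; "[+] " lines that fit neither layout are masked whole (fail closed).
func Redact(line string) string {
	if !strings.HasPrefix(line, "[+] ") {
		return line
	}
	// Password-only form: the secret follows " auth:".
	if i := strings.Index(line, " auth:"); i >= 0 {
		return line[:i] + " auth:" + mask
	}
	scheme := strings.Index(line, "://")
	at := strings.LastIndex(line, "@") // last '@', so a secret containing '@' is fully masked
	if scheme < 0 || at < scheme {
		return "[+] " + mask
	}
	userinfo := line[scheme+3 : at]
	colon := strings.Index(userinfo, ":") // first ':', so a secret containing ':' is fully masked
	if colon < 0 {
		return "[+] " + mask
	}
	return line[:scheme+3] + userinfo[:colon+1] + mask + line[at:]
}

func main() {
	// Constructed sample lines, not real findings.
	for _, l := range []string{
		"[+] ssh://admin:p@ss:w0rd@192.0.2.10:22",
		"[+] redis://192.0.2.10:6379 auth:s3cret",
	} {
		fmt.Println(Redact(l))
	}
}
```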

Security Considerations

Legal Authorization: Only perform password cracking against systems you own or have explicit written permission to test. Unauthorized access attempts may be illegal.
Account Lockout: Many systems implement account lockout policies. Use appropriate delays and limits to avoid:
  • Account lockouts
  • IP bans
  • Service disruption
  • Detection by security systems
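On the defended side, concurrent attempts against one service appear as a burst of failed logins from a single source. The following is an added example, not scan4all code: a sliding-window detector over OpenSSH "Failed password" lines, where the log lines are constructed and the RFC 3339 timestamp prefix, the 10-second window and the threshold of 5 are assumptions to tune per environment.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// SampleLog is constructed for this example: one bursting source, one user typo.
var SampleLog = []string{
	"2024-05-01T10:00:00Z gw sshd[101]: Failed password for root from 203.0.113.7 port 40001 ssh2",
	"2024-05-01T10:00:00Z gw sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2",
	"2024-05-01T10:00:01Z gw sshd[103]: Failed password for root from 203.0.113.7 port 40003 ssh2",
	"2024-05-01T10:00:01Z gw sshd[104]: Failed password for invalid user oracle from 203.0.113.7 port 40004 ssh2",
	"2024-05-01T10:00:02Z gw sshd[105]: Failed password for root from 203.0.113.7 port 40005 ssh2",
	"2024-05-01T10:00:05Z gw sshd[106]: Failed password for alice from 198.51.100.20 port 50111 ssh2",
	"2024-05-01T10:02:40Z gw sshd[107]: Failed password for alice from 198.51.100.20 port 50112 ssh2",
}
var failedRe = regexp.MustCompile(`^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port`)

// DetectBursts returns, for each source IP whose failed logins reach minFails
// inside any span of length window, the peak count seen. Input must be time-ordered.
func DetectBursts(lines []string, window time.Duration, minFails int) map[string]int {
	bySrc := map[string][]time.Time{}
	for _, l := range lines {
		if m := failedRe.FindStringSubmatch(l); m != nil {
			if ts, err := time.Parse(time.RFC3339, m[1]); err == nil {
				bySrc[m[2]] = append(bySrc[m[2]], ts)
			}
		}
	}
	flagged := map[string]int{}
	for src, ts := range bySrc {
		start := 0 // left edge of the sliding window
		for end := range ts {
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if n := end - start + 1; n >= minFails && n > flagged[src] {
				flagged[src] = n
			}
		}
	}
	return flagged
}

func main() {
	fmt.Println(DetectBursts(SampleLog, 10*time.Second, 5))
}
```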

Best Practices

  1. Rate Limiting: Configure appropriate thread counts and delays
  2. Targeted Testing: Test specific protocols rather than all protocols
  3. Custom Dictionaries: Use targeted wordlists based on reconnaissance
  4. Monitoring: Watch for account lockouts and adjust strategy
  5. Documentation: Maintain logs of all testing activities

Integration

With Nuclei

# Enable nuclei for vulnerability detection
enableNuclei=true ./scan4all -host target.com

With Nmap Results

# Import nmap results and test only detected services
noScan=true ./scan4all -list nmap_results.xml

Custom POCs

Extend with custom authentication POCs in config/config.json.

Troubleshooting

  • Verify target is reachable
  • Check firewall rules
  • Confirm service is running on expected port
  • Review dictionary quality
  • Increase timeout in configuration
  • Check network latency
  • Reduce concurrent threads
  • Verify target stability
  • Reduce thread count
  • Increase delay between attempts
  • Use smaller dictionaries
  • Implement progressive delays
  • Tool tests 400+ common SIDs automatically
  • Add custom SIDs to configuration
  • Verify Oracle TNS listener is responding
  • Check Oracle service status
