wiki
  • 👋Welcome to the Ax Framework Wiki
  • Overview
    • ✅Existing Users
    • 💿Installation Guide
    • 💻Ax Controller
    • 💡How it Works
  • Fundamentals
    • 🛠️Ax Utility Scripts
    • 🔎Bring Your Own Provisioner
    • ⚔️Fleets
    • 🚀Scans
      • 🤖Modules
        • 📤Adding Simple Modules
        • 🎯Adding One-Shot Modules
        • 📎Merging and Module Extensions
      • ⚙️Horizontal vs Vertical Scaling
    • 🤝Responsibility
    • 📖Terminology
Powered by GitBook
On this page
  1. Fundamentals
  2. Scans

Modules

PreviousScansNextAdding Simple Modules

Last updated 3 months ago

All ax scan modules must be stored in ~/.axiom/modules. To create custom modules, see Adding Simple Modules and Adding One-Shot Modules.

Simple Modules are bash commands defined within JSON files. ax scan can execute any bash command you supply in the module, including loops and sub-shells, as long as it's valid JSON.

One-Shot Modules allow you to easily thread any binary or script. If the command in the module contains the string _target_ or _safe-target_, ax scan automatically executes the module as a One-Shot Module (unless --disable-oneshot is used). _target_ is replaced with the expanded target list that the current thread is running against.

When creating custom modules, make sure to understand how Merging and Module Extensions work. These features tell ax scan how to download and merge scan results in various formats.

When supplying extra command-line arguments to ax scan (also known as extra_args), these arguments are combined with the commands in the module. This effectively passes the extra arguments to the binary or script you are distributing at run-time. The final command is executed on all instances in parallel.

To quickly familiarize yourself with the default modules included in Ax, simply run ax scan --list.

Ax scan has some optional variable replacements, simplifying the process of dynamically replacing some variables at runtime, such as wordlists, config files, and folder paths.

Variable Replacements

The following variables will be replaced in both Simple Modules and One-Shot Modules at runtime:

Variable
Replacement and Argument

_wordlist_

  • A wordlist on the remote instances (-w).

  • A local wordlist to upload before the scan (-wL/--local-wordlist)

  • A local wordlist to split and upload before the scan (-wD/--distribute-wordlist

_config_

  • A file on the remote instances (--remote-config)

  • A local file to upload to all instances before the scan (--local-config)

_folder_

  • A folder on the remote instances (--remote-folder)

  • A local folder to upload to all instances (--nuclei-templates or --local-folder)

The following variables will only be replaced in One-Shot modules at runtime:

Variable
Replacement

_target_

Replaced with the expanded target list that the current thread is running against

_cleantarget_

Replaced with target cleaned from http:// or https://

_safe-target_

Replaced with target automatically quoting for commands, stopping subcommands running

Safe Target: By default the string _target_ in the module is automatically replaced with _safe-target_, unless the ax scan option --unsafe is used.

🚀
🤖
modules with long commands were truncated in the above screenshot for readability