Run distributed scans with your instances. For more information about scans see Scans
Example Usage
axiom-select 'fleet*' # fleets should be already selected, but just in case, select can be a good idea
# Format
axiom-scan <input> -m <module> -o <text outfile> <any other args>
# Examples
axiom-scan roots.txt -m subfinder -o subfinder.txt # run subfinder against all roots
axiom-scan subfinder.txt -m dnsx -o dnsx.txt # run dnsx against all subfinder results
axiom-scan dnsx.txt -m httpx -o httpx.txt # run httpx against all dnsx results
axiom-scan httpx.txt -m gowitness -o screenshots-directory # run gowitness against all httpx results
axiom-scan httpx.txt -m nuclei -o nuclei.txt # run nuclei against all httpx results
axiom-scan httpx.txt -m ffuf -o ffuf.txt # run ffuf against all httpx results
axiom-scan ips.txt -m nmap -oG portscan.txt # run nmap, output as greppable
axiom-scan ips.txt -m nmap -oX portscan # Output and merge XMLs (this also creates an HTLM report)
axiom-scan ips.txt -m nmap -p- -sV -T4 -v --open -oA nampx-scan --spinup 10 # run nmap, pass extra_args to nmap binary, output to a directory containing text, XML and Greppable results, spin up 10 instances
axiom-scan ips.txt -m masscan -oG masscan.txt # Run masscan, output as greppable
axiom-scan provides easy distribution of arbitrary binaries and scripts.
axiom-scan optionally splits user-provided input files (target lists), and wordlists and uploads them to a unique scan working directory on the remote instance.
axiom-scan combines user-provided command-line arguments with commands in the module (~/.axiom/modules) and executes the final command on the remote instance.
axiom-scan downloads and merges scan output in a variety of different formats, specified by the extension in the module (dir, txt, oG, csv, xml, jsonl, none).
individual scanning operations are executed from a detacted tmux session ($module+$timestamp) inside a unique scan working directory (/home/op/scan/$module+$timestamp) on the remote instances.
Usage:
axiom-scan inputfile.txt -m ffuf -w /home/op/wordlist-on-remote-instance
axiom-scan inputfile.txt -m ffuf -wL /home/localuser/local-wordlist-to-upload
axiom-scan inputfile.txt -m ffuf -wD /home/localuser/local-wordlist-to-split-and-upload
axiom-scan inputfile.txt -m nuclei --remote-folder /home/op/nuclei-templates-on-remote-instances -o outputfile.txt
axiom-scan inputfile.txt -m nuclei --local-folder /home/localuser/local-custom-nuclei-template-folder-to-upload/ -o outputfile.txt
axiom-scan inputfile.txt -m nuclei --local-config /home/localuser/local-custom-nuclei-config-file-to-upload.yaml -o outputfile.txt --anew
axiom-scan inputfile.txt -m gowitness -oD screenshots-folder --spinup 10
axiom-scan inputfile.txt -m nmapx -p- -sV -T4 -v --open -oA nampx-scan --spinup 100 --rm-when-done --regions dal13,lon06,fra05,sjc04
Flags:
INPUT:
string[] required positional first argument must always be an input file, this can be a list of URLs, IPs, hostnames, etc
--dont-shuffle do not randomize input file before uploading (default is to randomize)
--dont-split do not split input file, upload entire input file to every instance (default is to split the input file)
--expand-cidr automatically expand any subnet in the input file (default does not expand subnets)
MODULE:
-m string[] the axiom-scan module to use with the scan (must be a JSON file in ~/.axiom/modules)
--list print all available modules located in ~/.axiom/modules
WORDLIST:
-w string[] replace _wordlist_ in module with user-provided wordlist (must be a path to a remote wordlist)
-wD,--distribute-wordlist string[] replace _wordlist_ in module with user-provided local wordlist to split and upload (default does not split the wordlist)
-wL,--local-wordlist string[] replace _wordlist_ in module with user-provided local wordlist (must be a path to a local wordlist)
FOLDER:
--remote-folder string[] replace _folder_ in module with user-provided remote folder (must be a path to a remote folder)
--local-folder string[] replace _folder_ in module with user-provided local folder to upload (must be a path to a local folder)
CONFIGURATIONS:
--remote-config string[] replace _config_ in module with user-provided configuration file (must be a configuration file on the remote instances)
--local-config string[] replace _config_ in module with user-provided local configuration file to upload (must be a local configuration file)
ONE-SHOT:
--disable-oneshot by default, if a module contains the string _target_ or _safe-target_ it is executed as a one-shot module. Use this flag to force disable
--unsafe for one-shot modules only, axiom will transparently replace _target_ with _safe-target_ in modules at runtime, use this flag to force disable
--track-finished for one-shot modules only, add this flag to track finished targets (creates a file in the remote scan working directory named finished.txt)
--threads int[] specify the number of threads to use with one-shot modules (default uses "threads": $N key:value pair in the module)"
OPTIMIZATIONS:
--upload string[] before the scan, upload a file to the unique scan working directory (/home/op/scan/$module+$timestamp) on remote instances (must be a path to a local file)
--download string[] after the scan, download a file from the unique scan working directory (/home/op/scan/$module+$timestamp) on remote instances (must be a path to a remote file)
--max-runtime DURATION[] kill scan if still running after DURATION, DURATION is a floating point number with an required suffix: 'm' for minutes, 'h' for hours or 'd' for days
--preflight-timeout int[] specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default 15 seconds
--skip-preflight do not automatically remove instances that can not be reached (default removes instances from the queue that can not be reached)
--anew pipe the output to anew before creating the final output file (also requires extension "ext":"txt", "ext":"oG" or "ext":"csv" to be in the module)
OUTPUT:
-o string[] output as default (the first ext mentioned in the module)
-oT/-txt string[] output as text (must also be supplied in the module using "ext":"txt")
-oD/-oA string[] output as directory (must also be supplied in the module using "ext":"dir" or "ext":"")
-oG string[] output as greppable, merge and sort unique (must also be supplied in the module using "ext":"oG")
-oJ string[] output as json lines, newline characters are used to delimit JSON data (must also be supplied in the module using "ext":"jsonl")
-oX string[] output as XML/HTML (supported for nmap and masscan)(must also be supplied in the module using "ext":"xml")
-csv string [] output as csv, extract csv header, merge and sort unique (must also be supplied in the module using "ext":"csv")
-none string [] do not attempt to merge the output at all (must also be supplied in the module using "ext":"none")
--quiet do not display findings to terminal
--rm-logs delete remote and local logs after scan completes, except for the unmered output files in ~/.axiom/logs/$module+$timestamp/output
--no-logs do not store any logs at all, do not tail terminal output. Delete all logs even the unmerged output files in ~/.axiom/logs/$module+$timestamp/output
--stdout only display stdout results to terminal (default displays stdout and stderr to the terminal)
FLEET:
--custom-ssh string[] path to custom SSH config file (default is located at ~/.axiom/.sshconfig)
--cache do not regenerate SSH config prior to scan, instead use cached config (located at ~/.axiom/.sshconfig)
--fleet string[] supply fleet prefix to use (default uses instances in ~/.axiom/selected.conf)
--regions string[] round-robin region distribution using comma-separated regions to cycle through (default is region in ~/.axiom/axiom.json)
--rm-when-done delete the instance when finished with its job (does not wait for all instances to complete)
--shutdown-when-done shutdown the instance when finished with its job (does not wait for all instances to complete)
--spinup int[] number of instances to spin up prior to scanning (default uses instances in ~/.axiom/selected.conf)
DEBUG:
--debug run with set -xv, warning: very verbose (use with --cache for less output)
EXTRA ARGS:
string[] supply additional arguments to be passed to the module
--extra-args string[] explicitly define extra args to be passed to the module, must be wrapped single or double quotes (depending on intended variable expansion)