
Run Scans

axiom-scan

Run distributed scans with your instances. For more information about scans, see Scans.

Example Usage

axiom-select 'fleet*' # a fleet should already be selected, but re-selecting first is a good precaution

# Format
axiom-scan <input> -m <module> -o <text outfile> <any other args>

# Examples
axiom-scan roots.txt -m subfinder -o subfinder.txt # run subfinder against all roots
axiom-scan subfinder.txt -m dnsx -o dnsx.txt # run dnsx against all subfinder results
axiom-scan dnsx.txt -m httpx -o httpx.txt # run httpx against all dnsx results
axiom-scan httpx.txt -m gowitness -o screenshots-directory # run gowitness against all httpx results
axiom-scan httpx.txt -m nuclei -o nuclei.txt # run nuclei against all httpx results
axiom-scan httpx.txt -m ffuf -o ffuf.txt # run ffuf against all httpx results


axiom-scan ips.txt -m nmap -oG portscan.txt # run nmap, output as greppable
axiom-scan ips.txt -m nmap -oX portscan # output and merge XMLs (this also creates an HTML report)
axiom-scan ips.txt -m nmap -p- -sV -T4 -v --open -oA nampx-scan --spinup 10 # run nmap, pass extra_args to nmap binary, output to a directory containing text, XML and Greppable results, spin up 10 instances


axiom-scan ips.txt -m masscan -oG masscan.txt # Run masscan, output as greppable

Usage

axiom-scan provides easy distribution of arbitrary binaries and scripts.
axiom-scan optionally splits user-provided input files (target lists) and wordlists, and uploads them to a unique scan working directory on the remote instance.
axiom-scan combines user-provided command-line arguments with commands in the module (~/.axiom/modules) and executes the final command on the remote instance.
axiom-scan downloads and merges scan output in a variety of different formats, specified by the extension in the module (dir, txt, oG, csv, xml, jsonl, none).
Individual scanning operations are executed from a detached tmux session ($module+$timestamp) inside a unique scan working directory (/home/op/scan/$module+$timestamp) on the remote instances.

Usage:
   axiom-scan inputfile.txt -m ffuf -w /home/op/wordlist-on-remote-instance
   axiom-scan inputfile.txt -m ffuf -wL /home/localuser/local-wordlist-to-upload
   axiom-scan inputfile.txt -m ffuf -wD /home/localuser/local-wordlist-to-split-and-upload
   axiom-scan inputfile.txt -m nuclei --remote-folder /home/op/nuclei-templates-on-remote-instances -o outputfile.txt
   axiom-scan inputfile.txt -m nuclei --local-folder /home/localuser/local-custom-nuclei-template-folder-to-upload/ -o outputfile.txt
   axiom-scan inputfile.txt -m nuclei --local-config /home/localuser/local-custom-nuclei-config-file-to-upload.yaml -o outputfile.txt --anew
   axiom-scan inputfile.txt -m gowitness -oD screenshots-folder --spinup 10
   axiom-scan inputfile.txt -m nmapx -p- -sV -T4 -v --open -oA nampx-scan --spinup 100 --rm-when-done --regions dal13,lon06,fra05,sjc04

Flags:
INPUT:
   string[]              required positional first argument must always be an input file, this can be a list of URLs, IPs, hostnames, etc
   --dont-shuffle        do not randomize input file before uploading (default is to randomize)
   --dont-split          do not split input file, upload entire input file to every instance (default is to split the input file)
   --expand-cidr         automatically expand any subnet in the input file (default does not expand subnets)

MODULE:
   -m string[]           the axiom-scan module to use with the scan (must be a JSON file in ~/.axiom/modules)
   --list                print all available modules located in ~/.axiom/modules

WORDLIST:
   -w string[]                           replace _wordlist_ in module with user-provided wordlist (must be a path to a remote wordlist)
   -wD,--distribute-wordlist string[]    replace _wordlist_ in module with user-provided local wordlist to split and upload (default does not split the wordlist)
   -wL,--local-wordlist string[]         replace _wordlist_ in module with user-provided local wordlist (must be a path to a local wordlist)

FOLDER:
   --remote-folder string[]              replace _folder_ in module with user-provided remote folder (must be a path to a remote folder)
   --local-folder string[]               replace _folder_ in module with user-provided local folder to upload (must be a path to a local folder)

CONFIGURATIONS:
   --remote-config string[]              replace _config_ in module with user-provided configuration file (must be a configuration file on the remote instances)
   --local-config string[]               replace _config_ in module with user-provided local configuration file to upload (must be a local configuration file)

ONE-SHOT:
   --disable-oneshot           by default, if a module contains the string _target_ or _safe-target_ it is executed as a one-shot module. Use this flag to force disable
   --unsafe                    for one-shot modules only, axiom will transparently replace _target_ with _safe-target_ in modules at runtime, use this flag to force disable
   --track-finished            for one-shot modules only, add this flag to track finished targets (creates a file in the remote scan working directory named finished.txt)
   --threads int[]             specify the number of threads to use with one-shot modules (default uses "threads": $N key:value pair in the module)

OPTIMIZATIONS:
   --upload string[]           before the scan, upload a file to the unique scan working directory (/home/op/scan/$module+$timestamp) on remote instances (must be a path to a local file)
   --download string[]         after the scan, download a file from the unique scan working directory (/home/op/scan/$module+$timestamp) on remote instances (must be a path to a remote file)
   --max-runtime DURATION[]    kill scan if still running after DURATION, DURATION is a floating point number with a required suffix: 'm' for minutes, 'h' for hours or 'd' for days
   --preflight-timeout int[]   specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default 15 seconds
   --skip-preflight            do not automatically remove instances that can not be reached (default removes instances from the queue that can not be reached)
   --anew                      pipe the output to anew before creating the final output file (also requires extension "ext":"txt", "ext":"oG" or "ext":"csv" to be in the module)

OUTPUT:
   -o string[]           output as default (the first ext mentioned in the module)
   -oT/-txt string[]     output as text (must also be supplied in the module using "ext":"txt")
   -oD/-oA string[]      output as directory (must also be supplied in the module using "ext":"dir" or "ext":"")
   -oG string[]          output as greppable, merge and sort unique (must also be supplied in the module using "ext":"oG")
   -oJ string[]          output as json lines, newline characters are used to delimit JSON data (must also be supplied in the module using "ext":"jsonl")
   -oX string[]          output as XML/HTML (supported for nmap and masscan)(must also be supplied in the module using "ext":"xml")
   -csv string[]         output as csv, extract csv header, merge and sort unique (must also be supplied in the module using "ext":"csv")
   -none string[]        do not attempt to merge the output at all (must also be supplied in the module using "ext":"none")
   --quiet               do not display findings to terminal
   --rm-logs             delete remote and local logs after scan completes, except for the unmerged output files in ~/.axiom/logs/$module+$timestamp/output
   --no-logs             do not store any logs at all, do not tail terminal output. Delete all logs even the unmerged output files in ~/.axiom/logs/$module+$timestamp/output
   --stdout              only display stdout results to terminal (default displays stdout and stderr to the terminal)

FLEET:
   --custom-ssh string[]       path to custom SSH config file (default is located at ~/.axiom/.sshconfig)
   --cache                     do not regenerate SSH config prior to scan, instead use cached config (located at ~/.axiom/.sshconfig)
   --fleet string[]            supply fleet prefix to use (default uses instances in ~/.axiom/selected.conf)
   --regions string[]          round-robin region distribution using comma-separated regions to cycle through (default is region in ~/.axiom/axiom.json)
   --rm-when-done              delete the instance when finished with its job (does not wait for all instances to complete)
   --shutdown-when-done        shutdown the instance when finished with its job (does not wait for all instances to complete)
   --spinup int[]              number of instances to spin up prior to scanning (default uses instances in ~/.axiom/selected.conf)

DEBUG:
   --debug                     run with set -xv, warning: very verbose (use with --cache for less output)

EXTRA ARGS:
   string[]                    supply additional arguments to be passed to the module
   --extra-args string[]       explicitly define extra args to be passed to the module, must be wrapped single or double quotes (depending on intended variable expansion)
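
A local model of the flow described under Usage (split the input, run per instance, merge the results), added here as an illustration and not taken from axiom-scan's source. The function names, chunk file names and round-robin dealing are assumptions; the merge rules follow the -oG and -csv descriptions in the flag list.

```shell
#!/usr/bin/env bash
# Local model of split -> scan -> merge. Not axiom-scan's own code; the
# function names, chunk naming and round-robin dealing are assumptions.

# Portable shuffle: prefix a random key, sort on it, strip it again.
shuffle() { awk 'BEGIN { srand() } { print rand() "\t" $0 }' "$1" | sort -n | cut -f2-; }

# Deal non-blank input lines round-robin into N chunks (one per instance).
# DONT_SHUFFLE=1 mirrors --dont-shuffle and keeps the original order.
split_input() {  # split_input <input> <instances> <outdir>
  mkdir -p "$3"
  if [ "${DONT_SHUFFLE:-0}" = 1 ]; then cat "$1"; else shuffle "$1"; fi |
    awk -v n="$2" -v d="$3" 'NF { print > (d "/chunk" ((c++) % n) ".txt") }'
}

# txt / oG style merge: concatenate per-instance results, sort unique.
merge_txt() {  # merge_txt <dir-of-per-instance-outputs>
  cat "$1"/* | sort -u
}

# csv style merge: keep one header, merge the bodies, sort unique.
merge_csv() {  # merge_csv <dir-of-per-instance-outputs>
  set -- "$1"/*
  head -n 1 "$1"
  for f in "$@"; do tail -n +2 "$f"; done | sort -u
}

demo() {
  work=$(mktemp -d)
  # Constructed sample target list (reserved example domains).
  printf '%s\n' a.example.com b.example.com c.example.com d.example.com \
    e.example.com f.example.com g.example.com > "$work/roots.txt"
  split_input "$work/roots.txt" 3 "$work/chunks"
  # Stand-in for the remote scan: each "instance" returns its chunk plus one
  # finding that every instance reports, so the merge has duplicates to drop.
  mkdir -p "$work/out"
  for c in "$work"/chunks/*; do
    { cat "$c"; echo shared.example.com; } > "$work/out/$(basename "$c")"
  done
  merge_txt "$work/out" | wc -l   # 7 targets + 1 shared finding
  rm -rf "$work"
}
demo
```

With the default shuffle the chunk contents differ between runs, but every target still lands in exactly one chunk, which is why the merged result is stable.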


Last updated 4 months ago

Modules must be located in ~/.axiom/modules/. For more information about modules, see Modules.