Run Scans
axiom-scan
Run distributed scans with your instances. For more information about scans, see Scans.
Example Usage
axiom-select 'fleet*' # fleets should be already selected, but just in case, select can be a good idea
# Format
axiom-scan <input> -m <module> -o <text outfile> <any other args>
# Examples
axiom-scan roots.txt -m subfinder -o subfinder.txt # run subfinder against all roots
axiom-scan subfinder.txt -m dnsx -o dnsx.txt # run dnsx against all subfinder results
axiom-scan dnsx.txt -m httpx -o httpx.txt # run httpx against all dnsx results
axiom-scan httpx.txt -m gowitness -o screenshots-directory # run gowitness against all httpx results
axiom-scan httpx.txt -m nuclei -o nuclei.txt # run nuclei against all httpx results
axiom-scan httpx.txt -m ffuf -o ffuf.txt # run ffuf against all httpx results
axiom-scan ips.txt -m nmap -oG portscan.txt # run nmap, output as greppable
axiom-scan ips.txt -m nmap -oX portscan # Output and merge XMLs (this also creates an HTML report)
axiom-scan ips.txt -m nmap -p- -sV -T4 -v --open -oA nampx-scan --spinup 10 # run nmap, pass extra_args to nmap binary, output to a directory containing text, XML and Greppable results, spin up 10 instances
axiom-scan ips.txt -m masscan -oG masscan.txt # Run masscan, output as greppable
Usage
Modules must be located in ~/.axiom/modules/. For more information about modules, see modules.
axiom-scan provides easy distribution of arbitrary binaries and scripts.
axiom-scan optionally splits user-provided input files (target lists) and wordlists, and uploads them to a unique scan working directory on the remote instance.
axiom-scan combines user-provided command-line arguments with commands in the module (~/.axiom/modules) and executes the final command on the remote instance.
axiom-scan downloads and merges scan output in a variety of different formats, specified by the extension in the module (dir, txt, oG, csv, xml, jsonl, none).
Individual scanning operations are executed from a detached tmux session ($module+$timestamp) inside a unique scan working directory (/home/op/scan/$module+$timestamp) on the remote instances.
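A small Python model of the input handling and output merging described above, added here as an illustration; it is not axiom's own code. The round-robin split, the expansion of a subnet to every address it contains, and the instance names and sample targets are assumptions constructed for the example.

```python
import ipaddress
import random

# Constructed sample input and instance names (not from a real scan).
SAMPLE_INPUT = ["192.0.2.0/30", "198.51.100.7", "https://example.com/login"]
FLEET = ["fleet01", "fleet02", "fleet03"]

def expand_cidrs(lines):
    """Model of --expand-cidr: replace each subnet with its addresses."""
    out = []
    for line in (raw.strip() for raw in lines):
        if not line:
            continue
        try:
            # Assumption: a subnet expands to every address it contains.
            net = ipaddress.ip_network(line, strict=False) if "/" in line else None
        except ValueError:
            net = None  # URLs and hostnames pass through unchanged
        if net is None:
            out.append(line)
        else:
            out.extend(str(ip) for ip in net)
    return out

def plan_scan(lines, instances, shuffle=True, split=True, expand_cidr=False, seed=None):
    """Return {instance: targets} for the default, --dont-shuffle and --dont-split cases."""
    targets = expand_cidrs(lines) if expand_cidr else [l.strip() for l in lines if l.strip()]
    if shuffle:
        random.Random(seed).shuffle(targets)
    if not split:
        # --dont-split: every instance receives the whole input file
        return {name: list(targets) for name in instances}
    # Assumption: round-robin split so each target goes to exactly one instance
    return {name: targets[i::len(instances)] for i, name in enumerate(instances)}

def merge_sort_unique(per_instance_output):
    """Model of the 'merge and sort unique' step applied to downloaded output."""
    return sorted({line for lines in per_instance_output.values() for line in lines})

if __name__ == "__main__":
    plan = plan_scan(SAMPLE_INPUT, FLEET, expand_cidr=True, seed=1)
    for name, targets in plan.items():
        print(name, len(targets), targets)
    print("merged:", merge_sort_unique(plan))
```

Running the model before a real scan shows how many targets a subnet adds once expanded and which instance would receive each one.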
Usage:
axiom-scan inputfile.txt -m ffuf -w /home/op/wordlist-on-remote-instance
axiom-scan inputfile.txt -m ffuf -wL /home/localuser/local-wordlist-to-upload
axiom-scan inputfile.txt -m ffuf -wD /home/localuser/local-wordlist-to-split-and-upload
axiom-scan inputfile.txt -m nuclei --remote-folder /home/op/nuclei-templates-on-remote-instances -o outputfile.txt
axiom-scan inputfile.txt -m nuclei --local-folder /home/localuser/local-custom-nuclei-template-folder-to-upload/ -o outputfile.txt
axiom-scan inputfile.txt -m nuclei --local-config /home/localuser/local-custom-nuclei-config-file-to-upload.yaml -o outputfile.txt --anew
axiom-scan inputfile.txt -m gowitness -oD screenshots-folder --spinup 10
axiom-scan inputfile.txt -m nmapx -p- -sV -T4 -v --open -oA nampx-scan --spinup 100 --rm-when-done --regions dal13,lon06,fra05,sjc04
Flags:
INPUT:
string[] required positional first argument must always be an input file, this can be a list of URLs, IPs, hostnames, etc
--dont-shuffle do not randomize input file before uploading (default is to randomize)
--dont-split do not split input file, upload entire input file to every instance (default is to split the input file)
--expand-cidr automatically expand any subnet in the input file (default does not expand subnets)
MODULE:
-m string[] the axiom-scan module to use with the scan (must be a JSON file in ~/.axiom/modules)
--list print all available modules located in ~/.axiom/modules
WORDLIST:
-w string[] replace _wordlist_ in module with user-provided wordlist (must be a path to a remote wordlist)
-wD,--distribute-wordlist string[] replace _wordlist_ in module with user-provided local wordlist to split and upload (default does not split the wordlist)
-wL,--local-wordlist string[] replace _wordlist_ in module with user-provided local wordlist (must be a path to a local wordlist)
FOLDER:
--remote-folder string[] replace _folder_ in module with user-provided remote folder (must be a path to a remote folder)
--local-folder string[] replace _folder_ in module with user-provided local folder to upload (must be a path to a local folder)
CONFIGURATIONS:
--remote-config string[] replace _config_ in module with user-provided configuration file (must be a configuration file on the remote instances)
--local-config string[] replace _config_ in module with user-provided local configuration file to upload (must be a local configuration file)
ONE-SHOT:
--disable-oneshot by default, if a module contains the string _target_ or _safe-target_ it is executed as a one-shot module. Use this flag to force disable
--unsafe for one-shot modules only, axiom will transparently replace _target_ with _safe-target_ in modules at runtime, use this flag to force disable
--track-finished for one-shot modules only, add this flag to track finished targets (creates a file in the remote scan working directory named finished.txt)
--threads int[] specify the number of threads to use with one-shot modules (default uses "threads": $N key:value pair in the module)
OPTIMIZATIONS:
--upload string[] before the scan, upload a file to the unique scan working directory (/home/op/scan/$module+$timestamp) on remote instances (must be a path to a local file)
--download string[] after the scan, download a file from the unique scan working directory (/home/op/scan/$module+$timestamp) on remote instances (must be a path to a remote file)
--max-runtime DURATION[] kill scan if still running after DURATION, DURATION is a floating point number with a required suffix: 'm' for minutes, 'h' for hours or 'd' for days
--preflight-timeout int[] specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default 15 seconds
--skip-preflight do not automatically remove instances that can not be reached (default removes instances from the queue that can not be reached)
--anew pipe the output to anew before creating the final output file (also requires extension "ext":"txt", "ext":"oG" or "ext":"csv" to be in the module)
OUTPUT:
-o string[] output as default (the first ext mentioned in the module)
-oT/-txt string[] output as text (must also be supplied in the module using "ext":"txt")
-oD/-oA string[] output as directory (must also be supplied in the module using "ext":"dir" or "ext":"")
-oG string[] output as greppable, merge and sort unique (must also be supplied in the module using "ext":"oG")
-oJ string[] output as json lines, newline characters are used to delimit JSON data (must also be supplied in the module using "ext":"jsonl")
-oX string[] output as XML/HTML (supported for nmap and masscan)(must also be supplied in the module using "ext":"xml")
-csv string[] output as csv, extract csv header, merge and sort unique (must also be supplied in the module using "ext":"csv")
-none string[] do not attempt to merge the output at all (must also be supplied in the module using "ext":"none")
--quiet do not display findings to terminal
--rm-logs delete remote and local logs after scan completes, except for the unmerged output files in ~/.axiom/logs/$module+$timestamp/output
--no-logs do not store any logs at all, do not tail terminal output. Delete all logs even the unmerged output files in ~/.axiom/logs/$module+$timestamp/output
--stdout only display stdout results to terminal (default displays stdout and stderr to the terminal)
FLEET:
--custom-ssh string[] path to custom SSH config file (default is located at ~/.axiom/.sshconfig)
--cache do not regenerate SSH config prior to scan, instead use cached config (located at ~/.axiom/.sshconfig)
--fleet string[] supply fleet prefix to use (default uses instances in ~/.axiom/selected.conf)
--regions string[] round-robin region distribution using comma-separated regions to cycle through (default is region in ~/.axiom/axiom.json)
--rm-when-done delete the instance when finished with its job (does not wait for all instances to complete)
--shutdown-when-done shutdown the instance when finished with its job (does not wait for all instances to complete)
--spinup int[] number of instances to spin up prior to scanning (default uses instances in ~/.axiom/selected.conf)
DEBUG:
--debug run with set -xv, warning: very verbose (use with --cache for less output)
EXTRA ARGS:
string[] supply additional arguments to be passed to the module
--extra-args string[] explicitly define extra args to be passed to the module, must be wrapped in single or double quotes (depending on intended variable expansion)