Scanner Suite

RTFMv2 provides integrated graphical interfaces for the most popular penetration testing scanners. Each scanner has a custom UI designed to simplify configuration while providing access to advanced options.

Overview

The Scanner Suite includes:

  • Nmap: Network discovery and port scanning
  • Wfuzz: Web application fuzzing
  • SQLMap: SQL injection detection and exploitation
  • OpenVAS: Comprehensive vulnerability scanning
  • Nuclei: Template-based vulnerability detection

All scanners automatically parse results and populate the session database with findings.

Nmap Scanner

Network mapper for host discovery, port scanning, and service enumeration.

Quick Scan

Launch a basic scan with one click:

  1. Select target(s) from session IP ranges or enter manually
  2. Click "Quick Scan" button
  3. Choose scan profile:
    • Ping sweep (host discovery)
    • Top 100 ports
    • Common ports (top 1000)
    • All ports (1-65535)
  4. Click "Start Scan"

Nmap Scripting Engine (NSE)

Script Categories (NSE category names as used with --script):

  • auth: Authentication testing
  • brute: Brute-force attacks
  • discovery: Service enumeration
  • exploit: Exploitation attempts
  • vuln: Vulnerability detection
  • malware: Malware detection

The brute and exploit categories are intrusive: they generate failed logins and can crash fragile services, so run them only where the rules of engagement allow it.

Using Scripts:

  1. Select "Script Scan" tab
  2. Choose category or specific scripts
  3. Configure script arguments (if required)
  4. Add to scan configuration
  5. Launch scan

Popular Scripts:

  • http-enum: Web directory enumeration
  • smb-enum-shares: SMB share listing
  • vuln: Not a single script but a category; --script vuln runs every vulnerability-detection script, some of which are intrusive
  • ssl-cert: TLS certificate information
  • dns-brute: DNS subdomain brute-force

Scan Profiles

Pre-configured profiles for common tasks:

Web Server Enumeration:

Ports: 80,443,8000,8080,8443
Scripts: http-enum, http-headers, http-methods, ssl-cert
Version detection: Enabled
Timing: T4

Windows Host Discovery:

Ports: 135,139,445,3389,5985
Scripts: smb-os-discovery, smb-enum-shares, rdp-enum-encryption
OS detection: Enabled
Version detection: Enabled

Database Server Scan:

Ports: 1433,3306,5432,5984,27017,6379
Scripts: Database-specific enumeration
Version detection: Intensity 9

Full Network Audit:

Ports: 1-65535
All scripts: Enabled (this includes the intrusive brute, dos and exploit categories; restrict to the safe and vuln categories on production systems)
OS detection: Enabled
Version detection: Max intensity (--version-intensity 9)
Timing: T3 (Nmap's default; slower than T4 but less likely to overwhelm hosts)
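The two halves of what the Nmap integration does, as an added example that is not RTFMv2's own code: build the argument vector for a scan profile and parse the XML that nmap writes with -oX into per-port findings. The profile dict shape, the field names of the finding records and the sample XML are assumptions made for the example; the nmap flags (-p, -T, -sV, --version-intensity, -O, --script, -oX) are real. The target validator is the security-relevant part: a wrapper that pastes a user-supplied target into a shell string is a command-injection bug, so targets are checked and passed as an argv list, never through a shell.

```python
# Added example (not RTFMv2 code): scan profile -> nmap argv, nmap XML -> findings.
import ipaddress
import re
import xml.etree.ElementTree as ET

# Profile shape is an assumption; values mirror this page's "Web Server Enumeration" profile.
WEB_SERVER_PROFILE = {
    "ports": "80,443,8000,8080,8443",
    "scripts": ["http-enum", "http-headers", "http-methods", "ssl-cert"],
    "version_detection": True,
    "version_intensity": None,   # None = nmap's default (7)
    "os_detection": False,
    "timing": 4,
}

_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_target(target: str) -> bool:
    """Accept an IP, a CIDR block or a hostname; reject shell metacharacters and everything else."""
    try:
        ipaddress.ip_network(target, strict=False)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(target))


def build_nmap_argv(profile: dict, targets: list[str]) -> list[str]:
    """argv for subprocess.run(argv, shell=False, capture_output=True); XML arrives on stdout."""
    bad = [t for t in targets if not is_valid_target(t)]
    if bad:
        raise ValueError(f"refusing suspicious target(s): {bad}")
    argv = ["nmap", "-p", profile["ports"], f"-T{profile['timing']}"]
    if profile.get("version_detection"):
        argv.append("-sV")
        if profile.get("version_intensity") is not None:
            argv += ["--version-intensity", str(profile["version_intensity"])]
    if profile.get("os_detection"):
        argv.append("-O")
    if profile.get("scripts"):
        argv += ["--script", ",".join(profile["scripts"])]
    argv += ["-oX", "-"]          # XML on stdout is far easier to parse than -oN text
    return argv + list(targets)


def parse_nmap_xml(xml_text: str) -> list[dict]:
    """One record per open port: host, port, protocol, service/product/version, NSE output."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        hn_el = host.find("hostnames/hostname")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            findings.append({
                "host": addr_el.get("addr") if addr_el is not None else None,
                "hostname": hn_el.get("name") if hn_el is not None else None,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # conf below 5 means nmap took the name from its port table, not from a probe
                "guessed": svc is None or int(svc.get("conf", "0")) < 5,
                "scripts": {s.get("id"): s.get("output") for s in port.iter("script")},
            })
    return findings


# Constructed sample in the layout nmap emits for: nmap -sV --script http-server-header -oX - 10.0.0.5
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 80,443,8080 -oX - 10.0.0.5">
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.lab" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.49" method="probed" conf="10"/>
<script id="http-server-header" output="Apache/2.4.49 (Unix)"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
<service name="http-proxy" method="table" conf="3"/></port>
</ports></host></nmaprun>"""

if __name__ == "__main__":
    print(" ".join(build_nmap_argv(WEB_SERVER_PROFILE, ["10.0.0.5", "web01.lab"])))
    for finding in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(finding)
```

The `guessed` flag is worth keeping in the session database: a port-table guess (conf 3) should not be treated as a confirmed service when later scanners are chosen for it.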

Wfuzz Scanner

Web application fuzzing for directory discovery, parameter testing, and vulnerability detection.

Directory and File Discovery

Quick Fuzzing:

  1. Enter target URL: http://example.com/FUZZ
  2. Select wordlist: Built-in or custom
  3. Click "Start Fuzzing"

FUZZ Keyword:

The FUZZ keyword is replaced with each wordlist entry:

  • Directory brute-force: http://example.com/FUZZ
  • File discovery: http://example.com/FUZZ.php
  • Subdomain enumeration: http://FUZZ.example.com
  • Parameter fuzzing: http://example.com/page?param=FUZZ

Multiple FUZZ Points:

http://example.com/FUZZ/FUZ2Z

Use a different wordlist for each position: wordlists are assigned in the order given (one -w or -z option per marker), so the first feeds FUZZ and the second FUZ2Z.
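How multiple FUZZ points are expanded, as an added example that is neither wfuzz's nor RTFMv2's code: the iterator names (product, zip, chain) are the ones wfuzz accepts with -m, but the implementation below is a stand-alone re-creation and the wordlists are constructed for the example.

```python
# Added example (not wfuzz code): expand FUZZ, FUZ2Z, FUZ3Z ... markers against
# one wordlist each, with the three iterator modes wfuzz offers via -m.
import itertools
import re

_MARKER_RE = re.compile(r"FUZ(\d*)Z")


def fuzz_markers(template: str) -> list[str]:
    """Markers in wordlist order: FUZZ (index 1), FUZ2Z, FUZ3Z ..."""
    found = {m.group(0) for m in _MARKER_RE.finditer(template)}
    return sorted(found, key=lambda m: int(_MARKER_RE.match(m).group(1) or 1))


def expand_fuzz(template: str, wordlists: list[list[str]], iterator: str = "product") -> list[str]:
    markers = fuzz_markers(template)
    if iterator == "chain":
        # chain concatenates several wordlists into one stream for a single marker
        if len(markers) != 1:
            raise ValueError("chain iterator needs exactly one FUZZ marker")
        combos = ((w,) for w in itertools.chain(*wordlists))
    else:
        if len(markers) != len(wordlists):
            raise ValueError(f"{len(markers)} marker(s) but {len(wordlists)} wordlist(s)")
        if iterator == "product":     # every combination; FUZZ varies slowest
            combos = itertools.product(*wordlists)
        elif iterator == "zip":       # lockstep pairs; stops at the shortest list
            combos = zip(*wordlists)
        else:
            raise ValueError(f"unknown iterator {iterator!r}")
    urls = []
    for combo in combos:
        url = template
        for marker, word in zip(markers, combo):
            url = url.replace(marker, word)
        urls.append(url)
    return urls


if __name__ == "__main__":
    # Constructed wordlists: file stems and extensions for "File discovery"
    for u in expand_fuzz("http://example.com/FUZZ.FUZ2Z", [["index", "admin"], ["php", "bak"]]):
        print(u)
```

With product, a 10,000-word directory list against 5 extensions is 50,000 requests; check the count before launching, and prefer zip when two lists are meant to be paired one-to-one.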

Wordlists

Built-in Wordlists:

  • Common directories (DirBuster, SecLists)
  • Files by extension (.php, .asp, .jsp)
  • Subdomains
  • Parameters
  • User-agents
  • API endpoints

Custom Wordlists:

  1. Click "Import Wordlist"
  2. Select text file (one entry per line)
  3. Name the wordlist
  4. Save for future use

Wordlist Filtering:

  • Minimum/maximum word length
  • Regex pattern matching
  • Case transformation
  • Prefix/suffix addition

Filtering Results

Filter by (the equivalent wfuzz options are given in parentheses):

  • Status codes: show only (--sc) or hide (--hc) the listed codes, e.g. 200, 301, 403
  • Response length: hide (--hh) or show (--sh) responses with N chars
  • Response words: filter by word count (--hw / --sw)
  • Response lines: filter by line count (--hl / --sl)
  • Regex match: show (--ss) or hide (--hs) responses whose body matches a pattern

Hide/Show:

  • Hide 404 errors (default)
  • Hide specific status codes
  • Show only anomalies (responses whose size differs from the common baseline; this catches "soft 404" pages that answer 200 with the same boilerplate for every path)
  • Custom filter expressions (--filter, e.g. "c=200 and h>0")

Example Filters:

Show only: 200,301,302,403      (--sc 200,301,302,403)
Hide length: 0 chars            (--hh 0, drops empty responses)
Hide regex: "Not Found|404"     (--hs "Not Found|404")
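The filtering logic above, applied to constructed fuzzing results, as an added example that is not wfuzz's or RTFMv2's code. The `Filter` fields mirror the show/hide options named above; the anomaly detector compares each response size to the median of the set, which is one reasonable reading of "show only anomalies" and is an assumption of this example, not a description of how RTFMv2 computes it.

```python
# Added example (not wfuzz/RTFMv2 code): show/hide filters and size-anomaly detection
# over fuzzing results. Result records are constructed for the example.
import re
import statistics
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FuzzResult:
    payload: str
    code: int
    body: str

    @property
    def chars(self) -> int:
        return len(self.body)

    @property
    def words(self) -> int:
        return len(self.body.split())

    @property
    def lines(self) -> int:
        return self.body.count("\n")      # newline count, like wc -l


@dataclass
class Filter:
    """Mirrors --sc/--hc (codes), --hh (chars), --hw (words), --hl (lines), --ss/--hs (regex)."""
    show_codes: set[int] = field(default_factory=set)
    hide_codes: set[int] = field(default_factory=set)
    hide_chars: set[int] = field(default_factory=set)
    hide_words: set[int] = field(default_factory=set)
    hide_lines: set[int] = field(default_factory=set)
    show_regex: Optional[str] = None
    hide_regex: Optional[str] = None

    def keep(self, r: FuzzResult) -> bool:
        if self.show_codes and r.code not in self.show_codes:
            return False
        if (r.code in self.hide_codes or r.chars in self.hide_chars
                or r.words in self.hide_words or r.lines in self.hide_lines):
            return False
        if self.show_regex and not re.search(self.show_regex, r.body):
            return False
        if self.hide_regex and re.search(self.hide_regex, r.body):
            return False
        return True


def apply_filter(results, flt: Filter) -> list[FuzzResult]:
    return [r for r in results if flt.keep(r)]


def size_anomalies(results, ratio: float = 0.25) -> list[FuzzResult]:
    """Keep responses whose size is more than `ratio` away from the median size.
    A status-code filter alone keeps every soft-404; the size check drops them."""
    sizes = [r.chars for r in results]
    if len(sizes) < 3:
        return list(results)
    base = statistics.median(sizes)
    return [r for r in results if base == 0 or abs(r.chars - base) / base > ratio]


# Constructed results: a real page, a forbidden path, an empty 200, three soft-404s,
# a real 404 and an empty redirect.
SAMPLE_RESULTS = [
    FuzzResult("index", 200, "<html><body><h1>Welcome to example.com</h1><p>Public site.</p></body></html>\n"),
    FuzzResult("admin", 403, "<html><body>Forbidden</body></html>\n"),
    FuzzResult("backup", 200, ""),
    FuzzResult("foo", 200, "<html><body>Not Found: foo</body></html>\n"),
    FuzzResult("bar", 200, "<html><body>Not Found: bar</body></html>\n"),
    FuzzResult("baz", 200, "<html><body>Not Found: baz</body></html>\n"),
    FuzzResult("old", 404, "<html>404</html>\n"),
    FuzzResult(".git", 301, ""),
]

if __name__ == "__main__":
    example = Filter(show_codes={200, 301, 302, 403}, hide_chars={0}, hide_regex="Not Found|404")
    print([r.payload for r in apply_filter(SAMPLE_RESULTS, example)])
    print([r.payload for r in size_anomalies(apply_filter(SAMPLE_RESULTS, Filter(show_codes={200})))])
```

Note that the example filter hides `.git` because its redirect body is empty; when hunting exposed repositories, drop `hide_chars={0}` or add 301 handling, since a bare redirect to `/.git/` is itself the finding.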

Advanced Fuzzing

Authentication:

  • Basic Auth: Username/password
  • Digest Auth: Credentials
  • NTLM: Domain credentials
  • Cookie-based: Custom cookies
  • Header-based: API keys, tokens

Custom Headers:

User-Agent: Mozilla/5.0...
X-Forwarded-For: 127.0.0.1
Authorization: Bearer <token>

POST Data Fuzzing:

URL: http://example.com/login
Method: POST
Data: username=admin&password=FUZZ
Wordlist: Passwords

Rate Limiting:

  • Requests per second
  • Delay between requests
  • Concurrent connections
  • Randomize request order

Fuzzing Profiles

Common Web Discovery:

  • Wordlist: common.txt
  • Extensions: .php, .html, .asp
  • Hide: 404, 403
  • Threads: 10

API Endpoint Discovery:

  • Wordlist: api-endpoints.txt
  • Format: JSON/XML
  • Custom headers for API
  • Filter by content-type

Backup File Discovery:

  • Wordlist: backups.txt
  • Extensions: .bak, .old, .zip, .tar.gz
  • Show only: 200

Results Management

View Results:

  • Sortable table (status, size, words, lines)
  • Color-coded by status code
  • Click to view full response
  • Save interesting responses

Export Options:

  • CSV format
  • JSON for automation
  • HTML report
  • Raw responses

Integration:

  • Automatically add discovered URLs to session
  • Trigger SQLMap on suspicious parameters
  • Send to manual testing queue

SQLMap Scanner

Automated SQL injection detection and database exploitation.

Target Configuration

Direct URL:

http://example.com/page.php?id=1

By default SQLMap tests the GET and POST parameters it finds; cookie and header values are only tested at higher --level settings (see Test Levels below).

Request from Burp:

  1. Copy HTTP request from Burp Suite
  2. Click "Import Request"
  3. Paste raw request
  4. SQLMap extracts parameters automatically

From Wfuzz Results:

  1. Select URL from Wfuzz findings
  2. Right-click → "Test with SQLMap"
  3. Parameters auto-populated

Injection Testing

Test Levels (--level):

  • Level 1: GET and POST parameters only (default)
  • Level 2: Adds HTTP Cookie header values
  • Level 3: Adds User-Agent and Referer header values
  • Level 4: More payloads and boundaries
  • Level 5: All payloads and boundaries (slowest)

Risk Levels (--risk):

  • Risk 1: Default; safe for most targets
  • Risk 2: Adds heavy-query time-based tests (can load the database server)
  • Risk 3: Adds OR-based boolean payloads; an OR clause injected into an UPDATE or DELETE statement can affect every row, so use it only with explicit authorization and never against production data

Test Specific Parameters:

-p id,user,page

Limit testing to the named parameters (sqlmap's -p option) to save time.

Database Enumeration

Once injection is confirmed:

Enumerate:

  • Current database name (--current-db)
  • Current database user (--current-user)
  • Whether the current user has DBA privileges (--is-dba)
  • Database server banner and version (--banner)
  • Available databases (--dbs)

Extract Data:

  1. Select database
  2. Choose tables to dump
  3. Select columns (or dump all)
  4. Set row limits (avoid massive dumps)
  5. Start extraction

Dump Options:

  • Dump specific table
  • Dump all tables in database
  • Dump all databases (--dump-all: every row of every table; slow, noisy, and usually beyond what the engagement's data-handling rules permit)
  • Search for specific data (--search for column names such as password or email)

Advanced Options

Tamper Scripts:

Evade WAFs and filters by rewriting the payload's shape without changing its SQL meaning:

  • space2comment: Replace spaces with /**/
  • base64encode: Base64-encode the payload (only useful where the application decodes it)
  • charencode: Percent-encode every character
  • randomcase: RaNdOm CaSe for keywords

Several scripts can be chained with --tamper=space2comment,randomcase; tamper scripts only change encoding, they do not help when the WAF normalizes input before matching.
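The four transformations above, re-implemented and chained, as an added example that is not sqlmap's own tamper code (sqlmap's versions handle quoted strings and already-encoded input more carefully; these are the core transformations only). The payload strings are constructed for the example.

```python
# Added example (not sqlmap code): simplified tamper transformations and --tamper-style chaining.
import base64
import random


def space2comment(payload: str) -> str:
    """MySQL, MSSQL and PostgreSQL treat /**/ as whitespace; a naive ' OR ' or ' UNION ' regex does not."""
    return payload.replace(" ", "/**/")


def randomcase(payload: str, rng: random.Random) -> str:
    """Case-sensitive keyword matching misses 'uNiOn'. Seeded RNG keeps runs reproducible."""
    out = []
    for c in payload:
        if c.isalpha():
            c = c.upper() if rng.random() < 0.5 else c.lower()
        out.append(c)
    return "".join(out)


def charencode(payload: str) -> str:
    """Percent-encode every character, including ones that never need it."""
    return "".join(f"%{ord(c):02X}" for c in payload)


def base64encode(payload: str) -> str:
    return base64.b64encode(payload.encode()).decode()


def apply_tampers(payload: str, names: list[str], seed: int = 0) -> str:
    """Apply tamper scripts left to right, as --tamper=a,b,c does."""
    rng = random.Random(seed)
    table = {"space2comment": space2comment, "charencode": charencode, "base64encode": base64encode}
    for name in names:
        payload = randomcase(payload, rng) if name == "randomcase" else table[name](payload)
    return payload


if __name__ == "__main__":
    p = "1 AND 1=1"      # constructed boolean-based test payload
    for chain in (["space2comment"], ["randomcase"], ["space2comment", "charencode"], ["base64encode"]):
        print(",".join(chain), "->", apply_tampers(p, chain, seed=1))
```

Order matters when chaining: space2comment before charencode encodes the comment markers too, which is usually what you want, whereas charencode before space2comment leaves nothing for space2comment to replace.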

DBMS-Specific:

  • Force DBMS type (MySQL, PostgreSQL, MSSQL, Oracle)
  • Custom injection techniques
  • Union-based, error-based, time-based, boolean-based

Operating System Access:

  • --os-shell: Interactive OS shell (needs DBA privileges; on MySQL it works by uploading a web shell, so the target also needs a writable web directory)
  • --os-cmd: Execute a single command
  • --file-read: Read files from the server
  • --file-write together with --file-dest: Upload a local file to the given remote path (if permissions allow)

Output and Reporting

Real-time Output:

  • Live SQLMap console output
  • Colored status messages
  • Vulnerability confirmations
  • Extracted data preview

Saved Results:

  • All data stored in session database
  • Dumped tables in structured format
  • SQL injection details (type, payload)
  • Exploitation techniques used

Exporting:

  • CSV/JSON format
  • HTML report
  • Include in engagement report

OpenVAS Scanner

Comprehensive vulnerability assessment platform.

Configuration

First-Time Setup:

  1. Configure OpenVAS connection:
    • Host: localhost or remote OpenVAS server
    • Port: 9390 (default)
    • Username/Password: OpenVAS credentials
  2. Test connection
  3. Sync vulnerability database

Scan Profiles

Built-in Scan Configs:

  • Full and Fast: Quick scan with all NVTs
  • Full and Deep: Comprehensive, slower scan
  • System Discovery: Host discovery and OS detection
  • Host Discovery: Ping sweep only
  • Web Application Scan: Focus on web vulnerabilities
  • Custom: Build your own configuration

Creating Custom Configs:

  1. Select "Custom Scan Config"
  2. Choose NVT families to include:
    • Buffer overflow
    • Compliance
    • Credentials
    • Databases
    • Denial of Service
    • FTP
    • Web application
    • Etc.
  3. Save configuration

Target Management

Add Targets:

  • Single IP or hostname
  • IP range or CIDR
  • Import from session hosts
  • Exclude specific IPs

Credentials:

Provide credentials for authenticated scanning:

SSH:

  • Username/password
  • SSH private key
  • Privilege escalation (sudo)

SMB/Windows:

  • Domain\Username
  • Password or hash

SNMP:

  • Community string
  • Version (v1, v2c, v3)

Running Scans

Scan Execution:

  1. Select scan config
  2. Choose targets
  3. Set credentials (optional)
  4. Schedule or start immediately
  5. Monitor progress

Progress Monitoring:

  • Overall completion percentage
  • Current phase (host discovery, port scan, NVT execution)
  • Vulnerabilities found so far
  • ETA to completion

Results Analysis

Vulnerability List:

  • Sorted by severity (Critical, High, Medium, Low, Log)
  • Filterable by host, port, or vulnerability type
  • CVE references
  • CVSS scores

Vulnerability Details:

  • Full description
  • Affected hosts and ports
  • Solution/remediation steps
  • References (CVE, BID, etc.)
  • Risk assessment

Reporting:

  • Executive summary
  • Technical details
  • Remediation plan
  • Compliance mapping (PCI-DSS, ISO 27001)

Integration with Session

Automatic Parsing:

  • Vulnerabilities added to session database
  • Hosts updated with findings
  • Cross-referenced with other scanner results
  • AI analysis triggered on critical findings

Workflow:

  1. OpenVAS finds vulnerability
  2. AI suggests exploitation method
  3. User selects attack template
  4. Metasploit module launched automatically

Nuclei Scanner

Template-based vulnerability scanner for modern applications.

Template Management

Built-in Templates:

RTFMv2 includes templates from the Nuclei project:

  • CVEs (thousands of templates)
  • Misconfigurations
  • Default credentials
  • Exposed panels
  • Takeovers
  • Exposures

Template Categories:

  • cves/: CVE-specific checks
  • exposed-panels/: Admin panels, dashboards
  • exposures/: Configuration files, backups
  • misconfiguration/: Server misconfigs
  • technologies/: Tech stack detection
  • vulnerabilities/: Generic vulns
  • workflows/: Multi-step checks

Updating Templates:

  1. Click "Update Templates"
  2. Downloads latest from Nuclei GitHub
  3. Merge with custom templates
  4. Indexing for fast searching

Scanning with Nuclei

Quick Scan:

  1. Enter target URL or select from session
  2. Choose template severity:
    • Critical only
    • High and above
    • Medium and above
    • All severities
  3. Start scan

Template Selection:

  • Select specific templates
  • Choose entire categories
  • Use tags: -tags cve,exposure
  • Exclude tags: -exclude-tags dos

Severity Filtering:

-severity critical,high

Run only high-severity checks first.

Targeting:

  • Single URL
  • Multiple URLs (bulk mode)
  • All HTTP services in session
  • From Wfuzz discoveries

Rate Limiting:

  • Concurrent templates
  • Requests per second
  • Timeout values
  • Retries on failure

Results and Reporting

Findings Display:

  • Template matched
  • Severity
  • Target URL
  • Matched content
  • Template info

Exporting:

  • JSON format
  • Markdown report
  • Integration with session database
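How Nuclei's JSON-lines output can be turned into session findings, as an added example that is not nuclei's or RTFMv2's code: parse one JSON object per line (the format nuclei writes with -jsonl), drop anything below a severity floor or carrying an excluded tag, and sort most severe first. The sample lines are constructed in the field layout nuclei emits (template-id, info.name, info.severity, info.tags, host, matched-at); the record shape returned is an assumption of the example.

```python
# Added example (not nuclei/RTFMv2 code): nuclei JSONL -> filtered, sorted findings.
import json

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: three findings plus two junk lines of the kind that end up on stdout
# when -silent is not set or a line is truncated.
SAMPLE_NUCLEI_JSONL = """\
{"template-id":"CVE-2021-41773","info":{"name":"Apache 2.4.49 - Path Traversal","severity":"high","tags":["cve","cve2021","apache","traversal"]},"type":"http","host":"http://10.0.0.5","matched-at":"http://10.0.0.5/cgi-bin/.%2e/.%2e/.%2e/etc/passwd","timestamp":"2024-01-01T00:00:00Z"}
{"template-id":"tech-detect","info":{"name":"Wappalyzer Technology Detection","severity":"info","tags":["tech"]},"type":"http","host":"http://10.0.0.5","matched-at":"http://10.0.0.5","matcher-name":"apache","timestamp":"2024-01-01T00:00:01Z"}
[INF] Templates loaded for scan: 3
{"template-id":"git-config","info":{"name":"Git Config Disclosure","severity":"medium","tags":["config","exposure","git"]},"type":"http","host":"http://10.0.0.6","matched-at":"http://10.0.0.6/.git/config","timestamp":"2024-01-01T00:00:02Z"}
{"template-id":"truncated","info":{"name":"cut off mid-line
"""


def parse_nuclei_jsonl(text: str, min_severity: str = "info", exclude_tags=()) -> list[dict]:
    """Findings at or above min_severity, minus excluded tags, most severe first.
    Non-JSON and truncated lines are skipped rather than aborting the import."""
    floor = SEVERITY_RANK[min_severity]
    excluded = set(exclude_tags)
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        info = rec.get("info", {})
        sev = info.get("severity", "info").lower()
        tags = set(info.get("tags", []))
        if SEVERITY_RANK.get(sev, 0) < floor or tags & excluded:
            continue
        tid = rec.get("template-id", "")
        findings.append({
            "template": tid,
            "name": info.get("name"),
            "severity": sev,
            "host": rec.get("host"),
            "matched_at": rec.get("matched-at"),
            "cve": tid if tid.upper().startswith("CVE-") else None,
            "tags": sorted(tags),
        })
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["host"] or "", f["template"]))
    return findings


def by_host(findings: list[dict]) -> dict:
    grouped = {}
    for f in findings:
        grouped.setdefault(f["host"], []).append(f["template"])
    return grouped


if __name__ == "__main__":
    for f in parse_nuclei_jsonl(SAMPLE_NUCLEI_JSONL, min_severity="medium", exclude_tags=("dos",)):
        print(f["severity"], f["template"], f["matched_at"])
```

Keep `matched_at` rather than just `host`: for the path traversal template it records the exact URL that returned /etc/passwd, which is the evidence a report needs and what a retest will replay.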

Scanner Comparison and Orchestration

Multi-Scanner Workflows

Coordinated Scanning:

Use multiple scanners in sequence:

  1. Nmap for host/port discovery
  2. Nuclei for quick vulnerability checks
  3. OpenVAS for comprehensive assessment
  4. Wfuzz for web-specific enumeration
  5. SQLMap for injection testing

AI-Driven Selection:

Enable AI to choose appropriate scanners:

  • Detects HTTP service → Runs Wfuzz + Nuclei
  • Finds database port → Suggests Nmap scripts + SQLMap
  • Discovers SMB → Runs SMB-specific NSE scripts

Scan Results Correlation

Cross-Scanner Analysis:

RTFMv2 correlates findings:

  • Same vulnerability found by multiple scanners (confidence boost)
  • Complementary information merged
  • Duplicate findings deduplicated

Example:

Nmap: Apache 2.4.49 detected on port 80
Nuclei: CVE-2021-41773 matched
OpenVAS: Apache Path Traversal vulnerability
→ Merged into single high-confidence finding
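The merge shown above, carried out in code, as an added example that is not RTFMv2's correlation engine: three constructed scanner records for the Apache 2.4.49 host (an Nmap banner, a Nuclei template match and an OpenVAS result) are normalized to (host, port, identifier) observations and merged into one finding whose confidence grows with the number of independent sources. The one-entry version-to-CVE map, the confidence weights and the record shapes are assumptions of the example; the CVSS-to-severity cut-offs are the OpenVAS/GVM ones (Log 0, Low below 4.0, Medium below 7.0, High otherwise).

```python
# Added example (not RTFMv2 code): cross-scanner correlation keyed by (host, port, identifier).
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Stand-in for a vulnerability database (assumption): (product, version) -> CVEs.
KNOWN_VULNERABLE = {("apache httpd", "2.4.49"): ["CVE-2021-41773"]}


def cvss_class(score: float) -> str:
    """Severity class from a CVSS base score, using the OpenVAS/GVM cut-offs."""
    if score <= 0.0:
        return "Log"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def normalize(finding: dict) -> list[dict]:
    """One scanner record -> (host, port, id) observations. The id is a CVE when one is
    known (nmap banner lookup) or quoted (nuclei/OpenVAS text), else the finding's name."""
    src, host, port = finding["source"], finding["host"], finding["port"]
    name = finding.get("name") or finding.get("template") or ""
    if src == "nmap":
        key = (finding.get("product", "").lower(), finding.get("version", ""))
        ids = KNOWN_VULNERABLE.get(key, [])
        evidence = f"{finding.get('product')} {finding.get('version')} banner"
    else:
        text = " ".join(str(v) for v in finding.values())
        ids = sorted({c.upper() for c in CVE_RE.findall(text)}) or [f"name:{name.lower()}"]
        evidence = name
    return [{"host": host, "port": port, "id": i, "source": src,
             "evidence": evidence, "cvss": finding.get("cvss")} for i in ids]


def correlate(findings: list[dict]) -> list[dict]:
    merged = {}
    for f in findings:
        for obs in normalize(f):
            key = (obs["host"], obs["port"], obs["id"])
            m = merged.setdefault(key, {"host": obs["host"], "port": obs["port"], "id": obs["id"],
                                        "sources": [], "evidence": [], "cvss": None})
            if obs["source"] not in m["sources"]:
                m["sources"].append(obs["source"])
            m["evidence"].append(f"{obs['source']}: {obs['evidence']}")
            if obs["cvss"] is not None:
                m["cvss"] = max(m["cvss"] or 0.0, obs["cvss"])
    for m in merged.values():
        # Heuristic (assumption): 0.4 per independent scanner, plus 0.2 when nuclei's active
        # check actually triggered the bug rather than inferring it from a version. Capped at 1.0.
        m["confidence"] = min(1.0, 0.4 * len(m["sources"]) + (0.2 if "nuclei" in m["sources"] else 0.0))
        m["severity"] = cvss_class(m["cvss"]) if m["cvss"] is not None else "Unknown"
    return sorted(merged.values(), key=lambda m: -m["confidence"])


# Constructed records, following the page's Apache 2.4.49 example plus one unrelated finding.
SAMPLE_FINDINGS = [
    {"source": "nmap", "host": "10.0.0.5", "port": 80, "product": "Apache httpd", "version": "2.4.49"},
    {"source": "nuclei", "host": "10.0.0.5", "port": 80, "template": "CVE-2021-41773",
     "name": "Apache 2.4.49 - Path Traversal", "severity": "high"},
    {"source": "openvas", "host": "10.0.0.5", "port": 80,
     "name": "Apache HTTP Server Path Traversal (CVE-2021-41773)", "cvss": 7.5},
    {"source": "openvas", "host": "10.0.0.6", "port": 22, "name": "OpenSSH weak algorithms", "cvss": 2.6},
]

if __name__ == "__main__":
    for m in correlate(SAMPLE_FINDINGS):
        print(m["host"], m["port"], m["id"], m["severity"], m["confidence"], m["sources"])
```

Findings without a CVE fall back to a name key, so they are never silently dropped; they just will not merge across scanners that word the same issue differently, which is exactly the case that still needs a human to triage.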

Best Practices

Scan Strategy

  1. Start broad: Nmap ping sweep and port scan
  2. Enumerate services: Nmap version detection and scripts
  3. Quick vuln check: Nuclei with high-severity templates
  4. Deep assessment: OpenVAS authenticated scan
  5. Targeted fuzzing: Wfuzz and SQLMap on interesting services

Avoiding Detection

  • Use slower timing templates (T0 to T2; T3 is Nmap's default and is not a stealth setting)
  • Randomize scan order (--randomize-hosts in Nmap)
  • Scan during business hours (blend with normal traffic)
  • Fragment packets (-f in Nmap); sensors and host stacks that reassemble fragments still see the complete probe
  • Use decoy IPs (Nmap -D); decoys need to be live hosts to be believable, and your real address is still among the sources

Data Management

  • Regularly review and triage findings
  • Mark false positives promptly
  • Tag vulnerabilities for reporting
  • Export incremental results for backup

Next Steps

With scanners configured and results collected: