Ravenscan Features

Complete list of modules and capabilities.

Discovery & enumeration

Host discovery

ICMP ping, TCP SYN, ARP (local network only). Parallel detection with configurable timeouts. Skippable via --skip-discovery.

Port scanning

TCP connect + SYN scan (SYN scan requires CAP_NET_RAW). UDP scan (NTP, SNMP, DNS). Profiles: quick (top 100), standard (top 1000), full (all 65535 ports). Custom port lists supported. Configurable rate limiting.

Service detection

Banner grabbing + fingerprinting. Version identification for SSH, HTTP, SMTP, FTP, MySQL, PostgreSQL, Redis, MongoDB and more. TLS/SSL certificate parsing.

OS fingerprinting

TCP/IP stack fingerprinting (window size, MSS, TTL, DF bit). Multi-source correlation: SSH banner + HTTP Server + SMB OS string. Weighted confidence score.

Protocol audits

SSH

Weak algorithms, vulnerable versions (regreSSHion CVE-2024-6387), deprecated host key algorithms, password auth enabled.

TLS/SSL

Obsolete versions (SSLv2/v3, TLS 1.0/1.1), weak ciphers, expired/self-signed certificates, missing HSTS.

HTTP/HTTPS

Missing security headers (CSP, HSTS, X-Frame-Options), insecure cookies, technology detection, dangerous HTTP methods.

SMB/CIFS

SMBv1 enabled (WannaCry/EternalBlue), signing not required, anonymous shares, null sessions.

RDP

NLA disabled, weak encryption, BlueKeep (CVE-2019-0708), exposed RDP without MFA.

LDAP

Anonymous bind, signing not required, no channel binding, cleartext without STARTTLS.

Kubernetes

Unauthenticated API, exposed kubelet (:10250), exposed dashboard, anonymous cluster-admin.

Docker

Unauthenticated API (:2375), detectable privileged containers, cleartext API.

DNS

Zone transfer (AXFR) allowed, public recursion enabled, missing DNSSEC.

FTP / SNMP / NTP

FTP anonymous login, cleartext FTP. SNMP default communities, v1/v2c. NTP monlist amplification.

Vulnerability detection

  • Embedded CVE database — version-to-CVE mapping for ~200 products, CVSS v3, EPSS, exploit-db references
  • CISA KEV enrichment — "exploited in the wild" flag with date_added and due_date (~1,100 CVEs tracked)
  • Default credentials — ~500 combos by service (routers, databases, IP cameras, BMC/iLO). Opt-in via --check-defaults

Web vulnerability scanning

SQL injection

Error-based (MySQL, PostgreSQL, MSSQL, Oracle, SQLite), union-based, time-based blind. Injection in GET params, POST body, cookies, headers.

Cross-site scripting (XSS)

Reflected XSS with contextual canary, stored XSS indicators, DOM-based XSS hints.

Directory discovery

Embedded wordlist (~200 high-value paths): .git, .env, backup/, admin/, phpinfo.php, etc.

YAML templates (Nuclei-style)

Custom check engine with matchers (status, word, regex, size) and extractors. Variables: {{BaseURL}}, {{Host}}, {{Port}}.

Scoring & grading

  • Score 0–100 based on: finding count and severity, external exposure, CISA KEV presence, viable attack chains
  • Grade: A (≥90), B (≥75), C (≥60), D (≥40), F (<40)
  • Breakdown: Network, Web, Auth, Crypto, Config, KEV

Attack paths

Automatic correlation of findings into exploit chains, mapped to MITRE ATT&CK:

  • SMBv1 + default creds → lateral movement → domain admin
  • LDAP anonymous → user enumeration → Kerberoasting
  • K8s API unauth → cluster admin → container escape
  • SQLi → data exfiltration → credential reuse

Compliance mapping

  • ISO 27001
  • NIST CSF
  • CIS Controls v8
  • PCI DSS 4.0
  • HIPAA
  • SOC 2

Reports

Formats

  • PDF — executive summary + detailed findings
  • HTML — portable, inline CSS
  • JSON / JSONL — SIEM integration
  • Markdown — internal documentation
  • TXT — CLI / grep-friendly

Content

  • Cover page (date, targets, grade)
  • Executive summary
  • Top risks prioritised
  • Findings by severity / host / service
  • Attack paths with MITRE mapping
  • Compliance summary

API & automation

  • REST API: /api/v1/scans, /api/v1/reports, /api/v1/trends
  • Scheduler (Enterprise) — cron-based recurring scans with notifications
  • Webhooks (Enterprise) — Slack, Microsoft Teams, generic HTTP JSON
  • Baselines (Enterprise) — capture accepted state, exceptions with reason/expiry/approval, alert only on new findings

Product security

  • Static binary, non-privileged user in container
  • API key stored as SHA-256 hash, timing-safe comparison
  • Licence files signed with RSA-2048, PKCS#1 v1.5 padding, SHA-256
  • No telemetry — structured logs, no secrets in logs
  • Optional at-rest encryption for SQLite
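As an added illustration of the API key handling described above (example code written for this page, not Ravenscan's own implementation), the pattern is: hash the key with SHA-256 at issue time, store only the digest, and verify a presented key with a constant-time digest comparison rather than `==`. The function names and the weak/hardened pair are this example's own.

```python
import hashlib
import hmac
import secrets


def issue_api_key() -> tuple[str, str]:
    """Generate a fresh API key and return (plaintext_key, stored_sha256_hex).

    The plaintext is shown to the user once; only the hex digest is persisted.
    A plain unsalted SHA-256 is acceptable here because the key is 256 bits of
    random entropy, unlike a user-chosen password, which would need a slow KDF.
    """
    key = secrets.token_urlsafe(32)
    return key, hashlib.sha256(key.encode("utf-8")).hexdigest()


def verify_api_key_weak(presented: str, stored_hash_hex: str) -> bool:
    """Weak form: '==' on strings short-circuits at the first differing byte,
    so response time leaks how many leading digest bytes matched."""
    digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return digest == stored_hash_hex


def verify_api_key(presented: str, stored_hash_hex: str) -> bool:
    """Hardened form: hash first, then compare digests in constant time.

    Hashing before comparing also means the stored value never has to be the
    secret itself, so a database read of the key table yields only digests.
    """
    digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_hash_hex)


if __name__ == "__main__":
    plaintext, stored = issue_api_key()
    print("store this digest:", stored)
    print("valid key accepted:", verify_api_key(plaintext, stored))
    print("tampered key rejected:", verify_api_key(plaintext + "x", stored))
```

Both verify functions accept the same keys; the difference is only in the timing behaviour of the comparison, which is why a table of stored digests plus `hmac.compare_digest` is the form to keep.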