Carnivore - Predator
Formerly known as THC HackSuite, Carnivore - Predator stands at the forefront of cutting-edge cybersecurity tools, redefining the landscape of penetration testing with unparalleled innovation. Designed to empower ethical hackers, security professionals, and enthusiasts alike, Carnivore - Predator is the ultimate Pentest CMS that puts you in command.
current version: 0.7.0 - PREDATOR
home > documentation > modules > How to use THC Sscan
This article explains how to effectively make use of THC Sscan.
author: Remco Kouw
created: 18-May-2024
updated: 18-May-2024

THC Sscan Introduction

This documentation outlines the functionality of the thc_ss module.

THC Sscan is a highly sophisticated module within Carnivore, designed for monitoring content and webpages. Mastering this tool can be challenging, particularly when creating custom callbacks.

Interface Parameters:

  1. URL to scan: The target URL to monitor for changes.
  2. Scan interval (s): The interval in seconds between each scan.
  3. End after match: Terminates script execution upon finding a match.
  4. Regex search: Utilizes regular expressions for searching instead of plain text.
  5. String to find: The text or pattern to search for.
  6. Method to send: The method used to send variables, either POST or GET.
  7. Scan type: Specifies a scan type that reacts to specific conditions when a string or pattern is found or not found.
  8. Notification: Logs the event or sends an email (requires a mail server) when conditions are met.
  9. Use callback? Callbacks enable Sscan to perform advanced tasks. A callback for brute-forcing the login test server is included.
  10. Error message: An error message indicating when something unexpected occurs, causing script termination.
  11. Extra variables: Allows additional query variables when the target requires more input.
  12. Callback function: Specifies a callback function for advanced monitoring tasks.

ModGlue Variables:

  1. $_CONTEXT['thc_ss']['paths']['logs']: The absolute path to the LOGS folder for logging actions.
  2. $_CONTEXT['thc_ss']['paths']['logtemplate']: The absolute path to the LOGT folder containing logging templates.
  3. $_CONTEXT['thc_ss']['paths']['callbacks']: The absolute path to the CALLBACKS folder where callbacks are stored.
  4. $_CONTEXT['thc_ss']['paths']['emailtemplate']: The absolute path to the EMAILT folder containing email templates.
  5. $_CONTEXT['thc_ss']['paths']['callbackpath']: The absolute path to a specific callback.
  6. $_CONTEXT['thc_ss']['paths']['emailtemplatepath']: The absolute path to an email template.
  7. $_CONTEXT['thc_ss']['paths']['loggingpath']: The absolute path to a log file.
  8. $_CONTEXT['thc_ss']['paths']['logtemplatefile']: The absolute path to a log template.
  9. $_CONTEXT['thc_ss']['paths']['dumplogtemplatefile']: The absolute path to the default log template file, applicable only in the Dump Default Log case.
  10. $_CONTEXT['thc_ss']['paths']['dumplogfile']: The absolute path to the default log file, applicable only in the Dump Default Log case.
  11. $_CONTEXT['thc_ss']['urlparts']['host']: The host part of the target URL.
  12. $_CONTEXT['thc_ss']['urlparts']['query']: The query part of the target URL.
  13. $_CONTEXT['thc_ss']['urlparts']['scheme']: The scheme part of the target URL.
  14. $_CONTEXT['thc_ss']['urlparts']['path']: The path part of the target URL.
  15. $_CONTEXT['thc_ss']['urlparts']['queryold']: The original query part of the target URL.
  16. $_CONTEXT['thc_ss']['callbacksearch']: Indicates whether the current search will be performed by a callback (boolean).
  17. $_CONTEXT['thc_ss']['regex']: Indicates if regex pattern searches are enabled (boolean).
  18. $_CONTEXT['thc_ss']['transfermethod']: The transfer method, either POST or GET (string).
  19. $_CONTEXT['thc_ss']['temporary_scan']: Indicates if the scan is temporary (boolean).
  20. $_CONTEXT['thc_ss']['negative_scan']: Indicates if the script ends when a match isn't found (boolean).
  21. $_CONTEXT['thc_ss']['timebased_scan']: Indicates if the scan runs for a limited time (boolean).
  22. $_CONTEXT['thc_ss']['endmessage']: Text that ends Sscan when found, or false if not applicable (mixed).
  23. $_CONTEXT['thc_ss']['mail_notify']: Indicates if results will be emailed (boolean).
  24. $_CONTEXT['thc_ss']['file_logging']: Indicates if results will be logged (boolean).
  25. $_CONTEXT['thc_ss']['endscript']: Indicates if the script ends when a specific text is found (boolean).
  26. $_CONTEXT['thc_ss']['search']: The search text (string).
  27. $_CONTEXT['thc_ss']['cancelled']: Indicates if the script execution ended when a specific text was found (boolean).
  28. $_CONTEXT['thc_ss']['matches']: The total matches of the search string (int).
  29. $_CONTEXT['thc_ss']['searchresults']: Stores the search results (array).
  30. $_CONTEXT['thc_ss']['loggingtemplate']: Stores the log template (string).
  31. $_CONTEXT['thc_ss']['loggingtemplateused']: Indicates if a logging template was used (boolean).
  32. $_CONTEXT['thc_ss']['loggingfilepathused']: Indicates if a log file was created (boolean).
  33. $_CONTEXT['thc_ss']['emailtemplate']: Stores the email template (string).
  34. $_CONTEXT['thc_ss']['emailtemplateused']: Indicates if an email template was used (boolean).
  35. $_CONTEXT['thc_ss']['printemailtemplate']: Indicates if the email template should be printed (boolean).
  36. $_CONTEXT['thc_ss']['callback']: Callback function name or false if not applicable (mixed).
  37. $_CONTEXT['thc_ss']['maincallback']: Primary callback function (function).

Resource Settings:

  • time limit: php default
  • memory limit: php default

Dependencies:

Curl

Expanding THC Sscan:

You can expand THC Sscan's functionality by:

  1. log templates: in these files you can setup the way you want to log the results of Sscan sessions, all of these files are located in the EMAILT folder which is located in the module's root folder. You can just copy an existing template and edit it so it meets your requirements.
  2. email templates: in these files you can setup the way you want to email the results of Sscan sessions, all of these files are located in the LOGT folder which is located in the module's root folder. Like the log templates, these are very straightforward, you can just copy an existing template and edit it.
  3. callbacks: these are like little plugins for Sscan. They do two things. Setup the monitor interface by editing the form fields. The second is changing the behavior of Sscan when monitoring a target. A callback file is included before the monitoring starts. At the start of every monitoring iteration a function will be called by the name Callbck, this function will run until it returns a BREAK keyword.
At first these callbacks may seem confusing but they can become an excellent tool for automatising tasks once you're getting used to it.

The best way to learn how to write your own callbacks is to look at an existing callback. For this example, we'll use the callbackbf.php from the CALLBACKS folder in the module's root directory. This code turns Sscan in a bruteforce script that attacks the html login test server. It basically only alters the password field in the query for every iteration. That's all callbacks basically do. Just change the query part. Sscan will handle the rest.

In the first part the callback is described and variables that will be used for this session are defined.

$_CBACKD = array("Attack THC_HS Login","callbackbf.php");
$_CBACKD: this defines the name and the location of the callback
Attack THC_HS Login: title of the callback, also used for the callback selection menu
callbackbf.php: name of the callback file

In the second part the callback variables are setup that you want to use to fill up the index's interface. Each variable consists of multiple properties.

$_CBACKV[x]: each array element consists of 4 properties: value, row, fieldclass and visibility, as with any array counting starts at 0
$_CBACKV[x]['value']: the value we will give to this form field
$_CBACKV[x]['row']: the row's id name where the field we are going to overwrite is found, for example when this value would be a5, it means we are referring to the .modrow#a5 div
$_CBACKV[x]['fieldclass']: classname of the input field where we will change the value, always make sure that this field is found in the same html row. For example: a5f is in this case the input.a5f html field
$_CBACKV[x]['visibility']: 0, when you want the field to dissapear from the interface, 1, when you want the field to be visisble, 2, to leave it as it is now

Open the module's index file in order to find out the input field's class and in which row they can be found.

The third part is where the query will be edited, in this case with each iteration a new password will be tried. The function Callbck is mandatory and will be called at the start of every iteration to manipulate the variables that will be send.

Known Issues:

N/A

How to use Shodown || How to use xWhere
similar content
How to use CollectPanelsHow to use THC CF ResolverHow to use xDNSHow to use THC DorkHow to use THC DiscoverHow to use EnumerateHow to use THC InvestigateHow to use MisterLGHow to use ShodownHow to use xWhereHow to use xScan
Created by Remco Kouw: 2008-2024