Ravenscan Features
Complete list of modules and capabilities.
Discovery & enumeration
Host discovery
ICMP echo, TCP SYN ping and ARP (local network only). Hosts are probed in parallel with configurable timeouts. Skippable via --skip-discovery.
Port scanning
TCP connect scan and TCP SYN scan (the SYN scan needs raw sockets, i.e. CAP_NET_RAW; the connect scan does not). UDP scan (NTP, SNMP, DNS). Profiles: quick (top 100 ports), standard (top 1000), full (all 65535). Custom port lists supported. Configurable rate limiting.
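As an added illustration of the port-scanning entry above (example code, not Ravenscan's own scanner), the following Go program runs a TCP connect scan with a bounded worker pool, a shared rate limiter and a per-probe timeout. Function names, the open/closed/filtered classification and the loopback target are assumptions made for the demo; it scans a listener it opens itself so it runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"sort"
	"sync"
	"time"
)

// PortResult is the outcome of probing one TCP port. State is "open"
// (handshake completed), "closed" (connection refused) or "filtered"
// (no answer before the timeout, typically a firewall drop).
type PortResult struct {
	Port  int
	State string
}

// ScanPorts runs a TCP connect scan against host: a full three-way handshake
// per port, which needs no raw socket and therefore no CAP_NET_RAW. At most
// `workers` probes are in flight at once and at most `rate` (>0) probes start
// per second; a ticker shared by the workers hands out the rate-limit tokens.
// Each probe gives up after `timeout`. Results are returned sorted by port.
func ScanPorts(ctx context.Context, host string, ports []int, workers, rate int, timeout time.Duration) []PortResult {
	jobs := make(chan int)
	results := make(chan PortResult)
	ticker := time.NewTicker(time.Second / time.Duration(rate))
	defer ticker.Stop()

	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			dialer := net.Dialer{Timeout: timeout}
			for port := range jobs {
				select {
				case <-ticker.C: // wait for a rate-limit token
				case <-ctx.Done(): // scan aborted: report unknown ports as filtered
					results <- PortResult{Port: port, State: "filtered"}
					continue
				}
				conn, err := dialer.DialContext(ctx, "tcp", net.JoinHostPort(host, fmt.Sprint(port)))
				results <- PortResult{Port: port, State: classify(conn, err)}
			}
		}()
	}

	go func() {
		for _, p := range ports {
			jobs <- p
		}
		close(jobs)
		wg.Wait()
		close(results)
	}()

	var out []PortResult
	for r := range results {
		out = append(out, r)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Port < out[j].Port })
	return out
}

// classify maps a dial outcome onto open/closed/filtered.
func classify(conn net.Conn, err error) string {
	if err == nil {
		conn.Close()
		return "open"
	}
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return "filtered"
	}
	return "closed" // ECONNREFUSED and other immediate failures
}

// OpenPorts reduces a result set to the ports that completed a handshake.
func OpenPorts(results []PortResult) []int {
	var open []int
	for _, r := range results {
		if r.State == "open" {
			open = append(open, r.Port)
		}
	}
	return open
}

func main() {
	// Constructed target: a listener on an ephemeral loopback port so the
	// example runs offline; the next port up is (almost certainly) closed.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	open := ln.Addr().(*net.TCPAddr).Port

	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	for _, r := range ScanPorts(ctx, "127.0.0.1", []int{open, open + 1}, 4, 50, 300*time.Millisecond) {
		fmt.Printf("%d/tcp %s\n", r.Port, r.State)
	}
}
```

The rate limiter is the part worth keeping in mind on real targets: with `rate` set to 50 and four workers, no more than 50 SYNs per second leave the host regardless of how many ports are queued, which is what keeps a connect scan from tripping IDS thresholds or exhausting a NAT table.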
Service detection
Banner grabbing + fingerprinting. Version identification for SSH, HTTP, SMTP, FTP, MySQL, PostgreSQL, Redis, MongoDB and more. TLS/SSL certificate parsing.
OS fingerprinting
TCP/IP stack fingerprinting (window size, MSS, TTL, DF bit). Multi-source correlation: SSH banner + HTTP Server + SMB OS string. Weighted confidence score.
Protocol audits
SSH
Weak algorithms, vulnerable versions (regreSSHion CVE-2024-6387), deprecated host key algorithms, password auth enabled.
TLS/SSL
Obsolete versions (SSLv2/v3, TLS 1.0/1.1), weak ciphers, expired/self-signed certificates, missing HSTS.
HTTP/HTTPS
Missing security headers (CSP, HSTS, X-Frame-Options), insecure cookies, technology detection, dangerous HTTP methods.
SMB/CIFS
SMBv1 enabled (WannaCry/EternalBlue), signing not required, anonymous shares, null sessions.
RDP
NLA disabled, weak encryption, BlueKeep (CVE-2019-0708), exposed RDP without MFA.
LDAP
Anonymous bind, signing not required, no channel binding, cleartext without STARTTLS.
Kubernetes
Unauthenticated API, exposed kubelet (:10250), exposed dashboard, anonymous cluster-admin.
Docker
Unauthenticated API (:2375), privileged containers detected through the API, API served in cleartext (no TLS).
DNS
Zone transfer (AXFR) allowed, public recursion enabled, missing DNSSEC.
FTP / SNMP / NTP
FTP anonymous login, cleartext FTP. SNMP default communities, v1/v2c. NTP monlist amplification.
Vulnerability detection
- Embedded CVE database — version-to-CVE mapping for ~200 products, CVSS v3, EPSS, exploit-db references
- CISA KEV enrichment — "exploited in the wild" flag with date_added and due_date (50+ CVEs tracked)
- Default credentials — checks default/empty credentials for common services (FTP, Redis, MySQL, PostgreSQL, MongoDB, SSH). Opt-in via --check-defaults
Web vulnerability scanning
SQL injection
Error-based (MySQL, PostgreSQL, MSSQL, Oracle, SQLite), union-based, time-based blind. Injection in GET params, POST body, cookies, headers.
Cross-site scripting (XSS)
Reflected XSS with contextual canary, stored XSS indicators, DOM-based XSS hints.
Directory discovery
Embedded wordlist (~200 high-value paths): .git, .env, backup/, admin/, phpinfo.php, etc.
YAML templates (Nuclei-style)
Custom check engine with matchers (status, word, regex, size) and extractors. Variables: {{BaseURL}}, {{Host}}, {{Port}}.
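To make the matcher/extractor semantics concrete, here is an added Go example of how a template of that shape is evaluated against an HTTP response. It is example code, not Ravenscan's engine: it assumes the YAML has already been decoded into the `Template` struct, matches on the body only, and uses a constructed check for an exposed `.git/config` (one of the paths in the directory-discovery wordlist) with a constructed response body.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Response is the minimal HTTP response the matchers run over (body only here).
type Response struct {
	Status int
	Body   string
}

// Matcher mirrors one entry of a Nuclei-style `matchers:` list; only the slice
// for its Type is used. Condition ("and"/"or", default "or") joins the values.
type Matcher struct {
	Type      string // "status", "word", "regex" or "size"
	Status    []int
	Words     []string
	Regex     []string
	Size      []int
	Condition string
}

// Template is the decoded YAML check (YAML decoding itself is out of scope).
// Extractors maps a name to a regex whose first capture group is extracted.
type Template struct {
	Path              string // may use {{BaseURL}}, {{Host}}, {{Port}}
	MatchersCondition string // "and"/"or" across matchers, default "or"
	Matchers          []Matcher
	Extractors        map[string]string
}

// Expand substitutes the three template variables into s.
func Expand(s, baseURL, host string, port int) string {
	return strings.NewReplacer("{{BaseURL}}", baseURL, "{{Host}}", host,
		"{{Port}}", strconv.Itoa(port)).Replace(s)
}

// combine folds per-value results with "and" (all) or "or" (any) semantics;
// an empty list never matches, so a matcher with no values cannot fire.
func combine(hits []bool, cond string) bool {
	if len(hits) == 0 {
		return false
	}
	for _, h := range hits {
		if cond == "and" && !h {
			return false
		}
		if cond != "and" && h {
			return true
		}
	}
	return cond == "and"
}

// Match evaluates a single matcher against the response.
func (m Matcher) Match(r Response) bool {
	var hits []bool
	switch m.Type {
	case "status":
		for _, s := range m.Status {
			hits = append(hits, r.Status == s)
		}
	case "word":
		for _, w := range m.Words {
			hits = append(hits, strings.Contains(r.Body, w))
		}
	case "regex":
		for _, re := range m.Regex {
			rx, err := regexp.Compile(re)
			hits = append(hits, err == nil && rx.MatchString(r.Body))
		}
	case "size":
		for _, n := range m.Size {
			hits = append(hits, len(r.Body) == n)
		}
	}
	return combine(hits, m.Condition)
}

// Evaluate reports whether the template matches and what the extractors found.
func (t Template) Evaluate(r Response) (bool, map[string][]string) {
	var hits []bool
	for _, m := range t.Matchers {
		hits = append(hits, m.Match(r))
	}
	found := map[string][]string{}
	for name, re := range t.Extractors {
		rx, err := regexp.Compile(re)
		if err != nil {
			continue // malformed template regex: skip rather than crash the scan
		}
		for _, sm := range rx.FindAllStringSubmatch(r.Body, -1) {
			if len(sm) > 1 {
				found[name] = append(found[name], sm[1])
			}
		}
	}
	return combine(hits, t.MatchersCondition), found
}

// GitConfigTemplate is a constructed check for an exposed .git/config: a 200
// whose body carries both Git config markers; the remote URL is extracted.
func GitConfigTemplate() Template {
	return Template{
		Path:              "{{BaseURL}}/.git/config",
		MatchersCondition: "and",
		Matchers: []Matcher{
			{Type: "status", Status: []int{200}},
			{Type: "word", Words: []string{"[core]", "repositoryformatversion"}, Condition: "and"},
		},
		Extractors: map[string]string{"remote": `url = (\S+)`},
	}
}

// SampleGitConfigResponse is a constructed positive sample.
func SampleGitConfigResponse() Response {
	return Response{Status: 200, Body: "[core]\n\trepositoryformatversion = 0\n\tbare = false\n" +
		"[remote \"origin\"]\n\turl = https://git.example.internal/ops/deploy.git\n"}
}

func main() {
	t := GitConfigTemplate()
	fmt.Println("GET", Expand(t.Path, "http://10.0.0.5:8080", "10.0.0.5", 8080))
	ok, found := t.Evaluate(SampleGitConfigResponse())
	fmt.Println("matched:", ok, "remote:", found["remote"])
}
```

The two "and" conditions do different jobs: the one inside the word matcher requires both markers in the body (a page that merely mentions `[core]` is not a Git config), while `MatchersCondition` requires the status matcher to pass as well, so a soft-404 that echoes the probe body cannot match on words alone.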
Scoring & grading
- Score 0–100 based on: finding count and severity, external exposure, CISA KEV presence, viable attack chains
- Grade: A (≥90), B (≥75), C (≥60), D (≥40), F (<40)
- Breakdown: Network, Web, Auth, Crypto, Config, KEV
Attack paths
Automatic correlation of findings into exploit chains, mapped to MITRE ATT&CK:
- SMBv1 + default creds → lateral movement → domain admin
- LDAP anonymous → user enumeration → Kerberoasting
- K8s API unauth → cluster admin → container escape
- SQLi → data exfiltration → credential reuse
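The following added Go example shows one way the two preceding sections (scoring & grading, attack paths) fit together; it is illustrative code, not Ravenscan's own logic. The grade thresholds are the ones stated above; the finding identifiers, severity weights, the +50% external-exposure and +10 KEV adjustments, the per-chain deduction and the MITRE ATT&CK technique IDs attached to each chain are all assumptions made for the demo. The sample findings are constructed.

```go
package main

import "fmt"

// Finding is one scanner result reduced to what correlation and scoring need.
// The ID strings are assumed names; the page does not specify the scanner's own.
type Finding struct {
	ID       string // e.g. "smb.v1_enabled"
	Category string // Network, Web, Auth, Crypto or Config
	Severity string // critical, high, medium, low or info
	External bool   // reachable from outside the perimeter
	KEV      bool   // underlying CVE listed in CISA KEV
}

// Chain is one attack path; it is viable when every ID in Requires is present.
// Techniques is an assumed MITRE ATT&CK mapping, one technique per step.
type Chain struct {
	Name       string
	Requires   []string
	Techniques []string
}

var Chains = []Chain{
	{"SMBv1 + default creds → lateral movement → domain admin",
		[]string{"smb.v1_enabled", "auth.default_credentials"},
		[]string{"T1210", "T1021.002", "T1078.002"}},
	{"LDAP anonymous → user enumeration → Kerberoasting",
		[]string{"ldap.anonymous_bind"},
		[]string{"T1087.002", "T1558.003"}},
	{"K8s API unauth → cluster admin → container escape",
		[]string{"k8s.api_unauthenticated"},
		[]string{"T1190", "T1078", "T1611"}},
	{"SQLi → data exfiltration → credential reuse",
		[]string{"web.sqli"},
		[]string{"T1190", "T1005", "T1078"}},
}

// Correlate returns the chains whose prerequisites are all present in findings.
func Correlate(findings []Finding) []Chain {
	have := map[string]bool{}
	for _, f := range findings {
		have[f.ID] = true
	}
	var viable []Chain
	for _, c := range Chains {
		ok := true
		for _, id := range c.Requires {
			ok = ok && have[id]
		}
		if ok {
			viable = append(viable, c)
		}
	}
	return viable
}

// Assumed weights: deduction per finding by severity, +50% when externally
// exposed, +10 per KEV-listed finding, 15 per viable attack chain.
var severityPenalty = map[string]int{"critical": 25, "high": 15, "medium": 7, "low": 3, "info": 0}

// ScoreCard holds the 0-100 score, its letter grade and the deductions per
// category (the page's Network/Web/Auth/Crypto/Config/KEV breakdown, plus chains).
type ScoreCard struct {
	Score     int
	Grade     string
	Breakdown map[string]int
}

// Score applies the weights above and clamps the result to 0..100.
func Score(findings []Finding, paths []Chain) ScoreCard {
	deduct := map[string]int{}
	for _, f := range findings {
		p := severityPenalty[f.Severity]
		if f.External {
			p += p / 2
		}
		deduct[f.Category] += p
		if f.KEV {
			deduct["KEV"] += 10
		}
	}
	if len(paths) > 0 {
		deduct["AttackPaths"] = 15 * len(paths)
	}
	score := 100
	for _, v := range deduct {
		score -= v
	}
	if score < 0 {
		score = 0
	}
	return ScoreCard{Score: score, Grade: Grade(score), Breakdown: deduct}
}

// Grade applies the page's thresholds: A >=90, B >=75, C >=60, D >=40, else F.
func Grade(score int) string {
	switch {
	case score >= 90:
		return "A"
	case score >= 75:
		return "B"
	case score >= 60:
		return "C"
	case score >= 40:
		return "D"
	}
	return "F"
}

// SampleFindings is a constructed result set for one small Windows host.
func SampleFindings() []Finding {
	return []Finding{
		{"smb.v1_enabled", "Network", "critical", false, true},
		{"auth.default_credentials", "Auth", "high", true, false},
		{"tls.obsolete_version", "Crypto", "medium", false, false},
	}
}

func main() {
	findings := SampleFindings()
	paths := Correlate(findings)
	for _, p := range paths {
		fmt.Println("attack path:", p.Name, p.Techniques)
	}
	card := Score(findings, paths)
	fmt.Printf("score %d grade %s breakdown %v\n", card.Score, card.Grade, card.Breakdown)
}
```

The point of running correlation before scoring is visible in the sample: three findings that would individually deduct 54 points become a viable SMBv1 + default-credentials chain, and the chain deduction on top pushes the host from D territory into an F, which is the behaviour you want when two medium-looking issues combine into a path to domain admin.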
Compliance mapping
Reports
Formats
- PDF (Enterprise) — WeasyPrint sidecar, print-quality, identical rendering to EntraGuard reports. Falls back to the built-in Go writer if the sidecar is offline.
- HTML — portable, inline CSS
- JSON — API output for CI/CD integration
- Markdown — internal documentation
Content
- Cover page (date, targets, grade)
- Executive summary
- Top risks prioritised
- Findings by severity / host / service
- Attack paths with MITRE mapping
- Compliance summary
Live packet capture (Enterprise)
Browser-based live traffic capture without installing Wireshark on the analyst's machine.
Docker sidecar (Linux)
Container granted CAP_NET_RAW; sees the Docker network interfaces on the host.
Native daemon (macOS / Windows / Linux)
Runs on the operator's host to see real NICs (Wi-Fi, Ethernet, VPN). Installable as systemd / Windows Service / launchd.
- Captures are encrypted at rest with AES-256-GCM and auto-purged after 7 days
- Every start/stop/save/download/delete is logged to a WORM audit trail
- API: /api/v1/capture/{interfaces,start,id/stop,id/packets,id/save}
Attack path live verification
After a scan, each detected attack path can be verified in real time against the target to confirm exploitability. Passive read-only probes only — no actual exploitation.
- 8 verifiers shipped: SMB, LDAP, RDP, SSH, SNMP, VNC, FTP, NTP
- Returns verdict (exploitable / not_exploitable), confidence, and step-by-step output
- Each result includes curated remediation commands, rollback (inverse operations) and read-only verify checks
- Endpoint: POST /api/v1/scans/:id/attack-paths/:ap_id/test
API & automation
- REST API — /api/v1/scans, /api/v1/reports, /api/v1/trends
- Summary endpoint — GET /api/v1/summary exposes score, grade, risk_level, open_findings, critical_cves, alive_hosts for the platform Global Dashboard
- Scan ETA — progress drawer shows a live remaining-time estimate computed from elapsed time and scan progress
- Scheduler (Enterprise) — cron-based recurring scans with notifications
- Webhooks (Enterprise) — Slack, Microsoft Teams, generic HTTP JSON
- Baselines (Enterprise) — capture accepted state, exceptions with reason/expiry/approval, alert only on new findings
Product security
- Static binary, non-privileged user in container
- API keys stored only as SHA-256 hashes; presented keys are compared in constant time
- Licence signed with RSA-2048, PKCS#1 v1.5 padding and SHA-256
- No telemetry — structured logs, no secrets in logs
- Optional at-rest encryption for SQLite
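As an added example of the two cryptographic points in the list above (not Ravenscan's own code), the Go program below stores an API key as a SHA-256 digest and verifies presented keys with a constant-time comparison, then signs and verifies a licence payload with RSA-2048 PKCS#1 v1.5 over SHA-256. The `Licence` fields, the expiry rule, the key names and the vendor key pair generated at run time are assumptions for the demo; in a real deployment only the public key would ship in the binary.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// StoredKey is the server-side record of an API key: only its SHA-256 digest
// is kept, so a database leak does not hand out usable keys. Plain SHA-256
// is adequate because keys are long random strings, not user passwords.
type StoredKey struct {
	Name string
	Hash [sha256.Size]byte
}

// NewStoredKey hashes a freshly issued key; the plaintext is shown to the
// caller once and never persisted.
func NewStoredKey(name, apiKey string) StoredKey {
	return StoredKey{Name: name, Hash: sha256.Sum256([]byte(apiKey))}
}

// Verify hashes the presented key and compares digests in constant time, so
// response latency does not reveal how many leading bytes of the hash matched.
func (k StoredKey) Verify(presented string) bool {
	h := sha256.Sum256([]byte(presented))
	return subtle.ConstantTimeCompare(h[:], k.Hash[:]) == 1
}

// Licence is the payload the vendor signs; it is serialised as JSON and the
// signature covers the SHA-256 digest of exactly those bytes.
type Licence struct {
	Customer  string `json:"customer"`
	Edition   string `json:"edition"`
	ExpiresAt string `json:"expires_at"` // YYYY-MM-DD, UTC
}

// GenerateVendorKey creates the signing key pair (constructed for the demo).
func GenerateVendorKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// SignLicence produces the JSON body and an RSA PKCS#1 v1.5 / SHA-256
// signature over it with the vendor's private key.
func SignLicence(priv *rsa.PrivateKey, l Licence) (body, sig []byte, err error) {
	body, err = json.Marshal(l)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(body)
	sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return body, sig, err
}

// VerifyLicence checks the signature before trusting a single field of the
// payload; any byte change in body or sig, or a wrong key, fails closed.
func VerifyLicence(pub *rsa.PublicKey, body, sig []byte) (Licence, error) {
	if pub.Size() != 256 { // 2048-bit modulus
		return Licence{}, errors.New("licence key must be RSA-2048")
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Licence{}, fmt.Errorf("licence signature invalid: %w", err)
	}
	var l Licence
	if err := json.Unmarshal(body, &l); err != nil {
		return Licence{}, err
	}
	return l, nil
}

// Expired reports whether the licence is past its expiry day at `now`.
func (l Licence) Expired(now time.Time) (bool, error) {
	exp, err := time.Parse("2006-01-02", l.ExpiresAt)
	if err != nil {
		return true, err
	}
	return !now.Before(exp.Add(24 * time.Hour)), nil
}

func main() {
	key := NewStoredKey("ci-pipeline", "rvn_example_key_not_a_real_secret")
	fmt.Println("correct key accepted:", key.Verify("rvn_example_key_not_a_real_secret"))
	fmt.Println("wrong key accepted:  ", key.Verify("rvn_example_key_not_a_real_secreT"))

	priv, err := GenerateVendorKey(2048)
	if err != nil {
		panic(err)
	}
	body, sig, err := SignLicence(priv, Licence{"Example Corp", "enterprise", "2026-12-31"})
	if err != nil {
		panic(err)
	}
	lic, err := VerifyLicence(&priv.PublicKey, body, sig)
	fmt.Println("licence:", lic, "err:", err)
	body[len(body)-2] ^= 0x01 // tamper with one byte of the payload
	_, err = VerifyLicence(&priv.PublicKey, body, sig)
	fmt.Println("tampered licence err:", err)
}
```

Two details carry the security value: the comparison runs over the two digests, not the plaintext keys, so even the constant-time compare never touches the secret's bytes directly; and the licence fields are only decoded after the signature has been verified, so a tampered or forged payload is never parsed.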