SIF

Overview

SIF (github.com/vmfunc/sif) is a Go recon and exploitation scanner that runs the full external assessment chain from a single static binary. Subdomain enumeration, connect-based port scanning, web crawling, nuclei template execution, framework/CVE detection, JavaScript secret extraction, CORS/XSS/redirect probes, cloud misconfiguration checks, and subdomain takeover detection are all flag-selectable modules—not separate processes wired together.

Nuclei and Colly are linked as libraries, not invoked via exec.Command, so there is no runtime dependency on external nuclei or crawler binaries. One build ships everything. Port scanning uses connect() rather than raw SYN; rustscan and nmap remain faster for raw port sweeps, but HTTP-heavy modules benefit from a shared connection-pooled client.

Every scanner shares one HTTP client and a work-stealing worker pool. Global `-proxy`, `-H`/`--header`, `-cookie`, and `-rate-limit` apply across the entire run. Connections are reused across modules—a single-host run reuses one connection for roughly fifty requests instead of opening fifty separate TCP sessions. Slow targets do not block the rest of the queue.

SIF reads targets from `-u`, `-f`, or stdin (scheme-less hosts default to https). Under `-silent`, banner and log output go to stderr while findings print one normalized line per hit to stdout, so it drops into Unix pipelines: `subfinder -d example.com | sif -silent -crawl -js -nuclei | notify`. `-diff` snapshots findings per target and reports only deltas on re-scan; `-sarif` and `-markdown` export for CI; `-notify` posts to Slack, Discord, Telegram, or generic webhooks using notify-compatible config.

Primary use cases

  • Single-command external recon after scope approval (dnslist + ports + headers + framework + nuclei)
  • Pipeline glue: feed subfinder/amass hostnames on stdin for probe/crawl/js/nuclei passes
  • Continuous monitoring with `-diff` to surface new or removed findings between scheduled runs
  • CI/CD security gates with `-sarif` output for GitHub code scanning ingestion
  • Broad web vuln sweeps: CORS, open redirect, reflected XSS, JWT weakness, OpenAPI exposure
  • Passive subdomain/URL discovery (`-passive`) when zero direct traffic to the target is required

Key commands

Broad recon sweep

sif -u https://example.com -dnslist -ports -crawl -js -framework -nuclei

Directory fuzzing with auto-calibration

sif -u https://example.com -dirlist medium -ac -mc 200,301,302

Web vuln probes + report export

sif -u https://example.com -cors -redirect -xss -sarif out.sarif -md out.md

Pipeline from subdomain enum

subfinder -d example.com | sif -silent -probe -crawl -js -nuclei

Diff monitoring (second run shows delta only)

sif -u https://example.com -sh -cors -diff

Proxy, auth header, and rate cap applied globally

sif -u https://example.com -headers -proxy socks5://127.0.0.1:1080 -H "Authorization: Bearer tok" -rate-limit 20

Run custom YAML modules by tag

sif -u https://example.com -mt owasp-top10

Notable modules / features

  • 25+ built-in scan flags: dirlist, dnslist, ports, nuclei, crawl, js, framework, cms, git, cors, xss, redirect, sql, lfi, jwt, openapi, favicon, c3, st, passive, probe, and more
  • YAML module system (`-m`, `-mt`, `-am`); user modules in ~/.config/sif/modules/ with nuclei-like HTTP matchers
  • Shodan (`-shodan`, SHODAN_API_KEY) and SecurityTrails (`-securitytrails`, SECURITYTRAILS_API_KEY) target expansion
  • Dirlist filters: `-mc`/`-fc` status codes, `-fs` body size, `-fw` word count, `-fr` regex, `-w` custom wordlist, `-e` extensions
  • Distribution: Homebrew tap, AUR, nixpkgs, Debian/Ubuntu apt (Cloudsmith), and release binaries; licensed BSD-3-Clause
  • Subcommands: `sif version`, `sif patchnote` (release notes on first run; disable with SIF_NO_PATCHNOTES=1)

Detection / defense notes

  • High request volume from combined modules triggers WAF/CDN rate limits and SOC alerts—scope and throttle `-rate-limit`
  • Connect port scans are logged as full TCP connections; SYN scans from dedicated tools may be stealthier
  • Nuclei template false positives still apply; tune severity and custom modules for production targets
  • Webhook notify configs and API keys in env vars should not land in shell history or CI logs

Related tools

  • Nuclei: Template scanner. YAML checks for CVEs, misconfigs, and exposed services at scale.
  • Nmap: Network mapper. SYN/UDP scanning, service detection, NSE scripts, and OS fingerprinting. The baseline recon tool.
  • nikto: Web server scanner. Tests for outdated software, dangerous files, and misconfigs.
  • SQLMap: SQL injection automation. DB fingerprinting, data dump, file read, and OS command execution via SQLi.