🎮 Usage Guide
This guide covers everything you need to know about using ipcrawler effectively for network reconnaissance.
🚀 Basic Usage
Quick Start Commands
```bash
# Scan a single IP
ipcrawler 192.168.1.100
# Scan multiple IPs
ipcrawler 192.168.1.100 192.168.1.101 10.10.10.50
# Scan a network range
ipcrawler 192.168.1.0/24
# Scan a hostname
ipcrawler example.com
```
Command Structure
```bash
ipcrawler [OPTIONS] TARGETS
```
🎯 Target Specification
Single Targets
```bash
# IPv4 address
ipcrawler 192.168.1.100
# IPv6 address
ipcrawler 2001:db8::1
# Domain name
ipcrawler target.com
# Domain with subdomain
ipcrawler www.example.com
```
Multiple Targets
```bash
# Space-separated list
ipcrawler 192.168.1.100 192.168.1.101 target.com
# CIDR notation
ipcrawler 192.168.1.0/24
ipcrawler 10.0.0.0/16
# IP ranges (if supported)
ipcrawler 192.168.1.1-50
```
Target Files
```bash
# Read targets from file
ipcrawler -t targets.txt
# Example targets.txt content:
# 192.168.1.100
# 192.168.1.101
# target.com
# 10.10.10.0/24
```
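A targets file is easy to get wrong by one octet or one prefix length, so it is worth checking against the authorized scope before it is handed to `ipcrawler -t`. The following is an added example, not part of ipcrawler: it accepts the target forms listed above (address, CIDR, last-octet range, hostname) and rejects anything malformed or outside scope. The function names, `SAMPLE`, and the scope lists are hypothetical and constructed for illustration.

```python
import ipaddress
import re

# Last-octet range form from the guide, e.g. "192.168.1.1-50"
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.(\d{1,3})-(\d{1,3})$")
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Constructed sample: targets.txt lines plus a hypothetical authorized scope
SAMPLE = ["192.168.1.100", "192.168.1.1-50", "target.com  # web", "8.8.8.8", "999.1.1.1"]
SCOPE_NETS, SCOPE_DOMAINS = ["192.168.1.0/24", "10.10.10.0/24"], ["target.com"]


def expand(entry):
    """Return ('net', [networks]) or ('host', name); ValueError if malformed."""
    m = RANGE_RE.match(entry)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if lo > hi:
            raise ValueError("range end is below range start")
        # ip_address() raises ValueError for any octet above 255
        first, last = (ipaddress.ip_address(f"{prefix}.{o}") for o in (lo, hi))
        return "net", list(ipaddress.summarize_address_range(first, last))
    try:
        return "net", [ipaddress.ip_network(entry, strict=False)]
    except ValueError:
        if HOST_RE.match(entry):
            return "host", entry.lower()
        raise ValueError("not an IP, CIDR, range or hostname") from None


def check_targets(lines, scope_nets, scope_domains):
    """Split lines into (allowed, rejected); hostnames are checked by name, no DNS."""
    nets = [ipaddress.ip_network(n) for n in scope_nets]
    allowed, rejected = [], []
    for entry in filter(None, (l.split("#", 1)[0].strip() for l in lines)):
        try:
            kind, value = expand(entry)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        if kind == "net":
            ok = all(any(t.version == n.version and t.subnet_of(n) for n in nets)
                     for t in value)
        else:
            ok = any(value == d or value.endswith("." + d) for d in scope_domains)
        if ok:
            allowed.append(entry)
        else:
            rejected.append((entry, "out of scope"))
    return allowed, rejected
```

Because hostnames are matched by name only, a name that resolves to an address outside the agreed networks still needs a separate check.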
⚙️ Command-Line Options
Basic Options
```bash
# Show help
ipcrawler -h
ipcrawler --help
# Show version
ipcrawler --version
# Verbose output
ipcrawler -v target.com    # Level 1
ipcrawler -vv target.com   # Level 2
ipcrawler -vvv target.com  # Level 3 (debug)
# Quiet mode
ipcrawler -q target.com
```
Port Specification
```bash
# Specific ports
ipcrawler -p 80,443,8080 target.com
# Port ranges
ipcrawler -p 1-1000 target.com
# Common ports (default)
ipcrawler target.com
# All ports (1-65535) - WARNING: Very slow
ipcrawler -p 1-65535 target.com
# Custom port list
ipcrawler -p 22,80,135,139,443,445,993,995 target.com
```
Output Options
```bash
# Custom output directory
ipcrawler -o /tmp/scan-results target.com
# Custom project name
ipcrawler --project pentest-2024 target.com
# Generate reports
ipcrawler --report html target.com
ipcrawler --report pdf target.com
```
Scanning Options
```bash
# UDP scanning (requires root)
sudo ipcrawler --udp target.com
# TCP SYN scan (requires root)
sudo ipcrawler --syn target.com
# TCP connect scan (no root required)
ipcrawler --connect target.com
# Skip ping (useful for firewalled hosts)
ipcrawler --no-ping target.com
```
🔧 Plugin Management
List Available Plugins
```bash
# List all plugins
ipcrawler -l
# List port scan plugins
ipcrawler -l port
# List service enumeration plugins
ipcrawler -l service
# List report plugins
ipcrawler -l report
```
Plugin Selection
```bash
# Run specific plugins only
ipcrawler --service-scans dirbuster,nikto target.com
# Skip specific plugins
ipcrawler --skip-plugins wordpress,smb target.com
# Run safe plugins only (no intrusive scans)
ipcrawler --safe-only target.com
# Include manual commands
ipcrawler --manual-commands target.com
```
Plugin Categories
| Category | Description | Examples |
|---|---|---|
| port | Port scanning and discovery | nmap, masscan |
| service | Service enumeration | dirbuster, nikto, enum4linux |
| vuln | Vulnerability scanning | nmap scripts, nuclei |
| report | Report generation | HTML, PDF, XML |
🌐 Common Use Cases
Web Application Testing
```bash
# Comprehensive web scan
ipcrawler -p 80,443,8080,8443 --service-scans dirbuster,nikto,whatweb target.com
# WordPress-specific testing
ipcrawler -p 80,443 --service-scans wordpress,dirbuster target.com
# Large wordlist directory busting
ipcrawler --config dirbuster.wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt target.com
```
Network Infrastructure
```bash
# SMB enumeration
ipcrawler -p 445 --service-scans smb,enum4linux target.com
# Database discovery
ipcrawler -p 1433,3306,5432,1521 --service-scans mssql,mysql,postgres,oracle target.com
# Active Directory
ipcrawler -p 88,389,636,3268 --service-scans ldap,kerberos target.com
```
OSCP Exam Preparation
```bash
# OSCP-safe comprehensive scan
ipcrawler --safe-only --manual-commands target.com
# Quick enumeration for time pressure
ipcrawler --quick target.com
# Full enumeration with documentation
ipcrawler --report html --manual-commands target.com
```
CTF Competitions
```bash
# Fast initial scan
ipcrawler --quick target.com
# Comprehensive scan with all plugins
ipcrawler --all-plugins target.com
# Custom port range for unusual services
ipcrawler -p 1-10000 target.com
```
📊 Output and Results
Directory Structure
After running ipcrawler, you'll find organized results:
```
results/target.com/
├── scans/                  # Raw scan output
│   ├── tcp80/              # HTTP service scans
│   │   ├── dirbuster.txt
│   │   ├── nikto.txt
│   │   └── whatweb.txt
│   ├── tcp443/             # HTTPS service scans
│   └── tcp22/              # SSH service scans
├── report/                 # Clean reports
│   ├── index.html          # Main report
│   ├── summary.pdf         # Executive summary
│   └── screenshots/        # Tool screenshots
├── loot/                   # Extracted data
│   ├── credentials.txt
│   ├── users.txt
│   └── endpoints.txt
└── exploit/                # Exploitation workspace
    ├── payloads/
    └── notes.txt
```
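The results tree holds client data, and `loot/` in particular may contain credentials, so its file permissions matter on a shared testing host. The following added example (not part of ipcrawler) walks one `results/<target>/` directory laid out as shown above, lists which services produced output, flags tool output files that are empty, and reports `loot/` files readable by group or others. The function name is hypothetical, and the `udp<port>` directory form is an assumption, since the guide only shows `tcp<port>`.

```python
import re
import stat
from pathlib import Path

# Directory names under scans/: "tcp80", "tcp443", ... ("udp<port>" is assumed)
SCAN_DIR_RE = re.compile(r"^(tcp|udp)(\d{1,5})$")


def inventory(target_dir):
    """Return (services, exposed) for one results/<target>/ directory.

    services: {(proto, port): {"files": [...], "empty": [...]}}
    exposed:  loot/ files whose mode grants any access to group or others
    """
    root = Path(target_dir)
    services = {}
    scans = root / "scans"
    if scans.is_dir():
        for d in sorted(scans.iterdir()):
            m = SCAN_DIR_RE.match(d.name)
            if not (d.is_dir() and m):
                continue
            files = sorted(f.name for f in d.iterdir() if f.is_file())
            # A zero-byte output file usually means the tool failed or was blocked
            empty = [n for n in files if (d / n).stat().st_size == 0]
            services[(m.group(1), int(m.group(2)))] = {"files": files, "empty": empty}

    exposed = []
    loot = root / "loot"
    if loot.is_dir():
        for f in sorted(loot.rglob("*")):
            if f.is_file() and stat.S_IMODE(f.stat().st_mode) & 0o077:
                exposed.append(f.relative_to(root).as_posix())
    return services, exposed


if __name__ == "__main__":
    import sys
    print(inventory(sys.argv[1] if len(sys.argv) > 1 else "results/target.com"))
```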
Report Formats
```bash
# HTML report (default)
ipcrawler --report html target.com
# PDF report
ipcrawler --report pdf target.com
# JSON output for automation
ipcrawler --output json target.com
# XML output
ipcrawler --output xml target.com
```
🔍 Advanced Usage
Proxy Support
```bash
# HTTP proxy
ipcrawler --proxy http://127.0.0.1:8080 target.com
# SOCKS proxy
ipcrawler --proxy socks5://127.0.0.1:1080 target.com
# Proxychains support
proxychains ipcrawler target.com
```
Rate Limiting
```bash
# Slow scan (stealth)
ipcrawler --delay 5 target.com
# Limit concurrent scans
ipcrawler --max-scans 10 target.com
# Custom timing
ipcrawler --timing paranoid target.com
```
Custom Wordlists
```bash
# Custom directory wordlist
ipcrawler --config dirbuster.wordlist=/path/to/custom.txt target.com
# Multiple wordlists
ipcrawler --config dirbuster.wordlist=/path/to/list1.txt,/path/to/list2.txt target.com
```
🚨 Troubleshooting
Common Issues
Permission Denied
```bash
# For UDP/SYN scans, use sudo
sudo ipcrawler --udp target.com
```
No Results Found
```bash
# Increase verbosity to debug
ipcrawler -vv target.com
# Check if target is reachable
ping target.com
# Skip ping detection
ipcrawler --no-ping target.com
```
Slow Scans
```bash
# Reduce port range
ipcrawler -p 1-1000 target.com
# Increase timing
ipcrawler --timing aggressive target.com
# Reduce concurrent scans
ipcrawler --max-scans 5 target.com
```
Getting Help
```bash
# Show all options
ipcrawler --help
# Plugin-specific help
ipcrawler --help dirbuster
# Configuration help
ipcrawler --help config
```
💡 Tips and Best Practices
For OSCP
- Always use `--manual-commands` to get suggested next steps
- Generate HTML reports for documentation
- Start with `--safe-only` to avoid getting blocked
- Save manual commands for later execution

For CTFs
- Use `--quick` for fast initial reconnaissance
- Try unusual port ranges with `-p 1-10000`
- Look for custom services on high ports

For Professional Testing
- Document everything with `--report html`
- Use appropriate timing (`--timing polite`)
- Respect rate limits and target systems
- Always have proper authorization

Next: Learn how to customize ipcrawler behavior in the Configuration Guide