Advanced Axiom Usage - axiom-scan

Hey 0x00ers!

You may have heard of the tool I’ve been working on for the past 6 months called axiom, incase you haven’t, I’ll provide you with a quick overview.

The dynamic infrastructure framework for anybody! Distribute the workload of many different tools with ease, including nmap, ffuf, masscan, nuclei and many more!

Axiom is a larger infrastructure framework that allows you to quickly spin up and down different hackbox hosts packed with tools for you to perform testing. Axiom instances have tools preinstalled including nmap, ffuf, masscan, nuclei, subfinder, httpx, dnsx and shuffledns (and many more!). You can also spin up lots of hosts at one time by using axiom-fleet.

Once you have a fleet, you can perform distributed scanning! It’s really up to you how you want to use it.

If you’re new to axiom, I recommend reading the wiki in its entirety - and remember - it’s still in Beta, we’re still really just prototyping :stuck_out_tongue: If you find any issues, please open an issue, it’s probable that we can fix it!

This article is intended for existing users, I will not explain the code too much but provide a basic example of how you can use it. I’d like for current users of axiom to try these out and follow along.

Just axiom-scan

Spin up a fleet with more than 2 instances, you can find out how to do this here: I’ll let the code speak for the rest of a demo for axiom-scan, feel free to follow on with this demo:

Step 1 - Download Chaos Subdomains

Download subs from here:

We need to get some data to test with!

# Pull random 50 root levels from chaos - pretty one liner
for domain in $(curl -s | jq -r '.programs[].domains[]' | shuf | head -n 50); do echo "Pulling $domain"; chaos -silent -key $token -d $domain >> subs.txt; done

wc -l subs.txt

Step 2 - Merge Subdomains together

cd ~/Downloads

mkdir demo
mv chaos* demo
cd demo

# Unzip
unzip chaos*

# Show files

find . -name '*.txt' -exec cat {} \; > allsubs.txt

Step 3 - Spin up a fleet (may already be prepared)

axiom-fleet fire -i=15
axiom-select 'fire*'

Step 4 - Resolve Subdomains

We can resolve subdomains at mass using dnsx

Code - Bash

axiom-scan allsubs.txt -m dnsx -resp -o resolvedfqdns.txt # simple

add resolvers

Step 5 - Nmap IP’s

We can do some portscanning with nmap in a distributed axiom-scan.



Note :firecracker: nmapx doesn’t work with old versions of interlace

# Experimental
axiom-scan ips.txt -m nmapx -p80,81,443,591,2082,2087,2095,2096,3000,8000,8001,8008,8080,8083,8443,8834,8888 -oX chaos-scan.xml
axiom-scan ips.txt -m nmapx --top-ports 5 -sV -oX chaos-scan.xml

# Tried and true (the old way, slower)
axiom-scan ips.txt -m nmap -p80,81,443,591,2082,2087,2095,2096,3000,8000,8001,8008,8080,8083,8443,8834,8888 -oX chaos-scan.xml

Step 6 - Extracting hosts & IP’s from Nmap XML output

Essentially convert nmap.xml → host:ip notation.

> ports.txt
curl -o
python2 -m pip install python-libnmap
python2 chaos-scan.xml > ports.txt

head -n 100 ports.txt
wc -l ports.txt

READ THE HTML OUTPUT! It looks totally cool… :fire:

Axiom-scan xml nmap scans auto generate html output too!

(You must have xsltproc installed :))

xdg-open chaos-scan.xml.html

Step 7 - Scanning port combos with httpx

Using the file we created earlier.

axiom-scan ports.txt -m httpx -o http.txt

Step 8 - Gowitness

Use a shortened sample for gowitness just because it takes foreverrrr otherwise!

cat http.txt | shuf | head -n 150
cat http.txt | shuf | head -n 150 > sample-http.txt

axiom-scan sample-http.txt -m gowitness -o screenshots

Step 9 - Run httpx on subs

Convert ip:port notation into http://ip:port/ notation for using our other tools.

cat allsubs.txt | shuf | head -n 500 
cat allsubs.txt | shuf | head -n 500 > subs.txt

axiom-scan subs.txt -m httpx -o http.txt -title -follow-redirects -ip -content-length -cname -content-type -status-code -vhost


Start a proxy round-robin listener against all our nodes in our fleet.

axiom-proxy 'fire*' --single

Run curl over and over again to show it’s different ips

This proxy can be used in burp :slight_smile:

curl --socks5-hostname | jq
curl --socks5-hostname | jq -c
curl --socks5-hostname | jq -c
curl --socks5-hostname | jq -c
curl --socks5-hostname | jq -c
curl --socks5-hostname | jq -c


Get a list of all the hosts

axiom-exec 'curl -s' 'fire*'


Finally, we can delete our fleet so it doesn’t cost us any $$$. Easy as that!

axiom-rm 'fire*' -f


Today we’ve demonstrated a few ways of executing distributed scans using axiom-scan, I hope this was informative! I hope you enjoy axiom! <3 Enjoy 0x00ers!


Did you planned support and testing this app for Android 5.0.0+ with Termux?

I’d suggest installing it inside tmux on a digitalocean droplet - then you can just SSH in. That’s what I do and I control it from my iPhone too.