ExploitSynth CLI

The command-line client for the ExploitSynth scanner. Install it, authenticate, and run scans from your terminal.

Installation

Install with pipx. It keeps the CLI isolated in its own environment and on your PATH. Requires Python 3.9+ on Linux, macOS, or WSL.

```bash
pipx install exploitsynth

# optional: tab-completion for bash | zsh | fish
exploitsynth --install-completion
```

Authentication

Create a key under Settings → API keys, then run login once. The key is stored at ~/.config/exploitsynth/config.json with owner-only permissions. For CI or ephemeral shells, export it instead.

```bash
exploitsynth login
# CI / ephemeral shells:
export EXPLOITSYNTH_API_KEY=sk_your_key_here
```

Scanning

New scan

Identify ports you already know are open, or let the CLI discover them first. A target can be a single IP, a CIDR range, or a list.

```bash
# identify known-open ports
exploitsynth scan 203.0.113.9 --ports 22,80,9929

# discover open ports first, then identify
exploitsynth scan 10.0.0.0/28 --scope top1000
# scope: top100 | top1000 | all, or a range like 1-1000
```

Continue from another scanner

Import an nmap or Nessus report and scan only the ports it left unidentified.

```bash
exploitsynth scan --nessus engagement.nessus --project acme
exploitsynth scan --nmap recon.xml
```

Use it in a pipeline

Targets can come from stdin (-) or a file (-iL), so ExploitSynth fits directly into a recon pipeline: let a fast scanner find the open ports, then identify the ones it couldn't fingerprint.

```bash
# pipe targets in from another tool
rustscan -a 10.0.0.5 --ports-only | exploitsynth scan - --ports 22,80,9929

# or feed a host list
exploitsynth scan -iL hosts.txt --scope top100
```

Private networks

Targets on an internal network (10.x, 192.168.x), or behind a firewall that only allows your source IP, aren't reachable from our cloud. --via local closes that gap: discovery runs on your machine, and a reverse tunnel routes the engine's probes back out through it, so the scan reaches anything you can reach. The agent, prompts, and model stay in the cloud; only network egress runs from your machine.

```bash
# 1. get on the network (client VPN, on-site LAN, HTB, …)
sudo openvpn engagement.ovpn        # you can now reach 10.129.45.12

# 2. one command: local nmap discovers, the cloud identifies through the tunnel
exploitsynth scan 10.129.45.12 --via local --scope top1000
```

You need to be on a network that can reach the target. Discovery runs locally, so nmap must be installed; chisel is downloaded automatically. The tunnel exists only while the command runs, so --via local always streams live and can't be combined with --no-follow, and Ctrl-C closes it. You're billed only for the open ports found, since discovery itself is free.

Commands

| Command | Description |
|---|---|
| login | Store and verify your API key. |
| scan TARGET | Start a scan, then stream live progress. See options below. |
| scans | List recent scans (use --project to filter). |
| show ID | Print a scan's full results (add --reasoning for the agent's notes). |
| credits | Show your credit balance. |
| cancel ID | Cancel a queued or running scan. |

Scan options

| Option | Description |
|---|---|
| --ports | Known-open ports to identify directly, e.g. 22,80,9929. |
| --scope | Discovery scope: top100, top1000, all, or a range like 1-1000. |
| -iL FILE / - | Read targets from a file, or from stdin when the target is -. |
| --via local | Scan a private/firewalled target through a reverse tunnel out of this machine. |
| --nessus / --nmap | Import a report and scan its unidentified ports. |
| --project | Engagement to file the scan under (created if it doesn't exist). |
| --label | Optional label for the scan. |
| --timeout | Per-port time limit in seconds (30–600, default 300). |
| --slow | Run one agent at a time instead of three. |
| --no-follow | Return immediately instead of streaming progress. |
| --yes | Skip the credit-cost confirmation prompt. |
| --json | Emit machine-readable JSON on stdout (also on scans, show, credits). Progress goes to stderr, so pipes stay clean. |

REST API

The CLI is the recommended way to use ExploitSynth, but it is only a client: the same engine is available over a REST API for direct integration. Authenticate every request with an Authorization: Bearer sk_… header.

POST /api/v1/scan    Start one or more scans

```bash
curl -X POST https://scan.exploitsynth.com/api/v1/scan \
  -H "Authorization: Bearer sk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "targets": [{ "ip": "203.0.113.9", "ports": [22, 80, 9929] }],
    "project": "acme",
    "timeout_sec": 300
  }'
# → { "ok": true, "scan_ids": ["a1b2c3d4-..."] }
```

GET /api/v1/scan/:id    Poll status & results

```bash
curl https://scan.exploitsynth.com/api/v1/scan/SCAN_ID \
  -H "Authorization: Bearer sk_your_key_here"
```

GET /api/v1/scan    List recent scans

Poll the GET endpoint until status is done or error; results grows incrementally as ports finish. The response includes port_progress for live per-port state.
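The start-then-poll loop above, written out as a small client. This is an added example, not ExploitSynth's own client or SDK: the only fields it relies on are the documented ones (`ok`, `scan_ids`, `status` with terminal values `done` and `error`, `results`, `port_progress`). Everything else is this example's own assumption: that `results` is a sequence whose length grows as ports finish, that 2xx means success, that 429 and 5xx are transient while 401/403/404 are permanent, and the class and function names (`ScanClient`, `scripted_transport`, `demo`). The HTTP transport is injected so the same code runs offline against a constructed response sequence; swap in `urllib_transport` for the real service.

```python
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

BASE_URL = "https://scan.exploitsynth.com"   # documented API host
TERMINAL_STATES = {"done", "error"}          # documented terminal values of `status`

# A transport maps (method, url, headers, body) -> (http_status, body_text).
# Injecting it keeps the client testable with no network access.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, str]:
    """Real transport using only the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", errors="replace")


class ScanClient:
    def __init__(self, api_key: str, transport: Transport = urllib_transport,
                 base_url: str = BASE_URL, sleep: Callable[[float], None] = time.sleep):
        if not api_key.startswith("sk_"):          # documented key prefix
            raise ValueError("ExploitSynth API keys start with sk_")
        self._headers = {"Authorization": f"Bearer {api_key}",
                         "Content-Type": "application/json"}
        self._transport, self._base, self._sleep = transport, base_url.rstrip("/"), sleep

    def _call(self, method: str, path: str, payload: Optional[dict] = None) -> Tuple[int, str]:
        body = json.dumps(payload).encode() if payload is not None else None
        return self._transport(method, self._base + path, self._headers, body)

    def start_scan(self, targets: List[dict], project: Optional[str] = None,
                   timeout_sec: int = 300) -> List[str]:
        """POST /api/v1/scan and return the documented scan_ids list."""
        payload: dict = {"targets": targets, "timeout_sec": timeout_sec}
        if project:
            payload["project"] = project
        status, text = self._call("POST", "/api/v1/scan", payload)
        if not 200 <= status < 300:                 # assumption: any 2xx is success
            raise RuntimeError(f"scan start failed: HTTP {status}: {text}")
        doc = json.loads(text)
        if not doc.get("ok"):
            raise RuntimeError(f"scan start rejected: {text}")
        return list(doc["scan_ids"])

    def wait_for_scan(self, scan_id: str, max_wait: float = 3600.0,
                      initial_delay: float = 2.0, max_delay: float = 30.0) -> dict:
        """Poll GET /api/v1/scan/:id until status is done or error.

        A healthy poll resets the delay; 429/5xx and unparsable bodies are
        treated as transient and retried with exponential backoff, while
        401/403/404 are treated as permanent and raise immediately.
        """
        delay, waited, seen = initial_delay, 0.0, 0
        while waited <= max_wait:
            status, text = self._call("GET", f"/api/v1/scan/{scan_id}")
            if status in (401, 403, 404):
                raise RuntimeError(f"permanent error polling {scan_id}: HTTP {status}")
            if status == 200:
                try:
                    doc = json.loads(text)
                except ValueError:
                    doc = None
                if doc is not None:
                    results = doc.get("results") or []
                    if len(results) > seen:          # results grows as ports finish
                        for port in results[seen:]:
                            print(f"[{scan_id}] port finished: {port}")
                        seen = len(results)
                    if doc.get("status") in TERMINAL_STATES:
                        return doc
                    delay = initial_delay            # healthy poll: reset backoff
            self._sleep(delay)
            waited += delay
            delay = min(delay * 2, max_delay)
        raise TimeoutError(f"scan {scan_id} not finished after {max_wait}s")


def scripted_transport(responses: List[Tuple[int, str]]) -> Transport:
    """Constructed offline transport that replays fixed (status, body) pairs."""
    queue = list(responses)

    def transport(method, url, headers, body):
        assert headers["Authorization"].startswith("Bearer sk_")
        return queue.pop(0)
    return transport


def demo() -> Tuple[List[str], dict, List[float]]:
    """Start and poll one scan against constructed responses (ids and ports are made up)."""
    responses = [
        (200, json.dumps({"ok": True, "scan_ids": ["example-scan-id"]})),
        (200, json.dumps({"status": "queued", "results": [], "port_progress": {}})),
        (503, "upstream unavailable"),                                  # transient
        (200, json.dumps({"status": "running", "results": [{"port": 22}]})),
        (200, json.dumps({"status": "done", "results": [{"port": 22}, {"port": 80}]})),
    ]
    sleeps: List[float] = []
    client = ScanClient("sk_example_key", transport=scripted_transport(responses),
                        sleep=sleeps.append)
    ids = client.start_scan([{"ip": "203.0.113.9", "ports": [22, 80]}], project="acme")
    return ids, client.wait_for_scan(ids[0]), sleeps


if __name__ == "__main__":
    print(demo())
```

Resetting the delay after every successful poll keeps the loop responsive while a scan is healthy, and the cap on total wait time means a scan that never reaches `done` or `error` surfaces as a `TimeoutError` in your pipeline rather than hanging it.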