Web Security Testing

GoLismero is a free software framework for security testing. It’s currently geared towards web security, but it can easily be expanded to other kinds of scans. It can run their own security tests and manage a lot of well known security tools (OpenVas, Wfuzz, SQLMap, DNS recon, robot analyzer…) take their results, feedback to the rest of tools and merge all of results. And all of this automatically.

GoLismero is fully extensible through plugins, and that means you can always roll your own scripts, tailored to your specific needs, or using your favorite tools.

The most interesting features of the framework are:

  • Real platform independence. Tested on Windows, Linux, *BSD and OS X.
  • No native library dependencies. All of the framework has been written in pure Python.
  • Good performance when compared with other frameworks written in Python and other scripting languages.
  • Very easy to use.
  • Plugin development is extremely simple.
  • The framework also collects and unifies the results of well known tools: sqlmap, xsser, openvas, dnsrecon, theharvester…
  • Integration with standards: CWE, CVE and OWASP.
  • Designed for cluster deployment in mind (not available yet).

Basic usage

This command will launch GoLismero with all default options and show the report on standard output:

golismero scan

If you omit the default command “scan” GoLismero is smart enough to figure out what you’re trying to do, so this works too:


You can also set a name for your audit with –audit-name:

golismero scan  --audit-name

And you can produce reports in different file formats. The format is guessed from the file extension, and you can write as many files as you want:

golismero scan  -o <output name=""></output>

You can import results from other tools with the -i option. You can use -i several times to import multiple files.

golismero import nikto_output.csv nmap_output.xml -db database.db

All results are automatically stored in a database file. You can prevent this with the -nd option:

golismero  -nd

This allows you to scan the target in one step, and generating the report later. For example, to scan without generating a report:

golismero scan  -db database.db -no

And then generate the report from the database at a later time (or from a different machine!):

golismero report report.html -db database.db

You can also specify multiple output files:

golismero report report.html report.txt report.rst -db example.db

Use the -e option to enable only some specific plugins, and -d to disable plugins (you can use -e and -d many times):

golismero scan  -e

You can also select multiple plugins using wildcards. For example, you can select all bruteforce plugins like this:

golismero scan  -e brute*

GoLismero currently produces reports on the console, in plain text files, in reStructured text format and in HTML format. In all cases, the reports are self-contained in a single file for easier transport – that means the HTML report is a single .html file with everything bundled in, and you can just attach it in an email to send it to someone else.

If no output files are specified, GoLismero reports on the console by default. But you can choose both at the same time too! For example, let’s write an HTML report and also see the output on the console, using the special filename “-“:

golismero scan  -o - -o report.html

In this example we’ll put everything we’ve seen above into practice in a single command. We’ll import results from an Nmap scan, run a scan of our own but using only the DNS analysis plugins, save the results in a database file of our choosing and produce reports in HTML and reStructured text format.

golismero -i nmap_output.xml -e dns* -db database.db -o report.rst -o report.html

GoLismero website.

Download from GitHub.

git clone https://github.com/golismero/golismero /opt/golismero
%d bloggers like this: