1- .TH ASRFACET-RB 1 "April 2026" "ASRFacet-Rb 1.5 .0" "User Commands"
1+ .TH ASRFACET-RB 1 "April 2026" "ASRFacet-Rb 2.0 .0" "User Commands"
22.SH NAME
33asrfacet-rb \- authorized attack surface reconnaissance and security mapping framework
44.SH SYNOPSIS
@@ -24,12 +24,13 @@ asrfacet-rb
2424asrfrb
2525.SH DESCRIPTION
2626ASRFacet-Rb is a Ruby 3.2+ framework for authorized attack surface reconnaissance.
27- It combines passive discovery, recursive DNS and certificate enrichment, service mapping ,
28- HTTP probing, crawling, JavaScript endpoint mining, asset scoring, monitoring, and
29- lightweight finding generation .
27+ It combines passive discovery, DNS and certificate enrichment, service fingerprinting ,
28+ HTTP probing, crawling, JavaScript endpoint mining, relationship-aware intelligence,
29+ workspace tracking, reporting, and change detection .
3030.PP
3131The framework is intended only for systems you own or have explicit written permission
32- to test. Scope control, recon memory, and educational self-documentation are built in.
32+ to test. Scope control, recon memory, guided help, and local validation surfaces are
33+ built in.
3334.SH COMMANDS
3435.TP
3536.B scan DOMAIN
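Review bot: the rewritten DESCRIPTION sentence drops "asset scoring" and "lightweight finding generation", yet the unchanged RECON BASICS text still says the tool "ranks the results" and the OUTPUTS entries still mention findings. If scoring and findings remain in 2.0, keep them in the feature list; if they were removed, the later sections need the same edit. "local validation surfaces" is also vague next to the concrete `lab` command added further down; naming the lab directly would read better.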
@@ -39,22 +40,142 @@ Run the full reconnaissance pipeline. Aliases: s, sc.
3940Run passive discovery only. Aliases: p, pa.
4041.TP
4142.B ports HOST
42- Run a focused TCP port scan. Aliases: pt, po.
43+ Run a focused TCP connectivity scan. Aliases: pt, po.
44+ .TP
45+ .B portscan TARGET
46+ Run the scanner engine directly with explicit scan type, timing, and optional version
47+ or OS detection.
4348.TP
4449.B dns DOMAIN
4550Collect DNS records only. Aliases: d, dn.
4651.TP
47- .B console
48- Launch the framework console. Aliases: c, con, shell.
52+ .B keys SUBCOMMAND
53+ Manage encrypted API keys with set, get, list, and delete.
54+ .TP
55+ .B workspace SUBCOMMAND
56+ Manage persisted intelligence workspaces with list, show, delete, and export.
57+ .TP
58+ .B graph SUBCOMMAND
59+ Export the legacy knowledge graph as DOT, JSON, or Mermaid.
60+ .TP
61+ .B track TARGET
62+ Diff the current workspace graph against the latest stored snapshot on or before a date.
63+ .TP
64+ .B viz TARGET
65+ Render a workspace graph as DOT, JSON, or Mermaid.
66+ .TP
67+ .B subs TARGET
68+ List stored FQDN assets from a workspace.
69+ .TP
70+ .B lab
71+ Launch the local validation lab.
72+ .TP
73+ .B deploy
74+ Start the web control panel and optional local lab in one go.
4975.TP
5076.B web
5177Launch the local web control panel. Aliases: w, ui.
5278.TP
5379.B interactive
5480Launch the standalone guided workflow. Aliases: i, int.
5581.TP
82+ .B console
83+ Launch the framework console. Aliases: c, con, shell.
84+ .TP
85+ .B about
86+ Show a framework overview, storage paths, and safety notes. Alias: a.
87+ .TP
5688.B help [topic], explain TOPIC, manual [section]
57- Show built-in documentation. Help aliases: h, ?. Explain aliases: x, exp. Manual aliases: m, man. Version aliases: v, ver.
89+ Show built-in documentation. Help aliases: h, ?. Explain aliases: x, exp.
90+ Manual aliases: m, man. Version aliases: v, ver.
91+ .SH GLOBAL OPTIONS
92+ .TP
93+ .B \- o, --output PATH
94+ Save output to a file or directory.
95+ .TP
96+ .B \- f, --format cli|json|html|txt|csv|pdf|docx|all|sarif
97+ Select the output renderer.
98+ .TP
99+ .B \- v, --verbose
100+ Print stage-by-stage status messages.
101+ .TP
102+ .B \- t, --threads N
103+ Set worker concurrency for threaded engines.
104+ .TP
105+ .B --timeout SEC
106+ Set the network timeout for active operations.
107+ .TP
108+ .B --scope LIST
109+ Comma-separated authorized domains or IPs.
110+ .TP
111+ .B --exclude LIST
112+ Comma-separated domains or IPs to never touch.
113+ .TP
114+ .B --monitor
115+ Show changes since the previous scan.
116+ .TP
117+ .B --memory
118+ Skip already confirmed subdomains when previous recon memory exists.
119+ .TP
120+ .B --headless
121+ Enable headless browser probing for JavaScript-heavy applications.
122+ .TP
123+ .B --webhook-url URL
124+ Send alerts to Slack or Discord.
125+ .TP
126+ .B --webhook-platform slack|discord
127+ Choose the webhook payload format.
128+ .TP
129+ .B --delay MS
130+ Set a base delay between requests in milliseconds.
131+ .TP
132+ .B --adaptive-rate
133+ Enable adaptive rate control.
134+ .TP
135+ .B \- C, --console
136+ Launch the persistent console shell.
137+ .TP
138+ .B --web-session
139+ Launch the local web control panel.
140+ .TP
141+ .B --web-host HOST
142+ Bind host for web or deploy mode.
143+ .TP
144+ .B --web-port N
145+ Bind port for web or deploy mode.
146+ .SH PORTSCAN
147+ The
148+ .B portscan
149+ command provides direct scanner-engine control:
150+ .TP
151+ .B --type connect|syn|udp|ack|fin|null|xmas|window|maimon|ping|service
152+ Choose the scan type.
153+ .TP
154+ .B \- T, --timing 0-5
155+ Select the scanner timing template.
156+ .TP
157+ .B \- p, --ports SPEC
158+ Use presets such as top100 or top1000, ranges such as 1-1024, or lists such as 22,80,443.
159+ .TP
160+ .B \- sV, --version
161+ Enable service version detection.
162+ .TP
163+ .B \- O, --os
164+ Enable OS fingerprinting.
165+ .TP
166+ .B --intensity 0-9
167+ Set version detection intensity.
168+ .TP
169+ .B --raw-backend auto|nping|builtin
170+ Choose the raw TCP backend for raw-style scan types.
171+ .TP
172+ .B --sudo, --elevate
173+ Attempt a sudo or Administrator relaunch when a raw scan needs elevation.
174+ .PP
175+ Raw-style TCP modes such as syn, ack, fin, null, xmas, window, and maimon require
176+ a raw-capable backend and elevated privileges. ASRFacet-Rb can use Nping across
177+ Linux, macOS, and Windows when it is installed and the host has the required raw
178+ packet support.
58179.SH CONSOLE
59180The console is the richest operator interface and supports framework-style commands such as:
60181.IP
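Review bot: in the PORTSCAN options, `\- sV, --version` reuses a long option that conventionally prints the program version, and the same page already lists "Version aliases: v, ver" and `\- v, --verbose`, so a reader cannot tell what `--version` does outside `portscan`. Suggest a distinct long name for service detection, or a sentence stating the flag is only interpreted this way under `portscan`. For `--sudo, --elevate`, document what exactly is relaunched and with which arguments, since it is the one option that changes the privilege level of the process. `--webhook-url` should also say which scan data is sent to Slack or Discord.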
@@ -78,26 +199,30 @@ Normal framework commands can also be run directly inside the console.
78199.SH WEB SESSION
79200Web session mode starts a local browser-facing control panel, bound to 127.0.0.1:4567
80201by default unless overridden.
81- It keeps saved sessions, live activity, report links, and built-in docs in one shell.
202+ It keeps saved sessions, live activity, report links, command previews, and built-in docs in one shell.
82203.PP
83204The web UI is local, not hosted. Drafts are stored under
84205.I ~/.asrfacet_rb/web_sessions/
85- and runs still use the same underlying reconnaissance pipeline as the CLI.
86- .SH WIZARD
87- The console-only wizard asks what you are trying to achieve, how careful you want to be,
88- what format you want, and whether monitoring or memory should be enabled.
89- It then recommends a concrete command and can execute it for you.
206+ and runs still use the same underlying reconnaissance and scanner surfaces as the CLI.
207+ .SH LOCAL LAB
208+ The local lab starts a safe placeholder validation target on 127.0.0.1:9292 by default.
209+ It exposes intentionally weak headers, permissive CORS, JavaScript endpoint patterns,
210+ debug-style routes, and reporting-friendly placeholder content so operators can test
211+ the framework locally before using a real authorized target.
212+ .SH DEPLOY
213+ Deploy mode starts the web control panel and, by default, the local lab together.
214+ It waits for readiness, prints the service URLs, and writes a runtime manifest under
215+ .I ~/.asrfacet_rb/runtime/
216+ unless overridden with
217+ .B --manifest .
218+ Use
219+ .B --public
220+ only when you intentionally want the stack bound to 0.0.0.0.
90221.SH RECON BASICS
91222Passive reconnaissance uses third-party data without touching the target.
92223Active reconnaissance confirms assets by making requests or opening connections.
93224Effective attack surface mapping combines both approaches, then ranks the results so
94225deeper testing focuses on the most valuable assets first.
95- .SH CONFIGURATION
96- Project defaults are stored in
97- .I config/default.yml
98- and user overrides are stored in
99- .I ~/.asrfacet_rb/config.yml .
100- Common settings include timeouts, thread counts, wordlists, output preferences, and HTTP behavior.
101226.SH OUTPUTS
102227.TP
103228.B cli
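Review bot: the DEPLOY text presents `--public` as a plain bind change, but deploy starts the lab "by default" and LOCAL LAB describes that target as exposing "intentionally weak headers, permissive CORS" and "debug-style routes", so `--public` puts a deliberately weak service and the control panel on 0.0.0.0 together. Suggest stating that explicitly, documenting how to run deploy without the lab, and saying whether the web control panel requires authentication when it is not bound to 127.0.0.1. Separately, this hunk deletes the CONFIGURATION section while FILES still lists "User configuration overrides"; keep a short pointer to the config file paths.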
@@ -111,6 +236,21 @@ Offline report with findings, graph relationships, and top targets.
111236.TP
112237.B txt
113238Plain-text export.
239+ .TP
240+ .B csv
241+ Flat exports for subdomains, IPs, ports, findings, and JavaScript endpoints.
242+ .TP
243+ .B pdf
244+ Dark-theme printable report for evidence capture and sharing.
245+ .TP
246+ .B docx
247+ Editable document export for formal reporting workflows.
248+ .TP
249+ .B sarif
250+ Structured security-tooling export for downstream pipelines.
251+ .TP
252+ .B all
253+ Generate every supported report flavor in one request.
114254.PP
115255Automatic report bundles are stored under
116256.I ~/.asrfacet_rb/output/reports/<target>/<timestamp>/
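Review bot: the new `csv` entry describes several flat exports and `all` generates every format, but `--output PATH` is documented only as "a file or directory". Say what happens when a multi-file format is given a file path. The `--format` option line lists `all` before `sarif` while this section lists `sarif` before `all`; use one order in both places.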
@@ -133,12 +273,18 @@ User configuration overrides.
133273.I ~/.asrfacet_rb/memory/
134274Per-target scan memory.
135275.TP
276+ .I ~/.asrfacet_rb/workspaces/
277+ Persisted workspace graphs, session metadata, and exports.
278+ .TP
136279.I ~/.asrfacet_rb/output/
137280Stored reports and generated artifacts.
138281.TP
139282.I ~/.asrfacet_rb/web_sessions/
140283Persistent web-session drafts and recovered state.
141284.TP
285+ .I ~/.asrfacet_rb/runtime/
286+ Deployment manifests and runtime state.
287+ .TP
142288.I man/asrfacet-rb.1
143289Primary manual page source.
144290.TP
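Review bot: the FILES additions have no entry for the store behind the new `keys` command ("Manage encrypted API keys"); only `~/.asrfacet_rb/workspaces/` and `~/.asrfacet_rb/runtime/` appear in the visible lines. Add that path, and note the expected permissions for the directories under `~/.asrfacet_rb/`, since workspaces, memory and reports hold target reconnaissance data.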
@@ -160,6 +306,15 @@ Run a full scan and save an HTML report.
160306.B asrfacet-rb passive example.com --format json --output passive.json
161307Run passive discovery only and save JSON output.
162308.TP
309+ .B asrfacet-rb portscan 192.0.2.10 --type syn --timing 4 --ports 1-1024 --raw-backend nping --sudo
310+ Run a raw-capable SYN scan with elevation support.
311+ .TP
312+ .B asrfacet-rb workspace list
313+ List persisted workspaces.
314+ .TP
315+ .B asrfacet-rb deploy --public --web-port 8080 --lab-port 9393
316+ Start the full local operator stack.
317+ .TP
163318.B asrfacet-rb --web-session
164319Open the local control panel.
165320.TP
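Review bot: the `deploy --public --web-port 8080 --lab-port 9393` example is captioned "Start the full local operator stack", but DEPLOY says `--public` binds the stack to 0.0.0.0, so the caption is misleading. Either drop `--public` from the example or reword the caption to say the stack is network-exposed. `--lab-port` appears only in this example; it is not described under GLOBAL OPTIONS or DEPLOY in the visible lines and should be documented alongside `--web-port`.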