ConScan has been updated. If you’ve been using the Concrete5 black-box scanner since its initial release last October, version 1.2 adds two features that meaningfully expand what the tool can do against a target.
What’s new in v1.2
Username disclosure — ConScan can now enumerate valid usernames on a target Concrete5 installation. Username enumeration is one of those findings that’s easy to overlook but has real downstream impact: knowing valid usernames turns a brute-force from a shot in the dark into a targeted attack. It also makes a solid standalone finding in a report — applications shouldn’t confirm whether a username exists.
Single-threaded account brute-forcing — With valid usernames in hand, ConScan can now attempt account brute-forcing directly. It is single-threaded by design, which keeps the noise down and reduces the chance of triggering lockout policies on sensitive targets. Slow and steady is the right approach here — a locked account is a noisy footprint and an unhappy client.
Together, these two features extend ConScan from pure version-based vulnerability detection into active user enumeration and credential testing — a more complete picture of the attack surface on a Concrete5 target.
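For defenders, the practical consequence of slow, single-threaded guessing is that a short-window lockout counter may never fire. The following is an added example, not part of ConScan or the original post: it compares a per-account lockout counter with a per-source count over a longer window. The event format, IP addresses, and all thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for illustration only.
LOCKOUT_THRESHOLD, LOCKOUT_WINDOW = 5, timedelta(minutes=5)   # per account
SLOW_THRESHOLD, SLOW_WINDOW = 8, timedelta(hours=24)          # per source

# Constructed sample events: (timestamp, source IP, username, success).
BASE = datetime(2024, 1, 1, 9, 0)
EVENTS = [(BASE + timedelta(minutes=10 * i), "203.0.113.7", "admin", False)
          for i in range(12)]                    # one failure every 10 minutes
EVENTS += [
    (BASE + timedelta(minutes=1), "198.51.100.4", "alice", False),  # typo
    (BASE + timedelta(minutes=2), "198.51.100.4", "alice", False),  # typo
    (BASE + timedelta(minutes=3), "198.51.100.4", "alice", True),
]

def max_in_window(times, window):
    """Largest number of timestamps that fit inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def analyze(events):
    """Return (accounts that would lock out, sources flagged as slow guessing)."""
    by_account, by_source = defaultdict(list), defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_account[user].append(ts)
            by_source[ip].append(ts)
    lockouts = {u for u, t in by_account.items()
                if max_in_window(t, LOCKOUT_WINDOW) >= LOCKOUT_THRESHOLD}
    slow = {}
    for ip, t in by_source.items():
        n = max_in_window(t, SLOW_WINDOW)
        if n >= SLOW_THRESHOLD:
            slow[ip] = n
    return lockouts, slow

if __name__ == "__main__":
    locked, slow_sources = analyze(EVENTS)
    print("accounts locked out:", sorted(locked))
    print("slow-guessing sources:", slow_sources)
```

In the constructed data the lockout counter never trips, while the long-window per-source count flags the source that failed twelve times against one account.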
Download v1.2
https://github.com/nullsecuritynet/tools/blob/main/scanner/conscan/release/conscan-1.2.tgz