All HowTo's Cybersecurity Linux Redhat, Fedora and CentOS Linux

Installing the Tsunami Vulnerability Scanner on Fedora / CentOS 8

This article demonstrates how to install the new Tsunami vulnerability scanner on a Redhat-like machine such as Fedora or CentOS 8 and how to use it including an example script to scan multiple targets or subnets.

Install Java:

yum install java-*-openjdk-devel

Download the Tsunami ZIP from here:

Extract the file and run the installer:

cd tsunami-security-scanner-master

Once the installer finishes, you’ll see an example command that can be executed to scan the local machine:

cd /root/tsunami && \
java -cp "tsunami-main-0.0.2-SNAPSHOT-cli.jar:/root/tsunami/plugins/*" \
  -Dtsunami-config.location=/root/tsunami/tsunami.yaml \ \
  --ip-v4-target= \
  --scan-results-local-output-format=JSON \

Yes, I ran the above as the “root” user. Just for completeness, the scan above targets the host at “”.

View your results in the “/tmp/tsunami-output.json” JSON file. This file was specified in the example execution command above.

The results may look like this:

  "scanStatus": "SUCCEEDED",
  "scanStartTimestamp": "2020-11-09T00:13:30.036Z",
  "scanDuration": "46.721s",
  "fullDetectionReports": {
  "reconnaissanceReport": {
    "targetInfo": {
      "networkEndpoints": [{
        "type": "IP",
        "ipAddress": {
          "addressFamily": "IPV4",
          "address": ""
    "networkServices": [{
      "networkEndpoint": {
        "type": "IP_PORT",
        "ipAddress": {
          "addressFamily": "IPV4",
          "address": ""

To make it easier to scan a range of computers (such as a network), use the following to get started:


# Andrew Galdes ([email protected])

# Run from:
cd /root/tsunami

# Output file:

# Output format [JSON, BIN_PROTO]:

# Specify target hosts:
for TARGET in 10.0.0.{1..254}
        java -cp "tsunami-main-0.0.2-SNAPSHOT-cli.jar:/root/tsunami/plugins/*" -Dtsunami-config.location=/root/tsunami/tsunami.yaml --ip-v4-target=${TARGET} --scan-results-local-output-format=${FORMAT} --scan-results-local-output-filename=${OUTPUT}
echo "Check your results at: ${OUTPUT}

The output (in this example) is in JSON format. That’s easy to scan over but not easy to view at the management level. You can use one of a multitude of JSON viewers includ the simple “” site where you can simple copy/paste the JSON output from the Vulnerability Scanner and see an “ok” view of the data.

Documentation can be found at “”.
Plugins can be found at “”.

Leave a Reply

Your email address will not be published. Required fields are marked *