chux0r / netbang

Scrappy scanner written in Go. Exploring the relevance of "scanning" in the new realm, what redteams need, and what methods can get us what we need quickly and, if at all possible, silently.

Home Page: https://github.com/chux0r/netbang

License: GNU General Public License v2.0

Go 93.27% Shell 3.99% PowerShell 2.74%
cybersecurity fast golang hacktoberfest interrogator network-analysis scanner stealth boom dynamite

netbang's Issues

in version 0.24 alpha --ports spec flag still scans a named list (win_test list) when single port specified

Dev artifact made it to prod?

PS > .\netscanx.exe --ports 3389 127.0.0.1
ParsePortsCDL input string:  3389

Item: 3389

Num character is 9 times 1 (x10^0), totaling 9
Num character is 8 times 10 (x10^1), totaling 89
Num character is 3 times 100 (x10^2), totaling 389
Num character is 3 times 1000 (x10^3), totaling 3389Strings slice:  []
uint16 slice: [3389]Ports specified:  [3389] List specified:  []
tcpScan [127.0.0.1:137] :: Error: [tcpScan [127.0.0.1:623] :: Success!
tcpScan [127.0.0.1:445] :: Success!
tcpScan [127.0.0.1:5040] :: Success!
tcpScan [127.0.0.1:3389] :: Success!
tcpScan [127.0.0.1:5985] :: Success!
tcpScan [127.0.0.1:135] :: Success!
dial tcp 127.0.0.1:137: connectex: An attempt was made to access a socket in a way forbidden by its access permissions.]
tcpScan [127.0.0.1:139] :: Error: [tcpScan [127.0.0.1:8000] :: Error: [dial tcp 127.0.0.1:139: connectex: No connection could be made because the target machine actively refused it.]
dial tcp 127.0.0.1:8000: connectex: No connection could be made because the target machine actively refused it.]tcpScan [127.0.0.1:9999] :: Error: [dial tcp 127.0.0.1:9999: connectex: No connection could be made because the 
target machine actively refused it.]

Scanning mode: IP/network range sampling engine (linear rand, stratified, stratified rand)

A-Z whole-net scanning is not a realistic strategy for teams needing to enumerate or locate things within very large address spaces, especially ipv6. Stratified random sampling has been useful for researchers in other fields (hello anthropologists!) also dealing with the need to use limited resources to maximize the location of the most significant artifacts. Most are dealing with a limitation on time and funding. We are as well.

To get the best results possible from stratified random target scanning, it will also be important to adjust targeting using things we know, or at least guess intelligently: about the space, customs, protocols, patterns observed, and other knowns to tighten up testing. For instance, we know the first and last addresses of a network are the network and broadcast addresses, respectively. We also can make a decent guess that network routing devices are likely to be found on the first or last host-addressable IP addresses. Knowing that hosts are more likely to have adjacency might give rise to a method that interrogates neighboring IPs once we locate a host. And so on.

Just like anthropologists on a dig with limited research dollars who gather intelligence from other researchers, info gathered from locals in an area, topographical maps, satellite photography, aerial photos, and past results, so should we use available intel to adjust our stratified random sampling.
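As an added illustration of the sampling engine this issue sketches (example code written for this page, not netbang's own; the Sampler type, its methods and the seed parameter are assumptions), the Go program below turns the three ideas above into a target list: skip the network and broadcast addresses, put the first and last host-addressable IPs at the front because routers tend to live there, then take a fixed number of random picks from each equal-width stratum of the block. Offsets are handled as big.Int so the same code covers IPv6 prefixes that are far too large to sweep linearly; the seed makes a run reproducible.

```go
package main

import (
	"fmt"
	"math/big"
	"math/rand"
	"net"
)

// Sampler draws targets from one CIDR block. Addresses are handled as
// big.Int offsets from the network address so the same code covers IPv4
// and IPv6 (where a /64 is far too large to sweep linearly).
type Sampler struct {
	base  *big.Int   // integer value of the network address
	size  *big.Int   // number of addresses in the block
	ipLen int        // 4 for IPv4, 16 for IPv6
	rnd   *rand.Rand // seeded so a run can be reproduced
}

func NewSampler(cidr string, seed int64) (*Sampler, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	ip := ipnet.IP
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	ones, bits := ipnet.Mask.Size()
	return &Sampler{
		base:  new(big.Int).SetBytes(ip),
		size:  new(big.Int).Lsh(big.NewInt(1), uint(bits-ones)),
		ipLen: len(ip),
		rnd:   rand.New(rand.NewSource(seed)),
	}, nil
}

// at converts an offset from the network address back into a net.IP.
func (s *Sampler) at(off *big.Int) net.IP {
	v := new(big.Int).Add(s.base, off)
	return net.IP(v.FillBytes(make([]byte, s.ipLen)))
}

// Sample returns the two "intelligent guess" targets first (first and last
// host-addressable IP, where routing gear tends to sit), then perStratum
// random picks from each of `strata` equal-width slices of the host range,
// so every part of the block gets probed even on a tiny budget. Duplicates
// are dropped, so the result may be shorter than 2+strata*perStratum.
func (s *Sampler) Sample(strata, perStratum int) []net.IP {
	lo := big.NewInt(0)
	hi := new(big.Int).Sub(s.size, big.NewInt(1))
	// IPv4 blocks larger than a /31 lose the network and broadcast addresses.
	if s.ipLen == 4 && s.size.Cmp(big.NewInt(2)) > 0 {
		lo = big.NewInt(1)
		hi.Sub(hi, big.NewInt(1))
	}
	seen := map[string]bool{}
	var out []net.IP
	add := func(off *big.Int) {
		ip := s.at(off)
		if k := ip.String(); !seen[k] {
			seen[k] = true
			out = append(out, ip)
		}
	}
	add(lo)
	add(hi)

	span := new(big.Int).Sub(hi, lo)
	span.Add(span, big.NewInt(1)) // number of host addresses
	width := new(big.Int).Div(span, big.NewInt(int64(strata)))
	if width.Sign() == 0 {
		width = big.NewInt(1) // block smaller than the number of strata
	}
	for i := 0; i < strata; i++ {
		start := new(big.Int).Mul(width, big.NewInt(int64(i)))
		start.Add(start, lo)
		if start.Cmp(hi) > 0 {
			break // tiny block: remaining strata lie past the end of the range
		}
		end := new(big.Int).Add(start, width) // exclusive
		if i == strata-1 {
			end = new(big.Int).Add(hi, big.NewInt(1)) // last stratum takes the remainder
		}
		w := new(big.Int).Sub(end, start)
		for j := 0; j < perStratum; j++ {
			off := new(big.Int).Rand(s.rnd, w)
			add(off.Add(off, start))
		}
	}
	return out
}

func main() {
	s, err := NewSampler("10.0.0.0/24", 1)
	if err != nil {
		panic(err)
	}
	for _, ip := range s.Sample(4, 2) {
		fmt.Println(ip)
	}
}
```

The neighbour-interrogation idea from the issue (probe the addresses adjacent to a live host) would be a second pass fed by this list, not part of the sampler itself.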

MVP feature :: Concurrent scanning

Build and test goroutine concurrency structures, functions, and methods to use in all multi-host scanning contexts.
Go routines
Channel i/o brokers

Goroutine runtime error: index out of range in main.go

[Running] go run "netscanx\main.go"
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
main.main()
netscanx/main.go:96 +0xcf9
exit status 2

[Done] exited with code=1 in 2.067 seconds

MVP feature :: TCP scanning

Build and test:
TCP Connect
TCP Half-open
TCP full-open
TCP close
TCP connection error collection/handling
TCP session error collection/handling
Response collection
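The two MVP items above (goroutine/channel concurrency, and TCP connect scanning with error collection) fit in one worked example, added here for this page and not taken from netbang: a bounded worker pool whose two channels act as the job and result brokers, a full-open connect scan per port, and a classifier that keeps the dial error and maps "connection refused" to closed and a timeout to filtered. Names (PortResult, ScanPorts, classify) are assumptions. Half-open/SYN scanning is deliberately not shown: it needs raw sockets and privileges, where connect scanning needs neither but is noisier because the service sees an accepted connection.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"sort"
	"sync"
	"syscall"
	"time"
)

// PortResult is one scan job's outcome. The error is kept, not just logged,
// so the caller can separate "refused" from "timed out" from "our fault".
type PortResult struct {
	Port  uint16
	State string // "open", "closed", "filtered", "error"
	Err   error
}

// classify maps a dial error onto the usual scanner vocabulary: an RST
// (ECONNREFUSED) means a host answered and the port is closed; a timeout
// means nothing came back at all, so something is dropping packets.
func classify(err error) string {
	var nerr net.Error
	switch {
	case err == nil:
		return "open"
	case errors.Is(err, syscall.ECONNREFUSED):
		return "closed"
	case errors.As(err, &nerr) && nerr.Timeout():
		return "filtered"
	}
	return "error"
}

// connectScan is a full-open scan: complete the three-way handshake, then
// close cleanly.
func connectScan(host string, port uint16, timeout time.Duration) PortResult {
	addr := net.JoinHostPort(host, fmt.Sprint(port))
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err == nil {
		conn.Close()
	}
	return PortResult{Port: port, State: classify(err), Err: err}
}

// ScanPorts fans the port list out over a bounded pool of goroutines.
// jobs and results are the two channel brokers: workers pull ports from
// jobs and push outcomes to results; a closer goroutine shuts results once
// every worker has finished, so the collecting loop terminates cleanly.
func ScanPorts(host string, ports []uint16, workers int, timeout time.Duration) []PortResult {
	jobs := make(chan uint16)
	results := make(chan PortResult)
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for p := range jobs {
				results <- connectScan(host, p, timeout)
			}
		}()
	}
	go func() {
		for _, p := range ports {
			jobs <- p
		}
		close(jobs)
		wg.Wait()
		close(results)
	}()
	var out []PortResult
	for r := range results {
		out = append(out, r)
	}
	// Workers finish in arbitrary order; sort so reports are stable.
	sort.Slice(out, func(i, j int) bool { return out[i].Port < out[j].Port })
	return out
}

// Count summarises results by state for a one-line footer.
func Count(res []PortResult) map[string]int {
	c := map[string]int{}
	for _, r := range res {
		c[r.State]++
	}
	return c
}

func main() {
	res := ScanPorts("127.0.0.1", []uint16{22, 80, 135, 445, 3389, 8080}, 4, 500*time.Millisecond)
	for _, r := range res {
		fmt.Printf("%5d %-8s %v\n", r.Port, r.State, r.Err)
	}
	fmt.Println(Count(res))
}
```

Sorting after collection is what keeps the report readable despite interleaved worker output like the tcpScan lines quoted in the 0.24 alpha issue above; the interleaving is expected once the scan is concurrent, so the fix is to collect on a channel and order at the end rather than print from the workers.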

DNS recon MVP

Write an MVP set of dns tools a user can use to:

Perform hostname->IPs lookup
Perform IP->hostname (reverse) lookup
Change the resolver in use, by IP:port

MVP feature :: custom ports list builder

Dependency: CLI switch parser
Build and test "--port|-p" switch and method to specify one or more comma delimited ports to use in any scan that accepts a port list (tcp/udp)

tcp/udp --portsfile does not seem to work. ALSO: UDP defaults to TCP list

It uses the default list. In fact, looks like it's using the default port list for TCP.

echo "53,161,10000" > ./ports.tmp && ./netbang --proto udp --portsfile ./ports.tmp -t 500 127.0.0.1 && rm ./ports.tmp

Bang target: [127.0.0.1], Portcount: [65]

UDP portbangers unleashed...💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀
Jobs run: 65
127.0.0.1 Scan Results

(ports used in this job: =====
8443]
20] -
21] -
22] -
23] -
25] -
43] -
53] -
67] -
68] -
69] -
79] -
80] -
989]
111]
113]
119]
135]
137]
139]
143]
177]
179]
389]
443]
445]
464]
512]
513]
514]
515]
546]
547]
587]
593]
636]
853]
873]
2484]
990]
993]
995]
1270]
1337]
1433]
1434]
1521]
2222]
2323]
2375]
2483]
5432]
3306]
3333]
3389]
110]
5060]
5800]
5900]
8008]
8080]
8081]
8088]
88] -
5061

default timeout on UDP scanning can make scan hang very long

Testing on updates for v0.43 reminded me that the UDP scan will hang there for way too long (killed after 1 min, 4 ports out of the "udp_short" default complete).

  • Do more testing on UDP scan to document default timeout and how long scans take, baseline on scanme.org
  • Set a more reasonable default timeout for UDP scanning
    • If the operator wants accuracy, do they have to let everything wait until they time out? Or is there a threshold where anyone may reasonably assume the thing ain't going to respond? Answer this
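The hang described in this issue comes from UDP having no handshake: a probe can only end with a datagram back (open), an ICMP port-unreachable (closed), or silence (open|filtered), and only the silent case pays the full timeout. The probe below is an added example for this page, not netbang's code; ProbeUDP, Payload and the retries parameter are assumptions. It bounds the silent case to exactly retries×timeout per port, which is the threshold the issue asks about, and sends a protocol-correct payload to port 53 (a constructed minimal DNS query) because an empty datagram to a real service is usually ignored and so looks identical to a filtered port. Mapping ICMP unreachable to "closed" relies on the OS delivering that error to a connected UDP socket as ECONNREFUSED, which Linux does.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"syscall"
	"time"
)

const (
	UDPOpen         = "open"
	UDPClosed       = "closed"
	UDPOpenFiltered = "open|filtered"
)

// dnsRootNS is a constructed minimal DNS query: ID 0x1234, RD set,
// QDCOUNT 1, question "." NS IN. Any resolver will answer it.
var dnsRootNS = []byte{
	0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x02, 0x00, 0x01,
}

// Payload picks a per-service probe; everything else gets an empty datagram,
// which a closed port still answers with ICMP but an open one may ignore.
func Payload(port uint16) []byte {
	if port == 53 {
		return dnsRootNS
	}
	return []byte{}
}

// ProbeUDP sends the payload up to `retries` times, waiting `timeout` each
// time. It returns as soon as the state is known; only a silent port pays
// the whole retries*timeout budget, and that budget is the scan's worst case.
func ProbeUDP(host string, port uint16, payload []byte, timeout time.Duration, retries int) (string, error) {
	conn, err := net.Dial("udp", net.JoinHostPort(host, fmt.Sprint(port)))
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 1500)
	for i := 0; i < retries; i++ {
		if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
			return "", err
		}
		if _, err := conn.Write(payload); err != nil {
			if errors.Is(err, syscall.ECONNREFUSED) {
				return UDPClosed, nil // ICMP unreachable queued from an earlier round
			}
			return "", err
		}
		_, err := conn.Read(buf)
		switch {
		case err == nil:
			return UDPOpen, nil // something answered
		case errors.Is(err, syscall.ECONNREFUSED):
			return UDPClosed, nil // kernel relayed ICMP port unreachable
		case errors.Is(err, os.ErrDeadlineExceeded):
			continue // silence: retry once more, then give up
		default:
			return "", err
		}
	}
	return UDPOpenFiltered, nil
}

func main() {
	for _, p := range []uint16{53, 161, 10000} {
		st, err := ProbeUDP("127.0.0.1", p, Payload(p), 300*time.Millisecond, 2)
		fmt.Printf("%5d %-14s %v\n", p, st, err)
	}
}
```

With timeout 300 ms and two tries, a port list of 65 silent ports costs at most 39 s sequentially and a few seconds with the same worker pool used for TCP; lengthening the timeout past a second or two buys almost nothing, because a host that answers at all usually does so within a round trip.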

OOB Port number specified is used anyway.

CLI-specified portdef will allow numbers > 65535 without throwing an error. Number wraps around and is used anyway.

--ctg

mongoose@thoughtcrime:~/workbench/dev/golang/netbang$ ./netbang -p 80,8urr1to-,111,10000,80000 --debug scanme.org
DEBUG: buildPortsList(): Process input [ 80,8urr1to-,111,10000,80000 ] with parsePortsCdl()
DEBUG: parsePortsCDL(): parsing " 80,8urr1to-,111,10000,80000 "
DEBUG: parsePortsCDL(): Evaluating item [ 80 ]
DEBUG: parsePortsCDL(): Item [ 80 ] is a number [ 80 ]. Appended. Current port slice [ [80] ]
DEBUG: parsePortsCDL(): Evaluating item [ 8urr1to- ]
DEBUG: parsePortsCDL(): [ 8urr1to- ] result: NAN
DEBUG: parsePortsCDL(): [ 8urr1to- ] is possibly a port range.
DEBUG: ArgsToPortRange. Result: RANGE[ 0 ]:[ 0 ]
DEBUG: parsePortsCDL(): Evaluating item [ 111 ]
DEBUG: parsePortsCDL(): Item [ 111 ] is a number [ 111 ]. Appended. Current port slice [ [80 111] ]
DEBUG: parsePortsCDL(): Evaluating item [ 10000 ]
DEBUG: parsePortsCDL(): Item [ 10000 ] is a number [ 10000 ]. Appended. Current port slice [ [80 111 10000] ]
DEBUG: parsePortsCDL(): Evaluating item [ 80000 ]
DEBUG: parsePortsCDL(): Item [ 80000 ] is a number [ 80000 ]. Appended. Current port slice [ [80 111 10000 14464] ]

DEBUG: parsePortsCdl() Port range def string:  80,8urr1to-,111,10000,80000

DEBUG: parsePortsCdl() RETURN-> Named portlist strings slice:  []

DEBUG: parsePortsCdl() RETURN-> Uint16 ports slice:  [80 111 10000 14464]
DEBUG: buildPortsList(): Adding [ [80 111 10000 14464] ] to ThisScan...Portlist.
DEBUG: buildPortsList(): Resulting PortList [ [80 111 10000 14464] ]

Bang target: [scanme.org], Portcount: [4]
=====================================================
TCP portbangers unleashed...😎💀💀💀
Jobs run: 4
scanme.org Scan Results
================================================================================
[scanme.org:80] -->     [😎] OPEN
[scanme.org:10000] -->  [💀] ERROR: dial tcp 45.33.32.156:10000: connect: connection refused
[scanme.org:14464] -->  [💀] ERROR: dial tcp 45.33.32.156:14464: connect: connection refused
[scanme.org:111] -->    [💀] ERROR: dial tcp 45.33.32.156:111: i/o timeout

MVP feature :: CLI switch parsing

Build and test a method to be used on the CLI that will parse CLI switches given between argv[0] and argv[last] (target IP/hostname(s))

Shodan recon confused when key is set in env

EXECUTE: ./netbang --recon shodan hostip 1.1.1.1
2024/03/25 14:11:51 "Notice: SHODAN_KEY: " set in OS ENV; but other API key given. Using key set explicitly: [1.1.1.1].

(morgan freeman voice: "no other API key was given")

PORTLIST: Read named standard lists from configuration file

Key features:

Input: netscanx ports.conf file
Processing:
format is <whitespace?>PORTNUM(INT32)DESCRIPTION
(DESCRIPTION can include multiple whitespaces)
Use as record separator
parse file
ignore everything after comments "#"
ignore any/all whitespace at beginning of records
ignore empty lines
error out if there are lines where PORTNUM is not a valid uint32 value
Output: Return a slice of uint32

See Ports.md for example.
Standard configs are
tcp_short
tcp_extra
udp_short

(NOTE, there is no "tcp_long", at least in the config. We build it on the fly as "tcp_short+tcp_extra")
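Both the "OOB port number specified is used anyway" issue (80000 wrapping to 14464, "8urr1to-" becoming a 0:0 range) and the ports.conf reader described here come down to one thing: every port number must pass through a single validating parser. The Go program below is an added example for this page, not netbang's own parser; ParsePortSpec, ParsePortsConf, the named-list map and the sample config text are all assumptions, and it narrows the conf spec's uint32 to uint16 because, as the OOB issue shows, anything above 65535 is not a port. strconv.ParseUint with bitSize 16 is what makes 80000 an error rather than a wrapped value; a non-numeric item is an error too, instead of falling back to a default list.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// parsePort is the one place port numbers are validated. ParseUint with
// bitSize 16 refuses 65536 and up instead of letting 80000 wrap to 14464;
// 0 is refused too, since it is not a scannable port.
func parsePort(s string) (uint16, error) {
	n, err := strconv.ParseUint(strings.TrimSpace(s), 10, 16)
	if err != nil || n == 0 {
		return 0, fmt.Errorf("port %q: not a number in 1-65535", s)
	}
	return uint16(n), nil
}

// ParsePortSpec expands a comma-delimited CLI spec such as "22,80-83,tcp_short":
// plain numbers, lo-hi ranges, or keys of the named-list map. Anything else
// is an error, so a typo never silently turns into a port or a default list.
func ParsePortSpec(spec string, named map[string][]uint16) ([]uint16, error) {
	var out []uint16
	seen := map[uint16]bool{} // dedupe, keeping first-seen order
	add := func(p uint16) {
		if !seen[p] {
			seen[p] = true
			out = append(out, p)
		}
	}
	for _, item := range strings.Split(spec, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		if list, ok := named[item]; ok {
			for _, p := range list {
				add(p)
			}
			continue
		}
		lohi := strings.SplitN(item, "-", 2) // "8urr1to-" fails here on its left half
		lo, err := parsePort(lohi[0])
		if err != nil {
			return nil, err
		}
		hi := lo
		if len(lohi) == 2 {
			if hi, err = parsePort(lohi[1]); err != nil {
				return nil, err
			}
		}
		if lo > hi {
			return nil, fmt.Errorf("range %q: low end above high end", item)
		}
		for p := int(lo); p <= int(hi); p++ {
			add(uint16(p))
		}
	}
	return out, nil
}

// ParsePortsConf reads one named list in the ports.conf record format:
// optional leading whitespace, PORTNUM, whitespace, free-text DESCRIPTION.
// '#' starts a comment, blank lines are skipped, and a bad PORTNUM is fatal.
func ParsePortsConf(r io.Reader) ([]uint16, error) {
	var out []uint16
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line) // also drops leading/trailing whitespace
		if len(fields) == 0 {
			continue
		}
		p, err := parsePort(fields[0])
		if err != nil {
			return nil, fmt.Errorf("ports.conf line %d: %w", n, err)
		}
		out = append(out, p)
	}
	return out, sc.Err()
}

// sampleConf is a constructed ports.conf fragment, not the project's file.
const sampleConf = `# tcp_short (constructed example)
   22   ssh
80 http   # plain web
443 https
  # 8080 disabled for now

3389 rdp   remote desktop
`

func main() {
	short, err := ParsePortsConf(strings.NewReader(sampleConf))
	if err != nil {
		panic(err)
	}
	named := map[string][]uint16{"tcp_short": short}
	for _, spec := range []string{"80,111,10000", "80,8urr1to-,111,10000,80000", "20-25,tcp_short"} {
		ports, err := ParsePortSpec(spec, named)
		fmt.Printf("%-30s -> %v err=%v\n", spec, ports, err)
	}
}
```

Because the CLI parser and the config reader share parsePort, the two bugs cannot drift apart: a value the config refuses is refused on the command line too.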
