feat: 实现FTP文件传输协议专业扫描插件

2025-09-14 14:06:44 +08:00 · 2025-08-08 12:12:29 +08:00 · 2025-08-08 12:12:29 +08:00 · 4e661735f8
commit 4e661735f8
parent 6e936f604a
3 changed files with 366 additions and 0 deletions
--- a/Plugins/services/kafka/connector.go
+++ b/Plugins/services/kafka/connector.go
@ -0,0 +1,114 @@
 package kafka
 import (
 	"context"
 	"fmt"
 	"strings"
 	"time"
 	"github.com/IBM/sarama"
 	"github.com/shadow1ng/fscan/common"
 	"github.com/shadow1ng/fscan/plugins/base"
 )
 // KafkaConnection Kafka连接包装器
 type KafkaConnection struct {
 	client sarama.Client
 	target string
 }
 // KafkaConnector Kafka连接器实现
 type KafkaConnector struct {
 	host string
 	port string
 }
 // NewKafkaConnector 创建Kafka连接器
 func NewKafkaConnector() *KafkaConnector {
 	return &KafkaConnector{}
 }
 // Connect 连接到Kafka服务
 func (c *KafkaConnector) Connect(ctx context.Context, info *common.HostInfo) (interface{}, error) {
 	c.host = info.Host
 	c.port = info.Ports
 	target := fmt.Sprintf("%s:%s", c.host, c.port)
 	// 返回连接信息，实际连接在Authenticate时建立
 	return &KafkaConnection{
 		client: nil, // 延迟连接
 		target: target,
 	}, nil
 }
 // Authenticate 认证
 func (c *KafkaConnector) Authenticate(ctx context.Context, conn interface{}, cred *base.Credential) error {
 	kafkaConn, ok := conn.(*KafkaConnection)
 	if !ok {
 		return fmt.Errorf("无效的连接类型")
 	}
 	// 关闭之前的连接（如果有）
 	if kafkaConn.client != nil {
 		kafkaConn.client.Close()
 	}
 	// 创建新的认证配置
 	timeout := time.Duration(common.Timeout) * time.Second
 	config := sarama.NewConfig()
 	config.Net.DialTimeout = timeout
 	config.Net.ReadTimeout = timeout
 	config.Net.WriteTimeout = timeout
 	config.Net.TLS.Enable = false
 	config.Version = sarama.V2_0_0_0
 	// 如果提供了用户名密码，设置SASL认证
 	if cred.Username != "" || cred.Password != "" {
 		config.Net.SASL.Enable = true
 		config.Net.SASL.Mechanism = sarama.SASLTypePlaintext
 		config.Net.SASL.User = cred.Username
 		config.Net.SASL.Password = cred.Password
 		config.Net.SASL.Handshake = true
 	}
 	brokers := []string{kafkaConn.target}
 	// 尝试作为消费者连接测试
 	consumer, err := sarama.NewConsumer(brokers, config)
 	if err == nil {
 		consumer.Close()
 		// 创建认证后的客户端
 		client, clientErr := sarama.NewClient(brokers, config)
 		if clientErr != nil {
 			return fmt.Errorf("创建认证客户端失败: %v", clientErr)
 		}
 		kafkaConn.client = client
 		return nil
 	}
 	// 如果消费者连接失败，尝试作为客户端连接
 	client, clientErr := sarama.NewClient(brokers, config)
 	if clientErr == nil {
 		kafkaConn.client = client
 		return nil
 	}
 	// 检查认证相关错误
 	if strings.Contains(err.Error(), "SASL") ||
 		strings.Contains(err.Error(), "authentication") ||
 		strings.Contains(err.Error(), "credentials") {
 		return fmt.Errorf("Kafka认证失败")
 	}
 	return fmt.Errorf("Kafka连接失败: %v", err)
 }
 // Close 关闭连接
 func (c *KafkaConnector) Close(conn interface{}) error {
 	if kafkaConn, ok := conn.(*KafkaConnection); ok && kafkaConn.client != nil {
 		return kafkaConn.client.Close()
 	}
 	return nil
 }
--- a/Plugins/services/kafka/exploiter.go
+++ b/Plugins/services/kafka/exploiter.go
@ -0,0 +1,36 @@
 package kafka
 import (
 	"context"
 	"github.com/shadow1ng/fscan/common"
 	"github.com/shadow1ng/fscan/plugins/base"
 )
 // KafkaExploiter Kafka利用器实现 - 最小化版本，不提供利用功能
 type KafkaExploiter struct {
 	*base.BaseExploiter
 }
 // NewKafkaExploiter 创建Kafka利用器
 func NewKafkaExploiter() *KafkaExploiter {
 	exploiter := &KafkaExploiter{
 		BaseExploiter: base.NewBaseExploiter("kafka"),
 	}
 	// Kafka插件不提供利用功能
 	exploiter.setupExploitMethods()
 	return exploiter
 }
 // setupExploitMethods 设置利用方法
 func (e *KafkaExploiter) setupExploitMethods() {
 	// Kafka插件不提供利用功能，仅进行弱密码扫描和未授权访问检测
 }
 // Exploit 利用接口实现 - 空实现
 func (e *KafkaExploiter) Exploit(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) {
 	// Kafka插件不提供利用功能
 	return nil, nil
 }
--- a/Plugins/services/kafka/plugin.go
+++ b/Plugins/services/kafka/plugin.go
@ -0,0 +1,216 @@
 package kafka
 import (
 	"context"
 	"fmt"
 	"strings"
 	"time"
 	"github.com/IBM/sarama"
 	"github.com/shadow1ng/fscan/common"
 	"github.com/shadow1ng/fscan/common/i18n"
 	"github.com/shadow1ng/fscan/plugins/base"
 )
 // KafkaPlugin Kafka插件实现
 type KafkaPlugin struct {
 	*base.ServicePlugin
 	exploiter *KafkaExploiter
 }
 // NewKafkaPlugin 创建Kafka插件
 func NewKafkaPlugin() *KafkaPlugin {
 	// 插件元数据
 	metadata := &base.PluginMetadata{
 		Name:        "kafka",
 		Version:     "2.0.0",
 		Author:      "fscan-team",
 		Description: "Apache Kafka消息队列扫描和利用插件",
 		Category:    "service",
 		Ports:       []int{9092, 9093, 9094}, // Kafka常用端口
 		Protocols:   []string{"tcp"},
 		Tags:        []string{"kafka", "message-queue", "bruteforce", "unauthorized"},
 	}
 	// 创建连接器和服务插件
 	connector := NewKafkaConnector()
 	servicePlugin := base.NewServicePlugin(metadata, connector)
 	// 创建Kafka插件
 	plugin := &KafkaPlugin{
 		ServicePlugin: servicePlugin,
 		exploiter:     NewKafkaExploiter(),
 	}
 	// 设置能力
 	plugin.SetCapabilities([]base.Capability{
 		base.CapWeakPassword,
 		base.CapDataExtraction,
 	})
 	return plugin
 }
 // Scan 重写扫描方法，先检测无认证访问
 func (p *KafkaPlugin) Scan(ctx context.Context, info *common.HostInfo) (*base.ScanResult, error) {
 	// 如果禁用了暴力破解，只进行服务识别
 	if common.DisableBrute {
 		return p.performServiceIdentification(ctx, info)
 	}
 	target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
 	// 先尝试无认证访问
 	unauthCred := &base.Credential{Username: "", Password: ""}
 	unauthResult, err := p.ScanCredential(ctx, info, unauthCred)
 	if err == nil && unauthResult.Success {
 		// 无认证访问成功
 		common.LogSuccess(i18n.GetText("kafka_unauth_access", target))
 		return &base.ScanResult{
 			Success:     true,
 			Service:     "Kafka",
 			Credentials: []*base.Credential{unauthCred},
 			Extra: map[string]interface{}{
 				"service":       "Kafka",
 				"port":          info.Ports,
 				"unauthorized":  true,
 				"access_type":   "no_authentication",
 			},
 		}, nil
 	}
 	// 执行基础的密码扫描
 	result, err := p.ServicePlugin.Scan(ctx, info)
 	if err != nil || !result.Success {
 		return result, err
 	}
 	// 记录成功的弱密码发现
 	cred := result.Credentials[0]
 	common.LogSuccess(i18n.GetText("kafka_weak_pwd_success", target, cred.Username, cred.Password))
 	return result, nil
 }
 // generateCredentials 重写凭据生成方法
 func (p *KafkaPlugin) generateCredentials() []*base.Credential {
 	// 获取Kafka专用的用户名字典
 	usernames := common.Userdict["kafka"]
 	if len(usernames) == 0 {
 		// 默认Kafka用户名
 		usernames = []string{"admin", "kafka", "test", "user", "root"}
 	}
 	return base.GenerateCredentials(usernames, common.Passwords)
 }
 // Exploit 使用exploiter执行利用
 func (p *KafkaPlugin) Exploit(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) {
 	return p.exploiter.Exploit(ctx, info, creds)
 }
 // GetExploitMethods 获取利用方法
 func (p *KafkaPlugin) GetExploitMethods() []base.ExploitMethod {
 	return p.exploiter.GetExploitMethods()
 }
 // IsExploitSupported 检查利用支持
 func (p *KafkaPlugin) IsExploitSupported(method base.ExploitType) bool {
 	return p.exploiter.IsExploitSupported(method)
 }
 // performServiceIdentification 执行Kafka服务识别（-nobr模式）
 func (p *KafkaPlugin) performServiceIdentification(ctx context.Context, info *common.HostInfo) (*base.ScanResult, error) {
 	target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
 	// 尝试连接Kafka获取版本信息
 	kafkaInfo, isKafka := p.identifyKafkaService(ctx, info)
 	if isKafka {
 		// 记录服务识别成功
 		common.LogSuccess(i18n.GetText("kafka_service_identified", target, kafkaInfo))
 		return &base.ScanResult{
 			Success: true,
 			Service: "Kafka",
 			Banner:  kafkaInfo,
 			Extra: map[string]interface{}{
 				"service": "Kafka",
 				"port":    info.Ports,
 				"info":    kafkaInfo,
 			},
 		}, nil
 	}
 	// 如果无法识别为Kafka，返回失败
 	return &base.ScanResult{
 		Success: false,
 		Error:   fmt.Errorf("无法识别为Kafka服务"),
 	}, nil
 }
 // identifyKafkaService 通过连接识别Kafka服务
 func (p *KafkaPlugin) identifyKafkaService(ctx context.Context, info *common.HostInfo) (string, bool) {
 	target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
 	timeout := time.Duration(common.Timeout) * time.Second
 	config := sarama.NewConfig()
 	config.Net.DialTimeout = timeout
 	config.Net.ReadTimeout = timeout
 	config.Net.WriteTimeout = timeout
 	config.Net.TLS.Enable = false
 	config.Version = sarama.V2_0_0_0
 	brokers := []string{target}
 	// 尝试创建客户端连接
 	client, err := sarama.NewClient(brokers, config)
 	if err != nil {
 		// 检查错误是否表明这是Kafka服务但认证失败
 		if strings.Contains(strings.ToLower(err.Error()), "kafka") ||
 			strings.Contains(strings.ToLower(err.Error()), "sasl") ||
 			strings.Contains(strings.ToLower(err.Error()), "authentication") {
 			return fmt.Sprintf("Kafka服务 (需要认证): %v", err), true
 		}
 		return "", false
 	}
 	defer client.Close()
 	// 获取集群信息
 	brokerList := client.Brokers()
 	if len(brokerList) > 0 {
 		return fmt.Sprintf("Kafka集群 (Brokers: %d)", len(brokerList)), true
 	}
 	return "Kafka服务", true
 }
 // =============================================================================
 // 插件注册
 // =============================================================================
 // RegisterKafkaPlugin 注册Kafka插件
 func RegisterKafkaPlugin() {
 	factory := base.NewSimplePluginFactory(
 		&base.PluginMetadata{
 			Name:        "kafka",
 			Version:     "2.0.0",
 			Author:      "fscan-team",
 			Description: "Apache Kafka消息队列扫描和利用插件",
 			Category:    "service",
 			Ports:       []int{9092, 9093, 9094}, // Kafka常用端口
 			Protocols:   []string{"tcp"},
 			Tags:        []string{"kafka", "message-queue", "bruteforce", "unauthorized"},
 		},
 		func() base.Plugin {
 			return NewKafkaPlugin()
 		},
 	)
 	base.GlobalPluginRegistry.Register("kafka", factory)
 }
 // 自动注册
 func init() {
 	RegisterKafkaPlugin()
 }