From db028ba0cc42c210dccdf0f985908da461742b02 Mon Sep 17 00:00:00 2001
From: shadow1ng
Date: Tue, 17 Nov 2020 14:27:15 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0-ping=20=E5=8F=82=E6=95=B0,?=
 =?UTF-8?q?=E4=BD=9C=E7=94=A8=E6=98=AF=E5=AD=98=E6=B4=BB=E6=8E=A2=E6=B5=8B?=
 =?UTF-8?q?=E6=A8=A1=E5=9D=97=E7=94=A8ping=E4=BB=A3=E6=9B=BFicmp=E5=8F=91?=
 =?UTF-8?q?=E5=8C=85=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Plugins/icmp.go | 96 ++++++++++++++++++++---------------
 Plugins/scanner.go | 6 +--
 Plugins/webtitle.go | 8 ++-
 README.md | 7 ++-
 common/config.go | 121 ++++++++++++++++++++++----------------------
 common/flag.go | 48 +++++++++---------
 6 files changed, 149 insertions(+), 137 deletions(-)
diff --git a/Plugins/icmp.go b/Plugins/icmp.go
index fcdeeef..d8842cd 100644
--- a/Plugins/icmp.go
+++ b/Plugins/icmp.go
@@ -18,6 +18,8 @@ var icmp ICMP
 var AliveHosts []string
+var SysInfo = GetSys()
+
 type ICMP struct {
 Type uint8
 Code uint8
@@ -27,13 +29,13 @@ type ICMP struct {
 }
 type SystemInfo struct {
- OS string
- ARCH string
- HostName string
- Groupid string
- Userid string
- Username string
- UserHomeDir string
+ OS string
+ ARCH string
+ HostName string
+ Groupid string
+ Userid string
+ Username string
+ UserHomeDir string
 }
 func GetSys() SystemInfo {
@@ -89,7 +91,7 @@ func isping(ip string) bool {
 conn.SetReadDeadline(time.Time{})
 if string(recvBuf[0:num]) != "" {
- fmt.Printf("(ICMP) Target '%s' is alive\n",ip)
+ fmt.Printf("(ICMP) Target '%s' is alive\n", ip)
 return true
 }
 return false
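Review bot: `var SysInfo = GetSys()` is a new exported, mutable package variable that is populated when the package is imported, and nothing on the hunk says that the probe-selection code elsewhere in this commit branches on its `OS`, `Groupid`, `Userid` and `Username` fields. A doc comment would make that dependency visible: `// SysInfo is captured once at package init; ICMPRun and ExecCommandPing use it to choose between raw ICMP and the ping command.` Because it now runs before main, whatever GetSys does (its body is outside this hunk) happens at import time rather than when a scan starts, which is worth confirming is acceptable.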
@@ -115,60 +117,63 @@ func CheckSum(data []byte) uint16 {
 return uint16(^sum)
 }
-func IcmpCheck(hostslist []string,IcmpThreads int) {
+func IcmpCheck(hostslist []string, IcmpThreads int) {
 var wg sync.WaitGroup
 mutex := &sync.Mutex{}
 limiter := make(chan int, IcmpThreads)
- for _,host :=range hostslist{
+ for _, host := range hostslist {
 wg.Add(1)
 limiter <- 1
 go func(host string) {
 defer wg.Done()
- if isping(host){
+ if isping(host) {
 mutex.Lock()
 AliveHosts = append(AliveHosts, host)
 mutex.Unlock()
 }
- <- limiter
+ <-limiter
 }(host)
 }
 wg.Wait()
 }
-
-func ExecCommandPing(ip string,bsenv string) bool {
- command := exec.Command(bsenv, "-c", "ping -c 1 -w 1 "+ip+" >/dev/null && echo true || echo false") //ping -c 1 -i 0.5 -t 4 -W 2 -w 5 "+ip+" >/dev/null && echo true || echo false"
+func ExecCommandPing(ip string, bsenv string) bool {
+ var command *exec.Cmd
+ if SysInfo.OS == "windows" {
+ command = exec.Command("cmd", "/c", "ping -n 1 -w 1 "+ip+" && echo true || echo false") //ping -c 1 -i 0.5 -t 4 -W 2 -w 5 "+ip+" >/dev/null && echo true || echo false"
+ } else {
+ command = exec.Command(bsenv, "-c", "ping -c 1 -w 1 "+ip+" >/dev/null && echo true || echo false") //ping -c 1 -i 0.5 -t 4 -W 2 -w 5 "+ip+" >/dev/null && echo true || echo false"
+ }
 outinfo := bytes.Buffer{}
 command.Stdout = &outinfo
 err := command.Start()
- if err != nil{
+ if err != nil {
 return false
 }
-
- if err = command.Wait();err!=nil{
+ if err = command.Wait(); err != nil {
 return false
- }else{
- if(strings.Contains(outinfo.String(), "true")) {
+ } else {
+ if strings.Contains(outinfo.String(), "true") {
 return true
- }else {
+ } else {
 return false
 }
 }
 }
-func PingCMDcheck(hostslist []string,bsenv string) {
+func PingCMDcheck(hostslist []string, bsenv string) {
 var wg sync.WaitGroup
 mutex := &sync.Mutex{}
 limiter := make(chan struct{}, 40)
- for _,host :=range hostslist{
+ for _, host := range hostslist {
 wg.Add(1)
 limiter <- struct{}{}
 go func(host string) {
 defer wg.Done()
- if ExecCommandPing(host,bsenv){
+ if ExecCommandPing(host, bsenv) {
 mutex.Lock()
- fmt.Printf("(Ping) Target '%s' is alive\n",host)
+ fmt.Printf("(Ping) Target '%s' is alive\n", host)
 AliveHosts = append(AliveHosts, host)
 mutex.Unlock()
 }
@@ -177,24 +182,33 @@ func PingCMDcheck(hostslist []string,bsenv string) {
 }
 wg.Wait()
 }
+func ICMPRun(hostslist []string, IcmpThreads int, Ping bool) []string {
-func ICMPRun(hostslist []string,IcmpThreads int) []string{
- var sysinfo SystemInfo
- sysinfo = GetSys()
-
- if sysinfo.OS == "windows" {
- IcmpCheck(hostslist,IcmpThreads)
- }else if sysinfo.OS == "linux" {
- if (sysinfo.Groupid == "0" || sysinfo.Userid == "0" || sysinfo.Username == "root") {
- IcmpCheck(hostslist,IcmpThreads)
- }else {
- PingCMDcheck(hostslist,"/bin/bash")
+ if SysInfo.OS == "windows" {
+ if Ping == false {
+ IcmpCheck(hostslist, IcmpThreads)
+ } else {
+ PingCMDcheck(hostslist, "")
 }
- }else if sysinfo.OS == "darwin" {
- if (sysinfo.Groupid == "0" || sysinfo.Userid == "0" || sysinfo.Username == "root") {
- IcmpCheck(hostslist,IcmpThreads)
- }else {
- PingCMDcheck(hostslist,"/usr/local/bin/bash")
+ } else if SysInfo.OS == "linux" {
+ if SysInfo.Groupid == "0" || SysInfo.Userid == "0" || SysInfo.Username == "root" {
+ if Ping == false {
+ IcmpCheck(hostslist, IcmpThreads)
+ } else {
+ PingCMDcheck(hostslist, "/bin/bash")
+ }
+ } else {
+ PingCMDcheck(hostslist, "/bin/bash")
+ }
+ } else if SysInfo.OS == "darwin" {
+ if SysInfo.Groupid == "0" || SysInfo.Userid == "0" || SysInfo.Username == "root" {
+ if Ping == false {
+ IcmpCheck(hostslist, IcmpThreads)
+ } else {
+ PingCMDcheck(hostslist, "/usr/local/bin/bash")
+ }
+ } else {
+ PingCMDcheck(hostslist, "/usr/local/bin/bash")
 }
 }
 return AliveHosts
diff --git a/Plugins/scanner.go b/Plugins/scanner.go
index 4340795..49e3b28 100644
--- a/Plugins/scanner.go
+++ b/Plugins/scanner.go
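Review bot: Both branches of the new ExecCommandPing splice `ip` into a command string that is then handed to a shell (`cmd /c` on the new Windows line, `bsenv -c` on the existing one), and the hosts reaching it come from the `-h`/`-hf` input that scanner.go parses with `common.ParseIP`, so an entry containing shell metacharacters is executed as part of the command rather than pinged. Passing `ip` as its own argv element and reading the exit status removes the shell, the `echo true || echo false` marker and the stdout scan in one go; `bsenv` then only stays for the existing callers. The Windows `-w` flag is a timeout in milliseconds, so the new `-w 1` gives each probe about one millisecond, which presumably reports most hosts as dead; the rewrite below uses `-w 1000` to keep the intended one-second budget. Windows ping exit codes are less consistent than the Unix ones, so that part is worth confirming on a real host.
```go
func ExecCommandPing(ip string, bsenv string) bool {
	// ip is its own argv element, so no shell parses it; bsenv is kept
	// only for existing callers and is no longer used.
	var command *exec.Cmd
	if SysInfo.OS == "windows" {
		command = exec.Command("ping", "-n", "1", "-w", "1000", ip) // -w is in milliseconds here
	} else {
		command = exec.Command("ping", "-c", "1", "-w", "1", ip)
	}
	// ping exits non-zero when no reply arrived, which replaces the
	// "echo true" marker and the strings.Contains check.
	return command.Run() == nil
}
```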
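Review bot: The rewritten ICMPRun repeats the `if Ping == false { IcmpCheck } else { PingCMDcheck }` decision in three OS branches, and on linux and darwin the root-with-Ping path and the non-root path call PingCMDcheck with the same argument, so the whole thing reduces to one boolean plus a switch on the OS; `Ping == false` should also read `!Ping`. Note that an OS other than the three listed probes nothing and, via `Hosts = ICMPRun(...)` in scanner.go, silently replaces the host list with an empty one; the version below keeps that behaviour but makes it visible in one place.
```go
func ICMPRun(hostslist []string, IcmpThreads int, Ping bool) []string {
	isRoot := SysInfo.Groupid == "0" || SysInfo.Userid == "0" || SysInfo.Username == "root"
	// Raw ICMP is used unless -ping was given; on linux/darwin it also needs root.
	useICMP := !Ping && (SysInfo.OS == "windows" || isRoot)
	switch {
	case useICMP:
		IcmpCheck(hostslist, IcmpThreads)
	case SysInfo.OS == "windows":
		PingCMDcheck(hostslist, "") // bsenv is not used on windows
	case SysInfo.OS == "linux":
		PingCMDcheck(hostslist, "/bin/bash")
	case SysInfo.OS == "darwin":
		PingCMDcheck(hostslist, "/usr/local/bin/bash")
		// any other OS: no probe runs and AliveHosts stays empty, as before
	}
	return AliveHosts
}
```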
@@ -15,9 +15,7 @@ func scan_func(m map[string]interface{}, name string, infos ...interface{}) (res
 f := reflect.ValueOf(m[name])
 if len(infos) != f.Type().NumIn() {
 err = errors.New("The number of infos is not adapted.")
- if err != nil {
- fmt.Println(err.Error())
- }
+ fmt.Println(err.Error())
 }
 in := make([]reflect.Value, len(infos))
 for k, info := range infos {
@@ -39,7 +37,7 @@ func Scan(info common.HostInfo) {
 fmt.Println("scan start")
 Hosts, _ := common.ParseIP(info.Host, info.HostFile)
 if info.Isping == false {
- Hosts = ICMPRun(Hosts, info.IcmpThreads)
+ Hosts = ICMPRun(Hosts, info.IcmpThreads, info.Ping)
 fmt.Println("icmp alive hosts len is:", len(Hosts))
 }
 _, AlivePorts := TCPportScan(Hosts, info.Ports, "icmp", 3) //return AliveHosts,AlivePorts
diff --git a/Plugins/webtitle.go b/Plugins/webtitle.go
index 1d24380..f674bf8 100644
--- a/Plugins/webtitle.go
+++ b/Plugins/webtitle.go
@@ -4,25 +4,24 @@ import (
 "crypto/tls"
 "fmt"
 "github.com/shadow1ng/fscan/WebScan"
+ "github.com/shadow1ng/fscan/common"
 "io/ioutil"
 "net/http"
 "regexp"
 "sync"
 "time"
-
- "github.com/shadow1ng/fscan/common"
 )
 func WebTitle(info *common.HostInfo, ch chan int, wg *sync.WaitGroup) (err error, result string) {
 info.Url = fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
 err, result = geturl(info)
- if err == nil{
+ if err == nil {
 WebScan.WebScan(info)
 }
 info.Url = fmt.Sprintf("https://%s:%s", info.Host, info.Ports)
 err, result = geturl(info)
- if err == nil{
+ if err == nil {
 WebScan.WebScan(info)
 }
@@ -33,7 +32,6 @@ func WebTitle(info *common.HostInfo, ch chan int, wg *sync.WaitGroup) (err error
 func geturl(info *common.HostInfo) (err error, result string) {
 url := info.Url
- info.Timeout = 20
 tr := &http.Transport{
 TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 }
diff --git a/README.md b/README.md
index 39e8692..10410d2 100644
--- a/README.md
+++ b/README.md
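Review bot: After the simplified `fmt.Println(err.Error())` in scan_func the function keeps running: `in` is sized from `infos` on the next line even though the count was just found not to match the target's parameter count, so the error is printed and then presumably followed by the very call it was meant to prevent (reflect.Value.Call panics on a wrong argument count). The previous code had the same shape, but since `err` appears to be a named result, `fmt.Println(err.Error()); return` hands the problem back to the caller instead. scan_func's body continues outside the hunk.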
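Review bot: The import reshuffle in webtitle.go moves `github.com/shadow1ng/fscan/common` into the standard-library group; goimports keeps stdlib and module imports in separate blank-line-separated groups, which is exactly what the removed lines had, so this will be undone on the next goimports run and is better left as it was. Separately, dropping `info.Timeout = 20` in geturl means the request now runs with whatever `-time` gives (3 by default per flag.go); since this commit also introduces `WebTimeout`/`-wt`, the client setup further down in geturl presumably should read `info.WebTimeout` rather than `info.Timeout`, which cannot be confirmed from this hunk. A one-line comment on the removal, `// web requests use info.WebTimeout (-wt), not the service timeout`, would record the intent.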
@@ -14,6 +14,7 @@ 因为用习惯了f-scrack,习惯一条命令跑完所有模块,省去一个个模块单独调用的时间,当然我附加了-m 指定模块的功能。
 ## 最近更新
+[+] 2020/11/17 增加-ping 参数,作用是存活探测模块用ping代替icmp发包。
 [+] 2020/11/17 增加WebScan模块,新增shiro简单识别。https访问时,跳过证书认证。将服务模块和web模块的超时分开,增加-wt 参数(WebTimeout)。
 [+] 2020/11/16 对icmp模块进行优化,增加-it 参数(IcmpThreads),默认11000,适合扫B段
 [+] 2020/11/15 支持ip以文件导入,-hs ip.txt,并对去重做了处理
@@ -46,7 +47,7 @@ fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
 -hf string
 host file, -hs ip.txt
 -it int
- Icmp Threads nums (default 3000)
+ Icmp Threads nums (default 11000)
 -m string
 Select scan type ,as: -m ssh (default "all")
 -no
@@ -57,6 +58,8 @@ fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
 Outputfile (default "result.txt")
 -p string
 Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,23,80,135,443,445,1433,1521,3306,5432,6379,7001,8080,8089,9000,9200,11211,27017")
+ -ping
+ using ping replace icmp
 -pwd string
 password
 -pwdf string
@@ -73,6 +76,8 @@ fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
 username
 -userf string
 username file
+ -wt int
+ Set web timeout (default 3)
 ```
diff --git a/common/config.go b/common/config.go
index d2c3044..9c822b1 100644
--- a/common/config.go
+++ b/common/config.go
@@ -1,52 +1,53 @@
 package common
+
 //fscan version 1.3
 var Userdict = map[string][]string{
- "ftp": {"www","admin","root","db","wwwroot","data","web","ftp"},
- "mysql": {"root"},
- "mssql": {"root","sa"},
- "smb": {"administrator","guest"},
- "postgresql": {"postgres","admin"},
- "ssh": {"root","admin"},
- "mongodb": {"root","admin"},
+ "ftp": {"www", "admin", "root", "db", "wwwroot", "data", "web", "ftp"},
+ "mysql": {"root"},
+ "mssql": {"root", "sa"},
+ "smb": {"administrator", "guest"},
+ "postgresql": {"postgres", "admin"},
+ "ssh": {"root", "admin"},
+ "mongodb": {"root", "admin"},
 //"telnet": []string{"administrator","admin","root","cisco","huawei","zte"},
 }
-var Passwords = []string{"admin123A","admin123","123456","admin","root","password","123123","654321","123","1","admin@123","Admin@123","{user}","{user}123","","P@ssw0rd!","qwa123","12345678","test","123qwe!@#","123456789","123321","666666","fuckyou","000000","1234567890","8888888","qwerty","1qaz2wsx","abc123","abc123456","1qaz@WSX","Aa123456","sysadmin","system","huawei"}
+var Passwords = []string{"admin123A", "admin123", "123456", "admin", "root", "password", "123123", "654321", "123", "1", "admin@123", "Admin@123", "{user}", "{user}123", "", "P@ssw0rd!", "qwa123", "12345678", "test", "123qwe!@#", "123456789", "123321", "666666", "fuckyou", "000000", "1234567890", "8888888", "qwerty", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "Aa123456", "sysadmin", "system", "huawei"}
 var PORTList = map[string]int{
- "ftp": 21,
- "ssh": 22,
- "mem": 11211,
- "mgo": 27017,
- "mssql": 1433,
- "psql": 5432,
- "redis": 6379,
- "mysql": 3306,
- "smb": 445,
- "ms17010": 1000001,
- "cve20200796":1000002,
- "webtitle": 1000003,
- "elastic": 9200,
- "findnet": 135,
- "all":0,
+ "ftp": 21,
+ "ssh": 22,
+ "mem": 11211,
+ "mgo": 27017,
+ "mssql": 1433,
+ "psql": 5432,
+ "redis": 6379,
+ "mysql": 3306,
+ "smb": 445,
+ "ms17010": 1000001,
+ "cve20200796": 1000002,
+ "webtitle": 1000003,
+ "elastic": 9200,
+ "findnet": 135,
+ "all": 0,
 }
 var PORTList_bak = map[string]int{
- "ftp": 21,
- "ssh": 22,
- "mem": 11211,
- "mgo": 27017,
- "mssql": 1433,
- "psql": 5432,
- "redis": 6379,
- "mysql": 3306,
- "smb": 445,
- "ms17010": 1000001,
- "cve20200796":1000002,
- "webtitle": 1000003,
- "elastic": 9200,
- "findnet": 135,
- "all":0,
+ "ftp": 21,
+ "ssh": 22,
+ "mem": 11211,
+ "mgo": 27017,
+ "mssql": 1433,
+ "psql": 5432,
+ "redis": 6379,
+ "mysql": 3306,
+ "smb": 445,
+ "ms17010": 1000001,
+ "cve20200796": 1000002,
+ "webtitle": 1000003,
+ "elastic": 9200,
+ "findnet": 135,
+ "all": 0,
 }
 var Outputfile = "result.txt"
@@ -54,29 +55,27 @@ var IsSave = true
 var DefaultPorts = "21,22,23,80,135,443,445,1433,1521,3306,5432,6379,7001,8080,8089,9000,9200,11211,27017"
-
 type HostInfo struct {
- Host string
- HostFile string
- Ports string
- Url string
- Timeout int64
- WebTimeout int64
- Scantype string
- Isping bool
- Threads int
+ Host string
+ HostFile string
+ Ports string
+ Url string
+ Timeout int64
+ WebTimeout int64
+ Scantype string
+ Ping bool
+ Isping bool
+ Threads int
 IcmpThreads int
- Command string
- Username string
- Password string
- Userfile string
- Passfile string
- Usernames []string
- Passwords []string
- Outputfile string
- IsSave bool
- RedisFile string
- RedisShell string
+ Command string
+ Username string
+ Password string
+ Userfile string
+ Passfile string
+ Usernames []string
+ Passwords []string
+ Outputfile string
+ IsSave bool
+ RedisFile string
+ RedisShell string
 }
-
-
diff --git a/common/flag.go b/common/flag.go
index fde18bc..8c58c5f 100644
--- a/common/flag.go
+++ b/common/flag.go
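Review bot: The new `Ping bool` field sits directly above `Isping bool` with nothing to tell the two apart, and their meanings pull in opposite directions: per flag.go in this commit `Isping` is set by `-np` ("not to ping"), and scanner.go only calls ICMPRun when `info.Isping == false`, so `Isping` true means the alive probe is skipped, whereas `Ping` true means the probe runs through the ping command instead of raw ICMP. Field comments would remove that trap: `Ping bool // -ping: probe with the system ping command instead of raw ICMP` and `Isping bool // -np: skip the host-alive probe entirely (true means do NOT ping)`. The same applies to the `-np` and `-ping` lines in the flag.go hunk.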
@@ -4,40 +4,38 @@ import (
 "flag"
 )
-func Banner(){
+func Banner() {
 banner := `
 ___ _
 / _ \ ___ ___ _ __ __ _ ___| | __
- / /_\/____/ __|/ __| '__/ _`+"`"+` |/ __| |/ /
+ / /_\/____/ __|/ __| '__/ _` + "`" + ` |/ __| |/ /
 / /_\\_____\__ \ (__| | | (_| | (__| <
 \____/ |___/\___|_| \__,_|\___|_|\_\
 `
 print(banner)
 }
-
-
-
-func Flag(Info *HostInfo) {
+func Flag(Info *HostInfo) {
 Banner()
- flag.StringVar(&Info.Host,"h","","IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12")
- flag.StringVar(&Info.HostFile,"hf","","host file, -hs ip.txt")
- flag.StringVar(&Info.Ports,"p",DefaultPorts,"Select a port,for example: 22 | 1-65535 | 22,80,3306")
- flag.StringVar(&Info.Command,"c","","exec command (ssh)")
- flag.IntVar(&Info.Threads,"t",200,"Thread nums")
- flag.IntVar(&Info.IcmpThreads,"it",11000,"Icmp Threads nums")
- flag.BoolVar(&Info.Isping,"np",false,"not to ping")
- flag.BoolVar(&Info.IsSave,"no",false,"not to save output log")
- flag.StringVar(&Info.Username,"user","","username")
- flag.StringVar(&Info.Userfile,"userf","","username file")
- flag.StringVar(&Info.Password,"pwd","","password")
- flag.StringVar(&Info.Passfile,"pwdf","","password file")
- flag.StringVar(&Info.Outputfile,"o","result.txt","Outputfile")
- flag.Int64Var(&Info.Timeout,"time",3,"Set timeout")
- flag.Int64Var(&Info.WebTimeout,"wt",3,"Set web timeout")
- flag.StringVar(&Info.Scantype,"m","all","Select scan type ,as: -m ssh")
- flag.StringVar(&Info.RedisFile,"rf","","redis file to write sshkey file (as: -rf id_rsa.pub) ")
- flag.StringVar(&Info.RedisShell,"rs","","redis shell to write cron file (as: -rs 192.168.1.1:6666) ")
+ flag.StringVar(&Info.Host, "h", "", "IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12")
+ flag.StringVar(&Info.HostFile, "hf", "", "host file, -hs ip.txt")
+ flag.StringVar(&Info.Ports, "p", DefaultPorts, "Select a port,for example: 22 | 1-65535 | 22,80,3306")
+ flag.StringVar(&Info.Command, "c", "", "exec command (ssh)")
+ flag.IntVar(&Info.Threads, "t", 200, "Thread nums")
+ flag.IntVar(&Info.IcmpThreads, "it", 11000, "Icmp Threads nums")
+ flag.BoolVar(&Info.Isping, "np", false, "not to ping")
+ flag.BoolVar(&Info.Ping, "ping", false, "using ping replace icmp")
+ flag.BoolVar(&Info.IsSave, "no", false, "not to save output log")
+ flag.StringVar(&Info.Username, "user", "", "username")
+ flag.StringVar(&Info.Userfile, "userf", "", "username file")
+ flag.StringVar(&Info.Password, "pwd", "", "password")
+ flag.StringVar(&Info.Passfile, "pwdf", "", "password file")
+ flag.StringVar(&Info.Outputfile, "o", "result.txt", "Outputfile")
+ flag.Int64Var(&Info.Timeout, "time", 3, "Set timeout")
+ flag.Int64Var(&Info.WebTimeout, "wt", 3, "Set web timeout")
+ flag.StringVar(&Info.Scantype, "m", "all", "Select scan type ,as: -m ssh")
+ flag.StringVar(&Info.RedisFile, "rf", "", "redis file to write sshkey file (as: -rf id_rsa.pub) ")
+ flag.StringVar(&Info.RedisShell, "rs", "", "redis shell to write cron file (as: -rs 192.168.1.1:6666) ")
 flag.Parse()
-}
\ No newline at end of file
+}
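Review bot: The help string on the new `-ping` line, `using ping replace icmp`, is hard to read and says nothing about how the flag relates to `-np` on the line above, which disables the alive probe altogether (scanner.go only calls ICMPRun when `Isping` is false, so `-ping` has no effect together with `-np`). Suggest `flag.BoolVar(&Info.Ping, "ping", false, "use the system ping command instead of raw ICMP for host discovery (no effect with -np)")`. The README hunk in this commit copies the same wording into the usage listing and would want the same change.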