From 27324dc4a53e38bb05adef73096fb55652849913 Mon Sep 17 00:00:00 2001 From: shadow1ng Date: Wed, 21 Apr 2021 00:13:04 +0800 Subject: [PATCH] =?UTF-8?q?=E5=8A=A0=E5=85=A5netbios=E6=8E=A2=E6=B5=8B?= =?UTF-8?q?=E3=80=81=E5=9F=9F=E6=8E=A7=E8=AF=86=E5=88=AB?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Plugins/CVE-2020-0796.go | 2 +- Plugins/base.go | 25 +++++++++++++------------ Plugins/elasticsearch.go | 2 +- Plugins/findnet.go | 2 +- Plugins/ftp.go | 6 +++--- Plugins/memcached.go | 4 ++-- Plugins/mongodb.go | 4 ++-- Plugins/mssql.go | 4 ++-- Plugins/mysql.go | 4 ++-- Plugins/portscan.go | 2 +- Plugins/postgres.go | 4 ++-- Plugins/redis.go | 6 +++--- Plugins/scanner.go | 4 +++- Plugins/ssh.go | 4 ++-- README.md | 3 ++- WebScan/lib/eval.go | 21 ++++++++++++++++++++- WebScan/lib/http.go | 6 +++--- common/Parse.go | 8 ++++++-- common/config.go | 24 ++---------------------- common/flag.go | 1 - common/log.go | 10 +++++++++- 21 files changed, 80 insertions(+), 66 deletions(-) diff --git a/Plugins/CVE-2020-0796.go b/Plugins/CVE-2020-0796.go index 225f324..b629a3f 100644 --- a/Plugins/CVE-2020-0796.go +++ b/Plugins/CVE-2020-0796.go @@ -102,7 +102,7 @@ func SmbGhost(info *common.HostInfo) error { func SmbGhostScan(info *common.HostInfo) error { ip, port, timeout := info.Host, 445, time.Duration(info.Timeout)*time.Second - addr := fmt.Sprintf("%s:%d", info.Host, port) + addr := fmt.Sprintf("%s:%v", info.Host, port) conn, err := net.DialTimeout("tcp", addr, timeout) if err != nil { return err diff --git a/Plugins/base.go b/Plugins/base.go index 4d5bf47..eff4b62 100644 --- a/Plugins/base.go +++ b/Plugins/base.go 
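Review bot: The address built on the changed line, `fmt.Sprintf("%s:%v", info.Host, port)`, yields an unparseable dial string for an IPv6 host (`::1:445`), and swapping `%d` for `%v` does not change that since `port` is the int literal 445. `net.JoinHostPort(info.Host, fmt.Sprint(port))` brackets the host where needed and uses only packages the file already imports. The same host:port formatting is introduced in the findnet.go, memcached.go, mongodb.go, redis.go and portscan.go hunks. SmbGhostScan continues past the end of the hunk.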
@@ -1,18 +1,19 @@ package Plugins var PluginList = map[string]interface{}{ - "21": FtpScan, - "22": SshScan, - "135": Findnet, - "445": SmbScan, - "1433":MssqlScan, - "3306": MysqlScan, - "5432": PostgresScan, - "6379": RedisScan, - "9200":elasticsearchScan, - "11211":MemcachedScan, - "27017":MongodbScan, + "21": FtpScan, + "22": SshScan, + "135": Findnet, + "139": NetBIOS, + "445": SmbScan, + "1433": MssqlScan, + "3306": MysqlScan, + "5432": PostgresScan, + "6379": RedisScan, + "9200": elasticsearchScan, + "11211": MemcachedScan, + "27017": MongodbScan, "1000001": MS17010, "1000002": SmbGhost, - "1000003":WebTitle, + "1000003": WebTitle, } diff --git a/Plugins/elasticsearch.go b/Plugins/elasticsearch.go index d46eddd..d688cf9 100644 --- a/Plugins/elasticsearch.go +++ b/Plugins/elasticsearch.go @@ -16,7 +16,7 @@ func elasticsearchScan(info *common.HostInfo) error { func geturl2(info *common.HostInfo) (flag bool, err error) { flag = false - url := fmt.Sprintf("%s:%d/_cat", info.Url, common.PORTList["elastic"]) + url := fmt.Sprintf("%s:%v/_cat", info.Url, info.Ports) res, err := http.NewRequest("GET", url, nil) if err == nil { res.Header.Add("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36") diff --git a/Plugins/findnet.go b/Plugins/findnet.go index 44114ec..ce158da 100644 --- a/Plugins/findnet.go +++ b/Plugins/findnet.go @@ -22,7 +22,7 @@ func Findnet(info *common.HostInfo) error { } func FindnetScan(info *common.HostInfo) error { - realhost := fmt.Sprintf("%s:%d", info.Host, 135) + realhost := fmt.Sprintf("%s:%v", info.Host, 135) conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second) if err != nil { return err diff --git a/Plugins/ftp.go b/Plugins/ftp.go index 56def89..9118275 100644 --- a/Plugins/ftp.go +++ b/Plugins/ftp.go 
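Review bot: The new `"139": NetBIOS` entry references a `NetBIOS` function that no file in this patch's diffstat defines, so unless it already exists in the Plugins package the package will not compile; if it lands in a separate commit, that dependency is worth stating in the commit message. Everything else in the hunk is whitespace realignment. A short comment on the map, `// keys are port numbers as strings; entries above 65535 (1000001+) look like pseudo-ports selecting plugins not tied to a port`, would explain the 1000001–1000003 entries to a new reader.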
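Review bot: `info.Ports` replaces `common.PORTList["elastic"]` on the changed line, and Ports is the `-p` flag's string (see the common/flag.go hunk), so the URL is now built from whatever port text the caller left in Ports instead of the fixed 9200. Nothing in this hunk guarantees that Ports holds a single port; if a list such as `22,80,3306` reaches geturl2, the URL `<info.Url>:22,80,3306/_cat` is malformed and the probe fails as a generic request error. A one-line precondition comment, `// info.Ports must hold the single port selected for this host by the scanner`, would record the contract; the same assumption is made in the ftp.go, memcached.go, mongodb.go, mssql.go, mysql.go, postgres.go, redis.go and ssh.go hunks. geturl2 continues past the end of the hunk.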
@@ -14,7 +14,7 @@ func FtpScan(info *common.HostInfo) (tmperr error) { if flag == true && err == nil { return err } else { - errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v", info.Host, common.PORTList["ftp"], "anonymous", err) + errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v", info.Host, info.Ports, "anonymous", err) common.LogError(errlog) tmperr = err if common.CheckErrs(err) { @@ -29,7 +29,7 @@ func FtpScan(info *common.HostInfo) (tmperr error) { if flag == true && err == nil { return err } else { - errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v %v", info.Host, common.PORTList["ftp"], user, pass, err) + errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v %v", info.Host, info.Ports, user, pass, err) common.LogError(errlog) tmperr = err if common.CheckErrs(err) { @@ -46,7 +46,7 @@ func FtpScan(info *common.HostInfo) (tmperr error) { func FtpConn(info *common.HostInfo, user string, pass string) (flag bool, err error) { flag = false - Host, Port, Username, Password := info.Host, common.PORTList["ftp"], user, pass + Host, Port, Username, Password := info.Host, info.Ports, user, pass conn, err := ftp.DialTimeout(fmt.Sprintf("%v:%v", Host, Port), time.Duration(info.Timeout)*time.Second) if err == nil { err = conn.Login(Username, Password) diff --git a/Plugins/memcached.go b/Plugins/memcached.go index cd3b491..af776ee 100644 --- a/Plugins/memcached.go +++ b/Plugins/memcached.go @@ -9,7 +9,7 @@ import ( ) func MemcachedScan(info *common.HostInfo) (err error) { - realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["mem"]) + realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) client, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second) if err == nil { err = client.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second)) 
@@ -25,7 +25,7 @@ func MemcachedScan(info *common.HostInfo) (err error) { } client.Close() } else { - errlog := fmt.Sprintf("[-] Memcached %v:%v %v", info.Host, common.PORTList["mem"], err) + errlog := fmt.Sprintf("[-] Memcached %v:%v %v", info.Host, info.Ports, err) common.LogError(errlog) } } diff --git a/Plugins/mongodb.go b/Plugins/mongodb.go index 5b4a9aa..8ca84e2 100644 --- a/Plugins/mongodb.go +++ b/Plugins/mongodb.go @@ -12,7 +12,7 @@ import ( func MongodbScan(info *common.HostInfo) error { _, err := MongodbUnauth(info) if err != nil { - errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, common.PORTList["mgo"], err) + errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, info.Ports, err) common.LogError(errlog) } return err @@ -22,7 +22,7 @@ func MongodbUnauth(info *common.HostInfo) (flag bool, err error) { flag = false senddata := []byte{58, 0, 0, 0, 167, 65, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 255, 255, 255, 255, 19, 0, 0, 0, 16, 105, 115, 109, 97, 115, 116, 101, 114, 0, 1, 0, 0, 0, 0} getlogdata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0} - realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["mgo"]) + realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second) if err != nil { return flag, err diff --git a/Plugins/mssql.go b/Plugins/mssql.go index 5cd51a6..0220d87 100644 --- a/Plugins/mssql.go +++ b/Plugins/mssql.go 
@@ -18,7 +18,7 @@ func MssqlScan(info *common.HostInfo) (tmperr error) { if flag == true && err == nil { return err } else { - errlog := fmt.Sprintf("[-] mssql %v:%v %v %v %v", info.Host, common.PORTList["mssql"], user, pass, err) + errlog := fmt.Sprintf("[-] mssql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err) common.LogError(errlog) tmperr = err if common.CheckErrs(err) { @@ -35,7 +35,7 @@ func MssqlScan(info *common.HostInfo) (tmperr error) { func MssqlConn(info *common.HostInfo, user string, pass string) (flag bool, err error) { flag = false - Host, Port, Username, Password := info.Host, common.PORTList["mssql"], user, pass + Host, Port, Username, Password := info.Host, info.Ports, user, pass dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%d;encrypt=disable;timeout=%d", Host, Username, Password, Port, time.Duration(info.Timeout)*time.Second) db, err := sql.Open("mssql", dataSourceName) if err == nil { diff --git a/Plugins/mysql.go b/Plugins/mysql.go index 6067044..23cb815 100644 --- a/Plugins/mysql.go +++ b/Plugins/mysql.go @@ -18,7 +18,7 @@ func MysqlScan(info *common.HostInfo) (tmperr error) { if flag == true && err == nil { return err } else { - errlog := fmt.Sprintf("[-] mysql %v:%v %v %v %v", info.Host, common.PORTList["mysql"], user, pass, err) + errlog := fmt.Sprintf("[-] mysql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err) common.LogError(errlog) tmperr = err if common.CheckErrs(err) { @@ -35,7 +35,7 @@ func MysqlScan(info *common.HostInfo) (tmperr error) { func MysqlConn(info *common.HostInfo, user string, pass string) (flag bool, err error) { flag = false - Host, Port, Username, Password := info.Host, common.PORTList["mysql"], user, pass + Host, Port, Username, Password := info.Host, info.Ports, user, pass dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/%v?charset=utf8", Username, Password, Host, Port, "mysql") db, err := sql.Open("mysql", dataSourceName) if err == nil { 
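Review bot: With `Port` now taken from `info.Ports` (a string), the unchanged `dataSourceName` line in the second hunk still formats it with `port=%d`, which renders as `port=%!d(string=1433)` and is flagged by go vet as a printf mismatch, so the driver receives no usable port value. Change the verb to match the new type: `port=%v`. The equivalent lines in the mysql.go and postgres.go hunks already use `%v` and are unaffected. MssqlConn continues past the end of the hunk.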
diff --git a/Plugins/portscan.go b/Plugins/portscan.go index 84de07d..34330b4 100644 --- a/Plugins/portscan.go +++ b/Plugins/portscan.go @@ -55,7 +55,7 @@ func PortScan(hostslist []string, ports string, timeout int64) []string { func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64) { host, port := addr.ip, addr.port - con, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%d", host, port), time.Duration(adjustedTimeout)*time.Second) + con, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second) if err == nil { con.Close() address := host + ":" + strconv.Itoa(port) diff --git a/Plugins/postgres.go b/Plugins/postgres.go index c076a74..1554c88 100644 --- a/Plugins/postgres.go +++ b/Plugins/postgres.go @@ -18,7 +18,7 @@ func PostgresScan(info *common.HostInfo) (tmperr error) { if flag == true && err == nil { return err } else { - errlog := fmt.Sprintf("[-] psql %v:%v %v %v %v", info.Host, common.PORTList["psql"], user, pass, err) + errlog := fmt.Sprintf("[-] psql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err) common.LogError(errlog) tmperr = err if common.CheckErrs(err) { @@ -35,7 +35,7 @@ func PostgresScan(info *common.HostInfo) (tmperr error) { func PostgresConn(info *common.HostInfo, user string, pass string) (flag bool, err error) { flag = false - Host, Port, Username, Password := info.Host, common.PORTList["psql"], user, pass + Host, Port, Username, Password := info.Host, info.Ports, user, pass dataSourceName := fmt.Sprintf("postgres://%v:%v@%v:%v/%v?sslmode=%v", Username, Password, Host, Port, "postgres", "disable") db, err := sql.Open("postgres", dataSourceName) if err == nil { diff --git a/Plugins/redis.go b/Plugins/redis.go index 08c4199..849bbd4 100644 --- a/Plugins/redis.go +++ b/Plugins/redis.go 
@@ -22,7 +22,7 @@ func RedisScan(info *common.HostInfo) (tmperr error) { if flag == true && err == nil { return err } else { - errlog := fmt.Sprintf("[-] redis %v:%v %v %v %v", info.Host, common.PORTList["redis"], pass, err) + errlog := fmt.Sprintf("[-] redis %v:%v %v %v", info.Host, info.Ports, pass, err) common.LogError(errlog) tmperr = err if common.CheckErrs(err) { @@ -38,7 +38,7 @@ func RedisScan(info *common.HostInfo) (tmperr error) { func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) { flag = false - realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["redis"]) + realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second) if err != nil { return flag, err @@ -63,7 +63,7 @@ func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) { func RedisUnauth(info *common.HostInfo) (flag bool, err error) { flag = false - realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["redis"]) + realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second) if err != nil { return flag, err diff --git a/Plugins/scanner.go b/Plugins/scanner.go index c623e4f..3bd9fed 100644 --- a/Plugins/scanner.go +++ b/Plugins/scanner.go @@ -9,6 +9,7 @@ import ( "strconv" "strings" "sync" + "time" ) func Scan(info common.HostInfo) { @@ -47,7 +48,7 @@ func Scan(info common.HostInfo) { AddScan("1000003", info, ch, &wg) //webtitle } } else { - port, _ := common.PortlistBack[info.Scantype] + port, _ := common.PORTList[info.Scantype] scantype := strconv.Itoa(port) AddScan(scantype, info, ch, &wg) } @@ -64,6 +65,7 @@ func Scan(info common.HostInfo) { } } wg.Wait() + time.Sleep(100 * time.Millisecond) close(common.Results) fmt.Println(fmt.Sprintf("已完成 %v/%v", common.End, common.Num)) } diff --git a/Plugins/ssh.go b/Plugins/ssh.go index 471f9a2..a0777de 100644 --- a/Plugins/ssh.go 
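Review bot: The added `time.Sleep(100 * time.Millisecond)` between `wg.Wait()` and `close(common.Results)` in the third scanner.go hunk is a timing guess rather than a synchronisation: if it exists because some sender can still write to `common.Results` after the WaitGroup is released, a send that lands later than 100 ms still panics with "send on closed channel", and on an idle run it only adds latency. The sender should be covered by the WaitGroup (or the channel closed by the goroutine that owns the sends) so the close follows the last send by construction; if the sleep is there for another reason, a comment naming which goroutine it waits for would at least make the dependency visible. In the second hunk, `port, _ := common.PORTList[info.Scantype]` maps an unknown scantype to port 0 and then to plugin key "0"; `port, ok :=` with an explicit error would surface a typo instead of silently falling through. Scan continues outside the hunks.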
+++ b/Plugins/ssh.go @@ -18,7 +18,7 @@ func SshScan(info *common.HostInfo) (tmperr error) { if flag == true && err == nil { return err } else { - errlog := fmt.Sprintf("[-] ssh %v:%v %v %v %v", info.Host, common.PORTList["ssh"], user, pass, err) + errlog := fmt.Sprintf("[-] ssh %v:%v %v %v %v", info.Host, info.Ports, user, pass, err) common.LogError(errlog) tmperr = err if common.CheckErrs(err) { @@ -35,7 +35,7 @@ func SshScan(info *common.HostInfo) (tmperr error) { func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err error) { flag = false - Host, Port, Username, Password := info.Host, common.PORTList["ssh"], user, pass + Host, Port, Username, Password := info.Host, info.Ports, user, pass config := &ssh.ClientConfig{ User: Username, Auth: []ssh.AuthMethod{ diff --git a/README.md b/README.md index ab7ab40..e0f4b51 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # 简介 一款内网综合扫描工具,方便一键自动化、全方位漏扫扫描。 -支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写公钥、计划任务反弹shell、读取win网卡信息、web指纹识别、web漏洞扫描等。 +支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写公钥、计划任务反弹shell、读取win网卡信息、web指纹识别、web漏洞扫描、netbios探测、域控识别等功能。 ## 主要功能 1.信息搜集: @@ -138,6 +138,7 @@ https://github.com/k8gege/LadonGo https://github.com/jjf012/gopoc ## 最近更新 +[+] 2021/4/21 加入netbios探测、域控识别 [+] 2021/3/4 支持-u url或者-uf url.txt,对url进行批量扫描 [+] 2021/2/25 修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml [+] 2021/2/8 增加指纹识别功能,可识别常见CMS、框架,如致远OA、通达OA等。 diff --git a/WebScan/lib/eval.go b/WebScan/lib/eval.go index 8874599..cb1a7ea 100644 --- a/WebScan/lib/eval.go +++ b/WebScan/lib/eval.go @@ -123,6 +123,10 @@ func NewEnvOption() CustomLib { decls.NewOverload("randomLowercase_int", []*exprpb.Type{decls.Int}, decls.String)), + decls.NewFunction("randomUppercase", + decls.NewOverload("randomUppercase_int", + []*exprpb.Type{decls.Int}, + decls.String)), decls.NewFunction("base64", decls.NewOverload("base64_string", []*exprpb.Type{decls.String}, 
@@ -238,6 +242,16 @@ func NewEnvOption() CustomLib { return types.String(randomLowercase(int(n))) }, }, + &functions.Overload{ + Operator: "randomUppercase_int", + Unary: func(value ref.Val) ref.Val { + n, ok := value.(types.Int) + if !ok { + return types.ValOrErr(value, "unexpected type '%v' passed to randomUppercase", value.Type()) + } + return types.String(randomUppercase(int(n))) + }, + }, &functions.Overload{ Operator: "base64_string", Unary: func(value ref.Val) ref.Val { @@ -425,6 +439,12 @@ func randomLowercase(n int) string { return RandomStr(randSource, lowercase, n) } +func randomUppercase(n int) string { + lowercase := "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + randSource := rand.New(rand.NewSource(time.Now().Unix())) + return RandomStr(randSource, lowercase, n) +} + func reverseCheck(r *Reverse, timeout int64) bool { if ceyeApi == "" || r.Domain == "" { return false @@ -445,7 +465,6 @@ func reverseCheck(r *Reverse, timeout int64) bool { return false } - func RandomStr(randSource *rand.Rand, letterBytes string, n int) string { const ( letterIdxBits = 6 // 6 bits to represent a letter index diff --git a/WebScan/lib/http.go b/WebScan/lib/http.go index 278ce64..2c46821 100644 --- a/WebScan/lib/http.go +++ b/WebScan/lib/http.go @@ -27,9 +27,9 @@ func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) err } tr := &http.Transport{ - DialContext: dialer.DialContext, - //MaxConnsPerHost: 0, - MaxIdleConns: 1000, + DialContext: dialer.DialContext, + MaxConnsPerHost: 0, + MaxIdleConns: 0, MaxIdleConnsPerHost: ThreadsNum * 2, IdleConnTimeout: keepAlive, TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, diff --git a/common/Parse.go b/common/Parse.go index b0d9504..73eea10 100644 --- a/common/Parse.go +++ b/common/Parse.go @@ -117,6 +117,9 @@ func ParseInput(Info *HostInfo) { if TmpSave == true { IsSave = false } + if Info.Ports == DefaultPorts { + Info.Ports += Webport + } } func ParseScantype(Info *HostInfo) { 
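Review bot: In the new `randomUppercase` (third eval.go hunk), the alphabet variable is named `lowercase` although it holds `A`–`Z`; rename it `uppercase` (or `alphabet`) so the helper does not read as a copy-paste slip. Seeding with `rand.NewSource(time.Now().Unix())` on every call also means all calls within the same second return the same string for a given `n`, so two values generated in one expression are identical; `time.Now().UnixNano()` or a single package-level `*rand.Rand` avoids that (the adjacent `randomLowercase` probably seeds the same way, but its body is outside the hunk). A doc comment, `// randomUppercase returns n pseudo-random ASCII uppercase letters.`, would match the convention of the other helpers.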
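Review bot: `MaxIdleConns: 0` and `MaxConnsPerHost: 0` both mean "no limit" in net/http, so replacing the previous `MaxIdleConns: 1000` with `0` lifts the global idle-connection cap rather than disabling idle connections as the literal reads; the only remaining bound is `MaxIdleConnsPerHost: ThreadsNum * 2`. If unlimited is the intent, say so inline, `MaxIdleConns: 0, // 0 = unlimited; the per-host cap below is the effective bound`, otherwise restore an explicit ceiling. InitHttpClient continues outside the hunk.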
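Review bot: The added `if Info.Ports == DefaultPorts { Info.Ports += Webport }` in ParseInput and the `if Info.Ports == DefaultPorts` guard in ParseScantype (next hunk) test the same condition, so whichever runs second never sees the default: if ParseInput runs first, the `web`, `ms17010` and `cve20200796` cases in ParseScantype are unreachable on a default `-p`, and if ParseScantype runs first the web ports are appended on top of whatever it chose. The call order is outside this patch, so this needs confirming; a comment on the new block stating which of the two must run first would pin it down. In the next hunk, `case "main": Info.Ports = DefaultPorts` assigns a value the enclosing `if` has already established, so it could be an empty case with a `// keep the default port set` comment.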
@@ -127,13 +130,14 @@ func ParseScantype(Info *HostInfo) { if Info.Scantype != "all" { if Info.Ports == DefaultPorts { switch Info.Scantype { - case "webtitle": + case "web": Info.Ports = Webport case "ms17010": Info.Ports = "445" case "cve20200796": Info.Ports = "445" - case "portscan": + case "main": + Info.Ports = DefaultPorts default: port, _ := PORTList[Info.Scantype] Info.Ports = strconv.Itoa(port) diff --git a/common/config.go b/common/config.go index cec3108..0dd05c3 100644 --- a/common/config.go +++ b/common/config.go @@ -24,34 +24,14 @@ var PORTList = map[string]int{ "smb": 445, "ms17010": 1000001, "cve20200796": 1000002, - "webtitle": 1000003, + "web": 1000003, "elastic": 9200, "findnet": 135, "netbios": 139, "all": 0, "portscan": 0, "icmp": 0, -} - -var PortlistBack = map[string]int{ - "ftp": 21, - "ssh": 22, - "mem": 11211, - "mgo": 27017, - "mssql": 1433, - "psql": 5432, - "redis": 6379, - "mysql": 3306, - "smb": 445, - "ms17010": 1000001, - "cve20200796": 1000002, - "webtitle": 1000003, - "elastic": 9200, - "findnet": 135, - "NetBIOS": 139, - "all": 0, - "portscan": 0, - "icmp": 0, + "main": 0, } var Outputfile = getpath() + "result.txt" diff --git a/common/flag.go b/common/flag.go index 4ba219b..aca9759 100644 --- a/common/flag.go +++ b/common/flag.go @@ -18,7 +18,6 @@ func Banner() { func Flag(Info *HostInfo) { Banner() - DefaultPorts += Webport flag.StringVar(&Info.Host, "h", "", "IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12") flag.StringVar(&Info.Ports, "p", DefaultPorts, "Select a port,for example: 22 | 1-65535 | 22,80,3306") flag.StringVar(&Info.Command, "c", "", "exec command (ssh)") diff --git a/common/log.go b/common/log.go index 19a5601..47f53bc 100644 --- a/common/log.go +++ b/common/log.go 
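Review bot: Renaming the `"webtitle"` key to `"web"` changes a user-facing scan-type name, so existing invocations selecting webtitle now fall to the `default` branch of ParseScantype and get `Ports = "0"` (assuming Scantype comes from the `-m` flag, which this patch does not show). Keeping the old spelling as an alias is one line here, `"webtitle": 1000003,`, plus `case "web", "webtitle":` in the Parse.go switch. Dropping the duplicate `PortlistBack` map is a good cleanup, since it had drifted from PORTList (`"NetBIOS"` vs `"netbios"`).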
@@ -60,7 +60,15 @@ func CheckErrs(err error) bool { if err == nil { return false } - errs := []string{"closed by the remote host", "too many connections", "i/o timeout", "EOF", "A connection attempt failed", "established connection failed", "connection attempt failed", "Unable to read", "is not allowed to connect to this", "no pg_hba.conf entry", "no supported methods remain"} + errs := []string{ + "closed by the remote host", "too many connections", + "i/o timeout", "EOF", "A connection attempt failed", + "established connection failed", "connection attempt failed", + "Unable to read", "is not allowed to connect to this", + "no pg_hba.conf entry", + "no supported methods remain", + "No connection could be made", + } for _, key := range errs { if strings.Contains(strings.ToLower(err.Error()), strings.ToLower(key)) { return true