diff --git a/Common/Flag.go b/Common/Flag.go
index 34de495..c76685d 100644
--- a/Common/Flag.go
+++ b/Common/Flag.go
@@ -20,77 +20,112 @@ func Flag(Info *HostInfo) {
 Banner()
 // 目标配置
- flag.StringVar(&Info.Host, "h", "", "目标主机IP,例如: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12")
- flag.StringVar(&ExcludeHosts, "eh", "", "排除的主机范围,例如: -eh 192.168.1.1/24")
- flag.StringVar(&Ports, "p", MainPorts, "端口配置,例如: 22 | 1-65535 | 22,80,3306")
- flag.StringVar(&AddPorts, "pa", "", "在默认端口基础上添加端口,-pa 3389")
- flag.StringVar(&ExcludePorts, "pn", "", "排除的端口,例如: -pn 445")
+ flag.StringVar(&Info.Host, "h", "", "指定目标主机,支持以下格式:\n"+
+ " - 单个IP: 192.168.11.11\n"+
+ " - IP范围: 192.168.11.11-255\n"+
+ " - 多个IP: 192.168.11.11,192.168.11.12")
+ flag.StringVar(&ExcludeHosts, "eh", "", "排除指定主机范围,支持CIDR格式,如: 192.168.1.1/24")
+ flag.StringVar(&Ports, "p", MainPorts, "指定扫描端口,支持以下格式:\n"+
+ "端口格式:\n"+
+ " - 单个端口: 22\n"+
+ " - 端口范围: 1-65535\n"+
+ " - 多个端口: 22,80,3306\n\n"+
+ "预定义端口组(别名):\n"+
+ " - main: 常用端口 (21,22,23,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017)\n"+
+ " - service: 服务端口 (21,22,23,135,139,445,1433,1521,2222,3306,3389,5432,6379,9000,11211,27017)\n"+
+ " - db: 数据库端口 (1433,1521,3306,5432,6379,11211,27017)\n"+
+ " - web: Web服务端口 (包含常见的 80-90,443,800-1080,2000-8000,8080-9000,9090-10000 等Web端口)\n"+
+ " - all: 全部端口 (1-65535)\n\n"+
+ "示例:\n"+
+ " -p main 扫描常用端口\n"+
+ " -p web 扫描Web端口\n"+
+ " -p 80,443 扫描指定端口\n"+
+ " -p 1-1000 扫描1-1000端口范围\n"+
+ "默认使用 main 端口组")
+ flag.StringVar(&AddPorts, "pa", "", "在默认端口基础上额外添加端口,如: -pa 3389")
+ flag.StringVar(&ExcludePorts, "pn", "", "排除指定端口,如: -pn 445")
 // 认证配置
- flag.StringVar(&AddUsers, "usera", "", "在默认用户列表基础上添加用户,-usera user")
- flag.StringVar(&AddPasswords, "pwda", "", "在默认密码列表基础上添加密码,-pwda password")
- flag.StringVar(&Username, "user", "", "用户名")
- flag.StringVar(&Password, "pwd", "", "密码")
- flag.StringVar(&Domain, "domain", "", "域名(用于SMB)")
- flag.StringVar(&SshKeyPath, "sshkey", "", "SSH密钥文件(id_rsa)")
+ flag.StringVar(&AddUsers, "usera", "", "在默认用户列表基础上添加自定义用户名")
+ flag.StringVar(&AddPasswords, "pwda", "", "在默认密码列表基础上添加自定义密码")
+ flag.StringVar(&Username, "user", "", "指定单个用户名")
+ flag.StringVar(&Password, "pwd", "", "指定单个密码")
+ flag.StringVar(&Domain, "domain", "", "指定域名(仅用于SMB协议)")
+ flag.StringVar(&SshKeyPath, "sshkey", "", "指定SSH私钥文件路径(默认为id_rsa)")
 // 扫描配置
- flag.StringVar(&ScanMode, "m", "All", "扫描类型,例如: -m ssh")
- flag.IntVar(&ThreadNum, "t", 600, "线程数量")
- flag.Int64Var(&Timeout, "time", 3, "超时时间(秒)")
- flag.IntVar(&LiveTop, "top", 10, "显示存活主机数量")
- flag.BoolVar(&DisablePing, "np", false, "禁用存活探测")
- flag.BoolVar(&UsePing, "ping", false, "使用ping替代ICMP")
- flag.StringVar(&Command, "c", "", "执行命令(支持ssh|wmiexec)")
+ flag.StringVar(&ScanMode, "m", "All", "指定扫描模式:\n"+
+ "预设扫描模式(大写开头):\n"+
+ " - All: 全量扫描,包含所有可用插件\n"+
+ " - Basic: 基础扫描,包含 web/ftp/ssh/smb/findnet\n"+
+ " - Database: 数据库扫描,包含 mysql/mssql/redis/mongodb/postgres/oracle/memcached\n"+
+ " - Web: Web服务扫描,包含 web/fcgi\n"+
+ " - Service: 常见服务扫描,包含 ftp/ssh/telnet/smb/rdp/vnc/netbios\n"+
+ " - Vul: 漏洞扫描,包含 ms17010/smbghost/smb2\n"+
+ " - Port: 端口扫描模式\n"+
+ " - ICMP: ICMP存活探测\n"+
+ " - Local: 本地信息收集\n\n"+
+ "单个插件模式(小写):\n"+
+ " Web类: web, fcgi\n"+
+ " 数据库类: mysql, mssql, redis, mongodb, postgres, oracle, memcached\n"+
+ " 服务类: ftp, ssh, telnet, smb, rdp, vnc, netbios\n"+
+ " 漏洞类: ms17010, smbghost, smb2\n"+
+ " 其他: findnet, wmiexec, localinfo")
+ flag.IntVar(&ThreadNum, "t", 600, "设置扫描线程数")
+ flag.Int64Var(&Timeout, "time", 3, "设置连接超时时间(单位:秒)")
+ flag.IntVar(&LiveTop, "top", 10, "仅显示指定数量的存活主机")
+ flag.BoolVar(&DisablePing, "np", false, "禁用主机存活探测")
+ flag.BoolVar(&UsePing, "ping", false, "使用系统ping命令替代ICMP探测")
+ flag.StringVar(&Command, "c", "", "指定要执行的系统命令(支持ssh和wmiexec)")
 // 本地扫描配置
- flag.BoolVar(&LocalScan, "local", false, "启用本地扫描")
+ flag.BoolVar(&LocalScan, "local", false, "启用本地网段扫描模式")
 // 文件配置
- flag.StringVar(&HostsFile, "hf", "", "主机列表文件")
- flag.StringVar(&UsersFile, "userf", "", "用户名字典")
- flag.StringVar(&PasswordsFile, "pwdf", "", "密码字典")
- flag.StringVar(&HashFile, "hashf", "", "Hash字典")
- flag.StringVar(&PortsFile, "portf", "", "端口列表文件")
+ flag.StringVar(&HostsFile, "hf", "", "从文件中读取目标主机列表")
+ flag.StringVar(&UsersFile, "userf", "", "从文件中读取用户名字典")
+ flag.StringVar(&PasswordsFile, "pwdf", "", "从文件中读取密码字典")
+ flag.StringVar(&HashFile, "hashf", "", "从文件中读取Hash字典")
+ flag.StringVar(&PortsFile, "portf", "", "从文件中读取端口列表")
 // Web配置
- flag.StringVar(&TargetURL, "u", "", "目标URL")
- flag.StringVar(&URLsFile, "uf", "", "URL列表文件")
- flag.StringVar(&Cookie, "cookie", "", "设置Cookie")
- flag.Int64Var(&WebTimeout, "wt", 5, "Web请求超时时间")
- flag.StringVar(&HttpProxy, "proxy", "", "设置HTTP代理")
- flag.StringVar(&Socks5Proxy, "socks5", "", "设置Socks5代理(将用于TCP连接,超时设置将失效)")
+ flag.StringVar(&TargetURL, "u", "", "指定目标URL")
+ flag.StringVar(&URLsFile, "uf", "", "从文件中读取URL列表")
+ flag.StringVar(&Cookie, "cookie", "", "设置HTTP请求Cookie")
+ flag.Int64Var(&WebTimeout, "wt", 5, "设置Web请求超时时间(单位:秒)")
+ flag.StringVar(&HttpProxy, "proxy", "", "设置HTTP代理服务器")
+ flag.StringVar(&Socks5Proxy, "socks5", "", "设置Socks5代理(用于TCP连接,将影响超时设置)")
 // POC配置
- flag.StringVar(&PocPath, "pocpath", "", "POC文件路径")
- flag.StringVar(&Pocinfo.PocName, "pocname", "", "使用包含指定名称的POC,例如: -pocname weblogic")
- flag.BoolVar(&DisablePoc, "nopoc", false, "禁用Web漏洞扫描")
- flag.BoolVar(&PocFull, "full", false, "完整POC扫描,如:shiro 100个key")
- flag.BoolVar(&DnsLog, "dns", false, "启用dnslog验证")
- flag.IntVar(&PocNum, "num", 20, "POC并发数")
+ flag.StringVar(&PocPath, "pocpath", "", "指定自定义POC文件路径")
+ flag.StringVar(&Pocinfo.PocName, "pocname", "", "指定要使用的POC名称,如: -pocname weblogic")
+ flag.BoolVar(&DisablePoc, "nopoc", false, "禁用Web漏洞POC扫描")
+ flag.BoolVar(&PocFull, "full", false, "启用完整POC扫描(如测试shiro全部100个key)")
+ flag.BoolVar(&DnsLog, "dns", false, "启用dnslog进行漏洞验证")
+ flag.IntVar(&PocNum, "num", 20, "设置POC扫描并发数")
 // Redis利用配置
- flag.StringVar(&RedisFile, "rf", "", "Redis写入SSH公钥文件")
- flag.StringVar(&RedisShell, "rs", "", "Redis写入计划任务")
+ flag.StringVar(&RedisFile, "rf", "", "指定Redis写入的SSH公钥文件")
+ flag.StringVar(&RedisShell, "rs", "", "指定Redis写入的计划任务内容")
 flag.BoolVar(&DisableRedis, "noredis", false, "禁用Redis安全检测")
 // 暴力破解配置
- flag.BoolVar(&DisableBrute, "nobr", false, "禁用密码爆破")
- flag.IntVar(&BruteThreads, "br", 1, "密码爆破线程数")
+ flag.BoolVar(&DisableBrute, "nobr", false, "禁用密码暴力破解")
+ flag.IntVar(&BruteThreads, "br", 1, "设置密码破解线程数")
 // 其他配置
- flag.StringVar(&RemotePath, "path", "", "FCG/SMB远程文件路径")
- flag.StringVar(&HashValue, "hash", "", "Hash值")
- flag.StringVar(&Shellcode, "sc", "", "MS17漏洞shellcode")
- flag.BoolVar(&EnableWmi, "wmi", false, "启用WMI")
+ flag.StringVar(&RemotePath, "path", "", "指定FCG/SMB远程文件路径")
+ flag.StringVar(&HashValue, "hash", "", "指定要破解的Hash值")
+ flag.StringVar(&Shellcode, "sc", "", "指定MS17漏洞利用的shellcode")
+ flag.BoolVar(&EnableWmi, "wmi", false, "启用WMI协议扫描")
 // 输出配置
- flag.StringVar(&Outputfile, "o", "result.txt", "结果输出文件")
- flag.BoolVar(&DisableSave, "no", false, "禁用结果保存")
- flag.BoolVar(&Silent, "silent", false, "静默扫描模式")
- flag.BoolVar(&Nocolor, "nocolor", false, "禁用彩色输出")
- flag.BoolVar(&JsonOutput, "json", false, "JSON格式输出")
- flag.Int64Var(&WaitTime, "debug", 60, "错误日志输出间隔")
+ flag.StringVar(&Outputfile, "o", "result.txt", "指定结果输出文件名")
+ flag.BoolVar(&DisableSave, "no", false, "禁止保存扫描结果")
+ flag.BoolVar(&Silent, "silent", false, "启用静默扫描模式(减少屏幕输出)")
+ flag.BoolVar(&Nocolor, "nocolor", false, "禁用彩色输出显示")
+ flag.BoolVar(&JsonOutput, "json", false, "以JSON格式输出结果")
+ flag.Int64Var(&WaitTime, "debug", 60, "设置错误日志输出时间间隔(单位:秒)")
 flag.Parse()
 }
diff --git a/Common/Parse.go b/Common/Parse.go
index 651ce46..a6a1f6f 100644
--- a/Common/Parse.go
+++ b/Common/Parse.go
@@ -10,10 +10,13 @@ import (
 "strings"
 )
-func Parse(Info *HostInfo) {
+func Parse(Info *HostInfo) error {
 ParseUser()
 ParsePass(Info)
- ParseInput(Info)
+ if err := ParseInput(Info); err != nil {
+ return err
+ }
+ return nil
 }
 // ParseUser 解析用户名配置,支持直接指定用户名列表或从文件读取
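Review bot: The new `-p` help text spells out the members of the `main` port group as a literal, while the default passed in the same `flag.StringVar(&Ports, "p", MainPorts, ...)` call is the `MainPorts` constant; presumably they are the same list today, and they will silently diverge the next time the constant is edited. Build that line from the constant instead, e.g. `" - main: 常用端口 ("+MainPorts+")\n"+`, and do the same for `service`/`db`/`web` if they are named constants (not visible in this hunk); the `-m` text has the same drift risk with its hand-listed plugin names. Separately, the `-socks5` description changed from "超时设置将失效" (the timeout is not applied) to "将影响超时设置" (it affects the timeout); if the underlying behaviour did not change in this commit, the old wording was the precise one and should be kept.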
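Review bot: The new body of `Parse` restates the error instead of adding to it; `if err := ParseInput(Info); err != nil { return err }` followed by `return nil` is equivalent to `return ParseInput(Info)`, or, if context is wanted, `return fmt.Errorf("parsing input: %w", err)` (assuming `fmt` is imported; the import block is cut off above the hunk). `ParseUser()` and `ParsePass(Info)` are still called with no result checked; if either can fail, the new error return should propagate that too, but their signatures are not visible here. A doc comment on the exported function in the file's style, e.g. `// Parse 解析用户名、密码和目标输入,任一步骤失败时返回错误`, would also document the new contract.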
@@ -321,34 +324,3 @@ func ParseInput(Info *HostInfo) error {
 return nil
 }
-
-//// showmode 显示所有支持的扫描类型
-//func showmode() {
-// fmt.Println("[!] 指定的扫描类型不存在")
-// fmt.Println("[*] 支持的扫描类型:")
-//
-// // 显示常规服务扫描类型
-// fmt.Println("\n[+] 常规服务扫描:")
-// for name, plugin := range PluginManager {
-// if plugin.Port > 0 && plugin.Port < 1000000 {
-// fmt.Printf(" - %-10s (端口: %d)\n", name, plugin.Port)
-// }
-// }
-//
-// // 显示特殊漏洞扫描类型
-// fmt.Println("\n[+] 特殊漏洞扫描:")
-// for name, plugin := range PluginManager {
-// if plugin.Port >= 1000000 || plugin.Port == 0 {
-// fmt.Printf(" - %-10s\n", name)
-// }
-// }
-//
-// // 显示其他扫描类型
-// fmt.Println("\n[+] 其他扫描类型:")
-// specialTypes := []string{"all", "portscan", "icmp", "main", "webonly", "webpoc"}
-// for _, name := range specialTypes {
-// fmt.Printf(" - %s\n", name)
-// }
-//
-// os.Exit(0)
-//}
diff --git a/main.go b/main.go
index f2c5bce..b006f07 100644
--- a/main.go
+++ b/main.go
@@ -4,6 +4,7 @@ import (
 "fmt"
 "github.com/shadow1ng/fscan/Common"
 "github.com/shadow1ng/fscan/Core"
+ "os"
 "time"
 )
@@ -11,7 +12,9 @@ func main() {
 start := time.Now()
 var Info Common.HostInfo
 Common.Flag(&Info)
- Common.Parse(&Info)
+ if err := Common.Parse(&Info); err != nil {
+ os.Exit(1) // 或者其他错误处理
+ }
 Core.Scan(Info)
 fmt.Printf("[*] 扫描结束,耗时: %s\n", time.Since(start))
 }
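Review bot: The new error branch in `main` calls `os.Exit(1)` without reporting the error, so whatever `Common.Parse` rejected produces a silent non-zero exit, and the placeholder comment `// 或者其他错误处理` is left behind as if the handling were still undecided. Print the error first, e.g. `fmt.Fprintf(os.Stderr, "[-] 参数解析失败: %v\n", err)` followed by `os.Exit(1)`, and drop the placeholder; both `fmt` and `os` are imported per the preceding hunk. `os.Exit` skips deferred functions, which is harmless here since nothing in `main` is deferred.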