From 46f9ab84b19008a8b9c63288c5fad4e28a4eb8b8 Mon Sep 17 00:00:00 2001 From: ZacharyZcR <2903735704@qq.com> Date: Sun, 22 Dec 2024 10:53:36 +0800 Subject: [PATCH] =?UTF-8?q?feat:=20=E5=A2=9E=E5=8A=A0=E7=AB=AF=E5=8F=A3SYN?= =?UTF-8?q?=E6=89=AB=E6=8F=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Common/Config.go | 3 +- Common/Flag.go | 1 + Core/PortScan.go | 231 ++++++++++++++++++++++++++++++++++++++++++----- Core/Scanner.go | 9 +- go.mod | 3 +- go.sum | 6 ++ 6 files changed, 227 insertions(+), 26 deletions(-) diff --git a/Common/Config.go b/Common/Config.go index 07bd1b1..3df730f 100644 --- a/Common/Config.go +++ b/Common/Config.go @@ -48,7 +48,8 @@ var ( // 扫描配置 ScanMode string // 原Scantype ThreadNum int // 原Threads - Timeout int64 = 3 + UseSynScan bool + Timeout int64 = 3 LiveTop int DisablePing bool // 原NoPing UsePing bool // 原Ping diff --git a/Common/Flag.go b/Common/Flag.go index c76685d..0d97421 100644 --- a/Common/Flag.go +++ b/Common/Flag.go @@ -71,6 +71,7 @@ func Flag(Info *HostInfo) { " 服务类: ftp, ssh, telnet, smb, rdp, vnc, netbios\n"+ " 漏洞类: ms17010, smbghost, smb2\n"+ " 其他: findnet, wmiexec, localinfo") + flag.BoolVar(&UseSynScan, "sS", false, "使用SYN扫描替代TCP全连接扫描(需要root/管理员权限)") flag.IntVar(&ThreadNum, "t", 600, "设置扫描线程数") flag.Int64Var(&Timeout, "time", 3, "设置连接超时时间(单位:秒)") flag.IntVar(&LiveTop, "top", 10, "仅显示指定数量的存活主机") diff --git a/Core/PortScan.go b/Core/PortScan.go index 5e3c06e..eb5a2ae 100644 --- a/Core/PortScan.go +++ b/Core/PortScan.go @@ -1,8 +1,15 @@ package Core import ( + "encoding/binary" "fmt" + "github.com/google/gopacket" + "github.com/google/gopacket/layers" + "github.com/google/gopacket/pcap" "github.com/shadow1ng/fscan/Common" + "golang.org/x/net/ipv4" + "net" + "runtime" "sort" "sync" "time" @@ -14,9 +21,9 @@ type Addr struct { port int // 端口号 } -// PortScan 执行端口扫描 func PortScan(hostslist []string, ports string, timeout int64) []string { var AliveAddress []string + var mu sync.Mutex // 添加互斥锁保护 AliveAddress // 解析端口列表 probePorts := Common.ParsePort(ports) @@ -33,20 +40,31 @@ func PortScan(hostslist []string, ports string, timeout int64) []string { addrs := make(chan Addr, 100) results := make(chan string, 100) var wg sync.WaitGroup - - // 接收扫描结果 - go collectResults(&AliveAddress, results, &wg) + var workerWg sync.WaitGroup // 启动扫描协程 for i := 0; i < workers; i++ { + workerWg.Add(1) go func() { + defer workerWg.Done() for addr := range addrs { PortConnect(addr, results, timeout, &wg) - wg.Done() } }() } + // 接收扫描结果 + var resultWg sync.WaitGroup + resultWg.Add(1) + go func() { + defer resultWg.Done() + for result := range results { + mu.Lock() + AliveAddress = append(AliveAddress, result) + mu.Unlock() + } + }() + // 添加扫描目标 for _, port := range probePorts { for _, host := range hostslist { @@ -55,38 +73,43 @@ func PortScan(hostslist []string, ports string, timeout int64) []string { } } - wg.Wait() + // 按顺序关闭并等待 close(addrs) - close(results) + workerWg.Wait() // 等待所有扫描worker完成 + wg.Wait() // 等待所有扫描任务完成 + close(results) // 关闭结果通道 + resultWg.Wait() // 等待结果处理完成 + return AliveAddress } -// collectResults 收集扫描结果 -func collectResults(aliveAddrs *[]string, results <-chan string, wg *sync.WaitGroup) { - for found := range results { - *aliveAddrs = append(*aliveAddrs, found) - wg.Done() - } -} - -// PortConnect 尝试连接指定端口 func PortConnect(addr Addr, respondingHosts chan<- string, timeout int64, wg *sync.WaitGroup) { - // 建立TCP连接 - conn, err := Common.WrapperTcpWithTimeout("tcp4", - fmt.Sprintf("%s:%v", addr.ip, addr.port), - time.Duration(timeout)*time.Second) + defer wg.Done() // 保留 defer wg.Done() - if err != nil { + var isOpen bool + var err error + + if Common.UseSynScan { + isOpen, err = SynScan(addr.ip, addr.port, timeout) + } else { + conn, err := Common.WrapperTcpWithTimeout("tcp4", + fmt.Sprintf("%s:%v", addr.ip, addr.port), + time.Duration(timeout)*time.Second) + if err == nil { + defer conn.Close() + isOpen = true + } + } + + if err != nil || !isOpen { return } - defer conn.Close() // 记录开放端口 address := fmt.Sprintf("%s:%d", addr.ip, addr.port) result := fmt.Sprintf("[+] 端口开放 %s", address) Common.LogSuccess(result) - wg.Add(1) respondingHosts <- address } @@ -134,3 +157,165 @@ func excludeNoPorts(ports []int) []int { return newPorts } + +func SynScan(ip string, port int, timeout int64) (bool, error) { + ifName := getInterfaceName() + + sendConn, err := net.ListenPacket("ip4:tcp", "0.0.0.0") + if err != nil { + return false, fmt.Errorf("创建发送套接字失败: %v", err) + } + defer sendConn.Close() + + rawConn, err := ipv4.NewRawConn(sendConn) + if err != nil { + return false, fmt.Errorf("获取原始连接失败: %v", err) + } + + dstIP := net.ParseIP(ip) + if dstIP == nil { + return false, fmt.Errorf("无效的IP地址: %s", ip) + } + + // 打开正确的网络接口 + handle, err := pcap.OpenLive(ifName, 65536, true, pcap.BlockForever) + if err != nil { + // 如果失败,尝试查找可用接口 + ifaces, err := pcap.FindAllDevs() + if err != nil { + return false, fmt.Errorf("无法找到网络接口: %v", err) + } + + // 遍历查找可用接口 + var found bool + for _, iface := range ifaces { + handle, err = pcap.OpenLive(iface.Name, 65536, true, pcap.BlockForever) + if err == nil { + found = true + break + } + } + + if !found { + return false, fmt.Errorf("无法打开任何网络接口") + } + } + defer handle.Close() + + srcPort := 12345 + port + filter := fmt.Sprintf("tcp and src port %d and dst port %d", port, srcPort) + if err := handle.SetBPFFilter(filter); err != nil { + return false, fmt.Errorf("设置过滤器失败: %v", err) + } + + tcpHeader := &ipv4.Header{ + Version: 4, + Len: 20, + TotalLen: 40, + TTL: 64, + Protocol: 6, + Dst: dstIP, + } + + synPacket := make([]byte, 20) + binary.BigEndian.PutUint16(synPacket[0:2], uint16(srcPort)) + binary.BigEndian.PutUint16(synPacket[2:4], uint16(port)) + binary.BigEndian.PutUint32(synPacket[4:8], uint32(1)) + binary.BigEndian.PutUint32(synPacket[8:12], uint32(0)) + synPacket[12] = 0x50 + synPacket[13] = 0x02 + binary.BigEndian.PutUint16(synPacket[14:16], uint16(8192)) + binary.BigEndian.PutUint16(synPacket[16:18], uint16(0)) + binary.BigEndian.PutUint16(synPacket[18:20], uint16(0)) + + checksum := calculateTCPChecksum(synPacket, tcpHeader.Src, tcpHeader.Dst) + binary.BigEndian.PutUint16(synPacket[16:18], checksum) + + if err := rawConn.WriteTo(tcpHeader, synPacket, nil); err != nil { + return false, fmt.Errorf("发送SYN包失败: %v", err) + } + + packetSource := gopacket.NewPacketSource(handle, handle.LinkType()) + packetSource.DecodeOptions.Lazy = true + packetSource.NoCopy = true + + timeoutChan := time.After(time.Duration(timeout) * time.Second) + + for { + select { + case packet := <-packetSource.Packets(): + tcpLayer := packet.Layer(layers.LayerTypeTCP) + if tcpLayer == nil { + continue + } + + tcp, ok := tcpLayer.(*layers.TCP) + if !ok { + continue + } + + if tcp.SYN && tcp.ACK { + return true, nil + } + + if tcp.RST { + return false, nil + } + + case <-timeoutChan: + return false, nil + } + } +} + +// calculateTCPChecksum 计算TCP校验和 +func calculateTCPChecksum(tcpHeader []byte, srcIP, dstIP net.IP) uint16 { + // 创建伪首部 + pseudoHeader := make([]byte, 12) + copy(pseudoHeader[0:4], srcIP.To4()) + copy(pseudoHeader[4:8], dstIP.To4()) + pseudoHeader[8] = 0 + pseudoHeader[9] = 6 // TCP协议号 + pseudoHeader[10] = byte(len(tcpHeader) >> 8) + pseudoHeader[11] = byte(len(tcpHeader)) + + // 计算校验和 + var sum uint32 + + // 计算伪首部的校验和 + for i := 0; i < len(pseudoHeader)-1; i += 2 { + sum += uint32(pseudoHeader[i])<<8 | uint32(pseudoHeader[i+1]) + } + + // 计算TCP头的校验和 + for i := 0; i < len(tcpHeader)-1; i += 2 { + sum += uint32(tcpHeader[i])<<8 | uint32(tcpHeader[i+1]) + } + + // 如果长度为奇数,处理最后一个字节 + if len(tcpHeader)%2 == 1 { + sum += uint32(tcpHeader[len(tcpHeader)-1]) << 8 + } + + // 将高16位加到低16位 + for sum > 0xffff { + sum = (sum >> 16) + (sum & 0xffff) + } + + // 取反 + return ^uint16(sum) +} + +// 获取系统对应的接口名 +func getInterfaceName() string { + switch runtime.GOOS { + case "windows": + return "\\Device\\NPF_Loopback" + case "linux": + return "lo" + case "darwin": + return "lo0" + default: + return "lo" + } +} diff --git a/Core/Scanner.go b/Core/Scanner.go index 9ae8d8a..f85a84d 100644 --- a/Core/Scanner.go +++ b/Core/Scanner.go @@ -70,7 +70,7 @@ func executeScan(hosts []string, info Common.HostInfo, ch *chan struct{}, wg *sy alivePorts = append(alivePorts, Common.HostPort...) alivePorts = Common.RemoveDuplicate(alivePorts) Common.HostPort = nil - fmt.Printf("[+] 总计存活端口: %d\n", len(alivePorts)) + fmt.Printf("[+] 存活端口数量: %d\n", len(alivePorts)) } targetInfos = prepareTargetInfos(alivePorts, info) @@ -116,10 +116,12 @@ func executeScans(targets []Common.HostInfo, ch *chan struct{}, wg *sync.WaitGro if plugins := Common.GetPluginsForMode(mode); plugins != nil { // 预设模式下使用配置的插件组 pluginsToRun = plugins + fmt.Printf("[*] 正在加载插件组: %s\n", mode) } else { // 单插件模式 pluginsToRun = []string{mode} isSinglePlugin = true + fmt.Printf("[*] 正在加载单插件: %s\n", mode) } // 统一处理所有目标和插件 @@ -130,12 +132,14 @@ func executeScans(targets []Common.HostInfo, ch *chan struct{}, wg *sync.WaitGro // 获取插件信息 plugin, exists := Common.PluginManager[pluginName] if !exists { + fmt.Printf("[-] 插件 %s 不存在\n", pluginName) continue } // 本地扫描模式的特殊处理 if Common.LocalScan { if len(plugin.Ports) == 0 { + fmt.Printf("[+] 载入插件: %s\n", pluginName) AddScan(pluginName, target, ch, wg) } continue @@ -143,6 +147,7 @@ func executeScans(targets []Common.HostInfo, ch *chan struct{}, wg *sync.WaitGro // 单插件模式直接执行,不检查端口 if isSinglePlugin { + fmt.Printf("[+] 载入插件: %s\n", pluginName) AddScan(pluginName, target, ch, wg) continue } @@ -150,9 +155,11 @@ func executeScans(targets []Common.HostInfo, ch *chan struct{}, wg *sync.WaitGro // 预设模式下的常规处理 if len(plugin.Ports) > 0 { if plugin.HasPort(targetPort) { + fmt.Printf("[+] 载入插件: %s (端口: %d)\n", pluginName, targetPort) AddScan(pluginName, target, ch, wg) } } else { + fmt.Printf("[+] 载入插件: %s\n", pluginName) AddScan(pluginName, target, ch, wg) } } diff --git a/go.mod b/go.mod index f24a6ff..7b42c92 100644 --- a/go.mod +++ b/go.mod @@ -44,6 +44,7 @@ require ( github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe // indirect github.com/golang-sql/sqlexp v0.1.0 // indirect github.com/golang/snappy v0.0.4 // indirect + github.com/google/gopacket v1.1.19 // indirect github.com/google/uuid v1.6.0 // indirect github.com/hashicorp/errwrap v1.0.0 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect @@ -67,7 +68,7 @@ require ( go.uber.org/multierr v1.3.0 // indirect go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee // indirect go.uber.org/zap v1.14.0 // indirect - golang.org/x/lint v0.0.0-20190930215403-16217165b5de // indirect + golang.org/x/lint v0.0.0-20200302205851-738671d3881b // indirect golang.org/x/mod v0.18.0 // indirect golang.org/x/sync v0.10.0 // indirect golang.org/x/sys v0.28.0 // indirect diff --git a/go.sum b/go.sum index 994d5e3..82d6c11 100644 --- a/go.sum +++ b/go.sum @@ -112,6 +112,8 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8= +github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo= github.com/google/gxui v0.0.0-20151028112939-f85e0a97b3a4/go.mod h1:Pw1H1OjSNHiqeuxAduB1BKYXIwFtsyrY47nEqSgEiCM= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= @@ -359,11 +361,14 @@ golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de h1:5hukYrvBGR8/eNkX5mdUezrA6JiaEZDtJb9Ei+1LlBs= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20181026062114-a27dd33d354d/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= @@ -491,6 +496,7 @@ golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=