feat: 增加端口SYN扫描

2025-07-13 21:02:44 +08:00 · 2024-12-22 10:53:36 +08:00 · 2024-12-22 10:53:36 +08:00 · 46f9ab84b1
commit 46f9ab84b1
parent 04ee3afb07
6 changed files with 227 additions and 26 deletions
--- a/Common/Config.go
+++ b/Common/Config.go
@ -48,7 +48,8 @@ var (
 	// 扫描配置
 	ScanMode    string // 原Scantype
 	ThreadNum   int    // 原Threads
-	Timeout     int64  = 3
+	UseSynScan  bool
+	Timeout     int64 = 3
 	LiveTop     int
 	DisablePing bool // 原NoPing
 	UsePing     bool // 原Ping
--- a/Common/Flag.go
+++ b/Common/Flag.go
@ -71,6 +71,7 @@ func Flag(Info *HostInfo) {
 		"  服务类: ftp, ssh, telnet, smb, rdp, vnc, netbios\n"+
 		"  漏洞类: ms17010, smbghost, smb2\n"+
 		"  其他: findnet, wmiexec, localinfo")
+	flag.BoolVar(&UseSynScan, "sS", false, "使用SYN扫描替代TCP全连接扫描(需要root/管理员权限)")
 	flag.IntVar(&ThreadNum, "t", 600, "设置扫描线程数")
 	flag.Int64Var(&Timeout, "time", 3, "设置连接超时时间(单位:秒)")
 	flag.IntVar(&LiveTop, "top", 10, "仅显示指定数量的存活主机")
--- a/Core/PortScan.go
+++ b/Core/PortScan.go
@ -1,8 +1,15 @@
 package Core

 import (
+	"encoding/binary"
 	"fmt"
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+	"github.com/google/gopacket/pcap"
 	"github.com/shadow1ng/fscan/Common"
+	"golang.org/x/net/ipv4"
+	"net"
+	"runtime"
 	"sort"
 	"sync"
 	"time"
@ -14,9 +21,9 @@ type Addr struct {
 	port int    // 端口号
 }

-// PortScan 执行端口扫描
 func PortScan(hostslist []string, ports string, timeout int64) []string {
 	var AliveAddress []string
+	var mu sync.Mutex // 添加互斥锁保护 AliveAddress

 	// 解析端口列表
 	probePorts := Common.ParsePort(ports)
@ -33,20 +40,31 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
 	addrs := make(chan Addr, 100)
 	results := make(chan string, 100)
 	var wg sync.WaitGroup
-
-	// 接收扫描结果
-	go collectResults(&AliveAddress, results, &wg)
+	var workerWg sync.WaitGroup

 	// 启动扫描协程
 	for i := 0; i < workers; i++ {
+		workerWg.Add(1)
 		go func() {
+			defer workerWg.Done()
 			for addr := range addrs {
 				PortConnect(addr, results, timeout, &wg)
-				wg.Done()
 			}
 		}()
 	}

+	// 接收扫描结果
+	var resultWg sync.WaitGroup
+	resultWg.Add(1)
+	go func() {
+		defer resultWg.Done()
+		for result := range results {
+			mu.Lock()
+			AliveAddress = append(AliveAddress, result)
+			mu.Unlock()
+		}
+	}()
+
 	// 添加扫描目标
 	for _, port := range probePorts {
 		for _, host := range hostslist {
@ -55,38 +73,43 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
 		}
 	}

-	wg.Wait()
+	// 按顺序关闭并等待
 	close(addrs)
-	close(results)
+	workerWg.Wait() // 等待所有扫描worker完成
+	wg.Wait()       // 等待所有扫描任务完成
+	close(results)  // 关闭结果通道
+	resultWg.Wait() // 等待结果处理完成
+
 	return AliveAddress
 }

-// collectResults 收集扫描结果
-func collectResults(aliveAddrs *[]string, results <-chan string, wg *sync.WaitGroup) {
-	for found := range results {
-		*aliveAddrs = append(*aliveAddrs, found)
-		wg.Done()
-	}
-}
-
-// PortConnect 尝试连接指定端口
 func PortConnect(addr Addr, respondingHosts chan<- string, timeout int64, wg *sync.WaitGroup) {
-	// 建立TCP连接
-	conn, err := Common.WrapperTcpWithTimeout("tcp4",
-		fmt.Sprintf("%s:%v", addr.ip, addr.port),
-		time.Duration(timeout)*time.Second)
+	defer wg.Done() // 保留 defer wg.Done()

-	if err != nil {
+	var isOpen bool
+	var err error
+
+	if Common.UseSynScan {
+		isOpen, err = SynScan(addr.ip, addr.port, timeout)
+	} else {
+		conn, err := Common.WrapperTcpWithTimeout("tcp4",
+			fmt.Sprintf("%s:%v", addr.ip, addr.port),
+			time.Duration(timeout)*time.Second)
+		if err == nil {
+			defer conn.Close()
+			isOpen = true
+		}
+	}
+
+	if err != nil || !isOpen {
 		return
 	}
-	defer conn.Close()

 	// 记录开放端口
 	address := fmt.Sprintf("%s:%d", addr.ip, addr.port)
 	result := fmt.Sprintf("[+] 端口开放 %s", address)
 	Common.LogSuccess(result)

-	wg.Add(1)
 	respondingHosts <- address
 }

@ -134,3 +157,165 @@ func excludeNoPorts(ports []int) []int {

 	return newPorts
 }
+
+func SynScan(ip string, port int, timeout int64) (bool, error) {
+	ifName := getInterfaceName()
+
+	sendConn, err := net.ListenPacket("ip4:tcp", "0.0.0.0")
+	if err != nil {
+		return false, fmt.Errorf("创建发送套接字失败: %v", err)
+	}
+	defer sendConn.Close()
+
+	rawConn, err := ipv4.NewRawConn(sendConn)
+	if err != nil {
+		return false, fmt.Errorf("获取原始连接失败: %v", err)
+	}
+
+	dstIP := net.ParseIP(ip)
+	if dstIP == nil {
+		return false, fmt.Errorf("无效的IP地址: %s", ip)
+	}
+
+	// 打开正确的网络接口
+	handle, err := pcap.OpenLive(ifName, 65536, true, pcap.BlockForever)
+	if err != nil {
+		// 如果失败，尝试查找可用接口
+		ifaces, err := pcap.FindAllDevs()
+		if err != nil {
+			return false, fmt.Errorf("无法找到网络接口: %v", err)
+		}
+
+		// 遍历查找可用接口
+		var found bool
+		for _, iface := range ifaces {
+			handle, err = pcap.OpenLive(iface.Name, 65536, true, pcap.BlockForever)
+			if err == nil {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			return false, fmt.Errorf("无法打开任何网络接口")
+		}
+	}
+	defer handle.Close()
+
+	srcPort := 12345 + port
+	filter := fmt.Sprintf("tcp and src port %d and dst port %d", port, srcPort)
+	if err := handle.SetBPFFilter(filter); err != nil {
+		return false, fmt.Errorf("设置过滤器失败: %v", err)
+	}
+
+	tcpHeader := &ipv4.Header{
+		Version:  4,
+		Len:      20,
+		TotalLen: 40,
+		TTL:      64,
+		Protocol: 6,
+		Dst:      dstIP,
+	}
+
+	synPacket := make([]byte, 20)
+	binary.BigEndian.PutUint16(synPacket[0:2], uint16(srcPort))
+	binary.BigEndian.PutUint16(synPacket[2:4], uint16(port))
+	binary.BigEndian.PutUint32(synPacket[4:8], uint32(1))
+	binary.BigEndian.PutUint32(synPacket[8:12], uint32(0))
+	synPacket[12] = 0x50
+	synPacket[13] = 0x02
+	binary.BigEndian.PutUint16(synPacket[14:16], uint16(8192))
+	binary.BigEndian.PutUint16(synPacket[16:18], uint16(0))
+	binary.BigEndian.PutUint16(synPacket[18:20], uint16(0))
+
+	checksum := calculateTCPChecksum(synPacket, tcpHeader.Src, tcpHeader.Dst)
+	binary.BigEndian.PutUint16(synPacket[16:18], checksum)
+
+	if err := rawConn.WriteTo(tcpHeader, synPacket, nil); err != nil {
+		return false, fmt.Errorf("发送SYN包失败: %v", err)
+	}
+
+	packetSource := gopacket.NewPacketSource(handle, handle.LinkType())
+	packetSource.DecodeOptions.Lazy = true
+	packetSource.NoCopy = true
+
+	timeoutChan := time.After(time.Duration(timeout) * time.Second)
+
+	for {
+		select {
+		case packet := <-packetSource.Packets():
+			tcpLayer := packet.Layer(layers.LayerTypeTCP)
+			if tcpLayer == nil {
+				continue
+			}
+
+			tcp, ok := tcpLayer.(*layers.TCP)
+			if !ok {
+				continue
+			}
+
+			if tcp.SYN && tcp.ACK {
+				return true, nil
+			}
+
+			if tcp.RST {
+				return false, nil
+			}
+
+		case <-timeoutChan:
+			return false, nil
+		}
+	}
+}
+
+// calculateTCPChecksum 计算TCP校验和
+func calculateTCPChecksum(tcpHeader []byte, srcIP, dstIP net.IP) uint16 {
+	// 创建伪首部
+	pseudoHeader := make([]byte, 12)
+	copy(pseudoHeader[0:4], srcIP.To4())
+	copy(pseudoHeader[4:8], dstIP.To4())
+	pseudoHeader[8] = 0
+	pseudoHeader[9] = 6 // TCP协议号
+	pseudoHeader[10] = byte(len(tcpHeader) >> 8)
+	pseudoHeader[11] = byte(len(tcpHeader))
+
+	// 计算校验和
+	var sum uint32
+
+	// 计算伪首部的校验和
+	for i := 0; i < len(pseudoHeader)-1; i += 2 {
+		sum += uint32(pseudoHeader[i])<<8 | uint32(pseudoHeader[i+1])
+	}
+
+	// 计算TCP头的校验和
+	for i := 0; i < len(tcpHeader)-1; i += 2 {
+		sum += uint32(tcpHeader[i])<<8 | uint32(tcpHeader[i+1])
+	}
+
+	// 如果长度为奇数，处理最后一个字节
+	if len(tcpHeader)%2 == 1 {
+		sum += uint32(tcpHeader[len(tcpHeader)-1]) << 8
+	}
+
+	// 将高16位加到低16位
+	for sum > 0xffff {
+		sum = (sum >> 16) + (sum & 0xffff)
+	}
+
+	// 取反
+	return ^uint16(sum)
+}
+
+// 获取系统对应的接口名
+func getInterfaceName() string {
+	switch runtime.GOOS {
+	case "windows":
+		return "\\Device\\NPF_Loopback"
+	case "linux":
+		return "lo"
+	case "darwin":
+		return "lo0"
+	default:
+		return "lo"
+	}
+}
--- a/Core/Scanner.go
+++ b/Core/Scanner.go
@ -70,7 +70,7 @@ func executeScan(hosts []string, info Common.HostInfo, ch *chan struct{}, wg *sy
 			alivePorts = append(alivePorts, Common.HostPort...)
 			alivePorts = Common.RemoveDuplicate(alivePorts)
 			Common.HostPort = nil
-			fmt.Printf("[+] 总计存活端口: %d\n", len(alivePorts))
+			fmt.Printf("[+] 存活端口数量: %d\n", len(alivePorts))
 		}

 		targetInfos = prepareTargetInfos(alivePorts, info)
@ -116,10 +116,12 @@ func executeScans(targets []Common.HostInfo, ch *chan struct{}, wg *sync.WaitGro
 	if plugins := Common.GetPluginsForMode(mode); plugins != nil {
 		// 预设模式下使用配置的插件组
 		pluginsToRun = plugins
+		fmt.Printf("[*] 正在加载插件组: %s\n", mode)
 	} else {
 		// 单插件模式
 		pluginsToRun = []string{mode}
 		isSinglePlugin = true
+		fmt.Printf("[*] 正在加载单插件: %s\n", mode)
 	}

 	// 统一处理所有目标和插件
@ -130,12 +132,14 @@ func executeScans(targets []Common.HostInfo, ch *chan struct{}, wg *sync.WaitGro
 			// 获取插件信息
 			plugin, exists := Common.PluginManager[pluginName]
 			if !exists {
+				fmt.Printf("[-] 插件 %s 不存在\n", pluginName)
 				continue
 			}

 			// 本地扫描模式的特殊处理
 			if Common.LocalScan {
 				if len(plugin.Ports) == 0 {
+					fmt.Printf("[+] 载入插件: %s\n", pluginName)
 					AddScan(pluginName, target, ch, wg)
 				}
 				continue
@ -143,6 +147,7 @@ func executeScans(targets []Common.HostInfo, ch *chan struct{}, wg *sync.WaitGro

 			// 单插件模式直接执行，不检查端口
 			if isSinglePlugin {
+				fmt.Printf("[+] 载入插件: %s\n", pluginName)
 				AddScan(pluginName, target, ch, wg)
 				continue
 			}
@ -150,9 +155,11 @@ func executeScans(targets []Common.HostInfo, ch *chan struct{}, wg *sync.WaitGro
 			// 预设模式下的常规处理
 			if len(plugin.Ports) > 0 {
 				if plugin.HasPort(targetPort) {
+					fmt.Printf("[+] 载入插件: %s (端口: %d)\n", pluginName, targetPort)
 					AddScan(pluginName, target, ch, wg)
 				}
 			} else {
+				fmt.Printf("[+] 载入插件: %s\n", pluginName)
 				AddScan(pluginName, target, ch, wg)
 			}
 		}
--- a/go.mod
+++ b/go.mod
@ -44,6 +44,7 @@ require (
 	github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/gopacket v1.1.19 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
@ -67,7 +68,7 @@ require (
 	go.uber.org/multierr v1.3.0 // indirect
 	go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee // indirect
 	go.uber.org/zap v1.14.0 // indirect
-	golang.org/x/lint v0.0.0-20190930215403-16217165b5de // indirect
+	golang.org/x/lint v0.0.0-20200302205851-738671d3881b // indirect
 	golang.org/x/mod v0.18.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -112,6 +112,8 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
+github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/gxui v0.0.0-20151028112939-f85e0a97b3a4/go.mod h1:Pw1H1OjSNHiqeuxAduB1BKYXIwFtsyrY47nEqSgEiCM=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
@ -359,11 +361,14 @@ golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de h1:5hukYrvBGR8/eNkX5mdUezrA6JiaEZDtJb9Ei+1LlBs=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20181026062114-a27dd33d354d/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@ -491,6 +496,7 @@ golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=