feat: 增加IMAP扫描

2025-07-13 21:02:44 +08:00 · 2024-12-23 01:50:20 +08:00 · 2024-12-23 01:50:20 +08:00 · 7bded7bc31
commit 7bded7bc31
parent 8f5d0caaf2
7 changed files with 123 additions and 6 deletions
--- a/Common/Config.go
+++ b/Common/Config.go
@ -18,6 +18,7 @@ var Userdict = map[string][]string{
 	"activemq":   {"admin", "root", "activemq", "system", "user"},
 	"ldap":       {"admin", "administrator", "root", "cn=admin", "cn=administrator", "cn=manager"},
 	"smtp":       {"admin", "root", "postmaster", "mail", "smtp", "administrator"},
 	"imap":       {"admin", "mail", "postmaster", "root", "user", "test"},
 }
 var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "P@ssword123", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "{user}@123#4", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "123456!a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "1qaz!QAZ", "2wsx@WSX", "qwe123!@#", "Aa123456!", "A123456s!", "sa123456", "1q2w3e", "Charge123", "Aa123456789", "elastic123"}
--- a/Common/ParseScanMode.go
+++ b/Common/ParseScanMode.go
@ -21,7 +21,7 @@ var pluginGroups = map[string][]string{
 		"web", "fcgi", // web类
 		"mysql", "mssql", "redis", "mongodb", "postgres", // 数据库类
 		"oracle", "memcached", "elasticsearch", "rabbitmq", "kafka", "activemq", // 数据库类
-		"ftp", "ssh", "telnet", "smb", "rdp", "vnc", "netbios", "ldap", "smtp", // 服务类
+		"ftp", "ssh", "telnet", "smb", "rdp", "vnc", "netbios", "ldap", "smtp", "imap", // 服务类
 		"ms17010", "smbghost", "smb2", // 漏洞类
 		"findnet", // 其他
 	},
@ -36,7 +36,7 @@ var pluginGroups = map[string][]string{
 		"web", "fcgi",
 	},
 	ModeService: {
-		"ftp", "ssh", "telnet", "smb", "rdp", "vnc", "netbios", "ldap", "smtp",
+		"ftp", "ssh", "telnet", "smb", "rdp", "vnc", "netbios", "ldap", "smtp", "imap",
 	},
 	ModeVul: {
 		"ms17010", "smbghost", "smb2",
--- a/Common/Ports.go
+++ b/Common/Ports.go
@ -5,11 +5,11 @@ import (
 	"strings"
 )
-var ServicePorts = "21,22,23,25,135,139,389,445,465,587,636,1433,1521,2222,3306,3389,5432,5672,5671,6379,8161,9000,9092,9093,9200,11211,15672,15671,27017,61616,61613"
+var ServicePorts = "21,22,23,25,135,139,143,389,445,465,587,636,993,1433,1521,2222,3306,3389,5432,5672,5671,6379,8161,9000,9092,9093,9200,11211,15672,15671,27017,61616,61613"
 var DbPorts = "1433,1521,3306,5432,5672,6379,9093,9200,11211,27017,61616"
 var WebPorts = "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,15672,15671,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880"
 var AllPorts = "1-65535"
-var MainPorts = "21,22,23,80,81,135,139,389,443,445,1433,1521,3306,5432,5672,6379,7001,8000,8080,8089,9000,9200,9092,11211,15672,27017,61616"
+var MainPorts = "21,22,23,80,81,135,143,139,389,443,445,993,1433,1521,3306,5432,5672,6379,7001,8000,8080,8089,9000,9200,9092,11211,15672,27017,61616"
 func ParsePortsFromString(portsStr string) []int {
 	var ports []int
--- a/Core/Registry.go
+++ b/Core/Registry.go
@ -96,6 +96,12 @@ func init() {
 		Ports:    []int{25, 465, 587},
 		ScanFunc: Plugins.SmtpScan,
 	})
 	Common.RegisterPlugin("imap", Common.ScanPlugin{
 		Name:     "IMAP",
 		Ports:    []int{143, 993}, // 143是标准端口，993是SSL端口
 		ScanFunc: Plugins.IMAPScan,
 	})
 	Common.RegisterPlugin("rdp", Common.ScanPlugin{
 		Name:     "RDP",
--- a/Plugins/IMAP.go
+++ b/Plugins/IMAP.go
@ -0,0 +1,111 @@
 package Plugins
 import (
 	"bufio"
 	"crypto/tls"
 	"fmt"
 	"github.com/shadow1ng/fscan/Common"
 	"io"
 	"net"
 	"strings"
 	"time"
 )
 func IMAPScan(info *Common.HostInfo) (tmperr error) {
 	if Common.DisableBrute {
 		return
 	}
 	starttime := time.Now().Unix()
 	// 尝试用户名密码组合
 	for _, user := range Common.Userdict["imap"] {
 		for _, pass := range Common.Passwords {
 			pass = strings.Replace(pass, "{user}", user, -1)
 			flag, err := IMAPConn(info, user, pass)
 			if flag && err == nil {
 				return err
 			}
 			errlog := fmt.Sprintf("[-] IMAP服务 %v:%v 尝试失败 用户名: %v 密码: %v 错误: %v", info.Host, info.Ports, user, pass, err)
 			Common.LogError(errlog)
 			tmperr = err
 			if Common.CheckErrs(err) {
 				return err
 			}
 			if time.Now().Unix()-starttime > (int64(len(Common.Userdict["imap"])*len(Common.Passwords)) * Common.Timeout) {
 				return err
 			}
 		}
 	}
 	return tmperr
 }
 func IMAPConn(info *Common.HostInfo, user string, pass string) (bool, error) {
 	host, port := info.Host, info.Ports
 	timeout := time.Duration(Common.Timeout) * time.Second
 	addr := fmt.Sprintf("%s:%s", host, port)
 	// 首先尝试普通连接
 	conn, err := net.DialTimeout("tcp", addr, timeout)
 	if err == nil {
 		if flag, err := tryIMAPAuth(conn, host, port, user, pass, timeout); err == nil {
 			return flag, nil
 		}
 		conn.Close()
 	}
 	// 如果普通连接失败，尝试TLS连接
 	tlsConfig := &tls.Config{
 		InsecureSkipVerify: true,
 	}
 	conn, err = tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, tlsConfig)
 	if err != nil {
 		return false, fmt.Errorf("连接失败: %v", err)
 	}
 	defer conn.Close()
 	return tryIMAPAuth(conn, host, port, user, pass, timeout)
 }
 // tryIMAPAuth 尝试IMAP认证
 func tryIMAPAuth(conn net.Conn, host string, port string, user string, pass string, timeout time.Duration) (bool, error) {
 	conn.SetDeadline(time.Now().Add(timeout))
 	reader := bufio.NewReader(conn)
 	_, err := reader.ReadString('\n')
 	if err != nil {
 		return false, fmt.Errorf("读取欢迎消息失败: %v", err)
 	}
 	loginCmd := fmt.Sprintf("a001 LOGIN \"%s\" \"%s\"\r\n", user, pass)
 	_, err = conn.Write([]byte(loginCmd))
 	if err != nil {
 		return false, fmt.Errorf("发送登录命令失败: %v", err)
 	}
 	for {
 		conn.SetDeadline(time.Now().Add(timeout))
 		response, err := reader.ReadString('\n')
 		if err != nil {
 			if err == io.EOF {
 				return false, fmt.Errorf("认证失败")
 			}
 			return false, fmt.Errorf("读取响应失败: %v", err)
 		}
 		if strings.Contains(response, "a001 OK") {
 			result := fmt.Sprintf("[+] IMAP服务 %v:%v 爆破成功 用户名: %v 密码: %v",
 				host, port, user, pass)
 			Common.LogSuccess(result)
 			return true, nil
 		}
 		if strings.Contains(response, "a001 NO") || strings.Contains(response, "a001 BAD") {
 			return false, fmt.Errorf("认证失败")
 		}
 	}
 }
--- a/go.mod
+++ b/go.mod
@ -12,6 +12,7 @@ require (
 	github.com/go-ldap/ldap/v3 v3.4.9
 	github.com/go-sql-driver/mysql v1.8.1
 	github.com/google/cel-go v0.13.0
 	github.com/google/gopacket v1.1.19
 	github.com/hirochachacha/go-smb2 v1.1.0
 	github.com/jlaffaye/ftp v0.2.0
 	github.com/lib/pq v1.10.9
@ -44,7 +45,6 @@ require (
 	github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/gopacket v1.1.19 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -359,7 +359,6 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de h1:5hukYrvBGR8/eNkX5mdUezrA6JiaEZDtJb9Ei+1LlBs=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=