mirror of https://github.com/shadow1ng/fscan.git synced 2025-07-14 05:12:36 +08:00

一款内网综合扫描工具，方便一键自动化、全方位漏扫扫描。

Go to file

Budi Komarudin bc8c5648f3 Translate 3 file from Plugins		2025-03-19 12:21:51 +00:00
.github	fix: 暂时去除mips相关	2025-02-14 20:45:44 +08:00
Common	Change default lang to en	2025-03-19 08:42:22 +00:00
Core	CN to EN from Core	2025-03-19 10:31:08 +00:00
Docs	refactor: 输出格式重构，去掉所有插件的多线程，因为多线程会导致结果不准确，加入进度条	2025-01-01 07:18:36 +08:00
image	update README.md	2025-02-25 15:01:45 +08:00
Plugins	Translate 3 file from Plugins	2025-03-19 12:21:51 +00:00
TestDocker	refactor: 全部优化为多线程	2024-12-31 20:25:54 +08:00
WebScan	update	2025-02-25 20:15:15 +08:00
.gitignore	refactor: 全部优化为多线程	2024-12-31 20:25:54 +08:00
go.mod	fix: 降级go版本适应环境	2025-01-15 15:49:22 +08:00
go.sum	fix: 降级go版本适应环境	2025-01-15 15:49:22 +08:00
LICENSE.txt	add License.txt	2021-09-12 14:38:28 +08:00
main.go	feat: 分离结果输出和日志	2025-01-14 23:38:58 +08:00
README_CN.md	Update readme	2025-03-19 10:51:16 +00:00
README.md	Update readme	2025-03-19 10:51:16 +00:00

README.md

Fscan 2.0.0

English | 中文

0x00 New Features

UI/UX optimization
Added -f and -o parameters, -f supports txt/csv/json, output format optimization
Added port fingerprint recognition feature.
Added local information collection module, local domain control detection module, and local Minidump module
Added scanning for Telnet, VNC, Elasticsearch, RabbitMQ, Kafka, ActiveMQ, LDAP, SMTP, IMAP, POP3, SNMP, Zabbix, Modbus, Rsync, Cassandra, Neo4j.
Architecture refactoring, built with reflection + plugin modules
Added -log parameter, supports INFO, SUCCESS, ERROR, DEBUG parameters for debugging specific information.
Optimized threading, now runs with better multithreading

Due to the comprehensive refactoring of the old version code, there may inevitably be bugs. Please submit an issue if you encounter any bugs, and they will be fixed as soon as possible. Thank you.

Welcome to submit new plugin modules. Currently, plugins are in a quick hot-plug form, suitable for easy development.

0x01 Introduction

A comprehensive internal network scanning tool with rich features, providing one-click automated, all-around vulnerability scanning capabilities.

Main Features

Host live detection: Quickly identify active hosts in the internal network
Port scanning: Fully detect open ports on target hosts
Service brute force: Support password brute force testing for common services
Vulnerability exploitation: Integrated high-risk vulnerability detection such as MS17-010
Redis exploitation: Support batch writing of public keys for permission acquisition
System information collection: Can read Windows network card information
Web application detection:
- Web fingerprint recognition
- Web vulnerability scanning
Domain environment detection:
- NetBIOS information acquisition
- Domain controller identification
Post-exploitation features: Support for reverse shell through scheduled tasks

0x02 Main Features

1. Information Collection

ICMP-based host live detection: Quickly identify active host devices in the network
Comprehensive port scanning: Systematically detect open ports on target hosts

2. Brute Force Features

Common service password brute force: Support authentication testing for multiple protocols such as SSH, SMB, RDP
Database password brute force: Cover mainstream database systems such as MySQL, MSSQL, Redis, PostgreSQL, Oracle

3. System Information and Vulnerability Scanning

Network information collection: Including NetBIOS detection and domain controller identification
System information acquisition: Able to read network card configuration information of the target system
Security vulnerability detection: Support identification and detection of high-risk vulnerabilities such as MS17-010

4. Web Application Detection

Website information collection: Automatically obtain website title information
Web fingerprint recognition: Can identify common CMS systems and OA frameworks
Vulnerability scanning capabilities: Integrated vulnerability detection for WebLogic, Struts2, etc., compatible with XRay POC

5. Vulnerability Exploitation Modules

Redis exploitation: Support writing public keys or implanting scheduled tasks
SSH remote execution: Provide SSH command execution function
MS17-010 exploitation: Support ShellCode injection, can perform operations such as adding users

6. Auxiliary Features

Scan result storage: Save all detection results to a file for subsequent analysis

0x03 Usage Instructions

Basic Scan Configuration

Due to refactoring, not all parameters can be guaranteed to work properly. Please submit an issue if you encounter any problems.

Target Configuration

-h      Specify target (supports formats: 192.168.1.1/24, 192.168.1.1-255, 192.168.1.1,192.168.1.2)
-eh     Exclude specific targets
-hf     Import targets from file

Port Configuration

-p      Specify port range (default common ports), e.g., -p 22,80,3306 or -p 1-65535
-portf  Import port list from file

Authentication Configuration

Username and Password

-user   Specify username
-pwd    Specify password
-userf  Username dictionary file
-pwdf   Password dictionary file
-usera  Add additional username
-pwda   Add additional password
-domain Specify domain

SSH Related

-sshkey SSH private key path
-c      Command to execute after SSH connection

Scan Control

Scan Mode

-m      Specify scan mode (default is All)
-t      Number of threads (default 60)
-time   Timeout (default 3 seconds)
-top    Display number of live detection results (default 10)
-np     Skip live detection
-ping   Use ping instead of ICMP
-skip   Skip fingerprint recognition

Web Scan Configuration

-u      Specify single URL scan
-uf     Import URL list from file
-cookie Set Cookie
-wt     Web request timeout (default 5 seconds)

Proxy Settings

-proxy  HTTP proxy (e.g., http://127.0.0.1:8080)
-socks5 SOCKS5 proxy (e.g., 127.0.0.1:1080)

POC Scan Configuration

-pocpath POC file path
-pocname Specify POC name
-full    Enable full POC scan
-dns     Enable DNS log
-num     POC concurrency (default 20)

Redis Exploitation Configuration

-rf      Redis file name
-rs      Redis Shell configuration
-noredis Disable Redis detection

Output Control

-o       Output file path (default off)
-f       Output format (default txt)
-no      Disable result saving
-silent  Silent mode
-nocolor Disable color output
-json    JSON format output
-log     Log level setting
-pg      Display scan progress bar

Other Configuration

-local   Local mode
-nobr    Disable brute force
-retry   Maximum retry times (default 3)
-path    Remote path configuration
-hash    Hash value
-hashf   Hash file
-sc      Shellcode configuration
-wmi     Enable WMI
-lang    Language setting (default zh)

Due to refactoring, not all parameters can be guaranteed to work properly. Please submit an issue if you encounter any problems.

Compilation Instructions

# Basic compilation
go build -ldflags="-s -w" -trimpath main.go

# UPX compression (optional)
upx -9 fscan

System Installation

# Arch Linux
yay -S fscan-git
# or
paru -S fscan-git

0x04 Screenshots

fscan.exe -h 192.168.x.x (full functionality, ms17010, read network card information)

fscan.exe -h 192.168.x.x -rf id_rsa.pub (redis write public key)

fscan.exe -h 192.168.x.x -c "whoami;id" (ssh command)

fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080 one-click support for xray's poc

fscan.exe -h 192.168.x.x -p 139 (netbios detection, domain control identification, the [+]DC in the picture represents domain control)

go run .\main.go -h 192.168.x.x/24 -m netbios (when using -m netbios, complete netbios information will be displayed)

go run .\main.go -h 192.0.0.0/8 -m icmp (detect the gateway and several random IPs of each C segment, and count the top 10 B and C segment live counts)

New display

0x05 Disclaimer

This tool is only for legally authorized enterprise security construction activities. If you need to test the availability of this tool, please set up your own target environment.

To avoid malicious use, all included POCs in this project are theoretical judgments of vulnerabilities, without the process of exploiting vulnerabilities, and will not launch real attacks and exploit vulnerabilities on the target.

When using this tool for detection, you should ensure that the behavior complies with local laws and regulations and has obtained sufficient authorization. Do not scan unauthorized targets.

If you engage in any illegal behavior while using this tool, you will bear the corresponding consequences yourself, and we will not bear any legal and joint liability.

Before installing and using this tool, please read and fully understand the content of each clause carefully, and pay special attention to the clauses that limit, exempt, or involve your significant rights and interests, which may be highlighted in bold or underlined.

Unless you have fully read, fully understood, and accepted all the terms of this agreement, please do not install and use this tool. Your use behavior or your express or implied acceptance of this agreement will be deemed as you have read and agreed to be bound by this agreement.

0x06 404StarLink 2.0 - Galaxy

fscan is part of the 404Team StarLink Project 2.0. If you have any questions about fscan or want to find partners to communicate with, you can refer to the StarLink Project's group joining method.

https://github.com/knownsec/404StarLink2.0-Galaxy#community

Demo video 【Security Tool】5 major functions, one-click internal network scanning artifact - 404 StarLink Project fscan

0x07 Security Training

Learn network security, choose Linglong Security! Professional vulnerability mining, precise risk positioning; help skill improvement, shape security elites; Linglong Security, escort your digital world!
Free online learning of network security, covering src vulnerability mining, 0 basic security entry. Suitable for beginners, advanced, experts: https://space.bilibili.com/602205041
Linglong Security past students' good news🎉: https://www.ifhsec.com/list.html
Linglong Security vulnerability mining training contact WeChat: linglongsec

0x08 Star Chart

0x09 Donation

If you think this project is helpful to you, you can buy the author a drink🍹 Click me

0x10 Reference Links

https://github.com/Adminisme/ServerScan
https://github.com/netxfly/x-crack
https://github.com/hack2fun/Gscan
https://github.com/k8gege/LadonGo
https://github.com/jjf012/gopoc

0x11 Recent Updates

2025 Updates

Added plugins

2024 Updates

2024/12/19: v2.0.0 Major Update
- Complete code refactoring, improved performance and maintainability
- Redesigned modular architecture, supports plugin extensions
- Improved concurrency control, enhanced scanning efficiency

2023 Updates

2023/11/13:
- Added console color output (can be turned off with -nocolor)
- Support saving results in JSON format (-json)
- Adjusted minimum TLS version to 1.0
- Support port grouping (-p db,web,service)

2022 Updates

2022/11/19: Added hash collision and wmiexec command execution without echo
2022/7/14: Improved file import support and search matching functionality
2022/7/6: Optimized memory management, extended URL support
2022/7/2:
- Enhanced POC fuzz module
- Added MS17017 exploitation feature
- Added socks5 proxy support
2022/4/20: Added POC path specification and port file import functionality
2022/2/25: Added webonly mode (thanks @AgeloVito)
2022/1/11: Added Oracle password brute force
2022/1/7: Improved large-scale segment scanning, added LiveTop feature

2021 Updates

2021/12/7: Added RDP scanning feature
2021/12/1: Comprehensive optimization of functional modules
2021/6/18: Improved POC recognition mechanism
2021/5/29: Added FCGI unauthorized scanning
2021/5/15: Released Windows 2003 version
2021/5/6: Updated core modules
2021/4/21: Added NetBIOS detection and domain control identification
2021/3/4: Support batch URL scanning
2021/2/25: Support password brute force feature
2021/2/8: Added fingerprint recognition feature
2021/2/5: Optimized ICMP detection

2020 Updates

2020/12/12: Integrated YAML parsing engine, supports XRay POC
2020/12/6: Optimized ICMP module
2020/12/03: Improved IP segment handling
2020/11/17: Added WebScan module
2020/11/16: Optimized ICMP module
2020/11/15: Support file import IP

Thanks to all developers who contributed to the project