
GoScan: An Interactive Network Scanner Client

GoScan is a useful framework that simplifies network enumeration.

GoScan vs. Other Network Scanners

Network enumeration is one of the fundamental phases of an attack, but depending on the scope it can consume a great deal of time and effort. We have all been spoiled by Nmap and similar tools: there is a learning curve, but they are extremely useful. GoScan, which is built on top of Nmap, goes one step further and offers an automated way to enumerate networks and services.

GoScan is an interactive network scanner written in Go that automates parts of Nmap scanning and service enumeration. It offers smart tab completion and keeps an SQLite database on the back end, so its state and results persist even in unstable environments where a session may drop. GoScan also integrates with external tools such as sqlmap, DNSenum, Hydra, Nikto, EyeWitness, and NBTScan.

Installing GoScan and Getting Ready

We will use Metasploitable 2 as the target machine and Kali Linux as our local machine, but you can test the tool with any other setup.

To download GoScan, we can use wget to grab the release archive directly from GitHub (this walkthrough uses v2.4):

~# wget https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_amd64.zip

--2020-03-01 12:03:35--  https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_amd64.zip
Resolving github.com (github.com)... 192.30.253.112
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/133977183/d62b7180-45d6-11e9-95a0-a27738c7d5cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200301%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200301T170336Z&X-Amz-Expires=300&X-Amz-Signature=30bf07eb967416e5c5f5bdd2f11e144d4b41f55675e75558f435b2fb36b5982d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dgoscan_2.4_linux_amd64.zip&response-content-type=application%2Foctet-stream [following]
--2020-03-01 12:03:36--  https://github-production-release-asset-2e65be.s3.amazonaws.com/133977183/d62b7180-45d6-11e9-95a0-a27738c7d5cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200301%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200301T170336Z&X-Amz-Expires=300&X-Amz-Signature=30bf07eb967416e5c5f5bdd2f11e144d4b41f55675e75558f435b2fb36b5982d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dgoscan_2.4_linux_amd64.zip&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.177.3
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.177.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5031753 (4.8M) [application/octet-stream]
Saving to: ‘goscan_2.4_linux_amd64.zip’

goscan_2.4_linux_amd64.zip 100%[===========================>]   4.80M  6.60MB/s    in 0.7s

2020-03-01 12:03:37 (6.60 MB/s) - ‘goscan_2.4_linux_amd64.zip’ saved [5031753/5031753]

Unzip it:

~# unzip goscan_2.4_linux_amd64.zip

Archive:  goscan_2.4_linux_amd64.zip
  inflating: goscan

Move the binary into /bin/ with mv so that it is on the PATH (any directory on your PATH, such as /usr/local/bin, works just as well):

~# mv ./goscan /bin/goscan

When we run GoScan, we are dropped straight into the framework's interactive shell:

~# goscan

_________     ___________________________   __
__  ____/_______  ___/_  ____/__    |__  | / /
_  / __ _  __ \____ \_  /    __  /| |_   |/ /
/ /_/ / / /_/ /___/ // /___  _  ___ |  /|  /
\____/  \____//____/ \____/  /_/  |_/_/ |_/

                goscan (v.2.4)
        Marco Lancini [@LanciniMarco]

[-] Created directory: /root/.goscan
[-] Connected to DB
[goscan] >

GoScan includes automatic command suggestions and tab completion, which make it easy to use. Just start typing a command and a suggestion appears together with its description:

[goscan] > he
              help  Show help
[goscan] > help

[*] GoScan automates the scanning and enumeration steps of a penetration test
[*] Available commands:
+----------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------+
|            AREA            |                                   COMMAND                                    |                                      SYNTAX                                      |
+----------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------+
| Load target                | Add a single target via the CLI (must be a /32)                              | load target SINGLE <IP>                                                          |
| Load target                | Upload multiple targets from a text file or folder                           | load target MULTI <path-to-file>                                                 |
| Host Discovery             | Perform a Ping Sweep                                                         | sweep <TYPE> <TARGET>                                                            |
| Load Host Discovery        | Add a single alive host via the CLI (must be a /32)                          | load alive SINGLE <IP>                                                           |
| Load Host Discovery        | Upload multiple alive hosts from a text file or folder                       | load alive MULTI <path-to-file>                                                  |
| Port Scan                  | Perform a port scan                                                          | portscan <TYPE> <TARGET>                                                         |
| Load Port Scan             | Upload nmap port scan results from XML files or folder                       | load portscan <path-to-file>                                                     |
| Service Enumeration        | Dry Run (only show commands, without performing them                         | enumerate <TYPE> DRY <TARGET>                                                    |
| Service Enumeration        | Perform enumeration of detected services                                     | enumerate <TYPE> <POLITE/AGGRESSIVE> <TARGET>                                    |
| Special Scan - EyeWitness  | Take screenshots of websites, RDP services, and open VNC servers (KALI ONLY) | special eyewitness                                                               |
| Special Scan - Domain Info | Extract Windows domain information from enumeration data                     | special domain <users/hosts/servers>                                             |
| Special Scan - DNS         | Enumerate DNS (nmap, dnsrecon, dnsenum)                                      | special dns DISCOVERY <domain>                                                   |
| Special Scan - DNS         | Bruteforce DNS                                                               | special dns BRUTEFORCE <domain>                                                  |
| Special Scan - DNS         | Reverse Bruteforce DNS                                                       | special dns BRUTEFORCE_REVERSE <domain> <base_IP>                                |
| Show                       | Show targets                                                                 | show targets                                                                     |
| Show                       | Show live hosts                                                              | show hosts                                                                       |
| Show                       | Show detailed ports information                                              | show ports                                                                       |
| Utils                      | Set configs from file                                                        | set config_file <PATH>                                                           |
| Utils                      | Set output folder                                                            | set output_folder <PATH>                                                         |
| Utils                      | Modify the default nmap switches                                             | set nmap_switches <SWEEP/TCP_FULL/TCP_STANDARD/TCP_VULN/UDP_STANDARD> <SWITCHES> |
| Utils                      | Modify the default wordlists                                                 | set wordlists <FINGER_USER/FTP_USER/...> <PATH>                                  |
| Utils                      | Exit this program                                                            | exit                                                                             |
+----------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------+

We can load multiple IP addresses from a file or, as in our case, the single IP of the target machine (a single target must be a /32):

[goscan] > load target SINGLE 10.10.0.50

[*] Imported target: 10.10.0.50

Next, let's run a ping sweep:

[goscan] > sweep PING 10.10.0.50

[*] Starting Ping Sweep
[goscan] > [-] Created directory: /root/.goscan/10.10.0.50/sweep
[-] Executing command: nmap -n -sn -PE -PP 10.10.0.50 -oA /root/.goscan/10.10.0.50/sweep/ping_10.10.0.50
[*] [ping] Nmap work in progress on host:   10.10.0.50
[+] [ping] Nmap finished on host:   10.10.0.50
[+] [ping] Output has been saved at:    /root/.goscan

Port Scanning

GoScan creates a directory to hold the results, organized by target and by step. The location can be changed with set output_folder, but the default works fine. Next we can see the exact Nmap command it builds and executes, and it tells us when the scan has finished.

If we browse to the newly created directory where the results are stored, we see that the output was saved in several formats (the -oA switch in the Nmap command writes normal, grepable, and XML output side by side):

~# ls .goscan/10.10.0.50/sweep/

ping_10.10.0.50.gnmap  ping_10.10.0.50.nmap  ping_10.10.0.50.xml

GoScan's port scanning is probably its most powerful feature. When we start typing portscan, we can see the various scan types it can perform:

[goscan] > portscan
                     TCP-FULL       Perform FULL TCP scan
                     TCP-STANDARD   Perform TCP scan (top 200)
                     TCP-PROD       Perform PROD TCP scan (T3, no scripts)
                     TCP-VULN-SCAN  Perform TCP VULN scan (vulscan.nse)
                     UDP-STANDARD   Perform UDP scan (common ports)
                     UDP-PROD       Perform PROD UDP scan (T3, no scripts)

For example, we can run a full TCP scan. Look at the command GoScan builds: a TCP connect scan (-sT) of all 65535 ports (-p-) with default scripts plus OS and version detection (-sC -A) at timing template -T4. That is thorough but slow on a large range and far from quiet; the TCP-PROD variant (T3, no scripts) is the gentler choice against production systems:

[goscan] > portscan TCP-FULL 10.10.0.50

[*] Starting full TCP port scan
[goscan] > [-] Created directory: /root/.goscan/10.10.0.50/portscan
[-] Executing command: nmap -Pn -sT -sC -A -T4 -p- 10.10.0.50 -oA /root/.goscan/10.10.0.50/portscan/tcp_full_10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
[*] [tcp_full] Nmap work in progress on host:   10.10.0.50
...

And a UDP scan of the common ports. Here the target is ALL, which tells GoScan to scan every loaded target (in our case just 10.10.0.50):

[goscan] > portscan UDP-STANDARD ALL

[*] Starting UDP port scan (common ports)
[goscan] > [-] Executing command: nmap -Pn -sU -sC -A -T4 -p19,53,69,79,111,123,135,137,138,161,177,445,500,514,520,1434,1900,5353 10.10.0.50 -oA /root/.goscan/10.10.0.50/portscan/udp_standard_10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
[*] [udp_standard] Nmap work in progress on host:   10.10.0.50
...

Results from scans run outside GoScan can be imported with the load command, which accepts Nmap XML output (a single file or a folder):

[goscan] > load portscan nmap_results.xml
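The files GoScan writes with -oA and reads back with load portscan are ordinary Nmap XML, so it is worth being able to parse that format yourself, for instance to triage results from a scan run elsewhere before importing them. The Python script below is an added example for this article, not GoScan's own code. It parses a constructed, abridged Nmap XML sample (modelled on the page's target, not a real capture) into the same host/port/state/service rows that show ports displays, pulls out the OS match shown in show hosts, and singles out the UDP ports reported open|filtered, for which it builds a targeted nmap -sU -sV follow-up command. The element and attribute names are the standard Nmap XML ones; the function names are the example's own.

```python
"""Parse Nmap XML (the format `load portscan` ingests and -oA writes) into
the host/port table GoScan shows, then pick out UDP ports that still need
a follow-up scan. Added example for this article; not part of GoScan."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed, abridged sample shaped like `nmap -oA` output for the page's
# target. Only the elements this parser reads are included.
SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -Pn -sU -sC -A -T4 -p19,111,161 10.10.0.50">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.10.0.50" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="5355">
        <state state="open" reason="syn-ack"/>
        <service name="llmnr" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="19">
        <state state="closed" reason="port-unreach"/>
        <service name="chargen" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="111">
        <state state="open|filtered" reason="no-response"/>
        <service name="rpcbind" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 3.2 - 4.9" accuracy="95"/>
    </os>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class PortResult:
    host: str
    port: int
    proto: str
    state: str
    reason: str    # why Nmap chose the state: syn-ack, port-unreach, no-response, ...
    service: str


def parse_nmap_xml(xml_text: str) -> list[PortResult]:
    """Flatten every <host>/<port> pair into one PortResult row."""
    root = ET.fromstring(xml_text)
    rows: list[PortResult] = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # this example only handles IPv4 hosts
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            rows.append(PortResult(
                host=addr.get("addr", ""),
                port=int(port.get("portid", "0")),
                proto=port.get("protocol", ""),
                state=state.get("state", "") if state is not None else "",
                reason=state.get("reason", "") if state is not None else "",
                service=service.get("name", "") if service is not None else "",
            ))
    return rows


def os_guesses(xml_text: str) -> dict[str, str]:
    """First OS match per host, the value GoScan shows in the OS column."""
    root = ET.fromstring(xml_text)
    guesses: dict[str, str] = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        match = host.find("os/osmatch")
        if addr is not None and match is not None:
            guesses[addr.get("addr", "")] = match.get("name", "")
    return guesses


def udp_followup(rows: list[PortResult]) -> list[PortResult]:
    """open|filtered UDP ports drew no reply at all, so Nmap cannot separate an
    open service from a firewall drop. Only closed (ICMP port unreachable) is
    conclusive; these are the rows worth probing again."""
    return [r for r in rows if r.proto == "udp" and r.state == "open|filtered"]


def followup_commands(rows: list[PortResult]) -> list[str]:
    """One targeted UDP version scan per host. -sV sends protocol-specific
    payloads, which is what usually resolves open|filtered to open or closed."""
    by_host: dict[str, list[int]] = {}
    for r in udp_followup(rows):
        by_host.setdefault(r.host, []).append(r.port)
    return [f"nmap -Pn -sU -sV -p{','.join(map(str, sorted(ports)))} {host}"
            for host, ports in by_host.items()]


def render_table(rows: list[PortResult]) -> str:
    """Plain-text rendering in the HOST / PORT / STATUS / SERVICE layout of `show ports`."""
    lines = [f"{'HOST':<12} {'PORT':<9} {'STATUS':<14} SERVICE"]
    for r in rows:
        portspec = f"{r.port}/{r.proto}"
        lines.append(f"{r.host:<12} {portspec:<9} {r.state:<14} {r.service}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(render_table(parsed))
    print("OS:", os_guesses(SAMPLE_NMAP_XML))
    for cmd in followup_commands(parsed):
        print("Follow-up:", cmd)
```

Point parse_nmap_xml at the .xml file from the portscan directory to reproduce the show ports table for a real run. The follow-up command is a suggestion to review before running: -sV against UDP is slow, and against a production host you would keep the timing conservative, just as GoScan's PROD scan types do.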

The show command displays whatever information GoScan has stored so far. We can view the targets and the step each one has reached:

[goscan] > show targets

+------------+---------+
|  ADDRESS   |  STEP   |
+------------+---------+
| 10.10.0.50 | SWEEPED |
+------------+---------+

And the status of the hosts, including the OS fingerprint and the ports:

[goscan] > show hosts

+------------+--------+-----------------+------+-------------------------------------+
|  ADDRESS   | STATUS |       OS        | INFO |                PORTS                |
+------------+--------+-----------------+------+-------------------------------------+
| 10.10.0.50 | up     | Linux 3.2 - 4.9 |      | *  5355/tcp open    : llmnr         |
|            |        |                 |      | *    19/udp closed  : chargen       |
|            |        |                 |      | *    53/udp closed  : domain        |
|            |        |                 |      | *    69/udp closed  : tftp          |
|            |        |                 |      | *    79/udp closed  : finger        |
|            |        |                 |      | *   111/udp open|filtered: rpcbind  |
|            |        |                 |      | *   123/udp closed  : ntp           |
|            |        |                 |      | *   135/udp open|filtered: msrpc    |
|            |        |                 |      | *   137/udp closed  : netbios-ns    |
|            |        |                 |      | *   138/udp closed  : netbios-dgm   |
|            |        |                 |      | *   161/udp open|filtered: snmp     |
|            |        |                 |      | *   177/udp closed  : xdmcp         |
|            |        |                 |      | *   445/udp closed  : microsoft-ds  |
|            |        |                 |      | *   500/udp open|filtered: isakmp   |
|            |        |                 |      | *   514/udp open|filtered: syslog   |
|            |        |                 |      | *   520/udp closed  : route         |
|            |        |                 |      | *  1434/udp closed  : ms-sql-m      |
|            |        |                 |      | *  1900/udp closed  : upnp          |
|            |        |                 |      | *  5353/udp open|filtered: zeroconf |
|            |        |                 |      |                                     |
+------------+--------+-----------------+------+-------------------------------------+

Note how to read the UDP results: ports marked open|filtered sent no reply at all, so Nmap cannot tell an open service from one a firewall silently drops; only the closed ports, which answered with ICMP port unreachable, are conclusive. A more structured view of ports and services is also available:

[goscan] > show ports

+------------+----------+---------------+--------------+
|    HOST    |   PORT   |    STATUS     |   SERVICE    |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 5355/tcp | open          | llmnr        |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 19/udp   | closed        | chargen      |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 53/udp   | closed        | domain       |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 69/udp   | closed        | tftp         |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 79/udp   | closed        | finger       |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 111/udp  | open|filtered | rpcbind      |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 123/udp  | closed        | ntp          |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 135/udp  | open|filtered | msrpc        |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 137/udp  | closed        | netbios-ns   |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 138/udp  | closed        | netbios-dgm  |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 161/udp  | open|filtered | snmp         |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 177/udp  | closed        | xdmcp        |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 445/udp  | closed        | microsoft-ds |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 500/udp  | open|filtered | isakmp       |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 514/udp  | open|filtered | syslog       |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 520/udp  | closed        | route        |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 1434/udp | closed        | ms-sql-m     |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 1900/udp | closed        | upnp         |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 5353/udp | open|filtered | zeroconf     |
+------------+----------+---------------+--------------+

Enumerating Services

Beyond port scanning, GoScan can also enumerate the services running on the target. Typing enumerate shows the available modules, which include FINGER, FTP, HTTP, RDP, and SMB, and picking one then offers a mode. Note the inconsistency here: the help table lists the modes as POLITE/AGGRESSIVE, while tab completion offers POLITE/BRUTEFORCE:

[goscan] > enumerate
                      ALL     Automatically identify open services and enumerate them
                      FINGER  Enumerate FINGER
                      FTP     Enumerate FTP
                      HTTP    Enumerate HTTP
                      RDP     Enumerate RDP
                      SMB     Enumerate SMB
[goscan] > enumerate HTTP
                           DRY         Only show the commands that would be performed, without performing them
                           POLITE      Avoid bruteforcing
                           BRUTEFORCE  Include bruteforce scripts

We can do a dry run of the HTTP enumeration, which only prints the commands that would be executed; since the stored scan results for this host show no HTTP service, there is nothing for it to list:

[goscan] > enumerate HTTP DRY 10.10.0.50

[*] Starting service enumeration
[goscan] > [+] [HTTP] Enumeration finished on host: 10.10.0.50
[+] [HTTP] Output has been saved at:    /root/.goscan

Special Scans

GoScan also includes some special scans that are useful for reconnaissance. Type special at the prompt to see the available options:

[goscan] > special
                    eyewitness  Take screenshots of websites, RDP services, and open VNC servers (KALI ONLY)
                    domain      Extract (windows) domain information from enumeration data
                    dns         Perform DNS enumeration

The eyewitness scan uses the EyeWitness tool to take screenshots of websites, RDP services, and open VNC servers. The only caveat is that EyeWitness must be installed and on the system PATH for it to work (the help marks it as KALI ONLY).

We can also use the domain scan to extract Windows domain information from the enumeration data, including users, hosts, and servers:

[goscan] > special domain
                           users    Extract users from enumeration data
                           hosts    Extract hosts from enumeration data
                           servers  Extract servers from enumeration data

The DNS scan performs several DNS enumeration techniques, such as discovery and brute forcing (forward and reverse):

[goscan] > special dns
                        DISCOVERY           Enumerate DNS (nmap, dnsrecon, dnsenum)
                        BRUTEFORCE          Bruteforce DNS
                        BRUTEFORCE_REVERSE  Reverse Bruteforce DNS

 

 
