Network enumeration is one of the fundamental phases of an attack, but depending on the scale of the network it can consume a great deal of time and effort. We have all been spoiled by Nmap and similar tools, which, despite their learning curve, are extremely useful. There is also GoScan, a tool built on top of Nmap that provides an automated way to enumerate networks and services.
GoScan is an interactive network scanner written in Go that automates certain aspects of Nmap and service enumeration. It features intelligent tab autocompletion and a SQLite database on the back end, so it can preserve connections and data even in unstable environments. GoScan also integrates with other external tools, such as sqlmap, DNSenum, Hydra, Nikto, EyeWitness, and NBTScan.
We will use Metasploitable 2 as the target machine and Kali Linux as our local machine, but you can test the tool with a different setup.
To download GoScan, we can grab it directly from GitHub with wget:
~# wget https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_amd64.zip
--2020-03-01 12:03:35-- https://github.com/marco-lancini/goscan/releases/download/v2.4/goscan_2.4_linux_amd64.zip
Resolving github.com (github.com)... 192.30.253.112
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/133977183/d62b7180-45d6-11e9-95a0-a27738c7d5cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200301%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200301T170336Z&X-Amz-Expires=300&X-Amz-Signature=30bf07eb967416e5c5f5bdd2f11e144d4b41f55675e75558f435b2fb36b5982d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dgoscan_2.4_linux_amd64.zip&response-content-type=application%2Foctet-stream [following]
--2020-03-01 12:03:36-- https://github-production-release-asset-2e65be.s3.amazonaws.com/133977183/d62b7180-45d6-11e9-95a0-a27738c7d5cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200301%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200301T170336Z&X-Amz-Expires=300&X-Amz-Signature=30bf07eb967416e5c5f5bdd2f11e144d4b41f55675e75558f435b2fb36b5982d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dgoscan_2.4_linux_amd64.zip&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.177.3
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.177.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5031753 (4.8M) [application/octet-stream]
Saving to: ‘goscan_2.4_linux_amd64.zip’
goscan_2.4_linux_amd64.zip 100%[===========================>] 4.80M 6.60MB/s in 0.7s
2020-03-01 12:03:37 (6.60 MB/s) - ‘goscan_2.4_linux_amd64.zip’ saved [5031753/5031753]
Next, unzip the archive:
~# unzip goscan_2.4_linux_amd64.zip
Archive: goscan_2.4_linux_amd64.zip
inflating: goscan
Then move the binary into the /bin/ directory using the mv command:
~# mv ./goscan /bin/goscan
When we run GoScan, we are dropped straight into its framework:
~# goscan
_________ ___________________________ __
__ ____/_______ ___/_ ____/__ |__ | / /
_ / __ _ __ \____ \_ / __ /| |_ |/ /
/ /_/ / / /_/ /___/ // /___ _ ___ | /| /
\____/ \____//____/ \____/ /_/ |_/_/ |_/
goscan (v.2.4)
Marco Lancini [@LanciniMarco]
[-] Created directory: /root/.goscan
[-] Connected to DB
[goscan] >
GoScan includes automatic command suggestions and tab completion, which make it easy to use. Just start typing a command and a suggestion appears along with its description:
[goscan] > he
help Show help
[goscan] > help
[*] GoScan automates the scanning and enumeration steps of a penetration test
[*] Available commands:
+----------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------+
| AREA | COMMAND | SYNTAX |
+----------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------+
| Load target | Add a single target via the CLI (must be a /32) | load target SINGLE <IP> |
| Load target | Upload multiple targets from a text file or folder | load target MULTI <path-to-file> |
| Host Discovery | Perform a Ping Sweep | sweep <TYPE> <TARGET> |
| Load Host Discovery | Add a single alive host via the CLI (must be a /32) | load alive SINGLE <IP> |
| Load Host Discovery | Upload multiple alive hosts from a text file or folder | load alive MULTI <path-to-file> |
| Port Scan | Perform a port scan | portscan <TYPE> <TARGET> |
| Load Port Scan | Upload nmap port scan results from XML files or folder | load portscan <path-to-file> |
| Service Enumeration | Dry Run (only show commands, without performing them | enumerate <TYPE> DRY <TARGET> |
| Service Enumeration | Perform enumeration of detected services | enumerate <TYPE> <POLITE/AGGRESSIVE> <TARGET> |
| Special Scan - EyeWitness | Take screenshots of websites, RDP services, and open VNC servers (KALI ONLY) | special eyewitness |
| Special Scan - Domain Info | Extract Windows domain information from enumeration data | special domain <users/hosts/servers> |
| Special Scan - DNS | Enumerate DNS (nmap, dnsrecon, dnsenum) | special dns DISCOVERY <domain> |
| Special Scan - DNS | Bruteforce DNS | special dns BRUTEFORCE <domain> |
| Special Scan - DNS | Reverse Bruteforce DNS | special dns BRUTEFORCE_REVERSE <domain> <base_IP> |
| Show | Show targets | show targets |
| Show | Show live hosts | show hosts |
| Show | Show detailed ports information | show ports |
| Utils | Set configs from file | set config_file <PATH> |
| Utils | Set output folder | set output_folder <PATH> |
| Utils | Modify the default nmap switches | set nmap_switches <SWEEP/TCP_FULL/TCP_STANDARD/TCP_VULN/UDP_STANDARD> <SWITCHES> |
| Utils | Modify the default wordlists | set wordlists <FINGER_USER/FTP_USER/...> <PATH> |
| Utils | Exit this program | exit |
+----------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------+
We can load multiple IP addresses or, as in our case, the single IP of the target machine:
[goscan] > load target SINGLE 10.10.0.50
[*] Imported target: 10.10.0.50
Next, let's perform a ping sweep:
[goscan] > sweep PING 10.10.0.50
[*] Starting Ping Sweep
[goscan] > [-] Created directory: /root/.goscan/10.10.0.50/sweep
[-] Executing command: nmap -n -sn -PE -PP 10.10.0.50 -oA /root/.goscan/10.10.0.50/sweep/ping_10.10.0.50
[*] [ping] Nmap work in progress on host: 10.10.0.50
[+] [ping] Nmap finished on host: 10.10.0.50
[+] [ping] Output has been saved at: /root/.goscan
GoScan creates a directory to hold the results. The directory can be configured to a custom location, but the default works fine. Next, we can see the Nmap command it invokes and executes, and it tells us when the scan has finished.
If we browse to the newly created directory where the results are stored, we can see that the output is saved in several different formats:
~# ls .goscan/10.10.0.50/sweep/
ping_10.10.0.50.gnmap ping_10.10.0.50.nmap ping_10.10.0.50.xml
GoScan's port scanning capability is probably its most powerful feature. When we start typing portscan, we can see the various scan types it can perform:
[goscan] > portscan
TCP-FULL Perform FULL TCP scan
TCP-STANDARD Perform TCP scan (top 200)
TCP-PROD Perform PROD TCP scan (T3, no scripts)
TCP-VULN-SCAN Perform TCP VULN scan (vulscan.nse)
UDP-STANDARD Perform UDP scan (common ports)
UDP-PROD Perform PROD UDP scan (T3, no scripts)
For example, we can run a full TCP scan:
[goscan] > portscan TCP-FULL 10.10.0.50
[*] Starting full TCP port scan
[goscan] > [-] Created directory: /root/.goscan/10.10.0.50/portscan
[-] Executing command: nmap -Pn -sT -sC -A -T4 -p- 10.10.0.50 -oA /root/.goscan/10.10.0.50/portscan/tcp_full_10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
[*] [tcp_full] Nmap work in progress on host: 10.10.0.50
And a UDP scan:
[goscan] > portscan UDP-STANDARD ALL
[*] Starting UDP port scan (common ports)
[goscan] > [-] Executing command: nmap -Pn -sU -sC -A -T4 -p19,53,69,79,111,123,135,137,138,161,177,445,500,514,520,1434,1900,5353 10.10.0.50 -oA /root/.goscan/10.10.0.50/portscan/udp_standard_10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
[*] [udp_standard] Nmap work in progress on host: 10.10.0.50
...
Any external scan results can be loaded with the load command:
[goscan] > load portscan nmap_results.xml
The show command can be used to display any information GoScan has stored so far. We can view the targets:
[goscan] > show targets
+------------+---------+
| ADDRESS | STEP |
+------------+---------+
| 10.10.0.50 | SWEEPED |
+------------+---------+
And display the status of the hosts, including OS information and ports:
[goscan] > show hosts
+------------+--------+-----------------+------+-------------------------------------+
| ADDRESS | STATUS | OS | INFO | PORTS |
+------------+--------+-----------------+------+-------------------------------------+
| 10.10.0.50 | up | Linux 3.2 - 4.9 | | * 5355/tcp open : llmnr |
| | | | | * 19/udp closed : chargen |
| | | | | * 53/udp closed : domain |
| | | | | * 69/udp closed : tftp |
| | | | | * 79/udp closed : finger |
| | | | | * 111/udp open|filtered: rpcbind |
| | | | | * 123/udp closed : ntp |
| | | | | * 135/udp open|filtered: msrpc |
| | | | | * 137/udp closed : netbios-ns |
| | | | | * 138/udp closed : netbios-dgm |
| | | | | * 161/udp open|filtered: snmp |
| | | | | * 177/udp closed : xdmcp |
| | | | | * 445/udp closed : microsoft-ds |
| | | | | * 500/udp open|filtered: isakmp |
| | | | | * 514/udp open|filtered: syslog |
| | | | | * 520/udp closed : route |
| | | | | * 1434/udp closed : ms-sql-m |
| | | | | * 1900/udp closed : upnp |
| | | | | * 5353/udp open|filtered: zeroconf |
| | | | | |
+------------+--------+-----------------+------+-------------------------------------+
There is also a more organized view of the ports and services:
[goscan] > show ports
+------------+----------+---------------+--------------+
| HOST | PORT | STATUS | SERVICE |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 5355/tcp | open | llmnr |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 19/udp | closed | chargen |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 53/udp | closed | domain |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 69/udp | closed | tftp |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 79/udp | closed | finger |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 111/udp | open|filtered | rpcbind |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 123/udp | closed | ntp |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 135/udp | open|filtered | msrpc |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 137/udp | closed | netbios-ns |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 138/udp | closed | netbios-dgm |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 161/udp | open|filtered | snmp |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 177/udp | closed | xdmcp |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 445/udp | closed | microsoft-ds |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 500/udp | open|filtered | isakmp |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 514/udp | open|filtered | syslog |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 520/udp | closed | route |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 1434/udp | closed | ms-sql-m |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 1900/udp | closed | upnp |
+------------+----------+---------------+--------------+
| 10.10.0.50 | 5353/udp | open|filtered | zeroconf |
+------------+----------+---------------+--------------+
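GoScan stores every scan as nmap -oA output (the .nmap, .gnmap and .xml files listed earlier) and re-reads the XML flavour through load portscan. As an added example (not GoScan's own code), the following Python parses such a report into the HOST/PORT/STATUS/SERVICE rows that show ports displays and separates confirmed open ports from the open|filtered UDP state seen in the table above; the XML is a constructed sample that mirrors this page's ports, not a captured scan.

```python
"""Parse an nmap XML report (the -oA output GoScan stores under ~/.goscan
and the format `load portscan` re-imports) into the HOST/PORT/STATUS/SERVICE
rows that `show ports` displays.  Added example, not GoScan's own code; the
sample report below is constructed to mirror the ports shown on this page."""
import xml.etree.ElementTree as ET

# Constructed nmap XML for 10.10.0.50 plus one host that never answered.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sT -sU -p19,111,4444,5355 10.10.0.50 10.10.0.51">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.10.0.50" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="5355"><state state="open" reason="syn-ack"/><service name="llmnr" method="table"/></port>
      <port protocol="udp" portid="19"><state state="closed" reason="port-unreach"/><service name="chargen" method="table"/></port>
      <port protocol="udp" portid="111"><state state="open|filtered" reason="no-response"/><service name="rpcbind" method="table"/></port>
      <port protocol="tcp" portid="4444"><state state="open" reason="syn-ack"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/><address addr="10.10.0.51" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (host, 'port/proto', state, service) for each port of each host
    nmap marked up.  A port with no <service> tag (4444/tcp) becomes 'unknown'."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no <ports>; skip them explicitly
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            rows.append((addr, f"{port.get('portid')}/{port.get('protocol')}",
                         port.find("state").get("state"),
                         svc.get("name") if svc is not None else "unknown"))
    return rows


def triage(rows):
    """Split ports for follow-up.  'open|filtered' means the UDP probe got no
    reply: the port may be open or a firewall may be dropping probes, so it
    is reported as unconfirmed rather than as a live service."""
    confirmed = [r for r in rows if r[2] == "open"]
    unconfirmed = [r for r in rows if r[2] == "open|filtered"]
    return confirmed, unconfirmed


if __name__ == "__main__":
    confirmed, unconfirmed = triage(parse_nmap_xml(SAMPLE_XML))
    print("confirmed open:", confirmed, "\nunconfirmed (open|filtered):", unconfirmed)
```

Point parse_nmap_xml at a real file such as /root/.goscan/10.10.0.50/portscan/tcp_full_10.10.0.50.xml to get the same rows GoScan shows.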
Beyond port scanning, GoScan also lets us enumerate the services running on the target. Typing enumerate shows us the available modules, which include FINGER, FTP, HTTP, RDP, and SMB:
[goscan] > enumerate
ALL Automatically identify open services and enumerate them
FINGER Enumerate FINGER
FTP Enumerate FTP
HTTP Enumerate HTTP
RDP Enumerate RDP
SMB Enumerate SMB
[goscan] > enumerate HTTP
DRY Only show the commands that would be performed, without performing them
POLITE Avoid bruteforcing
BRUTEFORCE Include bruteforce scripts
We can do a dry run of the HTTP scan:
[goscan] > enumerate HTTP DRY 10.10.0.50
[*] Starting service enumeration
[goscan] > [+] [HTTP] Enumeration finished on host: 10.10.0.50
[+] [HTTP] Output has been saved at: /root/.goscan
GoScan also includes some special scans that are useful for reconnaissance. Type special at the prompt to see the available options:
[goscan] > special
eyewitness Take screenshots of websites, RDP services, and open VNC servers (KALI ONLY)
domain Extract (windows) domain information from enumeration data
dns Perform DNS enumeration
The eyewitness scan uses the EyeWitness tool, which takes screenshots of websites, RDP services, and VNC servers. The only caveat is that EyeWitness must be installed and on the system PATH for it to work.
We can also use the domain scan to enumerate certain domain information, including users, hosts, and servers:
[goscan] > special domain
users Extract users from enumeration data
hosts Extract hosts from enumeration data
servers Extract servers from enumeration data
The DNS scan performs several DNS enumeration techniques, such as discovery and brute forcing:
[goscan] > special dns
DISCOVERY Enumerate DNS (nmap, dnsrecon, dnsenum)
BRUTEFORCE Bruteforce DNS
BRUTEFORCE_REVERSE Reverse Bruteforce DNS