forked from lcvvvv/kscan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
kscan.go.eng
251 lines (238 loc) · 12.6 KB
/
kscan.go.eng
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
package main
import (
"github.com/lcvvvv/gonmap"
"github.com/lcvvvv/gonmap/lib/httpfinger"
"kscan/app"
"kscan/core/fofa"
"kscan/core/slog"
"kscan/core/spy"
"kscan/core/touch"
"kscan/lib/color"
"kscan/lib/pool"
"kscan/run"
"os"
"runtime"
"strconv"
"time"
)
//logo information
const logo = `
_ __
|#| /#/ Lightweight Asset Mapping Tool by: kv2
|#|/#/ _____ _____ * _ _
|#.#/ /Edge/ /Forum| /#\ |#\ |#|
|##| |#|___ |#| /###\ |##\|#|
|#.#\ \#####\|#| /#/_\#\ |#.#.#|
|#|\#\ /\___|#||#|____/#/###\#\|#|\##|
|#| \#\\#####/ \#####/#/ v1.70#\#| \#|
`
//help information
const help = `
optional arguments:
-h , --help show this help message and exit
-f , --fofa Get the detection object from fofa, you need to configure the environment variables in advance: FOFA_EMAIL, FOFA_KEY
-t , --target Specify the detection target:
IP address: 114.114.114.114
IP address segment: 114.114.114.114/24, subnet mask less than 12 is not recommended
IP address range: 114.114.114.114-115.115.115.115
URL address: https://www.baidu.com
File address: file:/tmp/target.txt
--spy network segment detection mode, in this mode, the internal network segment reachable by the host will be automatically detected. The acceptable parameters are:
(empty), 192, 10, 172, all, specified IP address (the IP address B segment will be detected as the surviving gateway)
--check Fingerprinting the target address, only port detection will not be performed
--scan will perform port scanning and fingerprinting on the target objects provided by --fofa and --spy
--touch Get the return package of the specified port, you can use this parameter to get the return package and improve the fingerprint library, the format is: IP:PORT
-p , --port scan the specified port, TOP400 will be scanned by default, support: 80, 8080, 8088-8090
-o , --output save scan results to file
-oJ save the scan results to a file in json format
-Pn After using this parameter, intelligent survivability detection will not be performed. Now intelligent survivability detection is enabled by default to improve efficiency.
-Cn With this parameter, the console output will not be colored.
-sV After using this parameter, all ports will be probed with full probes. This parameter greatly affects the efficiency, so use it with caution!
--top Scan the filtered common ports TopX, up to 1000, the default is TOP400
--proxy set proxy (socks5|socks4|https|http)://IP:Port
--threads thread parameter, the default thread is 100, the maximum value is 2048
--path specifies the directory to request access, only a single directory is supported
--host specifies the header Host value for all requests
--timeout set timeout
--encoding Set the terminal output encoding, which can be specified as: gb2312, utf-8
--match returns the banner to the asset for retrieval. If there is a keyword, it will be displayed, otherwise it will not be displayed
--hydra automatic blasting support protocol: ssh, rdp, ftp, smb, mysql, mssql, oracle, postgresql, mongodb, redis, all are enabled by default
hydra options:
--hydra-user custom hydra blasting username: username or user1,user2 or file:username.txt
--hydra-pass Custom hydra blasting password: password or pass1,pass2 or file:password.txt
If there is a comma in the password, use \, to escape, other symbols do not need to be escaped
--hydra-update Customize the user name and password mode. If this parameter is carried, it is a new mode, and the user name and password will be added to the default dictionary. Otherwise the default dictionary will be replaced.
--hydra-mod specifies the automatic brute force cracking module: rdp or rdp, ssh, smb
fofa options:
--fofa-syntax will get fofa search syntax description
--fofa-size will set the number of entries returned by fofa, the default is 100
--fofa-fix-keyword Modifies the keyword, and the {} in this parameter will eventually be replaced with the value of the -f parameter
`
const usage = "usage: kscan [-h,--help,--fofa-syntax] (-t,--target,-f,--fofa,--touch) [--spy] [-p,- -port|--top] [-o,--output] [-oJ] [--proxy] [--threads] [--path] [--host] [--timeout] [-Pn] [- Cn] [-sV] [--check] [--encoding] [--hydra] [hydra options] [fofa options]\n\n"
const syntax = `title="beijing" searches for "Beijing" from the title -
header="elastic" searches for "elastic" from http headers -
body="Cyberspace Mapping" Search "Cyberspace Mapping" from the html body -
domain="qq.com" Search for websites with qq.com in the root domain name. -
icp="Jing ICP Certificate No. 030173" Find the website with the record number of "Jing ICP Certificate No. 030173" Search for website type assets
js_name="js/jquery.js" Find assets containing js/jquery.js Search for site type assets
js_md5="82ac3f14327a8b7ba49baa208d4eaa15" to find assets whose js source code matches -
icon_hash="-247388890" Search for assets that use this icon. For FOFA Premium members only
host=".gov.cn" Search ".gov.cn" from the url, use host as the name
port="6379" to find assets corresponding to port "6379" -
ip="1.1.1.1" Search for websites containing "1.1.1.1" from ip Search using ip as the name
ip="220.181.111.1/24" Query the assets of network segment C whose IP is "220.181.111.1" -
status_code="402" Query server for assets with status "402" -
protocol="quic" Query quic protocol assets Search for the specified protocol type (valid when port scanning is enabled)
country="CN" searches for assets in the specified country (code). -
region="Xinjiang" searches for assets in the specified administrative region. -
city="Changsha" searches for assets in the specified city. -
cert="baidu" searches for assets with baidu in the certificate. -
cert.subject="Oracle" searches for a certificate holder that is an Oracle property -
cert.issuer="DigiCert" searches for assets whose certificate issuer is DigiCert Inc -
cert.is_valid=true Verify that the certificate is valid Only for FOFA Premium members
type=service Search all protocol assets Search all protocol assets
os="centos" searches for CentOS assets. -
server=="Microsoft-IIS" searches for IIS 10 servers. -
app="Oracle" searches for Microsoft-Exchange devices -
after="2017" && before="2017-10-01" time range segment search -
asn="19551" Searches for assets with the specified asn. -
org="Amazon.com, Inc." Searches the property of the specified org (organization). -
base_protocol="udp" searches for assets with the specified udp protocol. -
is_fraud=falsenew Exclude phishing/fraud data -
is_honeypot=false Exclude honeypot data Only available to FOFA Premium members
is_ipv6=true Search ipv6 assets Search ipv6 assets, only accept true and false.
is_domain=true Search the assets of the domain name Search the assets of the domain name, only accept true and false.
port_size="6" Query assets with open ports equal to "6" Only for FOFA members
port_size_gt="6" Query assets with open ports greater than "6" Only for FOFA members
port_size_lt="12" Query assets with open ports less than "12" Only for FOFA members
ip_ports="80,161" Search for IPs that open ports 80 and 161 at the same time Search for IP assets that open ports 80 and 161 at the same time (asset data in ip units)
ip_country="CN" searches for ip assets in China. Search for IP assets in China
ip_region="Zhejiang" searches for ip assets in the specified administrative region. claim assets in a designated borough
ip_city="Hangzhou" searches for ip assets in the specified city. Search for assets in a given city
ip_after="2021-03-18" Search ip assets after 2021-03-18. Search ip assets after 2021-03-18
ip_before="2019-09-09" Search ip assets before 2019-09-09. Search ip assets before 2019-09-09
`
func main() {
startTime := time.Now()
//Environment initialization
Init()
//check upgrade status
//app.CheckUpdate()
if app.Setting.Spy != "None" {
InitSpy()
spy.Start()
if spy.Scan {
app.Setting.HostTarget = spy.Target
}
}
//fofa module initialization
if len(app.Setting.Fofa) > 0 {
InitFofa()
}
//kscan module start
if len(app.Setting.UrlTarget) > 0 || len(app.Setting.HostTarget) > 0 {
//Scan module initialization
InitKscan()
// start scanning
run.Start(app.Setting)
}
//touch module start
if app.Setting.Touch != "None" {
gonmap.Init(9)
gonmap.SetTimeout(app.Setting.Timeout)
gonmap.SetLogger(slog.Debug())
//Enable full probe mode
gonmap.SetScanVersion()
tcpBanner := touch.Touch(app.Setting.Touch)
slog.Println(slog.INFO, "Netloc:", tcpBanner.Target.URI())
slog.Println(slog.INFO, "Status:", tcpBanner.StatusDisplay())
if tcpBanner.Status() == gonmap.Matched {
slog.Println(slog.INFO, "ProbesName:", tcpBanner.TcpFinger.ProbeName)
slog.Println(slog.INFO, "MatchedRegex:", tcpBanner.TcpFinger.MatchRegexString)
slog.Println(slog.INFO, "Protocol:", tcpBanner.TcpFinger.Service)
}
slog.Println(slog.INFO, "Length:", tcpBanner.Response.Length())
slog.Println(slog.INFO, "Response:")
quoteResponse := strconv.Quote(tcpBanner.Response.Value())
slog.Println(slog.DATA, quoteResponse[1:len(quoteResponse)-1])
}
//calculate the running time of the program
elapsed := time.Since(startTime)
slog.Printf(slog.INFO, "The total execution time of the program is: [%s]", elapsed.String())
slog.Println(slog.INFO, "If you have any questions, please come to my Github to submit a bug[https://github.com/lcvvvv/kscan/]")
}
func Init() {
app.Args.SetLogo(logo)
app.Args.SetUsage(usage)
app.Args.SetHelp(help)
app.Args.SetSyntax(syntax)
//parameter initialization
app.Args.Parse()
//log initialization
slog.SetEncoding(app.Args.Encoding)
if app.Args.Debug {
slog.SetLogger(slog.DEBUG)
} else {
slog.SetLogger(slog.INFO)
}
//color package initialization
app.Setting.CloseColor = color.Init(app.Args.CloseColor)
//pool package initialization
pool.SetLogger(slog.Debug())
// Initialize the configuration file
app.ConfigInit()
slog.Println(slog.INFO, "The current environment is: ", runtime.GOOS, ", the output encoding is: ", app.Setting.Encoding)
if runtime.GOOS == "windows" && app.Setting.CloseColor == true {
slog.Println(slog.INFO, "In Windows system, the color display is not enabled by default, you can enable it by adding an environment variable: KSCAN_COLOR=TRUE")
}
}
func InitKscan() {
//slog.Println(slog.WARN, "Start reading scan object...")
slog.Printf(slog.INFO, "Successfully read URL addresses: [%d]", len(app.Setting.UrlTarget))
if app.Setting.Check == false {
slog.Printf(slog.INFO, "Successfully read host addresses: [%d], ports to be detected: [%d]", len(app.Setting.HostTarget), len(app.Setting.HostTarget)*len(app.Setting.Port))
}
//Initialize HTTP fingerprint library
r := httpfinger.Init()
slog.Printf(slog.INFO, "Successfully loaded favicon fingerprints: [%d], keyword fingerprints: [%d]", r["FaviconHash"], r["KeywordFinger"])
//gonmap probe/fingerprint library initialization
gonmap.Init(9)
//Timeout and log configuration
gonmap.SetTimeout(app.Setting.Timeout)
gonmap.SetLogger(slog.Debug())
//-sV parameter configuration
if app.Setting.ScanVersion == true {
gonmap.SetScanVersion()
app.Setting.Timeout = time.Second * 120
}
slog.Printf(slog.INFO, "Successfully loaded NMAP probes: [%d], fingerprints [%d]", gonmap.UsedProbesCount, gonmap.UsedMatchCount)
//Gonmap application layer fingerprint identification initialization
gonmap.InitAppBannerDiscernConfig(app.Setting.Host, app.Setting.Path, app.Setting.Proxy, app.Setting.Timeout)
}
func InitFofa() {
email := os.Getenv("FOFA_EMAIL")
key := os.Getenv("FOFA_KEY")
if email == "" || key == "" {
slog.Println(slog.WARN, "Please configure environment variables before using -f/-fofa parameters: FOFA_EMAIL, FOFA_KEY")
slog.Println(slog.ERROR, "If you want to import port scan tasks from a file, use -t file:/path/to/file")
}
fofa.Init(email, key)
fofa.Run()
if app.Setting.Check == false && app.Setting.Scan == false {
slog.Println(slog.WARN, "You can use the --check parameter to perform liveness and fingerprint detection on the fofa scan results, and you can use the --scan parameter to perform port scans on the fofa scan results")
}
if app.Setting.Check == true {
app.Setting.UrlTarget = fofa.GetUrlTarget()
slog.Println(slog.WARN, "check parameter is enabled, now will perform liveness and fingerprint detection on fofa scan results")
}
if app.Setting.Scan == true {
app.Setting.UrlTarget = fofa.GetUrlTarget()
app.Setting.HostTarget = fofa.GetHostTarget()
slog.Println(slog.WARN, "scan parameter is enabled, now port scan and fingerprint detection will be performed on fofa scan results")
}
slog.Println(slog.DEBUG)
}
func InitSpy() {
spy.Keyword = app.Setting.Spy
spy.Scan = app.Setting.Scan
}