加入netbios探测、域控识别

2025-05-06 10:51:35 +00:00 · 2021-04-21 00:13:04 +08:00 · 2021-04-21 00:13:04 +08:00 · 27324dc4a5
commit 27324dc4a5
parent 323d786c66
21 changed files with 80 additions and 66 deletions
--- a/Plugins/CVE-2020-0796.go
+++ b/Plugins/CVE-2020-0796.go
@ -102,7 +102,7 @@ func SmbGhost(info *common.HostInfo) error {

 func SmbGhostScan(info *common.HostInfo) error {
 	ip, port, timeout := info.Host, 445, time.Duration(info.Timeout)*time.Second
-	addr := fmt.Sprintf("%s:%d", info.Host, port)
+	addr := fmt.Sprintf("%s:%v", info.Host, port)
 	conn, err := net.DialTimeout("tcp", addr, timeout)
 	if err != nil {
 		return err
--- a/Plugins/base.go
+++ b/Plugins/base.go
@ -1,18 +1,19 @@
 package Plugins

 var PluginList = map[string]interface{}{
-	"21": FtpScan,
-	"22": SshScan,
-	"135": Findnet,
-	"445": SmbScan,
-	"1433":MssqlScan,
-	"3306": MysqlScan,
-	"5432": PostgresScan,
-	"6379": RedisScan,
-	"9200":elasticsearchScan,
-	"11211":MemcachedScan,
-	"27017":MongodbScan,
+	"21":      FtpScan,
+	"22":      SshScan,
+	"135":     Findnet,
+	"139":     NetBIOS,
+	"445":     SmbScan,
+	"1433":    MssqlScan,
+	"3306":    MysqlScan,
+	"5432":    PostgresScan,
+	"6379":    RedisScan,
+	"9200":    elasticsearchScan,
+	"11211":   MemcachedScan,
+	"27017":   MongodbScan,
 	"1000001": MS17010,
 	"1000002": SmbGhost,
-	"1000003":WebTitle,
+	"1000003": WebTitle,
 }
--- a/Plugins/elasticsearch.go
+++ b/Plugins/elasticsearch.go
@ -16,7 +16,7 @@ func elasticsearchScan(info *common.HostInfo) error {

 func geturl2(info *common.HostInfo) (flag bool, err error) {
 	flag = false
-	url := fmt.Sprintf("%s:%d/_cat", info.Url, common.PORTList["elastic"])
+	url := fmt.Sprintf("%s:%v/_cat", info.Url, info.Ports)
 	res, err := http.NewRequest("GET", url, nil)
 	if err == nil {
 		res.Header.Add("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
--- a/Plugins/findnet.go
+++ b/Plugins/findnet.go
@ -22,7 +22,7 @@ func Findnet(info *common.HostInfo) error {
 }

 func FindnetScan(info *common.HostInfo) error {
-	realhost := fmt.Sprintf("%s:%d", info.Host, 135)
+	realhost := fmt.Sprintf("%s:%v", info.Host, 135)
 	conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
 	if err != nil {
 		return err
--- a/Plugins/ftp.go
+++ b/Plugins/ftp.go
@ -14,7 +14,7 @@ func FtpScan(info *common.HostInfo) (tmperr error) {
 	if flag == true && err == nil {
 		return err
 	} else {
-		errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v", info.Host, common.PORTList["ftp"], "anonymous", err)
+		errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v", info.Host, info.Ports, "anonymous", err)
 		common.LogError(errlog)
 		tmperr = err
 		if common.CheckErrs(err) {
@ -29,7 +29,7 @@ func FtpScan(info *common.HostInfo) (tmperr error) {
 			if flag == true && err == nil {
 				return err
 			} else {
-				errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v %v", info.Host, common.PORTList["ftp"], user, pass, err)
+				errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
 				common.LogError(errlog)
 				tmperr = err
 				if common.CheckErrs(err) {
@ -46,7 +46,7 @@ func FtpScan(info *common.HostInfo) (tmperr error) {

 func FtpConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	flag = false
-	Host, Port, Username, Password := info.Host, common.PORTList["ftp"], user, pass
+	Host, Port, Username, Password := info.Host, info.Ports, user, pass
 	conn, err := ftp.DialTimeout(fmt.Sprintf("%v:%v", Host, Port), time.Duration(info.Timeout)*time.Second)
 	if err == nil {
 		err = conn.Login(Username, Password)
--- a/Plugins/memcached.go
+++ b/Plugins/memcached.go
@ -9,7 +9,7 @@ import (
 )

 func MemcachedScan(info *common.HostInfo) (err error) {
-	realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["mem"])
+	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
 	client, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
 	if err == nil {
 		err = client.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
@ -25,7 +25,7 @@ func MemcachedScan(info *common.HostInfo) (err error) {
 					}
 					client.Close()
 				} else {
-					errlog := fmt.Sprintf("[-] Memcached %v:%v %v", info.Host, common.PORTList["mem"], err)
+					errlog := fmt.Sprintf("[-] Memcached %v:%v %v", info.Host, info.Ports, err)
 					common.LogError(errlog)
 				}
 			}
--- a/Plugins/mongodb.go
+++ b/Plugins/mongodb.go
@ -12,7 +12,7 @@ import (
 func MongodbScan(info *common.HostInfo) error {
 	_, err := MongodbUnauth(info)
 	if err != nil {
-		errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, common.PORTList["mgo"], err)
+		errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, info.Ports, err)
 		common.LogError(errlog)
 	}
 	return err
@ -22,7 +22,7 @@ func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
 	flag = false
 	senddata := []byte{58, 0, 0, 0, 167, 65, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 255, 255, 255, 255, 19, 0, 0, 0, 16, 105, 115, 109, 97, 115, 116, 101, 114, 0, 1, 0, 0, 0, 0}
 	getlogdata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
-	realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["mgo"])
+	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
 	conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
 	if err != nil {
 		return flag, err
--- a/Plugins/mssql.go
+++ b/Plugins/mssql.go
@ -18,7 +18,7 @@ func MssqlScan(info *common.HostInfo) (tmperr error) {
 			if flag == true && err == nil {
 				return err
 			} else {
-				errlog := fmt.Sprintf("[-] mssql %v:%v %v %v %v", info.Host, common.PORTList["mssql"], user, pass, err)
+				errlog := fmt.Sprintf("[-] mssql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
 				common.LogError(errlog)
 				tmperr = err
 				if common.CheckErrs(err) {
@ -35,7 +35,7 @@ func MssqlScan(info *common.HostInfo) (tmperr error) {

 func MssqlConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	flag = false
-	Host, Port, Username, Password := info.Host, common.PORTList["mssql"], user, pass
+	Host, Port, Username, Password := info.Host, info.Ports, user, pass
 	dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%d;encrypt=disable;timeout=%d", Host, Username, Password, Port, time.Duration(info.Timeout)*time.Second)
 	db, err := sql.Open("mssql", dataSourceName)
 	if err == nil {
--- a/Plugins/mysql.go
+++ b/Plugins/mysql.go
@ -18,7 +18,7 @@ func MysqlScan(info *common.HostInfo) (tmperr error) {
 			if flag == true && err == nil {
 				return err
 			} else {
-				errlog := fmt.Sprintf("[-] mysql %v:%v %v %v %v", info.Host, common.PORTList["mysql"], user, pass, err)
+				errlog := fmt.Sprintf("[-] mysql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
 				common.LogError(errlog)
 				tmperr = err
 				if common.CheckErrs(err) {
@ -35,7 +35,7 @@ func MysqlScan(info *common.HostInfo) (tmperr error) {

 func MysqlConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	flag = false
-	Host, Port, Username, Password := info.Host, common.PORTList["mysql"], user, pass
+	Host, Port, Username, Password := info.Host, info.Ports, user, pass
 	dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/%v?charset=utf8", Username, Password, Host, Port, "mysql")
 	db, err := sql.Open("mysql", dataSourceName)
 	if err == nil {
--- a/Plugins/portscan.go
+++ b/Plugins/portscan.go
@ -55,7 +55,7 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {

 func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64) {
 	host, port := addr.ip, addr.port
-	con, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%d", host, port), time.Duration(adjustedTimeout)*time.Second)
+	con, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second)
 	if err == nil {
 		con.Close()
 		address := host + ":" + strconv.Itoa(port)
--- a/Plugins/postgres.go
+++ b/Plugins/postgres.go
@ -18,7 +18,7 @@ func PostgresScan(info *common.HostInfo) (tmperr error) {
 			if flag == true && err == nil {
 				return err
 			} else {
-				errlog := fmt.Sprintf("[-] psql %v:%v %v %v %v", info.Host, common.PORTList["psql"], user, pass, err)
+				errlog := fmt.Sprintf("[-] psql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
 				common.LogError(errlog)
 				tmperr = err
 				if common.CheckErrs(err) {
@ -35,7 +35,7 @@ func PostgresScan(info *common.HostInfo) (tmperr error) {

 func PostgresConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	flag = false
-	Host, Port, Username, Password := info.Host, common.PORTList["psql"], user, pass
+	Host, Port, Username, Password := info.Host, info.Ports, user, pass
 	dataSourceName := fmt.Sprintf("postgres://%v:%v@%v:%v/%v?sslmode=%v", Username, Password, Host, Port, "postgres", "disable")
 	db, err := sql.Open("postgres", dataSourceName)
 	if err == nil {
--- a/Plugins/redis.go
+++ b/Plugins/redis.go
@ -22,7 +22,7 @@ func RedisScan(info *common.HostInfo) (tmperr error) {
 		if flag == true && err == nil {
 			return err
 		} else {
-			errlog := fmt.Sprintf("[-] redis %v:%v %v %v %v", info.Host, common.PORTList["redis"], pass, err)
+			errlog := fmt.Sprintf("[-] redis %v:%v %v %v", info.Host, info.Ports, pass, err)
 			common.LogError(errlog)
 			tmperr = err
 			if common.CheckErrs(err) {
@ -38,7 +38,7 @@ func RedisScan(info *common.HostInfo) (tmperr error) {

 func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
 	flag = false
-	realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["redis"])
+	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
 	conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
 	if err != nil {
 		return flag, err
@ -63,7 +63,7 @@ func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {

 func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
 	flag = false
-	realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["redis"])
+	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
 	conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
 	if err != nil {
 		return flag, err
--- a/Plugins/scanner.go
+++ b/Plugins/scanner.go
@ -9,6 +9,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+	"time"
 )

 func Scan(info common.HostInfo) {
@ -47,7 +48,7 @@ func Scan(info common.HostInfo) {
 					AddScan("1000003", info, ch, &wg) //webtitle
 				}
 			} else {
-				port, _ := common.PortlistBack[info.Scantype]
+				port, _ := common.PORTList[info.Scantype]
 				scantype := strconv.Itoa(port)
 				AddScan(scantype, info, ch, &wg)
 			}
@ -64,6 +65,7 @@ func Scan(info common.HostInfo) {
 		}
 	}
 	wg.Wait()
+	time.Sleep(100 * time.Millisecond)
 	close(common.Results)
 	fmt.Println(fmt.Sprintf("已完成 %v/%v", common.End, common.Num))
 }
--- a/Plugins/ssh.go
+++ b/Plugins/ssh.go
@ -18,7 +18,7 @@ func SshScan(info *common.HostInfo) (tmperr error) {
 			if flag == true && err == nil {
 				return err
 			} else {
-				errlog := fmt.Sprintf("[-] ssh %v:%v %v %v %v", info.Host, common.PORTList["ssh"], user, pass, err)
+				errlog := fmt.Sprintf("[-] ssh %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
 				common.LogError(errlog)
 				tmperr = err
 				if common.CheckErrs(err) {
@ -35,7 +35,7 @@ func SshScan(info *common.HostInfo) (tmperr error) {

 func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	flag = false
-	Host, Port, Username, Password := info.Host, common.PORTList["ssh"], user, pass
+	Host, Port, Username, Password := info.Host, info.Ports, user, pass
 	config := &ssh.ClientConfig{
 		User: Username,
 		Auth: []ssh.AuthMethod{
--- a/README.md
+++ b/README.md
@ -2,7 +2,7 @@

 # 简介
 一款内网综合扫描工具，方便一键自动化、全方位漏扫扫描。   
-支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写公钥、计划任务反弹shell、读取win网卡信息、web指纹识别、web漏洞扫描等。
+支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写公钥、计划任务反弹shell、读取win网卡信息、web指纹识别、web漏洞扫描、netbios探测、域控识别等功能。

 ## 主要功能
 1.信息搜集:
@ -138,6 +138,7 @@ https://github.com/k8gege/LadonGo
 https://github.com/jjf012/gopoc

 ## 最近更新
+[+] 2021/4/21 加入netbios探测、域控识别
 [+] 2021/3/4 支持-u url或者-uf url.txt,对url进行批量扫描  
 [+] 2021/2/25 修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml  
 [+] 2021/2/8 增加指纹识别功能,可识别常见CMS、框架,如致远OA、通达OA等。  
--- a/WebScan/lib/eval.go
+++ b/WebScan/lib/eval.go
@ -123,6 +123,10 @@ func NewEnvOption() CustomLib {
 				decls.NewOverload("randomLowercase_int",
 					[]*exprpb.Type{decls.Int},
 					decls.String)),
+			decls.NewFunction("randomUppercase",
+				decls.NewOverload("randomUppercase_int",
+					[]*exprpb.Type{decls.Int},
+					decls.String)),
 			decls.NewFunction("base64",
 				decls.NewOverload("base64_string",
 					[]*exprpb.Type{decls.String},
@ -238,6 +242,16 @@ func NewEnvOption() CustomLib {
 					return types.String(randomLowercase(int(n)))
 				},
 			},
+			&functions.Overload{
+				Operator: "randomUppercase_int",
+				Unary: func(value ref.Val) ref.Val {
+					n, ok := value.(types.Int)
+					if !ok {
+						return types.ValOrErr(value, "unexpected type '%v' passed to randomUppercase", value.Type())
+					}
+					return types.String(randomUppercase(int(n)))
+				},
+			},
 			&functions.Overload{
 				Operator: "base64_string",
 				Unary: func(value ref.Val) ref.Val {
@ -425,6 +439,12 @@ func randomLowercase(n int) string {
 	return RandomStr(randSource, lowercase, n)
 }

+func randomUppercase(n int) string {
+	lowercase := "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+	randSource := rand.New(rand.NewSource(time.Now().Unix()))
+	return RandomStr(randSource, lowercase, n)
+}
+
 func reverseCheck(r *Reverse, timeout int64) bool {
 	if ceyeApi == "" || r.Domain == "" {
 		return false
@ -445,7 +465,6 @@ func reverseCheck(r *Reverse, timeout int64) bool {
 	return false
 }

-
 func RandomStr(randSource *rand.Rand, letterBytes string, n int) string {
 	const (
 		letterIdxBits = 6                    // 6 bits to represent a letter index
--- a/WebScan/lib/http.go
+++ b/WebScan/lib/http.go
@ -27,9 +27,9 @@ func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) err
 	}

 	tr := &http.Transport{
-		DialContext: dialer.DialContext,
-		//MaxConnsPerHost:     0,
-		MaxIdleConns:        1000,
+		DialContext:         dialer.DialContext,
+		MaxConnsPerHost:     0,
+		MaxIdleConns:        0,
 		MaxIdleConnsPerHost: ThreadsNum * 2,
 		IdleConnTimeout:     keepAlive,
 		TLSClientConfig:     &tls.Config{InsecureSkipVerify: true},
--- a/common/Parse.go
+++ b/common/Parse.go
@ -117,6 +117,9 @@ func ParseInput(Info *HostInfo) {
 	if TmpSave == true {
 		IsSave = false
 	}
+	if Info.Ports == DefaultPorts {
+		Info.Ports += Webport
+	}
 }

 func ParseScantype(Info *HostInfo) {
@ -127,13 +130,14 @@ func ParseScantype(Info *HostInfo) {
 	if Info.Scantype != "all" {
 		if Info.Ports == DefaultPorts {
 			switch Info.Scantype {
-			case "webtitle":
+			case "web":
 				Info.Ports = Webport
 			case "ms17010":
 				Info.Ports = "445"
 			case "cve20200796":
 				Info.Ports = "445"
-			case "portscan":
+			case "main":
+				Info.Ports = DefaultPorts
 			default:
 				port, _ := PORTList[Info.Scantype]
 				Info.Ports = strconv.Itoa(port)
--- a/common/config.go
+++ b/common/config.go
@ -24,34 +24,14 @@ var PORTList = map[string]int{
 	"smb":         445,
 	"ms17010":     1000001,
 	"cve20200796": 1000002,
-	"webtitle":    1000003,
+	"web":         1000003,
 	"elastic":     9200,
 	"findnet":     135,
 	"netbios":     139,
 	"all":         0,
 	"portscan":    0,
 	"icmp":        0,
-}
-
-var PortlistBack = map[string]int{
-	"ftp":         21,
-	"ssh":         22,
-	"mem":         11211,
-	"mgo":         27017,
-	"mssql":       1433,
-	"psql":        5432,
-	"redis":       6379,
-	"mysql":       3306,
-	"smb":         445,
-	"ms17010":     1000001,
-	"cve20200796": 1000002,
-	"webtitle":    1000003,
-	"elastic":     9200,
-	"findnet":     135,
-	"NetBIOS":     139,
-	"all":         0,
-	"portscan":    0,
-	"icmp":        0,
+	"main":        0,
 }

 var Outputfile = getpath() + "result.txt"
--- a/common/flag.go
+++ b/common/flag.go
@ -18,7 +18,6 @@ func Banner() {

 func Flag(Info *HostInfo) {
 	Banner()
-	DefaultPorts += Webport
 	flag.StringVar(&Info.Host, "h", "", "IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12")
 	flag.StringVar(&Info.Ports, "p", DefaultPorts, "Select a port,for example: 22 | 1-65535 | 22,80,3306")
 	flag.StringVar(&Info.Command, "c", "", "exec command (ssh)")
--- a/common/log.go
+++ b/common/log.go
@ -60,7 +60,15 @@ func CheckErrs(err error) bool {
 	if err == nil {
 		return false
 	}
-	errs := []string{"closed by the remote host", "too many connections", "i/o timeout", "EOF", "A connection attempt failed", "established connection failed", "connection attempt failed", "Unable to read", "is not allowed to connect to this", "no pg_hba.conf entry", "no supported methods remain"}
+	errs := []string{
+		"closed by the remote host", "too many connections",
+		"i/o timeout", "EOF", "A connection attempt failed",
+		"established connection failed", "connection attempt failed",
+		"Unable to read", "is not allowed to connect to this",
+		"no pg_hba.conf entry",
+		"no supported methods remain",
+		"No connection could be made",
+	}
 	for _, key := range errs {
 		if strings.Contains(strings.ToLower(err.Error()), strings.ToLower(key)) {
 			return true