refactor: 去掉UDP扫描、优化了DCInfo和MiniDump的检测机制

2025-06-20 18:00:52 +00:00 · 2024-12-28 06:19:25 +08:00 · 2024-12-28 06:19:25 +08:00 · 2ce7041c95
commit 2ce7041c95
parent ee1d176a8f
8 changed files with 60 additions and 22 deletions
--- a/Common/Config.go
+++ b/Common/Config.go
@ -55,7 +55,6 @@ var (
 	ScanMode    string // 原Scantype
 	ThreadNum   int    // 原Threads
 	UseSynScan  bool
-	UseUdpScan  bool
 	Timeout     int64 = 3
 	LiveTop     int
 	DisablePing bool // 原NoPing
--- a/Common/Flag.go
+++ b/Common/Flag.go
@ -73,7 +73,6 @@ func Flag(Info *HostInfo) {
 		"  漏洞类: ms17010, smbghost, smb2\n"+
 		"  其他: findnet, wmiexec, localinfo")
 	flag.BoolVar(&UseSynScan, "sS", false, "使用SYN扫描替代TCP全连接扫描(需要root/管理员权限)")
-	flag.BoolVar(&UseUdpScan, "sU", false, "使用UDP扫描(部分端口自动使用UDP协议)")
 	flag.IntVar(&ThreadNum, "t", 600, "设置扫描线程数")
 	flag.Int64Var(&Timeout, "time", 3, "设置连接超时时间(单位:秒)")
 	flag.IntVar(&LiveTop, "top", 10, "仅显示指定数量的存活主机")
--- a/Common/ParsePort.go
+++ b/Common/ParsePort.go
@ -14,7 +14,6 @@ func ParsePort(ports string) []int {
 		"service": ServicePorts,
 		"db":      DbPorts,
 		"web":     WebPorts,
-		"udp":     UDPPorts,
 		"all":     AllPorts,
 		"main":    MainPorts,
 	}
--- a/Common/ParseScanMode.go
+++ b/Common/ParseScanMode.go
@ -13,7 +13,6 @@ const (
 	ModePort     = "Port"     // 端口扫描
 	ModeICMP     = "ICMP"     // ICMP探测
 	ModeLocal    = "Local"    // 本地信息收集
-	ModeUDP      = "UDP"      //UDP扫描
 )

 // 插件分类映射表 - 所有插件名使用小写
@ -45,9 +44,6 @@ var pluginGroups = map[string][]string{
 	ModeLocal: {
 		"localinfo",
 	},
-	ModeUDP: {
-		"snmp",
-	},
 }

 // ParseScanMode 解析扫描模式
--- a/Common/Ports.go
+++ b/Common/Ports.go
@ -5,12 +5,11 @@ import (
 	"strings"
 )

-var ServicePorts = "21,22,23,25,110,135,139,143,161,162,389,445,465,502,587,636,873,993,995,1433,1521,2222,3306,3389,5020,5432,5672,5671,6379,8161,8443,9000,9092,9093,9200,10051,11211,15672,15671,27017,61616,61613"
+var ServicePorts = "21,22,23,25,110,135,139,143,162,389,445,465,502,587,636,873,993,995,1433,1521,2222,3306,3389,5020,5432,5672,5671,6379,8161,8443,9000,9092,9093,9200,10051,11211,15672,15671,27017,61616,61613"
 var DbPorts = "1433,1521,3306,5432,5672,6379,7687,9042,9093,9200,11211,27017,61616"
 var WebPorts = "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8005,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10051,10250,12018,12443,14000,15672,15671,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,20880,21000,21501,21502,28018"
-var UDPPorts = "161"
 var AllPorts = "1-65535"
-var MainPorts = "21,22,23,80,81,110,135,139,143,161,389,443,445,502,873,993,995,1433,1521,3306,5432,5672,6379,7001,7687,8000,8005,8009,8080,8089,8443,9000,9042,9092,9200,10051,11211,15672,27017,61616"
+var MainPorts = "21,22,23,80,81,110,135,139,143,389,443,445,502,873,993,995,1433,1521,3306,5432,5672,6379,7001,7687,8000,8005,8009,8080,8089,8443,9000,9042,9092,9200,10051,11211,15672,27017,61616"

 func ParsePortsFromString(portsStr string) []int {
 	var ports []int
--- a/Core/PortScan.go
+++ b/Core/PortScan.go
@ -91,10 +91,7 @@ func PortConnect(addr Addr, respondingHosts chan<- string, timeout int64, wg *sy
 	var isOpen bool
 	var err error

-	if Common.UseUdpScan {
-		// UDP扫描
-		isOpen, err = UDPScan(addr.ip, addr.port, timeout)
-	} else if Common.UseSynScan {
+	if Common.UseSynScan {
 		// SYN扫描
 		isOpen, err = SynScan(addr.ip, addr.port, timeout)
 	} else {
@ -115,9 +112,6 @@ func PortConnect(addr Addr, respondingHosts chan<- string, timeout int64, wg *sy
 	// 记录开放端口
 	address := fmt.Sprintf("%s:%d", addr.ip, addr.port)
 	protocol := "TCP"
-	if Common.UseUdpScan {
-		protocol = "UDP"
-	}
 	result := fmt.Sprintf("[+] %s端口开放 %s", protocol, address)
 	Common.LogSuccess(result)

--- a/Plugins/DCInfo.go
+++ b/Plugins/DCInfo.go
@ -8,6 +8,8 @@ import (
 	"os/exec"
 	"strconv"
 	"strings"
+	"syscall"
+	"unsafe"

 	"github.com/go-ldap/ldap/v3"
 )
@ -656,7 +658,32 @@ func NewDomainInfo() (*DomainInfo, error) {
 	}, nil
 }

+// 检查是否在域环境中
+func IsInDomain() bool {
+	// 获取计算机域成员身份信息
+	var joinStatus uint32
+	var buffer uint32
+
+	ret, _, _ := syscall.NewLazyDLL("netapi32.dll").NewProc("NetGetJoinInformation").Call(
+		0,
+		uintptr(unsafe.Pointer(&joinStatus)),
+		uintptr(unsafe.Pointer(&buffer)),
+	)
+
+	if ret == 0 {
+		// 清理资源
+		syscall.NewLazyDLL("netapi32.dll").NewProc("NetApiBufferFree").Call(uintptr(buffer))
+		// 检查是否为域成员
+		return joinStatus == 3 // 3 = NetSetupDomainName 表示是域成员
+	}
+	return false
+}
+
 func DCInfoScan(info *Common.HostInfo) (err error) {
+	if !IsInDomain() {
+		return fmt.Errorf("当前系统不在域环境中")
+	}
+
 	// 创建DomainInfo实例，使用当前用户凭据
 	di, err := NewDomainInfo()
 	if err != nil {
--- a/Plugins/MiniDump.go
+++ b/Plugins/MiniDump.go
@ -3,7 +3,7 @@ package Plugins
 import (
 	"fmt"
 	"github.com/shadow1ng/fscan/Common"
-	"log"
+	"golang.org/x/sys/windows"
 	"os"
 	"path/filepath"
 	"syscall"
@ -254,22 +254,47 @@ func (pm *ProcessManager) FindProcess(name string) (uint32, error) {
 	return pm.findProcessInSnapshot(snapshot, name)
 }

+// 检查是否具有管理员权限
+func IsAdmin() bool {
+	var sid *windows.SID
+	err := windows.AllocateAndInitializeSid(
+		&windows.SECURITY_NT_AUTHORITY,
+		2,
+		windows.SECURITY_BUILTIN_DOMAIN_RID,
+		windows.DOMAIN_ALIAS_RID_ADMINS,
+		0, 0, 0, 0, 0, 0,
+		&sid)
+	if err != nil {
+		return false
+	}
+	defer windows.FreeSid(sid)
+
+	token := windows.Token(0)
+	member, err := token.IsMember(sid)
+	return err == nil && member
+}
+
 func MiniDump(info *Common.HostInfo) (err error) {
+	// 先检查管理员权限
+	if !IsAdmin() {
+		return fmt.Errorf("需要管理员权限才能执行此操作")
+	}
+
 	pm, err := NewProcessManager()
 	if err != nil {
-		log.Fatalf("初始化进程管理器失败: %v", err)
+		return fmt.Errorf("初始化进程管理器失败: %v", err)
 	}

 	// 查找 lsass.exe
 	pid, err := pm.FindProcess("lsass.exe")
 	if err != nil {
-		log.Fatalf("查找进程失败: %v", err)
+		return fmt.Errorf("查找进程失败: %v", err)
 	}
 	fmt.Printf("找到进程 lsass.exe, PID: %d\n", pid)

 	// 提升权限
 	if err := pm.ElevatePrivileges(); err != nil {
-		log.Fatalf("提升权限失败: %v", err)
+		return fmt.Errorf("提升权限失败: %v", err)
 	}
 	fmt.Println("成功提升进程权限")

@ -278,8 +303,8 @@ func MiniDump(info *Common.HostInfo) (err error) {

 	// 执行转储
 	if err := pm.DumpProcess(pid, outputPath); err != nil {
-		log.Fatalf("进程转储失败: %v", err)
 		os.Remove(outputPath)
+		return fmt.Errorf("进程转储失败: %v", err)
 	}

 	fmt.Printf("成功将进程内存转储到文件: %s\n", outputPath)