From 2ce7041c95c89398552f39dc0714ca886ee20a20 Mon Sep 17 00:00:00 2001
From: ZacharyZcR <2903735704@qq.com>
Date: Sat, 28 Dec 2024 06:19:25 +0800
Subject: [PATCH] =?UTF-8?q?refactor:=20=E5=8E=BB=E6=8E=89UDP=E6=89=AB?=
 =?UTF-8?q?=E6=8F=8F=E3=80=81=E4=BC=98=E5=8C=96=E4=BA=86DCInfo=E5=92=8CMin?=
 =?UTF-8?q?iDump=E7=9A=84=E6=A3=80=E6=B5=8B=E6=9C=BA=E5=88=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Common/Config.go | 1 -
 Common/Flag.go | 1 -
 Common/ParsePort.go | 1 -
 Common/ParseScanMode.go | 4 ----
 Common/Ports.go | 5 ++---
 Core/PortScan.go | 8 +------
 Plugins/DCInfo.go | 27 +++++++++++++++++++++++++++
 Plugins/MiniDump.go | 35 ++++++++++++++++++++++++++++++-----
 8 files changed, 60 insertions(+), 22 deletions(-)

diff --git a/Common/Config.go b/Common/Config.go
index 8f7221c..9037854 100644
--- a/Common/Config.go
+++ b/Common/Config.go
@@ -55,7 +55,6 @@ var (
 ScanMode string // 原Scantype
 ThreadNum int // 原Threads
 UseSynScan bool
- UseUdpScan bool
 Timeout int64 = 3
 LiveTop int
 DisablePing bool // 原NoPing
diff --git a/Common/Flag.go b/Common/Flag.go
index a308c44..8f04032 100644
--- a/Common/Flag.go
+++ b/Common/Flag.go
@@ -73,7 +73,6 @@ func Flag(Info *HostInfo) {
 " 漏洞类: ms17010, smbghost, smb2\n"+
 " 其他: findnet, wmiexec, localinfo")
 flag.BoolVar(&UseSynScan, "sS", false, "使用SYN扫描替代TCP全连接扫描(需要root/管理员权限)")
- flag.BoolVar(&UseUdpScan, "sU", false, "使用UDP扫描(部分端口自动使用UDP协议)")
 flag.IntVar(&ThreadNum, "t", 600, "设置扫描线程数")
 flag.Int64Var(&Timeout, "time", 3, "设置连接超时时间(单位:秒)")
 flag.IntVar(&LiveTop, "top", 10, "仅显示指定数量的存活主机")
diff --git a/Common/ParsePort.go b/Common/ParsePort.go
index f8a3453..770b97b 100644
--- a/Common/ParsePort.go
+++ b/Common/ParsePort.go
@@ -14,7 +14,6 @@ func ParsePort(ports string) []int {
 "service": ServicePorts,
 "db": DbPorts,
 "web": WebPorts,
- "udp": UDPPorts,
 "all": AllPorts,
 "main": MainPorts,
 }
diff --git a/Common/ParseScanMode.go b/Common/ParseScanMode.go
index 5733edc..2868ee5 100644
--- a/Common/ParseScanMode.go
+++ b/Common/ParseScanMode.go
@@ -13,7 +13,6 @@ const (
 ModePort = "Port" // 端口扫描
 ModeICMP = "ICMP" // ICMP探测
 ModeLocal = "Local" // 本地信息收集
- ModeUDP = "UDP" //UDP扫描
 )

 // 插件分类映射表 - 所有插件名使用小写
@@ -45,9 +44,6 @@ var pluginGroups = map[string][]string{
 ModeLocal: {
 "localinfo",
 },
- ModeUDP: {
- "snmp",
- },
 }

 // ParseScanMode 解析扫描模式
diff --git a/Common/Ports.go b/Common/Ports.go
index 85a7f45..cf5bbab 100644
--- a/Common/Ports.go
+++ b/Common/Ports.go
@@ -5,12 +5,11 @@ import (
 "strings"
 )

-var ServicePorts = "21,22,23,25,110,135,139,143,161,162,389,445,465,502,587,636,873,993,995,1433,1521,2222,3306,3389,5020,5432,5672,5671,6379,8161,8443,9000,9092,9093,9200,10051,11211,15672,15671,27017,61616,61613"
+var ServicePorts = "21,22,23,25,110,135,139,143,162,389,445,465,502,587,636,873,993,995,1433,1521,2222,3306,3389,5020,5432,5672,5671,6379,8161,8443,9000,9092,9093,9200,10051,11211,15672,15671,27017,61616,61613"
 var DbPorts = "1433,1521,3306,5432,5672,6379,7687,9042,9093,9200,11211,27017,61616"
 var WebPorts = "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8005,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10051,10250,12018,12443,14000,15672,15671,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,20880,21000,21501,21502,28018"
-var UDPPorts = "161"
 var AllPorts = "1-65535"
-var MainPorts = "21,22,23,80,81,110,135,139,143,161,389,443,445,502,873,993,995,1433,1521,3306,5432,5672,6379,7001,7687,8000,8005,8009,8080,8089,8443,9000,9042,9092,9200,10051,11211,15672,27017,61616"
+var MainPorts = "21,22,23,80,81,110,135,139,143,389,443,445,502,873,993,995,1433,1521,3306,5432,5672,6379,7001,7687,8000,8005,8009,8080,8089,8443,9000,9042,9092,9200,10051,11211,15672,27017,61616"

 func ParsePortsFromString(portsStr string) []int {
 var ports []int
diff --git a/Core/PortScan.go b/Core/PortScan.go
index 8cf86c6..f478556 100644
--- a/Core/PortScan.go
+++ b/Core/PortScan.go
@@ -91,10 +91,7 @@ func PortConnect(addr Addr, respondingHosts chan<- string, timeout int64, wg *sy
 var isOpen bool
 var err error

- if Common.UseUdpScan {
- // UDP扫描
- isOpen, err = UDPScan(addr.ip, addr.port, timeout)
- } else if Common.UseSynScan {
+ if Common.UseSynScan {
 // SYN扫描
 isOpen, err = SynScan(addr.ip, addr.port, timeout)
 } else {
@@ -115,9 +112,6 @@ func PortConnect(addr Addr, respondingHosts chan<- string, timeout int64, wg *sy
 // 记录开放端口
 address := fmt.Sprintf("%s:%d", addr.ip, addr.port)
 protocol := "TCP"
- if Common.UseUdpScan {
- protocol = "UDP"
- }
 result := fmt.Sprintf("[+] %s端口开放 %s", protocol, address)
 Common.LogSuccess(result)
diff --git a/Plugins/DCInfo.go b/Plugins/DCInfo.go
index 62222b2..8beaca5 100644
--- a/Plugins/DCInfo.go
+++ b/Plugins/DCInfo.go
@@ -8,6 +8,8 @@ import (
 "os/exec"
 "strconv"
 "strings"
+ "syscall"
+ "unsafe"

 "github.com/go-ldap/ldap/v3"
 )
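Review bot: The new ServicePorts line drops 161 but keeps 162, and both are SNMP ports that are normally served over UDP (162 is the trap receiver), so with the UDP code path removed a TCP connect to 162 is as unlikely to answer as the one to 161 was. If the intent is to purge UDP-only ports from the TCP lists, 162 should go from ServicePorts in the same change (MainPorts already has no 162); if it is kept on purpose, a one-line comment above `var ServicePorts` saying why would spare the next reader the same question.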
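Review bot: After the `@@ -115` hunk `protocol := "TCP"` is assigned once and never changed, so the variable only hides a constant; fold it into the message, `result := fmt.Sprintf("[+] TCP端口开放 %s", address)`, and drop the `protocol` line. The `@@ -91` hunk removes the only visible call to `UDPScan`, but the diffstat lists no file in which `UDPScan` itself is deleted, so it presumably survives as dead code unless a follow-up removes it, and any usage text that still mentions `-sU` would need the same cleanup. `PortConnect` begins and ends outside both hunks.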
@@ -656,7 +658,32 @@ func NewDomainInfo() (*DomainInfo, error) {
 }, nil
 }

+// 检查是否在域环境中
+func IsInDomain() bool {
+ // 获取计算机域成员身份信息
+ var joinStatus uint32
+ var buffer uint32
+
+ ret, _, _ := syscall.NewLazyDLL("netapi32.dll").NewProc("NetGetJoinInformation").Call(
+ 0,
+ uintptr(unsafe.Pointer(&joinStatus)),
+ uintptr(unsafe.Pointer(&buffer)),
+ )
+
+ if ret == 0 {
+ // 清理资源
+ syscall.NewLazyDLL("netapi32.dll").NewProc("NetApiBufferFree").Call(uintptr(buffer))
+ // 检查是否为域成员
+ return joinStatus == 3 // 3 = NetSetupDomainName 表示是域成员
+ }
+ return false
+}
+
 func DCInfoScan(info *Common.HostInfo) (err error) {
+ if !IsInDomain() {
+ return fmt.Errorf("当前系统不在域环境中")
+ }
+
 // 创建DomainInfo实例,使用当前用户凭据
 di, err := NewDomainInfo()
 if err != nil {
diff --git a/Plugins/MiniDump.go b/Plugins/MiniDump.go
index 94f4c8f..50aa015 100644
--- a/Plugins/MiniDump.go
+++ b/Plugins/MiniDump.go
@@ -3,7 +3,7 @@ package Plugins
 import (
 "fmt"
 "github.com/shadow1ng/fscan/Common"
- "log"
+ "golang.org/x/sys/windows"
 "os"
 "path/filepath"
 "syscall"
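Review bot: The out-parameters of `NetGetJoinInformation` in `IsInDomain` are passed in the wrong order: the Win32 signature is `(LPCWSTR lpServer, LPWSTR *lpNameBuffer, PNETSETUP_JOIN_STATUS BufferType)`, so the API writes the name-buffer pointer into the 4-byte `joinStatus` (a pointer-sized store into a `uint32` on 64-bit builds, overrunning the variable) and the status enum into `buffer`, which is then handed to `NetApiBufferFree` as though it were a pointer, while `joinStatus == 3` compares against a truncated pointer. Declare the name buffer as a pointer, swap the two arguments and free the real buffer, as below; 3 is indeed `NetSetupDomainName`, so the comparison is right once the variables line up. The preceding import hunk adds `syscall` and `unsafe` for this, and `syscall.NewLazyDLL` exists only on Windows, so unless DCInfo.go already carries a `//go:build windows` constraint outside the hunk the package stops building for other targets. `DCInfoScan` continues past the end of the hunk.
```go
func IsInDomain() bool {
	var nameBuffer *uint16 // receives the LPWSTR* domain/workgroup name; freed below
	var joinStatus uint32  // receives the NETSETUP_JOIN_STATUS value

	netapi32 := syscall.NewLazyDLL("netapi32.dll")
	ret, _, _ := netapi32.NewProc("NetGetJoinInformation").Call(
		0,
		uintptr(unsafe.Pointer(&nameBuffer)), // second parameter: name buffer
		uintptr(unsafe.Pointer(&joinStatus)), // third parameter: join status
	)
	if ret != 0 {
		return false
	}
	// The API allocated the name buffer; release it before deciding.
	netapi32.NewProc("NetApiBufferFree").Call(uintptr(unsafe.Pointer(nameBuffer)))
	return joinStatus == 3 // 3 = NetSetupDomainName
}
```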
@@ -254,22 +254,47 @@ func (pm *ProcessManager) FindProcess(name string) (uint32, error) {
 return pm.findProcessInSnapshot(snapshot, name)
 }

+// 检查是否具有管理员权限
+func IsAdmin() bool {
+ var sid *windows.SID
+ err := windows.AllocateAndInitializeSid(
+ &windows.SECURITY_NT_AUTHORITY,
+ 2,
+ windows.SECURITY_BUILTIN_DOMAIN_RID,
+ windows.DOMAIN_ALIAS_RID_ADMINS,
+ 0, 0, 0, 0, 0, 0,
+ &sid)
+ if err != nil {
+ return false
+ }
+ defer windows.FreeSid(sid)
+
+ token := windows.Token(0)
+ member, err := token.IsMember(sid)
+ return err == nil && member
+}
+
 func MiniDump(info *Common.HostInfo) (err error) {
+ // 先检查管理员权限
+ if !IsAdmin() {
+ return fmt.Errorf("需要管理员权限才能执行此操作")
+ }
+
 pm, err := NewProcessManager()
 if err != nil {
- log.Fatalf("初始化进程管理器失败: %v", err)
+ return fmt.Errorf("初始化进程管理器失败: %v", err)
 }

 // 查找 lsass.exe
 pid, err := pm.FindProcess("lsass.exe")
 if err != nil {
- log.Fatalf("查找进程失败: %v", err)
+ return fmt.Errorf("查找进程失败: %v", err)
 }
 fmt.Printf("找到进程 lsass.exe, PID: %d\n", pid)

 // 提升权限
 if err := pm.ElevatePrivileges(); err != nil {
- log.Fatalf("提升权限失败: %v", err)
+ return fmt.Errorf("提升权限失败: %v", err)
 }
 fmt.Println("成功提升进程权限")

@@ -278,8 +303,8 @@ func MiniDump(info *Common.HostInfo) (err error) {

 // 执行转储
 if err := pm.DumpProcess(pid, outputPath); err != nil {
- log.Fatalf("进程转储失败: %v", err)
 os.Remove(outputPath)
+ return fmt.Errorf("进程转储失败: %v", err)
 }

 fmt.Printf("成功将进程内存转储到文件: %s\n", outputPath)
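Review bot: The new early returns in `MiniDump` wrap the underlying error with `%v`, which flattens it to text; use `%w` so callers can inspect it with `errors.Is`/`errors.As`, e.g. `return fmt.Errorf("初始化进程管理器失败: %w", err)`, and likewise for the FindProcess and ElevatePrivileges returns here and the DumpProcess return in the `@@ -278` hunk. In that last hunk the result of `os.Remove(outputPath)` is still discarded on the failure path; a comment such as `// best-effort removal of the partial dump; the original error is what matters` would mark that as deliberate rather than an oversight. `IsAdmin` tests membership of the Administrators SID on the calling thread's token, which under UAC is only true for an elevated process, so its doc comment should say "elevated" to match what the check actually enforces rather than just "administrator". `MiniDump` continues past the end of the first hunk.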