Merge pull request #395 from ZacharyZcR/main

Fscan 2.0.0 完整代码重构、新增本地信息搜集插件
shadow1ng · Dec 19, 2024 · 40b6dbc · 40b6dbc
2 parents 3dfd2e9 + 59cc462
commit 40b6dbc
Show file tree

Hide file tree

Showing 69 changed files with 7,579 additions and 5,159 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,3 @@
 result.txt
+main
+.idea
diff --git a/common/config.go → Common/Config.go b/common/config.go → Common/Config.go
@@ -1,6 +1,6 @@
-package common
+package Common
 
-var version = "1.8.4"
+var version = "2.0.0"
 var Userdict = map[string][]string{
 	"ftp":        {"ftp", "admin", "www", "web", "root", "db", "wwwroot", "data"},
 	"mysql":      {"root", "mysql"},
@@ -14,33 +14,7 @@ var Userdict = map[string][]string{
 }
 
 var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "{user}@123#4", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "123456!a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "1qaz!QAZ", "2wsx@WSX", "qwe123!@#", "Aa123456!", "A123456s!", "sa123456", "1q2w3e", "Charge123", "Aa123456789"}
-var PORTList = map[string]int{
-	"ftp":         21,
-	"ssh":         22,
-	"findnet":     135,
-	"netbios":     139,
-	"smb":         445,
-	"mssql":       1433,
-	"oracle":      1521,
-	"mysql":       3306,
-	"rdp":         3389,
-	"psql":        5432,
-	"redis":       6379,
-	"fcgi":        9000,
-	"mem":         11211,
-	"mgo":         27017,
-	"ms17010":     1000001,
-	"cve20200796": 1000002,
-	"web":         1000003,
-	"webonly":     1000003,
-	"webpoc":      1000003,
-	"smb2":        1000004,
-	"wmiexec":     1000005,
-	"all":         0,
-	"portscan":    0,
-	"icmp":        0,
-	"main":        0,
-}
+
 var PortGroup = map[string]string{
 	"ftp":         "21",
 	"ssh":         "22",
@@ -69,13 +43,6 @@ var IsSave = true
 var Webport = "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880"
 var DefaultPorts = "21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017"
 
-type HostInfo struct {
-	Host    string
-	Ports   string
-	Url     string
-	Infostr []string
-}
-
 type PocInfo struct {
 	Target  string
 	PocName string

diff --git a/Common/Flag.go b/Common/Flag.go
@@ -0,0 +1,93 @@
+package Common
+
+import (
+	"flag"
+)
+
+func Banner() {
+	banner := `
+   ___                              _    
+  / _ \     ___  ___ _ __ __ _  ___| | __ 
+ / /_\/____/ __|/ __| '__/ _` + "`" + ` |/ __| |/ /
+/ /_\\_____\__ \ (__| | | (_| | (__|   <    
+\____/     |___/\___|_|  \__,_|\___|_|\_\   
+                     fscan version: ` + version + `
+`
+	print(banner)
+}
+
+func Flag(Info *HostInfo) {
+	Banner()
+
+	// 目标配置
+	flag.StringVar(&Info.Host, "h", "", "目标主机IP，例如: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12")
+	flag.StringVar(&NoHosts, "hn", "", "排除的主机范围，例如: -hn 192.168.1.1/24")
+	flag.StringVar(&Ports, "p", DefaultPorts, "端口配置，例如: 22 | 1-65535 | 22,80,3306")
+	flag.StringVar(&PortAdd, "pa", "", "在默认端口基础上添加端口，-pa 3389")
+	flag.StringVar(&NoPorts, "pn", "", "排除的端口，例如: -pn 445")
+
+	// 认证配置
+	flag.StringVar(&UserAdd, "usera", "", "在默认用户列表基础上添加用户,-usera user")
+	flag.StringVar(&PassAdd, "pwda", "", "在默认密码列表基础上添加密码,-pwda password")
+	flag.StringVar(&Username, "user", "", "用户名")
+	flag.StringVar(&Password, "pwd", "", "密码")
+	flag.StringVar(&Domain, "domain", "", "域名(用于SMB)")
+	flag.StringVar(&SshKey, "sshkey", "", "SSH密钥文件(id_rsa)")
+
+	// 扫描配置
+	flag.StringVar(&Scantype, "m", "all", "扫描类型，例如: -m ssh")
+	flag.IntVar(&Threads, "t", 600, "线程数量")
+	flag.Int64Var(&Timeout, "time", 3, "超时时间(秒)")
+	flag.IntVar(&LiveTop, "top", 10, "显示存活主机数量")
+	flag.BoolVar(&NoPing, "np", false, "禁用存活探测")
+	flag.BoolVar(&Ping, "ping", false, "使用ping替代ICMP")
+	flag.StringVar(&Command, "c", "", "执行命令(支持ssh|wmiexec)")
+
+	// 文件配置
+	flag.StringVar(&HostFile, "hf", "", "主机列表文件")
+	flag.StringVar(&Userfile, "userf", "", "用户名字典")
+	flag.StringVar(&Passfile, "pwdf", "", "密码字典")
+	flag.StringVar(&Hashfile, "hashf", "", "Hash字典")
+	flag.StringVar(&PortFile, "portf", "", "端口列表文件")
+
+	// Web配置
+	flag.StringVar(&URL, "u", "", "目标URL")
+	flag.StringVar(&UrlFile, "uf", "", "URL列表文件")
+	flag.StringVar(&Cookie, "cookie", "", "设置Cookie")
+	flag.Int64Var(&WebTimeout, "wt", 5, "Web请求超时时间")
+	flag.StringVar(&Proxy, "proxy", "", "设置HTTP代理")
+	flag.StringVar(&Socks5Proxy, "socks5", "", "设置Socks5代理(将用于TCP连接,超时设置将失效)")
+
+	// POC配置
+	flag.StringVar(&PocPath, "pocpath", "", "POC文件路径")
+	flag.StringVar(&Pocinfo.PocName, "pocname", "", "使用包含指定名称的POC,例如: -pocname weblogic")
+	flag.BoolVar(&NoPoc, "nopoc", false, "禁用Web漏洞扫描")
+	flag.BoolVar(&PocFull, "full", false, "完整POC扫描,如:shiro 100个key")
+	flag.BoolVar(&DnsLog, "dns", false, "启用dnslog验证")
+	flag.IntVar(&PocNum, "num", 20, "POC并发数")
+
+	// Redis利用配置
+	flag.StringVar(&RedisFile, "rf", "", "Redis写入SSH公钥文件")
+	flag.StringVar(&RedisShell, "rs", "", "Redis写入计划任务")
+	flag.BoolVar(&Noredistest, "noredis", false, "禁用Redis安全检测")
+
+	// 暴力破解配置
+	flag.BoolVar(&IsBrute, "nobr", false, "禁用密码爆破")
+	flag.IntVar(&BruteThread, "br", 1, "密码爆破线程数")
+
+	// 其他配置
+	flag.StringVar(&Path, "path", "", "FCG/SMB远程文件路径")
+	flag.StringVar(&Hash, "hash", "", "Hash值")
+	flag.StringVar(&SC, "sc", "", "MS17漏洞shellcode")
+	flag.BoolVar(&IsWmi, "wmi", false, "启用WMI")
+
+	// 输出配置
+	flag.StringVar(&Outputfile, "o", "result.txt", "结果输出文件")
+	flag.BoolVar(&TmpSave, "no", false, "禁用结果保存")
+	flag.BoolVar(&Silent, "silent", false, "静默扫描模式")
+	flag.BoolVar(&Nocolor, "nocolor", false, "禁用彩色输出")
+	flag.BoolVar(&JsonOutput, "json", false, "JSON格式输出")
+	flag.Int64Var(&WaitTime, "debug", 60, "错误日志输出间隔")
+
+	flag.Parse()
+}
diff --git a/common/log.go → Common/Log.go b/common/log.go → Common/Log.go
@@ -1,4 +1,4 @@
-package common
+package Common
 
 import (
 	"encoding/json"
@@ -12,67 +12,81 @@ import (
 	"time"
 )
 
-var Num int64
-var End int64
-var Results = make(chan *string)
-var LogSucTime int64
-var LogErrTime int64
-var WaitTime int64
-var Silent bool
-var Nocolor bool
-var JsonOutput bool
-var LogWG sync.WaitGroup
+// 记录扫描状态的全局变量
+var (
+	Num        int64                // 总任务数
+	End        int64                // 已完成数
+	Results    = make(chan *string) // 结果通道
+	LogSucTime int64                // 最近成功日志时间
+	LogErrTime int64                // 最近错误日志时间
+	WaitTime   int64                // 等待时间
+	Silent     bool                 // 静默模式
+	Nocolor    bool                 // 禁用颜色
+	JsonOutput bool                 // JSON输出
+	LogWG      sync.WaitGroup       // 日志同步等待组
+)
 
+// JsonText JSON输出的结构体
 type JsonText struct {
-	Type string `json:"type"`
-	Text string `json:"text"`
+	Type string `json:"type"` // 消息类型
+	Text string `json:"text"` // 消息内容
 }
 
+// init 初始化日志配置
 func init() {
 	log.SetOutput(io.Discard)
 	LogSucTime = time.Now().Unix()
 	go SaveLog()
 }
 
+// LogSuccess 记录成功信息
 func LogSuccess(result string) {
 	LogWG.Add(1)
 	LogSucTime = time.Now().Unix()
 	Results <- &result
 }
 
+// SaveLog 保存日志信息
 func SaveLog() {
 	for result := range Results {
+		// 打印日志
 		if !Silent {
 			if Nocolor {
 				fmt.Println(*result)
 			} else {
-				if strings.HasPrefix(*result, "[+] InfoScan") {
+				switch {
+				case strings.HasPrefix(*result, "[+] 信息扫描"):
 					color.Green(*result)
-				} else if strings.HasPrefix(*result, "[+]") {
+				case strings.HasPrefix(*result, "[+]"):
 					color.Red(*result)
-				} else {
+				default:
 					fmt.Println(*result)
 				}
 			}
 		}
+
+		// 保存到文件
 		if IsSave {
 			WriteFile(*result, Outputfile)
 		}
 		LogWG.Done()
 	}
 }
 
+// WriteFile 写入文件
 func WriteFile(result string, filename string) {
+	// 打开文件
 	fl, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0666)
 	if err != nil {
-		fmt.Printf("Open %s error, %v\n", filename, err)
+		fmt.Printf("[!] 打开文件失败 %s: %v\n", filename, err)
 		return
 	}
+	defer fl.Close()
+
 	if JsonOutput {
-		var scantype string
-		var text string
+		// 解析JSON格式
+		var scantype, text string
 		if strings.HasPrefix(result, "[+]") || strings.HasPrefix(result, "[*]") || strings.HasPrefix(result, "[-]") {
-			//找到第二个空格的位置
 			index := strings.Index(result[4:], " ")
 			if index == -1 {
 				scantype = "msg"
@@ -85,47 +99,51 @@ func WriteFile(result string, filename string) {
 			scantype = "msg"
 			text = result
 		}
+
+		// 构造JSON对象
 		jsonText := JsonText{
 			Type: scantype,
 			Text: text,
 		}
+
+		// 序列化JSON
 		jsonData, err := json.Marshal(jsonText)
 		if err != nil {
-			fmt.Println(err)
+			fmt.Printf("[!] JSON序列化失败: %v\n", err)
 			jsonText = JsonText{
 				Type: "msg",
 				Text: result,
 			}
-			jsonData, err = json.Marshal(jsonText)
-			if err != nil {
-				fmt.Println(err)
-				jsonData = []byte(result)
-			}
+			jsonData, _ = json.Marshal(jsonText)
 		}
 		jsonData = append(jsonData, []byte(",\n")...)
 		_, err = fl.Write(jsonData)
 	} else {
 		_, err = fl.Write([]byte(result + "\n"))
 	}
-	fl.Close()
+
 	if err != nil {
-		fmt.Printf("Write %s error, %v\n", filename, err)
+		fmt.Printf("[!] 写入文件失败 %s: %v\n", filename, err)
 	}
 }
 
+// LogError 记录错误信息
 func LogError(errinfo interface{}) {
 	if WaitTime == 0 {
-		fmt.Printf("已完成 %v/%v %v \n", End, Num, errinfo)
+		fmt.Printf("[*] 已完成 %v/%v %v\n", End, Num, errinfo)
 	} else if (time.Now().Unix()-LogSucTime) > WaitTime && (time.Now().Unix()-LogErrTime) > WaitTime {
-		fmt.Printf("已完成 %v/%v %v \n", End, Num, errinfo)
+		fmt.Printf("[*] 已完成 %v/%v %v\n", End, Num, errinfo)
 		LogErrTime = time.Now().Unix()
 	}
 }
 
+// CheckErrs 检查是否为已知错误
 func CheckErrs(err error) bool {
 	if err == nil {
 		return false
 	}
+
+	// 已知错误列表
 	errs := []string{
 		"closed by the remote host", "too many connections",
 		"i/o timeout", "EOF", "A connection attempt failed",
@@ -136,10 +154,14 @@ func CheckErrs(err error) bool {
 		"invalid packet size",
 		"bad connection",
 	}
+
+	// 检查错误是否匹配
+	errLower := strings.ToLower(err.Error())
 	for _, key := range errs {
-		if strings.Contains(strings.ToLower(err.Error()), strings.ToLower(key)) {
+		if strings.Contains(errLower, strings.ToLower(key)) {
 			return true
 		}
 	}
+
 	return false
 }