性能优化 2.5.5

README.md

@@ -7,6 +7,7 @@
    <a href="/static/scenario.md">使用场景</a> •
    <a href="/static/pocs.md">POC列表</a> •
    <a href="/static/development.md">自定义扫描</a>
+   <a href="/static/NicePwn.md">最佳实践</a>
 </p>
 
 # 特性

config/config.json

@@ -56,18 +56,18 @@
   "naabu_dns": {},
   "naabu": {"TopPorts": "1000","ScanAllIPS": true,"Threads": 25},
   "priorityNmap": true,
-  "enableNuclei": false,
+  "enableNuclei": true,
   "nuclei": {
     "RateLimit": 150,
     "BulkSize":64,
     "TemplateThreads": 64,
     "HeadlessBulkSize": 10,
     "DisableRedirects": true,
-    "HeadlessTemplateThreads": 10
+    "HeadlessTemplateThreads": 10,
+    "ReportingConfig": "config/nuclei_esConfig.yaml"
   },
   "enablEmbedYaml": true,
   "enablFileFuzz": true,
-  "enablNmapStdIO": false,
   "httpx": {
     "Pipeline": false,
     "HTTP2Probe": false,

config/config_me.json

@@ -55,19 +55,19 @@
   "KsubdomainRegxp": "([0-9a-zA-Z\\-]+\\.[0-9a-zA-Z\\-]+)$",
   "naabu_dns": {},
   "naabu": {"TopPorts": "1000","ScanAllIPS": true,"Threads": 64},
-  "enableNuclei": false,
+  "enableNuclei": true,
   "nuclei": {
     "RateLimit": 150,
     "BulkSize":64,
     "TemplateThreads": 64,
     "HeadlessBulkSize": 10,
     "DisableRedirects": true,
-    "HeadlessTemplateThreads": 10
+    "HeadlessTemplateThreads": 10,
+    "ReportingConfig": "config/nuclei_esConfig.yaml"
   },
   "priorityNmap": true,
   "enablEmbedYaml": true,
   "enablFileFuzz": true,
-  "enablNmapStdIO": false,
   "httpx": {
     "Pipeline": false,
     "HTTP2Probe": true,

config/doNmapScan.sh

@@ -4,9 +4,9 @@ function doMasScan {
     if [[ -f $1 ]] ; then
         # -F --top-ports=65535
         #  -p 80,443
-        echo $PPSSWWDD|sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4  -iL $1 -oX $2
+        echo $PPSSWWDD|sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4  -iL $1 -oX $2
     else
-        echo $PPSSWWDD|sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4  $1 -oX $2
+        echo $PPSSWWDD|sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4  $1 -oX $2
     fi
 }
 doMasScan $1 $2

config/initEs.sh

@@ -1,6 +1,6 @@
-config/CreateEs.sh nmap
-config/CreateEs.sh naabu
-config/CreateEs.sh httpx
-config/CreateEs.sh nuclei
-config/CreateEs.sh vscan
-config/CreateEs.sh hydra
+~/MyWork/scan4all/config/CreateEs.sh nmap
+~/MyWork/scan4all/config/CreateEs.sh naabu
+~/MyWork/scan4all/config/CreateEs.sh httpx
+~/MyWork/scan4all/config/CreateEs.sh nuclei
+~/MyWork/scan4all/config/CreateEs.sh vscan
+~/MyWork/scan4all/config/CreateEs.sh hydra

go.mod

@@ -92,6 +92,8 @@ require (
 	github.com/go-sql-driver/mysql v1.6.0
 	github.com/google/cel-go v0.11.4
 	github.com/google/go-github v17.0.0+incompatible
+	github.com/gorilla/websocket v1.5.0
+	github.com/gosnmp/gosnmp v1.35.0
 	github.com/huin/asn1ber v0.0.0-20120622192748-af09f62e6358
 	github.com/icodeface/tls v0.0.0-20190904083142-17aec93c60e5
 	github.com/jlaffaye/ftp v0.0.0-20190624084859-c1312a7102bf
@@ -165,7 +167,6 @@ require (
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gorilla/css v1.0.0 // indirect
-	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/gosuri/uilive v0.0.4 // indirect
 	github.com/gosuri/uiprogress v0.0.1 // indirect
 	github.com/h2non/filetype v1.1.3 // indirect

go.sum

@@ -348,6 +348,8 @@ github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
 github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gosnmp/gosnmp v1.35.0 h1:EuWWNPxTCdAUx2/NbQcSa3WdNxjzpy4Phv57b4MWpJM=
+github.com/gosnmp/gosnmp v1.35.0/go.mod h1:2AvKZ3n9aEl5TJEo/fFmf/FGO4Nj4cVeEc5yuk88CYc=
 github.com/gosuri/uilive v0.0.4 h1:hUEBpQDj8D8jXgtCdBu7sWsy5sbW/5GhuO8KBwJ2jyY=
 github.com/gosuri/uilive v0.0.4/go.mod h1:V/epo5LjjlDE5RJUcqx8dbw+zc93y5Ya3yg8tfZ74VI=
 github.com/gosuri/uiprogress v0.0.1 h1:0kpv/XY/qTmFWl/SkaJykZXrBBzwwadmW8fRb7RJSxw=

main.go

@@ -40,7 +40,7 @@ func main() {
 	if options.Debug {
 		// debug 优化时启用///////////////////////
 		go func() {
-			fmt.Println("debug info: \nopen http://127.0.0.1:6060/debug/pprof/")
+			fmt.Println("debug info: \nopen http://127.0.0.1:6060/debug/pprof/\n\ngo tool pprof -seconds=10 -http=:9999 http://localhost:6060/debug/pprof/heap")
 			http.ListenAndServe(":6060", nil)
 		}()
 		//////////////////////////////////////////*/

nuclei_Yaml/nuclei_yaml.go

@@ -64,6 +64,8 @@ func RunNuclei(buf *bytes.Buffer, xx chan bool) {
 	if nucleiRunner == nil {
 		return
 	}
+	//data, _ := json.Marshal(options)
+	//log.Printf("%+v", string(data))
 	if err := nucleiRunner.RunEnumeration(); err != nil {
 		if options.Validate {
 			gologger.Fatal().Msgf("Could not validate templates: %s\n", err)

pkg/config.go

@@ -131,7 +131,11 @@ func GetVal4Filedefault(key, szDefault string) string {
 	return s
 }
 
+var SzPwd string
+
 func Init() {
+	pwd, _ := os.Getwd()
+	SzPwd = pwd
 	var ConfigName = "config/config.json"
 	config := viper.New()
 	config.AddConfigPath("./")
@@ -160,6 +164,7 @@ func Init() {
 	}
 	config.Unmarshal(&mData)
 	viper.Set("Verbose", false)
+	initEs()
 }
 
 var G_Options interface{}
@@ -175,7 +180,7 @@ func GetNmap() string {
 var hvNmap = false
 
 func CheckHvNmap() bool {
-	if runtime.GOOS == "windows" || "true" != GetVal("priorityNmap") {
+	if runtime.GOOS == "windows" || "true" != GetValByDefault("priorityNmap", "true") {
 		return false
 	}
 	if hvNmap {
@@ -207,10 +212,8 @@ func doReadBuff(buf *bytes.Buffer) string {
 func DoCmd(args ...string) (string, error) {
 	cmd := exec.Command(args[0], args[1:]...)
 	var stdout, stderr bytes.Buffer
-	if "true" == GetValByDefault("enablNmapStdIO", "false") {
-		cmd.Stdout = &stdout // 标准输出
-		cmd.Stderr = &stderr // 标准错误
-	}
+	cmd.Stdout = &stdout // 标准输出
+	cmd.Stderr = &stderr // 标准错误
 	err := cmd.Run()
 	outStr, errStr := doReadBuff(&stdout), doReadBuff(&stderr)
 	// out, err := cmd.CombinedOutput()

pkg/hydra/cracker.go

@@ -11,6 +11,7 @@ import (
 	"github.com/hktalent/scan4all/pkg/hydra/rdp"
 	"github.com/hktalent/scan4all/pkg/hydra/redis"
 	"github.com/hktalent/scan4all/pkg/hydra/smb"
+	"github.com/hktalent/scan4all/pkg/hydra/snmp"
 	"github.com/hktalent/scan4all/pkg/hydra/ssh"
 	"github.com/hktalent/scan4all/pkg/hydra/telnet"
 	"github.com/hktalent/scan4all/pkg/kscan/core/slog"
@@ -135,6 +136,18 @@ func redisCracker(i interface{}) interface{} {
 	return nil
 }
 
+func snmpCracker(i interface{}) interface{} {
+	info := i.(AuthInfo)
+	info.Auth.MakePassword()
+	// info.IPAddr, info.Auth.Username, info.Auth.Password, info.Port
+
+	if err, ok := snmp.ScanSNMP(&snmp.Service{Ip: info.IPAddr, Port: info.Port, Username: info.Auth.Username, Password: info.Auth.Password}); nil != ok && ok.Result {
+		slog.Printf(slog.DEBUG, "snmp://%s:%s@%s:%d:%s", info.Auth.Username, info.Auth.Password, info.IPAddr, info.Port, err)
+		info.Status = true
+		return info
+	}
+	return nil
+}
 func ftpCracker(i interface{}) interface{} {
 	info := i.(AuthInfo)
 	info.Auth.MakePassword()

pkg/hydra/dicts/ssh_user.txt

@@ -1,2 +1,3 @@
 root
-admin
+admin
+public

pkg/hydra/doNmapResult.go

@@ -68,7 +68,7 @@ func DoParseXml(s string, bf *bytes.Buffer) {
 						}
 					}
 				}
-				fmt.Printf("%s\t%d\t%s\n", ip, port, service)
+				log.Printf("%s\t%d\t%s\n", ip, port, service)
 			}
 		}
 	}

pkg/hydra/hydra.go

@@ -20,7 +20,7 @@ type Cracker struct {
 var (
 	DefaultAuthMap map[string]*AuthList
 	CustomAuthMap  *AuthList
-	ProtocolList   = strings.Split("rdp,ssh,rsh-spx,mysql,mssql,oracle,postgresql,redis,ftp,mongodb,smb,telnet", ",")
+	ProtocolList   = strings.Split("rdp,ssh,rsh-spx,mysql,mssql,oracle,postgresql,redis,ftp,mongodb,smb,telnet,snmp", ",")
 )
 
 func NewCracker(info *AuthInfo, isAuthUpdate bool, threads int) *Cracker {
@@ -97,6 +97,8 @@ func (c *Cracker) Run() {
 		c.Pool.Function = telnetCracker(serverType)
 	case "ftp":
 		c.Pool.Function = ftpCracker
+	case "snmp":
+		c.Pool.Function = snmpCracker
 	case "mongodb":
 		c.Pool.Function = mongodbCracker
 	case "redis":

pkg/hydra/loadDicts.go

@@ -125,6 +125,7 @@ func init() {
 		DefaultUp: pkg.GetVal4Filedefault("ssh_default", ssh_default),
 	}
 	md["rsh-spx"] = md["ssh"]
+	md["snmp"] = md["ssh"]
 	md["mongodb"] = PPDict{
 		Username:  pkg.GetVal4File("mongodb_username", mongodbusername),
 		Paswd:     pkg.GetVal4File("mongodb_pswd", mongodb_pswd),

pkg/hydra/snmp/snmp.go

@@ -1,5 +1,45 @@
-package main
+package snmp
 
-func main() {
-	$END$
+import (
+	"github.com/gosnmp/gosnmp"
+)
+
+type IpAddr struct {
+	Ip       string
+	Port     int
+	Protocol string
+}
+type Service struct {
+	Ip       string
+	Port     int
+	Protocol string
+	Username string
+	Password string
+}
+type ScanResult struct {
+	Service *Service
+	Result  bool
+}
+
+// default port: 161/162,
+// more see: https://nmap.org/book/scan-methods-udp-scan.html
+func ScanSNMP(s *Service) (err error, result *ScanResult) {
+	result.Service = s
+	result.Service.Username = s.Username // default public
+	result.Service.Password = s.Password // default public
+	gosnmp.Default.Target = s.Ip
+	gosnmp.Default.Port = uint16(s.Port)
+	gosnmp.Default.Community = result.Service.Password
+	gosnmp.Default.Timeout = 10
+
+	err = gosnmp.Default.Connect()
+	if err == nil {
+		oids := []string{"1.3.6.1.2.1.1.4.0", "1.3.6.1.2.1.1.7.0"}
+		_, err := gosnmp.Default.Get(oids)
+		if err == nil {
+			result.Result = true
+		}
+	}
+
+	return err, result
 }

pkg/naabu/v2/pkg/runner/runner.go

@@ -53,6 +53,9 @@ var Naabubuffer = bytes.Buffer{}
 func (r *Runner) Httpxrun() error {
 	httpxrunner.Naabubuffer = Naabubuffer
 	var nucleiDone = make(chan bool)
+	defer func() {
+		<-nucleiDone
+	}()
 	// 集成nuclei
 	//log.Println("httpxrunner.Naabubuffer = ", httpxrunner.Naabubuffer.String())
 	//Naabubuffer1 := bytes.Buffer{}
@@ -114,7 +117,7 @@ func (r *Runner) Httpxrun() error {
 	rx.RunEnumeration()
 	rx.Close()
 	// wait nuclei
-	<-nucleiDone
+
 	return nil
 }
 

pkg/naabu/v2/pkg/runner/targets.go

@@ -151,16 +151,19 @@ func (r *Runner) DoTargets() (bool, error) {
 	}
 	a = nil
 	aR = pkg.RemoveDuplication_map(aR)
-	//log.Printf("%+v", aR)
-	ioutil.WriteFile(r.targetsFile, []byte(strings.Join(aR, "\n")), os.ModePerm)
+	//log.Printf("DoTargets:: %+v", aR)
+	err = ioutil.WriteFile(r.targetsFile, []byte(strings.Join(aR, "\n")), os.ModePerm)
+	if nil != err {
+		log.Println("ioutil.WriteFile(r.targetsFile err: ", err)
+	}
 	// 有nmap那么就直接调用nmap了
 	bRw := false
 	if pkg.CheckHvNmap() {
 		bRw = true
 		tempInput1, err := ioutil.TempFile("", "stdin-out-*")
 		if err == nil {
 			defer tempInput1.Close()
-			x := "config/doNmapScan.sh " + r.targetsFile + " " + tempInput1.Name()
+			x := pkg.SzPwd + "/config/doNmapScan.sh " + r.targetsFile + " " + tempInput1.Name()
 			log.Println(x)
 			ss, err := pkg.DoCmd(strings.Split(x, " ")...)
 			s0 := tempInput1.Name()
@@ -193,7 +196,11 @@ func (r *Runner) DoTargets() (bool, error) {
 			} else {
 				log.Println("DoCmd: ", err)
 			}
+		} else {
+			log.Println("ioutil.TempFile ", err)
 		}
+	} else {
+		log.Println(" pkg.CheckHvNmap() false")
 	}
 	if bRw {
 		ioutil.WriteFile(r.targetsFile, []byte(strings.Join(aR, "\n")), os.ModePerm)
@@ -204,6 +211,8 @@ func (r *Runner) DoTargets() (bool, error) {
 func (r *Runner) PreProcessTargets() error {
 	if b11, _ := r.DoTargets(); b11 {
 		return nil
+	} else {
+		log.Println("r.DoTargets 不正常，走naabu")
 	}
 	if r.options.Stream {
 		defer close(r.streamChannel)
@@ -333,6 +342,9 @@ func (r *Runner) DoDns(target string) {
 		} else {
 			log.Println(" r.scanner.IPRanger.AddHostWithMetadata add ", ip, " ", target)
 		}
+		if ip == target && len(ip) != len(target) {
+			log.Println("please reTry, Your current network is not good")
+		}
 	}
 }
 

pkg/sv2es.go

@@ -18,12 +18,12 @@ var nThreads chan struct{}
 var esUrl string
 var enableEsSv string
 
-func init() {
-	enableEsSv = GetVal("enableEsSv")
+func initEs() {
+	enableEsSv = GetValByDefault("enableEsSv", "true")
 	if "true" == enableEsSv {
-		esUrl = GetVal("esUrl")
+		esUrl = GetValByDefault("esUrl", "http://127.0.0.1:9200/%s_index/_doc/%s")
 		n1, _ = strconv.Atoi(GetValByDefault("esthread", "4"))
-		//log.Println("es 初始化线程数 = ", n1)
+		log.Printf("es 初始化线程数 = %d, esUrl = %s", n1, esUrl)
 		nThreads = make(chan struct{}, n1)
 	}
 }
@@ -61,7 +61,9 @@ func SendReq(data1 interface{}, id, szType string) {
 	defer func() {
 		<-nThreads
 	}()
+	//log.Println("esUrl = ", esUrl)
 	url := fmt.Sprintf(esUrl, szType, url.QueryEscape(id))
+	//log.Println("url = ", url)
 	req, err := http.NewRequest("POST", url, bytes.NewReader(data))
 	if err != nil {
 		Log(fmt.Sprintf("%s error %v", id, err))
@@ -92,8 +94,8 @@ func SendReq(data1 interface{}, id, szType string) {
 	}
 
 	body, err := ioutil.ReadAll(resp.Body)
-	if nil == err {
-		Log(body)
+	if nil == err && 0 < len(body) {
+		//Log("Es save result ", string(body))
 	} else {
 		Log(err)
 	}