skipped 2 lines 3 3 ![Language](https://img.shields.io/badge/Language-Golang-blue) 4 4 ![Author](https://img.shields.io/badge/Author-shadow1ng-orange) 5 5 ![GitHub stars](https://img.shields.io/github/stars/shadow1ng/fscan.svg?style=flat&logo=github) 6 - ![Version](https://img.shields.io/badge/Version-V1.7 .1 -red) 6 + ![Version](https://img.shields.io/badge/Version-V1.8 .0 -red) 7 7 ![Time](https://img.shields.io/badge/Join-20210422-green) 8 8 <!--auto_detail_badge_end_fef74f2d7ea73fcc43ff78e05b1e7451--> 9 - 10 9 11 10 # 简介 12 11 一款内网综合扫描工具,方便一键自动化、全方位漏扫扫描。 skipped 5 lines 18 17 * 端口扫描 19 18 20 19 2.爆破功能: 21 - * 各类服务爆破(ssh、smb等) 22 - * 数据库密码爆破(mysql、mssql、redis、psql等) 20 + * 各类服务爆破(ssh、smb、 rdp 等) 21 + * 数据库密码爆破(mysql、mssql、redis、psql、 oracle 等) 23 22 24 23 3.系统信息、漏洞扫描: 25 24 * netbios探测、域控识别 skipped 8 lines 34 33 5.漏洞利用: 35 34 * redis写公钥或写计划任务 36 35 * ssh命令执行 36 + * ms17017利用(植入shellcode),如添加用户等 37 37 38 38 6.其他功能: 39 39 * 文件保存 skipped 19 lines 59 59 fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块) 60 60 fscan.exe -hf ip.txt (以文件导入) 61 61 fscan.exe -u http://baidu.com -proxy 8080 (扫描单个url,并设置http代理 http://127.0.0.1:8080) 62 + fscan.exe -h 192.168.1.1/24 -nobr -nopoc (不进行爆破,不扫Web poc,以减少流量) 63 + fscan.exe -h 192.168.1.1/24 -pa 3389 (在原基础上,加入3389->rdp扫描) 64 + fscan.exe -h 192.168.1.1/24 -socks5 127.0.0.1:1080 65 + fscan.exe -h 192.168.1.1/24 -m ms17017 -sc add (可在ms17010-exp.go自定义shellcode,内置添加用户等功能) 62 66 ``` 63 67 编译命令 64 68 ``` skipped 2 lines 67 71 68 72 完整参数 69 73 ``` 70 - -Num int 71 - poc rate (default 20) 72 74 -c string 73 - exec command (ssh) 75 + ssh命令执行 74 76 -cookie string 75 - set poc cookie 76 - -debug 77 - debug mode will print more error info 77 + 设 置 cookie 78 + -debug int 79 + 多久没响应,就打印当前进度(default 60) 78 80 -domain string 79 - smb domain 81 + smb爆破模块时,设置域名 80 82 -h string 81 - IP address of the host you want to scan , for example : 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12 83 + 目 标 ip : 192.168.11.11 | 192.168.11.11-255 | 
192.168.11.11,192.168.11.12 82 84 -hf string 83 - host file, -hs ip.txt 85 + 读取文件中的目标 86 + -hn string 87 + 扫描时,要跳过的ip: -hn 192.168.1.1/24 84 88 -m string 85 - Select scan type , as : -m ssh (default "all") 89 + 设 置 扫 描 模 式 : -m ssh (default "all") 86 90 -no 87 - not to save output log 91 + 扫描结果不保存到文件中 92 + -nobr 93 + 跳过sql、ftp、ssh等的密码爆破 88 94 -nopoc 89 - not to scan web vul 95 + 跳过web poc扫描 90 96 -np 91 - not to ping 97 + 跳过存活探测 98 + -num int 99 + web poc 发包速率 (default 20) 92 100 -o string 93 - Outputfile (default "result.txt") 101 + 扫 描 结 果 保 存 到 哪 (default "result.txt") 94 102 -p string 95 - Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,443,445,1433,3306,5432,6379,7001,8000,8080,8089,9200,11211,270179098,9448,8888,82,8858,1081,8879,21502,9097,8088,8090,8200,91,1080,889,8834,8011,9986,9043,9988,7080,10000,9089,8028,9999,8001,89,8086,8244,9000,2008,8080,7000,8030,8983,8096,8288,18080,8020,8848,808,8099,6868,18088,10004,8443,8042,7008,8161,7001,1082,8095,8087,8880,9096,7074,8044,8048,9087,10008,2020,8003,8069,20000,7688,1010,8092,8484,6648,9100,21501,8009,8360,9060,85,99,8000,9085,9998,8172,8899,9084,9010,9082,10010,7005,12018,87,7004,18004,8098,18098,8002,3505,8018,3000,9094,83,8108,1118,8016,20720,90,8046,9443,8091,7002,8868,8010,18082,8222,7088,8448,18090,3008,12443,9001,9093,7003,8101,14000,7687,8094,9002,8082,9081,8300,9086,8081,8089,8006,443,7007,7777,1888,9090,9095,81,1000,18002,8800,84,9088,7071,7070,8038,9091,8258,9008,9083,16080,88,8085,801,5555,7680,800,8180,9800,10002,18000,18008,98,28018,86,9092,8881,8100,8012,8084,8989,6080,7078,18001,8093,8053,8070,8280,880,92,9099,8181,9981,8060,8004,8083,10001,8097,21000,80,7200,888,7890,3128,8838,8008,8118,9080,2100,7180,9200") 103 + 设置扫描的端口: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,139,443,445,1433,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017") 104 + -pa string 105 + 新增需要扫描的端口,-pa 3389 (会在原有端口列表基础上,新增该端口) 106 + -path string 107 + fcgi、smb romote file path 96 
108 -ping 97 - using ping replace icmp 109 + 使用ping代替icmp进行存活探测 110 + -pn string 111 + 扫描时要跳过的端口,as: -pn 445 98 112 -pocname string 99 - use the pocs these contain pocname, -pocname weblogic 113 + 指定web poc的模糊名字, -pocname weblogic 100 114 -proxy string 101 - set poc proxy , -proxy http://127.0.0.1:8080 115 + 设 置 代 理 , -proxy http://127.0.0.1:8080 116 + -user string 117 + 指定爆破时的用户名 118 + -userf string 119 + 指定爆破时的用户名文件 102 120 -pwd string 103 - password 121 + 指定爆破时的密码 104 122 -pwdf string 105 - password file 123 + 指定爆破时的密码文件 106 124 -rf string 107 - redis file to write sshkey file (as: -rf id_rsa.pub) 125 + 指 定 redis写 公 钥 用 模 块 的 文 件 (as: -rf id_rsa.pub) 108 126 -rs string 109 - redis shell to write cron file (as: -rs 192.168.1.1:6666) 127 + redis计 划 任 务 反 弹 shell的 ip 端 口 (as: -rs 192.168.1.1:6666) 128 + -silent 129 + 静默扫描,适合cs扫描时不回显 130 + -sshkey string 131 + ssh连接时,指定ssh私钥 110 132 -t int 111 - Thread nums (default 600) 133 + 扫 描 线 程 (default 600) 112 134 -time int 113 - Set timeout (default 3) 135 + 端 口 扫 描 超 时 时 间 (default 3) 114 136 -u string 115 - url 137 + 指定Url扫描 116 138 -uf string 117 - urlfile 118 - -user string 119 - username 120 - -userf string 121 - username file 139 + 指定Url文件扫描 122 140 -wt int 123 - Set web timeout (default 5) 141 + web访 问 超 时 时 间 (default 5) 142 + -pocpath string 143 + 指定poc路径 144 + -usera string 145 + 在原有用户字典基础上,新增新用户 146 + -pwda string 147 + 在原有密码字典基础上,增加新密码 148 + -socks5 149 + 指定socks5代理 (as: -socks5 socks5://127.0.0.1:1080) 150 + -sc 151 + 指定ms17010利用模块shellcode,内置添加用户等功能 (as: -sc add) 124 152 ``` 125 153 126 154 ## 运行截图 skipped 18 lines 145 173 `go run .\main.go -h 192.168.x.x/24 -m netbios(-m netbios时,才会显示完整的netbios信息)` 146 174 ![](https://github.com/shadow1ng/fscan/raw/main/image/netbios1.png) 147 175 176 + `go run .\main.go -h 192.0.0.0/8 -m icmp(探测每个C段的网关和数个随机IP,并统计top 10 B、C段存活数量)` 177 + ![img.png](https://github.com/shadow1ng/fscan/raw/main/image/live.png) 178 + 179 + 148 180 
<!--auto_detail_active_begin_e1c6fb434b6f0baf6912c7a1934f772b--> 149 181 ## 项目相关 150 182 151 183 152 184 ## 最近更新 185 + 186 + #### [v1.8.0] - 2022-07-02 187 + 188 + **更新** 189 + - 加强poc fuzz模块,支持跑备份文件、目录、shiro-key等 190 + - 新增ms17017利用,可在ms17010-exp.go自定义shellcode,内置添加用户等功能 191 + - 新增poc、指纹 192 + - 支持socks5代理 193 + - 因body指纹更全,默认不再跑ico图标 153 194 154 195 #### [v1.7.1] - 2022-04-20 155 196 skipped 7 lines
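Review bot: the module name is misspelled "ms17017" in three added lines while every other reference on the page (the `-m ms17010` usage example, the file name `ms17010-exp.go`, the `-sc` help text) uses "ms17010": the feature bullet `* ms17017利用(植入shellcode),如添加用户等`, the usage example `fscan.exe -h 192.168.1.1/24 -m ms17017 -sc add` and the changelog entry `- 新增ms17017利用,可在ms17010-exp.go自定义shellcode`. Because `-m` selects a module by name, a user who copies the example verbatim passes a name that appears nowhere else in the docs; change all three to `ms17010`.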
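Review bot: two flag changes in the 完整参数 block are not mentioned in the [v1.8.0] changelog and will break existing command lines: `-Num int` is replaced by `-num int` (case change), and `-debug` is changed from a boolean switch (`debug mode will print more error info`) to `-debug int` with a different meaning (`多久没响应,就打印当前进度(default 60)`). Add both to the v1.8.0 **更新** list so scripts that still pass `-Num 20` or a bare `-debug` get updated. The same goes for the much shorter default port list under `-p`, which silently drops most of the ports the previous default scanned.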
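Review bot: the rewritten help strings in the 完整参数 block have consistency problems. Several contain stray spaces between characters (`设 置 cookie`, `设 置 扫 描 模 式 : -m ssh`, `扫 描 线 程 (default 600)`, `目 标 ip`, `指 定 redis写 公 钥 用 模 块 的 文 件`), the `-path` entry reads `fcgi、smb romote file path` (should be `remote`), and the new `-socks5` and `-sc` entries are the only ones without the `string` type that every other entry shows. The socks5 value format also disagrees between the usage example (`-socks5 127.0.0.1:1080`) and the parameter help (`-socks5 socks5://127.0.0.1:1080`); state which form is accepted, or both. Finally, since this block presents the tool's own `-h` output, either keep it alphabetical (the new `-pocpath`, `-usera`, `-pwda`, `-socks5`, `-sc` entries are appended at the end, and `-user`/`-userf` were moved ahead of `-pwd`) or regenerate it from the actual output.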