加入hash碰撞、wmiiexec无回显命令执行

Author: shadow1ng

Plugins/NetBIOS.go

@@ -1,22 +1,44 @@
 package Plugins
 
+import "net"
+
 var PluginList = map[string]interface{}{
-	"21":       FtpScan,
-	"22":       SshScan,
-	"135":      Findnet,
-	"139":      NetBIOS,
-	"445":      SmbScan,
-	"1433":     MssqlScan,
-	"1521":     OracleScan,
-	"3306":     MysqlScan,
-	"3389":     RdpScan,
-	"5432":     PostgresScan,
-	"6379":     RedisScan,
-	"9000":     FcgiScan,
-	"11211":    MemcachedScan,
-	"27017":    MongodbScan,
-	"1000001":  MS17010,
-	"1000002":  SmbGhost,
-	"1000003":  WebTitle,
-	"10000031": WebTitle,
+	"21":      FtpScan,
+	"22":      SshScan,
+	"135":     Findnet,
+	"139":     NetBIOS,
+	"445":     SmbScan,
+	"1433":    MssqlScan,
+	"1521":    OracleScan,
+	"3306":    MysqlScan,
+	"3389":    RdpScan,
+	"5432":    PostgresScan,
+	"6379":    RedisScan,
+	"9000":    FcgiScan,
+	"11211":   MemcachedScan,
+	"27017":   MongodbScan,
+	"1000001": MS17010,
+	"1000002": SmbGhost,
+	"1000003": WebTitle,
+	"1000004": SmbScan2,
+	"1000005": WmiExec,
+}
+
+func ReadBytes(conn net.Conn) (result []byte, err error) {
+	size := 4096
+	buf := make([]byte, size)
+	for {
+		count, err := conn.Read(buf)
+		if err != nil {
+			break
+		}
+		result = append(result, buf[0:count]...)
+		if count < size {
+			break
+		}
+	}
+	if len(result) > 0 {
+		err = nil
+	}
+	return result, err
 }

Plugins/base.go

@@ -70,7 +70,7 @@ func read(text []byte, host string) error {
 	encodedStr := hex.EncodeToString(text)
 	hostnames := strings.Replace(encodedStr, "0700", "", -1)
 	hostname := strings.Split(hostnames, "000000")
-	result := "[+] NetInfo:\n[*]" + host
+	result := "[*] NetInfo:\n[*]" + host
 	for i := 0; i < len(hostname); i++ {
 		hostname[i] = strings.Replace(hostname[i], "00", "", -1)
 		host, err := hex.DecodeString(hostname[i])

Plugins/findnet.go

@@ -33,7 +33,10 @@ func Scan(info common.HostInfo) {
 		}
 		common.GC()
 		var AlivePorts []string
-		if common.Scantype == "webonly" {
+		if common.Scantype == "webonly" || common.Scantype == "webpoc" {
+			AlivePorts = NoPortScan(Hosts, info.Ports)
+		} else if common.Scantype == "hostname" {
+			info.Ports = "139"
 			AlivePorts = NoPortScan(Hosts, info.Ports)
 		} else if len(Hosts) > 0 {
 			AlivePorts = PortScan(Hosts, info.Ports, common.Timeout)
@@ -59,6 +62,11 @@ func Scan(info common.HostInfo) {
 			info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]
 			if common.Scantype == "all" || common.Scantype == "main" {
 				switch {
+				case info.Ports == "135":
+					AddScan(info.Ports, info, &ch, &wg) //findnet
+					if common.IsWmi {
+						AddScan("1000005", info, &ch, &wg) //wmiexec
+					}
 				case info.Ports == "445":
 					AddScan(ms17010, info, &ch, &wg) //ms17010
 					//AddScan(info.Ports, info, ch, &wg)  //smb

Plugins/scanner.go

@@ -0,0 +1,176 @@
+package Plugins
+
+import (
+	"fmt"
+	"github.com/shadow1ng/fscan/common"
+	"net"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/hirochachacha/go-smb2"
+)
+
+func SmbScan2(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return nil
+	}
+	hasprint := false
+	starttime := time.Now().Unix()
+	hash := common.HashBytes
+	for _, user := range common.Userdict["smb"] {
+	PASS:
+		for _, pass := range common.Passwords {
+			pass = strings.Replace(pass, "{user}", user, -1)
+			flag, err, flag2 := Smb2Con(info, user, pass, hash, hasprint)
+			if flag2 {
+				hasprint = true
+			}
+			if flag == true {
+				var result string
+				if common.Domain != "" {
+					result = fmt.Sprintf("[+] SMB2:%v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user)
+				} else {
+					result = fmt.Sprintf("[+] SMB2:%v:%v:%v ", info.Host, info.Ports, user)
+				}
+				if len(hash) > 0 {
+					result += "hash: " + common.Hash
+				} else {
+					result += pass
+				}
+				common.LogSuccess(result)
+				return err
+			} else {
+				var errlog string
+				if len(common.Hash) > 0 {
+					errlog = fmt.Sprintf("[-] smb2 %v:%v %v %v %v", info.Host, 445, user, common.Hash, err)
+				} else {
+					errlog = fmt.Sprintf("[-] smb2 %v:%v %v %v %v", info.Host, 445, user, pass, err)
+				}
+				errlog = strings.Replace(errlog, "\n", " ", -1)
+				common.LogError(errlog)
+				tmperr = err
+				if common.CheckErrs(err) {
+					return err
+				}
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.Passwords)) * common.Timeout) {
+					return err
+				}
+			}
+			if len(common.Hash) > 0 {
+				break PASS
+			}
+		}
+	}
+	return tmperr
+}
+
+func Smb2Con(info *common.HostInfo, user string, pass string, hash []byte, hasprint bool) (flag bool, err error, flag2 bool) {
+	conn, err := net.DialTimeout("tcp", info.Host+":445", time.Duration(common.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return
+	}
+	initiator := smb2.NTLMInitiator{
+		User:   user,
+		Domain: common.Domain,
+	}
+	if len(hash) > 0 {
+		initiator.Hash = hash
+	} else {
+		initiator.Password = pass
+	}
+	d := &smb2.Dialer{
+		Initiator: &initiator,
+	}
+
+	s, err := d.Dial(conn)
+	if err != nil {
+		return
+	}
+	defer s.Logoff()
+	names, err := s.ListSharenames()
+	if err != nil {
+		return
+	}
+	if !hasprint {
+		var result string
+		if common.Domain != "" {
+			result = fmt.Sprintf("[*] SMB2-shares:%v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user)
+		} else {
+			result = fmt.Sprintf("[*] SMB2-shares:%v:%v:%v ", info.Host, info.Ports, user)
+		}
+		if len(hash) > 0 {
+			result += "hash: " + common.Hash
+		} else {
+			result += pass
+		}
+		result = fmt.Sprintf("%v shares: %v", result, names)
+		common.LogSuccess(result)
+		flag2 = true
+	}
+	fs, err := s.Mount("C$")
+	if err != nil {
+		return
+	}
+	defer fs.Umount()
+	path := `Windows\win.ini`
+	f, err := fs.OpenFile(path, os.O_RDONLY, 0666)
+	if err != nil {
+		return
+	}
+	defer f.Close()
+	flag = true
+	return
+	//bs, err := ioutil.ReadAll(f)
+	//if err != nil {
+	//	return
+	//}
+	//fmt.Println(string(bs))
+	//return
+
+}
+
+//if info.Path == ""{
+//}
+//path = info.Path
+//f, err := fs.OpenFile(path, os.O_RDONLY, 0666)
+//if err != nil {
+//	return
+//}
+//flag = true
+//_, err = f.Seek(0, io.SeekStart)
+//if err != nil {
+//	return
+//}
+//bs, err := ioutil.ReadAll(f)
+//if err != nil {
+//	return
+//}
+//fmt.Println(string(bs))
+//return
+//f, err := fs.Create(`Users\Public\Videos\hello.txt`)
+//if err != nil {
+//	return
+//}
+//flag = true
+//
+//_, err = f.Write([]byte("Hello world!"))
+//if err != nil {
+//	return
+//}
+//
+//_, err = f.Seek(0, io.SeekStart)
+//if err != nil {
+//	return
+//}
+//bs, err := ioutil.ReadAll(f)
+//if err != nil {
+//	return
+//}
+//fmt.Println(string(bs))
+//return

Plugins/smb2.go

@@ -19,8 +19,13 @@ import (
 )
 
 func WebTitle(info *common.HostInfo) error {
+	if common.Scantype == "webpoc" {
+		WebScan.WebScan(info)
+		return nil
+	}
 	err, CheckData := GOWebTitle(info)
 	info.Infostr = WebScan.InfoCheck(info.Url, &CheckData)
+
 	if common.IsWebCan == false && err == nil {
 		WebScan.WebScan(info)
 	} else {
@@ -102,10 +107,12 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
 	if err != nil {
 		return err, "", CheckData
 	}
-	req.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
-	req.Header.Set("Accept", "*/*")
+	req.Header.Set("User-agent", common.UserAgent)
+	req.Header.Set("Accept", common.Accept)
 	req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
-	req.Header.Set("Cookie", common.Cookie)
+	if common.Cookie != "" {
+		req.Header.Set("Cookie", common.Cookie)
+	}
 	//if common.Pocinfo.Cookie != "" {
 	//	req.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
 	//} else {