-
Notifications
You must be signed in to change notification settings - Fork 75
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit d84969f
Showing
6,740 changed files
with
492,422 additions
and
0 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # Binaries for programs and plugins | ||
| *.exe | ||
| *.exe~ | ||
| *.dll | ||
| *.so | ||
| *.dylib | ||
|
|
||
| # Test binary, built with `go test -c` | ||
| *.test | ||
|
|
||
| # Output of the go coverage tool, specifically when used with LiteIDE | ||
| *.out | ||
|
|
||
| # Dependency directories (remove the comment below to include it) | ||
| # vendor/ | ||
| build/ | ||
| .idea/ | ||
|
|
||
| .DS_Store | ||
| */.DS_Store |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| # nacs | ||
| 全功能内网扫描器 | ||
|
|
||
| # 功能 | ||
| - 探活 | ||
| - 服务扫描(常规&非常规端口) | ||
| - poc探测(xray&nuclei格式) | ||
| - 数据库等弱口令爆破 | ||
| - 内网常见漏洞利用 | ||
|
|
||
| # 利用过程(部分未实现) | ||
| 环境配置 | ||
| 弱口令配置、要写入的公钥、反弹的地址、DNSLog的地址等 | ||
| 探活 | ||
| icmp ping | ||
| 资产初筛 | ||
| 确定哪个端口对应哪种服务,尤其注意非常规端口 | ||
| 漏洞打点 | ||
| 可以RCE的非web服务 进行探测或者利用(redis、永恒之蓝等) | ||
| web服务 扫poc | ||
| 非web服务 未授权及爆破 | ||
| web服务 自动爆破登录 | ||
| 重点服务 OA、VPN、Weblogic、蜜罐等 | ||
|  | ||
|
|
||
| # 使用方法 | ||
| 快速使用 | ||
| ```shell | ||
| ./nacs -h IP或IP段 | ||
| ./nacs -hf IP或IP段的文件 | ||
| ``` | ||
| 常用参数 | ||
| ```shell | ||
| -np 不探活 | ||
| -xraypocpath xray(v1)的poc路径 格式为"web/pocs/" | ||
| -nucleipocpath nuclei的poc路径 格式为"xxx/pocs/**" | ||
| -nopoc 不进行poc探测, 包括xray与nuclei | ||
| -nonuclei [强烈建议加上此参数!!!]不使用nuclei进行探测, 因为nuclei的poc太多了 | ||
| -nobrute 不进行爆破 | ||
| -pocdebug poc探测时打印全部信息 | ||
| -brutedebug 爆破时打印全部信息 | ||
| -useradd 爆破时添加用户名 | ||
| -passwordadd 爆破时添加密码 | ||
| ``` | ||
|
|
||
| # 他山之石 | ||
| - [x] fscan https://github.com/shadow1ng/fscan 专注于内网 web和服务的poc 服务的爆破 | ||
| - [x] kscan https://github.com/lcvvvv/kscan 专注于信息收集 能探测到非常规端口开的服务 比如2222的ssh | ||
| - [x] dismap https://github.com/zhzyker/dismap 资产收集 | ||
| - [ ] Ladon https://github.com/k8gege/LadonGo | ||
| - [x] xray https://github.com/chaitin/xray 主动/被动扫常见web漏洞 扫poc | ||
| - [ ] goby https://cn.gobies.org/ | ||
| - [x] vulmap https://github.com/zhzyker/vulmap | ||
| - [ ] nali https://github.com/zu1k/nali 查询IP地理信息和CDN提供商 | ||
| - [ ] ehole https://github.com/EdgeSecurityTeam/EHole 重点攻击系统指纹探测 暂时不能用了 | ||
| - [x] Nuclei https://github.com/projectdiscovery/nuclei 基于poc的快速扫描 | ||
| - [x] pocV https://github.com/WAY29/pocV 能扫描xray和nuclei的poc | ||
| - [x] afrog https://github.com/zan8in/afrog CVE、CNVD、默认口令、信息泄露、指纹识别、未授权访问、任意文件读取、命令执行 | ||
| - [ ] woodpecker https://github.com/Ciyfly/woodpecker | ||
| - [x] xray-poc-scan-engine https://github.com/h1iba1/xray-poc-scan-engine | ||
| - [x] pocassist https://github.com/jweny/pocassist 可视化编辑导入和运行 | ||
| - [ ] Aopo https://github.com/ExpLangcn/Aopo | ||
| - [x] SpringExploit https://github.com/SummerSec/SpringExploit | ||
|
|
||
| # TODO | ||
| - [ ] 支持xrayV2, 本来想参考pocV, 不过不太稳定, 暂时先用fscan的v1版本 | ||
| - [ ] 弱口令自动生成, 根据前缀、后缀、已获得信息等来动态补充爆破的字典 | ||
| - [ ] 常见Spring漏洞的自动利用 | ||
| - [ ] 简单的web登录服务自动探测接口及参数实现爆破 | ||
| - [ ] 完善日志输出功能(目前几乎没实现输出到文件的功能) | ||
| - [ ] ... | ||
|
|
||
| 三五天写出来的, 肯定存在大量bug, 但目前基本使用是没问题的, 师傅们多多提建议! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| rm -rf build/* | ||
| mkdir -p build/pocs | ||
| mkdir build/nacs_linux_amd64 | ||
| mkdir build/nacs_darwin_amd64 | ||
| mkdir build/nacs_darwin_arm64 | ||
| mkdir build/nacs_win_amd64 | ||
| CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w " -trimpath -o build/nacs_linux_amd64/nacs | ||
| CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags="-s -w " -trimpath -o build/nacs_win_amd64/nacs | ||
| CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w " -trimpath -o build/nacs_darwin_amd64/nacs | ||
| CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags="-s -w " -trimpath -o build/nacs_darwin_arm64/nacs | ||
| cp -r web/pocv1/pocs build/pocs/xrayv1 | ||
| cp -r web/poc/pocs/nuclei build/pocs/nuclei | ||
| cd build/ | ||
| cp -r pocs nacs_linux_amd64 | ||
| cp -r pocs nacs_darwin_amd64 | ||
| cp -r pocs nacs_darwin_arm64 | ||
| cp -r pocs nacs_win_amd64 | ||
| tar -zcvf nacs_darwin_amd64.tar.gz nacs_darwin_amd64 | ||
| tar -zcvf nacs_darwin_arm64.tar.gz nacs_darwin_arm64 | ||
| tar -zcvf nacs_linux_amd64.tar.gz nacs_linux_amd64 | ||
| zip -q -r nacs_win_amd64.zip nacs_win_amd64 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,169 @@ | ||
| package common | ||
|
|
||
| import ( | ||
| xray_structs "nacs/web/poc/pkg/xray/structs" | ||
| "net/http" | ||
| ) | ||
|
|
||
| var version = "0.0.1" | ||
|
|
||
| type InputInfoStruct struct { | ||
| Host string | ||
| HostFile string | ||
| PortsAdd string | ||
| PortsOnly string | ||
| Mode string | ||
| OutputFileName string | ||
|
|
||
| SkipHost string | ||
| LiveTop int | ||
| Silent bool | ||
| NoSave bool | ||
| NoColor bool | ||
| LogLevel int | ||
| Thread int | ||
| NoProbe bool | ||
|
|
||
| Proxy string | ||
| Timeout int | ||
| DiscoverMode string | ||
| DiscoverType string | ||
| OutJson string | ||
|
|
||
| CeyeKey string | ||
| CeyeDomain string | ||
|
|
||
| NucleiPocPath string | ||
| FscanPocPath string | ||
| PocRate int | ||
| PocDebug bool | ||
| PocThread int | ||
| PocTimeout int | ||
|
|
||
| BruteTimeout int | ||
|
|
||
| NoNuclei bool | ||
|
|
||
| NoPoc bool | ||
| NoBrute bool | ||
|
|
||
| Command string | ||
| SSHKey string | ||
|
|
||
| PasswordAdd string | ||
| UsernameAdd string | ||
|
|
||
| BruteThread int | ||
| BruteDebug bool | ||
| BruteSocks5Proxy string | ||
| RedisFile string | ||
| RedisShell string | ||
| } | ||
| type FileInfoStruct struct { | ||
| } | ||
|
|
||
| type RunningInfoStruct struct { | ||
| OutputFileName string | ||
| Hosts []string | ||
| Ports []int | ||
| // 不变 | ||
| NoProbe bool | ||
| HostFile string | ||
| SkipHost string | ||
| LiveTop int | ||
| Silent bool | ||
| NoSave bool | ||
| NoColor bool | ||
| LogLevel int | ||
| Thread int | ||
|
|
||
| ProxySchema string | ||
| ProxyHost string | ||
| ProxyProxy string | ||
| ProxyErr error | ||
|
|
||
| DiscoverTimeout int | ||
| DiscoverMode string | ||
| DiscoverType string | ||
|
|
||
| OutJson string | ||
|
|
||
| CeyeApi string | ||
| CeyeDomain string | ||
| ReversePlatformType xray_structs.ReverseType | ||
| DnslogCNGetDomainRequest *http.Request | ||
| DnslogCNGetRecordRequest *http.Request | ||
|
|
||
| NucleiPocPath string | ||
| FscanPocPath string | ||
| PocTimeout int | ||
| PocRate int | ||
| PocDebug bool | ||
| PocThread int | ||
| PocSocks5Proxy string | ||
|
|
||
| NoNuclei bool | ||
|
|
||
| NoPoc bool | ||
| NoBrute bool | ||
|
|
||
| Command string | ||
| SSHKey string | ||
| BruteTimeout int | ||
| BruteDebug bool | ||
| BruteThread int | ||
| BruteSocks5Proxy string | ||
| RedisFile string | ||
| RedisShell string | ||
| } | ||
|
|
||
| var InputInfo InputInfoStruct | ||
| var RunningInfo RunningInfoStruct | ||
|
|
||
| var AliveHosts []string | ||
| var DefaultPorts = []int{21, 22, 25, 53, 69, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 110, 135, 137, 138, 139, 143, 389, 443, 445, 554, 587, 631, 800, 801, 808, 880, 888, 1000, 1024, 1025, 1080, 1099, 1389, 1433, 1521, 2000, 2001, 2222, 2601, 3306, 3307, 3308, 3309, 3388, 3389, 3443, 5432, 5800, 5900, 6379, 7000, 7001, 7007, 7010, 7788, 8000, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8008, 8009, 8010, 8011, 8030, 8060, 8070, 8080, 8081, 8082, 8083, 8084, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8099, 8161, 8175, 8188, 8189, 8443, 8445, 8448, 8554, 8800, 8848, 8880, 8881, 8888, 8899, 8983, 8989, 9000, 9001, 9002, 9008, 9010, 9043, 9060, 9080, 9081, 9082, 9083, 9084, 9085, 9086, 9087, 9088, 9089, 9090, 9091, 9092, 9093, 9094, 9095, 9096, 9097, 9099, 9443, 9448, 9600, 9628, 9800, 9899, 9981, 9986, 9988, 9998, 9999, 11001, 11211, 13443, 15000, 20000, 27017, 33890, 45554, 49155, 49156, 50050, 61616} | ||
|
|
||
| var DefaultHeader = map[string]string{ | ||
| "Accept-Language": "zh,zh-TW;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6", | ||
| "User-agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36", | ||
| "Cookie": "rememberMe=int", | ||
| } | ||
|
|
||
| var DiscoverResultStruct = map[string]interface{}{ | ||
| "status": "", // open | ||
| "banner.byte": "", // | ||
| "banner.string": "", // | ||
| "protocol": "", // ssh http https redis | ||
| "type": "", // tcp tls udp | ||
| "host": "", // IP地址 | ||
| "port": "", // | ||
| "uri": "", // | ||
| "note": "", // | ||
| "path": "", | ||
| "identify.bool": false, // 是否匹配到服务 | ||
| "identify.string": "", // 匹配到服务的关键词 | ||
| } | ||
|
|
||
| var DiscoverResults = make([]map[string]interface{}, 0) | ||
|
|
||
| //var DiscoverResults []interface{} | ||
|
|
||
| //type DiscoverResultStruct struct { | ||
| // | ||
| //} | ||
| // | ||
| //var DiscoverResults = []DiscoverResultStruct | ||
|
|
||
| var Userdict = map[string][]string{ | ||
| "ftp": {"ftp", "admin", "www", "web", "root", "db", "wwwroot", "data"}, | ||
| "mysql": {"root", "mysql"}, | ||
| "mssql": {"sa", "sql"}, | ||
| "smb": {"administrator", "admin", "guest"}, | ||
| "rdp": {"administrator", "admin", "guest"}, | ||
| "postgresql": {"postgres", "admin"}, | ||
| "ssh": {"root", "admin"}, | ||
| "mongodb": {"root", "admin"}, | ||
| "oracle": {"sys", "system", "admin", "test", "web", "orcl"}, | ||
| } | ||
|
|
||
| var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "{user}@123#4", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "123456!a", "000000", "1234567890", "8888888", "888888", "88888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "1qaz!QAZ", "2wsx@WSX", "qwe123!@#", "Aa123456!", "A123456s!", "sa123456", "1q2w3e", "Charge123", "Aa123456789"} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| package common | ||
|
|
||
| import "fmt" | ||
|
|
||
| func PrintBanner() { | ||
| banner := ` _ _ ___ ___ ___ | ||
| | \| | / \ / __| / __| | ||
| | . | | - | | (__ \__ \ | ||
| |_|\_| |_|_| \___| |___/ | ||
| Version: ` + version | ||
| fmt.Println(banner) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| package discover | ||
|
|
||
| import ( | ||
| "nacs/common" | ||
| "nacs/discover/parse" | ||
| "nacs/discover/protocol" | ||
| "nacs/utils/logger" | ||
| "strconv" | ||
| "strings" | ||
| "sync" | ||
| ) | ||
|
|
||
| func Discover() { | ||
|
|
||
| thread := common.RunningInfo.Thread | ||
| ports := common.DefaultPorts | ||
| actualHosts := common.AliveHosts | ||
|
|
||
| wg := &sync.WaitGroup{} | ||
|
|
||
| Args := make(map[string]interface{}) | ||
| Args["Timeout"] = common.RunningInfo.DiscoverTimeout | ||
| Args["Mode"] = common.RunningInfo.DiscoverMode | ||
| Args["Type"] = common.RunningInfo.DiscoverType | ||
|
|
||
| logger.Info("Start to discover the ports") | ||
| intSyncThread := 0 | ||
| intAll := 0 | ||
| intIde := 0 | ||
| for _, host := range actualHosts { | ||
| for _, port := range ports { | ||
| wg.Add(1) | ||
| intSyncThread++ | ||
| go func(host string, port int, Args map[string]interface{}) { | ||
| res := protocol.Discover(host, port, Args) | ||
| if res["status"].(string) == "open" { | ||
| intAll++ | ||
| parse.VerboseParse(res) | ||
| //output.JsonOutput(res, "save") | ||
| common.DiscoverResults = append(common.DiscoverResults, res) | ||
| if strings.Contains(res["uri"].(string), "://") { | ||
| intIde++ | ||
| } | ||
| } | ||
| wg.Done() | ||
| }(host, port, Args) | ||
| if intSyncThread >= thread { | ||
| intSyncThread = 0 | ||
| wg.Wait() | ||
| } | ||
| } | ||
| } | ||
| wg.Wait() | ||
| logger.Info(logger.LightGreen("A total of ") + | ||
| logger.White(strconv.Itoa(intAll)) + | ||
| logger.LightGreen(" targets, the rule base hits ") + | ||
| logger.White(strconv.Itoa(intIde)) + | ||
| logger.LightGreen(" targets")) | ||
| //output.JsonOutput(make(map[string]interface{}), "write") | ||
| } |
Oops, something went wrong.