从arl中学习到的nmap配置

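"""灯塔(ARL)里面有一个nmap扫描模块,里面有配置可以学习一下 首先上代码"""


class PortScan:
    """Assemble an nmap command line for a batch of targets and run it.

    The constructor only builds ``self.nmap_arguments``; nothing is executed
    until :meth:`run` is called.  The base arguments are ``-sT -n --open``
    (TCP connect scan, no reverse DNS, report open ports only); the rest is
    added depending on the port specification and the detection switches.

    Args:
        targets: iterable of host strings (IPs, hostnames, CIDRs).  They are
            joined with spaces and handed to nmap as its host list.
        ports: nmap port specification, e.g. ``"22,80,443"`` or
            ``"0-65535"``.  ``None`` leaves the port choice to nmap.
        service_detect: add ``-sV`` and five more minutes of host timeout.
        os_detect: add ``-O`` and four more minutes of host timeout.
        port_parallelism: value for ``--min-parallelism``; ``None`` means 32.
        port_min_rate: value for ``--min-rate``; ``None`` means 64.
        custom_host_timeout: when given and greater than 0, replaces the
            computed ``--host-timeout`` (in seconds).

    Raises:
        ValueError: if any target starts with ``-``.  The joined target
            string ends up as nmap command-line tokens, so an option-looking
            value must not be accepted as scan input.
    """

    def __init__(self, targets, ports=None, service_detect=False, os_detect=False,
                 port_parallelism=None, port_min_rate=None, custom_host_timeout=None):
        target_list = list(targets)
        # Defensive check: a target beginning with '-' would be read by nmap as
        # an option rather than a host, which would change what the scan does.
        suspicious = [t for t in target_list if str(t).startswith("-")]
        if suspicious:
            raise ValueError("targets must not look like nmap options: {}".format(suspicious))

        self.targets = " ".join(target_list)
        self.ports = ports
        self.max_hostgroup = 128
        # Ports probed by -PS when host discovery (-PE -PS) is enabled.
        self.alive_port = "22,80,443,843,3389,8007-8011,8443,9090,8080-8091,8093,8099,5000-5004,2222,3306,1433,21,25"
        self.nmap_arguments = "-sT -n --open"
        self.max_retries = 3
        self.host_timeout = 60 * 5
        # Defaults 32 / 64 (the original left None here, which would have
        # produced "--min-parallelism None" and broken max() below).
        self.parallelism = 32 if port_parallelism is None else port_parallelism
        self.min_rate = 64 if port_min_rate is None else port_min_rate

        if service_detect:
            self.host_timeout += 60 * 5
            self.nmap_arguments += " -sV"
        if os_detect:
            self.host_timeout += 60 * 4
            self.nmap_arguments += " -O"

        port_count = len(self.ports.split(",")) if self.ports else 0
        full_range = self.ports == "0-65535"
        if port_count > 60:
            # Many explicit ports: do host discovery first, fewer retries.
            self.nmap_arguments += " -PE -PS{}".format(self.alive_port)
            self.max_retries = 2
        elif not full_range:
            # Small port list: skip host discovery and probe every target.
            self.nmap_arguments += " -Pn"

        if full_range:
            # Full 0-65535 sweep: smaller host groups, a higher floor on the
            # packet rate, host discovery, more time per host, fewer retries.
            self.max_hostgroup = 8
            self.min_rate = max(self.min_rate, 400)
            self.nmap_arguments += " -PE -PS{}".format(self.alive_port)
            self.host_timeout += 60 * 2
            self.max_retries = 2

        self.nmap_arguments += " --max-rtt-timeout 800ms"
        self.nmap_arguments += " --min-rate {}".format(self.min_rate)
        self.nmap_arguments += " --script-timeout 6s"
        self.nmap_arguments += " --max-hostgroup {}".format(self.max_hostgroup)

        # A caller-supplied timeout takes precedence over the computed one.
        if custom_host_timeout is not None and int(custom_host_timeout) > 0:
            self.host_timeout = int(custom_host_timeout)
        self.nmap_arguments += " --host-timeout {}s".format(self.host_timeout)
        self.nmap_arguments += " --min-parallelism {}".format(self.parallelism)
        self.nmap_arguments += " --max-retries {}".format(self.max_retries)

    def run(self):
        """Execute the scan and collect the results per host.

        Returns:
            A list with one ``{"ip", "port_info", "os_info"}`` dict per host
            nmap reported.  ``port_info`` holds
            ``{"port_id", "service_name", "version", "product", "protocol"}``
            dicts; ``os_info`` is the first OS match above 90% accuracy, or
            ``{}``.  When a host reports more than 600 ports for one
            protocol, only 80 and 443 are kept — presumably such hosts answer
            on every port and the rest is noise.
        """
        logger.info("nmap target {} ports {} arguments {}".format(
            self.targets[:20], (self.ports or "")[:20], self.nmap_arguments))
        nm = nmap.PortScanner()
        nm.scan(hosts=self.targets, ports=self.ports, arguments=self.nmap_arguments)

        ip_info_list = []
        for host in nm.all_hosts():
            port_info_list = []
            for proto in nm[host].all_protocols():
                proto_ports = nm[host][proto]
                too_many = len(proto_ports) > 600
                for port in proto_ports:
                    if too_many and port not in (80, 443):
                        continue
                    port_info = proto_ports[port]
                    port_info_list.append({
                        "port_id": port,
                        "service_name": port_info["name"],
                        "version": port_info["version"],
                        "product": port_info["product"],
                        "protocol": proto,
                    })
            os_info = self.os_match_by_accuracy(nm[host].get("osmatch", []))
            ip_info_list.append({
                "ip": host,
                "port_info": port_info_list,
                "os_info": os_info,
            })
        return ip_info_list

    def os_match_by_accuracy(self, os_match_list):
        """Return the first OS match whose ``accuracy`` exceeds 90, else ``{}``.

        Args:
            os_match_list: nmap ``osmatch`` entries; each may carry an
                ``accuracy`` string (missing counts as ``"0"``).
        """
        for os_match in os_match_list:
            if int(os_match.get("accuracy", "0")) > 90:
                return os_match
        return {}


"""入口是run ..."""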

四月 13, 2022 · 3 分钟 · 

ksubdomain源码阅读

前两天看了amass关于dns枚举的实现,当然关于加速dns枚举的还有ksubdomain这个项目,今天花了几分钟看了下实现 阅读基于 https://github.com/boy-hack/ksubdomain/commit/9a2f2967eb8fb5c155b22393b9241f4cd6a02dc4 分析 首先从入口点开始看 https://github.com/boy-hack/ksubdomain/blob/main/cmd/ksubdomain/enum.go#L55-L109 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 Action: func(c *cli.Context) error { if c.NumFlags() == 0 { cli.ShowCommandHelpAndExit(c, "enum", 0) } var domains []string // handle domain if c.String("domain") != "" { domains = append(domains, c.String("domain")) } if c.String("domainList") != "" { dl, err := core.LinesInFile(c.String("domainList")) if err != nil { gologger.Fatalf("读取domain文件失败:%s\n", err.Error()) } domains = append(dl, domains...) } levelDict := c.String("level-dict") var levelDomains []string if levelDict != "" { dl, err := core.LinesInFile(levelDict) if err != nil { gologger.Fatalf("读取domain文件失败:%s,请检查--level-dict参数\n", err.Error()) } levelDomains = dl } else if c.Int("level") > 2 { levelDomains = core.GetDefaultSubNextData() } opt := &options.Options{ Rate: options.Band2Rate(c.String("band")), Domain: domains, FileName: c.String("filename"), Resolvers: options.GetResolvers(c.String("resolvers")), Output: c.String("output"), Silent: c.Bool("silent"), Stdin: c.Bool("stdin"), SkipWildCard: c.Bool("skip-wild"), TimeOut: c.Int("timeout"), Retry: c.Int("retry"), Method: "enum", OnlyDomain: c.Bool("only-domain"), NotPrint: c.Bool("not-print"), Level: c.Int("level"), LevelDomains: levelDomains, } opt.Check() r, err := runner.New(opt) if err != nil { gologger.Fatalf("%s\n", err.Error()) return nil } r.RunEnumeration() r.Close() return nil }, 具体的实现细节就不关注了,可以看到入口点只是读取了一些配置,继续进入 RunEnumeration 看看 ...

二月 28, 2022 · 5 分钟 · 

DeimosC2 源码阅读

花了点时间阅读了一下 https://github.com/DeimosC2/DeimosC2 项目的源代码,本文是一个简要的阅读笔记 ...

四月 16, 2021 · 5 分钟 · 

Amass项目源码阅读(整体架构)

本文写于 Amass v3.11.2,可能后续有过更多变更,但是应该整体逻辑不会有十分大的变动了 ...

二月 3, 2021 · 1 分钟 ·