gogo Notes
Quick Start
Minimal usage
Run the default scan against a given subnet and print the results to the command line
gogo -i 192.168.1.1/24 -p win,db,top2 -f xxx.dat -v -e -t 1000
Full scan of all default port groups
gogo -i 192.168.1.1/24 -f xxx.dat -p http,common,db,brute,in,rce,win,info,oracle-ftp,socks,smb -v -e -t 1000
Common commands
Full-port scan
gogo -i 192.168.1.20 -p - -f xxx.dat
Scan multiple targets from a list file
gogo -l ip.txt -f test.dat
Filter a results file
gogo -F .\xxx.dat --filter title::登录
Convert the output format
gogo -F .\xxx.dat -o csv -f xxx.csv
gogo Official Manual
Without the -f option, output goes to the command line instead of a file.
Usage:
  E:\STTools\_RIN_Tools\0x03扫描器\【综合扫描】gogo\gogo_windows_amd64.exe [OPTIONS]
Miscellaneous options:
  -k, --key=            String, file encryption key
  --version             Bool, show version
  -P, --print=[port|workflow|neutron|extract]  String, show preset configuration
  --debug               Bool, show debug information
  --plugin-debug        Bool, show plugin debug stack
  --proxy=              String, socks5 proxy URL, e.g. socks5://127.0.0.1:11111
Input options:
  -i, --ip=             IP/CIDR, comma-separated ip/cidr supported, e.g. 192.168.1.1/24,172.16.1.1/24
  -p, --port=           Ports; supports comma-separated presets ('-P port' shows all presets), ranges and port aliases, e.g. top2,mysql,12345,10000-10100,oxid,smb (default: top1)
  -l, --list=           File, list of IP/CIDR
  -L                    Bool, same as -l but read from stdin
  -j, --json=           File, a previous result file, e.g. -j 1.dat1, or a colon-separated ip:port list, e.g. 123.123.123.123:123
  -J                    Bool, same as -j but read from stdin
  --filter-or           FilterOr
  -w, --workflow=       String, workflow name ('-P workflow' shows all workflows)
  -W                    Bool, same as -w but read from stdin
  -F, --format=         File, result file to format
  --filter=             String, filter applied to the formatted (-F) results
Output options:
  -f, --file=           String, output file name
  --path=               String, output file path
  -o, --output=         String, cmdline output format, default: full (default: default)
  -O, --file-output=    String, file output format, default: jsonlines (default: default)
  --output-filter=      String, filter output while scanning
  --output-delimiter=   String, output delimiter, default [TAB] (default: "\t")
  --af                  Bool, auto-select file name
  --hf                  Bool, auto-select a hidden file name
  -C, --compress        Bool, disable compression of the output file
  --tee                 Bool, keep console output
  -q, --quiet           Bool, disable log output
  --no-guess            Bool, do not output guessed frameworks when formatting
Smart options:
  -m, --mod=[s|ss|default|sc]  String, smart mode (default: default)
  --ping                Bool, alive pre-scan
  -n, --no              Bool, smart scan only, return before the default scan task
  --sp=                 String, smart-port-probe; smart mode default: 80, supersmart mode default: icmp (default: default)
  --ipp=                String, IP-probe, default: 1,254 (default: default)
Advanced options:
  -s, --spray           Bool, enable the port-first spray generator; enabled automatically if the port count > 500
  --no-spray            Bool, force spray off
  -E, --exploit-name=   String, specify the neutron template name
  --ef=                 String, load the specified template file
  --payload=            String, specify the neutron payload
  --attack-type=[pitchfork|clusterbomb|sniper]  String, neutron attack type: sniper|clusterbomb|pitchfork
  --extract=            String, custom extraction regular expression
Config options:
  -e, --exploit         Bool, enable neutron vulnerability scan
  -v, --verbose         Bool, enable active fingerprint scan
  -t, --thread=         Int, number of concurrent threads; linux default: 4000, windows default: 1000
  -d, --timeout=        Int, socket and http timeout (default: 2)
  -D, --ssl-timeout=    Int, ssl and https timeout (default: 2)
Help options:
  -h, --help            Show help information
gogo Common Configuration
gogo's common configuration, including ports, fingerprints, pocs and workflows.
Directory structure
│ templates_gen.go # template generator
│ port.yaml # port configuration file
│ workflows.yaml # workflow configuration file
├─fingers # fingerprint directory
│ │ tcpfingers.yaml # tcp fingerprints
│ │
│ └─http # http fingerprints; because there are many of them, they are split into several sub-files for easier management
│ cloud.yaml # cloud-related frameworks
│ cms.yaml # various CMSs
│ component.yaml # embedded components of all kinds
│ device.yaml # device-related
│ mail.yaml # mail-related
│ oa.yaml # office automation (OA) related
│ other.yaml # not yet categorized
│ waf.yaml # waf-related
│
└─nuclei # nuclei pocs
├─bigip # categorized by framework name for easier management
├─cloud
├─component
├─device
......
Usage
For ease of packaging, in most cases these configuration files are converted to JSON, compressed, and emitted as a templates.go file, which is what gets loaded.
For this purpose templates_gen.go is provided. It takes only two parameters: -o specifies the output file name, and -t the directory containing the templates (default ".").
For example, in gogo a go generate directive is added to the entry file so that the templates are packed into the binary at build time.
//go:generate go run templates/templates_gen.go -t templates -o pkg/templates.go
package main

import "github.com/chainreactors/gogo/v2/cmd"

func main() {
	cmd.Gogo()
}
Combined use of the heuristic scan modes
Combining the two approaches described above yields many possible usages.
To allow free control over the heuristic scan, nearly 10 parameters and 3-5 output files were introduced, which made usage complicated; many people gave me feedback about this.
To address it, I added workflow solutions for most scenarios, so now most cases need only a single parameter.
- Discover live C segments (/24s) within a B segment (C-segment spray):
gogo -ip 192.168.1.1/16 -m s -no
or
gogo -w 192c
- Discover live B segments (/16s) within an A segment (B-segment spray):
gogo -ip 10.1.1.1/8 -m ss -no
or
gogo -w 10b
- Discover live C segments within an A segment (heuristic C-segment spray of an A segment):
gogo -ip 10.1.1.1/8 -m sc
or
gogo -w 10c
- C-segment spray of custom B segments:
gogo -l b.txt -m s -no
or
gogo -w c -l b.txt
- B-segment spray of custom A segments:
gogo -l a.txt -m ss -no
or
gogo -w b -l a.txt
- Use ICMP to discover every live IP in an A segment:
gogo -ip 10.1.1.1/8 -m ss -p icmp
or
gogo -w 10ip
(the single-port -m ss scan has a special optimization; see: A-segment heuristic scan optimization [4])
- Use ICMP to discover all databases in an A segment:
gogo -ip 10.1.1.1/8 -m ss -p db
or
gogo -w 10 -p db
On intranets where ping is blocked, use gogo -w 10noping -p db
- Use port 80 to probe for all databases in an A segment:
gogo -ip 10.1.1.1/8 -m ss -sp 80 -p db
or
gogo -w 10 -sp 80 -p db
- Automatically probe the common private ranges 172, 192 and 10:
gogo -w interc
- Heuristic scan of common-port assets in a B segment:
gogo -ip 192.168.1.1/16 -m s -p win,top2,db
or
gogo -w 192
- Heuristic scan of common-port assets in a C segment:
gogo -ip 10.1.1.1/8 -m ss -p win,top2,db
or
gogo -w 10
Usage in some special cases
- C-segment spray when port 80 is assumed to be behind an ACL:
gogo -ip 10.1.1.1/8 -m s -sp 22,445,icmp -no
or
gogo -w 10c -sp 22,445,icmp
- B-segment spray when the gateway IPs are assumed to be 1, 253 and 254:
gogo -ip 10.1.1.1/8 -m ss -ipp 1,253-254 -no
or
gogo -w 10b -ipp 1,253-254
- B-segment spray when ping is blocked and the gateway IPs are assumed to be 1, 253 and 254:
gogo -ip 10.1.1.1/8 -m ss -sp 80,22 -ipp 1,253-254 -no
or
gogo -w 10b -sp 80,22 -ipp 1,253-254
Drawbacks:
- Large-scale scanning across network segments like this is very hard to hide from traffic-monitoring devices and honeypots, so when scanning this way you must weigh the consequences of being noticed. That said, honeypots are rarely deployed on gateway IPs, so heuristic scanning is also a viable way to scan around honeypots.
- For the sake of efficiency there may be some false negatives; for example, an office segment with no host listening on port 80 could be missed. In practice this is rare, and choosing a suitable heuristic scan configuration can avoid such misses.
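The first drawback above, that wide cross-segment heuristic scans are hard to hide from traffic monitoring, can be turned into a detection: the spray only ever touches gateway-style hosts (.1/.254 by default for --ipp, plus .253 in the special cases above) across many /24s in a short time. The following Python is an added example of that detection, not gogo's code; the flow records, the window and the subnet threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, dport, seconds): a C-segment spray from 10.9.9.9 that
# touches only host .1 and .254 of forty /24s on smart port 80, plus a little unrelated traffic.
FLOWS = [("10.9.9.9", f"192.168.{n}.{h}", 80, n) for n in range(40) for h in (1, 254)]
FLOWS += [("10.9.9.9", "192.168.3.77", 80, 100),          # one ordinary host, same source
          ("10.5.5.5", "192.168.1.1", 443, 5), ("10.5.5.5", "192.168.1.20", 22, 6)]

# Assumption: treat the --ipp default (1,254) and the 253 used above as gateway-style host numbers.
GATEWAY_HOSTS = {1, 253, 254}


def is_gateway_style(dst):
    """True when the last octet is one of the gateway-style host numbers a spray probes."""
    return int(ipaddress.ip_address(dst)) & 0xFF in GATEWAY_HOSTS


def spray_sources(flows, min_subnets=16, window=60):
    """Return {src: n} for sources that contacted gateway-style hosts in at least min_subnets
    distinct /24s inside one window-second bucket; n is the largest such count per source."""
    buckets = defaultdict(set)                             # (src, bucket) -> set of /24 prefixes
    for src, dst, _dport, ts in flows:
        if is_gateway_style(dst):
            net = ipaddress.ip_network(f"{dst}/24", strict=False)
            buckets[(src, ts // window)].add(net)
    peak = defaultdict(int)
    for (src, _bucket), nets in buckets.items():
        peak[src] = max(peak[src], len(nets))
    return {src: n for src, n in peak.items() if n >= min_subnets}
```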
gogo configuration files
port.yaml
---
- name: top1
  ports:
    - '80'
    - '443'
    - '8080'
  tags:
    - http
- name: top2
  ports:
    - '70'
    - 80-90
    - '443'
    - '1080'
    - 2000-2001
    - 3000-3001
    - '1443'
    - '4443'
    - '4430'
    - 5000-5001
    - '5601'
    - 6000-6003
    - 7000-7003
    - 9000-9003
    - 8080-8091
    - 8000-8020
    - '8820'
    - '6443'
    - '8443'
    - '9443'
    - '8787'
    - '7080'
    - '8070'
    - '7070'
    - '7443'
    - 9080-9083
    - '5555'
    - '6666'
    - '7777'
    - '7788'
    - '9999'
    - '6868'
    - '8888'
    - '8878'
    - '8889'
    - '7890'
    - '5678'
    - '6789'
    - 9090-9100
    - '9988'
    - '9876'
    - '8765'
    - '8091'
    - '8099'
    - "8763"
    - '8848'
    - '8161'
    - '8060'
    - '8899'
    - '8088'
    - '800'
    - '801'
    - '888'
    - 10000-10010
    - '1080-1082'
    - '10080'
    - '10443'
    - "18080"
    - "18000"
    - "18088"
    - "18090"
    - '19090-19091'
    - "50070"
  tags:
    - http
    - common
- name: top3
  ports:
    - '444'
    - '9443'
    - '6080'
    - '6443'
    - "9070"
    - 9092-9093
    - 7003-7011
    - 9003-9011
    - 8100-8111
    - '8161'
    - 8021-8030
    - 8880-8890
    - 8010-8020
    - 8090-8100
    - 8180-8181
    - '8983'
    - "1311"
    - '8363'
    - '8800'
    - '8761'
    - '8873'
    - '8866'
    - '8900'
    - '8282'
    - '8999'
    - '8989'
    - '8066'
    - '8200'
    - '8111'
    - '8030'
    - '8040'
    - '8060'
    - '8180'
    - '10800'
    - '18081'
  tags:
    - http
- name: socks
  ports:
    - '1080'
- name: iis
  ports:
    - '47001'
  tags:
    - http
- name: jboss
  ports:
    - '45566'
  tags:
    - http
- name: postgresql
  ports:
    - '5432'
  tags:
    - db
    - common
    - brute
- name: mssql
  ports:
    - '1433-1435'
  tags:
    - db
    - common
    - brute
- name: mysql
  ports:
    - 3306-3308
    - '33060'
    - '33066'
  tags:
    - db
    - common
    - brute
- name: oracle
  ports:
    - '1158'
    - '1521'
    - '11521'
    - '210'
  tags:
    - db
    - common
    - in
- name: counchdb
  ports:
    - '5984'
    - '6984'
  tags:
    - db
- name: redis
  ports:
    - '6379'
  tags:
    - db
    - common
    - rce
    - in
    - brute
- name: memcache
  ports:
    - '11211'
  tags:
    - db
    - in
    - common
    - brute
- name: dm(达梦)
  ports:
    - '5236'
  tags:
    - db
    - in
- name: oscar(神通)
  ports:
    - '2003'
  tags:
    - db
    - in
- name: sybase
  ports:
    - '5000'
    - '4100'
  tags:
    - db
- name: mongodb
  ports:
    - '27017'
  tags:
    - db
    - common
    - brute
- name: hbase
  ports:
    - '16000'
  tags:
    - db
- name: rabbitmq
  ports:
    - '15672'
    - '5672'
  tags:
    - db
    - common
- name: neo4j
  ports:
    - '7474'
  tags:
    - db
- name: jndi
  ports:
    - 1098-1101
    - 1000-1001
    - 4444-4447
    - '10999'
    - '19001'
    - '9999'
    - '8083'
    - '8686'
    - '10001'
    - '11099'
    - '5001'
  tags:
    - rce
    - common
    - in
- name: jdwp
  ports:
    - '5005'
    - '8453'
  tags:
    - rce
    - common
    - in
- name: jmx
  ports:
    - '8686'
    - '8093'
    - 9010-9012
    - '50500'
    - '61616'
  tags:
    - rce
    - common
    - in
- name: php-xdebug
  ports:
    - '9000'
  tags:
    - rce
    - in
- name: nodejs-debug
  ports:
    - '5858'
    - '9229'
  tags:
    - rce
- name: glassfish
  ports:
    - '4848'
  tags:
    - rce
- name: rocketmq
  ports:
    - '9876'
    - '10909'
    - '10911'
    - '10912'
  tags:
    - rce
    - common
    - in
- name: activemq
  ports:
    - '8161'
  tags:
    - rce
    - common
    - in
- name: kafka
  ports:
    - '9092'
  tags:
    - rce
- name: cisco
  ports:
    - '4786'
  tags:
    - rce
- name: rlogin
  ports:
    - 512-514
  tags:
    - rce
- name: hp
  ports:
    - '5555'
    - '5556'
  tags:
    - rce
- name: docker
  ports:
    - 2375-2380
  tags:
    - rce
    - common
    - in
- name: portainer
  ports:
    - '9000'
  tags:
    - rce
    - in
- name: ajp
  ports:
    - '8009'
  tags:
    - rce
    - common
    - in
- name: elasticsearch
  ports:
    - '9200'
    - '9300'
  tags:
    - rce
    - in
    - db
    - brute
    - common
- name: windows
  ports:
    - icmp
    - '22'
    - '135'
    - '137'
    - '445'
    - '3389'
    - '5985'
    - oxid
  tags:
    - win
    - common
    - in
- name: telnet
  ports:
    - '23'
  tags:
    - win
    - common
    - in
- name: ldap
  ports:
    - '389'
  tags:
    - win
    - db
    - common
    - in
- name: kerberos
  ports:
    - '88'
  tags:
    - win
    - common
    - in
- name: snmp
  ports:
    - '161'
  tags:
    - win
    - brute
- name: ping
  ports:
    - icmp
  tags:
    - win
- name: ftp
  ports:
    - '21'
    - '2121'
  tags:
    - win
    - common
    - brute
- name: other
  ports:
    - 21-23
    - '69'
    - '161'
    - 901-902
    - '50000'
  tags:
    - info
    - in
- name: mail
  ports:
    - '25'
    - '110'
    - '143'
    - '587'
  tags:
    - info
- name: zookeeper
  ports:
    - '2181'
    - '2888'
    - '3888'
  tags:
    - info
    - common
    - in
- name: rsync
  ports:
    - '873'
  tags:
    - info
    - brute
    - common
    - in
- name: lotus
  ports:
    - '1352'
  tags:
    - info
    - in
- name: nfs
  ports:
    - '2049'
  tags:
    - rce
    - in
- name: oracle-ftp
  ports:
    - '2100'
- name: squid
  ports:
    - '3128'
  tags:
    - rce
- name: pcanywhere
  ports:
    - '5632'
  tags:
    - info
- name: ssh
  ports:
    - '22'
    - '2222'
    - '10022'
  tags:
    - info
    - common
    - in
- name: vnc
  ports:
    - '5900'
    - '5901'
    - '5800'
  tags:
    - brute
    - common
    - in
    - rce
- name: hadoop
  ports:
    - '8088'
    - '50070'
    - '50010'
    - '50020'
  tags:
    - info
- name: vmware
  ports:
    - '9875'
    - '427'
  tags:
    - in
    - common
    - rce
- name: kibana
  ports:
    - '5601'
  tags:
    - info
    - common
- name: rdp
  ports:
    - '3389'
    - '13389'
    - '33899'
    - "33389"
  tags:
    - win
    - common
    - brute
- name: dubbo
  ports:
    - '18086'
    - "20880-20882"
  tags:
    - common
    - rce
- name: 深信服ssl-vpn
  ports:
    - '9990'
    - "4430"
    - "8870"
  tags:
    - rce
    - common
# Official port group consolidation
http{top1,top2,top3,iis,jboss}
common{top2,postgresql,mssql,mysql,oracle,redis,memcache,mongodb,rabbitmq,jndi,jdwp,jmx,rocketmq,activemq,docker,ajp,elasticsearch,windows,telnet,ldap,kerberos,ftp,zookeeper,rsync,ssh,vnc,vmware,kibana,rdp,dubbo,深信服ssl-vpn}
db{postgresql,mssql,mysql,oracle,counchdb,redis,memcache,dm(达梦),oscar(神通),sybase,mongodb,hbase,rabbitmq,neo4j,elasticsearch,ldap}
brute{postgresql,mssql,mysql,redis,memcache,mongodb,elasticsearch,snmp,ftp,rsync,vnc,rdp}
in{oracle,redis,memcache,dm(达梦),oscar(神通),jndi,jdwp,jmx,php-xdebug,rocketmq,activemq,docker,portainer,ajp,elasticsearch,windows,telnet,ldap,kerberos,other,zookeeper,rsync,lotus,nfs,ssh,vnc,vmware}
rce{redis,jndi,jdwp,jmx,php-xdebug,nodejs-debug,glassfish,rocketmq,activemq,kafka,cisco,rlogin,hp,docker,portainer,ajp,elasticsearch,nfs,squid,vnc,vmware,dubbo,深信服ssl-vpn}
win{windows,telnet,ldap,kerberos,snmp,ping,ftp,rdp}
info{other,mail,zookeeper,rsync,lotus,pcanywhere,ssh,hadoop,kibana}
oracle-ftp
socks
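The -p argument is resolved against port.yaml: each comma-separated token is a preset name, a tag shared by several presets (the tag{...} groups listed just above), a literal port, a range such as 10000-10100, or an alias such as icmp or oxid, and '-p -' in the full-port scan at the top of these notes means every port. The following Python is an added example of that resolution and of rebuilding the tag groups, not gogo's own code; it embeds a constructed subset of the presets above, and the all-ports reading of '-' is an assumption taken from the full-port scan command.

```python
import re

# Constructed subset of gogo's port.yaml (entries copied from the page); the real file has many more.
PORT_PRESETS = [
    {"name": "top1", "ports": ["80", "443", "8080"], "tags": ["http"]},
    {"name": "mysql", "ports": ["3306-3308", "33060", "33066"], "tags": ["db", "common", "brute"]},
    {"name": "redis", "ports": ["6379"], "tags": ["db", "common", "rce", "in", "brute"]},
    {"name": "windows", "ports": ["icmp", "22", "135", "137", "445", "3389", "5985", "oxid"],
     "tags": ["win", "common", "in"]},
    {"name": "ping", "ports": ["icmp"], "tags": ["win"]},
    {"name": "socks", "ports": ["1080"], "tags": []},
]


def expand_port(token):
    """Expand one port token: a number, a range 'a-b', or a protocol alias such as icmp/oxid."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
    if not m:
        return {token}                       # alias such as icmp or oxid, passed through untouched
    lo = int(m.group(1))
    hi = int(m.group(2) or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port or range: {token}")
    return {str(p) for p in range(lo, hi + 1)}


def groups_by_tag(presets):
    """Rebuild the 'tag{name,...}' consolidation listed under the official port groups."""
    groups = {}
    for entry in presets:
        for tag in entry.get("tags", []):
            groups.setdefault(tag, []).append(entry["name"])
    return groups


def resolve_ports(spec, presets=PORT_PRESETS):
    """Resolve a -p argument such as 'win,db,top2,12345,10000-10100' into the set of port tokens."""
    if spec.strip() == "-":                  # assumption: '-p -' is the full-port scan, every TCP port
        return {str(p) for p in range(1, 65536)}
    by_name = {e["name"]: e["ports"] for e in presets}
    by_tag = groups_by_tag(presets)
    result = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if item in by_name:                  # preset name -> its own ports
            tokens = by_name[item]
        elif item in by_tag:                 # tag -> union of every preset carrying the tag
            tokens = [t for n in by_tag[item] for t in by_name[n]]
        else:                                # literal port, range or alias
            tokens = [item]
        for tok in tokens:
            result |= expand_port(tok)
    return result
```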