From bdb86a7bae871072f5f4e29f0f768fb9f3636622 Mon Sep 17 00:00:00 2001 From: 51pwn <51pwn@51pwn.com> Date: Fri, 15 Jul 2022 23:27:33 +0800 Subject: [PATCH] =?UTF-8?q?=E6=80=A7=E8=83=BD=E4=BC=98=E5=8C=96=202.5.5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 1 + config/config.json | 6 ++-- config/config_me.json | 6 ++-- config/doNmapScan.sh | 4 +-- config/initEs.sh | 12 ++++---- go.mod | 3 +- go.sum | 2 ++ main.go | 2 +- nuclei_Yaml/nuclei_yaml.go | 2 ++ pkg/config.go | 13 +++++---- pkg/hydra/cracker.go | 13 +++++++++ pkg/hydra/dicts/ssh_user.txt | 3 +- pkg/hydra/doNmapResult.go | 2 +- pkg/hydra/hydra.go | 4 ++- pkg/hydra/loadDicts.go | 1 + pkg/hydra/snmp/snmp.go | 46 ++++++++++++++++++++++++++++-- pkg/naabu/v2/pkg/runner/runner.go | 5 +++- pkg/naabu/v2/pkg/runner/targets.go | 18 ++++++++++-- pkg/sv2es.go | 14 +++++---- vendor/modules.txt | 3 ++ 20 files changed, 123 insertions(+), 37 deletions(-) diff --git a/README.md b/README.md index 5ccfe1b3a..faa36fdb8 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ 使用场景POC列表自定义扫描 + 最佳实践

# 特性 diff --git a/config/config.json b/config/config.json index fc44d290d..28911f784 100644 --- a/config/config.json +++ b/config/config.json @@ -56,18 +56,18 @@ "naabu_dns": {}, "naabu": {"TopPorts": "1000","ScanAllIPS": true,"Threads": 25}, "priorityNmap": true, - "enableNuclei": false, + "enableNuclei": true, "nuclei": { "RateLimit": 150, "BulkSize":64, "TemplateThreads": 64, "HeadlessBulkSize": 10, "DisableRedirects": true, - "HeadlessTemplateThreads": 10 + "HeadlessTemplateThreads": 10, + "ReportingConfig": "config/nuclei_esConfig.yaml" }, "enablEmbedYaml": true, "enablFileFuzz": true, - "enablNmapStdIO": false, "httpx": { "Pipeline": false, "HTTP2Probe": false, diff --git a/config/config_me.json b/config/config_me.json index 9d22394c2..ddc8881fe 100644 --- a/config/config_me.json +++ b/config/config_me.json @@ -55,19 +55,19 @@ "KsubdomainRegxp": "([0-9a-zA-Z\\-]+\\.[0-9a-zA-Z\\-]+)$", "naabu_dns": {}, "naabu": {"TopPorts": "1000","ScanAllIPS": true,"Threads": 64}, - "enableNuclei": false, + "enableNuclei": true, "nuclei": { "RateLimit": 150, "BulkSize":64, "TemplateThreads": 64, "HeadlessBulkSize": 10, "DisableRedirects": true, - "HeadlessTemplateThreads": 10 + "HeadlessTemplateThreads": 10, + "ReportingConfig": "config/nuclei_esConfig.yaml" }, "priorityNmap": true, "enablEmbedYaml": true, "enablFileFuzz": true, - "enablNmapStdIO": false, "httpx": { "Pipeline": false, "HTTP2Probe": true, diff --git a/config/doNmapScan.sh b/config/doNmapScan.sh index 008583b68..7c6d76950 100755 --- a/config/doNmapScan.sh +++ b/config/doNmapScan.sh 
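Review bot: The new `"ReportingConfig": "config/nuclei_esConfig.yaml"` entry in config.json (and the identical one in config_me.json) points at a file that this commit does not add — it is absent from the diffstat — so unless it already exists in the tree, nuclei's reporting setup will fail to load on a fresh checkout. At the same time `enableNuclei` flips from `false` to `true`, so that failure is now hit on the default path rather than only when a user opts in. Either add the YAML with the commit or leave `enableNuclei` at `false` until it ships; a short comment next to the key stating which file format the reporting loader expects would also help. The removed `enablNmapStdIO` key is consistent with pkg/config.go dropping the switch, but the README hunk does not mention that the option is gone.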
@@ -4,9 +4,9 @@ function doMasScan { if [[ -f $1 ]] ; then # -F --top-ports=65535 # -p 80,443 - echo $PPSSWWDD|sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4 -iL $1 -oX $2 + echo $PPSSWWDD|sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4 -iL $1 -oX $2 else - echo $PPSSWWDD|sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4 $1 -oX $2 + echo $PPSSWWDD|sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4 $1 -oX $2 fi } doMasScan $1 $2 diff --git a/config/initEs.sh b/config/initEs.sh index b9cef0103..9c516835e 100755 --- a/config/initEs.sh +++ b/config/initEs.sh @@ -1,6 +1,6 @@ -config/CreateEs.sh nmap -config/CreateEs.sh naabu -config/CreateEs.sh httpx -config/CreateEs.sh nuclei -config/CreateEs.sh vscan -config/CreateEs.sh hydra +~/MyWork/scan4all/config/CreateEs.sh nmap +~/MyWork/scan4all/config/CreateEs.sh naabu +~/MyWork/scan4all/config/CreateEs.sh httpx +~/MyWork/scan4all/config/CreateEs.sh nuclei +~/MyWork/scan4all/config/CreateEs.sh vscan +~/MyWork/scan4all/config/CreateEs.sh hydra diff --git a/go.mod b/go.mod index e858ae467..c7824e5ad 100644 --- a/go.mod +++ b/go.mod 
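Review bot: The two rewritten nmap lines still expand `$1`, `$2` and `$PPSSWWDD` unquoted, so a target path, output path or password containing whitespace or glob characters is word-split or expanded before it reaches `sudo`/`nmap`; quote them, e.g. `... -T4 -iL "$1" -oX "$2"` and `printf '%s\n' "$PPSSWWDD" | sudo -S nmap ...`. Adding `-sU` to a 65535-port sweep that already runs with `--max-retries 0` and `--host-timeout 10m` means the UDP half will frequently hit the host timeout, so results for UDP services (including the SNMP port the new `snmp` cracker depends on) are likely to be incomplete or reported as open|filtered rather than confirmed; that trade-off deserves a comment on the line. The body of `doMasScan` begins before this hunk.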
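Review bot: The six rewritten lines in initEs.sh hard-code `~/MyWork/scan4all/config/CreateEs.sh`, a path specific to one developer's home directory, so the script no longer works from a checkout anywhere else; resolve the script's own location instead, e.g. `cd "$(dirname "$0")" && ./CreateEs.sh nmap` for each line. This also diverges from pkg/config.go in the same commit, which derives the project directory at runtime into `SzPwd` via `os.Getwd()`; one mechanism should serve both.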
@@ -92,6 +92,8 @@ require ( github.com/go-sql-driver/mysql v1.6.0 github.com/google/cel-go v0.11.4 github.com/google/go-github v17.0.0+incompatible + github.com/gorilla/websocket v1.5.0 + github.com/gosnmp/gosnmp v1.35.0 github.com/huin/asn1ber v0.0.0-20120622192748-af09f62e6358 github.com/icodeface/tls v0.0.0-20190904083142-17aec93c60e5 github.com/jlaffaye/ftp v0.0.0-20190624084859-c1312a7102bf @@ -165,7 +167,6 @@ require ( github.com/google/go-querystring v1.1.0 // indirect github.com/google/uuid v1.3.0 // indirect github.com/gorilla/css v1.0.0 // indirect - github.com/gorilla/websocket v1.5.0 // indirect github.com/gosuri/uilive v0.0.4 // indirect github.com/gosuri/uiprogress v0.0.1 // indirect github.com/h2non/filetype v1.1.3 // indirect diff --git a/go.sum b/go.sum index dd37aff05..9f390022f 100644 --- a/go.sum +++ b/go.sum @@ -348,6 +348,8 @@ github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY= github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c= github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gosnmp/gosnmp v1.35.0 h1:EuWWNPxTCdAUx2/NbQcSa3WdNxjzpy4Phv57b4MWpJM= +github.com/gosnmp/gosnmp v1.35.0/go.mod h1:2AvKZ3n9aEl5TJEo/fFmf/FGO4Nj4cVeEc5yuk88CYc= github.com/gosuri/uilive v0.0.4 h1:hUEBpQDj8D8jXgtCdBu7sWsy5sbW/5GhuO8KBwJ2jyY= github.com/gosuri/uilive v0.0.4/go.mod h1:V/epo5LjjlDE5RJUcqx8dbw+zc93y5Ya3yg8tfZ74VI= github.com/gosuri/uiprogress v0.0.1 h1:0kpv/XY/qTmFWl/SkaJykZXrBBzwwadmW8fRb7RJSxw= diff --git a/main.go b/main.go index 968c0e9f2..5f68fed2c 100644 --- a/main.go +++ b/main.go 
@@ -40,7 +40,7 @@ func main() { if options.Debug { // debug 优化时启用/////////////////////// go func() { - fmt.Println("debug info: \nopen http://127.0.0.1:6060/debug/pprof/") + fmt.Println("debug info: \nopen http://127.0.0.1:6060/debug/pprof/\n\ngo tool pprof -seconds=10 -http=:9999 http://localhost:6060/debug/pprof/heap") http.ListenAndServe(":6060", nil) }() //////////////////////////////////////////*/ diff --git a/nuclei_Yaml/nuclei_yaml.go b/nuclei_Yaml/nuclei_yaml.go index e60443f51..09df45023 100644 --- a/nuclei_Yaml/nuclei_yaml.go +++ b/nuclei_Yaml/nuclei_yaml.go @@ -64,6 +64,8 @@ func RunNuclei(buf *bytes.Buffer, xx chan bool) { if nucleiRunner == nil { return } + //data, _ := json.Marshal(options) + //log.Printf("%+v", string(data)) if err := nucleiRunner.RunEnumeration(); err != nil { if options.Validate { gologger.Fatal().Msgf("Could not validate templates: %s\n", err) diff --git a/pkg/config.go b/pkg/config.go index 15f7a264c..0408184e5 100644 --- a/pkg/config.go +++ b/pkg/config.go @@ -131,7 +131,11 @@ func GetVal4Filedefault(key, szDefault string) string { return s } +var SzPwd string + func Init() { + pwd, _ := os.Getwd() + SzPwd = pwd var ConfigName = "config/config.json" config := viper.New() config.AddConfigPath("./") @@ -160,6 +164,7 @@ func Init() { } config.Unmarshal(&mData) viper.Set("Verbose", false) + initEs() } var G_Options interface{} @@ -175,7 +180,7 @@ func GetNmap() string { var hvNmap = false func CheckHvNmap() bool { - if runtime.GOOS == "windows" || "true" != GetVal("priorityNmap") { + if runtime.GOOS == "windows" || "true" != GetValByDefault("priorityNmap", "true") { return false } if hvNmap { 
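Review bot: `pwd, _ := os.Getwd()` in Init discards the error, so on failure `SzPwd` is `""` and the command built from it in targets.go degrades to `/config/doNmapScan.sh`; check it: `pwd, err := os.Getwd()` / `if err != nil { log.Println("os.Getwd: ", err) }`. `SzPwd` is also exported, mutable package-level state written in Init and read from another package, so any caller can overwrite it; an unexported variable with a small accessor would make the intent clear. The CheckHvNmap hunk silently changes the default of `priorityNmap` to `"true"` via `GetValByDefault("priorityNmap", "true")`, which is a behaviour change for users whose config omits the key and is worth a line in the commit message. The nuclei_yaml.go hunk adds commented-out debug code that, if re-enabled, would log the entire options struct; prefer removing it rather than committing it disabled.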
@@ -207,10 +212,8 @@ func doReadBuff(buf *bytes.Buffer) string {
 func DoCmd(args ...string) (string, error) {
 cmd := exec.Command(args[0], args[1:]...)
 var stdout, stderr bytes.Buffer
- if "true" == GetValByDefault("enablNmapStdIO", "false") {
- cmd.Stdout = &stdout // 标准输出
- cmd.Stderr = &stderr // 标准错误
- }
+ cmd.Stdout = &stdout // 标准输出
+ cmd.Stderr = &stderr // 标准错误
 err := cmd.Run()
 outStr, errStr := doReadBuff(&stdout), doReadBuff(&stderr)
 // out, err := cmd.CombinedOutput()
diff --git a/pkg/hydra/cracker.go b/pkg/hydra/cracker.go
index 6a96f054c..64fbf3739 100644
--- a/pkg/hydra/cracker.go
+++ b/pkg/hydra/cracker.go
@@ -11,6 +11,7 @@ import (
 "github.com/hktalent/scan4all/pkg/hydra/rdp"
 "github.com/hktalent/scan4all/pkg/hydra/redis"
 "github.com/hktalent/scan4all/pkg/hydra/smb"
+ "github.com/hktalent/scan4all/pkg/hydra/snmp"
 "github.com/hktalent/scan4all/pkg/hydra/ssh"
 "github.com/hktalent/scan4all/pkg/hydra/telnet"
 "github.com/hktalent/scan4all/pkg/kscan/core/slog"
@@ -135,6 +136,18 @@ func redisCracker(i interface{}) interface{} {
 return nil
 }
 
+func snmpCracker(i interface{}) interface{} {
+ info := i.(AuthInfo)
+ info.Auth.MakePassword()
+ // info.IPAddr, info.Auth.Username, info.Auth.Password, info.Port
+
+ if err, ok := snmp.ScanSNMP(&snmp.Service{Ip: info.IPAddr, Port: info.Port, Username: info.Auth.Username, Password: info.Auth.Password}); nil != ok && ok.Result {
+ slog.Printf(slog.DEBUG, "snmp://%s:%s@%s:%d:%s", info.Auth.Username, info.Auth.Password, info.IPAddr, info.Port, err)
+ info.Status = true
+ return info
+ }
+ return nil
+}
 func ftpCracker(i interface{}) interface{} {
 info := i.(AuthInfo)
 info.Auth.MakePassword()
diff --git a/pkg/hydra/dicts/ssh_user.txt b/pkg/hydra/dicts/ssh_user.txt
index d3d1319f5..e388af4c5 100644
--- a/pkg/hydra/dicts/ssh_user.txt
+++ b/pkg/hydra/dicts/ssh_user.txt
@@ -1,2 +1,3 @@
 root
-admin
\ No newline at end of file
+admin
+public
\ No newline at end of file
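Review bot: In snmpCracker the two results of `snmp.ScanSNMP` are bound as `err, ok` although the function returns `(error, *ScanResult)`, so `ok` is the result pointer and `nil != ok && ok.Result` reads like a boolean success check when it is a nil-pointer guard; rename to `err, res := snmp.ScanSNMP(...)` and the condition to `res != nil && res.Result`. The DEBUG line then formats `err` with `%s` even though on that path it is always nil, so the trailing `:%s` only ever prints `%!s(<nil>)`; drop it from the format string. That same line writes the matched credential pair to the log in clear — consistent with the sibling crackers, whose bodies are outside this hunk, but worth a comment noting that DEBUG output contains secrets. Note also that `Username` is passed to ScanSNMP but SNMP v1/v2c has no username; only `Password` is used as the community there, so the `// info.IPAddr, ...` comment should say which field matters.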
diff --git a/pkg/hydra/doNmapResult.go b/pkg/hydra/doNmapResult.go index bf04a90cc..1114cb66f 100644 --- a/pkg/hydra/doNmapResult.go +++ b/pkg/hydra/doNmapResult.go @@ -68,7 +68,7 @@ func DoParseXml(s string, bf *bytes.Buffer) { } } } - fmt.Printf("%s\t%d\t%s\n", ip, port, service) + log.Printf("%s\t%d\t%s\n", ip, port, service) } } } diff --git a/pkg/hydra/hydra.go b/pkg/hydra/hydra.go index 7dbfd10ed..e0499d619 100644 --- a/pkg/hydra/hydra.go +++ b/pkg/hydra/hydra.go @@ -20,7 +20,7 @@ type Cracker struct { var ( DefaultAuthMap map[string]*AuthList CustomAuthMap *AuthList - ProtocolList = strings.Split("rdp,ssh,rsh-spx,mysql,mssql,oracle,postgresql,redis,ftp,mongodb,smb,telnet", ",") + ProtocolList = strings.Split("rdp,ssh,rsh-spx,mysql,mssql,oracle,postgresql,redis,ftp,mongodb,smb,telnet,snmp", ",") ) func NewCracker(info *AuthInfo, isAuthUpdate bool, threads int) *Cracker { @@ -97,6 +97,8 @@ func (c *Cracker) Run() { c.Pool.Function = telnetCracker(serverType) case "ftp": c.Pool.Function = ftpCracker + case "snmp": + c.Pool.Function = snmpCracker case "mongodb": c.Pool.Function = mongodbCracker case "redis": diff --git a/pkg/hydra/loadDicts.go b/pkg/hydra/loadDicts.go index e6c876b59..39f7e4982 100644 --- a/pkg/hydra/loadDicts.go +++ b/pkg/hydra/loadDicts.go @@ -125,6 +125,7 @@ func init() { DefaultUp: pkg.GetVal4Filedefault("ssh_default", ssh_default), } md["rsh-spx"] = md["ssh"] + md["snmp"] = md["ssh"] md["mongodb"] = PPDict{ Username: pkg.GetVal4File("mongodb_username", mongodbusername), Paswd: pkg.GetVal4File("mongodb_pswd", mongodb_pswd), diff --git a/pkg/hydra/snmp/snmp.go b/pkg/hydra/snmp/snmp.go index 3e4cfe47c..84647d5e9 100644 --- a/pkg/hydra/snmp/snmp.go +++ b/pkg/hydra/snmp/snmp.go 
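Review bot: `md["snmp"] = md["ssh"]` reuses the SSH user/password dictionaries for SNMP, but ScanSNMP in pkg/hydra/snmp/snmp.go (same commit) sets the community from `Password` only and never reads `Username`, so adding `public` to ssh_user.txt does nothing for SNMP while it does add a bogus user to every SSH attempt. Every SSH username × password pair is then tried as a community string, so the same community is sent once per username — wasted requests and more noise on the wire for no additional coverage. Give `snmp` its own `PPDict` entry whose password list is the community list and whose username list has a single placeholder, and revert the ssh_user.txt change. Whether MakePassword substitutes the username into the password is outside this hunk, so that part is inferred.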
@@ -1,5 +1,45 @@ -package main +package snmp -func main() { - $END$ +import ( + "github.com/gosnmp/gosnmp" +) + +type IpAddr struct { + Ip string + Port int + Protocol string +} +type Service struct { + Ip string + Port int + Protocol string + Username string + Password string +} +type ScanResult struct { + Service *Service + Result bool +} + +// default port: 161/162, +// more see: https://nmap.org/book/scan-methods-udp-scan.html +func ScanSNMP(s *Service) (err error, result *ScanResult) { + result.Service = s + result.Service.Username = s.Username // default public + result.Service.Password = s.Password // default public + gosnmp.Default.Target = s.Ip + gosnmp.Default.Port = uint16(s.Port) + gosnmp.Default.Community = result.Service.Password + gosnmp.Default.Timeout = 10 + + err = gosnmp.Default.Connect() + if err == nil { + oids := []string{"1.3.6.1.2.1.1.4.0", "1.3.6.1.2.1.1.7.0"} + _, err := gosnmp.Default.Get(oids) + if err == nil { + result.Result = true + } + } + + return err, result } diff --git a/pkg/naabu/v2/pkg/runner/runner.go b/pkg/naabu/v2/pkg/runner/runner.go index 7e3016663..70bc16642 100644 --- a/pkg/naabu/v2/pkg/runner/runner.go +++ b/pkg/naabu/v2/pkg/runner/runner.go @@ -53,6 +53,9 @@ var Naabubuffer = bytes.Buffer{} func (r *Runner) Httpxrun() error { httpxrunner.Naabubuffer = Naabubuffer var nucleiDone = make(chan bool) + defer func() { + <-nucleiDone + }() // 集成nuclei //log.Println("httpxrunner.Naabubuffer = ", httpxrunner.Naabubuffer.String()) //Naabubuffer1 := bytes.Buffer{} @@ -114,7 +117,7 @@ func (r *Runner) Httpxrun() error { rx.RunEnumeration() rx.Close() // wait nuclei - <-nucleiDone + return nil } diff --git a/pkg/naabu/v2/pkg/runner/targets.go b/pkg/naabu/v2/pkg/runner/targets.go index 41a755d7d..d280c1a3a 100644 --- a/pkg/naabu/v2/pkg/runner/targets.go +++ b/pkg/naabu/v2/pkg/runner/targets.go 
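Review bot: ScanSNMP dereferences its named return `result` (`result.Service = s`) while it is still nil, so every call panics before any network I/O; allocate it first. Beyond that, the function mutates the package-global `gosnmp.Default` (target, port, community, timeout) and is invoked from the cracker's worker pool, so concurrent calls race on one shared client and one UDP socket; `gosnmp.Default.Timeout = 10` assigns 10 nanoseconds because `Timeout` is a `time.Duration`; the `:=` in `_, err := gosnmp.Default.Get(oids)` shadows the named `err`, so a failed Get is returned as a nil error with `Result` false; and the connection opened by Connect is never closed. The rewrite below builds a per-call client, fixes the unit and the shadowing, and closes the socket (it needs `"time"` added to the import block); the `(err, result)` return order is kept for the existing caller in cracker.go, although Go convention puts the error last. Since UDP "connect" succeeds without any reply, only a successful Get proves the community was accepted, which is why `Result` is set after it.
```go
func ScanSNMP(s *Service) (err error, result *ScanResult) {
	result = &ScanResult{Service: s}
	// One client per call: gosnmp.Default is shared package state and
	// this function runs concurrently from the cracker pool.
	client := &gosnmp.GoSNMP{
		Target:    s.Ip,
		Port:      uint16(s.Port),
		Community: s.Password, // v1/v2c community; Username is not used
		Version:   gosnmp.Version2c,
		Timeout:   10 * time.Second, // the original "10" was 10ns
	}
	if err = client.Connect(); err != nil {
		return err, result
	}
	defer client.Conn.Close()
	oids := []string{"1.3.6.1.2.1.1.4.0", "1.3.6.1.2.1.1.7.0"}
	if _, err = client.Get(oids); err != nil { // assign, do not shadow
		return err, result
	}
	result.Result = true
	return nil, result
}
```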
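Review bot: Moving `<-nucleiDone` into a deferred closure in Httpxrun makes every return path block until something sends on `nucleiDone`, including any early error return in the part of the function outside this hunk; on a path where the goroutine that signals the channel has not been started, the defer never returns. The previous explicit receive ran only on the success path after `rx.Close()`, so it could not deadlock that way. Either keep the receive where the sender is guaranteed to exist, or make the channel buffered (`make(chan bool, 1)`) and receive in a `select` that also observes a cancellation context or timeout. The lines that start the nuclei goroutine are not in this hunk, so the deadlock path is inferred.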
@@ -151,8 +151,11 @@ func (r *Runner) DoTargets() (bool, error) { } a = nil aR = pkg.RemoveDuplication_map(aR) - //log.Printf("%+v", aR) - ioutil.WriteFile(r.targetsFile, []byte(strings.Join(aR, "\n")), os.ModePerm) + //log.Printf("DoTargets:: %+v", aR) + err = ioutil.WriteFile(r.targetsFile, []byte(strings.Join(aR, "\n")), os.ModePerm) + if nil != err { + log.Println("ioutil.WriteFile(r.targetsFile err: ", err) + } // 有nmap那么就直接调用nmap了 bRw := false if pkg.CheckHvNmap() { @@ -160,7 +163,7 @@ func (r *Runner) DoTargets() (bool, error) { tempInput1, err := ioutil.TempFile("", "stdin-out-*") if err == nil { defer tempInput1.Close() - x := "config/doNmapScan.sh " + r.targetsFile + " " + tempInput1.Name() + x := pkg.SzPwd + "/config/doNmapScan.sh " + r.targetsFile + " " + tempInput1.Name() log.Println(x) ss, err := pkg.DoCmd(strings.Split(x, " ")...) s0 := tempInput1.Name() @@ -193,7 +196,11 @@ func (r *Runner) DoTargets() (bool, error) { } else { log.Println("DoCmd: ", err) } + } else { + log.Println("ioutil.TempFile ", err) } + } else { + log.Println(" pkg.CheckHvNmap() false") } if bRw { ioutil.WriteFile(r.targetsFile, []byte(strings.Join(aR, "\n")), os.ModePerm) @@ -204,6 +211,8 @@ func (r *Runner) DoTargets() (bool, error) { func (r *Runner) PreProcessTargets() error { if b11, _ := r.DoTargets(); b11 { return nil + } else { + log.Println("r.DoTargets 不正常,走naabu") } if r.options.Stream { defer close(r.streamChannel) @@ -333,6 +342,9 @@ func (r *Runner) DoDns(target string) { } else { log.Println(" r.scanner.IPRanger.AddHostWithMetadata add ", ip, " ", target) } + if ip == target && len(ip) != len(target) { + log.Println("please reTry, Your current network is not good") + } } } diff --git a/pkg/sv2es.go b/pkg/sv2es.go index d26cb8d66..882650453 100644 --- a/pkg/sv2es.go +++ b/pkg/sv2es.go 
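Review bot: The new DoDns check `if ip == target && len(ip) != len(target)` can never be true, because equal strings have equal lengths, so the "please reTry" message is unreachable; presumably the intent was to detect a target that did not resolve (`ip == target` alone, or a resolver error), and that condition should be written explicitly. In the first DoTargets hunk the rewritten `ioutil.WriteFile(r.targetsFile, ..., os.ModePerm)` creates the target list with mode 0777 — world-writable, and the same mode is used on the later `if bRw` write — where `0600` suffices for a file only this process reads. The command line `pkg.SzPwd + "/config/doNmapScan.sh " + r.targetsFile + " " + tempInput1.Name()` is then re-split on spaces, so a working directory or temp path containing a space breaks the invocation; pass the argv directly: `pkg.DoCmd(filepath.Join(pkg.SzPwd, "config", "doNmapScan.sh"), r.targetsFile, tempInput1.Name())`. The `} else { log.Println(...) }` after `return nil` in PreProcessTargets can simply follow the `if`, keeping the happy path unindented.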
@@ -18,12 +18,12 @@ var nThreads chan struct{} var esUrl string var enableEsSv string -func init() { - enableEsSv = GetVal("enableEsSv") +func initEs() { + enableEsSv = GetValByDefault("enableEsSv", "true") if "true" == enableEsSv { - esUrl = GetVal("esUrl") + esUrl = GetValByDefault("esUrl", "http://127.0.0.1:9200/%s_index/_doc/%s") n1, _ = strconv.Atoi(GetValByDefault("esthread", "4")) - //log.Println("es 初始化线程数 = ", n1) + log.Printf("es 初始化线程数 = %d, esUrl = %s", n1, esUrl) nThreads = make(chan struct{}, n1) } } @@ -61,7 +61,9 @@ func SendReq(data1 interface{}, id, szType string) { defer func() { <-nThreads }() + //log.Println("esUrl = ", esUrl) url := fmt.Sprintf(esUrl, szType, url.QueryEscape(id)) + //log.Println("url = ", url) req, err := http.NewRequest("POST", url, bytes.NewReader(data)) if err != nil { Log(fmt.Sprintf("%s error %v", id, err)) @@ -92,8 +94,8 @@ func SendReq(data1 interface{}, id, szType string) { } body, err := ioutil.ReadAll(resp.Body) - if nil == err { - Log(body) + if nil == err && 0 < len(body) { + //Log("Es save result ", string(body)) } else { Log(err) } diff --git a/vendor/modules.txt b/vendor/modules.txt index a9685b746..e64fce805 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -295,6 +295,9 @@ github.com/gorilla/css/scanner # github.com/gorilla/websocket v1.5.0 ## explicit; go 1.12 github.com/gorilla/websocket +# github.com/gosnmp/gosnmp v1.35.0 +## explicit; go 1.17 +github.com/gosnmp/gosnmp # github.com/gosuri/uilive v0.0.4 ## explicit; go 1.10 github.com/gosuri/uilive
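Review bot: In SendReq the new condition `nil == err && 0 < len(body)` sends a successful response with an empty body into the `else` branch, where `Log(err)` logs a nil error, while the success branch is now empty because its log call is commented out; test the error and the body separately: `if err != nil { Log(err); return }` and then act on `body` (or drop the branch entirely if nothing is done with it). The initEs hunk also switches `enableEsSv` to default-on with a hard-coded `http://127.0.0.1:9200/%s_index/_doc/%s`, so every run now POSTs scan results to a local Elasticsearch unless the config says otherwise, and logs a connection error on each document when nothing is listening; a default of `"false"` keeps the previous opt-in behaviour. The HTTP status is not checked in the visible lines; if it is not checked elsewhere in SendReq, a 4xx/5xx reply with a body is treated as a successful save.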