The ProjectDiscovery organization has open-sourced many of its internal automated-scanning tools and research. All of them are written in Go and are extremely useful in real penetration tests. I like this organization's open-source software very much, and it is one of my motivations for learning Go, so I plan to write a series of articles studying their code.
Introduction
A few features:
- Scans in two modes: SYN and CONNECT
- Multiple input types supported, including HOST / IP / CIDR notation
- Automatically de-duplicates hosts shared across multiple subdomains
- Stdin and stdout support for integration into workflows
- Lightweight on resources and easy to use
▶ naabu -host hackerone.com
__
___ ___ ___ _/ / __ __
/ _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/ v2.0.3
projectdiscovery.io
[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Running SYN scan with root privileges
[INF] Found 4 ports on host hackerone.com (104.16.100.52)
hackerone.com:80
hackerone.com:443
hackerone.com:8443
hackerone.com:8080
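To make the CONNECT mode concrete, here is an added example (my own code, not naabu's): a minimal connect scanner with a worker pool, run against a throwaway listener on 127.0.0.1 so it can be exercised offline. The host, the port list and all function names are this example's assumptions. A SYN scan would instead craft raw packets and need the root privileges the banner above mentions; a connect scan only needs the ordinary socket API.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"sync"
	"time"
)

// connectProbe performs one CONNECT-mode probe: a full TCP three-way
// handshake through the OS socket API. It needs no raw socket and no root
// privileges, but it completes the connection and therefore shows up in
// the target's application logs, unlike a half-open SYN probe.
func connectProbe(host string, port int, timeout time.Duration) bool {
	addr := net.JoinHostPort(host, fmt.Sprint(port))
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		// ECONNREFUSED (closed) and a timeout (filtered) both land here;
		// a plain connect scan cannot tell them apart without inspecting err.
		return false
	}
	conn.Close()
	return true
}

// ConnectScan probes the given ports with at most `workers` concurrent
// connections and returns the open ones in ascending order.
func ConnectScan(host string, ports []int, workers int, timeout time.Duration) []int {
	if workers < 1 {
		workers = 1
	}
	jobs := make(chan int)
	var (
		mu   sync.Mutex
		open []int
		wg   sync.WaitGroup
	)
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for p := range jobs {
				if connectProbe(host, p, timeout) {
					mu.Lock()
					open = append(open, p)
					mu.Unlock()
				}
			}
		}()
	}
	for _, p := range ports {
		jobs <- p
	}
	close(jobs)
	wg.Wait()
	sort.Ints(open)
	return open
}

// listenLocal starts a throwaway listener on 127.0.0.1 so the scanner has a
// known-open port to find without touching any external host.
func listenLocal() (port int, stop func(), err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.Close()
		}
	}()
	return ln.Addr().(*net.TCPAddr).Port, func() { ln.Close() }, nil
}

func main() {
	port, stop, err := listenLocal()
	if err != nil {
		panic(err)
	}
	defer stop()
	// Constructed target list: the live listener plus low ports that are
	// not expected to be listening on loopback.
	targets := []int{port, 1, 2, 3}
	open := ConnectScan("127.0.0.1", targets, 4, 500*time.Millisecond)
	fmt.Printf("[INF] Found %d ports on host 127.0.0.1\n", len(open))
	for _, p := range open {
		fmt.Printf("127.0.0.1:%d\n", p)
	}
}
```

The worker pool is what keeps a full 65535-port sweep from opening tens of thousands of sockets at once; the timeout is what bounds the cost of filtered ports, which otherwise wait for the kernel's own connect timeout.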
Scanning
The scan-related code lives in the v2/pkg/scan directory.
CDN check
As the name suggests. Following the call chain, the CDN check turns out to call into the github.com/projectdiscovery/cdncheck project.
It fetches the IP ranges of several CDNs from their APIs and then checks whether an IP falls inside any of those ranges.
package cdncheck

import (
	"io/ioutil"
	"net/http"
	"regexp"
	"strings"
)

// cidrRegex is defined elsewhere in the cdncheck package; the pattern shown
// here is an assumption added so that this excerpt compiles on its own.
var cidrRegex = regexp.MustCompile(`[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+`)

// scrapeCloudflare scrapes cloudflare firewall's CIDR ranges from their API
func scrapeCloudflare(httpClient *http.Client) ([]string, error) {
	resp, err := httpClient.Get("https://www.cloudflare.com/ips-v4")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	// Note: resp.StatusCode is not checked; a non-200 body is scanned for
	// CIDR-looking strings exactly like a normal response.
	data, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	body := string(data)
	cidrs := cidrRegex.FindAllString(body, -1)
	return cidrs, nil
}

// scrapeIncapsula scrapes incapsula firewall's CIDR ranges from their API
func scrapeIncapsula(httpClient *http.Client) ([]string, error) {
	// Incapsula expects a form-encoded POST; resp_format=text asks for a
	// plain-text list instead of JSON.
	req, err := http.NewRequest(http.MethodPost, "https://my.incapsula.com/api/integration/v1/ips", strings.NewReader("resp_format=text"))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := httpClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	data, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	body := string(data)
	cidrs := cidrRegex.FindAllString(body, -1)
	return cidrs, nil
}

// scrapeAkamai scrapes akamai firewall's CIDR ranges from ipinfo
func scrapeAkamai(httpClient *http.Client) ([]string, error) {
	// Akamai publishes no range list here; the prefixes are pulled out of
	// ipinfo's HTML page for AS12222, so the regex does all the parsing.
	resp, err := httpClient.Get("https://ipinfo.io/AS12222")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	data, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	body := string(data)
	cidrs := cidrRegex.FindAllString(body, -1)
	return cidrs, nil
}
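The scrapers only cover the first half of the CDN check, collecting ranges. To show the second half, the membership test, here is an added example (my own code, not cdncheck's) that feeds constructed stand-ins for the three responses through the same regex-extraction idea, validates every match with net.ParseCIDR, and looks up an address. The sample bodies, the regex pattern and all type and function names are this example's assumptions; the prefixes are illustrative, and 104.16.0.0/13 is included so that the hackerone.com address from the scan output above (104.16.100.52) gets matched.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// cidrRegex follows the same idea as the scrapers above: pull anything that
// looks like an IPv4 CIDR out of a provider response, whatever its format.
// The exact pattern is this example's own, not cdncheck's.
var cidrRegex = regexp.MustCompile(`\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b`)

// Constructed sample bodies standing in for the three HTTP responses, so the
// example runs offline. The last Akamai row is deliberately malformed.
const (
	sampleCloudflare = "173.245.48.0/20\n103.21.244.0/22\n104.16.0.0/13\n"
	sampleIncapsula  = "199.83.128.0/21\n198.143.32.0/19\n"
	sampleAkamaiHTML = `<tr><td>23.32.0.0/11</td><td>Akamai</td></tr>
<tr><td>104.64.0.0/10</td><td>Akamai</td></tr>
<tr><td>300.1.1.1/33</td><td>garbage</td></tr>`
)

type rangeEntry struct {
	ipnet    *net.IPNet
	provider string
}

// Checker holds every parsed range together with the CDN it belongs to.
type Checker struct {
	ranges []rangeEntry
}

// Add extracts CIDRs from body, validates each with net.ParseCIDR and
// attributes the valid ones to provider. It returns the number kept: the
// loose regex happily matches "300.1.1.1/33", so the ParseCIDR step is what
// keeps garbage from a bad response out of the range table.
func (c *Checker) Add(provider, body string) int {
	added := 0
	for _, m := range cidrRegex.FindAllString(body, -1) {
		_, ipnet, err := net.ParseCIDR(m)
		if err != nil {
			continue
		}
		c.ranges = append(c.ranges, rangeEntry{ipnet: ipnet, provider: provider})
		added++
	}
	return added
}

// Check reports whether ip lies inside a known CDN range and which provider
// owns it. Unparseable input is treated as "not a CDN address".
func (c *Checker) Check(ip string) (bool, string) {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return false, ""
	}
	for _, r := range c.ranges {
		if r.ipnet.Contains(parsed) {
			return true, r.provider
		}
	}
	return false, ""
}

// NewSampleChecker loads the constructed bodies, mirroring how the results of
// the three scrapers would be merged into one lookup table.
func NewSampleChecker() *Checker {
	c := &Checker{}
	c.Add("cloudflare", sampleCloudflare)
	c.Add("incapsula", sampleIncapsula)
	c.Add("akamai", sampleAkamaiHTML)
	return c
}

func main() {
	c := NewSampleChecker()
	for _, ip := range []string{"104.16.100.52", "23.40.1.1", "8.8.8.8", "not-an-ip"} {
		isCDN, provider := c.Check(ip)
		fmt.Printf("%-15s cdn=%-5t provider=%q\n", ip, isCDN, provider)
	}
}
```

Two things are worth noting relative to the scrapers above. None of them checks resp.StatusCode, so a provider error page would be regex-scanned like a normal response, and FindAllString alone accepts strings such as 300.1.1.1/33; running every match through net.ParseCIDR, as Add does, discards those before they reach the lookup. A linear scan over a few hundred prefixes is fine for a per-host check inside a port scanner; a radix tree only pays off with much larger tables.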