Pbscan
| Project Name | Stars | Downloads | Repos Using This | Packages Using This | Most Recent Commit | Total Releases | Latest Release | Open Issues | License | Language |
|---|---|---|---|---|---|---|---|---|---|---|
| Masscan | 20,609 | a month ago | 1 | February 27, 2018 | 381 | other | C | |||
| TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes. | ||||||||||
| Rustscan | 9,432 | 18 days ago | 17 | April 27, 2022 | 117 | gpl-3.0 | Rust | |||
| 🤖 The Modern Port Scanner 🤖 | ||||||||||
| Autorecon | 3,922 | 22 days ago | 18 | gpl-3.0 | Python | |||||
| AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. | ||||||||||
| Naabu | 3,137 | 1 | 2 days ago | 30 | July 31, 2022 | 25 | mit | Go | ||
| A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests | ||||||||||
| Cameradar | 3,047 | 6 months ago | 7 | November 08, 2021 | 22 | mit | Go | |||
| Cameradar hacks its way into RTSP videosurveillance cameras | ||||||||||
| Nmapautomator | 1,312 | 2 years ago | 4 | mit | Shell | |||||
| A script that you can run in the background! | ||||||||||
| Vxscan | 1,280 | 3 years ago | 4 | apache-2.0 | Python | |||||
| python3写的综合扫描工具,主要用来存活验证,敏感文件探测(目录扫描/js泄露接口/html注释泄露),WAF/CDN识别,端口扫描,指纹/服务识别,操作系统识别,POC扫描,SQL注入,绕过CDN,查询旁站等功能,主要用来甲方自测或乙方授权测试,请勿用来搞破坏。 | ||||||||||
| Androidnetworktools | 1,233 | 23 days ago | 29 | apache-2.0 | Java | |||||
| Set of useful android network tools | ||||||||||
| Static Code Scan | 1,070 | 5 years ago | other | JavaScript | ||||||
| Run this quick static code scan on any URL to check for out-of-date libraries, layout issues and accessibility. | ||||||||||
| Ladongo | 1,034 | 6 months ago | 2 | mit | Go | |||||
| LadonGO 4.2 Pentest Scanner framework 全平台Go开源内网渗透扫描器框架,Windows/Linux/Mac内网渗透,使用它可轻松一键批量探测C段、B段、A段存活主机、高危漏洞检测MS17010、SmbGhost,远程执行SSH/Winrm,密码爆破SMB/SSH/FTP/Mysql/Mssql/Oracle/Winrm/HttpBasic/Redis,端口扫描服务识别PortScan指纹识别/HttpBanner/HttpTitle/TcpBanner/Weblogic/Oxid多网卡主机,端口扫描服务识别PortScan。 | ||||||||||
SUMMARY
polarbearscan is an attempt to do faster and more efficient banner grabbing and port scanning. It combines two different ideas which hopefully will make it somewhat worthy of your attention and time.
The first of these ideas is to use stateless SYN scanning using cryptographically protected cookies to parse incoming acknowledgements. To the best of the author's knowledge this technique was pioneered by Dan Kaminsky in scanrand. Scanrand was itself part of Paketto Keiretsu, a collection of scanning utilities, and it was released somewhere in 2001-2002. A mirror of this code can be found at Packet Storm [1].
The second idea is use a patched userland TCP/IP stack such that the scanner can restore state immediately upon receiving a cryptographically verified packet with both the SYN and ACK flags set. The userland stack being used here by polarbearscan is called libuinet [2]. Unlike some of the other userland TCP/IP stacks out there this one is very mature as it's simply a port of FreeBSD's TCP/IP stack.
By patching the libuinet stack one can then construct a socket and complete the standard TCP 3-way handshake by replying with a proper ACK. Doing it this way a fully functional TCP connection is immediately established. This as opposed to other scanners (such as nmap) who would have to, after noting that a TCP port is open, now perform a full TCP connect via the kernel to do things such as banner grabbing or version scanning. A full TCP connect leads leads to a whole new TCP 3-way handshake being performed. This completely discards the implicit state which was built up by the initial two packets being exchanged between the hosts. By avoiding this one can reduce bandwidth usage and immediately go from detecting that a port is open to connecting to it. This connection can then simply sit back and receive data in banner grab mode or it could send out an HTTP request.
Please note that the scanner right now only supports IPv4 based scanning and it will only work properly over Ethernet-type (wired or wireless) interfaces. There are no plans to support IPv6 or different interfaces in the near future.
INSTALLATION
Compiling the code is pretty straightforward. One just needs a working connection to the net and git needs to be installed such that the required dependencies can be downloaded. Besides that standard development utilities (gcc, make, patch), development editions of libraries (pthread, pcap, OpenSSL). On Debian based distributions one can simply install all the packages listed in the DEPENDENCIES file. After that one should be able to just type 'make' and the external dependencies will be checked out using git and the entire scanner will be build. This binary can then be copied to /usr/bin or /usr/local/bin or the like.
If compilation fails please email the author (contact details below) and include the error output, kernel version, libc version and anything else that might help with reproducing and fixing the problem. Your help is kindly appreciated.
USAGE
Running the tool should be pretty straightforward. You will need root privileges. The -h option shows brief usage information and the options explained. In most cases one whould not need more than specifying the type of scan to perform, the port lists to scan and the target IP or IP-ranges. CIDR- noation is supported for the IP ranges.
There are four different scan types which are specified with -s
-sB: This does a standard banner grab. The scanner will not send any data as it will simply wait and receive data and display it up until the first newline or carriage return received.
-sH: This mode sends a "GET / HTTP/1.1" request to every successfully setup connection. It's very useful for quickly identifying HTTP servers.
-sT: TLS scanning mode sends a TLS1.0 NULL probe with zero options and zero algorithms specified. However if there's a valid TLS server on the receiving end it will parse out and try to figure out if it's a valid TLS Error response which will then be dispalyed.
-sC: Custom scanning wich will load a payload from a file (specified with -d) and send this payload out to every successfully established socket. Can be useful for quickly probing very specific protocols
-p: The list of TCP ports to scan which can be a range of ports or single ports with ranges and single ports seperated by comma's. Some examples: -p22,80,8080-9000,143 will scan port 22,80,143 and the range of 8080 to 9000.
-b
-d
-t
-x: This forces the tool to alwyas dump output received in hexadecimal notation. Otherwise it will only dump data in hexadecimal notation if non-printable characters are found.
-v: This specifies some verbose output. It's mostly only useful for debugging.
-i
-r
-T
-W
-I
-n: This option should only be used if you know what you're doing. It will make sure the tool does NOT set the firewall rule to drop all outgoing RST packets. If this is used then the scanner will not fork and one has the responsibility to set this rule by hand as otherwise the kernel will send RST packets back for every SYNACK packet received. This will make the tool simply not work. The rule as it's being set on Linux is the following:
$ /sbin/iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
-o: This option does not do the I/O redirection so one will see more output of the uinet internals. It's only added for the sake of completeness or for debugging scenario's as it's not very useful otherwise.
-h: The usage information.
Some examples on how to use the tool. To do a banner grab of port 22 on a /24 range use like:
./pbscan -sB -p22 x.x.x.x/24
To do an HTTP scan on several common HTTP ports for a single IP with the output in hexadecimal mode use:
./pbscan -sH -x -p80,8080-9000 x.x.x.x
During scanning when you press a key on standard input you see some stats being printed out, such as the amount of open ports identified, the amount of valid TCP acks received the number of currently active connections, and how many SYN probes of the total have already been sent out. This will look something like:
sent: 1.97% (of 254), open: 0, active: 2, acks: 2
AUTHOR
This tool was written by Vincent Berg. Contact me by emailing [email protected] or visit my website http://santarago.org for updated releases/news on this scanner.
THANKS
Much appreciation for several folks that helped out testing, porting this cool and reporting bugs. Thanks to Ehab, Joseph, Alejandro, Julian and Diego.
REFERENCES
[1] http://packetstormsecurity.com/files/30489/paketto-1.10.tar.gz.html
