Security-Tools-Alliance / rengine-ng

reNgine-ng is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and simple yet intuitive User Interface.
GNU General Public License v3.0

bug(scan): port not correctly recognized #8

Open psyray opened 7 months ago

psyray commented 7 months ago

Current Behavior

After a port scan, ports are identified as unknown.

It comes from the whatportis command and is also related to #984.

Whatportis relies on the IANA database, and this is the root cause of this problem. If the download fails, whatportis is useless and no ports are recognized.

And there's no way to update the IANA DB from the GUI; only a docker-compose restart celery triggers the update script, and maybe it downloads the DB or maybe not, depending on the IANA server.

Then you'll have to launch a port scan again to correctly display ports.

But, and there is a but, once the scan is finished, ports are correctly recognized but duplicated; e.g. you will have 80/http and 80/unknown.

Collateral damage from this is that when you do another port scan on the same target and the same port is found (e.g. 80), the reNgine task will fail with the MultipleObjectsReturned error.

There are several solutions for this problem:

The quickest solution is the first one, and the best is the third one, as nmap is more effective at service port recognition.

To enable nmap we need some additional work: as nmap recognizes the service by querying it, the same port could have more than one label. So we need to rework this part in the DB, the logic...

Expected Behavior

Ports should be identified.

Steps To Reproduce

  1. Check in the make logs at celery container start that the IANA DB download failed
  2. Connect to reNgine and launch a port scan

Environment

- reNgine: 2.0.2
- OS: Ubuntu 22.04.3
- Python: 3.10
- Docker Engine: 
- Docker Compose: 
- Browser: FF 120

Anything else?

No response
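As an added illustration (not reNgine's own code), here is a minimal Python model of the failure described in this issue and one way to avoid the duplicate rows: resolve port names from the IANA CSV with an explicit "unknown" fallback, and store results with an upsert that upgrades an existing "unknown" row instead of inserting a second one. The CSV content, host names and function names are constructed for the example.

```python
import csv
import io

# Constructed stand-in for the IANA service-names CSV that whatportis downloads.
# In the bug, that download fails and every port falls back to "unknown".
IANA_CSV = """Service Name,Port Number,Transport Protocol,Description
http,80,tcp,World Wide Web HTTP
https,443,tcp,http protocol over TLS/SSL
ssh,22,tcp,The Secure Shell (SSH) Protocol
"""


def load_iana(csv_text):
    """Parse the IANA CSV into {(port, proto): service}.
    Empty text models a failed download; port ranges like '80-90' are skipped."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Port Number"].isdigit():
            table[(int(row["Port Number"]), row["Transport Protocol"])] = row["Service Name"]
    return table


def resolve_service(table, port, proto="tcp"):
    """Service name for a port, or 'unknown' when the table is empty or lacks the port."""
    return table.get((port, proto), "unknown")


def upsert_port(store, host, port, service):
    """Record one (host, port) row. Never create a second row for the same port;
    upgrade an existing 'unknown' row once the service becomes recognised."""
    key = (host, port)
    current = store.get(key)
    if current is None or (current == "unknown" and service != "unknown"):
        store[key] = service
    return store[key]


def dedupe_ports(rows):
    """Collapse duplicate (host, port) rows such as 80/http + 80/unknown into one,
    preferring the recognised name, so a later single-object lookup cannot hit
    MultipleObjectsReturned."""
    store = {}
    for host, port, service in rows:
        upsert_port(store, host, port, service)
    return store
```

Run the first scan against `load_iana("")` (the failed download), restart with the real table, and rescan through `upsert_port`: the host ends up with exactly one row per port.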

AnonymousWP commented Dec 12, 2023

In my opinion we should go for NMAP as we already added it to reNgine a while ago and second, because it's a better solution. Sure, it might take time, but then at least we can drop one tool (whatportis) and keep NMAP. If we all agree, maybe change the title or create a PR with a descriptive title.

psyray commented Dec 16, 2023

Completely agree with you @AnonymousWP. Service recognition on port is way better with nmap. But whatportis could identify the port protocol without an active scan, and it's fast. So I think the two are complementary: whatportis to quickly recognize the default service of a given port (if a scan is launched without a port scan), nmap to really identify the service running when a port scan task is launched.

psyray commented 2 months ago

Starting point PR on official repo https://github.com/yogeshojha/rengine/pull/1317

psyray commented 1 day ago

This one needs #238 to be merged into the release/2.1.1 branch to be resolved.