Open d34dfr4m3 opened 4 years ago
The command is not returning any banner
masscan 172.217.29.78 -Pn -n -sS -p80 --banners --connection-timeout 3 --wait 3
The default wait time is 10; using --wait we improve speed.
Research in progress about banner grabbing
Some RTFM stuff here -> https://github.com/robertdavidgraham/masscan
Masscan can do more than just detect whether ports are open. It can also complete the TCP connection and interaction with the application at that port in order to grab simple "banner" information.
The problem with this is that masscan contains its own TCP/IP stack separate from the system you run it on. When the local system receives a SYN-ACK from the probed target, it responds with a RST packet that kills the connection before masscan can grab the banner.
The easiest way to prevent this is to assign masscan a separate IP address. This would look like the following:
# masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200
The address you choose has to be on the local subnet and not otherwise be used by another system.
In some cases, such as WiFi, this isn't possible. In those cases, you can firewall the port that masscan uses. This prevents the local TCP/IP stack from seeing the packet, but masscan still sees it since it bypasses the local stack. For Linux, this would look like:
# iptables -A INPUT -p tcp --dport 61000 -j DROP
# masscan 10.0.0.0/8 -p80 --banners --source-port 61000
sudo masscan 172.16.0.1 -p22.53.80,1900 -p22,53,80,1900 --banners --connection-timeout 3 --wait 3 --http-user-agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36' --source-ip 172.16.0.99 -oJ banner_test
Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2019-12-22 01:57:47 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [4 ports/host]
Result:
$ cat banner_test
[
{ "ip": "172.16.0.1", "timestamp": "1576979867", "ports": [ {"port": 80, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{ "ip": "172.16.0.1", "timestamp": "1576979867", "ports": [ {"port": 1900, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{ "ip": "172.16.0.1", "timestamp": "1576979867", "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{ "ip": "172.16.0.1", "timestamp": "1576979867", "ports": [ {"port": 53, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 61} ] }
,
{ "ip": "172.16.0.1", "timestamp": "1576979871", "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "http", "banner": "CENSURADO"} } ] }
,
{ "ip": "172.16.0.1", "timestamp": "1576979871", "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "title", "banner": "CENSURADO"} } ] }
,
{ "ip": "172.16.0.1", "timestamp": "1576979871", "ports": [ {"port": 22, "proto": "tcp", "service": {"name": "ssh", "banner": "CENSURADO"} } ] }
]
So the command will be
masscan 172.16.0.1 -p22,53,80,1900 --banners --connection-timeout 3 --wait 3 --http-user-agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36' --source-ip 172.16.0.99 -oJ banner_test
But we will get into trouble using a separate IP address in an environment where we have only a public IP (VPS host), so we need to adjust it to use a source port like this:
# iptables -A INPUT -p tcp --dport 61000 -j DROP
# masscan 10.0.0.0/8 -p80 --banners --source-port 61000
Fix Code:
import json
import os
import subprocess

import db_controler  # project module referenced by the issue, not shown here


def runMasscan(hostname, ipAddress):
    print("[!] Disparando Masscan")
    outputStandart = '/tmp/masscan_output_'
    target = ipAddress
    fileName = outputStandart + ipAddress
    FNULL = open(os.devnull, 'w')
    # --http-user-agent must precede the User-Agent string; without the flag
    # masscan receives the string as a stray argument.
    processHandler = subprocess.run(['masscan', ipAddress, '-Pn', '--ports', '1-65535', '-oJ', fileName,
                                     '--banners', '--connection-timeout', '3', '--wait', '3',
                                     '--http-user-agent',
                                     'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36',
                                     '--source-port', '61000'],
                                    stdout=FNULL, stderr=subprocess.STDOUT)
    FNULL.close()
    # masscan writes an empty file when nothing was found
    if os.stat(fileName).st_size == 0:
        return False
    data = open(fileName, 'r')
    payload = json.loads(data.read())
    data.close()
    for host in range(len(payload)):
        print("[+][MASSSCAN] Result for hostname: {} ipAddress: {}".format(hostname, payload[host]['ip']))
        for port in range(len(payload[host]['ports'])):
            host_port = payload[host]['ports'][port]['port']
            # status records carry no "service" key; banner records do
            if 'service' in payload[host]['ports'][port]:
                service_name = payload[host]['ports'][port]['service']['name']
                service_banner = payload[host]['ports'][port]['service']['banner']
            else:
                service_name = 'Null'
                service_banner = 'Null'
            print('\t[+] Open Port: {} Service: {} Banner: \n\t\t{}'.format(host_port, service_name, service_banner))
            try:
                # store the port number, not the loop index
                db_controler.portAdd(ipAddress, host_port, hostname)
            except Exception as error:
                print("Error:" + str(error))
    print("[=] Cleaning temp dir")
    processHandler = subprocess.run(['rm', '-f', fileName])
    # check_returncode() returns None and raises on failure, so compare returncode directly
    if processHandler.returncode == 0:
        print("[+] Arquivo {} foi removido".format(fileName))
    else:
        print("[*] Falha ao excluir arquivo {}, erro: {}".format(fileName, processHandler.returncode))
Need to define iptables
iptables -A INPUT -p tcp --dport 61000 -j DROP
Command example:
Command output json:
Need to modify the parser and insert the banner info in database.
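Added example (not code from the issue or the project): a small parser that merges the two kinds of records masscan -oJ emits for one port, the syn-ack status record and the later service/banner records, and lists the open ports that came back with no banner, which is the symptom this issue is about. The sample input is constructed in the shape of the output shown above with made-up banners; the trailing comma before the closing bracket is an assumption about what some masscan builds emit, kept here so the parser tolerates it.

```python
import json
import re

# Constructed sample in the shape of the masscan -oJ output shown in the issue
# (banners invented). Each port appears once as a status record and again, when
# --banners works, as one "service" record per banner. The trailing ",\n]" is
# deliberate: some masscan builds emit it (assumption) and json.loads() rejects it.
SAMPLE = r'''[
{ "ip": "172.16.0.1", "timestamp": "1576979867", "ports": [ {"port": 80, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "172.16.0.1", "timestamp": "1576979867", "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "172.16.0.1", "timestamp": "1576979867", "ports": [ {"port": 53, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 61} ] },
{ "ip": "172.16.0.1", "timestamp": "1576979871", "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "http", "banner": "HTTP/1.1 200 OK\r\nServer: example-httpd/1.0"} } ] },
{ "ip": "172.16.0.1", "timestamp": "1576979871", "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "title", "banner": "Example Page"} } ] },
{ "ip": "172.16.0.1", "timestamp": "1576979871", "ports": [ {"port": 22, "proto": "tcp", "service": {"name": "ssh", "banner": "SSH-2.0-OpenSSH_7.9"} } ] },
]'''


def load_masscan_json(text):
    """Parse masscan -oJ output, dropping a trailing comma before the final ']'."""
    return json.loads(re.sub(r",\s*\]\s*$", "]", text))


def merge_ports(records):
    """Collapse status and service records into one entry per (ip, port, proto)."""
    merged = {}
    for rec in records:
        for p in rec.get("ports", []):
            key = (rec["ip"], p["port"], p.get("proto", "tcp"))
            entry = merged.setdefault(key, {"status": None, "banners": {}})
            if "status" in p:
                entry["status"] = p["status"]
            if "service" in p:
                entry["banners"][p["service"]["name"]] = p["service"].get("banner", "")
    return merged


def ports_missing_banner(merged):
    """Open ports with no banner: either the kernel RST killed masscan's
    handshake (this issue) or the service simply sends nothing on connect."""
    return sorted(k for k, v in merged.items() if v["status"] == "open" and not v["banners"])


if __name__ == "__main__":
    merged = merge_ports(load_masscan_json(SAMPLE))
    for (ip, port, proto), v in sorted(merged.items()):
        print(f"{ip}:{port}/{proto} {v['status']} banners={list(v['banners'])}")
    print("open but no banner:", ports_missing_banner(merged))
```

If every open port lands in the "no banner" list, the source-ip or iptables workaround from the README quoted above has not taken effect.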