d34dfr4m3 / prettycool

RedTeam/BugBounty Recon Tool

Masscan to grab banners #2

Open d34dfr4m3 opened 4 years ago

d34dfr4m3 commented 4 years ago

Command example:

masscan TARGETIP  -Pn -n -sS --ports 1-65535 -oJ output_masscan  --banners --connection-timeout 3

Command output json:

[
{   "ip": "TARGETIP",   "timestamp": "1576396905", "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{   "ip": "TARGETIP",   "timestamp": "1576397199", "ports": [ {"port": 53, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 61} ] }
,
{   "ip": "TARGETIP",   "timestamp": "1576397352", "ports": [ {"port": 1900, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
]

Need to modify the parser and insert the banner info into the database.

d34dfr4m3 commented 4 years ago

The command is not returning any banner

masscan 172.217.29.78 -Pn -n -sS -p80 --banners --connection-timeout 3 --wait 3

The default wait time is 10; using --wait we improve speed.

Research in progress about banner grabbing

d34dfr4m3 commented 4 years ago

Some RTFM stuff here -> https://github.com/robertdavidgraham/masscan

Banner checking

Masscan can do more than just detect whether ports are open. It can also complete the TCP connection and interaction with the application at that port in order to grab simple "banner" information.

The problem with this is that masscan contains its own TCP/IP stack separate from the system you run it on. When the local system receives a SYN-ACK from the probed target, it responds with a RST packet that kills the connection before masscan can grab the banner.

The easiest way to prevent this is to assign masscan a separate IP address. This would look like the following:

# masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200

The address you choose has to be on the local subnet and not otherwise be used by another system.

In some cases, such as WiFi, this isn't possible. In those cases, you can firewall the port that masscan uses. This prevents the local TCP/IP stack from seeing the packet, but masscan still sees it since it bypasses the local stack. For Linux, this would look like:

# iptables -A INPUT -p tcp --dport 61000 -j DROP
# masscan 10.0.0.0/8 -p80 --banners --source-port 61000

d34dfr4m3 commented 4 years ago

sudo masscan 172.16.0.1 -p22.53.80,1900 -p22,53,80,1900 --banners --connection-timeout 3 --wait 3 --http-user-agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36' --source-ip 172.16.0.99 -oJ banner_test

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2019-12-22 01:57:47 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [4 ports/host]

Result:

$ cat banner_test
[
{   "ip": "172.16.0.1",   "timestamp": "1576979867", "ports": [ {"port": 80, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{   "ip": "172.16.0.1",   "timestamp": "1576979867", "ports": [ {"port": 1900, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{   "ip": "172.16.0.1",   "timestamp": "1576979867", "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{   "ip": "172.16.0.1",   "timestamp": "1576979867", "ports": [ {"port": 53, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 61} ] }
,
{   "ip": "172.16.0.1",   "timestamp": "1576979871", "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "http", "banner": "CENSURADO"} } ] }
,
{   "ip": "172.16.0.1",   "timestamp": "1576979871", "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "title", "banner": "CENSURADO"} } ] }
,
{   "ip": "172.16.0.1",   "timestamp": "1576979871", "ports": [ {"port": 22, "proto": "tcp", "service": {"name": "ssh", "banner": "CENSURADO"} } ] }
]

So the command will be

masscan 172.16.0.1 -p22.53.80,1900 -p22,53,80,1900 --banners --connection-timeout 3 --wait 3 --http-user-agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36' --source-ip 172.16.0.99 -oJ banner_test

But we will get into trouble using an IP address in an environment where we have only a public IP (VPS host), so we need to adjust to use a port like this:

# iptables -A INPUT -p tcp --dport 61000 -j DROP
# masscan 10.0.0.0/8 -p80 --banners --source-port 61000

d34dfr4m3 commented 4 years ago


Fix Code:

import json
import os
import subprocess

import db_controler  # project module, as used in the original file

USER_AGENT = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36'

def runMasscan(hostname,ipAddress):
  print("[!] Disparando Masscan")
  outputStandart='/tmp/masscan_output_'
  target=ipAddress
  fileName=outputStandart+ipAddress
  FNULL = open(os.devnull, 'w')
  # --source-port 61000 only works together with the iptables DROP rule below,
  # otherwise the host TCP/IP stack answers the SYN-ACK with a RST before the banner arrives.
  # The user agent string must be preceded by its --http-user-agent flag.
  processHandler = subprocess.run(['masscan', target, '-Pn', '--ports', '1-65535', '-oJ', fileName,
                                   '--banners', '--connection-timeout', '3', '--wait', '3',
                                   '--http-user-agent', USER_AGENT,
                                   '--source-port', '61000'],
                                  stdout=FNULL, stderr=subprocess.STDOUT)
  FNULL.close()
  # masscan writes nothing when no port is open; bail out instead of feeding json.loads an empty file
  if not os.path.exists(fileName) or os.stat(fileName).st_size == 0:
    return False
  data = open(fileName,'r')
  payload=json.loads(data.read())
  data.close()
  for host in range(len(payload)):
    print("[+][MASSSCAN] Result for hostname: {} ipAddress: {}".format(hostname,payload[host]['ip']))
    for port in range(len(payload[host]['ports'])):
      host_port=payload[host]['ports'][port]['port']
      # banner records carry a 'service' object instead of 'status'
      if 'service' in payload[host]['ports'][port]:
        service_name=payload[host]['ports'][port]['service']['name']
        service_banner=payload[host]['ports'][port]['service']['banner']
      else:
        service_name='Null'
        service_banner='Null'
      print('\t[+] Open Port: {} Service: {} Banner: \n\t\t{}'.format(host_port,service_name,service_banner))
      try:
        # store the port number, not the loop index
        db_controler.portAdd(ipAddress,host_port,hostname)
      except Exception as error:
        print("Error:"+str(error))
  print("[=] Cleaning temp dir")
  processHandler = subprocess.run(['rm', '-f', fileName])
  # returncode is the exit status; check_returncode() returns None or raises, so a list around it was always true
  if processHandler.returncode == 0:
    print("[+] Arquivo {} foi removido".format(fileName))
  else:
    print("[*] Falha ao excluir arquivo {}, erro: {}".format(fileName,processHandler.returncode))
  return True

Need to define the iptables rule:

iptables -A INPUT -p tcp --dport 61000 -j DROP
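As an added example (not the project's code), a parser for the -oJ output shown above that merges masscan's records per (ip, proto, port): masscan emits the "open" record and each grabbed banner (http, title, ssh) as separate list entries, so inserting one row per entry duplicates ports and loses banners. The sample input is constructed in that shape, with the censored banners replaced by made-up values.

```python
import json
import re

# Constructed sample in the shape of the banner_test file above (banners made up).
SAMPLE = """[
{   "ip": "172.16.0.1",   "timestamp": "1576979867", "ports": [ {"port": 80, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{   "ip": "172.16.0.1",   "timestamp": "1576979867", "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{   "ip": "172.16.0.1",   "timestamp": "1576979871", "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "http", "banner": "HTTP/1.1 200 OK"} } ] }
,
{   "ip": "172.16.0.1",   "timestamp": "1576979871", "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "title", "banner": "Router"} } ] }
,
{   "ip": "172.16.0.1",   "timestamp": "1576979871", "ports": [ {"port": 22, "proto": "tcp", "service": {"name": "ssh", "banner": "SSH-2.0-OpenSSH_7.9"} } ] }
]"""

def parse_masscan_json(text):
    """Return {(ip, proto, port): {"status", "ttl", "banners": {name: banner}}}."""
    rows = {}
    text = text.strip()
    if not text:                      # masscan writes nothing when no port answered
        return rows
    # Tolerate a dangling comma before the closing bracket (partially written file).
    text = re.sub(r",\s*\]\s*$", "]", text)
    for record in json.loads(text):
        ip = record["ip"]
        for entry in record.get("ports", []):
            key = (ip, entry.get("proto", "tcp"), int(entry["port"]))
            row = rows.setdefault(key, {"status": None, "ttl": None, "banners": {}})
            if "status" in entry:     # the port-state record
                row["status"] = entry["status"]
                row["ttl"] = entry.get("ttl")
            svc = entry.get("service")
            if svc:                   # one record per grabbed banner, same port
                row["banners"][svc["name"]] = svc["banner"]
    return rows

def rows_for_db(rows):
    """Flatten to (ip, port, proto, status, service_names, banner_text), one tuple per port."""
    out = []
    for (ip, proto, port), row in sorted(rows.items()):
        names = ",".join(sorted(row["banners"])) or None
        banner = " | ".join("{}: {}".format(n, b) for n, b in sorted(row["banners"].items())) or None
        out.append((ip, port, proto, row["status"], names, banner))
    return out

if __name__ == "__main__":
    for row in rows_for_db(parse_masscan_json(SAMPLE)):
        print(row)
```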