search

google / tsunami-security-scanner

Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
Apache License 2.0
8.27k stars 889 forks source link

Illegal reflective access ( Use --illegal-access=warn) #54

Closed ghost closed 3 years ago

ghost commented 4 years ago

hi all, i've use this command:

cd /root/tsunami && \
java -cp "tsunami-main-0.0.2-SNAPSHOT-cli.jar:/root/tsunami/plugins/*" \
  -Dtsunami-config.location=/root/tsunami/tsunami.yaml \
  com.google.tsunami.main.cli.TsunamiCli \
  --ip-v4-target=192.168.238.138 \
  --scan-results-local-output-format=JSON \
  --scan-results-local-output-filename=/tmp/testdireport.json

and i've this result:

lug 21, 2020 12:02:52 PM com.google.tsunami.main.cli.TsunamiCli main
INFORMAZIONI: Full classpath scan took 10.14 s
lug 21, 2020 12:02:53 PM com.google.tsunami.common.config.ConfigModule configure
INFORMAZIONI: Found Tsunami config class: com.google.tsunami.plugins.detectors.credentials.ncrack.NcrackWeakCredentialDetectorConfigs
lug 21, 2020 12:02:53 PM com.google.tsunami.common.config.ConfigModule configure
INFORMAZIONI: Found Tsunami config class: com.google.tsunami.plugins.portscan.nmap.NmapPortScannerConfigs
lug 21, 2020 12:02:53 PM com.google.tsunami.common.cli.CliOptionsModule configure
INFORMAZIONI: Found CliOption: com.google.tsunami.common.io.archiving.GoogleCloudStorageArchiver$Options
lug 21, 2020 12:02:53 PM com.google.tsunami.common.cli.CliOptionsModule configure
INFORMAZIONI: Found CliOption: com.google.tsunami.main.cli.ScanResultsArchiver$Options
lug 21, 2020 12:02:53 PM com.google.tsunami.common.cli.CliOptionsModule configure
INFORMAZIONI: Found CliOption: com.google.tsunami.main.cli.option.ScanTargetCliOptions
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$1 (file:/root/tsunami/tsunami-main-0.0.2-SNAPSHOT-cli.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
lug 21, 2020 12:02:53 PM com.google.tsunami.plugin.PluginLoadingModule configure
INFORMAZIONI: Found plugin class: com.google.tsunami.plugins.detectors.credentials.ncrack.NcrackWeakCredentialDetector
lug 21, 2020 12:02:53 PM com.google.tsunami.plugin.PluginBootstrapModule registerPlugin
INFORMAZIONI: Plugin class com.google.tsunami.plugins.detectors.credentials.ncrack.NcrackWeakCredentialDetector is registered.
lug 21, 2020 12:02:53 PM com.google.tsunami.plugin.PluginLoadingModule configure
INFORMAZIONI: Found plugin class: com.google.tsunami.plugins.detectors.exposedui.hadoop.yarn.YarnExposedManagerApiDetector
lug 21, 2020 12:02:53 PM com.google.tsunami.plugin.PluginBootstrapModule registerPlugin
INFORMAZIONI: Plugin class com.google.tsunami.plugins.detectors.exposedui.hadoop.yarn.YarnExposedManagerApiDetector is registered.
lug 21, 2020 12:02:53 PM com.google.tsunami.plugin.PluginLoadingModule configure
INFORMAZIONI: Found plugin class: com.google.tsunami.plugins.detectors.exposedui.jenkins.JenkinsExposedUiDetector
lug 21, 2020 12:02:53 PM com.google.tsunami.plugin.PluginBootstrapModule registerPlugin
INFORMAZIONI: Plugin class com.google.tsunami.plugins.detectors.exposedui.jenkins.JenkinsExposedUiDetector is registered.
lug 21, 2020 12:02:53 PM com.google.tsunami.plugin.PluginLoadingModule configure
INFORMAZIONI: Found plugin class: com.google.tsunami.plugins.detectors.exposedui.jupyter.JupyterExposedUiDetector
lug 21, 2020 12:02:53 PM com.google.tsunami.plugin.PluginBootstrapModule registerPlugin
INFORMAZIONI: Plugin class com.google.tsunami.plugins.detectors.exposedui.jupyter.JupyterExposedUiDetector is registered.
lug 21, 2020 12:02:53 PM com.google.tsunami.plugin.PluginLoadingModule configure
INFORMAZIONI: Found plugin class: com.google.tsunami.plugins.detectors.exposedui.wordpress.WordPressInstallPageDetector
lug 21, 2020 12:02:53 PM com.google.tsunami.plugin.PluginBootstrapModule registerPlugin
INFORMAZIONI: Plugin class com.google.tsunami.plugins.detectors.exposedui.wordpress.WordPressInstallPageDetector is registered.
lug 21, 2020 12:02:53 PM com.google.tsunami.plugin.PluginLoadingModule configure
INFORMAZIONI: Found plugin class: com.google.tsunami.plugins.portscan.nmap.NmapPortScanner
lug 21, 2020 12:02:53 PM com.google.tsunami.plugin.PluginBootstrapModule registerPlugin
INFORMAZIONI: Plugin class com.google.tsunami.plugins.portscan.nmap.NmapPortScanner is registered.
lug 21, 2020 12:02:53 PM com.google.tsunami.main.cli.TsunamiCli run
INFORMAZIONI: TsunamiCli starting...
lug 21, 2020 12:02:53 PM com.google.tsunami.workflow.DefaultScanningWorkflow runAsync
INFORMAZIONI: Staring Tsunami scanning workflow.
lug 21, 2020 12:02:53 PM com.google.tsunami.workflow.DefaultScanningWorkflow scanPorts
INFORMAZIONI: Starting port scanning phase of the scanning workflow.
lug 21, 2020 12:02:53 PM com.google.tsunami.plugins.portscan.nmap.NmapPortScanner scan
INFORMAZIONI: Starting nmap scan.
lug 21, 2020 12:02:54 PM com.google.tsunami.common.command.CommandExecutor execute
INFORMAZIONI: Executing the following command: '/usr/bin/nmap --unprivileged -Pn -n -sT -sV --version-intensity 5 -T4 --script banner 192.168.238.138 -oX /tmp/nmap10473025464739146339.report'
lug 21, 2020 12:03:05 PM com.google.tsunami.plugins.portscan.nmap.client.parser.NmapResultHandler startDocument
INFORMAZIONI: Start parsing Nmap result document.
lug 21, 2020 12:03:05 PM com.google.tsunami.plugins.portscan.nmap.client.parser.NmapResultHandler endDocument
INFORMAZIONI: Finished parsing Nmap result document.
lug 21, 2020 12:03:05 PM com.google.tsunami.plugins.portscan.nmap.NmapPortScanner scan
INFORMAZIONI: Finished nmap scan on target '192.168.238.138' in 11.86 s.
lug 21, 2020 12:03:05 PM com.google.tsunami.plugins.portscan.nmap.NmapPortScanner extractServicesFromNmapRun
INFORMAZIONI: Building PortScanningReport from Nmap result.
lug 21, 2020 12:03:05 PM com.google.tsunami.workflow.DefaultScanningWorkflow fingerprintNetworkServices
INFORMAZIONI: Port scanning phase done, moving to service fingerprinting phase with '0' fingerprinter(s) selected.
lug 21, 2020 12:03:05 PM com.google.tsunami.workflow.DefaultScanningWorkflow detectVulnerabilities
INFORMAZIONI: Service fingerprinting phase done, moving to vuln detection phase.
lug 21, 2020 12:03:05 PM com.google.tsunami.workflow.DefaultScanningWorkflow generateScanResults
INFORMAZIONI: Tsunami scanning workflow done. Generating scan results.
lug 21, 2020 12:03:05 PM com.google.tsunami.workflow.DefaultScanningWorkflow lambda$runAsync$0
INFORMAZIONI: Tsunami scanning workflow traces:
  Port scanning phase (11.91 s) with 1 plugin(s):
    /Tsunami Team (tsunami-dev@google.com)/PORT_SCAN/NmapPortScanner/0.1
  Service fingerprinting phase (14.37 ms) with 0 plugin(s):

  Vuln detection phase (2.242 ms) with 0 plugin(s):

  # of detected vulnerability: 0.

I have to insert the "--illegal-access=warn" ? like:

cd /root/tsunami && \
java -cp "tsunami-main-0.0.2-SNAPSHOT-cli.jar:/root/tsunami/plugins/*" --illegal-access=warn\
  -Dtsunami-config.location=/root/tsunami/tsunami.yaml \
  com.google.tsunami.main.cli.TsunamiCli \
  --ip-v4-target=192.168.238.138 \
  --scan-results-local-output-format=JSON \
  --scan-results-local-output-filename=/tmp/testdireport.json
magl0 commented 4 years ago

Hi the illegal access warning doesn't affect the overall functionality of the scanner. It looks like nmap cannot find any open ports on your scan target and hence no detection is triggered.

Without configuration, Tsunami uses default nmap port configuration, which scans the most common 1,000 ports for each protocol. If you know certain ports are open, you could configure Tsunami to only scan those ports instead. See this for the exported configuration options for nmap.