projectdiscovery / naabu

A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests
https://projectdiscovery.io
MIT License

Syn scan does not work when used as lib #837

Closed dogasantos closed 1 year ago

dogasantos commented 1 year ago

Hey guys, if you try to use naabu, current version (2.1.9), as a lib, the SYN scan won't work at all. Even if you skip the host discovery, it won't print anything, even on positive open ip:port combinations.

If you take the example snippet provided in readme.md in the official repository, it won't work (even using a positive open ip:port combination).

Using strace, we can see many `{sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("")}` being fired (even for localhost).

So it seems to try with htons(0) thousands of times and then die. At first this seemed to be related to finding the correct interface, but specifying the interface via options didn't affect those socket attempts.

In the end, the scan running via lib only works with full TCP connect mode.

Can you guys take a look at this? Ty!

dogancanbakir commented 1 year ago

@dogasantos, Thanks for letting us know. Could you also share the code you were using?

dogasantos commented 1 year ago

Hey @dogancanbakir, thanks for the quick response. It is the example code from readme.md:

package main

import (
    "log"

    "github.com/projectdiscovery/goflags"
    "github.com/projectdiscovery/naabu/v2/pkg/result"
    "github.com/projectdiscovery/naabu/v2/pkg/runner"
)

func main() {
    // Minimal options, as in readme.md: one host, SYN scan ("s"), a single port.
    options := runner.Options{
        Host:     goflags.StringSlice{"scanme.sh"},
        ScanType: "s",
        // OnResult is called once per host with the open ports found.
        OnResult: func(hr *result.HostResult) {
            log.Println(hr.Host, hr.Ports)
        },
        Ports: "80",
    }

    naabuRunner, err := runner.NewRunner(&options)
    if err != nil {
        log.Fatal(err)
    }
    defer naabuRunner.Close()

    // RunEnumeration returns an error; surface it instead of dropping it.
    if err := naabuRunner.RunEnumeration(); err != nil {
        log.Fatal(err)
    }
}

dogancanbakir commented 1 year ago

@dogasantos, To compare, I ran it with CLI and as a lib. However, when running it as a library, I used all the defaults from CLI. Here are the results.

CLI non-sudo:

$ go run . -host scanme.sh

                  __
  ___  ___  ___ _/ /  __ __
 / _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/

                projectdiscovery.io

[INF] Current naabu version 2.1.9 (latest)
[INF] Running CONNECT scan with non root privileges
[INF] Found 5 ports on host scanme.sh (128.199.158.128)
scanme.sh:80
scanme.sh:445
scanme.sh:444
scanme.sh:22
scanme.sh:443

CLI sudo:

$ sudo go run . -host scanme.sh

                  __
  ___  ___  ___ _/ /  __ __
 / _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/

                projectdiscovery.io

[INF] Current naabu version 2.1.9 (latest)
[INF] Running host discovery scan
[INF] Running SYN scan with CAP_NET_RAW privileges
[INF] Found 5 ports on host scanme.sh (128.199.158.128)
scanme.sh:80
scanme.sh:22
scanme.sh:443
scanme.sh:445
scanme.sh:444

LIB non-sudo:

$ go run .
[INF] Running CONNECT scan with non root privileges
[INF] Found 5 ports on host scanme.sh (128.199.158.128)
scanme.sh:444
scanme.sh:445
scanme.sh:80
scanme.sh:22
scanme.sh:443
2023/10/19 10:57:40 scanme.sh [444-0-false 445-0-false 80-0-false 22-0-false 443-0-false]

LIB sudo:

$ sudo go run .
[INF] Running host discovery scan
[INF] Running SYN scan with CAP_NET_RAW privileges
[INF] Found 5 ports on host scanme.sh (128.199.158.128)
scanme.sh:445
scanme.sh:444
scanme.sh:80
scanme.sh:443
scanme.sh:22
2023/10/19 11:04:17 scanme.sh [445-0-false 444-0-false 80-0-false 443-0-false 22-0-false]

So, it might be due to some defaults that need to be set. /shrug. Here is the lib example I used:

package main

import (
    "log"
    "time"

    "github.com/projectdiscovery/goflags"
    "github.com/projectdiscovery/naabu/v2/pkg/result"
    "github.com/projectdiscovery/naabu/v2/pkg/runner"
)

func main() {
    // The values below mirror the CLI defaults so that the lib run behaves
    // like `naabu -host scanme.sh` on the command line.
    options := runner.Options{
        Host:                      goflags.StringSlice{"scanme.sh"},
        TopPorts:                  "100", // scan the top 100 ports
        Threads:                   25,
        Rate:                      1000, // packets per second
        IPVersion:                 goflags.StringSlice{"4"},
        ScanType:                  "s", // SYN scan; needs CAP_NET_RAW
        InputReadTimeout:          3 * time.Minute,
        Retries:                   3,
        Timeout:                   1000, // milliseconds
        WarmUpTime:                2,    // seconds
        IcmpEchoRequestProbe:      true, // host discovery probes
        IcmpTimestampRequestProbe: true,
        TcpSynPingProbes:          goflags.StringSlice{"80"},
        TcpAckPingProbes:          goflags.StringSlice{"443"},
        // OnResult is called once per host with the open ports found.
        OnResult: func(hr *result.HostResult) {
            log.Println(hr.Host, hr.Ports)
        },
    }

    naabuRunner, err := runner.NewRunner(&options)
    if err != nil {
        log.Fatal(err)
    }
    defer naabuRunner.Close()

    // RunEnumeration returns an error; surface it instead of dropping it.
    if err := naabuRunner.RunEnumeration(); err != nil {
        log.Fatal(err)
    }
}

dogasantos commented 1 year ago

Ah! That's it!

It's about the runner.Options! Thank you, it worked here too.
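The CLI output above shows naabu choosing a SYN scan only when it holds CAP_NET_RAW and falling back to a CONNECT scan otherwise. As an added example (not naabu's own code, which does its own privilege check), this helper reads the CapEff mask from Linux `/proc/<pid>/status` and returns the matching `runner.Options.ScanType` value, so a library caller can see before building the options whether "s" can work at all. The `/proc` field layout and CAP_NET_RAW = 13 are Linux facts; the function names are mine.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// capNetRaw is the Linux capability number for CAP_NET_RAW (linux/capability.h).
const capNetRaw = 13

// parseCapEff extracts the CapEff hex mask from the text of /proc/<pid>/status.
func parseCapEff(status string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		if line := sc.Text(); strings.HasPrefix(line, "CapEff:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), nil
		}
	}
	return "", fmt.Errorf("CapEff not found in status text")
}

// hasCapability reports whether bit capNum is set in a CapEff mask such as "000001ffffffffff".
func hasCapability(capEffHex string, capNum uint) (bool, error) {
	mask, err := strconv.ParseUint(capEffHex, 16, 64)
	if err != nil {
		return false, fmt.Errorf("bad CapEff value %q: %w", capEffHex, err)
	}
	return mask&(1<<capNum) != 0, nil
}

// chooseScanType returns the value to put in runner.Options.ScanType: "s" (SYN) when
// CAP_NET_RAW is in the effective set, "c" (CONNECT) otherwise, which is the split the
// [INF] lines in the thread show for sudo vs. non-sudo runs.
func chooseScanType(status string) (string, error) {
	capEff, err := parseCapEff(status)
	if err != nil {
		return "", err
	}
	ok, err := hasCapability(capEff, capNetRaw)
	if err != nil {
		return "", err
	}
	if ok {
		return "s", nil
	}
	return "c", nil
}
```

Feed it the contents of `/proc/self/status` (via `os.ReadFile`) before filling in `runner.Options`; on non-Linux systems there is no such file and the caller should treat that as "c".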