💉Gscan

Gscan is a high-concurrency scanner written in Go.

📕Usage

⬇️Download links: Download

Run Gscan with --help to show the usage:

~ ./Gscan.exe
Gscan [--host address|--url url] [-port port] [-u username|-U filename] [-uf urlfile] [-p password|-P filename] [-m type] [-t thread] [-w num] [-o output_file] [-v]
Examples:
Gscan --host 127.0.0.1 -port 1-65535 -m portscan
Gscan --host 127.0.0.1 -m ssh -u root -P pass.txt
Gscan --url http://www.test.com -m urlscan --cookie "PHPSESSID=abc" --header '{"X-FORWARDED-FOR":"test.com","Referer":"www.baidu.com"}'
Usage:
  -P string
        Select the path to the password dictionary
  -U string
        Select the path to the username dictionary
  -cookie string
        Set cookie
  -f string
        configuration file
  -h    Show help
  -header string
        Set http headers (format: JSON)
  -host string
        IP address of the host you want to scan, for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
  -m string
        Select the scan type. If you don't know the scan types, add -show to list them all
  -o string
        Save the results of the scan to a file
  -p string
        Specify a password
  -port string
        Select a port,for example: 22 | 1-65535 | 22,80,3306
  -show
        Show all scan type
  -t int
        Set number of threads (default 300)
  -u string
        Specify a username
  -uf string
        Select the path to the url path dictionary
  -url string
        url
  -v    Show details when scanning
  -w int
        Set timeout (default 2)

PS: subdomain, urlscan and auth take the target with --url instead of --host. subdomain and urlscan take their dictionary with -uf, while auth takes a password dictionary with -P.
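The --host and -port specs above accept several shorthand forms (single IP, last-octet range, comma list, CIDR as in the icmp examples; single port, inclusive range, comma list). The following is an added example, not Gscan's own code, showing one way to expand both into concrete targets with the validation a scanner should do before spawning workers. The function names ParseHosts and ParsePorts and the /16 upper bound are this example's own choices; a /24 expands to all 256 addresses, matching the length reported in the icmp test below.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ParsePorts expands a -port spec such as "22", "1-65535" or "22,80,3306".
// Ranges are inclusive; anything outside 1-65535 or with start > end is rejected.
func ParsePorts(spec string) ([]int, error) {
	var ports []int
	for _, part := range strings.Split(spec, ",") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		lo, hi := part, part
		if i := strings.IndexByte(part, '-'); i >= 0 {
			lo, hi = part[:i], part[i+1:]
		}
		start, err1 := strconv.Atoi(lo)
		end, err2 := strconv.Atoi(hi)
		if err1 != nil || err2 != nil || start < 1 || end > 65535 || start > end {
			return nil, fmt.Errorf("bad port spec %q", part)
		}
		for p := start; p <= end; p++ {
			ports = append(ports, p)
		}
	}
	if len(ports) == 0 {
		return nil, fmt.Errorf("no ports in %q", spec)
	}
	return ports, nil
}

// ipToU32 and u32ToIP convert between dotted IPv4 and a 32-bit integer so a
// CIDR block can be walked by addition.
func ipToU32(ip net.IP) uint32 {
	b := ip.To4()
	return uint32(b[0])<<24 | uint32(b[1])<<16 | uint32(b[2])<<8 | uint32(b[3])
}

func u32ToIP(v uint32) string {
	return net.IPv4(byte(v>>24), byte(v>>16), byte(v>>8), byte(v)).String()
}

// ParseHosts expands a --host spec into IPv4 addresses: a single IP, a
// last-octet range "192.168.11.11-255", a comma list, or CIDR "192.168.1.0/24".
// Every address of the block is returned (a /24 gives 256 hosts, as in the
// README's icmp test); the /16 cap is an assumption to keep the list bounded.
func ParseHosts(spec string) ([]string, error) {
	var hosts []string
	for _, part := range strings.Split(spec, ",") {
		part = strings.TrimSpace(part)
		switch {
		case part == "":
			continue
		case strings.Contains(part, "/"):
			_, ipnet, err := net.ParseCIDR(part)
			if err != nil || ipnet.IP.To4() == nil {
				return nil, fmt.Errorf("bad CIDR %q", part)
			}
			ones, bits := ipnet.Mask.Size()
			if bits-ones > 16 {
				return nil, fmt.Errorf("CIDR %q too large (max /16)", part)
			}
			base := ipToU32(ipnet.IP)
			for i := uint32(0); i < 1<<uint(bits-ones); i++ {
				hosts = append(hosts, u32ToIP(base+i))
			}
		case strings.Contains(part, "-"):
			i := strings.IndexByte(part, '-')
			first := net.ParseIP(part[:i])
			last, err := strconv.Atoi(part[i+1:])
			if first == nil || first.To4() == nil || err != nil || last < 0 || last > 255 || int(first.To4()[3]) > last {
				return nil, fmt.Errorf("bad range %q", part)
			}
			b := first.To4()
			for o := int(b[3]); o <= last; o++ {
				hosts = append(hosts, fmt.Sprintf("%d.%d.%d.%d", b[0], b[1], b[2], o))
			}
		default:
			ip := net.ParseIP(part)
			if ip == nil || ip.To4() == nil {
				return nil, fmt.Errorf("bad IP %q", part)
			}
			hosts = append(hosts, ip.To4().String())
		}
	}
	if len(hosts) == 0 {
		return nil, fmt.Errorf("no hosts in %q", spec)
	}
	return hosts, nil
}

func main() {
	hosts, _ := ParseHosts("192.168.1.1-3,10.0.0.0/30")
	ports, _ := ParsePorts("22,80,3306")
	fmt.Println(hosts, ports)
}
```

Rejecting a spec up front (port 0, reversed ranges, a malformed octet) is cheaper than discovering it after a few hundred goroutines have already been started against the target.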

📌Test

Let's test the speed of each module. Note: the test host's CPU is not very fast, so the timings below may be slower than what you see. In the tables, length is the number of entries tried (dictionary lines, ports, or hosts). Use --show to list all scan types:

~ ./Gscan.exe --show
-m
   [mysql]
   [icmp]
   [memcached]
   [ftp]
   [smb]
   [subdomain]
   [redis]
   [auth]
   [portscan]
   [mssql]
   [ssh]
   [postgresql]
   [urlscan]
   [mongodb]

ssh

default port: 22

Example:

Gscan --host target_ip -m ssh -u username -P password.txt -t 1000 -w 5

Profile example:

[CONFIG]
#Parameters are case sensitive, for example, only "Scantype", not "scantype"
Scantype = ssh
Host = 192.168.141.142
Port = 22 
Timeout = 5
Thread = 1000
Passfile = ./password.txt # or use "Password=" to specify a password
Username = username # or use "Userfile=" to specify a dictionary file
#Output = output_file #Output results to a file
#ErrShow = false #Whether to display error messages during scanning
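The profile format above is plain key = value lines under a [CONFIG] header, with "#" comments and case-sensitive keys. As an added example (not Gscan's own parser), here is a parser that enforces those rules and applies the constraints this README states: Timeout and Thread are integers, Password/Passfile and Username/Userfile are alternatives, and subdomain, urlscan and auth take Url while the other modules take Host. The key list, the hint for wrongly cased keys, and the function names ParseProfile and Validate are this example's own; the embedded profile is the ssh one from above.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleProfile is the ssh profile from this README, embedded so the example
// runs offline (constructed input, not read from disk).
const sampleProfile = `[CONFIG]
#Parameters are case sensitive, for example, only "Scantype", not "scantype"
Scantype = ssh
Host = 192.168.141.142
Port = 22
Timeout = 5
Thread = 1000
Passfile = ./password.txt # or use "Password=" to specify a password
Username = username # or use "Userfile=" to specify a dictionary file
#Output = output_file #Output results to a file
#ErrShow = false #Whether to display error messages during scanning
`

// knownKeys are the profile keys shown in this README, in their exact case
// (both "Port" from the ssh profile and "Ports" from the portscan profile).
var knownKeys = []string{
	"Scantype", "Host", "Port", "Ports", "Url", "UrlFile", "Timeout", "Thread",
	"Username", "Userfile", "Password", "Passfile", "Cookie", "Header", "Output", "ErrShow",
}

// urlModules are the modules the README says take --url instead of --host.
var urlModules = map[string]bool{"subdomain": true, "urlscan": true, "auth": true}

// caseHint returns the known key that matches k ignoring case, or "" if none.
func caseHint(k string) string {
	for _, known := range knownKeys {
		if strings.EqualFold(k, known) {
			return known
		}
	}
	return ""
}

// ParseProfile parses the [CONFIG] format: "#" starts a comment (full-line or
// inline), keys are case sensitive, and duplicate keys are an error.
func ParseProfile(text string) (map[string]string, error) {
	cfg := map[string]string{}
	inSection := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // strip comment
		}
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if strings.HasPrefix(line, "[") {
			inSection = line == "[CONFIG]"
			continue
		}
		if !inSection {
			return nil, fmt.Errorf("line %d: setting outside [CONFIG]", n)
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("line %d: expected key = value", n)
		}
		k, v := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		switch hint := caseHint(k); {
		case hint == "":
			return nil, fmt.Errorf("line %d: unknown key %q", n, k)
		case hint != k:
			return nil, fmt.Errorf("line %d: unknown key %q (keys are case sensitive; did you mean %q?)", n, k, hint)
		}
		if _, dup := cfg[k]; dup {
			return nil, fmt.Errorf("line %d: duplicate key %q", n, k)
		}
		cfg[k] = v
	}
	return cfg, sc.Err()
}

// Validate applies the README's rules to a parsed profile.
func Validate(cfg map[string]string) error {
	mod := cfg["Scantype"]
	if mod == "" {
		return fmt.Errorf("Scantype is required")
	}
	for _, k := range []string{"Timeout", "Thread"} {
		if v, ok := cfg[k]; ok {
			if n, err := strconv.Atoi(v); err != nil || n < 1 {
				return fmt.Errorf("%s must be a positive integer, got %q", k, v)
			}
		}
	}
	for _, pair := range [][2]string{{"Password", "Passfile"}, {"Username", "Userfile"}} {
		_, a := cfg[pair[0]]
		_, b := cfg[pair[1]]
		if a && b {
			return fmt.Errorf("use %s or %s, not both", pair[0], pair[1])
		}
	}
	if urlModules[mod] && cfg["Url"] == "" {
		return fmt.Errorf("%s needs Url, not Host", mod)
	}
	if !urlModules[mod] && cfg["Host"] == "" {
		return fmt.Errorf("%s needs Host", mod)
	}
	return nil
}

func main() {
	cfg, err := ParseProfile(sampleProfile)
	if err == nil {
		err = Validate(cfg)
	}
	fmt.Println(cfg, err)
}
```

A profile with "scantype = ssh" is rejected with a hint pointing at "Scantype" rather than silently ignored, which is the failure mode the comment in the profile warns about.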

Test:

module   length   threads   timeout        time taken
ssh      1053     200       2s (default)   2.9s

postgresql

default port: 5432

Example:

Gscan --host target_ip -m postgresql -u username -P password.txt -t 1000 -w 5

Profile example: see the ssh section

Test:

module       length   threads   timeout        time taken
postgresql   1053     1000      2s (default)   4.0s

MongoDB

default port: 27017

Example:

Gscan --host target_ip -m mongodb -u username -P password.txt -t 1000 -w 5

Profile example: see the ssh section

Test:

module    length   threads   timeout        time taken
mongodb   1054     1000      2s (default)   2.7s

Memcached

default port: 11211

Example:

Gscan --host target_ip -m memcached -t 1000 -w 5

Profile example: see the ssh section

Test:

module      length   threads         timeout        time taken
memcached   256      300 (default)   2s (default)   2.6s

MySQL

default port: 3306

Command line example:

Gscan --host target_ip -m mysql -u username -P dict.txt -t 1000 -w 5

Profile example: see the ssh section

Test:

module   length   threads         timeout        time taken
mysql    1054     300 (default)   2s (default)   3.0s

smb

default port: 445

Command line example:

Gscan --host target_ip -m smb -u username -P dict.txt -t 1000 -w 5

Profile example: see the ssh section

Test:

module   length   threads   timeout   time taken
smb      1053     1000      1s        2.0s

ftp

default port: 21

Command line example:

Gscan --host target_ip -m ftp -u username -P dict.txt -t 1000 -w 5

Profile example: see the ssh section

Test:

module   length   threads         timeout        time taken
ftp      1054     300 (default)   2s (default)   2.1s

Redis

default port: 6379

Command line example:

Gscan --host target_ip -m redis -P dict.txt -t 1000 -w 5

Profile example: see the ssh section

Test:

module   length   threads         timeout        time taken
redis    1054     300 (default)   2s (default)   471.7ms

MSSQL

default port: 1433

Command line example:

Gscan --host target_ip -m mssql -u sa -P dict.txt -t 1000 -w 5

Profile example: see the ssh section

Test:

module   length   threads         timeout        time taken
mssql    1054     300 (default)   2s (default)   10.1s

Portscan

Scans the target host for open ports

Example:

Gscan --host target_ip -m portscan -port 22,3306 -t 1000 -w 5
Gscan --host target_ip -m portscan -port 1-65535 -t 1000 -w 5

Profile example (run with Gscan -f config.ini):

[CONFIG]
#Parameters are case sensitive, for example, only "Scantype", not "scantype"
Scantype = portscan
Host = 127.0.0.1
Ports = 1-1000
Timeout = 5
Thread = 1000
#Output = output_file #Output results to a file
#ErrShow = false #Whether to display error messages during scanning   

Test:

module     length   threads         timeout        time taken
portscan   1000     300 (default)   2s (default)   8.6s
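The -t and -w knobs used throughout these examples are a goroutine limit and a per-connection timeout. As an added example (not Gscan's implementation), here is a minimal TCP connect scanner built the same way: a counting semaphore bounds the goroutines, net.DialTimeout enforces the timeout, and a timeout is reported as "filtered" rather than "closed". Keeping the two apart matters for the closing note of this README: with a short -w and a high -t, a slow or rate-limited host times out on ports that are really open, and a scanner that lumps timeouts in with refused connections hides that. The names ScanTCP, PortState and OpenPorts are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"sync"
	"time"
)

// PortState is the verdict for one port.
type PortState string

const (
	Open     PortState = "open"     // TCP connect succeeded
	Closed   PortState = "closed"   // dial failed promptly (typically connection refused)
	Filtered PortState = "filtered" // no answer before the timeout elapsed
)

// Result is one (port, verdict) pair.
type Result struct {
	Port  int
	State PortState
}

// ScanTCP dials every port on host with at most `threads` concurrent
// connections and a per-dial `timeout`, mirroring -t and -w. Results are
// returned sorted by port.
func ScanTCP(host string, ports []int, threads int, timeout time.Duration) []Result {
	if threads < 1 {
		threads = 1
	}
	sem := make(chan struct{}, threads) // counting semaphore bounding in-flight dials
	results := make([]Result, len(ports))
	var wg sync.WaitGroup
	for i, p := range ports {
		wg.Add(1)
		sem <- struct{}{} // blocks once `threads` dials are in flight
		go func(i, p int) {
			defer wg.Done()
			defer func() { <-sem }()
			addr := net.JoinHostPort(host, fmt.Sprint(p))
			conn, err := net.DialTimeout("tcp", addr, timeout)
			state := Closed
			switch {
			case err == nil:
				conn.Close()
				state = Open
			case isTimeout(err):
				state = Filtered // do not confuse with a refused connection
			}
			results[i] = Result{Port: p, State: state} // each goroutine owns its own index
		}(i, p)
	}
	wg.Wait()
	sort.Slice(results, func(a, b int) bool { return results[a].Port < results[b].Port })
	return results
}

// isTimeout reports whether a dial error was a timeout rather than a refusal.
func isTimeout(err error) bool {
	ne, ok := err.(net.Error)
	return ok && ne.Timeout()
}

// OpenPorts returns only the ports that accepted a connection.
func OpenPorts(rs []Result) []int {
	var open []int
	for _, r := range rs {
		if r.State == Open {
			open = append(open, r.Port)
		}
	}
	return open
}

func main() {
	// Scan a few common ports on loopback with this README's defaults (300 threads, 2s).
	for _, r := range ScanTCP("127.0.0.1", []int{22, 80, 443, 3306}, 300, 2*time.Second) {
		fmt.Printf("%d/tcp %s\n", r.Port, r.State)
	}
}
```

If a run reports many "filtered" ports on a host you know is up, that is the signal to raise the timeout or lower the thread count before trusting the result.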

icmp

Pings to determine whether the target host is alive

Example:

Gscan --host 192.168.1.1/24 -m icmp -t 1000 -w 5
Gscan --host 192.168.1.1-125 -m icmp -t 1000 -w 5
Gscan --host 192.168.1.1,192.168.1.11 -m icmp -t 1000 -w 5

Profile example:

[CONFIG]
#Parameters are case sensitive, for example, only "Scantype", not "scantype"
Scantype = icmp
Host = 192.168.43.212/24
Timeout = 5
Thread = 1000
#Output = output_file #Output results to a file
#ErrShow = false #Whether to display error messages during scanning   

Test:

module   length   threads         timeout        time taken
icmp     256      300 (default)   2s (default)   6.1s

urlscan

URL path scan (directory brute force)

default dictionary: ./dict/dicc.txt (taken from dirsearch)

Example:

Gscan --url http://url -m urlscan -t 1000 -w 5 (uses the default ./dict/dicc.txt)
Gscan --url http://url -m urlscan -uf dict.txt -t 1000 -w 5
Gscan --url http://baidu.com -m urlscan --cookie "PHPSESSID=abc"
Gscan --url http://baidu.com -m urlscan --cookie "PHPSESSID=abc" --header '{"X-FORWARDED-FOR":"test.com","Referer":"www.baidu.com"}'

Profile example:

[CONFIG]
#Parameters are case sensitive, for example, only "Scantype", not "scantype"
Scantype = urlscan
Url = http://192.168.141.128:7777
UrlFile = ./dict.txt
Timeout = 5
Thread = 1000
#Cookie = your_cookie #set cookie
#Header = your_header #set header
#Output = output_file #Output results to a file
#ErrShow = false #Whether to display error messages during scanning   

Test:

module    length   threads         timeout        time taken
urlscan   1054     300 (default)   2s (default)   9.0s

apacheAuth

Brute-forces HTTP Basic authentication (as used by Apache); the scan type is "auth"

Example:

Gscan --url http://url -m auth -u qiyou -P dict.txt -t 1000 -w 5
Gscan --url http://url -m auth -u qiyou -P dict.txt -t 1000 -w 5 --cookie "PHPSESSID=abc" --header '{"X-FORWARDED-FOR":"test.com","Referer":"www.baidu.com"}'

Profile example:

[CONFIG]
#Parameters are case sensitive, for example, only "Scantype", not "scantype"
Scantype = auth
Url = http://192.168.141.128:7777
Passfile = ./password.txt
Username = admin
Timeout = 5
Thread = 1000
#Cookie = your_cookie #set cookie
#Header = your_header #set header
#Output = output_file #Output results to a file
#ErrShow = false #Whether to display error messages during scanning   

Test:

module   length   threads         timeout        time taken
auth     1053     300 (default)   2s (default)   7.5s

subdomain

Subdomain brute-force enumeration

default dictionary: ./dict/sub.txt (taken from lijiejie's subDomainsBrute)

Do not include http:// or https://; give only the domain, for example: www.baidu.com or baidu.com

Example:

Gscan --url baidu.com -m subdomain -uf dict.txt -t 1000 -w 5
Gscan --url baidu.com -m subdomain -t 1000 -w 5 (uses the default ./dict/sub.txt)

Profile example:

[CONFIG]
#Parameters are case sensitive, for example, only "Scantype", not "scantype"
Scantype = subdomain
Url = baidu.com
UrlFile = ./dict.txt
Timeout = 5
Thread = 1000
#Output = output_file #Output results to a file
#ErrShow = false #Whether to display error messages during scanning   

Test:

module      length   threads         timeout        time taken
subdomain   1053     300 (default)   2s (default)   4.8s

💬End

PS: If false positives occur during a scan, increase the timeout or lower the thread count; the right values depend on the target host.

If you have suggestions or find bugs, please open an issue. Thanks!